December 8, 2009 at 11:39 pm #42091
I have an openvpn setup up and running, but I don’t want all traffic going through the vpn – just specific subnets. In my previous openvpn setup on a dedicated machine, I would just have it push over certain subnets to the routing table but not be the default gateway.
Is it possible to get the same thing working with zs?

December 9, 2009 at 2:07 pm #49241
In my setup, I add the routes that I want to tunnel to the ZS to the client config with the command
route 192.168.0.0 255.255.255.0 220.127.116.11 1

December 9, 2009 at 3:28 pm #49242
The problem isn’t sending specific subnets through the tunnel – the problem is that when the VPN comes up it routes ALL traffic through the VPN.
As I said in my post, previously with my own openvpn setup, only specific subnets were pushed via the openvpn server config file to route through the tunnel. This also seems to be the default way openvpn operates unless a specific configuration option is given in the config file.
This is a problem as if you bring up the VPN, all your existing connections will a) go through a much slower VPN tunnel and b) get disconnected since they’re now taking a completely different return path route.

December 9, 2009 at 5:24 pm #49243
root@zeroshell root> ps auxw | grep vpn
root 10399 0.1 2.4 6704 4628 ? S Dec08 2:31 vpn --dev-type tap --dev VPN99 --mode server --tls-server --proto tcp-server --port 1194 --dh /etc/ssl/dh.pem --ca /var/register/system/openvpn/Auth/X509/CAFile --cert /var/register/system/openvpn/TLS/cert.pem --key /var/register/system/openvpn/TLS/key.pem --daemon VPN99_H2L --ifconfig-pool 10.14.149.178 10.14.149.190 255.255.255.240 --push route-gateway 10.14.149.177 --push --push dhcp-option DNS 10.14.149.1 --push route remote_host 255.255.255.255 net_gateway 1 --push route 10.14.149.176 255.255.255.240 --client-connect /root/kerbynet.cgi/scripts/ov_connect --client-disconnect /root/kerbynet.cgi/scripts/ov_disconnect --mute 3 --management 127.0.0.1 34099 --keepalive 5 60 --duplicate-cn
This is my server side openvpn configuration taken from the shell. It doesn’t send any specific routes, but the DNS and the gateway. On my client file I inject the routes I wish my client to route through the tunnel. Hope this helps, if not please take a screenshot of the web interface page of the vpn configuration so we can take a look.

December 14, 2009 at 5:09 pm #49244
Mine is similar but has a --push-redirect-gateway option added on, which looks to be the problem – it’s causing the client to reroute everything over the vpn connection. I’ll look later, but if you know, where’s the easiest way to edit the command line?

December 14, 2009 at 7:13 pm #49245
Never mind, found the VPN-generating script.

December 14, 2009 at 7:19 pm #49246
Don’t mess with the scripts. Post here a screenshot of the webpage of your zeroshell vpn config.

December 14, 2009 at 10:34 pm #49247
Why not? There’s no way to remove --push-redirect-gateway from the web interface as it checks for the existence of multiple subnets (which I have) and if true, at that point adds in the redirect-gateway option – posting an image of it would be pointless as there’s nothing in the web interface – it’s all in the script.
You can see this yourself in /root/kerbynet.cgi/scripts/vpn_start

December 15, 2009 at 10:16 am #49248
Because in my openvpn it is not sending me the default gateway, so I believe there is a way to do it without messing with the scripts.

December 15, 2009 at 4:41 pm #49249
Here’s the relevant part of the script:
NETS=`cat $REGISTER/system/openvpn/Nets 2>/dev/null`
if [ -z "$NETS" ] ; then
So I either make a non-zero Nets file or I edit the script line directly. Most likely the reason you’re not getting the --redirect-gateway is because you have a Nets file. I don’t. Since there is no documentation on what’s in that file or what it’s supposed to do, there’s no obvious way to fix it from the GUI. The only thing that creates a Nets file is vpn_setnet, which uses a parameter when called to either set an empty Nets file or a Nets file with a newline character. I don’t feel like chasing down what actually CALLS vpn_setnet as my hack works for now.
On the next version I’ll re-evaluate if the hack stays or something else gets done.

December 16, 2009 at 9:25 am #49250
Take a look here.
Most likely all you need to do is add the networks to send to the client.
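The whole thread turns on one distinction: a server that pushes specific routes (split tunnel) versus one that also pushes redirect-gateway (full tunnel, all client traffic through the VPN). The script below is an added example, not code from this thread or from the Zeroshell scripts it discusses. It inspects an OpenVPN server command line of the kind `ps auxw | grep vpn` prints, lists the pushed routes, and reports whether a default route is pushed. The two command lines in it are constructed for the example, modelled on the ps output posted above but not copied from it. It assumes that the "--push-redirect-gateway" mentioned in the thread appears in ps output as `--push redirect-gateway`, which is the form OpenVPN takes the option in.

```shell
#!/bin/sh
# Added example, not code from the Zeroshell forum thread or from the
# Zeroshell scripts it discusses. Inspects an OpenVPN server command line
# (as printed by "ps auxw | grep vpn") and reports whether the server pushes
# a default route to clients (full tunnel) or only specific subnets (split).
# Assumption: the thread's "--push-redirect-gateway" shows up in ps output
# as "--push redirect-gateway"; a bare "--redirect-gateway" is also treated
# as a full tunnel.

# Constructed sample command lines, modelled on the thread's ps output but
# not copied from it. SPLIT_CMD pushes two subnets and no default route;
# FULL_CMD is the same server with redirect-gateway pushed as well.
SPLIT_CMD='vpn --dev-type tap --dev VPN99 --mode server --tls-server --proto tcp-server --port 1194 --ifconfig-pool 10.14.149.178 10.14.149.190 255.255.255.240 --push route-gateway 10.14.149.177 --push dhcp-option DNS 10.14.149.1 --push route 10.14.149.176 255.255.255.240 --push route 192.168.0.0 255.255.255.0 --keepalive 5 60'
FULL_CMD="$SPLIT_CMD --push redirect-gateway def1"

# Print each pushed route ("network netmask [gateway [metric]]"), one per
# line. The command line is word-split; ps prints push arguments unquoted.
pushed_routes() {
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "--push" ] && [ "$2" = "route" ]; then
            shift 2
            route=""
            # Collect the route's arguments up to the next "--option".
            while [ $# -gt 0 ] && [ "${1#--}" = "$1" ]; do
                route="$route${route:+ }$1"
                shift
            done
            printf '%s\n' "$route"
        else
            shift
        fi
    done
}

# Succeed (exit 0) if the server pushes a default route to clients.
pushes_redirect_gateway() {
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            --push) [ "$2" = "redirect-gateway" ] && return 0 ;;
            --redirect-gateway) return 0 ;;
        esac
        shift
    done
    return 1
}

# Print "full" or "split" for a command line.
tunnel_mode() {
    if pushes_redirect_gateway "$1"; then
        echo full
    else
        echo split
    fi
}

# Demo on the constructed samples.
for cmd in "$SPLIT_CMD" "$FULL_CMD"; do
    printf 'tunnel mode: %s\n' "$(tunnel_mode "$cmd")"
    pushed_routes "$cmd" | sed 's/^/  pushed route: /'
done
```

Run it against the real process with something like `tunnel_mode "$(ps -o args= -C vpn)"` after sourcing the functions. In an OpenVPN server config file the split-tunnel equivalent of the first sample is one `push "route 192.168.0.0 255.255.255.0"` line per subnet and no `push "redirect-gateway ..."` line at all; if the server cannot be changed, a client running OpenVPN 2.4 or later can refuse the pushed default route with `pull-filter ignore "redirect-gateway"` in its own config.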