92

On a remote private network there are two servers -- a file server and a database server (these are both Win machines, in case it matters).

The file server has its own fairly robust authentication mechanisms, and allows me to connect directly from a remote location.

The database server uses a simple username and password, so to prevent unauthorized access, it's locked down to the local network -- external traffic is blocked.

To access the database server, I'm using the OpenVPN client on Windows to connect to a VPN server on the private network.

By default, OpenVPN routes all network packets destined for the remote network on which the VPN server resides, through the VPN. Unfortunately, accessing the file server through the VPN is extremely slow!

Question:

How can I configure the OpenVPN client to ONLY route traffic through the VPN that is destined for a single, specific IP address -- namely the database server?

dotvotdot
Brian Lacy

5 Answers

115

The correct configuration for OpenVPN is:

route-nopull
route 192.168.0.0 255.255.255.0

These entries belong in your .ovpn file and will direct all 192.168.0.* subnet traffic through the VPN.

For one IP only (192.168.0.1):

route-nopull
route 192.168.0.1 255.255.255.255

BTW: route-nopull means "don't pull routes from the server"

ndemou
Thomas
  • We are mostly English speakers and don't necessarily know German. Please translate your answer. – gronostaj Aug 06 '13 at 08:44
  • +1. This is exactly what I needed. I am using ovpn clients on my Linux and hence your answer just saved me. Thanks. – slayedbylucifer May 30 '14 at 08:33
  • Can I just route a website to VPN? For example just www.facebook.com – Nicola Peluchetti Oct 28 '14 at 22:15
  • In my case routing a single IP through VPN seems to work ok. But when using a subnet mask it does not work at all. Any ideas why? – running.t Dec 18 '14 at 14:40
  • I still don't know the answer to my question (above), but I have done some investigation and created a separate thread about it: http://superuser.com/questions/854194/openvpn-route-only-specific-subnetwork-through-vpn-works-for-single-ip-adress – running.t Dec 18 '14 at 16:06
  • Is it possible to use a DNS name instead of an IP address? – Michael Dec 25 '14 at 22:30
  • Here is a suggested edit from an anonymous user who must not have enough rep to post comments. (They tried to add it as an edit.) Add it to your answer if you feel it is appropriate. **You also need to add this: `script-security 2` Without it route-nopull doesn't work. At least on Windows it doesn't.** – DrZoo Feb 18 '16 at 22:24
  • I didn't need `script-security 2` on Windows – xtian Aug 23 '18 at 11:58
  • But route has a 3rd argument which is the gateway, what should I put there? – Neji Soltani Jun 02 '19 at 13:16
  • For me the problem with `route-nopull` is that it prevents the server from giving me its DNS server. I *do* want the VPN DNS, but I *do not* want to route _all_ IPs... digging. – hwjp Mar 08 '21 at 10:57
  • @hwjp did you figure it out? I just looked at the log to see what options the remote was trying to push and added the relevant ones for DNS. – Michael Aug 08 '22 at 18:45
  • What if I want to route everything but not route a single IP address? – Shayan Oct 15 '22 at 12:26
32

Goals

  • Use the plain internet connection for all internet traffic by default, even when the VPN is connected.
  • Route traffic to one specific IP address through the VPN.

Steps

  1. Press Win + R and execute ncpa.cpl.

  2. Right-click the VPN connection and go to Properties → Networking.

  3. Select Internet Protocol Version 4 and go to Properties → Advanced....

  4. Uncheck Use default gateway on remote network and click OK.

  5. (optional) Repeat the previous steps for Internet Protocol Version 6.

  6. (Re)connect to your VPN.

  7. Open a command prompt and execute route print -4.

  8. Spot the VPN's interface in the Interface list and its gateway in the Active Routes.

    On my machine, I have:

    Interface List
     32...........................Super Free VPN
    
    [...]
    
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         On-link        10.6.6.127     31
             10.0.0.0        255.0.0.0        10.88.1.1      10.88.1.102     31
    

    Here, the VPN's gateway is 10.88.1.1, since it's the gateway for the 10.xxx.xxx.xxx block.

  9. Add a persistent route that will be appended to the active routes whenever there's a connection to the VPN:

    route -p add 23.22.135.169 10.88.1.1 if 32
    

    In this example, 23.22.135.169 is the IP of whatismyip.org, 10.88.1.1 is the gateway's IP and 32 the number of the interface.

  10. (optional) Repeat the previous steps for route print -6.

  11. Test the setup.

    If everything worked out, whatismyip.org and www.whatismyip.cx will display different IPs now.

Dennis
24

To your OpenVPN client config, add a line like:

route The.IP.To.Go 255.255.255.255

(Where The.IP.To.Go is the IP you wish to route through the VPN)

This instructs OpenVPN to create the entry in your OS's routing table.

Alternatively, the OpenVPN server could be made to "push" this routing configuration down to clients, by adding to the server config:

push "route The.IP.To.Go 255.255.255.255"

EDIT: One thing I missed addressing--the default forwarding of all traffic... It could either be disabled on the server, or clients can elect to ignore "pushed" directives (so our second option "pushing" the route would not work) via:

route-nopull
Adam
  • As the question is written, this is probably the best answer - the question explicitly asks for a client config change. However, if there's only one user (or all have the same rules) and they're in charge of both client and server I'd just change the routing in the "server.conf" on the OpenVPN server to add the desired individual routes in (the example conf file has example routes in it). – SomeoneElse Feb 24 '23 at 21:02
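As an added example (not code from Thomas's or Adam's answers, nor from the OpenVPN project), the Python script below simulates what the client's routing table ends up looking like under three client configs: a stock client that accepts everything the server pushes, the `route-nopull` plus single host route from the two answers above, and a `pull-filter` variant (OpenVPN 2.4 and later) that refuses only the pushed route directives, so the pushed DNS server that hwjp's comment complains about losing is kept. It models `redirect-gateway def1` as the two /1 routes OpenVPN installs, `route-nopull` as dropping the pushed route and DHCP-option classes, and then chooses the interface for each destination by longest-prefix match, the same rule the OS applies. The server's pushed options, the addresses (DB server 192.168.0.1, file server 192.168.0.20, one public address), the hostname `vpn.example.net` and the interface names `eth0`/`tun0` are constructed assumptions; IPv6 and the host route OpenVPN adds for the VPN server itself are left out.

```python
"""Added example, not from any answer on this page: simulate which interface
an OpenVPN client would use for each destination under different split-tunnel
client configs. Addresses and interface names are constructed for illustration."""
import ipaddress

# Under route-nopull the client still pulls options, but refuses the route- and
# DHCP-related classes (OpenVPN's OPT_P_ROUTE / OPT_P_DHCPDNS); everything else is kept.
NOPULL_DROPS = ("route", "route-ipv6", "route-gateway", "route-metric",
                "redirect-gateway", "dhcp-option", "block-outside-dns")


def parse(cfg_text):
    """Config lines as word lists, with comments and blank lines removed."""
    return [ln.split() for ln in cfg_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(("#", ";"))]


def pulled(client_cfg, pushed):
    """Server-pushed options the client actually accepts."""
    words = parse(client_cfg)
    nopull = any(w[0] == "route-nopull" for w in words)
    # pull-filter entries are tried in config order; the first prefix match wins.
    filters = [(w[1], " ".join(w[2:]).strip('"')) for w in words if w[0] == "pull-filter"]
    kept = []
    for opt in pushed:
        action = next((a for a, prefix in filters if opt.startswith(prefix)), "accept")
        if action == "reject":
            raise RuntimeError(f"pull-filter reject would abort the connection: {opt}")
        if action == "ignore" or (nopull and opt.split()[0] in NOPULL_DROPS):
            continue
        kept.append(opt)
    return kept


def routing_table(client_cfg, pushed):
    """Routes the client installs, as (network, interface), on top of the LAN default route."""
    table = [(ipaddress.ip_network("0.0.0.0/0"), "eth0")]  # constructed: normal default gateway
    for w in parse(client_cfg) + [o.split() for o in pulled(client_cfg, pushed)]:
        if w[0] == "route" and len(w) >= 2:
            mask = w[2] if len(w) > 2 else "255.255.255.255"  # OpenVPN's default netmask
            table.append((ipaddress.ip_network(f"{w[1]}/{mask}", strict=False), "tun0"))
        elif w[0] == "redirect-gateway":
            # 'def1' style: two /1 routes that win over 0.0.0.0/0 without replacing it
            table += [(ipaddress.ip_network("0.0.0.0/1"), "tun0"),
                      (ipaddress.ip_network("128.0.0.0/1"), "tun0")]
    return table


def egress(table, dst):
    """Interface chosen for dst by longest-prefix match, as the OS does."""
    ip = ipaddress.ip_address(dst)
    return max((r for r in table if ip in r[0]), key=lambda r: r[0].prefixlen)[1]


def dns_servers(client_cfg, pushed):
    """DNS servers the client learns from the server (empty if they were dropped)."""
    return [o.split()[2] for o in pulled(client_cfg, pushed)
            if o.startswith("dhcp-option DNS ")]


# Constructed: a typical server that pushes a full tunnel, the LAN, and a resolver.
PUSHED = ["redirect-gateway def1", "route 192.168.0.0 255.255.255.0",
          "dhcp-option DNS 192.168.0.53"]
DB_SERVER, FILE_SERVER, INTERNET = "192.168.0.1", "192.168.0.20", "93.184.216.34"

# 1. Stock client: accepts everything pushed, so even the file server rides the tunnel.
STOCK = "client\nremote vpn.example.net 1194\n"
# 2. The answers above: route-nopull plus one host route. Only the DB server uses the
#    tunnel, but the pushed DNS server is discarded too.
NOPULL = "client\nremote vpn.example.net 1194\nroute-nopull\nroute 192.168.0.1 255.255.255.255\n"
# 3. pull-filter (OpenVPN 2.4+): keep the pushed DNS, refuse only the route directives.
FILTERED = ("client\nremote vpn.example.net 1194\n"
            'pull-filter ignore "redirect-gateway"\n'
            'pull-filter ignore "route "\n'  # trailing space: matches 'route', not 'route-gateway'
            "route 192.168.0.1 255.255.255.255\n")

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("route-nopull", NOPULL), ("pull-filter", FILTERED)):
        t = routing_table(cfg, PUSHED)
        print(f"{name:13} db={egress(t, DB_SERVER)} file={egress(t, FILE_SERVER)} "
              f"internet={egress(t, INTERNET)} dns={dns_servers(cfg, PUSHED)}")
```

Running it prints one row per config: the stock client sends the DB server, the file server and the internet through `tun0`; the `route-nopull` config sends only the DB server through `tun0` but learns no DNS server; the `pull-filter` config sends only the DB server through `tun0` and still learns 192.168.0.53. On the real client the equivalent check is `route print -4` on Windows (or `ip route` on Linux) after connecting, together with the `PUSH_REPLY` line in the OpenVPN log, which lists exactly what the server tried to push.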
11

In response to the comments asking for an easy linux / networkmanager friendly solution to customizing what gets routed over OpenVPN, here is a GUI friendly way to set it up. This answer is, as far as I can tell, just the GUI version of Thomas's answer.

[Screenshot of network manager showing where to click]

Step 1: select your VPN configuration

Step 2: go over to the relevant tab (either IPv4 or IPv6)

Step 3: Click the "Routes..." button in the bottom right

Step 4: Add your desired route (in this case it is redirecting all traffic from 192.168.0.* through the VPN).

Step 5: check the "use only for resources on this connection" checkbox so that connecting to the VPN doesn't change your default gateway settings to route all traffic through the VPN.

DeveloperACE
-2
iptables -A PREROUTING -t mangle -i <LAN_interface> \
-d <remote_network>/<remote_netmask> -j ROUTE --gw <openvpn_host_ip>
slhck
  • Please explain what this command does. Just one command without explanation is not that useful. Also check the formatting of your post—all the `` are not visible if they're not marked as code. – slhck Feb 13 '15 at 10:44
  • The question is about configuring the Windows OpenVPN client side of things; this is a Linux server-side configuration that doesn't apply. – Jim Stewart Dec 19 '19 at 08:06