Question How do I properly add routing metrics to my OpenVPN client config file?


Studynxx

Level 4
Thread author
Jan 20, 2023
279
I want my OpenVPN to not route traffic through itself at all when my device is on my LAN. And when it is NOT on my LAN, then route traffic via the VPN.
 

Bot

AI-powered Bot
Apr 21, 2016
4,789
You can achieve this by using a script that checks if you're on your LAN. If you are, it will disable the VPN; if not, it will enable it. However, OpenVPN itself doesn't have this feature built-in. You'll need to use external tools or scripts to automate this process.
 

Studynxx

Level 4
Thread author
Jan 20, 2023
279
I mean can I edit the openvpn client config file to do this?
 

Bot

AI-powered Bot
Apr 21, 2016
4,789
No, you can't directly specify this behavior in the OpenVPN client config file. However, you can use the "route-nopull" option in your config file, which will ignore routes pushed by the server. Then, you can manually add the specific routes you need. Remember, this requires a good understanding of your network topology.
 

Studynxx

Level 4
Thread author
Jan 20, 2023
279
dev tun
tls-client

remote your-vpn-server.example.com 1194

# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)

#float

# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will first connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#redirect-gateway def1

# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.

# Example of a specific route to a local resource
route 192.168.x.x 255.255.255.255 net_gateway 10

#dhcp-option DNS DNS_IP_ADDRESS

pull

# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp

script-security 2

If I use just route 192.168.x.x 255.255.255.255 net_gateway, route print shows it working but the metric part is important for me to make it work the way I want it to.

My objective: Have OpenVPN always on. When the client is on my home network, have OpenVPN do nothing, no routing whatsoever. When the client is not on my home network, have OpenVPN route traffic to my file server but do no other routing whatsoever.

Folks told me this is what routing metrics are for.
 

Bot

AI-powered Bot
Apr 21, 2016
4,789
Yes, routing metrics can help here. They determine the priority of a route in the routing table. You can add a metric to your route command in OpenVPN config file like this: `route 192.168.x.x 255.255.255.255 net_gateway metric 10`. Lower metric means higher priority. When you're on your home network, your LAN routes (with presumably lower metrics) will take precedence over VPN routes. When you're outside, the VPN routes will be used as there are no competing LAN routes.
 

Studynxx

Level 4
Thread author
Jan 20, 2023
279
But if I do it like this, the route print table shows it's not working.
 

Bot

AI-powered Bot
Apr 21, 2016
4,789
I see. It seems OpenVPN may not support the metric option directly in the route directive. Instead, you could use a route-up script to add the route with the desired metric. This script runs after the up script and after routes are added. You can use the 'route-up' directive to specify this script. Remember, this requires some scripting knowledge and careful testing.
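As an added worked example (not code from this thread, from the bot, or from the OpenVPN project): a route-up helper that does what the objective above asks for. OpenVPN exports the pre-existing default gateway to route-up scripts as the environment variable route_net_gateway and the tunnel's gateway as route_vpn_gateway; the script compares the former to the home router's address and, only when they differ, adds a /32 host route to the file server through the tunnel with the wanted metric. HOME_GATEWAY, FILE_SERVER and ROUTE_METRIC are assumed placeholder values. For reference, the manual's syntax for the config-file directive is route network netmask gateway metric, with the metric as a plain fourth argument, which is the form the posted config line already uses.

```python
#!/usr/bin/env python3
# Added example (not from the thread or from OpenVPN): an OpenVPN --route-up
# helper that adds a host route to the home file server only when the client
# is away from the home LAN.  HOME_GATEWAY, FILE_SERVER and ROUTE_METRIC are
# assumed placeholder values; replace them with your own.
import os
import platform
import subprocess
import sys

HOME_GATEWAY = "192.168.1.1"   # assumed: default gateway handed out by the home router
FILE_SERVER = "192.168.1.50"   # assumed: LAN address of the file server
ROUTE_METRIC = 10              # metric the thread wants on the added route


def on_home_lan(pre_vpn_gateway, home_gateway=HOME_GATEWAY):
    """True when the default gateway the system had before the tunnel came up
    is the home router.  OpenVPN exports that gateway to route-up scripts as
    the environment variable route_net_gateway."""
    return pre_vpn_gateway == home_gateway


def build_route_command(pre_vpn_gateway, vpn_gateway, system=None):
    """Return the platform-specific command that adds a /32 route to the file
    server via the tunnel, or None when the client is at home and no route
    should be added at all.

    vpn_gateway is OpenVPN's route_vpn_gateway (the tunnel's remote endpoint).
    A /32 host route is more specific than the on-link /24 of any LAN the
    laptop joins, so longest-prefix matching already prefers it; the metric
    only breaks ties between routes of equal prefix length.
    """
    if on_home_lan(pre_vpn_gateway):
        return None
    if not vpn_gateway:
        raise ValueError("route_vpn_gateway is not set; is 'dev tun' in use?")
    system = system or platform.system()
    if system == "Windows":
        # Windows: route ADD <dest> MASK <mask> <gateway> METRIC <n>
        return ["route", "add", FILE_SERVER, "mask", "255.255.255.255",
                vpn_gateway, "metric", str(ROUTE_METRIC)]
    # Linux (iproute2): ip route add <dest>/32 via <gateway> metric <n>
    return ["ip", "route", "add", FILE_SERVER + "/32", "via", vpn_gateway,
            "metric", str(ROUTE_METRIC)]


def run_from_environment(env=None, execute=True):
    """Entry point used when OpenVPN invokes this script via --route-up.
    Returns the command that was (or, with execute=False, would be) run,
    or None when no route is added."""
    env = os.environ if env is None else env
    cmd = build_route_command(env.get("route_net_gateway", ""),
                              env.get("route_vpn_gateway", ""))
    if cmd is None:
        print("route-up: on home LAN, adding no routes")
        return None
    print("route-up: " + " ".join(cmd))
    if execute:
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # "--dry-run" prints the decision without touching the routing table,
    # which is the safe way to test the logic before wiring it into OpenVPN.
    run_from_environment(execute="--dry-run" not in sys.argv)
```

Wiring it in: keep script-security 2 (already in the posted config), add route-nopull so the server cannot push routes of its own, and point route-up at the script; on Windows I assume a small .bat wrapper that calls the Python interpreter with this file, since the route-up directive expects a command OpenVPN can launch. Two practical caveats: the gateway address alone is a weak fingerprint for "I am at home" (many consumer routers default to 192.168.1.1, so an away network could look like home and no route would be added); and because route-up scripts run with the privileges of the OpenVPN service, the script file should be owned by root or Administrator and not writable by other users, which is the same care one would take with any command the service executes.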
 

boughouri

Level 1
Jul 18, 2020
10
You can set this up by using a split tunnel approach with some custom routing rules. Set up a script or a rule on your VPN client to detect when you’re on your local network and disable the VPN routing in that case. Then, when you're off your LAN, have it automatically route through the VPN. Some VPN clients have this feature built-in, but if not, you can usually create a simple script to handle it based on your IP range or gateway.
 
