Hi all,
I have an OPNsense 22.7_4 box that also runs an OpenVPN server. The VPN is set up so that only traffic destined for 192.168.0.0/24 gets routed through the VPN; all other traffic goes through the clients' 'normal' internet connection.
However, we have some IP ranges that are only reachable from the office IP, so those need to be routed through the VPN.
Question: How and where do I configure this? I have a firewall alias containing all IP ranges.
Any help is greatly appreciated.
Add these IP addresses to the "local networks" in your OpenVPN server configuration.
Thanks, problem is that the IPs are AWS IP ranges of 3 regions, so it's about 300 IP ranges.
Yes, but that's the only solution I know of. Write a script that outputs them in a single line like "1.2.3.4/32,5.6.7.8/32,..." - without spaces, important - then use copy & paste.
Gotcha, tried that, but now I'm getting a bunch of 'Route addition failed using service' errors when connected, please see the attached log file.
EDIT: Some routes seem to get added, but the majority don't...
Logfile says it: "the object already exists". Seems like you have overlaps.
And - if you want to route - you should really use a tun device and a dedicated VPN network.
That's the weird thing, there are no overlaps.
I have pasted all ranges into notepad++ and checked for duplicates, there are none.
What do you mean by tun device and a dedicated VPN network?
I have currently set up the server using the guide below, which is the setup I need. A single VPN server for ~50 clients to connect to.
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
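The helper script suggested earlier in the thread, extended with an overlap check: a line-duplicate search in Notepad++ only catches identical lines, whereas a range contained in another range (a /24 inside a /22) is a different line but still an overlap. This is an added Python example, not code from the thread or from OPNsense; it assumes IPv4 ranges, one CIDR per line, and the sample ranges are constructed.

```python
import ipaddress

# Constructed sample input: one exact duplicate line and one range
# (3.5.141.0/24) that is fully contained in another (3.5.140.0/22).
SAMPLE_RANGES = """
3.5.140.0/22
52.95.255.0/28
3.5.140.0/22
3.5.141.0/24
13.248.16.0/25
"""


def parse_ranges(text):
    """Parse one CIDR per line into IPv4Network objects; blanks and '#' comments are skipped.
    strict=True rejects entries whose host bits are set (e.g. 10.0.0.5/24)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def find_overlaps(nets):
    """Return (a, b) pairs of distinct ranges that overlap, including
    containment, which a plain duplicate-line check does not detect."""
    uniq = sorted(set(nets))  # drop exact duplicates first
    pairs = []
    for i, a in enumerate(uniq):
        for b in uniq[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def local_networks_line(nets):
    """Collapse duplicates and contained ranges, then emit the single
    comma-separated line (no spaces) for the OpenVPN 'Local networks' field."""
    return ",".join(str(n) for n in ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_RANGES)
    for a, b in find_overlaps(nets):
        print(f"overlap: {a} <-> {b}")
    print(local_networks_line(nets))
```

Feed it the real export instead of SAMPLE_RANGES and paste the last printed line into the server configuration.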
Device mode: tun. It looks from the log of your Windows client that it is using tap, not tun. But that might be an artefact of the Windows software, I honestly don't know.
How did you specify your addresses? 1.2.3.4/32 or just 1.2.3.4? It might be the case that without the /32 netmask, the software uses the "native" classful netmask of the network in question, not a single host. Please make sure you have /32 everywhere you mean to say "only this single address."
Ah, I see.
I checked the server config, it is in fact using TUN as the device mode.
I specified all ranges with the netmask applied to them, like in the attached file.
No single IP addresses, only ranges.