Author Topic: How to route specific IP ranges over VPN? (Read 1617 times)

mk2394875 · « **on:** August 30, 2022, 11:09:04 am »

Hi all,

I have a OPNSense 22.7_4 box that also runs a OpenVPN server. The VPN is setup so that only traffic destined for 192.168.0.0/24 gets routed through the VPN, all other traffic will go through the clients 'normal' internet connection.

However, we have some IP ranges that are only reachable from the office IP, so those need to be routed through the VPN.

Question: How and where do I configure this? I have a firewall alias containing all IP ranges.

Any help is greatly appreciated.

Patrick M. Hausen · « **Reply #1 on:** August 30, 2022, 11:26:26 am »

Add these IP addresses to the "local networks" in your OpenVPN server configuration.

mk2394875 · « **Reply #2 on:** August 30, 2022, 11:27:52 am »

Thanks, problem is that the IP's are AWS IP ranges of 3 regions, so it's about 300 ip ranges..

Patrick M. Hausen · « **Reply #3 on:** August 30, 2022, 11:44:13 am »

Yes, but that's the only solution I know of. Write a script that outputs them in a single line like "1.2.3.4/32,5.6.7.8/32,..." - without spaces, important - then use copy & paste.

mk2394875 · « **Reply #4 on:** August 30, 2022, 11:58:57 am »

Gotcha, tried that, but now I'm getting a bunch of 'Route addition failed using service' errors when connected, please see attached logfile

EDIT: Some routes seem to get added, but the majority doesn't...

Patrick M. Hausen · « **Reply #5 on:** August 30, 2022, 12:32:17 pm »

Logfile says it: "the object already exists". Seems like you have overlaps.

And - if you want to route - you should really use a tun device and a dedicated VPN network.

mk2394875 · « **Reply #6 on:** August 30, 2022, 01:01:19 pm »

That's the weird thing, there are no overlaps.
I have pasted all ranges into notepad++ and checked for duplicates, there are none.

What do you mean by tun device and a dedicated VPN network?

I have currently setup the server using below guide, which is the setup I need. A single VPN server for ~50 clients to connect to.
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html

Patrick M. Hausen · « **Reply #7 on:** August 30, 2022, 01:12:34 pm »

Device mode: tun. It looks from the log of your Windows client that it is using tap, not tun. But that might be an artefact of the Windows software, I honestly don't know.

How did you specify your addresses? 1.2.3.4/32 or just 1.2.3.4? It might be the case that without the /32 netmask, the software uses the "native" classful netmask of the network in question, not a single host. Please make sure you have /32 everywhere you mean to say "only this single address."

mk2394875 · « **Reply #8 on:** August 30, 2022, 01:16:21 pm »

Ah, I see.

I checked the server config, it is in fact using TUN as the device mode.

I specified all ranges with the netmask applied to them, like in the file attached.
No single IP addresses, only ranges.

Author Topic: How to route specific IP ranges over VPN? (Read 1617 times)

mk2394875

How to route specific IP ranges over VPN?

Patrick M. Hausen

Re: How to route specific IP ranges over VPN?

mk2394875

Re: How to route specific IP ranges over VPN?

Patrick M. Hausen

Re: How to route specific IP ranges over VPN?

mk2394875

Re: How to route specific IP ranges over VPN?

Patrick M. Hausen

Re: How to route specific IP ranges over VPN?

mk2394875

Re: How to route specific IP ranges over VPN?

Patrick M. Hausen

Re: How to route specific IP ranges over VPN?

mk2394875

Re: How to route specific IP ranges over VPN?