Friday, February 15, 2013

Tunnel Internet traffic through OpenVPN per client only

We have been using OpenVPN at the office to access development resources only. So, as long as we have LAN connection to the VPN host server all is good. However, there is the need to direct all traffic including internet through it. It can be useful on public network to have it as a secure tunnel for all traffic to have more peace of mind. I don't want it to apply to every connection, I still prefer using internet non-tunneled on secure local network for speed reason.

Some references assume the setting is to be applied to all connected clients so the setup is set on server config. The notes below move the server-side setting to client so it can be set per client/case only.

Setting things up on the server side

The server is Ubuntu using Shorewall as a Firewall. What is needed on the server side is setting NAT from OpenVPN interface to the internet so the internet traffic from vpn can be forwarded to the outside world. Here's what to do

Allow IP Forwarding in /etc/shorewall/shorewall.conf :

IP_FORWARDING=Yes

add entry to /etc/shorewall/masq :

eth0    [vpn network IP]

allow traffic from vpn to internet on /etc/shorewall/policy :

vpn net ACCEPT

Client Side 


Here's the lines to be added on the client configuration :

redirect-gateway def1
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4


Google DNS used to override whatever exist on client system in case it cannot be accessed through the tunnel.

I make two different .ovpn file with the same keys setting but one has the above setting. This makes it easy to switch between the one for tunneling internet traffic and vpn-lan-only.

That's about it. Below is some source references :

  • http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
  • http://wiki.debian.org/HowTo/shorewall (part about PAT and NAT)


1 comment:

Unknown said...

Thank you it helps !