We have been using OpenVPN at the office to access development resources only, so as long as we have a LAN connection to the VPN host server, all is good. However, there is a need to route all traffic, including internet traffic, through it. On a public network it is useful to have a secure tunnel for all traffic, for more peace of mind. I don't want this to apply to every connection, though; on a trusted local network I still prefer non-tunneled internet for speed.
Some references assume the setting is to be applied to all connected clients, so the setup is done in the server config. The notes below move that server-side setting to the client so it can be enabled per client and per case only.
Setting things up on the server side
The server is Ubuntu using Shorewall as a firewall. What is needed on the server side is NAT from the OpenVPN interface to the internet, so that internet traffic arriving from the VPN can be forwarded to the outside world. Here's what to do:
Allow IP forwarding in /etc/shorewall/shorewall.conf:
Add an entry to /etc/shorewall/masq:
eth0 [vpn network IP]
Allow traffic from vpn to the internet in /etc/shorewall/policy:
vpn net ACCEPT
Here are the lines to be added to the client configuration:
dhcp-option DNS 126.96.36.199
dhcp-option DNS 188.8.131.52
Google DNS is used to override whatever resolver exists on the client system, in case that resolver cannot be reached through the tunnel.
I make two different .ovpn files with the same key settings, but only one has the lines above. This makes it easy to switch between the profile that tunnels internet traffic and the VPN-LAN-only one.
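As an added example (not from the original post), a small shell script that builds the two .ovpn profiles described above from one base config: it copies the base as the LAN-only profile and appends the full-tunnel directives to the second copy. It assumes a base file holding the shared cert/key lines, uses `redirect-gateway def1` (OpenVPN's client-side form of the server's `push "redirect-gateway def1"`, which the post refers to but does not show) together with Google's 8.8.8.8 and 8.8.4.4 as the DNS entries the post calls "Google DNS", and adds a `verify_profile` check so a profile can be confirmed to match its intended mode before use.

```shell
#!/bin/sh
# Added example: build a LAN-only and a full-tunnel OpenVPN client profile
# from one base config (base.ovpn is assumed to hold the shared cert/key lines).
set -eu

# Client-side directives that make the tunnel the default route.
# redirect-gateway def1 is the client equivalent of the server's
# push "redirect-gateway def1"; the DNS servers are the post's "Google DNS"
# (8.8.8.8 / 8.8.4.4 assumed here).
FULL_TUNNEL_DIRECTIVES='redirect-gateway def1
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4'

# make_profiles BASE LAN_OUT FULL_OUT
make_profiles() {
    base=$1; lan_out=$2; full_out=$3
    [ -r "$base" ] || { echo "base config $base not readable" >&2; return 1; }
    # LAN-only profile: the base as-is (only routes the server pushes).
    cp "$base" "$lan_out"
    # Full-tunnel profile: base plus the redirect/DNS directives.
    { cat "$base"
      printf '\n# full tunnel: route all traffic via the VPN\n%s\n' "$FULL_TUNNEL_DIRECTIVES"
    } > "$full_out"
}

# has_directive FILE DIRECTIVE -> 0 if an uncommented line starts with DIRECTIVE
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# verify_profile FILE MODE (lan|full) -> 0 if the profile matches the mode
verify_profile() {
    case $2 in
        full) has_directive "$1" 'redirect-gateway' && has_directive "$1" 'dhcp-option DNS' ;;
        lan)  ! has_directive "$1" 'redirect-gateway' ;;
        *)    echo "unknown mode $2" >&2; return 2 ;;
    esac
}
```

On Windows clients OpenVPN applies `dhcp-option DNS` itself; on Linux the option only takes effect if the profile also runs a resolver-update script through its up/down hooks.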
That's about it. Below are some source references:
- http://wiki.debian.org/HowTo/shorewall (part about PAT and NAT)