Hello,

We are running OpenVPN v2.3.5 using subnet topology.

As configured, connected clients are rerouted totally (full tunnel) 
through the "organizational" network.

Can we configure on the server side particular clients to connect in 
split-tunnel mode and how? Those clients should use their own connection 
to the Internet, but would be able to access some organizational 
networks which would be explicitly declared (how?). Could this be done 
using ccd files?

I guess we could put in a proper place a directive of the sort:

    if $virtual_client_ip == <affected_ip_address> then
       do not "push redirect-gateway def1 bypass-dhcp"
       "push route xxx.xxx.xxx.xxx 255.255.255.0"
    endif

Please advise. Thanks in advance.

Here is the current server configuration:

    port 1795
    proto udp

    fragment 1200
    mssfix 1200
    dev tun2
    topology subnet
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem

    server 10.12.12.0 255.255.255.0

    ifconfig-pool-persist ipp.txt

    client-config-dir ccd
    ccd-exclusive

    push "redirect-gateway def1 bypass-dhcp"

    push "explicit-exit-notify"
    push "dhcp-option DNS 194.xxx.xxx.xxx"
    push "dhcp-option DNS 194.xxx.xxx.xxx"

    keepalive 5 60
    tls-auth ta.key 0

    cipher AES-256-CBC

    comp-lzo

    user root
    group root

    persist-key
    persist-tun

    persist-local-ip
    persist-remote-ip
    push "persist-key"
    push "persist-tun"
    status /var/log/openvpn-status.log 5
    status-version 2
    log-append  /var/log/openvpn.log

    verb 4
    script-security 2

    client-connect /etc/openvpn/client-connect-tasks-srv.sh
    client-disconnect /etc/openvpn/client-disconnect-tasks-srv.sh

    plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf

Nick
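The per-client override Nick is asking for is what `client-config-dir` (the `ccd` directory already in his config) is for: the server looks up a file named after the client certificate's Common Name and applies the directives in it after the global ones. The directive that cancels the global `push "redirect-gateway def1 bypass-dhcp"` is `push-reset`, which discards every global push for that client (the DNS `dhcp-option` lines, `explicit-exit-notify` and the `persist-*` pushes included), so anything the client still needs has to be pushed again in the ccd file. Because the server also sets `ccd-exclusive`, every client must have a ccd file or it is refused; full-tunnel clients can get an empty one. The script below is an added example, not part of the original post or of OpenVPN itself; the CN `alice-laptop`, the `./ccd` location and the internal networks 10.20.0.0/24 and 10.30.5.0/24 are made-up values.

```shell
#!/bin/sh
# Added example: generate per-client ccd files that turn one client into a
# split-tunnel client while the server keeps pushing a full tunnel to the rest.
# Assumptions (constructed, not from the post): client-config-dir is ./ccd,
# the split-tunnel client's certificate CN is "alice-laptop", and the only
# organizational networks it should reach are 10.20.0.0/24 and 10.30.5.0/24.

CCD_DIR="${CCD_DIR:-./ccd}"

# Print the contents of a split-tunnel ccd file.
# $1 = client CN; remaining arguments are "network netmask" pairs to push.
split_tunnel_ccd() {
  cn="$1"; shift
  printf '# split tunnel for %s: keep local default gateway\n' "$cn"
  # push-reset drops ALL global pushes, not only redirect-gateway, so
  # re-push what this client still needs. The DNS dhcp-options are left
  # out on purpose: a split-tunnel client resolves through its own
  # connection; re-add them if it must resolve internal names.
  printf 'push-reset\n'
  printf 'push "explicit-exit-notify"\n'
  printf 'push "persist-key"\n'
  printf 'push "persist-tun"\n'
  # One explicit route per organizational network that should go over the tunnel.
  while [ "$#" -ge 2 ]; do
    printf 'push "route %s %s"\n' "$1" "$2"
    shift 2
  done
}

# Write the ccd file for a client. With ccd-exclusive every client needs a
# file, so a client given no networks gets an empty (full-tunnel) file.
write_ccd() {
  mkdir -p "$CCD_DIR"
  cn="$1"; shift
  if [ "$#" -eq 0 ]; then
    : > "$CCD_DIR/$cn"
  else
    split_tunnel_ccd "$cn" "$@" > "$CCD_DIR/$cn"
  fi
}

# Usage: the split-tunnel client and one ordinary full-tunnel client.
write_ccd alice-laptop 10.20.0.0 255.255.255.0 10.30.5.0 255.255.255.0
write_ccd bob-desktop
```

The file name must match the client certificate's CN exactly (OpenVPN sanitizes the CN, so a CN containing spaces or slashes will not match a file named with them); check the server log at `verb 4` for the line reporting which ccd file was read. Note that the pushed `route` directives only affect routing on the client: the server side still needs the organizational networks reachable from the VPN host (and, since this server runs as `user root`/`group root`, the usual advice is to drop to an unprivileged user once `persist-key`/`persist-tun` are in place, which they are here).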

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users