Hi all,
Is there a way to exclude one single IP from going through OpenVPN on my laptop?
I am connected to my company's network with my private laptop. I can connect to my home network via OpenVPN but then I won't be able to access my company's RDP server anymore.
So I would like to exclude the company's RDP server IP from OpenVPN.
Thanks!
Setup 1: Thinkpad T14s G3, 14" FHD - R7 6850U - 32GB RAM - 2TB Solidigm P44 Pro NVME
Setup 2: Thinkpad X1E G1, 15.6" FHD - i7-8850H - 32GB RAM - NVIDIA GTX 1050Ti - 2x 1TB Samsung 970 Pro NVME
Accessories: Filco Majestouch TKL MX-Brown Mini Otaku, Benq XL2420T (144Hz), Lo(w)gitech G400, Puretrak Talent, Sennheiser HD800S + Meier Daccord FF + Meier Classic FF
I tried the following but it isn't working:
OpenVPN Client Options -> IPv4 -> Routes -> Add:
Address: RDP Server IP
Netmask: 255.255.255.0
Gateway: 0.0.0.0
But I still can't ping the RDP Server IP while connected to the VPN.
I also tried using the gateway from the output of "ip r | grep default" but that doesn't work either.
When connected to the VPN, then "ip r | grep default" will also show a different default gateway with lower metric score.
Last edited by Utini (2022-12-30 13:05:06)
Are you using an openvpn.conf file? If you know the IP address of the IP you do not want routed through the VPN, you know the gateway address of your router that you want the IP address actually routed to (not the vpn) and you use a config file to connect the vpn (not network manager) you can try adding this to your client config file:
route xxx.xxx.xx.xx 255.255.255.255 yyy.yyy.yy.yy
where the x's are the IP of the website you don't want routed through the vpn and the y's are the IP address of your router or default gateway.
How you do that through network manager or some other gui, I do not know.
In network manager gui there is Settings - IPv4 -> Routes.
I tried to add a route there but it doesn't work either.
"ip route | grep default" output:
default via 12.80.102.1 dev enp9s0u1u3u4 proto dhcp src 12.80.102.251 metric 100
So I added the following route to my VPN via network manager gui:
Address: RDP Server IP
Netmask: 255.255.255.255
Gateway: 12.80.102.1
Still not working :S
However, it works if I connect to my home VPN and afterwards connect to my work VPN which has the options in "routes" called "use only for resources on this connection".
There I have added several rules but I already tried adding all those rules to the routes of my home network VPN.. without success.
Last edited by Utini (2023-01-02 06:17:42)
I'm a little confused - where is your location in the context of this thread? Inside your company network? Outside and not at home? At home?
Inside my company's network.
When connected to my company's network via ethernet:
- General internet works (e.g. browsing)
- Connection to company's RDP server works
When connected to my company's network via ethernet with OpenVPN enabled:
- All traffic is routed through my VPN
- General internet works (e.g. browsing)
- Connection to company's RDP server doesn't work (can't ping it)
So I would want to exclude whatever IP/connection is needed from the VPN to make sure I can still reach the RDP server.
Further explanation:
I am running OpenVPN Server on my Router and connect with Arch Linux (KDE / NetworkManager) as client.
So far my VPN Tunnel seems to work and all traffic is routed through the VPN.
However, the output of netstat -rn makes me curious if all routes are really correct?
netstat -rn without OpenVPN connected:
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 12.99.102.1 0.0.0.0 UG 0 0 0 enp9s0u1u3u4
12.99.102.0 0.0.0.0 255.255.254.0 U 0 0 0 enp9s0u1u3u4
netstat -rn with OpenVPN connected (VPN Server 155.120.155.120):
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 12.9.0.1 0.0.0.0 UG 0 0 0 tun0
0.0.0.0 12.99.102.1 0.0.0.0 UG 0 0 0 enp9s0u1u3u4
12.9.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
12.99.102.0 0.0.0.0 255.255.254.0 U 0 0 0 enp9s0u1u3u4
12.99.102.1 0.0.0.0 255.255.255.255 UH 0 0 0 enp9s0u1u3u4
155.120.155.120 12.99.102.1 255.255.255.255 UGH 0 0 0 enp9s0u1u3u4
Additionally I would like to exclude a single IP on my company's network from the VPN.
This is because the company's RDP server is only accessible from local IPs (as it seems).
So when connected to my VPN, and routing all my traffic through my VPN, I would connect to the RDP Server with my VPN IP instead of my local company network IP. That doesn't work.
Let's say the RDP Server IP is 12.99.100.122.
In the NetworkManager OpenVPN configuration I will add the following IPv4 route:
Address: 12.99.100.122
Netmask: 255.255.255.255
Gateway: 12.9.0.1
However, I still won't be able to reach the RDP server. I also can't ping it.
Do I have to add additional routes?
netstat -rn with OpenVPN connected and route added to the configuration:
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 12.9.0.1 0.0.0.0 UG 0 0 0 tun0
0.0.0.0 12.99.102.1 0.0.0.0 UG 0 0 0 enp9s0u1u3u4
12.9.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
12.99.100.122 12.99.102.1 255.255.255.255 UGH 0 0 0 tun0
12.99.102.0 0.0.0.0 255.255.254.0 U 0 0 0 enp9s0u1u3u4
12.99.102.1 0.0.0.0 255.255.255.255 UH 0 0 0 enp9s0u1u3u4
12.99.102.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
155.120.155.120 12.99.102.1 255.255.255.255 UGH 0 0 0 enp9s0u1u3u4
Thanks in advance!
Last edited by Utini (2023-01-03 11:39:39)
Your special route is defined on the wrong interface (tun0 - the OpenVPN tunnel device).
Please post the output of
netstat -rne
when connected to your OpenVPN and without the additional route.
Oh crap.. I have tried for days to configure the route on that VPN lol.
Because I thought, since everything goes through the VPN, I need to tell the VPN to "passthrough" a specific IP.
Anyway, netstat -rne with OpenVPN but without any routes:
0.0.0.0 12.9.0.1 0.0.0.0 UG 50 0 0 tun0
0.0.0.0 12.99.102.1 0.0.0.0 UG 100 0 0 enp9s0u1u3u4
12.9.0.0 0.0.0.0 255.255.255.0 U 50 0 0 tun0
12.99.102.0 0.0.0.0 255.255.254.0 U 100 0 0 enp9s0u1u3u4
12.99.102.1 0.0.0.0 255.255.255.255 UH 50 0 0 enp9s0u1u3u4
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
155.120.155.120 12.99.102.1 255.255.255.255 UGH 50 0 0 enp9s0u1u3u4
"155.120.155.120" is the IP I need to be able to ping / the IP that I use to connect via RDP.
...the exceptional route must be configured on your company's network, i.e. with gateway 12.99.102.1.
PS: The question remains as to why you route all traffic through your home VPN in the first place.
If you only want to access services on your home network through it, it should be sufficient to just route the VPN and your home network behind it and refrain from using the VPN interface as a default gateway.
Last edited by schard (2023-01-03 12:00:43)
Inofficial first vice president of the Rust Evangelism Strike Force
So I will have to add the route in Networkmanager on my ethernet connection? Like the example below?
Address: RDP Server IP
Netmask: 255.255.255.255
Gateway: 12.99.102.1
@Edit: Setting above route won't let me ping the RDP server IP when connected to the VPN.
PS: The question remains as to why you route all traffic through your home VPN in the first place.
If you only want to access services on your home network through it, it should be sufficient to just route the VPN and your home network behind it and refrain from using the VPN interface as a default gateway.
Because I also want to exclude any of my private traffic (or basically my host traffic) from my company's network.
Basically my private laptop acts like a host computer. The RDP connection is my actual working computer.
So everything happening on my laptop should stay private. Does that make sense?
Last edited by Utini (2023-01-03 12:37:51)
What's the output of "ip route" after you set up the above route and connected to your VPN?
Ahh I think I got it now. I had to manually disconnect and re-connect the adapter / connection to apply the route.
Pinging the RDP works now.
So now all my traffic, except for requests on that one and only IP (155.120.155.120) should go over my OpenVPN connection and be encrypted/invisible from my company's network?
ip route without OpenVPN connected:
default via 12.99.102.1 dev enp9s0u1u3u4 proto dhcp src 12.99.102.251 metric 100
12.99.102.0/23 dev enp9s0u1u3u4 proto kernel scope link src 12.99.102.251 metric 100
12.99.102.1 dev enp9s0u1u3u4 proto static scope link metric 100
155.120.155.120 via 12.99.102.1 dev enp9s0u1u3u4 proto static metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
ip route with OpenVPN connected:
default via 12.9.0.1 dev tun0 proto static metric 50
default via 12.99.102.1 dev enp9s0u1u3u4 proto dhcp src 12.99.102.251 metric 100
12.9.0.0/24 dev tun0 proto kernel scope link src 12.9.0.2 metric 50
12.99.102.0/23 dev enp9s0u1u3u4 proto kernel scope link src 12.99.102.251 metric 100
12.99.102.1 dev enp9s0u1u3u4 proto static scope link metric 50
12.99.102.1 dev enp9s0u1u3u4 proto static scope link metric 100
155.120.155.120 via 12.99.102.1 dev enp9s0u1u3u4 proto static metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
166.130.125.100 via 12.99.102.1 dev enp9s0u1u3u4 proto static metric 50
RDP Server IP: 155.120.155.120
OpenVPN Server IP: 166.130.125.100
Pages: 1
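Added example, not part of any post in this thread: a longest-prefix-match lookup over the `ip route` output from the last post, showing which interface a destination leaves through and which prefixes stay outside the tunnel. The helper names (`parse_routes`, `lookup`, `outside_tunnel`) are illustrative, 8.8.8.8 is a constructed sample destination, and the model ignores policy routing and the `linkdown` flag.

```python
import ipaddress

# `ip route` with OpenVPN connected, copied from the last post above.
ROUTES_VPN_UP = """\
default via 12.9.0.1 dev tun0 proto static metric 50
default via 12.99.102.1 dev enp9s0u1u3u4 proto dhcp src 12.99.102.251 metric 100
12.9.0.0/24 dev tun0 proto kernel scope link src 12.9.0.2 metric 50
12.99.102.0/23 dev enp9s0u1u3u4 proto kernel scope link src 12.99.102.251 metric 100
12.99.102.1 dev enp9s0u1u3u4 proto static scope link metric 50
12.99.102.1 dev enp9s0u1u3u4 proto static scope link metric 100
155.120.155.120 via 12.99.102.1 dev enp9s0u1u3u4 proto static metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown
166.130.125.100 via 12.99.102.1 dev enp9s0u1u3u4 proto static metric 50
"""

def parse_routes(text):
    """Turn `ip route` lines into dicts: net, via, dev, metric."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        opts = dict(zip(tok[1:], tok[2:]))  # each keyword -> the token after it
        routes.append({"net": ipaddress.ip_network(dest), "via": opts.get("via"),
                       "dev": opts["dev"], "metric": int(opts.get("metric", 0))})
    return routes

def lookup(routes, dst):
    """Longest prefix wins; between equal prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r["net"]]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"]))

def outside_tunnel(routes, vpn_dev="tun0"):
    """Every non-default prefix whose traffic does not enter the tunnel."""
    return sorted({str(r["net"]) for r in routes
                   if r["net"].prefixlen > 0 and r["dev"] != vpn_dev})

if __name__ == "__main__":
    table = parse_routes(ROUTES_VPN_UP)
    # 8.8.8.8 is a constructed sample standing in for general internet traffic.
    for dst in ("155.120.155.120", "166.130.125.100", "8.8.8.8"):
        r = lookup(table, dst)
        print(dst, "->", r["dev"], "via", r["via"])
    print("outside tunnel:", outside_tunnel(table))
```

On the live system, `ip route get <address>` reports the kernel's own decision for a single destination.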