You are not logged in.
Disclaimer - I am NOT a networking guru, and what I do know I've picked up piecemeal, and rarely understand what I'm reading.
When I'm working from home, I connect to the office VPN before RDP to the server for my desktop. Works just fine.
However, I just tested (outside of office hours) speeds, and the VPN gets me 20Mbit/s compared to my local 998Mbit/s.
I know that you can restrict VPN to a single process, but I'm blowed if I can understand how.
Can anyone point me to a resource in plain English that will allow me to connect only the RDP via the VPN, whilst leaving everything else to my local connection.
The VPN is Wireguard, but I've converted that to ovpn here. (i.e. I don't use wireguard locally, just ovpn).
I know this sound like a dumb question, but it's well outside my comfort zone. Most stuff I can manage to get there (or I just know how to get there), but networking is a black art to me.
Last edited by Roken (2024-07-24 07:41:10)
Ryzen 5900X 12 core/24 thread - RTX 3090 FE 24 Gb, Asus B550-F Gaming MB, 128Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (2 NvME PCI, 4SSD) + 1 x optical.
Linux user #545703
/ is the root of all problems.
Offline
However, I just tested (outside of office hours) speeds, and the VPN gets me 20Mbit/s compared to my local 998Mbit/s.
Presumably because all traffic is routed through the VPN (a.k.a "full tunnel").
Can anyone point me to a resource in plain English that will allow me to connect only the RDP via the VPN, whilst leaving everything else to my local connection.
This is called a "split tunnel" VPN.
The VPN is Wireguard, but I've converted that to ovpn here. (i.e. I don't use wireguard locally, just ovpn).
What? Are you serious? How did you do that?
In OpenVPN configurations the parameter for setting the VPN endpoint as the gateway can either be pushed to the client from the server or set locally via "redirect-gateway". Reference: https://openvpn.net/community-resources … envpn-2-6/
Offline
The VPN is Wireguard, but I've converted that to ovpn here. (i.e. I don't use wireguard locally, just ovpn).
What? Are you serious? How did you do that?In OpenVPN configurations the parameter for setting the VPN endpoint as the gateway can either be pushed to the client from the server or set locally via "redirect-gateway". Reference: https://openvpn.net/community-resources … envpn-2-6/
OK, like I said, networking is a black art to me. I took the wireguard config from a Windows machine. Copied a couple of config files (it's been a while) and fed them in to ovpn.
Whatever I did, it worked. Now, I just need to make it only work with my RDP to work. I know it can be done (Split tunnel - thank you), but the black magic still escapes me.
Ryzen 5900X 12 core/24 thread - RTX 3090 FE 24 Gb, Asus B550-F Gaming MB, 128Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (2 NvME PCI, 4SSD) + 1 x optical.
Linux user #545703
/ is the root of all problems.
Offline
Can you show us your openvpn config file(s) with redacted keys and addresses?
Offline
There's not much to it. ovpn is started with
openvpn --data-ciphers AES-256-CBC --config client.ovpn --auth-user-pass pass.txt
and client.ovpn is
dev tun
client
proto tcp-client
ca ca.crt
cert client.crt
key client.pem
verify-x509-name "O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server"
remote-cert-eku "TLS Web Server Authentication"
remote redacted
redirect-gateway def1
persist-key
persist-tun
verb 3
mute 20
keepalive 10 60
cipher AES-256-CBC
auth SHA256
float
reneg-sec 28800
nobind
mute-replay-warnings
auth-user-pass
Obviously, I'm not sharing the certs or pass.txt.
Ryzen 5900X 12 core/24 thread - RTX 3090 FE 24 Gb, Asus B550-F Gaming MB, 128Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (2 NvME PCI, 4SSD) + 1 x optical.
Linux user #545703
/ is the root of all problems.
Offline
Just comment out the "redirect-gateway" command and add a route with a netmask for the IPv4 space your RDP server is in:
...
remote-cert-eku "TLS Web Server Authentication"
remote redacted
# redirect-gateway def1
route 10.88.66.0 255.255.255.0
persist-key
persist-tun
...
any try to reach the RDP server.
If you only need access to a single IP you can set a host route: "route 10.88.66.212"
BTW: Did you confuse "WatchGuard" with "WireGuard"?
Last edited by -thc (2024-07-18 19:09:40)
Offline
BTW: Did you confuse "WatchGuard" with "WireGuard"?
I did, my bad. Sorry.
I'll give the masking a try.
Thank you.
EDIT: I've made the config changes that you suggested, and I can still connect to the VPN and the RDP. However, all traffic is still routed through the VPN (I can see this via my external IP address, and more tellingly, by running a speedtest on my local machine. My own connection is 1Gbit/s, where via the VPN I get about 20Mbit/s.
Like I said, a complete black art to me, this networking lark.
Last edited by Roken (2024-07-19 07:17:29)
Ryzen 5900X 12 core/24 thread - RTX 3090 FE 24 Gb, Asus B550-F Gaming MB, 128Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (2 NvME PCI, 4SSD) + 1 x optical.
Linux user #545703
/ is the root of all problems.
Offline
When you are connected to the VPN issue the command
ip r
If the "default" (or one of the defaults with the higher valued metric) is still your VPN endpoint, the "redirect" is probably pushed to your client from the VPN server. If that's the case, you have to tell the client to ignore the redirect:
...
remote-cert-eku "TLS Web Server Authentication"
remote redacted
# redirect-gateway def1
pull-filter ignore redirect-gateway
route 10.88.66.0 255.255.255.0
persist-key
persist-tun
...
Last edited by -thc (2024-07-19 08:00:53)
Offline
default via 192.168.0.1 dev eth0 proto dhcp src 192.168.0.24 metric 1002
192.168.0.1 is, obviously, localhost, and 192.168.0.24 is my local machines local IP.
That is the only default. However,
curl -s https://ipinfo.io/ip
Still reports my external IP as that of the VPN, and not my local WAN.
Ryzen 5900X 12 core/24 thread - RTX 3090 FE 24 Gb, Asus B550-F Gaming MB, 128Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (2 NvME PCI, 4SSD) + 1 x optical.
Linux user #545703
/ is the root of all problems.
Offline
That's curious. If you issue the command
ip a
while connected to the VPN has the "tun"-interface an IPv6 address? And what kind of IPv4 address?
Last edited by -thc (2024-07-21 18:45:53)
Offline
ip a
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.X.X/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 REDACYTED scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
I've obviously stripped out lo and eth0 (which are understandably unchanged before and after connection).
Ryzen 5900X 12 core/24 thread - RTX 3090 FE 24 Gb, Asus B550-F Gaming MB, 128Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (2 NvME PCI, 4SSD) + 1 x optical.
Linux user #545703
/ is the root of all problems.
Offline
Is your tunnel (tun) IPv4 192.168.0.X?
Offline
No - it's 192.168.113.X
Ryzen 5900X 12 core/24 thread - RTX 3090 FE 24 Gb, Asus B550-F Gaming MB, 128Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (2 NvME PCI, 4SSD) + 1 x optical.
Linux user #545703
/ is the root of all problems.
Offline
O.K. If the IPv6 address of the tun interface begins with "fe80::" please post your complete IPv4 routing table ("ip r").
If the IPv6 address belongs to any other address space please post your IPv6 routing table ("ip -6 r").
Offline
IPv6 does begin with fe80::
$ ip r
0.0.0.0/1 via 192.168.113.1 dev tun0
default via 192.168.0.1 dev eth0 proto dhcp src 192.168.0.24 metric 1002
128.0.0.0/1 via 192.168.113.1 dev tun0
192.168.0.0/24 dev eth0 proto dhcp scope link src 192.168.0.24 metric 1002
192.168.113.0/24 dev tun0 proto kernel scope link src 192.168.113.12
REDACTED via 192.168.0.1 dev eth0
The redacted IP is the IP of the VPN (i.e. Work)
NB. I appreciate the time you are taking to help with this.
Ryzen 5900X 12 core/24 thread - RTX 3090 FE 24 Gb, Asus B550-F Gaming MB, 128Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (2 NvME PCI, 4SSD) + 1 x optical.
Linux user #545703
/ is the root of all problems.
Offline
Here is what I think happens: The VPN endpoint pushes two additional routes which practically covers the complete IPv4 address space.
0.0.0.0/1 "plus" 128.0.0.0/1 "equals" 0.0.0.0/0
All IPv4 traffic will be routed through the VPN even if the default gateway is unset.
To verify my assumption please do two things:
1. Revert all changes to the OpenVPN config file but keep "redirect-gateway def1" commented out.
The resulting routing table ("ip r") should look exactly like the one you just posted.
2. Look at the routing table ("ip r") when the VPN is off. It should look like this:
default via 192.168.0.1 dev eth0 proto dhcp src 192.168.0.24 metric 100
192.168.0.0/24 dev eth0 proto dhcp scope link src 192.168.0.24 metric 100
Offline
Despite the curious configuration of your VPN endpoint you may still achieve what you want.
1. Comment out the "redirect-gateway def1" command in your client config
...
remote-cert-eku "TLS Web Server Authentication"
remote redacted
# redirect-gateway def1
persist-key
persist-tun
...
2 If the VPN endpoint additionally also pushes the default gateway - the routing table shows the VPN endpoint as a default gateway despite the change above - supress it:
...
remote-cert-eku "TLS Web Server Authentication"
remote redacted
# redirect-gateway def1
pull-filter ignore redirect-gateway
persist-key
persist-tun
...
3. The other routes work as a route for the complete IPv4 address space and can be suppressed as well:
...
remote-cert-eku "TLS Web Server Authentication"
remote redacted
# redirect-gateway def1
pull-filter ignore redirect-gateway
route-nopull
persist-key
persist-tun
...
4. If your RDP server is not in the 192.168.113.0 subnet you have to add a route to it:
...
remote-cert-eku "TLS Web Server Authentication"
remote redacted
# redirect-gateway def1
pull-filter ignore redirect-gateway
route-nopull
route 10.88.66.212
persist-key
persist-tun
...
Offline
@-thc - thank you so much.
All the changes in 4. were required, but it's working. I'm connected to the RDP via the VPN, whilst all my local traffic is now direct.
I have to admit to being a little in awe.
Thank you again.
Ryzen 5900X 12 core/24 thread - RTX 3090 FE 24 Gb, Asus B550-F Gaming MB, 128Gb Corsair DDR4, Cooler Master N300 chassis, 5 HD (2 NvME PCI, 4SSD) + 1 x optical.
Linux user #545703
/ is the root of all problems.
Offline
Offline