Setting OpenVPN client only for other LAN

Hi everyone, I would like to configure an OpenVPN client on OpenWrt so that it is in action only when I request resources from the other LAN.
Example:
Office - OpenVPN Server with RDP Server
Home - OpenVPN Client

I would like that when I am surfing the Internet from home, it does not pass traffic through the VPN, while if I want to connect to the server via RDP it does.
Following the Wiki instructions (https://openwrt.org/docs/guide-user/services/vpn/openvpn/client-luci) getting up to step 5, it works, but even in normal internet browsing it uses the VPN (I can tell because I see the public IP of the office on sites like myip.com etc).
Is there a configuration to make it work as I would like?
Thanks to all! :slight_smile:

Hey,

It sounds like your VPN is currently routing all your internet traffic through the tunnel, but you only want it to route specific traffic (like RDP to your office). Here’s how to fix that:

  1. Disable Default Route for the VPN:
  • Go to Network > Interfaces in LuCI.
  • Edit your OpenVPN interface.
  • Uncheck "Use default gateway" or "Use peer default gateway" (depending on the option available).
  • This stops the VPN from taking over all your internet traffic.
  2. Set up Static Routes for Office Resources:
  • Go to Network > Static Routes in LuCI.
  • Add a new route to your office network (e.g., 192.168.X.X/24), pointing it through the VPN interface.
  3. Update Your Firewall Rules (if needed):
  • Ensure traffic destined for the office network is allowed through the VPN interface.

This setup should let you browse the internet normally at home while routing only office traffic (like RDP) through the VPN. Give it a shot!

Did you try this yourself?

Or is your AI hallucinating?

Not entirely sure what you want. Do you run a concurrent OpenVPN server and OpenVPN client, or do you want some LAN clients to use your OpenVPN client and others to use the WAN?

It can help if you share your config. Please connect to your OpenWRT device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
cat /etc/config/openvpn
for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done
for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done
logread | grep openvpn

BTW, using WireGuard is much faster and easier to set up than OpenVPN.

did this myself

Since you control the OpenVPN server, you should configure this from the server side. OpenVPN follows the paradigm that a client will be mostly automatically configured upon receiving instructions from the server. This is different from, for example, WireGuard, which does not "push" configuration instructions through the link, so each end must be configured locally.

Have the server not push a default route and instead only push a route to the office PC and/or office LAN. The client will install these routes. Since the default route is not changed, the client network will continue to use its local ISP to reach the Internet directly.

I tried to answer everyone at one time, but I exceeded the character limit. I will answer you one by one then :slight_smile:

I understand the logic in your steps (which really seem to be written by AI btw :rofl:). I tried to follow them, however it doesn't work for me: by disabling the default gateway I actually no longer browse via the VPN (and I browse the Internet correctly with my home ISP, which is a step forward!); however, it seems that the route is not working (even though I have configured it correctly), as I cannot reach the RDP server.
The moment I enable the interface with the default route disabled, I stop reaching the RDP server.
I will share all my configurations below to try and get help.

In my home I run the OpenVPN client (via OpenWRT) of my office OpenVPN server (a WatchGuard firewall).
I would like all the devices I have in my home that navigate to an address in the 192.168.1.1/24 network (office) to use the VPN tunnel, but when navigating to any other network (wan, lan) to not use the VPN.
The concept is similar to Branch Office VPN (but one-way in this case).
As I wrote in my response to Yusuf6411, his basic logic in the steps he suggested resonates with me, because it prevents the VPN from taking over in my standard browsing and uses a specific route that routes network traffic only when browsing to an address belonging to the VPN. It doesn't work for me at the moment, though.
I will add the details you asked for below. I hope I didn't hide too much information that seemed private, if I made a mistake please ask!

You are right, I control the OpenVPN server, but there are also other users using it, this makes it difficult for me to go and change the instructions pushed by the server.
If there was a way to configure these directions on OpenWRT that would be great.

Some technical specifications:

ubus call system board

{
        "kernel": "5.15.167",
        "hostname": "Yggdrasill",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX6000",
        "board_name": "asus,tuf-ax6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '[red]'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option ipv6 '0'

config device
        option name 'lan1'
        option macaddr '[red]'

config device
        option name 'lan2'
        option macaddr '[red]'

config device
        option name 'lan3'
        option macaddr '[red]'

config device
        option name 'lan4'
        option macaddr '[red]'

config device
        option name 'lan5'
        option macaddr '[red]'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.128.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '[red]'

config device
        option name 'eth1'

config interface 'wan'
        option device 'eth1.835'
        option proto 'pppoe'
        option username '[red]'
        option password '[red]'
        option ipv6 'auto'
        option peerdns '0'
        list dns '[red]'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config route 'vpn'
        option interface 'lan'
        option target '192.168.50.0/24'
        option gateway '192.168.50.1'

config interface 'guest'
        option proto 'static'
        option device 'phy0-ap1'
        option ipaddr '192.168.6.1'
        option netmask '255.255.255.0'

config interface 'iot'
        option device 'br-iot.20'
        option proto 'static'
        list ipaddr '192.168.20.1/24'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '30'
        option name 'br-lan.30'
        option ipv6 '0'

config interface 'dmz'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'

config device
        option name 'br-iot'
        option type 'bridge'
        list ports 'lan2'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'br-iot'
        option vid '20'
        option name 'br-iot.20'
        option ipv6 '0'

config bridge-vlan
        option device 'br-iot'
        option vlan '20'
        list ports 'lan2:u*'

config device
        option name 'phy0-ap0'
        option ipv6 '0'

config device
        option name 'phy0-ap1'
        option ipv6 '0'

config device
        option name 'phy1-ap0'
        option ipv6 '0'

config interface 'openvpn_[red-the vpn client profile of this post][red]'
        option proto 'none'
        option device 'tun2'
        option defaultroute '0'

config route
        option interface 'lan'
        option target '192.168.1.1/24'
        option gateway '192.168.16.1'

config route
        option interface 'openvpn_[red-the vpn client profile of this post][red]'
        option target '192.168.1.1/24'
        option gateway '192.168.16.1'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel '8'
        option band '2g'
        option htmode 'HE20'
        option country 'IT'
        option cell_density '0'
        option he_su_beamformee '1'
        option he_bss_color '8'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '[red]'
        option encryption 'sae-mixed'
        option key '[red]'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel '140'
        option band '5g'
        option htmode 'HE80'
        option country 'IT'
        option cell_density '0'
        option he_su_beamformee '1'
        option he_bss_color '8'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '[red]'
        option encryption 'sae-mixed'
        option key '[red]'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid '[red]'
        option encryption 'sae-mixed'
        option network 'guest'
        option key '[red]'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,[red]'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,1.1.1.1,8.8.8.8'

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,1.1.1.1,8.8.8.8'

config dhcp 'dmz'
        option interface 'dmz'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option ' 6,1.1.1.1,8.8.8.8'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'tun0'
        list device 'tun1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'openvpn_[red-the vpn client profile of this post][red]'
        list device 'pppoe-wan'
        list device 'tun2'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'ovpn'
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-TCP-OpenVPN'
        list proto 'tcp'
        option src 'wan'
        option dest_port '8443'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Allow-Guest-DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-Guest-DHCP'
        list proto 'udp'
        option src 'guest'
        option dest_port '67'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Redirect DNS Query to PiHole'
        option src 'lan'
        option src_ip '![red]'
        option src_dport '53'
        option dest_ip '[red]'
        option dest_port '53'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Redirect WAN'
        option src 'wan'
        option src_ip '192.168.128.0/24'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '[red]'
        option dest_port '443'

config nat
        option name 'PiHole Nat DNS'
        list proto 'tcp'
        list proto 'udp'
        option src 'lan'
        option dest_ip '[red]'
        option dest_port '53'
        option target 'MASQUERADE'

config rule
        option name 'Block-Public-DoT'
        option src 'lan'
        option dest 'wan'
        option dest_port '853'
        option target 'REJECT'
        list src_ip '![red]'

config rule
        option name 'Block-Public-DNS'
        option src 'lan'
        option dest_port '443'
        option target 'REJECT'
        list dest_ip '1.1.1.1'
        list dest_ip '1.0.0.1'
        list dest_ip '8.8.8.8'
        list dest_ip '8.8.4.4'
        option dest 'wan'
        option enabled '0'
        list src_ip '![red]'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Redirect DoT Query to PiHole'
        option src 'lan'
        option src_ip '![red]'
        option src_dport '853'
        option dest_ip '[red]'
        option dest_port '53'
        option enabled '0'

config zone
        option name 'dmz'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'dmz'

config forwarding
        option src 'dmz'
        option dest 'wan'

config zone
        option name 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'iot'

config forwarding
        option src 'iot'
        option dest 'wan'

config rule
        option name 'Allow-DMZ-DHCP'
        list proto 'udp'
        option src 'dmz'
        option target 'ACCEPT'
        option dest_port '67'

config rule
        option name 'Allow-DMZ-DNS'
        option src 'dmz'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-IoT-DNS'
        option src 'iot'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-IoT-DHCP'
        list proto 'udp'
        option src 'iot'
        option dest_port '67'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'dmz'

config forwarding
        option src 'lan'
        option dest 'iot'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Reverse-Proxy-HTTP-Trusted'
        option src 'wan'
        option src_ip '[red]'
        option src_dport '80'
        option dest_ip '[red]'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Reverse-Proxy-HTTPS-Trusted'
        option src 'wan'
        option src_ip '[red]'
        option src_dport '443'
        option dest_ip '[red]'
        option dest_port '443'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Reverse-Proxy-HTTPS-Trusted-2'
        option src 'wan'
        option src_dport '443'
        option src_ip '[red]'
        option dest_ip '[red]'
        option dest_port '443'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'RDP-x-Trusted'
        option src 'wan'
        option src_ip '[red]'
        option src_dport '3389'
        option dest_ip '[red]'
        option dest_port '3389'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'RDP-x-Trusted-2'
        option src 'wan'
        option src_ip '[red]'
        option src_dport '3389'
        option dest_ip '[red]'
        option dest_port '3389'

config redirect
        option dest 'dmz'
        option target 'DNAT'
        option name 'Reverse-Proxy'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_port '80'
        option dest_ip '[red]'

config redirect
        option dest 'dmz'
        option target 'DNAT'
        option name 'Reverse-Proxy-HTTPS'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '[red]'
        option dest_port '443'

config nat
        option name 'SNAT TLC'
        option src '*'
        option target 'SNAT'
        option snat_ip '[red]'
        option dest_ip '[red]'
        list proto 'all'
        option enabled '0'

config rule
        option name 'Drop-TLC'
        list proto 'all'
        option src 'iot'
        list src_mac '[red]'
        option dest 'wan'
        option target 'REJECT'

ip route show

default via 192.168.100.1 dev pppoe-wan
192.168.6.0/24 dev phy0-ap1 scope link  src 192.168.6.1
192.168.9.0/24 dev tun0 scope link  src 192.168.9.1
192.168.9.0/24 dev tun1 scope link  src 192.168.9.1
192.168.20.0/24 dev br-iot.20 scope link  src 192.168.20.1
192.168.30.0/24 dev br-lan.30 scope link  src 192.168.30.1
192.168.100.1 dev pppoe-wan scope link  src [red]
192.168.128.0/24 dev br-lan scope link  src 192.168.128.1
[red - my Office VPN Public IP Address] via 192.168.100.1 dev pppoe-wan

cat /etc/config/openvpn
I also have an OpenVPN server (one TCP, one UDP) configured on my home OpenWRT.

config openvpn 'server'
        option enabled '1'
        option config '/etc/openvpn/server.conf'

config openvpn 'tcpvpn'
        option config '/etc/openvpn/tcpvpn.ovpn'
        option enabled '1'

config openvpn '[red-the vpn client of this post]'
        option config '/etc/openvpn/red-the vpn client of this post.ovpn'
        option enabled '1'

for ovpn in $(ls /etc/openvpn/*.ovpn);do echo $ovpn; cat $ovpn; echo;done

/etc/openvpn/client.ovpn
user nobody
group nogroup
dev tun
nobind
client
remote [red].ns0.it 1194 udp
auth-nocache
remote-cert-tls server
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 client key-----
[red]
-----END OpenVPN tls-crypt-v2 client key-----
</tls-crypt-v2>
<key>
-----BEGIN PRIVATE KEY-----
[red]
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
[red]
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
[red]
-----END CERTIFICATE-----
</ca>

/etc/openvpn/[red-the vpn client of this post].ovpn
dev tun
client
proto tcp
<ca>
-----BEGIN CERTIFICATE-----
[red]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[red]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[red]
-----END PRIVATE KEY-----
</key>
remote-cert-eku "TLS Web Server Authentication"
remote [red the public ip address of the client vpn of this post] 8443
remote 10.0.1.2 8443
redirect-gateway def1
persist-key
persist-tun
verb 3
mute 20
keepalive 10 60
cipher AES-256-CBC
auth SHA256
float
reneg-sec 28800
nobind
mute-replay-warnings
auth-user-pass /etc/openvpn/[red-the vpn client of this post].auth
tls-version-min 1.2
;remember_connection 1
;auto_reconnect 1

/etc/openvpn/tcpvpn.ovpn
user nobody
group nogroup
dev tun
port 8443
proto tcp
server 192.168.9.0 255.255.255.0
topology subnet
client-to-client
keepalive 10 60
persist-tun
persist-key
push "dhcp-option DNS 192.168.9.1"
push "dhcp-option DOMAIN lan"
push "redirect-gateway def1"
push "persist-tun"
push "persist-key"
<dh>
-----BEGIN DH PARAMETERS-----
[red]
-----END DH PARAMETERS-----
</dh>
<tls-crypt-v2>
-----BEGIN OpenVPN tls-crypt-v2 server key-----
[red]
-----END OpenVPN tls-crypt-v2 server key-----
</tls-crypt-v2>
<key>
-----BEGIN PRIVATE KEY-----
[red]
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
[red]
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
[red]
-----END CERTIFICATE-----
</ca>

for vpn in $(ls /tmp/etc/openvpn*.conf);do echo $vpn;cat $vpn;echo;done

ls: /tmp/etc/openvpn*.conf: No such file or directory

logread | grep openvpn

Fri Jan 10 21:59:59 2025 daemon.warn openvpn[red-the vpn client profile of this post][6057]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Fri Jan 10 21:59:59 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: OpenVPN 2.5.8 aarch64-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Fri Jan 10 21:59:59 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: library versions: OpenSSL 3.0.15 3 Sep 2024, LZO 2.10
Fri Jan 10 21:59:59 2025 daemon.warn openvpn[red-the vpn client profile of this post][6057]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jan 10 21:59:59 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: TCP/UDP: Preserving recently used remote address: [AF_INET][red-the public ip address of vpn client profile of this post]:8443
Fri Jan 10 21:59:59 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Fri Jan 10 21:59:59 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: Attempting to establish TCP connection with [AF_INET][red-the public ip address of vpn client profile of this post]:8443 [nonblock]
Fri Jan 10 21:59:59 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: TCP connection established with [AF_INET][red-the public ip address of vpn client profile of this post]:8443
Fri Jan 10 21:59:59 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: TCP_CLIENT link local: (not bound)
Fri Jan 10 21:59:59 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: TCP_CLIENT link remote: [AF_INET][red-the public ip address of vpn client profile of this post]:8443
Fri Jan 10 22:00:00 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: TLS: Initial packet from [AF_INET][red-the public ip address of vpn client profile of this post]:8443, sid=3b51bf2f 699e53b6
Fri Jan 10 22:00:00 2025 daemon.warn openvpn[red-the vpn client profile of this post][6057]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jan 10 22:00:00 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: VERIFY OK: depth=1, O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN (SN [red] 2020-10-30 01:53:17 UTC) CA
Fri Jan 10 22:00:00 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: Validating certificate extended key usage
Fri Jan 10 22:00:00 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Jan 10 22:00:00 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: VERIFY EKU OK
Fri Jan 10 22:00:00 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: VERIFY OK: depth=0, O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server
Fri Jan 10 22:00:00 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, peer certificate: 2048 bit RSA, signature: RSA-SHA256
Fri Jan 10 22:00:00 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: [Fireware SSLVPN Server] Peer Connection Initiated with [AF_INET][red-the public ip address of vpn client profile of this post]:8443
Fri Jan 10 22:00:01 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: SENT CONTROL [Fireware SSLVPN Server]: 'PUSH_REQUEST' (status=1)
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: SENT CONTROL [Fireware SSLVPN Server]: 'PUSH_REQUEST' (status=1)
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,block-outside-dns,dhcp-option DOMAIN [red].local,dhcp-option DNS 192.168.1.11,dhcp-option DNS 208.67.222.222,route-gateway 192.168.16.1,topology subnet,ping 10,ping-restart 60,ifconfig 192.168.16.3 255.255.255.0,peer-id 0'
Fri Jan 10 22:00:06 2025 daemon.warn openvpn[red-the vpn client profile of this post][6057]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Fri Jan 10 22:00:06 2025 daemon.err openvpn[red-the vpn client profile of this post][6057]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:2: block-outside-dns (2.5.8)
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: OPTIONS IMPORT: timers and/or timeouts modified
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: OPTIONS IMPORT: --ifconfig/up options modified
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: OPTIONS IMPORT: route options modified
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: OPTIONS IMPORT: route-related options modified
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: OPTIONS IMPORT: peer-id set
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: OPTIONS IMPORT: adjusting link_mtu to 1626
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: Using peer cipher 'AES-256-CBC'
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: net_route_v4_best_gw query: dst 0.0.0.0
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: net_route_v4_best_gw result: via 192.168.100.1 dev pppoe-wan
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: TUN/TAP device tun2 opened
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: net_iface_mtu_set: mtu 1500 for tun2
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: net_iface_up: set tun2 up
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: net_addr_v4_add: 192.168.16.3/24 dev tun2
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: /usr/libexec/openvpn-hotplug up [red-the vpn client profile of this post] tun2 1500 1626 192.168.16.3 255.255.255.0 init
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: net_route_v4_add: [red-the public ip address of vpn client profile of this post]/32 via 192.168.100.1 dev [NULL] table 0 metric -1
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: net_route_v4_add: 0.0.0.0/1 via 192.168.16.1 dev [NULL] table 0 metric -1
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: net_route_v4_add: 128.0.0.0/1 via 192.168.16.1 dev [NULL] table 0 metric -1
Fri Jan 10 22:00:06 2025 daemon.notice openvpn[red-the vpn client profile of this post][6057]: Initialization Sequence Completed
Fri Jan 10 22:02:41 2025 daemon.notice netifd: Interface 'openvpn_[red-the vpn client profile of this post][red-the vpn client profile of this post]' is enabled
Fri Jan 10 22:02:41 2025 daemon.notice netifd: Interface 'openvpn_[red-the vpn client profile of this post][red-the vpn client profile of this post]' has link connectivity
Fri Jan 10 22:02:41 2025 daemon.notice netifd: Interface 'openvpn_[red-the vpn client profile of this post][red-the vpn client profile of this post]' is setting up now
Fri Jan 10 22:02:41 2025 daemon.notice netifd: Interface 'openvpn_[red-the vpn client profile of this post][red-the vpn client profile of this post]' is now up
Fri Jan 10 22:02:41 2025 user.notice firewall: Reloading firewall due to ifup of openvpn_[red-the vpn client profile of this post][red-the vpn client profile of this post] (tun2)

The VPN connects and correctly retrieves the 192.168.16.1 gateway (pushed from the server)

OK, if this is the client to your office we are talking about, I suggest doing the following after making a backup of your config:

Replace dev tun with dev tun11. This is because you have multiple tunnels and, depending on the startup sequence, they are numbered dynamically, while we need a fixed number for the firewall. You might also give the other tunnels a fixed number.
Remove redirect-gateway def1
Add pull-filter ignore "redirect-gateway"
These last two will prevent a default route via OpenVPN.

Now the next step is to add a route to your office 192.168.1.0/24 and to the VPN server.
So add, in this same openvpn config:
route 192.168.1.0 255.255.255.0 vpn_gateway
This one is probably not necessary, as it should be there already, so do not add it unless the route is not there when the tunnel is up:
route 192.168.16.0 255.255.255.0 vpn_gateway

Note these two subnets cannot be used locally on your side!

The only thing left is to add tun11 to your interface definition, so change the interface in /etc/config/network to use tun11 and remove option defaultroute, so that it will look like this:

The interface is already added to the WAN firewall zone, so that should be fine. In the WAN firewall zone you can now remove list device 'tun2'.

Next, some sanitizing: remove this:

Reboot and test again.
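The two fixes proposed in this thread in runnable form, as an added example that is not code from any of the posts: a small POSIX shell script (OpenWrt's BusyBox ash can run it) that applies the client-side edits from the post above (fixed tun device, no local redirect-gateway, a pull-filter that discards the one the WatchGuard pushes, explicit routes through vpn_gateway) and the server-side alternative from the earlier reply (push a route to the office LAN instead of a default route) to constructed copies of the profiles posted earlier, then checks an `ip route show` snapshot for the 0.0.0.0/1 and 128.0.0.0/1 halves that the log above shows redirect-gateway def1 installing. The profile contents, the file names under $WORK and the two route snapshots are constructed for this example; the netifd interface and firewall zone changes still have to be made by hand as described in the post.

```sh
#!/bin/sh
# Added example, not code from the thread. Applies the split-tunnel edits
# discussed above to constructed copies of the posted profiles and checks a
# routing-table snapshot. File names, sample profiles and snapshots are made up.
set -eu

WORK=${TMPDIR:-/tmp}/ovpn-split.$$
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the office client profile (keys, certs and the real
# remote omitted). "redirect-gateway def1" is the line that hijacks all traffic.
cat > "$WORK/office.ovpn" <<'EOF'
dev tun
client
proto tcp
remote 10.0.1.2 8443
redirect-gateway def1
persist-key
persist-tun
auth-user-pass /etc/openvpn/office.auth
EOF

# Constructed stand-in for the home server profile, for the server-side variant.
cat > "$WORK/tcpvpn.conf" <<'EOF'
dev tun
port 8443
proto tcp
server 192.168.9.0 255.255.255.0
push "dhcp-option DNS 192.168.9.1"
push "redirect-gateway def1"
EOF

# split_tunnel_profile SRC DST TUNDEV [NET MASK]...
# Client side: fixed tun name (so firewall rules can reference it), no local
# redirect-gateway, ignore the one pushed by the server, and one
# "route NET MASK vpn_gateway" per NET MASK pair. Running it on its own output
# gives the same file again (routes via vpn_gateway are regenerated from args).
split_tunnel_profile() {
    src=$1; dst=$2; tundev=$3; shift 3
    routes=""
    while [ $# -ge 2 ]; do
        routes="${routes}route $1 $2 vpn_gateway
"
        shift 2
    done
    awk -v tundev="$tundev" -v routes="$routes" '
        $1 == "redirect-gateway" { next }                        # never ask for a default route
        $1 == "pull-filter" && $0 ~ /redirect-gateway/ { next }  # re-added in END
        $1 == "route" && $NF == "vpn_gateway" { next }           # re-added in END
        $1 == "dev" { print "dev " tundev; next }                # fixed device name
        { print }
        END {
            print "pull-filter ignore \"redirect-gateway\""
            printf "%s", routes
        }' "$src" > "$dst"
}

# server_split_push SRC DST NET MASK
# Server side: replace the pushed default route with a pushed route to NET/MASK.
server_split_push() {
    src=$1; dst=$2; net=$3; mask=$4
    awk -v net="$net" -v mask="$mask" '
        $1 == "push" && $2 ~ /^"redirect-gateway/ { print "push \"route " net " " mask "\""; next }
        { print }' "$src" > "$dst"
}

# check_split_tunnel TABLE TUNDEV WANIF OFFICE_PREFIX
# Reads an `ip route show` snapshot; returns 0 only when the default route is
# still on WANIF, the 0.0.0.0/1 and 128.0.0.0/1 halves that redirect-gateway
# def1 installs are absent, and OFFICE_PREFIX is reached through TUNDEV.
check_split_tunnel() {
    table=$1; tundev=$2; wanif=$3; office=$4
    grep -q "^default via [0-9.]* dev $wanif" "$table" || return 1
    grep -Eq '^(0\.0\.0\.0|128\.0\.0\.0)/1 ' "$table" && return 1
    grep -q "^$office via [0-9.]* dev $tundev" "$table" || return 1
    return 0
}

# Constructed snapshots modelled on the posted "ip route show" and log lines:
# BEFORE carries the two /1 halves via the tunnel gateway, AFTER does not.
cat > "$WORK/routes.before" <<'EOF'
default via 192.168.100.1 dev pppoe-wan
0.0.0.0/1 via 192.168.16.1 dev tun2
128.0.0.0/1 via 192.168.16.1 dev tun2
192.168.16.0/24 dev tun2 scope link src 192.168.16.3
192.168.128.0/24 dev br-lan scope link src 192.168.128.1
EOF
cat > "$WORK/routes.after" <<'EOF'
default via 192.168.100.1 dev pppoe-wan
192.168.1.0/24 via 192.168.16.1 dev tun11
192.168.16.0/24 dev tun11 scope link src 192.168.16.3
192.168.128.0/24 dev br-lan scope link src 192.168.128.1
EOF

split_tunnel_profile "$WORK/office.ovpn" "$WORK/office-split.ovpn" tun11 \
    192.168.1.0 255.255.255.0 192.168.16.0 255.255.255.0
server_split_push "$WORK/tcpvpn.conf" "$WORK/tcpvpn-split.conf" 192.168.1.0 255.255.255.0
cat "$WORK/office-split.ovpn"
check_split_tunnel "$WORK/routes.before" tun2 pppoe-wan 192.168.1.0/24 \
    && echo "before: split tunnel" || echo "before: full tunnel (redirect-gateway active)"
check_split_tunnel "$WORK/routes.after" tun11 pppoe-wan 192.168.1.0/24 \
    && echo "after: split tunnel" || echo "after: full tunnel (redirect-gateway active)"
```

On the router itself the same check can be run against the live table after the tunnel reconnects: `ip route show > /tmp/routes; check_split_tunnel /tmp/routes tun11 pppoe-wan 192.168.1.0/24`. The pull-filter is what makes the client-side variant robust when the server cannot be changed: without it, every reconnect re-installs the two /1 routes from the PUSH_REPLY shown in the log, regardless of what netifd's defaultroute option says.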


I think I may love you :heart:
It's working like a charm (also with the route for 192.168.16.0).

Note these two subnets cannot be used locally on your side!

Yes, this is why when I configured my OpenWRT network, I've used 192.168.128.1/24 :rofl:

Really, thanks to all you folks!

Glad it is working and I could be of assistance :slight_smile:

