VPN for smart working (but without overloading the server)

I want to do a trick!

I set up an OpenVPN server at my office ...

on another network, somewhere else, I load the client certificate onto a device running OpenWrt ...

by connecting the PC to this device, all the traffic I produce exits through the VPN tunnel (since the OpenVPN server is the default gateway) ...

I would like to be able to access the network resources on the network where the VPN server is located, but I would like the traffic directed to the internet (any public IP address) not to pass through the VPN and instead leave via the WLAN connection of the OpenWrt device (outside the VPN tunnel), so as not to overload the VPN server.

Thank you for the support; I apologize if I have expressed myself poorly or if the question is not really relevant to the forum, but I believe that, at this moment, solving this question may also be useful to someone else.

My noob solution: OpenVPN as default gateway, then change the route for the internet on the OpenWrt device:

route add 0.0.0.0 dev wlan

(obviously it doesn't work)

Do a split-tunnel VPN and advertise to the client only the addresses of the office. Then the rest of the addresses will be forwarded to your ISP.

yes, the split tunnel was the first solution I had thought of ...

however, the split tunnel only sends to the VPN the traffic for the VPN subnet (10.8.0.0/8, because I'm lazy) ...

in this scenario I have to go into the server to map the devices and manage the routing, and the client, in order to access a remote resource, must know its address...

I don't have to manage all these things with OpenVPN as the default gateway, and I'm happy!

on the device with OpenWrt (and the client certificate) I have 2 interfaces: the wlan, which goes out via its own gateway, and tun0, which goes out via the VPN tunnel; my reasoning is "I keep all the advantages of a VPN as default gateway, but I send the internet traffic out over the wlan" ...

if it is useful, this is the routing table of the OpenWrt device:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.43.1    0.0.0.0         UG    20     0        0 wlan-sta
<server PUB IP> 192.168.43.1    255.255.255.255 UGH   0      0        0 wlan-sta
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
192.168.8.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.43.0    *               255.255.255.0   U     20     0        0 wlan-sta

Currently the VPN server is sending to the clients the prefixes 0.0.0.0/1 and 128.0.0.0/1 to bypass the local default gateway.
You have two options.
Either the server will only advertise the office subnet, or the client will ignore the default gateway and install only the routes for the office.
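The two options in the reply above, written out as OpenVPN config fragments together with a small lint for the client side. This is an added example, not code from the thread or from OpenVPN; the office subnet 192.168.1.0/24, the file names and the `tun` device are assumptions. Note that `route-nopull` and `pull-filter` are client-side options: on the server side the equivalent is simply not pushing `redirect-gateway`.

```shell
#!/bin/sh
# Added example (not from the thread): the two split-tunnel options as
# OpenVPN config fragments, plus a lint that reads a client config and says
# whether the client alone guarantees a split tunnel, whatever the server
# pushes. Office LAN 192.168.1.0/24 and the file names are assumptions.

# Option A: fix it on the server. Do not push redirect-gateway; push only
# the office subnet. Every client then keeps its own ISP default route.
server_split_fragment() {
    cat <<'EOF'
# /etc/openvpn/server.conf (fragment)
# push "redirect-gateway def1 bypass-dhcp"   <- leave this line out
push "route 192.168.1.0 255.255.255.0"
EOF
}

# Option B: fix it on the client. route-nopull accepts the server's pushed
# options except routes, so the office route has to be added by hand.
# pull-filter (OpenVPN 2.4+) is the narrower variant: it drops only the
# pushed redirect-gateway and still accepts pushed routes and DNS.
client_split_fragment() {
    cat <<'EOF'
# client.ovpn (fragment)
client
dev tun
route-nopull
route 192.168.1.0 255.255.255.0
# alternative to route-nopull that keeps the other pushed options:
# pull-filter ignore "redirect-gateway"
EOF
}

# Lint: read a client config on stdin. Exit 0 when the config neither
# carries its own redirect-gateway nor will accept one pushed by the
# server; exit 1 otherwise (i.e. all traffic may still end up in tun0).
client_config_is_split() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*;/ { next }          # comment lines
        $1 == "redirect-gateway"               { local_redirect = 1 }
        $1 == "route-nopull"                   { blocks_push = 1 }
        $1 == "pull-filter" && $2 == "ignore" && $0 ~ /redirect-gateway/ { blocks_push = 1 }
        END { exit (local_redirect || !blocks_push) ? 1 : 0 }
    '
}

# Demonstration: the Option B fragment passes, a default client config
# (which would accept a pushed redirect-gateway) does not.
if client_split_fragment | client_config_is_split; then
    echo "client.ovpn: split tunnel guaranteed by the client"
fi
if ! printf 'client\ndev tun\n' | client_config_is_split; then
    echo "bare client config: depends on what the server pushes"
fi
```

Run the lint against the real file with `client_config_is_split < client.ovpn` on the router; a non-zero exit means the client still relies on the server not pushing `redirect-gateway`.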

I'm trying to execute the second suggestion you gave me; in theory it should be enough to remove the first record of the route table ... right?

sudo route del -net 0.0.0.0 gw 10.8.0.1 netmask 128.0.0.0 dev tun0

obviously the busybox version is from the early 90s and the options I use are not good ...

Nope, not like this:
Like this, or like this.


I think I have solved it, at least in part:

in the OpenVPN server configuration file /etc/openvpn/server.conf

comment out the line for the default gateway:

#push redirect-gateway def1 bypass-dhcp

and insert the route for the local network and the no-pull:

route-nopull
push "route 192.168.1.0 255.255.255.0"

in this way the split tunnel works great and does what I need ...

however!

by loading the certificate into the OpenWrt device, the connected clients can access the resources in the remote LAN (where the VPN server is located) but cannot surf the web ...

I'm using a GL.iNet firmware and I don't know if that is the problem ...
or if I have to manage the routing in the device ...
even if the server should impose the route on the device ...
do I have to put everything in bridge mode and cut the bull's head?

there are no IP conflicts ...

sorry for my terrible English

You'll need to verify that OpenWrt has the proper routes in the routing table. Since the VPN works properly, the route for 192.168.1.0/24 works fine. Is there still a default route via your ISP?


this is the current routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               128.0.0.0       U     0      0        0 tun0
default         192.168.43.1    0.0.0.0         UG    20     0        0 wlan-sta
<VPN pub IP>    192.168.43.1    255.255.255.255 UGH   0      0        0 wlan-sta
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
128.0.0.0       *               128.0.0.0       U     0      0        0 tun0
192.168.1.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun0
192.168.8.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.43.0    *               255.255.255.0   U     20     0        0 wlan-sta

in theory, by removing the first default routing rule, I should have solved the problem ...

No, it wouldn't, because you have another route for 128.0.0.0/128.0.0.0 in the middle.

Remove from client config the redirect gateway too.

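A check for the point made in the reply above: `redirect-gateway def1` never replaces the real 0.0.0.0/0 route, it adds 0.0.0.0/1 and 128.0.0.0/1 via tun0, which are more specific and therefore win, so deleting only the first entry changes nothing. The script below, an added example that is not part of the thread, parses a busybox `route -n` table and reports where the default route, the two def1 halves and the office subnet point. The sample tables are constructed from the shape of the ones posted above, with the server's public IP replaced by a documentation address; `tun0` as the tunnel interface and 192.168.1.0 as the office subnet are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: classify a busybox `route -n` table
# from the OpenWrt client to see whether OpenVPN's "redirect-gateway def1"
# is still winning. def1 leaves the real 0.0.0.0/0 entry alone and adds
# 0.0.0.0/1 plus 128.0.0.0/1 via tun0; both halves have to disappear before
# internet traffic can follow the ISP default route again.
# Usage on the router:  route -n | summarize_routes 192.168.1.0

# Print one line: which interface holds the real default route, how many
# def1 half-routes are installed, and which interface carries the office
# subnet given as $1 (network address as it appears in column 1).
summarize_routes() {
    awk -v office="$1" '
        /^Kernel IP routing table/ || $1 == "Destination" { next }   # headers
        NF < 8 { next }                                               # odd lines
        {
            dest = ($1 == "default") ? "0.0.0.0" : $1
            iface = $8
            # prefix length = number of set bits in the dotted netmask ($3)
            n = 0; split($3, o, "[.]")
            for (i = 1; i <= 4; i++) { x = o[i] + 0; while (x > 0) { n += x % 2; x = int(x / 2) } }
            if (n == 0 && dest == "0.0.0.0") def_iface = iface
            if (n == 1 && (dest == "0.0.0.0" || dest == "128.0.0.0")) halves++
            if (dest == office) office_iface = iface
        }
        END { printf "default_iface=%s def1_halves=%d office_iface=%s\n",
                     def_iface, halves + 0, office_iface }'
}

# Exit 0 only when internet traffic really leaves via the ISP link and the
# office subnet really goes through the tunnel (tun0 is assumed).
split_tunnel_ok() {
    summary=$(summarize_routes "$1")
    case "$summary" in
        *"def1_halves=0"*"office_iface=tun0") ;;
        *) return 1 ;;
    esac
    case "$summary" in
        *"default_iface=tun0"*) return 1 ;;
    esac
    return 0
}

# Constructed sample in the shape of the second table posted above (server
# public IP replaced by 203.0.113.10): the def1 halves are still installed
# even though the office route is there and the server no longer pushes
# redirect-gateway, because the client config still carries it.
BROKEN_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               128.0.0.0       U     0      0        0 tun0
default         192.168.43.1    0.0.0.0         UG    20     0        0 wlan-sta
203.0.113.10    192.168.43.1    255.255.255.255 UGH   0      0        0 wlan-sta
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
128.0.0.0       *               128.0.0.0       U     0      0        0 tun0
192.168.1.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun0
192.168.8.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.43.0    *               255.255.255.0   U     20     0        0 wlan-sta'

# Constructed sample of the same device after redirect-gateway is removed
# from the client config as well: only the ISP default route remains.
FIXED_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.43.1    0.0.0.0         UG    20     0        0 wlan-sta
203.0.113.10    192.168.43.1    255.255.255.255 UGH   0      0        0 wlan-sta
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
192.168.1.0     10.8.0.1        255.255.255.0   UG    0      0        0 tun0
192.168.8.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.43.0    *               255.255.255.0   U     20     0        0 wlan-sta'

printf '%s\n' "$BROKEN_TABLE" | summarize_routes 192.168.1.0
printf '%s\n' "$FIXED_TABLE"  | summarize_routes 192.168.1.0
```

The broken table reports two def1 halves with the office route on tun0 and the real default on wlan-sta, which is exactly the state where removing the first `default` line alone does nothing; the fixed table reports zero halves and passes `split_tunnel_ok`.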

solved the problem: I am using a GL.iNet product that sets a check on the VPN connection, i.e. when the VPN does not send me to the internet, traffic on the WLAN is prevented ... it should be a security system to protect user privacy, and in the end it also makes sense ...

to solve this, this link explains everything:

https://forum.gl-inet.com/t/openvpn-configuration-to-avoid-the-default-redirection-all-through-the-vpn/6519/6

thanks for all the support I hope this post can be useful to others too!

The GL.iNet clone of OpenWrt is beyond our discussion; I had a very bad experience with it.
