Solved

OpenDNS?

Posted on 2011-09-21
Last Modified: 2012-05-12
Hi,

I was looking for a way to route only my Internet traffic via my openvpn connection and stumbled upon opendns.

Can somebody explain to me the practical goal/use of it? I've read the explanation but don't get the full concept and how I could implement it correctly in my config.

Note: I'm working with a dyndns.

Thanks,
J.
Question by:janhoedt
 
LVL 21

Expert Comment

by:Papertrip
ID: 36572042
I'm not totally clear on what you are asking.  Do you want to route internet-bound traffic over one interface and internal-bound traffic over another?
0
 

Author Comment

by:janhoedt
ID: 36572168
Yes, that would be the goal indeed.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36572176
OK then this is not a DNS issue, but rather a routing issue.

Which OS?

paste the output of 'netstat -rn' from cmd.exe or command line.
0

 

Author Comment

by:janhoedt
ID: 36572178
In openvpn you can specify a gateway, but then ALL my traffic is routed over openvpn.
I need to specify which traffic goes over openvpn and which not. Ideal situation would be I could specify:
-lan traffic not over vpn (I can see them in route print)
-internet traffic over vpn with an exception list I can manually edit (if possible)

I might need a proxy on my openvpn network (it's running on a Synology NAS)?
0
 

Author Comment

by:janhoedt
ID: 36572193
Goal is to have this as flexible as possible. Iow I would like to do this on openvpn-client, not on machine.

netstat -rn

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   10.101.161.254  10.101.161.129       1
     10.101.160.0    255.255.254.0   10.101.161.129  10.101.161.129       20
   10.101.161.129  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255   10.101.161.129  10.101.161.129       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.16.1.0    255.255.255.0       172.16.1.5      172.16.1.6       1
       172.16.1.1  255.255.255.255       172.16.1.5      172.16.1.6       1
       172.16.1.4  255.255.255.252       172.16.1.6      172.16.1.6       30
       172.16.1.6  255.255.255.255        127.0.0.1       127.0.0.1       30
   172.16.255.255  255.255.255.255       172.16.1.6      172.16.1.6       30
      192.168.1.0    255.255.255.0       172.16.1.5      172.16.1.6       1
        224.0.0.0        240.0.0.0   10.101.161.129  10.101.161.129       20
        224.0.0.0        240.0.0.0       172.16.1.6      172.16.1.6       30
  255.255.255.255  255.255.255.255   10.101.161.129  10.101.161.129       1
  255.255.255.255  255.255.255.255   10.101.161.129               2       1
  255.255.255.255  255.255.255.255       172.16.1.6      172.16.1.6       1
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36572408
Assuming your openvpn gateway is 10.101.161.254, correct?

What is probably happening is that in your server config you have something like
push "redirect-gateway def1"


which is going to set the default gateway of client machines to be the vpn gateway.

So, if you admin the server, remove that line.  If you are a client only, then set
route-nopull


in the client config and re-add all of the other routes that openvpn adds to your routing table.

Is this a personal VPN or something set up by your employer?  I ask because if this is a work vpn, they probably have a good reason for setting it up how they did.  I don't advocate changing settings if that is the case.
0
 

Author Comment

by:janhoedt
ID: 36572617
Hi,

Thanks for your input!
No, my vpn gateway is 172.16.1.6 (the openvpn server -Synology NAS-).
It's a personal vpn I'm testing with in order to set it up for a small company which has laptops which should be able to connect from anywhere over openvpn (3G, behind proxy etc).

I would like to be able to switch between settings: route all traffic through vpn or not, route specific routes or not, exceptions ...
So I could change the vpn-server, but would prefer to have flexibility on the client-side/make different profiles.

J.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36572713
To easily switch between routing fully over the vpn or not would probably be best handled by adding/removing "push "redirect-gateway def1"" in the server config.

From what I can see, the only thing that can be done client-side is to prevent routes from being pushed by the server, thus requiring all vpn routes that are normally added to be added manually.

I must say that I don't have direct experience with this situation, perhaps someone else can answer if client-specific profiles are an option, or verify if my answers are correct.
0
 

Author Comment

by:janhoedt
ID: 36572811
Settings server:
so if I remove the push routes, these will not be routed by my vpn anymore?

Note: there is no push redirect gateway. Traffic is not all over vpn, only my lan, think you understood that wrong. Would only like to set Internet-traffic over vpn.

SETTINGS VPN-SERVER:
------------------------
DS> vi openvpn.conf
push "route 192.168.1.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
dev tun

management 127.0.0.1 1195

server 172.16.1.0 255.255.255.0


dh /usr/local/synovpn/etc/openvpn/keys/dh1024.pem
ca /usr/local/synovpn/etc/openvpn/keys/ca.crt
cert /usr/local/synovpn/etc/openvpn/keys/server.crt
key /usr/local/synovpn/etc/openvpn/keys/server.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3


#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /usr/local/synovpn/lib/radiusplugin.so /usr/local/synovpn/etc/openvpn/rad
client-cert-not-required
username-as-common-name
duplicate-cn
proto tcp
~



auth-user-pass
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 500 total points
ID: 36575857
Basically here is what needs to be done:

Set up static routes for all internal networks with a gateway of 10.101.161.254
Set the default gateway (0.0.0.0) to 172.16.1.6

You can try setting the default gateway in the server config by using the redirect-gateway statement I posted.  I'm not sure about the "def1" at the end of it, but try it anyways and paste the modified routing table.
0
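
Added example, not part of the original thread: a Python check that applies longest-prefix route selection to rows copied from the routing table posted above, so you can confirm which destinations leave through the VPN interface before and after a change. It also models the two /1 routes that OpenVPN's `redirect-gateway def1` installs, which take precedence over the existing default route without replacing it. The function names are made up for this example, the peer address 172.16.1.5 is read from the posted table, and the host route OpenVPN adds for the server's own public address is left out because that address is not in the thread.

```python
import ipaddress

# Rows copied from the 'netstat -rn' output posted in the thread
# (columns: destination, netmask, gateway, interface, metric).
POSTED_ROUTES = """\
0.0.0.0 0.0.0.0 10.101.161.254 10.101.161.129 1
10.101.160.0 255.255.254.0 10.101.161.129 10.101.161.129 20
172.16.1.0 255.255.255.0 172.16.1.5 172.16.1.6 1
172.16.1.4 255.255.255.252 172.16.1.6 172.16.1.6 30
192.168.1.0 255.255.255.0 172.16.1.5 172.16.1.6 1
"""

VPN_INTERFACE = "172.16.1.6"  # tunnel address in the posted table
VPN_PEER = "172.16.1.5"       # gateway shown for the pushed routes


def parse_routes(text):
    """Turn netstat -rn rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip headers and malformed rows
        dest, mask, gateway, iface, metric = fields
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def select_route(routes, destination):
    """Most specific prefix wins; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]), default=None)


def uses_vpn(routes, destination):
    """True when the selected route leaves through the VPN interface."""
    route = select_route(routes, destination)
    return route is not None and route[2] == VPN_INTERFACE


def with_redirect_gateway_def1(routes):
    """Model 'redirect-gateway def1': add 0.0.0.0/1 and 128.0.0.0/1 via the VPN."""
    extra = [(ipaddress.ip_network(n), VPN_PEER, VPN_INTERFACE, 1)
             for n in ("0.0.0.0/1", "128.0.0.0/1")]
    return routes + extra
```

With the posted table, Internet destinations match only 0.0.0.0/0 and leave through the local gateway; after the two /1 routes are added they go through the tunnel, while 10.101.160.0/23 stays local because its prefix is longer.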
