Solved

OpenDNS?

Posted on 2011-09-21
Last Modified: 2012-05-12
Hi,

I was looking for a way to route only my Internet traffic via my openvpn connection and stumbled upon opendns.

Can somebody explain to me the practical goal/use of it? I've read the explanation but don't get the full concept and how I could implement it correctly in my config.

Note: I'm working with a dyndns.

Thanks,
J.
Question by:janhoedt
 
LVL 21

Expert Comment

by:Papertrip
I'm not totally clear on what you are asking.  Do you want to route internet-bound traffic over one interface and internal-bound traffic over another?
0
 

Author Comment

by:janhoedt
Yes, that would be the goal indeed.
0
 
LVL 21

Expert Comment

by:Papertrip
OK then this is not a DNS issue, but rather a routing issue.

Which OS?

paste the output of 'netstat -rn' from cmd.exe or command line.
0
 

Author Comment

by:janhoedt
In openvpn you can specify a gateway, but then ALL my traffic is routed over openvpn.
I need to specify which traffic goes over openvpn and which not. Ideal situation would be I could specify:
-lan traffic not over vpn (I can see them in route print)
-internet traffic over vpn with an exception list I can manually edit (if possible)

I might need a proxy on my openvpn network (it's running on a Synology NAS)?
0
 

Author Comment

by:janhoedt
Goal is to have this as flexible as possible. Iow I would like to do this on openvpn-client, not on machine.

netstat -rn

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   10.101.161.254  10.101.161.129       1
     10.101.160.0    255.255.254.0   10.101.161.129  10.101.161.129       20
   10.101.161.129  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255   10.101.161.129  10.101.161.129       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.16.1.0    255.255.255.0       172.16.1.5      172.16.1.6       1
       172.16.1.1  255.255.255.255       172.16.1.5      172.16.1.6       1
       172.16.1.4  255.255.255.252       172.16.1.6      172.16.1.6       30
       172.16.1.6  255.255.255.255        127.0.0.1       127.0.0.1       30
   172.16.255.255  255.255.255.255       172.16.1.6      172.16.1.6       30
      192.168.1.0    255.255.255.0       172.16.1.5      172.16.1.6       1
        224.0.0.0        240.0.0.0   10.101.161.129  10.101.161.129       20
        224.0.0.0        240.0.0.0       172.16.1.6      172.16.1.6       30
  255.255.255.255  255.255.255.255   10.101.161.129  10.101.161.129       1
  255.255.255.255  255.255.255.255   10.101.161.129               2       1
  255.255.255.255  255.255.255.255       172.16.1.6      172.16.1.6       1
0
 
LVL 21

Expert Comment

by:Papertrip
Assuming your openvpn gateway is 10.101.161.254, correct?

What is probably happening is that in your server config you have something like
push "redirect-gateway def1"

which is going to set the default gateway of client machines to be the vpn gateway.

So, if you admin the server, remove that line.  If you are a client only, then set
route-nopull

in the client config and re-add all of the other routes that openvpn adds to your routing table.

Is this a personal VPN or something set up by your employer?  I ask because if this is a work vpn, they probably have a good reason for setting it up how they did.  I don't advocate changing settings if that is the case.
0
 

Author Comment

by:janhoedt
Hi,

Thanks for your input!
No, my vpn gateway is 172.16.1.6 (the openvpn server -Synology NAS-).
It's a personal vpn I'm testing with in order to set it up for a small company which has laptops which should be able to connect from anywhere over openvpn (3G, behind proxy etc).

I would like to be able to switch between settings: route all traffic through vpn or not, route specific routes or not, exceptions ...
So I could change the vpn-server, but would prefer to have flexibility on the client-side/make different profiles.

J.
0
 
LVL 21

Expert Comment

by:Papertrip
To easily switch between routing fully over the vpn or not would probably be best handled by adding/removing "push "redirect-gateway def1"" in the server config.

From what I can see, the only thing that can be done client-side is to prevent routes from being pushed by the server, thus requiring all vpn routes that are normally added to be added manually.

I must say that I don't have direct experience with this situation, perhaps someone else can answer if client-specific profiles are an option, or verify if my answers are correct.
0
 

Author Comment

by:janhoedt
Settings server:
so if I remove the push routes, these will not be routed by my vpn anymore?

Note: there is no push redirect gateway. Traffic is not all over vpn, only my lan, think you understood that wrong. Would only like to set Internet-traffic over vpn.

SETTINGS VPN-SERVER:
------------------------
DS> vi openvpn.conf
push "route 192.168.1.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
dev tun

management 127.0.0.1 1195

server 172.16.1.0 255.255.255.0


dh /usr/local/synovpn/etc/openvpn/keys/dh1024.pem
ca /usr/local/synovpn/etc/openvpn/keys/ca.crt
cert /usr/local/synovpn/etc/openvpn/keys/server.crt
key /usr/local/synovpn/etc/openvpn/keys/server.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3


#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /usr/local/synovpn/lib/radiusplugin.so /usr/local/synovpn/etc/openvpn/rad
client-cert-not-required
username-as-common-name
duplicate-cn
proto tcp
~



auth-user-pass
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 500 total points
Basically here is what needs to be done:

Set up static routes for all internal networks with a gateway of 10.101.161.254
Set the default gateway (0.0.0.0) to 172.16.1.6

You can try setting the default gateway in the server config by using the redirect-gateway statement I posted.  I'm not sure about the "def1" at the end of it, but try it anyways and paste the modified routing table.
0
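
The routing decision discussed in this thread, as an added example that is not part of the original posts: a longest-prefix-match lookup over the routes from the posted `netstat -rn` output, showing what `redirect-gateway def1` changes (it adds two /1 routes through the tunnel instead of replacing the default route) and how a more specific route keeps an exception off the VPN. The sample destinations and the `198.51.100.0/24` exception are constructed; `172.16.1.5` is taken as the tunnel next hop because that is the gateway shown in the posted table.

```python
import ipaddress

# Routes copied from the 'netstat -rn' output posted in the thread
# (destination, netmask, gateway, metric); local/broadcast entries omitted.
POSTED_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "10.101.161.254", 1),
    ("10.101.160.0", "255.255.254.0", "10.101.161.129", 20),
    ("172.16.1.0", "255.255.255.0", "172.16.1.5", 1),
    ("192.168.1.0", "255.255.255.0", "172.16.1.5", 1),
]
LOCAL_GW = "10.101.161.254"  # default gateway in the posted table
VPN_GW = "172.16.1.5"        # tunnel next hop in the posted table

# 'redirect-gateway def1' leaves 0.0.0.0/0 in place and adds two /1 routes
# through the tunnel, which win because they are more specific.
DEF1_ROUTES = [
    ("0.0.0.0", "128.0.0.0", VPN_GW, 1),
    ("128.0.0.0", "128.0.0.0", VPN_GW, 1),
]
# Constructed exception (documentation range), the effect of a client line
# 'route 198.51.100.0 255.255.255.0 net_gateway'.
EXCEPTION_ROUTES = [("198.51.100.0", "255.255.255.0", LOCAL_GW, 1)]


def next_hop(dest, routes):
    """Return the gateway chosen by longest-prefix match, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    best_key, best_gw = None, None
    for net, mask, gateway, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if addr in network:
            key = (network.prefixlen, -metric)
            if best_key is None or key > best_key:
                best_key, best_gw = key, gateway
    return best_gw


def uses_vpn(dest, routes):
    """True when the selected next hop is the tunnel gateway."""
    return next_hop(dest, routes) == VPN_GW


if __name__ == "__main__":
    full = POSTED_ROUTES + DEF1_ROUTES + EXCEPTION_ROUTES
    for dest in ("8.8.8.8", "203.0.113.9", "198.51.100.7", "10.101.160.5"):
        print(dest, "before:", next_hop(dest, POSTED_ROUTES),
              "after:", next_hop(dest, full))
```

With the posted table, Internet destinations leave through 10.101.161.254; after the def1 routes are added they go through the tunnel, while the local /23 and the exception network still resolve to the non-VPN path.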
