?
Solved

OpenDNS?

Posted on 2011-09-21
10
Medium Priority
?
366 Views
Last Modified: 2012-05-12
Hi,

I was looking for a way to route only my Internettraffic via my openvpn-conneciton and stumbled upon opendns.

Can somebody explain me the practical goal/use of it? I 've read the explanation but don't get the full concept and how I could implement it correctly in my config.

Note: I'm working with a dyndns.

Thanks,
J.
0
Comment
Question by:janhoedt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
10 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 36572042
I'm not totally clear on what you are asking.  Do you want to route internet-bound traffic over one interface and internal-bound traffic over another?
0
 

Author Comment

by:janhoedt
ID: 36572168
Yes, that would be the goal indeed.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36572176
OK then this is not a DNS issue, but rather a routing issue.

Which OS?

paste the output of 'netstat -rn' from cmd.exe or command line.
0
Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!

 

Author Comment

by:janhoedt
ID: 36572178
In openvpn you can specify a gateway, but then ALL my traffic is routed over openvpn.
I need to specify which traffic goes over openvpn and which not. Ideal situation would be I could specify:
-lan traffic not over vpn (I can see them in route print)
-internet traffic over vpn with an exception list I can manually edit (if possible)

I might need a proxy on my openvpn network (it's running on a Synology NAS)?
0
 

Author Comment

by:janhoedt
ID: 36572193
Goal is to have this as flexible as possible. Iow I would like to do this on openvpn-client, not on machine.

nestat -rn

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   10.101.161.254  10.101.161.129       1
     10.101.160.0    255.255.254.0   10.101.161.129  10.101.161.129       20
   10.101.161.129  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255   10.101.161.129  10.101.161.129       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       172.16.1.0    255.255.255.0       172.16.1.5      172.16.1.6       1
       172.16.1.1  255.255.255.255       172.16.1.5      172.16.1.6       1
       172.16.1.4  255.255.255.252       172.16.1.6      172.16.1.6       30
       172.16.1.6  255.255.255.255        127.0.0.1       127.0.0.1       30
   172.16.255.255  255.255.255.255       172.16.1.6      172.16.1.6       30
      192.168.1.0    255.255.255.0       172.16.1.5      172.16.1.6       1
        224.0.0.0        240.0.0.0   10.101.161.129  10.101.161.129       20
        224.0.0.0        240.0.0.0       172.16.1.6      172.16.1.6       30
  255.255.255.255  255.255.255.255   10.101.161.129  10.101.161.129       1
  255.255.255.255  255.255.255.255   10.101.161.129               2       1
  255.255.255.255  255.255.255.255       172.16.1.6      172.16.1.6       1
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36572408
Assuming your openvpn gateway is 10.101.161.254, correct?

What is probably happening is that in your server config you have something like
push "redirect-gateway def1"

Open in new window

which is going to set the default gateway of client machines to be the vpn gateway.

So, if you admin the server, remove that line.  If you are a client only, then set
route-nopull

Open in new window

in the client config and re-add all of the other routes that openvpn adds to your routing table.

Is this a personal VPN or something setup by your employer?  I ask because if this is a work vpn, they probably have a good reason for setting it up how they did.  I don't advocate changing settings if that is the case.
0
 

Author Comment

by:janhoedt
ID: 36572617
Hi,

Thanks for your input!
No, my vpn gateway is 172.16.1.6 (the openvpn server -Synology NAS-).
It's a personal vpn I'm testing with in order to set it up for a small company which has laptops which should be able to connect from anywhere over openvpn (3G, behind proxy etc).

I would like to be able to switch between settings: route all traffic through vpn or not, route specific routes or not, exceptions ...
So I could change the vpn-server, but would prefer to have flexibility on the client-side/make different profiles.

J.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36572713
To easily switch between routing fully over the vpn or not would probably be best handled by adding/removing "push "redirect-gateway def1"" in the server config.

From what I can see, the only thing that can be done client-side is to prevent routes from being pushed by the server, thus requiring all vpn routes that are normally added to be added manually.

I must say that I don't have direct experience with this situation, perhaps someone else can answer if client-specific profiles are an option, or verify if my answers are correct.
0
 

Author Comment

by:janhoedt
ID: 36572811
Settings server:
so if I remove the push routes, these will not be routed by my vpn anymore?

Note: there is no push redirect gateway. Traffic is not all over vpn, only my lan, think you understood that wrong. Would only like to set Internet-traffic over vpn.

SETTINGS VPN-SERVER:
------------------------
DS> vi openvpn.conf
push "route 192.168.1.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
dev tun

management 127.0.0.1 1195

server 172.16.1.0 255.255.255.0


dh /usr/local/synovpn/etc/openvpn/keys/dh1024.pem
ca /usr/local/synovpn/etc/openvpn/keys/ca.crt
cert /usr/local/synovpn/etc/openvpn/keys/server.crt
key /usr/local/synovpn/etc/openvpn/keys/server.key

max-clients 5

comp-lzo

persist-tun
persist-key

verb 3


#log-append /var/log/openvpn.log

keepalive 10 60
reneg-sec 0

plugin /usr/local/synovpn/lib/radiusplugin.so /usr/local/synovpn/etc/openvpn/rad
client-cert-not-required
username-as-common-name
duplicate-cn
proto tcp
~



auth-user-pass
0
 
LVL 21

Accepted Solution

by:
Papertrip earned 2000 total points
ID: 36575857
Basically here is what needs to be done:

Setup static routes for all internal networks with a gateway of 10.101.161.254
Set the default gateway (0.0.0.0) to 172.16.1.6

You can try setting the default gateway in the server config by using redirect-gateway statement I posted.  I'm not sure about the "def1" at the end of it, but try it anyways and paste the modified routing table.
0

Featured Post

New benefit for Premium Members - Upgrade now!

Ready to get started with anonymous questions today? It's easy! Learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the most often confused topics in the area DNS is the idea of GLUE records. Specifically, what they are, when they are needed, when they are provided, and how they are created. First, WHAT IS GLUE? To understand GLUE, you must first under…
I've written instructions for one router type, but this principle may be useful for others of the same brand and even other brands of router. Problem: I had an issue especially with mobile devices that refused to use DNS information supplied via…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question