Solved

Openvpn set metric on route?

Posted on 2014-04-04
3,703 Views
Last Modified: 2014-06-12
Hi,

My local lan has same ip range as remote: 192.168.2.x.
Can I set a metric on routes to solve this?

J.
Question by:janhoedt
16 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 39978064
Metric can help here in distinguishing two subnets sharing the same scope, because in a routing table, subnet and mask are just the factors used to identify a network.

If you want to access both subnets or each other at the same time, one of them should be using a different IP schema or hiding behind a NAT gateway.
0
 

Author Comment

by:janhoedt
ID: 39978104
I only need one subnet at a time. Only the remote when I connect via vpn. So what should I add then and where?
It would be nice to do this on client as well as having possibility on server too.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40012989
I believe the ideal way to get around this is to use dynamic IP pools so that you can NAT to the remote site. I like this method a lot since it allows access to both local and remote.

That being said the quick and dirty way to get this to work without configuring complex DIP pools is to disable split-tunneling.

This will force all traffic through the VPN, even for your local subnet. Beware that if you have local network printers they will not be usable, and of course all your internet traffic will go through the VPN.
0
 

Author Comment

by:janhoedt
ID: 40019516
Please clarify the dynamic ip pools.

2nd option is not valid for me.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40019916
Hi janhoedt, in an earlier post you stated: "I only need one subnet at a time. Only the remote when I connect via vpn. So what should I add then and where?"

The 2nd option gives you exactly this scenario.

If you still can not use this option, you can create static routes for specific IP addresses in your route table and point them to the VPN gateway, while leaving your route table default gateway pointing to your regular internet connection.
0
 

Author Comment

by:janhoedt
ID: 40020119
On Ophone 2nd option is ok.
0

Author Comment

by:janhoedt
ID: 40092987
>If you still can not use this option, you can create static routes for specific IP addresses in your route table
Please specify how. I'd like to do this within the config of OpenVPN, in other words it should push these routes from its config file so that every PC that runs OpenVPN has these routes.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 40127079
The config file may include the corresponding route commands. Choose the subnet mask to be more specific than the local one to force precedence. Usually you set up host routes for single IPs, but you can also use subnets.
You have the choice to include the routing commands in each local client config file (having more flexibility but more admin effort), or centrally in the server's config file. You only need to do one of both, and I recommend to push the routes from server on connection:
# a single IP
push "route 192.168.2.1 255.255.255.255"
# a subrange of the network: .248-.255
push "route 192.168.2.248 255.255.255.248"
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 40127094
You can also use the other approach to direct all traffic to OpenVPN with
redirect-gateway def1

on client or
push "redirect-gateway def1"

on server.
0
 

Author Comment

by:janhoedt
ID: 40127106
I know the commands thanks. I know the redirect gateway options and I don't want to use it.
The routes are already pushed. As mentioned, I need to put a metric on the route, that's all I need.
Can that be done on the push route?
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40127143
Yes, but since the local routes have a better metric, it will get difficult to manage it that way. In fact you do not need the metric! As I said, a host route (or any route with a more restrictive subnet mask) has precedence over a more generic one. Since the local network is 192.168.2.0/24, any more specific route, up to 192.168.2.0/25 and 192.168.2.128/25, leads to redirecting the corresponding traffic via OpenVPN.

"I know the commands thanks." - obviously you do not. Else you would be able to look into the manual, which clearly tells what the options for the route command are. The man page is always what you should look first at if you need a config option for OpenVPN. The syntax is
route network/IP [netmask] [gateway] [metric]
You can use "default" or vpn_gateway for gateway to keep it dynamic.
0
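To make the precedence argument from the accepted solution (and the push lines from Qlemo's earlier comment) concrete, here is an added example that is not part of the original thread. It builds the server-side push directives that split the overlapping 192.168.2.0/24 into two /25 halves, then simulates a host's forwarding lookup (longest prefix first, metric only as a tie-breaker) to show that the split routes win over the LAN route regardless of metric, while a pushed /24 with a worse metric would lose to it. The interface names, the metrics 10 and 30, and the test addresses are assumptions; the literal string vpn_gateway is left for OpenVPN to expand as the man page describes.

```python
import ipaddress

# Constructed example (not from the thread): the overlapping LAN from the question.
# Interface names and metrics are assumptions chosen to mirror a typical host table.
LAN = ipaddress.ip_network("192.168.2.0/24")


def push_lines(net, gateway="vpn_gateway", metric=None):
    """Build server-side 'push "route ..."' directives that split `net` into two
    halves, each one bit longer than the LAN prefix, so longest-prefix match
    sends them over the tunnel. Directive syntax: route network netmask [gateway] [metric]."""
    net = ipaddress.ip_network(net)
    lines = []
    for half in net.subnets(prefixlen_diff=1):
        fields = ["route", str(half.network_address), str(half.netmask), gateway]
        if metric is not None:
            fields.append(str(metric))
        lines.append('push "%s"' % " ".join(fields))
    return lines


def lookup(table, dst):
    """Select the route for `dst` the way a host's forwarding lookup does:
    longest prefix wins; metric only breaks ties between equal prefix lengths.
    `table` holds (ip_network, interface, metric) tuples."""
    dst = ipaddress.ip_address(dst)
    candidates = [(net.prefixlen, -metric, iface)
                  for net, iface, metric in table if dst in net]
    if not candidates:
        return None
    return max(candidates)[2]


def route_via(pushed_nets, metric=30):
    """Install the LAN route plus the routes OpenVPN would add for `pushed_nets`
    (strings in CIDR form) and report the egress interface per test address."""
    table = [(LAN, "eth0", 10)]  # local LAN, best metric on the host
    table += [(ipaddress.ip_network(n), "tun0", metric) for n in pushed_nets]
    return {ip: lookup(table, ip) for ip in ("192.168.2.1", "192.168.2.250")}


# Pushing the same /24 over the tunnel loses on metric: traffic stays on eth0.
SAME_PREFIX = route_via(["192.168.2.0/24"])
# Pushing the two /25 halves wins on prefix length, whatever metric they get.
SPLIT_PREFIX = route_via(["192.168.2.0/25", "192.168.2.128/25"])

if __name__ == "__main__":
    for line in push_lines(LAN):
        print(line)
    print("same /24 pushed:", SAME_PREFIX)
    print("two /25 pushed: ", SPLIT_PREFIX)
```

Run it once to print the two push lines for the server config; the two dictionaries show that only the split routes actually redirect the overlapping addresses into the tunnel.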
 

Author Comment

by:janhoedt
ID: 40129277
I've set the
route 192.168.0.0 255.255.0.0 192.168.33.2 10

in the config-file but route print shows
route 192.168.0.0 255.255.0.0 192.168.33.2 30
so it did not accept it.
0
