Solved

Openvpn set metric on route?

Posted on 2014-04-04
Last Modified: 2014-06-12
Hi,

My local LAN has the same IP range as the remote: 192.168.2.x.
Can I set a metric on routes to solve this?

J.
Question by:janhoedt
16 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 39978064
Metric can help here in distinguishing two subnets sharing the same scope because in a routing table, subnet and mask are just the factors used to identify a network.

If you want to access both subnets or each other at the same time, one of them should be using a different IP schema or hiding behind a NAT gateway.
0
 

Author Comment

by:janhoedt
ID: 39978104
I only need one subnet at a time. Only the remote when I connect via vpn. So what should I add then and where?
It would be nice to do this on client as well as having possibility on server too.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40012989
I believe the ideal way to get around this is to use dynamic IP pools so that you can NAT to the remote site. I like this method a lot since it allows access to both local and remote.

That being said, the quick and dirty way to get this to work without configuring complex DIP pools is to disable split-tunneling.

This will force all traffic through the VPN even for your local subnet. Beware that if you have local network printers they will not be usable, and of course all your internet traffic will go through the VPN.
0

 

Author Comment

by:janhoedt
ID: 40019516
Please clarify the dynamic ip pools.

2nd option is not valid for me.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40019916
Hi janhoedt, in an earlier post you stated: "I only need one subnet at a time. Only the remote when I connect via vpn. So what should I add then and where?"

The 2nd option gives you exactly this scenario.

If you still can not use this option, you can create static routes for specific IP addresses in your route table and point them to the VPN gateway, while leaving your route table default gateway pointing to your regular internet connection.
0
 

Author Comment

by:janhoedt
ID: 40020119
On Ophone 2nd option is ok.
0
 

Author Comment

by:janhoedt
ID: 40092987
>If you still can not use this option, you can create static routes for specific IP addresses in your route table
Please specify how. I'd like to do this within the config of OpenVPN, in other words it should push these routes within its config file so that every PC that runs OpenVPN has these routes.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40127079
The config file may include the corresponding route commands. Choose the subnet mask to be more specific than the local one to force precedence. Usually you set up host routes for single IPs, but you can also use subnets.
You have the choice to include the routing commands in each local client config file (having more flexibility but more admin effort), or centrally in the server's config file. You only need to do one of both, and I recommend to push the routes from server on connection:
# a single IP
push "route 192.168.2.1 255.255.255.255"
# a subrange of the network: .248-.255
push "route 192.168.2.248 255.255.255.248"


0
 
LVL 69

Expert Comment

by:Qlemo
ID: 40127094
You can also use the other approach to direct all traffic to OpenVPN with
redirect-gateway def1

on client or
push "redirect-gateway def1"

on server.
0
 

Author Comment

by:janhoedt
ID: 40127106
I know the commands thanks. I know the redirect gateway options and I don't want to use it.
The routes are already pushed. As mentioned, I need to put a metric on the routes, that's all I need.
Can that be done on the push route?
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 40127143
Yes, but since the local routes have better metric, it will get difficult to manage it that way. In fact you do not need the metric! As I said, a host route (or any route with more restrictive subnet mask) has precedence over a more generic. Since the local network is 192.168.2.0/24, any more specific route up to 192.168.2.0/25 and 192.168.2.128/25 leads to redirecting the corresponding traffic via OpenVPN.

"I know the commands thanks." - obviously you do not. Else you would be able to look into the manual, which clearly tells what the options for the route command are. The man page is always what you should look first at if you need a config option for OpenVPN. The syntax is
route network/IP [netmask] [gateway] [metric]


You can use "default" or vpn_gateway for gateway to keep it dynamic.
0
 

Author Comment

by:janhoedt
ID: 40129277
I've set the
route 192.168.0.0 255.255.0.0 192.168.33.2 10

in the config-file but route print shows
route 192.168.0.0 255.255.0.0 192.168.33.2 30
so it did not accept it.
0
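
The selection rule the accepted answer relies on (the most specific prefix wins, and the metric only breaks ties between routes of equal prefix length), as an added example that is not part of the thread. The interface labels and metric values are constructed, and the lookup is a simplified longest-prefix-match model, not any operating system's actual routing code.

```python
import ipaddress


def route(net, via, metric):
    """Build one routing-table entry (constructed sample data)."""
    return {"net": ipaddress.ip_network(net), "via": via, "metric": metric}


def select_route(table, dst):
    """Pick the route for dst: longest prefix first, lowest metric as tie breaker."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r["net"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def egress(table, dst):
    """Return the interface label ('lan' or 'vpn') that traffic to dst would use."""
    chosen = select_route(table, dst)
    return chosen["via"] if chosen else None


# Routes every client already has: default gateway and the on-link local /24.
DEFAULT = route("0.0.0.0/0", "lan", 10)
LOCAL = route("192.168.2.0/24", "lan", 10)

# Case A: a wider /16 via the VPN with a very good metric. The local /24 is
# more specific, so 192.168.2.x stays on the LAN whatever the metric says.
TABLE_WIDE = [DEFAULT, LOCAL, route("192.168.0.0/16", "vpn", 1)]

# Case B: the two /25 halves from the accepted answer, given a deliberately
# worse metric than the local route. They still win for all of 192.168.2.x.
TABLE_SPLIT = [DEFAULT, LOCAL,
               route("192.168.2.0/25", "vpn", 50),
               route("192.168.2.128/25", "vpn", 50)]

# Case C: same prefix length as the local route. Only here does metric decide.
TABLE_TIE = [DEFAULT, LOCAL, route("192.168.2.0/24", "vpn", 5)]

if __name__ == "__main__":
    for name, table in (("wide /16", TABLE_WIDE), ("split /25", TABLE_SPLIT),
                        ("equal /24", TABLE_TIE)):
        print(name, "->", egress(table, "192.168.2.10"))
```
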


Question has a verified solution.
