Only route a specific IP address through VPN

I am on an Ubuntu 18.04 machine and I want to route only one IP through the VPN tunnel to my workplace's network, namely the network file share.

I was given an .ovpn client config file with all the authentication material inside, and I was able to set it up and access the file server. To do so, I went the GUI route: [Ubuntu System Settings > Network > VPN > Import from file...]. However, once I activate the VPN, I can no longer access the Internet: trying to open google.com results in a timeout.

I've added the following to the bottom of my .ovpn file:

route-nopull
route <file server ip> 255.255.255.255

But when I try to use the [Import from file...] again, the GUI stops me and says I have to enter a gateway address for this specific route before I can save this VPN-configuration. The 255.255.255.255 from the route directive above is filled in as the netmask.

I have no idea what gateway IP I have to enter there. I have tried:

  • 192.168.0.1
  • 192.168.1.1
  • 192.168.42.1 ¹

¹ Not actually 42, but some specific number pulled from ipconfig output on a Windows machine inside the network.

How do I find the correct gateway IP? Am I going about this all wrong?

Answer 1

I'd recommend the following options:

route-noexec
up misc/up.sh

Where misc/up.sh refers to a script relative to the config file. (My config is in /etc/openvpn/foo.conf and the script is in /etc/openvpn/misc/up.sh.) This script would then contain the following:

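#!/bin/sh
#
# OpenVPN calls this script with positional arguments; $1 is the tunnel device name.

ip route add <file_server_ip> via $4
# Alternative: a plain device route on the tunnel interface.
#ip route add <file_server_ip> dev $1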

This lets the VPN server configure your endpoint IP address, but routing will be handled by the script. If the above doesn't work, try using just the second line.
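A defensive variant of such an up script, as an added example that is not part of the original answer: it validates the target address and device name before passing them to `ip route`, and falls back to a device route when no gateway is available. It assumes `script-security 2` is set in the client config so that OpenVPN will run the script, relies on the OpenVPN environment variables `script_type`, `dev` and `route_vpn_gateway`, and uses the constructed placeholder address `192.0.2.10` for the file server.

```shell
#!/bin/sh
# Added example: OpenVPN "up" script that routes one host through the tunnel.
# Assumed client config: route-noexec, script-security 2, up misc/up.sh
TARGET_IP="${TARGET_IP:-192.0.2.10}"   # constructed placeholder (RFC 5737)

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                          # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print "ip route" arguments for a host route to $1.
# $2 = gateway (may be empty), $3 = tunnel device name.
route_args() {
    is_ipv4 "$1" || return 1
    case "$3" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    if is_ipv4 "$2"; then
        echo "replace $1/32 via $2 dev $3"
    else
        # No usable gateway: fall back to a plain device route on the tunnel.
        echo "replace $1/32 dev $3"
    fi
}

# OpenVPN exports script_type, dev and route_vpn_gateway to the up script.
if [ "${script_type:-}" = "up" ]; then
    args=$(route_args "$TARGET_IP" "${route_vpn_gateway:-}" "${dev:-$1}") || {
        echo "up.sh: refusing to add a route for '$TARGET_IP'" >&2
        exit 1
    }
    # Unquoted on purpose: $args holds only the validated tokens built above.
    ip route $args
fi
```

Using `ip route replace` rather than `add` keeps the script idempotent when the tunnel restarts and the route already exists.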

Answer 2

route gateway is practically arbitrary at least for a tun setup, as it's not necessary / actually useful (the actual gateway, when it's not the server, is determined by iroute instead).

My guess is either you are filtering the route-gateway option in the client conf, or the server conf simply isn't pushing it (not using the server directive).

The address "should be" the VPN IP of the server, but it shouldn't matter even if you just use any IP (though I am not sure if the "smart" GUI would check it against anything; it shouldn't be able to unless you are doing a one-to-one setup with ifconfig).

P.S. In other words, if the connection doesn't work after you fill in some random IP for the field, it may not be the cause of your problem.
