How can i route specific traffic through VPN Client

malikchand
Posts: 3
Joined: 2021/02/22 09:37:44


Post by malikchand » 2021/06/24 10:12:57

I have a VPN network based on CentOS 8 with the OpenConnect package. I need to allow VPN clients to use their local internet for browsing instead of the server side. Currently all VPN clients are utilising the server-side internet for browsing.

ip add

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 2c:27:d7:19:03:4a brd ff:ff:ff:ff:ff:ff
        inet 200.200.200.3/24 brd 200.200.200.255 scope global dynamic noprefixroute eno1
           valid_lft 84701sec preferred_lft 84701sec
        inet6 fe80::c53b:410a:9d0f:cc5b/64 scope link noprefixroute
           valid_lft forever preferred_lft forever
    6: vpns0: <POINTOPOINT,UP,LOWER_UP> mtu 1434 qdisc fq_codel state UNKNOWN group default qlen 500
        link/none
        inet 10.10.10.1 peer 10.10.10.76/32 scope global vpns0
           valid_lft forever preferred_lft forever
        inet6 fe80::8da5:409d:a886:5bfb/64 scope link stable-privacy
           valid_lft forever preferred_lft forever

ip route

    default via 200.200.200.1 dev eno1 proto dhcp metric 100
    10.10.10.76 dev vpns0 proto kernel scope link src 10.10.10.1
    200.200.200.0/24 dev eno1 proto kernel scope link src 200.200.200.3 metric 100

firewall-cmd --list-all

    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eno1
      sources:
      services: cockpit dhcpv6-client http https ipsec ssh
      ports: 500/udp 4500/udp 443/tcp 443/udp 80/tcp
      protocols:
      forward: no
      masquerade: yes
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
            rule protocol value="ah" accept
            rule protocol value="esp" accept
            rule family="ipv4" source address="10.10.10.0/24" masquerade

netstat -rn

    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         200.200.200.1   0.0.0.0         UG        0 0          0 eno1
    10.10.10.76     0.0.0.0         255.255.255.255 UH        0 0          0 vpns0
    200.200.200.0   0.0.0.0         255.255.255.0   U         0 0          0 eno1

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: How can i route specific traffic through VPN Client

Post by jlehtone » 2021/06/25 11:22:11

malikchand wrote:
2021/06/24 10:12:57
Currently all VPN clients utilising server side internet for browsing.

ip route


    default via 200.200.200.1 dev eno1 proto dhcp metric 100 
    10.10.10.76 dev vpns0 proto kernel scope link src 10.10.10.1 
    200.200.200.0/24 dev eno1 proto kernel scope link src 200.200.200.3 metric 100
If the above is the routing table of a client, then it does not use the server side, because only the host 10.10.10.76 is accessed via the VPN.


When a VPN client forms a connection to a VPN server, the server hands interface configuration to the client just like a DHCP server hands it to a DHCP client. The usual "roadwarrior" configuration sets the default gateway to be the VPN server, i.e. routes almost all traffic via the VPN tunnel.

However, a VPN client should have an option to discard the offered routes. Not all clients/protocols do.
The VPN server can have an option to not push the default route. Then clients need static routes (given by the server) to access the networks that they are supposed to reach via the VPN tunnel.

malikchand
Posts: 3
Joined: 2021/02/22 09:37:44

Re: How can i route specific traffic through VPN Client

Post by malikchand » 2021/10/10 11:15:10

Solved
Thank you for your support.
However, I managed to solve this issue; it was quite easy.
I just disabled the default route in the ocserv.conf file and it worked perfectly. :) 8-)
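As an added illustration (not taken from either poster's configuration), the following ocserv.conf fragment shows the split-tunnel setup both posts describe: instead of pushing a default route, the server pushes only the networks clients should reach through the tunnel, so the clients' ordinary web browsing stays on their local internet. The `route` and `no-route` directives are real ocserv options; the 10.10.10.0/24 subnet comes from the thread, while 192.168.100.0/24 is an assumed internal network used only for illustration.

```ini
# ocserv.conf - split-tunnel example (added here; not the poster's file)

# VPN client address pool as shown in the thread (vpns0 is 10.10.10.1).
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0

# With no "route" lines at all, ocserv pushes a default route and every
# client packet, web browsing included, goes through the tunnel. That is
# the behaviour the first post wanted to get rid of.
#
# Listing routes explicitly limits what the client sends into the tunnel.
# Only these prefixes are handed to the client; everything else uses the
# client's own local gateway.
route = 10.10.10.0/255.255.255.0
route = 192.168.100.0/255.255.255.0   # assumed internal LAN, placeholder

# "no-route" carves an exception out of a pushed route. Here it keeps the
# server's own public subnet (200.200.200.0/24 in the thread) off the tunnel
# even if a broader route were ever added above.
no-route = 200.200.200.0/255.255.255.0
```

Two practical checks after restarting ocserv: on a connected client, the routing table should show only the listed prefixes via the tunnel interface and no default route through it (the `ip route` output in the thread is what a correctly split client looks like); on the server, the existing `masquerade` rich rule for 10.10.10.0/24 still applies to whatever traffic does arrive over the tunnel. Bear in mind that split tunneling also means the clients' internet traffic no longer passes the server's firewall or any filtering and logging done there, so the choice is a policy decision as much as a routing one.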
