Default route via VPN while keeping LAN & services available
OpenVPN is working great and all, but I was having trouble getting my other LAN hosts to connect to the OpenVPN client system (a Raspberry Pi) while also keeping the services I normally run on it available from the internet. On the remote server I was using redirect-gateway def1, which works but makes some assumptions about how you intend to use it.
After a lot of frustration and perusal of almost-but-not-quite posts on OpenVPN troubleshooting, I came across an article which didn’t mention OpenVPN but instead discussed how to set default routes for multiple interfaces.
Here’s what I took away. Extra lines in /etc/openvpn/client.conf:
```
# give the tunnel and its routes a moment to settle before the route-up hook runs
up-delay
route-delay 2
# allow OpenVPN to execute an external script
script-security 2
route-up /etc/openvpn/multiple_gateways.sh
```
and in multiple_gateways.sh:
```sh
#!/bin/sh
# Table "mypriv" (name must be listed in /etc/iproute2/rt_tables) holds the
# LAN-side view: local subnet on eth0, default via the LAN gateway, not the VPN.
/sbin/ip route add _local_net_/24 dev eth0 src _local_ip_ table mypriv
/sbin/ip route add default via _local_gateway_ dev eth0 table mypriv
# Packets from or to the Pi's LAN address look up mypriv instead of the main
# table, so LAN and internet-facing replies leave via eth0; all else uses the VPN.
/sbin/ip rule add from _local_ip_/32 table mypriv
/sbin/ip rule add to _local_ip_/32 table mypriv
```
One caveat: I haven’t done a ton of testing, and after rebooting my Pi it didn’t come up cleanly, so a down.sh script may be needed to tear down the extra config when OpenVPN disconnects. That being said, I have services available from the internet, connections from the LAN to the Pi working, and the default route for outgoing connections still going over the VPN.