Default route via VPN while keeping LAN & services available
OpenVPN is working great and all, but I was having trouble getting my other LAN hosts to connect to the OpenVPN client system (a Raspberry Pi) while also keeping the services I normally run on it available from the internet. On the remote server, I was using redirect-gateway def1, which works but makes some assumptions about how you intend to use it.
After a lot of frustration and perusal of almost-but-not-quite posts on OpenVPN troubleshooting, I came across an article which didn’t mention OpenVPN but instead discussed how to set default routes for multiple interfaces.
Here’s what I took away. Extra lines in /etc/openvpn/client.conf:
|
1
2
3
4
|
up-delay
route-delay 2
script-security 2
route-up /etc/openvpn/multiple_gateways.sh
|
and in multiple_gateways.sh:
|
1
2
3
4
5
|
#!/bin/sh
/sbin/ip route add _local_net_/24 dev eth0 src _local_ip_ table mypriv
/sbin/ip route add default via _local_gateway_ dev eth0 table mypriv
/sbin/ip rule add from _local_ip_/32 table mypriv
/sbin/ip rule add to _local_ip_/32 table mypriv
|
One caveat: I haven’t done a ton of testing, and after rebooting my Pi, it didn’t come up cleanly, so a down.sh script may be needed to tear down the extra config when OpenVPN disconnects. That being said, I have services available from the internet, connections from the LAN to the Pi working, and the default route for outgoing connections still going over the VPN.
About The Author
Charlie Herron
Denizen of Portland, Maine; tech jack; lover / hater / whatever; philosophical dabbler. http://twitter.com/realgeek