Routing all client traffic through the VNS3 overlay


By default, OpenVPN (and most other VPN clients) only directs traffic that is addressed to the overlay to the tunnel. All other traffic is routed according to the machine's local route table.  This article will help you set up your VNS3 clients to direct all traffic through the overlay.

For the purposes of this article, we will assume that your VNS3 server is configured with the default overlay subnet of 172.31.1.0/22, and that your client's local subnet is 192.168.100.0/24.

If you'd like all traffic to be passed through VNS3, you'll need to add

redirect-gateway def1
route 192.168.100.0 255.255.255.0 net_gateway

to the configuration file downloaded from the VNS3 Clientpacks page.  After doing so, all of the client's outbound traffic will be directed to VNS3 - except packets that are specifically addressed to the client's local subnet.

You'll also need to provide your client a DNS server to be used while the connection is active.  This can be any DNS server that is reachable by the client while connected.  For example, [dhcp-option DNS 8.8.8.8] (without the brackets) can be added to the clientpack configuration file to direct that client to use Google's DNS.
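Once the client reconnects with the two lines above in its clientpack, the easiest way to confirm the change took effect is to inspect the route table: OpenVPN's redirect-gateway def1 installs two /1 routes (0.0.0.0/1 and 128.0.0.0/1) over the tunnel device rather than replacing the default route, and the net_gateway line should leave the local subnet pointing at the LAN gateway. The following check script is an added example, not part of this article or of VNS3; the route-table samples it contains are constructed, and the overlay gateway 172.31.1.1, the LAN gateway 192.168.100.1 and the VNS3 public address 203.0.113.5 are assumed values.

```shell
#!/bin/sh
# Added example (not VNS3's own tooling): verify on a Linux client that the
# "full tunnel" clientpack additions are in effect. Run against the live table:
#   check_full_tunnel "$(ip route)"
#   check_local_exception "$(ip route)" 192.168.100.0/24 192.168.100.1

# Escape the dots in a literal such as 192.168.100.0/24 so grep -E treats them literally.
re_escape() {
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

# check_full_tunnel ROUTES
# Succeeds only when both "def1" halves (0.0.0.0/1 and 128.0.0.0/1) point at a
# tun/tap device, which is what redirect-gateway def1 produces.
check_full_tunnel() {
    printf '%s\n' "$1" | grep -Eq '^0\.0\.0\.0/1 (via [0-9.]+ )?dev (tun|tap)[0-9]+' || return 1
    printf '%s\n' "$1" | grep -Eq '^128\.0\.0\.0/1 (via [0-9.]+ )?dev (tun|tap)[0-9]+' || return 1
}

# check_local_exception ROUTES SUBNET GATEWAY
# Succeeds when SUBNET is routed via the physical GATEWAY (the effect of
# "route SUBNET MASK net_gateway") and no route for SUBNET points at a tunnel.
check_local_exception() {
    subnet=$(re_escape "$2")
    gw=$(re_escape "$3")
    printf '%s\n' "$1" | grep -Eq "^$subnet via $gw dev " || return 1
    printf '%s\n' "$1" | grep -Eq "^$subnet .*dev (tun|tap)[0-9]+" && return 1
    return 0
}

# Constructed sample of `ip route` output from a client whose clientpack carries
# "redirect-gateway def1" and "route 192.168.100.0 255.255.255.0 net_gateway".
# Assumed: overlay gateway 172.31.1.1, LAN gateway 192.168.100.1, and the host
# route to the VNS3 public address 203.0.113.5 that def1 adds via net_gateway.
SAMPLE_FULL='default via 192.168.100.1 dev eth0
0.0.0.0/1 via 172.31.1.1 dev tun0
128.0.0.0/1 via 172.31.1.1 dev tun0
172.31.1.0/22 dev tun0 proto kernel scope link src 172.31.1.10
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.50
192.168.100.0/24 via 192.168.100.1 dev eth0
203.0.113.5 via 192.168.100.1 dev eth0'

# Constructed sample from the same client with a stock clientpack: only the
# overlay subnet is sent through tun0, everything else follows the LAN default route.
SAMPLE_SPLIT='default via 192.168.100.1 dev eth0
172.31.1.0/22 dev tun0 proto kernel scope link src 172.31.1.10
192.168.100.0/24 dev eth0 proto kernel scope link src 192.168.100.50'

if check_full_tunnel "$SAMPLE_FULL"; then
    echo "sample 1: all traffic routed through the overlay"
fi
if ! check_full_tunnel "$SAMPLE_SPLIT"; then
    echo "sample 2: split tunnel, only 172.31.1.0/22 goes through VNS3"
fi
if check_local_exception "$SAMPLE_FULL" 192.168.100.0/24 192.168.100.1; then
    echo "sample 1: local subnet still reached via the LAN gateway"
fi
```

If check_full_tunnel fails on a live client, the two clientpack lines were not picked up (wrong file, or the client was not restarted); if it passes but check_local_exception fails, the net_gateway line is missing and local printers or file shares will be sent into the tunnel and dropped.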

In VNS3, in order to give VPN clients access to 0.0.0.0/0, you'll need to add [MACRO_CUST -o eth0 -s 172.31.1.0/22 ! -d 172.31.1.0/22 -j MASQUERADE] to the firewall (again without brackets).


NOTE: This will not provide your VPN clients access to the AWS (underlay) subnet. They will be able to access their local subnet normally, the overlay network via the VPN, and the internet via the VPN.  If you need your VNS3 clients to have access to the AWS subnet, add the following rules to the VNS3 firewall (assuming your AWS subnet is 10.10.10.0/22):

FORWARD_CUST -i eth0 -s 172.31.1.0/22 -d 10.10.10.0/22 -j ACCEPT

FORWARD_CUST -i eth0 -s 10.10.10.0/22 -d 172.31.1.0/22 -j ACCEPT
