How to Set Up Split-Tunneling on OpenVPN Using Routing Tables


Split-tunneling is a networking technique that routes some of a host's traffic through a VPN while the rest leaves through the local network as usual. OpenVPN is a popular open-source VPN solution that supports this: what enters the tunnel is decided by the routes installed on the client, so by controlling those routes you decide exactly which destinations (or, with policy routing, which sources) are protected. Keep the trade-off in mind: anything not routed into the tunnel travels unencrypted over the local network, and the VPN server never sees it and cannot filter it.

Prerequisites

Before setting up split-tunneling on OpenVPN, ensure the following:

  • An OpenVPN server and client already configured and operational.
  • Access to the OpenVPN server’s configuration files.
  • Root or administrative privileges on the server and client machines.
  • A basic understanding of networking concepts and routing tables.

Configuring Split-Tunneling Using Routing Tables

Split-tunneling is a routing decision made on the client. The OpenVPN server can push routes that tell the client which destinations to send through the tunnel, but the client is free to ignore or replace them, so the server must not rely on split-tunneling for enforcement. If the server has to restrict what clients can reach, filter on the server side (for example with iptables or nftables on the tun interface) in addition to pushing routes. Everything below is about shaping the client's routing table.

Step 1: Modify Server Configuration

On the OpenVPN server, you need to define which traffic should be routed through the VPN tunnel. This can be accomplished by specifying routes within the OpenVPN configuration file (server.conf or openvpn.conf).

Add routes for the specific IP ranges you want to send through the VPN, and make sure the configuration does not also contain push "redirect-gateway def1", which would send all of the client's traffic through the tunnel:

push "route 192.168.10.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"

The push directive sends each route to the client at connect time, and the client installs it with the tunnel as the next hop. Here traffic destined for 192.168.10.0/24 and 10.0.0.0/24 goes through the tunnel; everything else, including the client's existing default route, is left alone. When you control the server and it pushes nothing beyond these routes, this step alone gives you split-tunneling.

Step 2: Enable Split-Tunneling on the Client Side

Step 2 is for the case where you do not control the server, or where it pushes redirect-gateway (or more routes than you want). Add the route-nopull directive to the client configuration file (client.ovpn):

route-nopull

With route-nopull the client still accepts other options pushed by the server but discards every pushed route, including redirect-gateway, so the client's own default route stays on the local interface. It also discards pushed dhcp-option values such as DNS servers, so the routes you do want (and DNS, see below) then have to be configured on the client itself. On OpenVPN 2.4 and later a narrower alternative is to drop only the full-tunnel instruction and keep the pushed routes and DNS:

pull-filter ignore "redirect-gateway"

Step 3: Manually Add Routes on the Client

Once you've added route-nopull, specify which destinations should go through the VPN with the route directive in the client configuration file, for instance:

route 192.168.10.0 255.255.255.0
route 10.0.0.0 255.255.255.0

These lines tell the OpenVPN client to install routes for 192.168.10.0/24 and 10.0.0.0/24 through the tunnel when it comes up (the gateway defaults to the VPN gateway the server assigned) and to remove them again when it goes down. Adding the same prefixes by hand with ip route works too, but routes added outside OpenVPN are not cleaned up on disconnect.

Advanced Configuration: Using Routing Tables for Split-Tunneling

In some cases you need control that destination-based routes cannot give you, such as sending everything from one local source address or subnet through the tunnel, or steering traffic by protocol or port. Linux policy routing (ip rule together with additional routing tables) provides this.

Step 4: Use IP Routing Tables for Fine-Grained Control

Policy routing is configured with the ip rule and ip route commands from iproute2 on the client. A rule selects packets by criteria such as source address or firewall mark and points them at a separate routing table; that table then decides the next hop. Rules are evaluated in priority order, and if the selected table has no matching route the kernel falls through to the next rule (normally the main table), so the extra table must actually contain the route you want taken.

These are shell commands, not OpenVPN directives, so they cannot be placed in the OpenVPN configuration file directly. Run them from an up script (with script-security 2 and the up and down directives in the client configuration) or from the client's startup scripts after tun0 exists:

# Register the table name once (rt_tables maps table numbers to names)
grep -q '^100 vpn$' /etc/iproute2/rt_tables || echo "100 vpn" >> /etc/iproute2/rt_tables

# Send all packets sourced from 192.168.10.0/24 to the "vpn" table,
# whose only route is a default route through the tunnel interface
ip rule add from 192.168.10.0/24 table vpn
ip route add default dev tun0 table vpn

Here 192.168.10.0/24 is a source range local to the client (a second interface or a container subnet, say), which is a different thing from the destination subnet of the same name in Step 1. Any packet from that range is looked up in table vpn and takes the tunnel regardless of destination; packets from other sources never consult the table and follow the main routing table as before. Two caveats: with topology subnet, give the table a gateway (the address OpenVPN reports to scripts as route_vpn_gateway) rather than a bare device route, and set net.ipv4.conf.tun0.rp_filter to 2 (loose) if strict reverse-path filtering drops replies that arrive on an interface the main table would not have chosen. You can extend this logic with further rules, for example one matching a firewall mark set by nftables or iptables on a particular protocol or port.
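
The procedure in Step 4 as a complete OpenVPN up/down script, added here as an example; it is not code from the original article and not OpenVPN project code. It assumes a routing table named vpn with id 100, a steered source range of 172.30.0.0/24 (for instance a container bridge on the client) and firewall mark 0x1 for port-based steering, all of which are illustrative choices. OpenVPN itself supplies dev, script_type and route_vpn_gateway in the script's environment. With DRY_RUN=1 the script prints the commands instead of running them, which is how it can be checked without root.

```shell
#!/bin/sh
# OpenVPN --up/--down script for policy-based split tunnelling (example code,
# not from the article or the OpenVPN project).
# client.ovpn (assumed):
#   script-security 2
#   up   /etc/openvpn/split-up.sh
#   down /etc/openvpn/split-up.sh
#   route-nopull        # pushed routes are ignored; the rules below decide

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
VPN_TABLE="${VPN_TABLE:-vpn}"
VPN_TABLE_ID="${VPN_TABLE_ID:-100}"
STEER_SRC="${STEER_SRC:-172.30.0.0/24}"   # assumed source range forced into the tunnel
VPN_MARK="${VPN_MARK:-0x1}"               # assumed fwmark set by nftables/iptables

# run CMD...: execute, or print the command when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Register the table name exactly once; a bare "echo >>" would add a
# duplicate line every time the tunnel comes up.
rt_table_ensure() {
    if ! grep -qE "^[[:space:]]*${VPN_TABLE_ID}[[:space:]]+${VPN_TABLE}[[:space:]]*$" "$RT_TABLES" 2>/dev/null; then
        printf '%s %s\n' "$VPN_TABLE_ID" "$VPN_TABLE" >> "$RT_TABLES"
    fi
}

vpn_up() {
    rt_table_ensure
    # Default route of the tunnel table: via the gateway OpenVPN hands us when
    # there is one (topology subnet), otherwise straight out of the tun device.
    if [ -n "${route_vpn_gateway:-}" ]; then
        run ip route replace default via "$route_vpn_gateway" dev "$dev" table "$VPN_TABLE"
    else
        run ip route replace default dev "$dev" table "$VPN_TABLE"
    fi
    # Selection rules, lowest priority number first. Packets that match neither
    # fall through to the main table and keep using the LAN default route.
    run ip rule add from "$STEER_SRC" table "$VPN_TABLE" priority 100
    run ip rule add fwmark "$VPN_MARK" table "$VPN_TABLE" priority 101
    # Replies to policy-routed traffic arrive on an interface the main table
    # would not pick; strict reverse-path filtering (1) drops them, loose (2) keeps them.
    run sysctl -q -w "net.ipv4.conf.${dev}.rp_filter=2"
}

vpn_down() {
    run ip rule del from "$STEER_SRC" table "$VPN_TABLE" priority 100
    run ip rule del fwmark "$VPN_MARK" table "$VPN_TABLE" priority 101
    run ip route flush table "$VPN_TABLE"
}

# OpenVPN sets script_type to "up" or "down"; nothing runs otherwise.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

To steer by port rather than by source, pair the fwmark rule with a marking rule in the firewall (for example an nftables rule in the output chain that sets meta mark 0x1 on tcp dport 443); the script itself does not touch the firewall.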

Configuring DNS for Split-Tunneling

Split-tunneling has to be applied to DNS as well. The client now has two resolvers available: the LAN resolver (192.168.1.1 in this example, typically learned from DHCP) and the one reachable through the tunnel (10.8.0.1, the server's address in OpenVPN's default tunnel subnet). Which names go to which resolver is decided by the operating system's resolver, not by OpenVPN, and most resolver configurations have a single server list rather than a per-domain split.

The server announces its resolver with a dhcp-option push directive in the server configuration:

push "dhcp-option DNS 10.8.0.1"

Two things limit what this achieves. First, a client using route-nopull discards pushed dhcp-option values along with the routes, so nothing arrives; use pull-filter to drop only routes if you want the DNS push to survive. Second, OpenVPN applies dhcp-option by itself only on Windows, where it sets the resolver of the VPN adapter; on Linux the pushed values are handed to the up script as environment variables (foreign_option_1, foreign_option_2, ...) and have no effect unless a script such as update-systemd-resolved or update-resolv-conf acts on them, which again requires script-security 2. Putting dhcp-option DNS 192.168.1.1 in the client configuration does not produce a split either: where it is applied at all it sets the VPN adapter's resolver, and on Linux it is just another foreign_option for the script.

A genuine split, where only names under the internal domain are sent to 10.8.0.1 and everything else goes to 192.168.1.1, needs a resolver that supports per-domain routing: systemd-resolved on Linux (routing domains per interface) or the Name Resolution Policy Table on Windows. Without that, choose deliberately: sending all queries to the tunnel resolver hides your lookups from the LAN but makes every lookup depend on the VPN, while sending them all to the LAN resolver leaks every internal hostname you query to the local network.
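
The systemd-resolved variant of the per-domain split, as an added example that is not part of the original article and is neither OpenVPN's nor systemd's own code. It assumes the server pushes dhcp-option DNS 10.8.0.1 and dhcp-option DOMAIN corp.example (the domain name is an assumption) and that the client keeps pushed options, i.e. uses pull-filter rather than route-nopull. OpenVPN exposes pushed dhcp-options to the up script as foreign_option_N environment variables, which the script parses into resolvectl commands; the DEV argument is the tunnel interface.

```shell
#!/bin/sh
# Per-domain DNS for a split tunnel with systemd-resolved (example code, not
# from the article, OpenVPN or systemd). Runs as an OpenVPN up/down script with
#   script-security 2
#   up   /etc/openvpn/split-dns.sh
#   down /etc/openvpn/split-dns.sh
#   pull-filter ignore "redirect-gateway"    # keep pushed DNS, drop full tunnel

# resolved_commands DEV: print the resolvectl commands for the pushed options.
# A "~" prefix makes a domain a routing domain (queries under it go to this
# link) rather than a search suffix. Without a pushed DOMAIN the fallback is
# "~.", which sends every query through the tunnel resolver: no per-domain
# split, but no internal names leak to the LAN resolver either.
resolved_commands() {
    dev=$1
    servers=""
    domains=""
    i=1
    while :; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        set -- $opt            # e.g. "dhcp-option DNS 10.8.0.1"
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    servers="$servers $3" ;;
                DOMAIN) domains="$domains ~$3" ;;
            esac
        fi
        i=$((i + 1))
    done
    [ -n "$servers" ] || return 1   # nothing pushed: leave the resolver alone
    printf 'resolvectl dns %s%s\n' "$dev" "$servers"
    if [ -n "$domains" ]; then
        printf 'resolvectl domain %s%s\n' "$dev" "$domains"
        # Do not let this link answer queries outside its routing domains.
        printf 'resolvectl default-route %s false\n' "$dev"
    else
        printf 'resolvectl domain %s ~.\n' "$dev"
    fi
}

# OpenVPN sets script_type and dev; nothing runs when invoked any other way.
case "${script_type:-}" in
    up)   resolved_commands "$dev" | sh -e ;;
    down) resolvectl revert "$dev" ;;
esac
```

For the assumed push, the script runs resolvectl dns tun0 10.8.0.1, resolvectl domain tun0 ~corp.example and resolvectl default-route tun0 false, so only names under corp.example go through the tunnel and the LAN resolver keeps everything else; resolvectl status tun0 shows the result.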

Troubleshooting Split-Tunneling Configuration

If split-tunneling does not behave as expected, check the following:

  • The route-nopull (or pull-filter) directive is present in the client configuration if the server pushes redirect-gateway; the client log line "PUSH: Received control message" shows exactly which options the server pushed.
  • The client and server agree on the IP ranges and subnet masks, and the server pushes only the routes you intend.
  • The client's routing table, via ip route (or the older route -n), contains the intended prefixes on the tunnel interface and no default route on it. Look in particular for 0.0.0.0/1 and 128.0.0.0/1 on the tunnel: that pair is what redirect-gateway def1 installs, and it overrides the default route without replacing it.
  • For policy routing, ip rule show lists your rules and ip route show table vpn shows the table they point to; an up script that appears to do nothing usually means script-security is missing from the configuration.
  • DNS queries go to the resolver you intended for each domain, and the tunnel resolver (10.8.0.1 here) is actually reachable through the tunnel.
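
A script that turns the routing-table check above into something repeatable, added here as an example that is not part of the original article. It reads the output of ip -4 route show, either live or from a captured copy, confirms that each expected prefix is routed via the tunnel interface, and flags the two ways a "split" tunnel silently becomes a full one: a default route on the tunnel, and the 0.0.0.0/1 plus 128.0.0.0/1 pair installed by redirect-gateway def1. The two sample routing tables are constructed for the example; the interface name tun0 and the addresses in them are assumptions.

```shell
#!/bin/sh
# Split-tunnel route check (example code, not from the article).
# Usage: split-check.sh --live   (runs against the real routing table)

TUN_DEV="${TUN_DEV:-tun0}"

# check_split_routes "<ip route output>" PREFIX...
# Prints one finding per line; returns 0 only when the table is a clean split.
check_split_routes() {
    routes=$1; shift
    rc=0
    for p in "$@"; do
        esc=$(printf '%s' "$p" | sed 's/\./\\./g')   # literal dots in the regex
        if printf '%s\n' "$routes" | grep -qE "^${esc}[[:space:]].*[[:space:]]dev[[:space:]]+${TUN_DEV}([[:space:]]|$)"; then
            echo "ok: $p is routed via $TUN_DEV"
        else
            echo "MISSING: $p is not routed via $TUN_DEV"; rc=1
        fi
    done
    # A default route on the tunnel means everything is tunnelled.
    if printf '%s\n' "$routes" | grep -qE "^default[[:space:]].*[[:space:]]dev[[:space:]]+${TUN_DEV}([[:space:]]|$)"; then
        echo "FULL TUNNEL: default route points at $TUN_DEV"; rc=1
    fi
    # redirect-gateway def1 leaves the default route alone and adds these two
    # halves instead; they win by longest prefix match, so the split is gone.
    if printf '%s\n' "$routes" | grep -qE "^(0\.0\.0\.0/1|128\.0\.0\.0/1)[[:space:]].*[[:space:]]dev[[:space:]]+${TUN_DEV}([[:space:]]|$)"; then
        echo "FULL TUNNEL: def1 half-routes 0.0.0.0/1 and 128.0.0.0/1 present on $TUN_DEV"; rc=1
    fi
    return $rc
}

# Constructed sample: a correctly split client (pushed routes only).
SAMPLE_SPLIT='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.10.0/24 via 10.8.0.1 dev tun0'

# Constructed sample: the same client after the server pushed redirect-gateway def1.
SAMPLE_FULL='default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.5 via 192.168.1.1 dev eth0'

if [ "${1:-}" = "--live" ]; then
    check_split_routes "$(ip -4 route show)" 192.168.10.0/24 10.0.0.0/24
fi
```

Run with --live on the client after connecting; a non-zero exit means either an expected prefix is missing from the tunnel or something made the tunnel the default path. The 203.0.113.5 host route in the second sample is what OpenVPN adds for the VPN server itself when it redirects the gateway, another tell-tale of a full tunnel.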
