Question

Routing between two interfaces

I have a droplet running OpenVPN-AS. I connect to this server to surf the internet when I am using hostile wifi or insecure networks (OpenVPN client IP 172.27.234.X). The OpenVPN-AS server connects to OpenVPN on a Linksys router to access my internal home network. I can ping and access the IPs on my home network from the server. I would like to route ONLY traffic for my home network over the tunnel on the server.

Info

my iPhone (172.27.234.x) ----connects to----> OpenVPN-AS Digital Ocean Server (172.19.13.x) ----connects to----> OpenVPN on Linksys home router ----connects to----> internal home network (172.16.222.x)

Right now the iPhone connects perfectly, routing all traffic through OpenVPN-AS and receiving an IP from OpenVPN-AS of 172.27.234.x.

OpenVPN-AS connects to OpenVPN Linksys

OpenVPN-AS is assigned an IP to tun0 of 172.19.13.x

OpenVPN Linksys allows access to 172.16.222.x

I would like the iPhone to be able to connect as a client to OpenVPN-AS, surf the net from OpenVPN-AS’s internet connection, but also be able to access anything in 172.16.222.x.

Here’s OpenVPN-AS’s routing table (route -n):

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         64.x.x.x     0.0.0.0         UG    0      0        0 eth0
10.46.0.0       0.0.0.0         255.255.0.0     U     0      0        0 eth0
64.x.x.x     0.0.0.0         255.255.240.0   U     0      0        0 eth0
172.16.222.0    172.19.13.1     255.255.255.0   UG    0      0        0 tun0
172.19.13.0     0.0.0.0         255.255.255.0   U     0      0        0 tun0
172.27.224.0    0.0.0.0         255.255.254.0   U     0      0        0 as0t0
172.27.226.0    0.0.0.0         255.255.254.0   U     0      0        0 as0t1
172.27.228.0    0.0.0.0         255.255.254.0   U     0      0        0 as0t2
172.27.230.0    0.0.0.0         255.255.254.0   U     0      0        0 as0t3
172.27.232.0    0.0.0.0         255.255.254.0   U     0      0        0 as0t4
172.27.234.0    0.0.0.0         255.255.254.0   U     0      0        0 as0t5
172.27.236.0    0.0.0.0         255.255.254.0   U     0      0        0 as0t6
172.27.238.0    0.0.0.0         255.255.254.0   U     0      0        0 as0t7


KFSys
Site Moderator
June 21, 2023

Heya,

Here are the steps you might need to take:

  1. On the iPhone: Ensure that the OpenVPN client is not set to route all traffic over the VPN. This can often be a setting in the client application, often called “Send all traffic over VPN connection” or similar.

  2. On the OpenVPN-AS server: You need to ensure that the OpenVPN Access Server is not pushing a default route to clients. You can change this by going to the Admin Web UI and going to VPN Settings. In the “Routing” section, look for “Should client Internet traffic be routed through the VPN?” and set it to “No”.

  3. Pushing the route to the home network: Still on the OpenVPN-AS server, under “Specify the private subnets to which all clients should be given access (as ‘network/netmask_bits’, one per line)”, add your home network: 172.16.222.0/24. This will ensure that your iPhone knows to route traffic for your home network over the VPN.

  4. IP Forwarding on OpenVPN-AS server: Your OpenVPN server should have IP forwarding enabled to allow forwarding traffic from your iPhone to your home network. You can enable it by editing the sysctl.conf file (/etc/sysctl.conf), adding or uncommenting the line: net.ipv4.ip_forward = 1, then applying the changes with sysctl -p.

  5. NAT configuration on OpenVPN-AS server: If the devices on your home network need to reply back to your iPhone, they’ll need to know the route back or the OpenVPN server will need to do Source NAT. You can enable Source NAT on the OpenVPN server with a command like iptables -t nat -A POSTROUTING -s 172.27.234.0/24 -o tun0 -j MASQUERADE.

Remember to replace all the IP addresses and network interfaces with what is used in your configuration. Also, ensure your firewall rules allow the necessary traffic, and remember to make any necessary changes permanent across reboots.
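The following script is an added example and is not code from the original question or from the answer above; it turns steps 4 and 5 of the answer into idempotent sh functions for the OpenVPN-AS droplet. It assumes the addressing visible in the question's routing table (client pool 172.27.234.0/24, home LAN 172.16.222.0/24 reached via tun0), a hypothetical sysctl drop-in path /etc/sysctl.d/99-openvpn-forward.conf, and it narrows the MASQUERADE rule with a -d match so only traffic bound for the home LAN is translated. Run it as `sh forward.sh apply`; with DRY_RUN=1 it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the page: apply IP forwarding and source NAT for
# OpenVPN-AS clients reaching the home LAN through the tun0 tunnel.
set -eu

CLIENT_NET="${CLIENT_NET:-172.27.234.0/24}"   # OpenVPN-AS client pool (from the question)
HOME_NET="${HOME_NET:-172.16.222.0/24}"       # home LAN behind the Linksys (from the question)
TUN_IF="${TUN_IF:-tun0}"                      # tunnel towards the Linksys router
# Hypothetical drop-in path (assumption, not stated on the page).
SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/99-openvpn-forward.conf}"
DRY_RUN="${DRY_RUN:-0}"

# Validate "a.b.c.d/bits" so a typo never lands in a NAT rule.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; bits="${1#*/}"
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in *[!0-9]*|"") return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Step 4: persist net.ipv4.ip_forward=1 (rewrite only when content differs) and apply it live.
ensure_ip_forward() {
    want="net.ipv4.ip_forward = 1"
    if [ ! -f "$SYSCTL_FILE" ] || [ "$(cat "$SYSCTL_FILE")" != "$want" ]; then
        printf '%s\n' "$want" > "$SYSCTL_FILE"
    fi
    run sysctl -w net.ipv4.ip_forward=1
}

# Step 5: build the SNAT rule once so the check (-C) and the append (-A) use identical arguments.
# The -d match keeps the translation limited to home-LAN traffic.
snat_rule() {
    printf '%s' "-t nat -s $1 -d $2 -o $3 -j MASQUERADE"
}

ensure_snat() {
    set -- $(snat_rule "$CLIENT_NET" "$HOME_NET" "$TUN_IF")
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ iptables -C $* || iptables -A $*"
        return 0
    fi
    iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

# Sanity check for step 3: the server itself must already route the home LAN via the tunnel.
home_route_present() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ ip route show $HOME_NET"; return 0; fi
    ip route show "$HOME_NET" | grep -q "dev $TUN_IF"
}

main() {
    valid_cidr "$CLIENT_NET" || { echo "bad CLIENT_NET: $CLIENT_NET" >&2; exit 1; }
    valid_cidr "$HOME_NET" || { echo "bad HOME_NET: $HOME_NET" >&2; exit 1; }
    home_route_present || { echo "no route to $HOME_NET via $TUN_IF; fix the tunnel first" >&2; exit 1; }
    ensure_ip_forward
    ensure_snat
}

# Only act when explicitly asked, so sourcing the file for its functions has no side effects.
if [ "${1:-}" = apply ]; then main; fi
```

The route check runs before anything is changed: if the server has no route to the home LAN over tun0, enabling forwarding and NAT would only push client packets out eth0 towards the public internet, which is exactly the leak the question wants to avoid.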
