OpenVPN: Routing via VPN just for some clients?

I have already read about “redirect-gateway def1”, but is there any way to route traffic through the VPN only for some clients? For example those who are abroad.

I would also love to suggest a graphical way to change where ipp.txt is stored so that I can have a static IP assignment for clients without this file being redirected every time I make any changes to the server through the web interface, or just the graphical option to assign IPs to clients.


You can specify (override) if all traffic is routed through the VPN in individual client config files. Either specify “redirect-gateway def1” if the server does not push it, or “route-nopull” if the server does push it (but then you have to additionally specify all the other routes that the server would otherwise push to access specific subnets through the VPN). I always make two versions of the client config files I use - one “LAN only” and one “Full” - and choose based on circumstances.

Yes, now I get it. Fortunately, last night I finally found out how to add those individual client configuration files. It’s just what I was looking for, but finding information on how to do it turned out to be quite tricky.

For those who, like me, get what to do but not how to, here is how I did it.

First of all you have to add option client_config_dir '/etc/openvpn/ccd' to your /etc/config/openvpn file:

    config openvpn 'server_turris'
        option enabled '1'
        option port '1194'
        option proto 'udp'
        option dev 'tun_turris'
        option ca '/etc/ssl/ca/openvpn/ca.crt'
        option crl_verify '/etc/ssl/ca/openvpn/ca.crl'
        option cert '/etc/ssl/ca/openvpn/01.crt'
        option key '/etc/ssl/ca/openvpn/01.key'
        option dh '/etc/ssl/ca/openvpn/dhparam.pem'
        option server '10.2.0.0 255.255.0.0'
        option duplicate_cn '0'
        option keepalive '10 120'
        option persist_key '1'
        option persist_tun '1'
        option status '/tmp/openvpn-status.log'
        option verb '3'
        option mute '20'
        option topology 'subnet'
        option ifconfig_pool_persist '/tmp/ipp.txt'
   ===> option client_config_dir '/etc/openvpn/ccd' <===
        list push 'route 10.0.0.0 255.255.0.0'
        list push 'dhcp-option DNS 10.2.0.1'

Once you have done this, you have to create the referenced directory (ccd stands for "Client Configuration Directory"):

    mkdir /etc/openvpn/ccd

Now, inside this directory, you can create the configuration files for the individual clients. If your client certificate is named "Client-1", the file itself also has to be named "Client-1", with no dot or extension and with the same capitalization.
E.g. /etc/openvpn/ccd/Client-1

Within these files you can define the specific configuration for each client. Below are some common examples.

Assign an IP configuration

ifconfig-push 10.2.2.2 255.255.0.0

Adding a route to the WAN network (to reach your ISP’s router if you have double NAT)

push 'route 192.168.1.0 255.255.255.0'

Route all traffic via VPN just for this client

push 'redirect-gateway def1'

Combined example

* You can also comment lines if you don’t want to apply a command right now but you want to keep it in the file.

root@Turris:~# cat /etc/openvpn/ccd/Client-1

    ifconfig-push 10.2.2.2 255.255.0.0
    push 'route 192.168.1.0 255.255.255.0'
    # push 'redirect-gateway def1'

I hope it will be a good help for those who, like me, are looking for how to do it and find a lot of half explanations and commands without really understanding what they do.
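Because OpenVPN matches the CCD file name against the certificate CN exactly and silently ignores a file it cannot match, and because a typo in ifconfig-push only shows up when the client fails to connect, a small sanity check of the ccd directory is worth having. The following is an added example (not code from this thread or from Turris/OpenVPN) that scans a CCD directory and flags names with a dot, addresses outside the server subnet from the post (10.2.0.0/16, topology subnet), a netmask that differs from the server's, the server's own 10.2.0.1, and the same static IP handed to two clients; the sample files it builds are constructed for the demo.

```python
import ipaddress
import tempfile
from pathlib import Path

# Matches 'option server 10.2.0.0 255.255.0.0' in the thread; server itself is 10.2.0.1
SERVER_NET = ipaddress.ip_network("10.2.0.0/16")


def parse_ccd(text):
    """Return (directive, args) pairs from a CCD file, dropping comments and quotes."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '# push ...' is a disabled directive
        if line:
            parts = line.split(None, 1)
            out.append((parts[0], parts[1].strip("'\"") if len(parts) > 1 else ""))
    return out


def check_ccd_dir(ccd_dir, server_net=SERVER_NET):
    """Check every per-client file and return {filename: [problem, ...]}."""
    problems, seen = {}, {}
    for path in sorted(p for p in Path(ccd_dir).iterdir() if p.is_file()):
        issues = []
        if "." in path.name:  # 'Client-1.txt' never matches the CN 'Client-1'
            issues.append("name contains a dot; it must equal the certificate CN exactly")
        for directive, args in parse_ccd(path.read_text()):
            if directive != "ifconfig-push":
                continue
            fields = args.split()
            if len(fields) < 2:
                issues.append("ifconfig-push needs an address and a netmask")
                continue
            addr, mask = fields[0], fields[1]  # topology subnet: address + netmask
            ip = ipaddress.ip_address(addr)
            if ip not in server_net:
                issues.append(f"{addr} is outside server subnet {server_net}")
            if mask != str(server_net.netmask):
                issues.append(f"netmask {mask} differs from server netmask {server_net.netmask}")
            if ip == server_net[1]:
                issues.append(f"{addr} is the server's own address")
            if ip in seen:
                issues.append(f"{addr} already assigned to {seen[ip]}")
            seen.setdefault(ip, path.name)
        problems[path.name] = issues
    return problems


def build_sample_dir():
    """Write a constructed CCD directory (demo data, not a real router) and return its path."""
    d = Path(tempfile.mkdtemp())
    (d / "Client-1").write_text("ifconfig-push 10.2.2.2 255.255.0.0\n"
                                "push 'route 192.168.1.0 255.255.255.0'\n"
                                "# push 'redirect-gateway def1'\n")
    (d / "Client-2").write_text("ifconfig-push 10.2.2.2 255.255.0.0\npush 'redirect-gateway def1'\n")
    (d / "Client-3.txt").write_text("ifconfig-push 10.9.0.9 255.255.255.0\n")
    return d
```

Run it against /etc/openvpn/ccd on the router (e.g. `check_ccd_dir("/etc/openvpn/ccd")`) after editing client files; an empty list for every client means nothing obviously wrong was found.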

To clarify, what I referred to was modifying individual client-side config files. Your solution does it server-side. Either should work. But be aware that clients can override these settings if they so wish.


At least in my case, it is more convenient to do it server-side.

  • I don’t really have physical access to all clients.
  • I don’t have to find how to do it if there is any difference by OS (Linux, Windows, Android, …).
  • And this way I can include it in the server snapshots.
