
Tutorial: Configure Full and Split Tunneling in Access Server

Abstract

Configure full and split tunneling in OpenVPN Access Server using the Admin Web UI and CLI. Learn how to control traffic routing globally and per user or group.

Overview

This tutorial explains how to configure full and split tunneling in Access Server.

You'll learn:

  • How tunneling works.

  • How to configure it globally.

  • How to override settings for specific users and groups using both the Admin Web UI and CLI.

Prerequisites

  • Access Server installed and running.

  • Admin Web UI access.

  • Root access to the Access Server console (for CLI steps).

How full and split tunneling work in Access Server

Access Server uses two OpenVPN directives to control traffic routing:

  • redirect-gateway: Sends all client traffic through the VPN (full tunnel).

  • redirect-private: Routes only specific private subnets through the VPN while other traffic uses the client's local internet connection (split tunnel).

By default, full tunneling is configured globally and can be overridden at the user or group level.

[Figure: full tunnel vs. split tunnel]

Configure tunneling globally

Configure using Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Access Controls.

    • The Group and User Access Rules tab displays.

  3. Click the Internet Access and DNS tab.

  4. Under Internet gateway, select one of the following:

    • Full-Tunnel

    • Split-Tunnel

  5. Click Save and Restart.

Configure using CLI

  1. Connect to the console and get root privileges.

  2. Configure full tunneling:

    sacli --key "vpn.client.routing.reroute_gw" --value "true" ConfigPut
    sacli start

  3. Configure split tunneling:

    sacli --key "vpn.client.routing.reroute_gw" --value "false" ConfigPut
    sacli start

Enable split tunneling for a specific user or group

Important

This override can only be configured using the CLI.

  1. Connect to the console and get root privileges.

  2. Enable split tunneling without pushing DNS:

    sacli --user <USER_OR_GROUP> --key "prop_reroute_gw_override" --value "disable" UserPropPut

  3. Enable split tunneling while still pushing DNS:

    sacli --user <USER_OR_GROUP> --key "prop_reroute_gw_override" --value "dns_only" UserPropPut

  4. Refresh the Access Server configuration:

    sacli start

Enable full tunneling for a specific user or group

Important

This method simulates full tunneling by routing all traffic using two large subnets:

  • 0.0.0.0/1

  • 128.0.0.0/1

[Figure: simulated full tunnel]
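Why the two /1 rules behave like a full tunnel, shown as an added example that is not part of the Access Server documentation: together they cover all of IPv4, and each is more specific than the client's 0.0.0.0/0 default route, so longest-prefix matching sends traffic to the VPN. The route tables, interface names (eth0, tun0) and addresses below are constructed assumptions; note that a more-specific local route still stays outside the tunnel.

```python
import ipaddress

# Constructed client route tables: (destination prefix, interface).
# eth0 = local uplink, tun0 = VPN interface (both names are assumptions).
LOCAL = [("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth0")]
SPLIT = LOCAL + [("10.20.0.0/16", "tun0")]  # one private subnet via VPN
SIM_FULL = LOCAL + [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0")]


def egress(routes, dst):
    """Interface picked for dst by longest-prefix match, or None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), dev) for net, dev in routes
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def tunnel_covers_all_ipv4(routes, tun="tun0"):
    """True when the prefixes routed to the tunnel add up to 0.0.0.0/0."""
    nets = [ipaddress.ip_network(net) for net, dev in routes if dev == tun]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]


def outside_tunnel(routes, tun="tun0"):
    """Non-tunnel prefixes not fully overridden by more-specific tunnel routes."""
    tun_nets = [ipaddress.ip_network(net) for net, dev in routes if dev == tun]
    out = []
    for net, dev in routes:
        n = ipaddress.ip_network(net)
        inner = [t for t in tun_nets if t != n and t.subnet_of(n)]
        if dev != tun and list(ipaddress.collapse_addresses(inner)) != [n]:
            out.append(net)
    return out


if __name__ == "__main__":
    for name, table in (("split", SPLIT), ("simulated full", SIM_FULL)):
        print(name, "covers all IPv4:", tunnel_covers_all_ipv4(table))
        for dst in ("8.8.8.8", "203.0.113.9", "10.20.3.4", "192.168.1.50"):
            print(f"  {dst:>13} -> {egress(table, dst)}")
        print("  outside the tunnel:", outside_tunnel(table))
```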

Configure using Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Access Controls.

    • The Group and User Access Rules tab displays.

  3. Click New Access Rule.

  4. Select Group or User as the target.

  5. Select your user or group under Username/Group name.

  6. Add a rule:

    • IP address: 0.0.0.0/1

    • Reachable via: NAT

  7. Click Save rule.

  8. Click New Access Rule to add a second rule.

  9. Repeat the above steps to select the same User or Group.

  10. Add a rule:

    • IP address: 128.0.0.0/1

    • Reachable via: NAT

  11. Click Save rule and Restart.

Configure using CLI

  1. Connect to the console and get root privileges.

  2. Use these commands to enable full tunnel for a user, without changing DNS settings:

    sacli --user <USER_NAME> --key "type" --value "user_compile" UserPropPut
    sacli --user <USER_NAME> --key "access_to.0" --value "+NAT:0.0.0.0/1" UserPropPut
    sacli --user <USER_NAME> --key "access_to.1" --value "+NAT:128.0.0.0/1" UserPropPut

  3. Use these commands to enable full tunnel for a group, without changing DNS settings:

    sacli --user <GROUP_NAME> --key "access_to.0" --value "+SUBNET:0.0.0.0/1" UserPropPut
    sacli --user <GROUP_NAME> --key "access_to.1" --value "+SUBNET:128.0.0.0/1" UserPropPut

  4. Refresh the Access Server configuration:

    sacli start