
Setting up routing

If you set up a routed VPN, i.e. one where local and remote subnets differ, you need to set up routing between the subnets so that packets will transit the VPN.

Here is a possible road warrior network configuration:

Road Warrior (Windows)

    TAP-Windows Adapter
    10.3.0.2 subnet 255.255.255.0

ifconfig option in OpenVPN config:

    ifconfig 10.3.0.2 255.255.255.0

Main Office, server (any OS)

    tap adapter
    10.3.0.1 subnet 255.255.255.0

ifconfig option in OpenVPN config:

    ifconfig 10.3.0.1 255.255.255.0

The server's second interface, on the main office LAN:

    private ethernet
    10.0.0.1 subnet 255.255.255.0

The road warrior needs this route in order to reach machines on the main office subnet (this is a shell command):

    route add 10.0.0.0 mask 255.255.255.0 10.3.0.1

Routes can be conveniently specified in the OpenVPN config file itself using the --route option:

    route 10.0.0.0 255.255.255.0 10.3.0.1

If the OpenVPN server in the main office is also the gateway for machines on the remote subnet, no special route is required on the main office side.

On the other hand, if the main office OpenVPN server is NOT also the gateway, then whichever machine or router IS the gateway must know to route the 10.3.0.0 subnet (netmask 255.255.255.0) to the machine which is running OpenVPN.
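A check for the road warrior configuration above, as an added example that is not part of the original page: it parses the tap-style `ifconfig` and `route` lines, flags a route whose gateway cannot be reached on the tunnel subnet, and builds the return route for the case where the main office gateway is a separate machine. The function names and the Linux `route add -net` syntax assumed for that gateway are not from the page.

```python
import ipaddress

# Constructed sample: the road warrior's config lines shown on this page.
CLIENT_CONF = """\
ifconfig 10.3.0.2 255.255.255.0
route 10.0.0.0 255.255.255.0 10.3.0.1
"""

def parse(conf):
    """Return (tunnel interface, [(destination network, gateway), ...])."""
    tunnel, routes = None, []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        # Only the full forms used on this page are handled (tap-style ifconfig).
        if words[0] == "ifconfig" and len(words) == 3:
            tunnel = ipaddress.ip_interface(f"{words[1]}/{words[2]}")
        elif words[0] == "route" and len(words) == 4:
            # strict=True raises ValueError if the destination has host bits set
            net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=True)
            routes.append((net, ipaddress.ip_address(words[3])))
    return tunnel, routes

def check(conf):
    """List problems that would stop packets from transiting the VPN."""
    tunnel, routes = parse(conf)
    if tunnel is None:
        return ["no 'ifconfig <ip> <netmask>' line found"]
    problems = []
    for net, gw in routes:
        if gw not in tunnel.network:
            problems.append(f"gateway {gw} is not on tunnel subnet {tunnel.network}")
        if gw == tunnel.ip:
            problems.append(f"gateway {gw} is this machine's own tunnel address")
        if net.overlaps(tunnel.network):
            problems.append(f"route {net} overlaps tunnel subnet {tunnel.network}")
    return problems

def return_route(conf, server_lan_ip):
    """Route a separate main office gateway needs (Linux syntax is an assumption)."""
    tunnel, _ = parse(conf)
    n = tunnel.network
    return f"route add -net {n.network_address} netmask {n.netmask} gw {server_lan_ip}"

if __name__ == "__main__":
    print(check(CLIENT_CONF) or "routes OK")
    print(return_route(CLIENT_CONF, "10.0.0.1"))
```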
