Documentation

Server 3.x

Split Tunnel#

Configuring “split tunnel”, i.e. only routing certain traffic over the VPN can be configured. It consists of three parts, although some may not be required for your particular setup:

  1. Configuring the “routes” to the client to inform them which IP ranges need to be routed over the VPN and make sure the VPN is not used as a “default gateway”;
  2. Configure and (internal) DNS server to be used by the clients that possibly resolves “local” names only;
  3. Restrict other traffic from being sent over the VPN to other locations than the pushed routes, the clients should not be able to override the “route” configuration, e.g. by forcing “default gateway”.

NOTE: if there are no internal-only DNS entries to resolve, you SHOULD NOT push DNS servers to the client. If there are, then make sure to also specify dnsSearchDomainList. In addition, make sure the IP address(es) of the DNS server(s) are also included in the routeList.

Example#

We have an organization example.local that has two IP ranges, 10.42.42.0/24 and 10.43.43.0/24 that clients need access to from home. The internal DNS server, on 10.1.1.1/32 is responsible for resolving the example.local domain for internal servers. Only traffic to these IP ranges and the DNS server should be allowed from the VPN server.

Profile Configuration#

Configure an office profile in /etc/vpn-user-portal/config.php, e.g.:

'ProfileList' => [
    [
        'profileId' => 'office',
        'displayName' => 'Office',
        // issued to VPN clients
        'oRangeFour' => '10.0.0.0/24',
        'oRangeSix' => 'fd00::/64',
        // hostname VPN clients will connect to
        'hostName' => 'office.example.org',

        ...
        ...

        // push the routes to the client, *including* the DNS IP
        'routeList' => ['10.42.42.0/24', '10.43.43.0/24', '10.1.1.1/32'],

        // push the local DNS to the clients as well
        'dnsServerList' => ['10.1.1.1'],

        // Connection-specific DNS Suffix Search List
        'dnsSearchDomainList' => ['example.local', 'foo.example.local', 'bar.example.local'],
    ],
],

Take special note of the routeList, dnsServerList and dnsSearchDomainList options. See Profile Config for other configuration options that may be relevant for your situation.

To apply the configuration changes:

$ sudo vpn-maint-apply-changes

Routing List Collisions with VPN Server IP#

Sometimes you want VPN clients to send traffic over the VPN to certain prefixes, but the public IP address of the VPN server itself is contained in that prefix. This may result in a “routing loop” on some platforms.

NOTE: it is better to avoid having a routeList with the VPN server’s IP address in it if you can!

In this example your VPN server’s public IP address is 192.0.2.5. You want all traffic to the 192.0.2.0/24 network to go over the VPN. So how do we prevent the VPN tunnel connection to go over the VPN and thus result in a loop?

For both WireGuard and OpenVPN we can use the excludeRouteList function where we list the VPN server’s public IP address(es).

'defaultGateway' => false,
'routeList' => ['192.0.2.0/24'],
'excludeRouteList' => ['192.0.2.5/32'],

If your server also supports connecting over IPv6, and the server’s VPN IPv6 address is also included in the routeList you can do the exact same thing for IPv6.

A full example:

[
    'profileId' => 'overlap-split-tunnel',
    'displayName' => 'Overlap Split Tunnel',
    'hostName' => 'vpn.tuxed.net',
    'oRangeFour' => '10.142.191.0/24',
    'oRangeSix' => 'fd39:470:9e3d:a887::/64',
    'wRangeFour' => '10.67.251.0/24',
    'wRangeSix' => 'fd8b:9f9d:bd74:58dd::/64',
    'routeList' => [
        '195.30.8.34/32',            // v6.de
        '145.220.52.0/24',           // vpn.tuxed.net server IPv4 prefix
        '2001:608:0:1007::1:34/128', // v6.de
        '2001:608:0:1007::34/128',   // v6.de
        '2001:67c:6ec:520::/64',     // vpn.tuxed.net server IPv6 prefix
    ],
    'excludeRouteList' => [
        '145.220.52.76/32',                      // vpn.tuxed.net IPv4 address
        '2001:67c:6ec:520:5054:ff:fe87:7dac/128' // vpn.tuxed.net IPv6 address
    ],
    'defaultGateway' => false,
],

All traffic to v6.de goes over the VPN, all traffic to the IPv4 and IPv6 prefixes of vpn.tuxed.net also go over the VPN, except direct traffic to the IPv4 and IPv6 addresses of vpn.tuxed.net. Thus a routing loop is avoided.

Firewall Configuration#

You may want to update your firewall to drop/reject traffic to prefixes you do not want routed over the VPN.