Bruce
Resolved
0 votes
I want to route all my remote devices & LAN segments (LAN & HotLAN for now, VLAN later) through the COS OpenVPN server.
No traffic goes to a VPN service.
The VPN is for bringing remote device traffic back to COS and protecting local devices on LAN segments with wifi and IoT.
I want all devices to utilize the DNS of COS & the gateway management feature.
Reading through other posts, I still can't piece this together.
Is it as simple as adding

push "redirect-gateway def1 bypass-dhcp"

to /etc/openvpn/clients.conf

Will the same config work on, say, an iOS device connecting from a coffee shop or my wifi on the LAN?
Or do I need 2 different profiles?
If I'm using ***.poweredbyclear.com, will that get resolved locally on the LAN?
Is this what the redirect-gateway does?
Thanks
Trying to learn as I go.
In VPN
Friday, October 30 2020, 07:14 PM
Responses (1)
  • Accepted Answer

    Sunday, November 01 2020, 09:02 AM
    Resolved
    0 votes
    I believe there is a special trick to securing LAN traffic with OpenVPN. I thought I knew it a while ago, tried it and failed. Your best port of call will be the OpenVPN forums. I think it requires changing something in the ovpn file you are using.

    [edit]
    Try this link. You may have to add the "local" parameter to the "redirect-gateway" line, but I'd probably leave in the "bypass-dhcp". I think the interface was written not to change the line if manually configured this way but I am not sure. It may show the line disabled in the Webconfig. It is just possible you will need 2 different client configurations as I don't know how that will work from a coffee shop.
    [/edit]

    However, using it will shoot you in the foot. For Gateway Management to be effective, it needs to see MAC addresses, and once you are using OpenVPN, the MAC address becomes obscured. At that point all you can do is take the special rule in GM which collects all sorts of unknown IPs and move it into your desired rule set. However, it means everyone will end up using the same rules.

    Using ***.poweredbyclear.com is fine on your LAN but you should add an entry in your DNS server pointing it to your ClearOS LAN IP.

    Redirect-gateway stops split tunnelling, so it pushes all traffic through the VPN instead of allowing traffic not directed to the ClearOS LAN subnet(s) to go straight to the internet via the remote connection.
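The pieces the question and the accepted answer talk about, collected into one worked configuration. This is an added example, not the poster's config and not ClearOS's shipped files: the only thing taken from the thread is the `push "redirect-gateway def1 bypass-dhcp"` line and the `/etc/openvpn/clients.conf` path the poster named. The LAN address `192.168.1.1`, the `<your-subdomain>.poweredbyclear.com` hostname and the port are placeholders to replace with your own values.

```conf
# Added example (not from the forum post or from ClearOS). The file path,
# the 192.168.1.1 LAN address and the hostname are assumptions: substitute
# the ClearOS LAN IP and the poweredbyclear.com name you actually use.

# ---- 1. Server side: options pushed to every connecting client --------
# Goes in the server config the poster named (/etc/openvpn/clients.conf).
#
# def1 does not delete the client's existing default route; it adds two
# more-specific half routes (0.0.0.0/1 and 128.0.0.0/1) via the tunnel that
# win over the real default, so the old route comes back cleanly when the
# tunnel drops. bypass-dhcp keeps the client's local DHCP server reachable
# outside the tunnel so lease renewals still work.
push "redirect-gateway def1 bypass-dhcp"

# Full tunnel without a pushed resolver still leaks DNS: the client keeps
# asking the coffee-shop resolver, and the ClearOS DNS (and anything keyed
# on it) is never used. Point clients at the ClearOS LAN address instead.
push "dhcp-option DNS 192.168.1.1"

# ---- 2. Remote client profile (coffee shop) ----------------------------
# A plain client profile; "client" already implies "pull", so the
# redirect-gateway and dhcp-option pushes above are accepted as-is.
client
dev tun
proto udp
remote <your-subdomain>.poweredbyclear.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# certificate / key / tls-auth directives omitted; use the ones from your
# ClearOS-generated profile unchanged.

# ---- 3. LAN/wifi client profile (same subnet as the server) -----------
# Identical to profile 2 except for these lines. Without "local", the
# client first installs a host route to the VPN server via its old default
# gateway; on a directly connected LAN that route is wrong. "local" skips
# it. pull-filter (OpenVPN 2.4+) makes the client ignore the server's
# pushed redirect-gateway so this local variant is the one that applies.
pull-filter ignore "redirect-gateway"
redirect-gateway local def1
```

Two things worth knowing when applying this. First, OpenVPN also accepts an `autolocal` flag (`redirect-gateway autolocal def1 bypass-dhcp`), which asks the client to work out for itself whether the server is on a directly connected subnet; if it behaves correctly for your iOS client, it lets one profile serve both the coffee shop and the LAN, which is the alternative to the two-profile approach the answer mentions. Second, redirect-gateway only changes the client's routing table; the server still has to forward, filter and NAT the tunnel subnet's traffic, and, as the answer says, Gateway Management rules keyed on MAC addresses will see only the tunnel endpoint rather than the individual devices behind it.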