By default, OpenVPN routes only the VPN's own network traffic through the tunnel. We can configure the OpenVPN client to route all IPv4 traffic through the VPN, for example with the advanced option in Tunnelblick. However, some other VPN clients, such as ZeroTier, are not mature enough to offer this, so we have to route that traffic manually.
Environment
Suppose the VPN gateway is 10.1.1.1 and its public network address is 1.2.3.4. We need:
- Traffic to 1.2.3.4/32 through our default gateway (important!)
- Traffic to 0.0.0.0/1 and 128.0.0.0/1 through the VPN gateway
OSX
We can use the following commands:
route add 1.2.3.4/32 192.168.1.1 ## assuming 192.168.1.1 is our local network gateway
route add 0.0.0.0/1 10.1.1.1
route add 128.0.0.0/1 10.1.1.1
Linux
route add -net 1.2.3.4 netmask 255.255.255.255 gw 192.168.1.1
route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.1.1.1
route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.1.1.1
In either case, we can't omit the route for the VPN's public address through the default gateway: without it, the encrypted tunnel packets themselves would be sent into the tunnel and the connection would collapse.
In ZeroTier, we can get the supernodes with the command zerotier-cli listpeers; supernodes are listed with a supernode suffix.
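The client-side procedure above, as an added shell example (not code from the original post): it builds the three routes for either OSX or Linux, only echoes them unless DRY_RUN=0, and checks a routing table for the mandatory host route to the VPN's public address. The addresses 1.2.3.4, 192.168.1.1 and 10.1.1.1 are the post's placeholders, and the routing table is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the three client routes
# for "osx" or "linux", applies them only when DRY_RUN=0, and checks a Linux
# `route -n` table for the host route to the VPN's public address.
set -eu

# Print the route commands for one platform.
# $1 = VPN public address, $2 = local (default) gateway, $3 = VPN gateway,
# $4 = "osx" or "linux".
vpn_route_cmds() {
    pub="$1"; lgw="$2"; vgw="$3"; os="$4"
    case "$os" in
        osx)
            # The host route goes first so the tunnel's own packets never
            # get caught by the two /1 routes.
            printf 'route add %s/32 %s\n' "$pub" "$lgw"
            printf 'route add 0.0.0.0/1 %s\n' "$vgw"
            printf 'route add 128.0.0.0/1 %s\n' "$vgw"
            ;;
        linux)
            printf 'route add -net %s netmask 255.255.255.255 gw %s\n' "$pub" "$lgw"
            printf 'route add -net 0.0.0.0 netmask 128.0.0.0 gw %s\n' "$vgw"
            printf 'route add -net 128.0.0.0 netmask 128.0.0.0 gw %s\n' "$vgw"
            ;;
        *)
            echo "unknown platform: $os" >&2
            return 1
            ;;
    esac
}

# Run the commands, or just echo them when DRY_RUN is 1 (the default).
vpn_route_apply() {
    vpn_route_cmds "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: $cmd"
        else
            eval "$cmd"
        fi
    done
}

# Read a Linux `route -n` table on stdin and succeed only if a /32 host
# route for the public address ($1) points at the local gateway ($2).
has_host_route() {
    awk -v d="$1" -v g="$2" '
        $1 == d && $2 == g && $3 == "255.255.255.255" { found = 1 }
        END { exit !found }'
}

# Constructed sample of what `route -n` shows after the Linux commands.
SAMPLE_ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
0.0.0.0         10.1.1.1        128.0.0.0       UG    0      0        0 tun0
1.2.3.4         192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.1.1.1        128.0.0.0       UG    0      0        0 tun0'

# Demo: echo the Linux commands, then verify the sample table.
vpn_route_apply 1.2.3.4 192.168.1.1 10.1.1.1 linux
if printf '%s\n' "$SAMPLE_ROUTE_TABLE" | has_host_route 1.2.3.4 192.168.1.1; then
    echo "host route to VPN public address present: ok"
else
    echo "WARNING: no host route for 1.2.3.4 via 192.168.1.1; the tunnel would loop" >&2
fi
```

Run it with DRY_RUN=0 as root to actually apply the routes; in practice, pipe the real `route -n` output into has_host_route before adding the two /1 routes, so that a missing host route is caught before connectivity is lost.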
When we have finished these steps, however, the network connection may be lost instead. Perhaps we haven't configured the VPN to redirect network traffic. In OpenVPN, we should add the following directive to the server configuration file, which tells clients to redirect all their traffic through the VPN. By default, it's not enabled.
push "redirect-gateway def1 bypass-dhcp"
Then configure NAT in iptables to masquerade the traffic:
iptables -t nat -A POSTROUTING -s 10.1.1.1/24 -o eth0 -j MASQUERADE
We assume the VPN subnet is 10.1.1.1/24.
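The server-side steps above, as an added shell example (not code from the original post): it normalizes the subnet written as 10.1.1.1/24 to the network form iptables actually stores, checks that a server config carries the redirect-gateway push, and emits an idempotent NAT setup. Enabling net.ipv4.ip_forward is an addition not mentioned in the post, since a MASQUERADE rule alone does not forward packets; the config fragments are constructed, and eth0 and 10.1.1.1/24 are the post's placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Normalizes the VPN subnet, checks
# a server config for the redirect-gateway push, and prints idempotent NAT
# commands (forwarding enable is an addition: MASQUERADE alone does not
# forward packets).
set -eu

# Turn a.b.c.d/len into its network address, e.g. 10.1.1.1/24 -> 10.1.1.0/24.
# iptables accepts the host form but stores the network form, so normalizing
# first lets the `iptables -C` check below match the stored rule.
network_of() {
    printf '%s\n' "$1" | awk -F'[./]' '{
        ip  = $1 * 16777216 + $2 * 65536 + $3 * 256 + $4
        len = $5
        blk = 2 ^ (32 - len)
        net = int(ip / blk) * blk
        printf "%d.%d.%d.%d/%d\n", int(net / 16777216) % 256,
               int(net / 65536) % 256, int(net / 256) % 256, net % 256, len
    }'
}

# Succeed if an OpenVPN server config on stdin pushes redirect-gateway def1.
has_redirect_push() {
    grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway[[:space:]]+def1'
}

# Print the server-side commands: enable forwarding, then add the MASQUERADE
# rule only if it is not already present (-C checks, -A appends).
# $1 = VPN subnet in CIDR form, $2 = egress interface.
server_nat_cmds() {
    net=$(network_of "$1"); dev="$2"
    rule="POSTROUTING -s $net -o $dev -j MASQUERADE"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -A %s\n' "$rule" "$rule"
}

# Constructed server.conf fragments: one with the push line, one without.
CONF_WITH_PUSH='port 1194
proto udp
dev tun
push "redirect-gateway def1 bypass-dhcp"'
CONF_WITHOUT_PUSH='port 1194
proto udp
dev tun'

# Demo: warn when the push is missing, then print the NAT commands.
if ! printf '%s\n' "$CONF_WITHOUT_PUSH" | has_redirect_push; then
    echo "note: config lacks push \"redirect-gateway def1\"; clients will not redirect" >&2
fi
server_nat_cmds 10.1.1.1/24 eth0
```

The printed commands can be piped into `sh` on the server; because the rule is added only when `iptables -C` fails to find it, rerunning the script does not stack duplicate MASQUERADE rules.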
Reference:
The following guides describe how to configure an OpenVPN server on Debian:
How to Setup and Configure an OpenVPN Server on Debian 6
How to Setup and Configure an OpenVPN Server on Debian 8 jessie