18

I'm using OpenVPN on Windows with a TAP adapter.

I know you can specify a route to a specific IP address to go to your local internet connection. However, it can't do the same for a hostname/domain.

Is there a way to keep my traffic on the VPN but route requests to www.google.com, for example, through my default gateway at home (192.168.1.1 in my case)?

I was thinking that I could set 127.0.0.1 www.google.com in my HOSTS file and run a local apache and deal with a ruleset in there, but I'd rather not have to run a local webserver/proxy if there is another way I don't know about.

3 Answers

6

You can specify a route to a host name only if you use --allow-pull-fqdn; details can be found in The OpenVPN Manual.

1
  • 3
    Looks like something I'm looking for, but the documentation isn't very clear on how to use this. Do you maybe have an example of how I would route traffic to, let's say, www.google.com through my local adapter instead of the OpenVPN one? Do I edit the .ovpn file with: push "route www.google.com 192.168.1.1" --allow-pull-fqdn
    Commented Sep 24, 2015 at 2:44
23

You can add this to the .ovpn file:

allow-pull-fqdn
route www.google.com 255.255.255.255 net_gateway

Then on OpenVPN startup this will look up www.google.com, get its IP address, and then add a route for that using the net (not the VPN).

The problem is, google uses multiple IP addresses, so when you try to visit google it will still use the VPN unless you happen to hit the same IP address it looked up when it started.

One hack is to get one of the IP addresses that google uses and add it to your /etc/hosts, so then your machine will always use the same IP address for google, and the openvpn route command will accomplish what you want.

Problem is, of course, if google ever stops using that IP address or, for whatever reason, wants to route you to a different IP address. Then it fails.

2
  • what if it is a CDN and multiple domains use the same IP address, but you want to use the VPN only for one of them?
    – Karthik T
    Commented Jul 25, 2018 at 2:18
  • Don't know - you'd have to test it to see if openvpn is storing the IP or the domain name for comparison - I would assume it's the IP address.
    Commented Jul 27, 2018 at 0:23
16

I know this entry is very late to the game, but I recently spent several hours researching this same topic and figured I'd help others that might be looking for the same thing. While the most common use case is to route everything through your VPN, there are two exception scenarios when it comes to VPNs:

  1. You want mostly all traffic to go through the VPN, with a few exceptions
  2. You only have a couple of sites that you want to route through the VPN

Route most with exceptions

For scenario # 1, David's response works just fine. To overcome the multiple IPs issue, do a WHOIS lookup and create the route for an IP address block, not just an IP address. Note that you might have to perform several lookups to get the entire set of IP address blocks.

# if your build doesn't support "net_gateway," replace it with your own default gateway
# I added extra spacing for legibility, but a single space is fine
route  172.217.0.0   255.255.0.0    net_gateway  ;  google.com
route  216.239.32.0  255.255.224.0  net_gateway  ;  google.com
allow-pull-fqdn  ;  my config works *without* this option, so test on your build
route  google-public-dns-a.google.com  net_gateway  ;  8.8.8.8
route  google-public-dns-b.google.com  net_gateway  ;  8.8.4.4
route  ifconfig.co     net_gateway  ;  confirm at least one exception is routing properly
route  whatismyip.com  net_gateway

Route just a few

David's response also applies to scenario # 2; however, you add the route-nopull option to prevent the server from sending a default route for the VPN. I haven't tested it, but I suppose you could add your own default route to point to your net_gateway.

route  1.2.3.0  255.255.255.0  vpn_gateway  ;  "vpn_gateway" is optional & 1.2.3.0 is fictitious
route  2.3.4.0  255.255.255.0  ;  another example - perhaps an IPTV provider
allow-pull-fqdn
route  ifconfig.me       vpn_gateway
route  myexternalip.com  vpn_gateway
route-nopull

Testing the configs

I like to add routes for ifconfig.co, ifconfig.me, whatismyip.com, and myexternalip.com, because it allows me to quickly test what profile I'm running: either full VPN or split tunneling. When I'm running full VPN, all sites will return my VPN address; otherwise, ifconfig.co and whatismyip.com will return my local address, while ifconfig.me and myexternalip.com will return my VPN address.

C:\utils> for %f in (co me) do curl ifconfig.%f

- or -

PS C:\utils> "whatismyip", "myexternalip" | % { Start-Process ("http://{0}.com" -f $_) }

I know it's nothing special, but I provide some details that would really have helped me, when I was looking around. I hope this helps at least one person.

I'd love to hear about any other VPN tips or tricks out there. Happy secure surfing!

1
  • For the record while this probably worked at one point, allow-pull-fqdn was removed from OpenVPN in v3.0 [see discussion here], so you'll have to manually specify any IPs you want to ignore or pass through to the VPN.
    – Mordred
    Commented Dec 27, 2023 at 2:53
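The two answers above turn on the same question: does a given address fall inside an exception route, or does it fall through to the VPN's default route? The script below is an added example, not code from the thread or from OpenVPN: it renders `route` lines from WHOIS-style CIDR blocks, rejects netmasks that don't actually cover the network, and checks a constructed set of resolved addresses against the exception table to show which ones would still ride the tunnel (the "multiple IPs" problem David describes). The 172.217.0.0/16 and 216.239.32.0/19 blocks are taken from the answer; the resolved addresses are made up for the demonstration.

```python
import ipaddress

# Exception routes in OpenVPN's (network, netmask) form, as in the answer above.
# The /32 host route is a constructed addition to show single-address exceptions.
EXCEPTION_ROUTES = [
    ("172.217.0.0", "255.255.0.0"),
    ("216.239.32.0", "255.255.224.0"),
    ("203.0.113.10", "255.255.255.255"),  # constructed example host
]


def cidr_to_route(cidr, gateway="net_gateway"):
    """Turn a WHOIS-style block such as 216.239.32.0/19 into an OpenVPN route line."""
    network = ipaddress.IPv4Network(cidr, strict=True)  # rejects host bits set in the prefix
    return f"route {network.network_address} {network.netmask} {gateway}"


def is_valid_route(net, mask):
    """True if mask really covers net; a typo like 172.217.1.0/255.255.0.0 is caught here."""
    try:
        ipaddress.IPv4Network(f"{net}/{mask}", strict=True)
        return True
    except ValueError:
        return False


def bypasses_vpn(addr, routes=EXCEPTION_ROUTES):
    """True if addr matches an exception route and so leaves via the local gateway."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in ipaddress.IPv4Network(f"{net}/{mask}") for net, mask in routes)


def split_check(resolved_addrs, routes=EXCEPTION_ROUTES):
    """For each address a name currently resolves to, report 'local' or 'vpn'.

    Any 'vpn' entry is an address the route table does not cover, i.e. a case
    where the hostname-based route would silently fall back to the tunnel.
    """
    return {a: ("local" if bypasses_vpn(a, routes) else "vpn") for a in resolved_addrs}


if __name__ == "__main__":
    # Constructed answers for a name that rotates between several addresses.
    print(cidr_to_route("216.239.32.0/19"))
    print(split_check(["172.217.5.6", "216.239.40.1", "142.250.1.1"]))
```

Feed `split_check` the output of a real lookup (for example from `nslookup` run a few times) to see whether your exception table covers every address the name hands out.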
