I have an OpenVPN server set up on my Raspberry Pi. When I installed it, the guide I followed said to add a line like: push "route 192.168.1.0 255.255.255.0" so that the server would let the client know that that network could be reached through the VPN, or so I understood. But now I'm using the Pi as a router to share a WiFi Internet connection with a computer, using the network 192.168.0.0, and so I was thinking of adding a route for that network that way. But I tried connecting before doing it, and the PC can be reached without doing anything.

Doing a traceroute, I saw that apparently 10.8.0.1 is the default gateway, so it can just reach it from there without a problem. So I'm wondering, what is that statement really used for? It doesn't seem to be necessary for making the client aware of the network, since all the traffic is going through the VPN anyway.

  • route is used to allow a client remote access to a subnet (i.e. LAN) behind the router. push is specified in the server config to push the route directive to the client upon the client connecting to the server, negating the need to have the route directive in the client's *.ovpn config.
    – JW0914
    Commented Nov 1, 2019 at 12:13
  • “since all the traffic is going through the VPN anyway.”—That is not necessarily the case. Split tunneling is widely used.
    – Daniel B
    Commented Mar 13 at 12:12

1 Answer


It is generally used to set routes to the VPN clients.

For instance, I use it to push 0.0.0.0 to one of the computers inside the VPN so all traffic is tunneled through the VPN.

In your case, it would seem that you are pushing a route to the LAN behind the VPN so you end up sending packets to the VPN tunnel endpoint to be forwarded to the LAN.

In which case, I would suggest setting the VPN up using a bridged TAP device, which automatically sets the route to the internal LAN without the need for forwarding or NATing.

  • If I understand this correctly, that method would create a bridge with the OpenVPN tap interface and another one, in this case wlan0 (connected to the Internet), and clients would seem to be physically in the network (192.168.1.0) and could even get IP addresses from the DHCP server, but would this still allow me to access the PC (192.168.0.2)?
    – DaRk_St0rM
    Commented Jun 29, 2016 at 17:50
  • Yes, and they can access you too
    Commented Jul 3, 2016 at 2:17
  • TAP [Layer 2] should only be used in specific instances, with the vast majority requiring only TUN [Layer 3]. The main usage for TAP is transparent bridging between remote subnets, i.e. Router 1 and Router 2 are remotely connected via OpenVPN (the routers themselves, not the devices behind the routers) and the user wants remote devices behind Router 1 and Router 2 to be able to access specific subnets behind each router transparently. This is a rare usage of OpenVPN, with the vast majority of users utilizing TUN.
    – JW0914
    Commented Nov 1, 2019 at 12:20
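The answer and the comments above make two separate points: a pushed `route` only matters when the client is split-tunnelling (its own default route stays in place and only the pushed prefixes go via the tunnel), while `push "redirect-gateway def1"` sends everything through the tunnel, which is why the asker's PC on 192.168.0.0/24 was reachable with no extra route. The following Python script is an added example, not code from the original answer or from OpenVPN itself: it reads a few constructed `server.conf` fragments, derives the routing table the client would end up with, and answers "which gateway does packet X leave through?" with a longest-prefix match, the same decision the client's kernel makes. The client's pre-VPN default gateway (192.168.43.1), the server's public address (203.0.113.10) and the tunnel gateway being 10.8.0.1 (as in the question's traceroute) are all assumptions for the sake of the demonstration.

```python
import ipaddress

# Constructed server.conf fragments (assumed, not the asker's real config).
# The tunnel subnet is the one implied by the question's traceroute (10.8.0.1).
SPLIT_TUNNEL_CONF = """
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
"""
# Same, plus a pushed route for the second LAN the asker mentions.
SPLIT_TUNNEL_BOTH_LANS_CONF = SPLIT_TUNNEL_CONF + 'push "route 192.168.0.0 255.255.255.0"\n'
# Full tunnel: everything goes via the VPN, so per-LAN routes become redundant.
FULL_TUNNEL_CONF = SPLIT_TUNNEL_CONF + 'push "redirect-gateway def1"\n'

VPN_GATEWAY = "10.8.0.1"            # tunnel gateway, assumed from the traceroute
LOCAL_GATEWAY = "192.168.43.1"      # assumed: the client's pre-VPN default gateway
VPN_SERVER_PUBLIC = "203.0.113.10"  # assumed: public address the client dials


def pushed_options(conf):
    """Return the directives the server would push, stripped of push "...". """
    opts = []
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("push "):
            opts.append(line[len("push "):].strip().strip('"'))
    return opts


def client_routes(conf, local_gw=LOCAL_GATEWAY, vpn_gw=VPN_GATEWAY,
                  server_ip=VPN_SERVER_PUBLIC):
    """Build the (network, gateway) table a client ends up with after PUSH_REPLY."""
    # The client keeps its own default route unless redirect-gateway overrides it.
    routes = [(ipaddress.ip_network("0.0.0.0/0"), local_gw)]
    for opt in pushed_options(conf):
        parts = opt.split()
        if parts[0] == "route":
            # "route <network> <netmask>" with no explicit gateway: via the tunnel.
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            routes.append((net, vpn_gw))
        elif parts[0] == "redirect-gateway" and "def1" in parts[1:]:
            # def1: keep a host route to the VPN server via the old gateway so the
            # tunnel's own packets do not loop, then override 0/0 with two /1s
            # (more specific than the existing default, so it need not be deleted).
            routes.append((ipaddress.ip_network(f"{server_ip}/32"), local_gw))
            routes.append((ipaddress.ip_network("0.0.0.0/1"), vpn_gw))
            routes.append((ipaddress.ip_network("128.0.0.0/1"), vpn_gw))
    return routes


def next_hop(conf, dest):
    """Longest-prefix match over the derived table: the gateway dest leaves through."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, gw in client_routes(conf):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1]


if __name__ == "__main__":
    for label, conf in [("split, one LAN", SPLIT_TUNNEL_CONF),
                        ("split, both LANs", SPLIT_TUNNEL_BOTH_LANS_CONF),
                        ("full tunnel", FULL_TUNNEL_CONF)]:
        print(label)
        for dest in ("192.168.1.20", "192.168.0.2", "8.8.8.8", VPN_SERVER_PUBLIC):
            print(f"  {dest:>14} -> {next_hop(conf, dest)}")
```

Two things the output makes visible that the thread only states: with split tunnelling, 192.168.0.2 leaves through the client's own gateway until a second `push "route 192.168.0.0 255.255.255.0"` is added, and with `redirect-gateway def1` it goes via 10.8.0.1 whether or not that route is pushed, except for the VPN server's own address, which must keep using the old gateway. Getting the packet to 192.168.0.2 is only half the job either way: the Pi still needs IP forwarding enabled, and the PC needs a return path (a route back to 10.8.0.0/24 or NAT on the Pi), which is the "forwarding or NATing" the answer refers to.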
