When setting up an OpenVPN server for internal network access, you often need to provide selective routing rather than full tunnel access. The scenario typically involves:
- Main corporate LAN: 192.168.1.0/24
- VPN subnet: 192.168.100.0/24
- Goal: Allow VPN clients to access only the corporate LAN while excluding internet traffic routing
Here's the proper server-side configuration (typically in /etc/openvpn/server.conf):
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 192.168.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
# No "route 192.168.1.0 255.255.255.0" here: the server sits on that LAN and
# already has a connected route to it. A server-side "route" is only for a
# subnet that lives behind a client (paired with "iroute" in that client's ccd file).
client-config-dir ccd
keepalive 10 120
# OpenVPN 2.5+ negotiates the data channel cipher via data-ciphers (AES-256-GCM
# by default); "cipher" is only the legacy fallback for old clients.
cipher AES-256-CBC
# Compression on an encrypted channel leaks plaintext (VORACLE); current
# OpenVPN releases discourage it, so leave these disabled.
;compress lz4-v2
;push "compress lz4-v2"
persist-key
persist-tun
status openvpn-status.log
verb 3
Two things handle the selective routing: one directive that must be present and one that must stay absent:
# Push the LAN route to clients; without it they have no path into 192.168.1.0/24
push "route 192.168.1.0 255.255.255.0"
# Do NOT push the default gateway. This line is deliberately commented out:
# "redirect-gateway" would make the VPN server every client's default route.
;push "redirect-gateway def1 bypass-dhcp"
# A server-side "route" directive is only needed for a subnet that sits behind a
# client (paired with "iroute" in that client's ccd file). The corporate LAN here
# is directly attached to the server, so none is needed.
Keep in mind that pushed routes are advice, not a control: a client can ignore or replace them. What a VPN client may actually reach has to be enforced by forwarding rules on the server.
For per-client customization, use the client configuration directory (ccd). Each file is named after the Common Name of the client's certificate, and its directives apply only to that client:
# Example: /etc/openvpn/ccd/client1 (file name must match the certificate CN)
# Fixed address. With "topology net30" (still the default in OpenVPN 2.x) the
# second value is the server-side endpoint of the client's /30, so valid pairs
# are .5/.6, .9/.10, .13/.14 and so on; with "topology subnet" it is the netmask instead.
ifconfig-push 192.168.100.5 192.168.100.6
# Only if client1 fronts a network of its own: declare that network with
# "route" in server.conf and "iroute" here. The corporate LAN is reached
# through the server, not through client1, so this stays disabled in this scenario.
;iroute 192.168.1.0 255.255.255.0
# An extra route for this client only (a /25 inside the corporate LAN). It is
# redundant while the whole /24 is pushed to everyone; it becomes useful when
# the global push is narrower than what this client needs.
push "route 192.168.1.128 255.255.255.128"
After connecting, check routes on client machine:
# Windows:
route print
# Linux:
ip route show
You should see the pushed 192.168.1.0/24 route via the tun interface while the default route still points at the client's local gateway. A pair of routes for 0.0.0.0/1 and 128.0.0.0/1 via the tunnel means a redirect-gateway is in effect and the setup is not selective.
Two directives that often get pasted into server.conf under the heading of "security" do the opposite and should stay out of this configuration:
# Lets VPN clients reach each other through the server. Keep it off unless
# clients genuinely need to talk to one another.
;client-to-client
# Lets several clients connect with the same certificate. It removes
# per-client accountability and breaks per-client ccd policy; issue one
# certificate per client instead.
;duplicate-cn
What does belong here is pushing the internal DNS server and search domain, so clients resolve corporate names without sending all of their traffic through the tunnel:
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN corp.example.com"
On any internet-facing server, control-channel protection (tls-auth or tls-crypt) belongs in server.conf as well, so that unauthenticated packets never reach the TLS handshake.
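A quick way to check an existing server.conf against the two preceding points (the routing directives that must be present or absent, and the directives that weaken the setup) is to audit it before reloading the service. The script below is an added example, not code from the original page or from the OpenVPN project; the two sample configs it writes are constructed for the demonstration, and the checks it performs are the ones discussed above, nothing more.

```shell
#!/bin/sh
# Added example, not code from the original page: audit an OpenVPN server.conf
# for the points made above: the LAN route is pushed, no default-gateway
# redirect is active, and the directives that widen exposure (client-to-client,
# duplicate-cn, compression) are absent. Full-line comments (';' or '#') are
# ignored, so a directive that is commented out counts as absent.
# Usage: audit_server_conf /etc/openvpn/server.conf ["lan-net netmask"]
# Exit status 0 = clean, 1 = at least one finding (each is printed).

conf_has() { printf '%s\n' "$2" | grep -Eq "$1"; }   # $1 = pattern, $2 = text

audit_server_conf() {
    conf="$1"
    lan="${2:-192.168.1.0 255.255.255.0}"
    findings=0
    # Drop comment and blank lines, normalise whitespace.
    active=$(sed -e '/^[[:space:]]*[;#]/d' -e '/^[[:space:]]*$/d' \
                 -e 's/[[:blank:]][[:blank:]]*/ /g' -e 's/^ //' "$conf")

    conf_has "^push \"route $lan\"" "$active" \
        || { echo "FAIL: no push \"route $lan\"; clients cannot reach the LAN"; findings=1; }
    conf_has '^push "redirect-gateway' "$active" \
        && { echo "FAIL: redirect-gateway is pushed; the server becomes the default gateway"; findings=1; }
    conf_has '^client-to-client' "$active" \
        && { echo "WARN: client-to-client lets VPN clients talk to each other"; findings=1; }
    conf_has '^duplicate-cn' "$active" \
        && { echo "WARN: duplicate-cn allows shared certificates; per-client ccd policy breaks"; findings=1; }
    conf_has '^(compress|comp-lzo|push "compress)' "$active" \
        && { echo "WARN: compression is enabled on the tunnel"; findings=1; }
    conf_has '^(tls-auth|tls-crypt)' "$active" \
        || { echo "WARN: no tls-auth/tls-crypt; unauthenticated packets reach the TLS handshake"; findings=1; }
    return $findings
}

# Constructed sample configs (not real deployments) for the demonstration.
GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
port 1194
proto udp
dev tun
server 192.168.100.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
;push "redirect-gateway def1 bypass-dhcp"
tls-crypt ta.key
push "dhcp-option DNS 192.168.1.1"
EOF

WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
port 1194
proto udp
dev tun
server 192.168.100.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
client-to-client
duplicate-cn
compress lz4-v2
push "compress lz4-v2"
EOF

for f in "$GOOD_CONF" "$WEAK_CONF"; do
    echo "== $f"
    audit_server_conf "$f" || echo "-> findings present, fix before reloading"
done
```

The audit only sees full-line comments; a directive disabled by a trailing comment on the same line would still be counted as active, which errs on the side of reporting.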
When setting up an OpenVPN server for selective network access, many administrators need to provide access to specific LAN subnets while preventing VPN clients from routing all traffic through the VPN tunnel. This is particularly important when:
- Providing access to internal resources without becoming the client's default gateway
- Maintaining local internet connectivity for remote users
- Reducing bandwidth usage on the VPN server
The key configuration directives in your OpenVPN server config file (server.conf or equivalent) should look like this:
# Basic server configuration
port 1194
proto udp
dev tun
server 192.168.100.0 255.255.255.0
# Routing: push only the LAN route, never a default gateway.
push "route 192.168.1.0 255.255.255.0"
# Optional. route-metric sets the metric of the pushed route; it decides which
# route wins when a remote user's home network also uses 192.168.1.0/24. A
# high value like 1001 lets the local network win, a low one lets the VPN win.
push "route-metric 1001"
For more granular control, consider these additional directives:
# The two net_gateway routes below do not "prevent" a redirect; the only way to
# avoid one is not to push redirect-gateway at all. They are a workaround for
# clients whose own config contains "redirect-gateway" (they claim 0.0.0.0/1
# and 128.0.0.0/1 for the client's local gateway) and they collide with the
# identical prefixes that "def1" installs, so the result depends on the client
# OS and metrics. On OpenVPN 2.4+ clients, pull-filter ignore "redirect-gateway"
# is the clean alternative. Shown disabled because the pattern circulates widely.
;push "route 0.0.0.0 128.0.0.0 net_gateway"
;push "route 128.0.0.0 128.0.0.0 net_gateway"
# Optional: client-specific rules
client-config-dir /etc/openvpn/ccd
While server-side configuration is preferred, a client can enforce this behaviour itself:
# In client.ovpn or equivalent
# route-nopull discards every pushed route, and also pushed dhcp-options such
# as DNS servers, so anything the client needs from the server must be
# restated locally. On OpenVPN 2.4+, pull-filter ignore "redirect-gateway"
# drops only the redirect and keeps the other pushed options.
route-nopull
route 192.168.1.0 255.255.255.0 vpn_gateway
After implementation, verify with:
# On Linux/macOS clients:
ip route show
netstat -rn
# On Windows clients:
route print
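Both verification steps (the "check routes on the client machine" step in the first half of this page and the one here) boil down to the same test on the routing table, which is worth scripting so the result is a yes or no rather than a visual scan. The script below is an added example, not code from the original page or from the OpenVPN project; it parses the text output of ip route show on a Linux client, and the two sample tables are constructed, not captured from a real host. The interface name tun0 and the LAN prefix are parameters with assumed defaults.

```shell
#!/bin/sh
# Added example, not code from the original page: check the output of
# "ip route show" on a Linux client for the state described above. The
# pushed LAN route must point at the tun device, and nothing that makes the
# tunnel the default path may be present: neither a "default" route via tun
# nor the 0.0.0.0/1 + 128.0.0.0/1 pair that "redirect-gateway def1" installs.
# (On Windows, look for the same 0.0.0.0/128.0.0.0 entries in "route print".)
# Usage: ip route show | check_routes_stdin 192.168.1.0/24 tun0
# Returns 0 when the table looks right, 1 otherwise; each finding is printed.

check_routes() {
    routes="$1"                     # routing table text
    lan="${2:-192.168.1.0/24}"      # prefix the server pushes (assumed default)
    tun="${3:-tun0}"                # OpenVPN interface on the client (assumed default)
    status=0

    if printf '%s\n' "$routes" | grep -Eq "^$lan .*dev $tun( |$)"; then
        echo "ok: $lan is routed via $tun"
    else
        echo "FAIL: no route for $lan via $tun (push \"route\" missing or not applied)"
        status=1
    fi
    if printf '%s\n' "$routes" | grep -Eq "^(0\.0\.0\.0/1|128\.0\.0\.0/1) .*dev $tun( |$)"; then
        echo "FAIL: redirect-gateway def1 routes present on $tun (full tunnel)"
        status=1
    fi
    if printf '%s\n' "$routes" | grep -Eq "^default .*dev $tun( |$)"; then
        echo "FAIL: default route goes via $tun"
        status=1
    fi
    return $status
}

# Live use: ip route show | check_routes_stdin <lan-prefix> [tun-iface]
check_routes_stdin() { check_routes "$(cat)" "$@"; }

# Constructed sample tables (not captured from a real host).
GOOD_TABLE='default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.23
192.168.1.0/24 via 192.168.100.1 dev tun0
192.168.100.0/24 dev tun0 proto kernel scope link src 192.168.100.6'

BAD_TABLE='0.0.0.0/1 via 192.168.100.1 dev tun0
default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.23
128.0.0.0/1 via 192.168.100.1 dev tun0
192.168.1.0/24 via 192.168.100.1 dev tun0
192.168.100.0/24 dev tun0 proto kernel scope link src 192.168.100.6'

echo "-- expected good:"
check_routes "$GOOD_TABLE" 192.168.1.0/24 tun0 || echo "selective routing NOT in effect"
echo "-- expected bad (def1 routes present):"
check_routes "$BAD_TABLE" 192.168.1.0/24 tun0 || echo "selective routing NOT in effect"
```

The second table is what a client looks like after a redirect-gateway def1 push: the original default route is untouched, which is why looking only for "default" is not enough and the two /1 prefixes have to be checked as well.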
Watch for these potential problems:
- Firewall rules on the server (or on LAN hosts) that drop traffic from the VPN subnet 192.168.100.0/24; the server's FORWARD chain must allow tun-to-LAN traffic and the replies, and IP forwarding (net.ipv4.ip_forward=1) must be enabled
- Missing return path: LAN hosts must either reach 192.168.100.0/24 through a route on the LAN gateway pointing at the VPN server, or the server must masquerade (NAT) VPN clients behind its own LAN address
- Route metric conflicts, typically when a remote user's home network also uses 192.168.1.0/24 and the local route outranks the pushed one
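The first two items in that list are fixed on the server, and the same rules are also what turns the pushed routes from advice into an enforced boundary: a client that ignores them still cannot forward anywhere except the LAN. The script below is an added example, not code from the original page or from the OpenVPN project. It prints the Linux commands for forwarding, the FORWARD rules, and either NAT or the return-route reminder, and runs them only when APPLY=1 is set and it is executed as root. Interface names (eth0, tun0), the subnets and the choice of iptables with the conntrack match are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: print (or, with APPLY=1,
# run as root) the Linux server-side plumbing the troubleshooting list refers
# to. Pushed routes only tell clients where to send packets; what they can
# actually reach is decided by forwarding rules on the server.
# Interface names, subnets and the use of iptables are assumptions.
# Usage: vpn_plumbing nat|route [vpn-subnet] [lan-iface] [tun-iface] [lan-subnet]

emit() {
    echo "$1"
    [ "${APPLY:-0}" = 1 ] && $1
    return 0
}

vpn_plumbing() {
    mode="$1"
    vpn_net="${2:-192.168.100.0/24}"
    lan_if="${3:-eth0}"
    tun_if="${4:-tun0}"
    lan_net="${5:-192.168.1.0/24}"

    case "$mode" in
        nat|route) ;;
        *) echo "usage: vpn_plumbing nat|route [vpn-subnet] [lan-iface] [tun-iface] [lan-subnet]" >&2; return 2 ;;
    esac

    # Without forwarding the kernel silently drops everything arriving on tun.
    emit "sysctl -w net.ipv4.ip_forward=1"
    # Allow VPN clients into the LAN and let the replies come back.
    emit "iptables -A FORWARD -i $tun_if -o $lan_if -s $vpn_net -d $lan_net -j ACCEPT"
    emit "iptables -A FORWARD -i $lan_if -o $tun_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Everything else from the tunnel (other subnets, the internet) is dropped,
    # so a client that ignores the pushed routes still gets nothing extra.
    emit "iptables -A FORWARD -i $tun_if -j DROP"

    if [ "$mode" = nat ]; then
        # Hide VPN clients behind the server's LAN address. LAN hosts then need
        # no knowledge of the VPN subnet, at the cost of losing the client's
        # real address in LAN-side logs.
        emit "iptables -t nat -A POSTROUTING -s $vpn_net -o $lan_if -j MASQUERADE"
    else
        # No NAT: the LAN gateway must know the way back to the VPN subnet.
        echo "# on the LAN router: ip route add $vpn_net via <this server's LAN address>"
    fi
}

vpn_plumbing nat          # dry run: prints the commands without applying them
```

Prefer the route mode where you control the LAN gateway: LAN-side logs and host firewalls then see the client's real 192.168.100.x address, which is what per-client ccd addressing was set up for in the first place.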