Hi,
I've created a local bridge on Ubuntu using these sites as a guide:
http://blog.lincoln.hk/blog/2013/03/19/ ... er-on-vps/
http://blog.lincoln.hk/blog/2013/05/17/ ... al-bridge/
When I connect from Android using VPN Client Pro over SSTP the VPN connects fine, but all Internet is routed through SE too.
I think it's the nat tables, but when they weren't there there was no Internet at all.
iptables -t nat -A POSTROUTING -s 192.168.30.0/24 -j SNAT --to-source 192.168.0.1
apt-get install -y iptables-persistent
How can I allow VPN clients to connect, but not route Internet through SE and only use their local network for Internet?
Cheers
Internet through SE
-
- Posts: 4
- Joined: Thu Jan 17, 2019 10:30 am
Re: Internet through SE
Hi, what you are trying to achieve is called "split tunneling". There's already a good guide on how to implement it on the forum:
viewtopic.php?f=7&t=59975&p=77412&hilit ... ide#p77412
cheers
-
- Posts: 10
- Joined: Sun Aug 05, 2018 11:38 am
Re: Internet through SE
Thanks. That's Windows focussed, whereas I'm using Ubuntu.
I'll see if I can find any posts specific to Ubuntu / Linux and split tunnelling.
Cheers
-
- Posts: 2300
- Joined: Mon Feb 24, 2014 11:03 am
Re: Internet through SE
You can use the static route pushing feature.
This is the description of the PUSHROUTE option of the dhcpset command of vpncmd.
Specify the static routing table to push.
Example: "192.168.5.0/255.255.255.0/192.168.4.254, 10.0.0.0/255.0.0.0/192.168.4.253"
Split multiple entries (maximum: 64 entries) by comma or space characters. Each entry must be specified
in the "IP network address/subnet mask/gateway IP address" format.
This Virtual DHCP Server can push the classless static routes (RFC 3442) with DHCP reply messages to
VPN clients.
Whether or not a VPN client can recognize the classless static routes (RFC 3442) depends on the target
VPN client software. SoftEther VPN Client and OpenVPN Client are supporting the classless static
routes. On L2TP/IPsec and MS-SSTP protocols, the compatibility depends on the implementation of the
client software. You can realize the split tunneling if you clear the default gateway field on the
Virtual DHCP Server options. On the client side, L2TP/IPsec and MS-SSTP clients need to be configured
not to set up the default gateway for the split tunneling usage.
You can also push the classless static routes (RFC 3442) by your existing external DHCP server. In that
case, disable the Virtual DHCP Server function on SecureNAT, and you need not to set up the classless
routes on this command.
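Added example, not part of any post in this thread and not SoftEther code: a Python sketch that parses a PUSHROUTE string in the "network/mask/gateway" format quoted above, validates it, and encodes it as the RFC 3442 option 121 payload that a DHCP server sends to clients. The function names are hypothetical, and refusing a pushed 0.0.0.0/0 route is a policy choice of this example, made because such a route would send all client traffic through the tunnel again.

```python
import ipaddress
import re

MAX_ENTRIES = 64  # limit stated in the vpncmd help text


def parse_pushroute(spec):
    """Parse 'network/mask/gateway' entries split by commas or spaces."""
    entries = [e for e in re.split(r"[,\s]+", spec.strip()) if e]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries, maximum is {MAX_ENTRIES}")
    routes = []
    for entry in entries:
        parts = entry.split("/")
        if len(parts) != 3:
            raise ValueError(f"{entry!r}: expected network/mask/gateway")
        # strict=True rejects host bits set in the network address;
        # non-contiguous masks are rejected by the ipaddress module.
        net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=True)
        if str(net.netmask) != parts[1]:
            # Refuse prefix-length or wildcard (host mask) notation.
            raise ValueError(f"{entry!r}: mask must be a dotted subnet mask")
        gw = ipaddress.IPv4Address(parts[2])
        if net.prefixlen == 0:
            # Policy of this example: a default route undoes the split.
            raise ValueError(f"{entry!r}: default route defeats split tunneling")
        routes.append((net, gw))
    return routes


def encode_option_121(routes):
    """RFC 3442 payload per route: prefix length, significant octets, router."""
    out = bytearray()
    for net, gw in routes:
        significant = (net.prefixlen + 7) // 8  # octets needed for the prefix
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += gw.packed
    return bytes(out)


if __name__ == "__main__":
    # The example string from the help text quoted above.
    sample = ("192.168.5.0/255.255.255.0/192.168.4.254, "
              "10.0.0.0/255.0.0.0/192.168.4.253")
    parsed = parse_pushroute(sample)
    for net, gw in parsed:
        print(f"{net} via {gw}")
    print(encode_option_121(parsed).hex())
```
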
-
- Posts: 10
- Joined: Sun Aug 05, 2018 11:38 am
Re: Internet through SE
Thanks. Will check it out. I've not got round to sorting it yet, but that will help.
That said, I am using DNSMASQ for the DHCP element so would it work the same way as you suggest, or do I need to use DNSMASQ and PUSHROUTE together?