OpenVPN traffic split
Introduction
OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.
This article provides a guide on how to configure an OpenVPN client on a RUTxxx router in such a way that one part of the router's LAN clients reaches the Internet through the OpenVPN server (acting as a web proxy) and the other part reaches the Internet through the router's WAN (mobile, wired or WiFi connection). It should also be noted that this guide is aimed at more advanced users and, therefore, skips some of the more self-explanatory steps in order to preserve the overall coherence of the article. For example, the step-by-step configuration of the OpenVPN client instance is left out and only comments on certain relevant parameters are provided. If you feel this lack of information impedes your ability to configure the setup, we suggest you check out our configuration guides on how to generate TLS certificates and the OpenVPN configuration examples for reference.
Configuration overview and prerequisites
Before we begin, let's overview the configuration that we are attempting to achieve and the prerequisites that make it possible.
Prerequisites:
- A single RUTxxx router (excluding RUT850) with an active internet connection that will act as the OpenVPN client
- At least one end device (PC, laptop) to configure the router and test the setup
Configuration scheme:
The figure above depicts the OpenVPN traffic split scheme. A RUTxxx router acts as an OpenVPN client (virtual IP: 10.0.0.6; P-t-P: 10.0.0.5) that is connected to a remote OpenVPN server. The router's LAN IP addresses range from 192.168.1.1 to 192.168.1.254.
When the scheme is realized, devices in the 192.168.1.1 to 192.168.1.127 IP range reach the Internet via the router's WAN, and devices in the 192.168.1.128 to 192.168.1.254 IP range reach the Internet via the OpenVPN server, effectively "adopting" the server's public IP address.
Router configuration
Most of the router's configuration will be done via a command line interface by executing SSH commands. For the examples provided in this guide, we will be using the Linux Terminal application. This is not the only available method: you can find detailed instructions on all the command line interfaces available in RUTxxx routers here. Choose the one that is available to you or that you prefer; you will still be able to follow the guide step by step regardless of the method, as the commands used remain identical.
OpenVPN client
- First, you must create an OpenVPN client instance on your router. You can do this either via command line or from the router's WebUI, Services → VPN → OpenVPN section. We will not go into further detail on this because the client's configuration will depend on the OpenVPN server that you are connecting to. You can find detailed instructions on how to create and configure an OpenVPN client instance in our OpenVPN configuration examples article, which also contains information on how to configure an OpenVPN server on a RUTxxx router, if that is what you are using for this configuration.
- Once you have configured your OpenVPN client, you should test whether the OpenVPN connection is operational, as this will make troubleshooting easier later on. The easiest way to do so is to log in to the router's WebUI and check the OpenVPN status in Status → Network → OpenVPN:
- If the connection was successful, we can start the traffic split configuration. First, we'll need to add an additional routing table. This can be done by issuing the following command:
echo "5 rt" >> /etc/iproute2/rt_tables
This adds a new routing table called rt. /etc/iproute2/rt_tables is a file used by the iproute2 utilities to translate the user-friendly names given on the command line into the integer values used by the kernel. So the number 5 is simply the identifier by which iproute2 refers to the table (the kernel itself only knows the table by that number).
- Next, we'll need to add some entries to the network configuration file /etc/config/network. You can edit the file with the vi command. Type vi /etc/config/network and press the "I" key on your keyboard to begin editing. Add the following lines:
config interface 'vpnas'
    option proto 'none'
    option ifname 'tun_c_client1'

config route
    option interface 'vpnas'
    option target '0.0.0.0'
    option netmask '0.0.0.0'
    option table 'rt'
    option gateway '10.0.0.5'

config rule
    option in 'lan'
    option src '192.168.1.128/25'
    option lookup 'rt'
    option priority '10'
When you're finished, press the "Esc" button and type :wq to save the changes and exit the editor. The
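To see why the configuration above splits the LAN exactly at 192.168.1.128, the Python below is an added illustration (it is not part of the original article and does not run on the router) that models the two things the guide sets up: the name-to-number mapping in /etc/iproute2/rt_tables, and the policy-routing lookup the kernel performs (rules checked in priority order, then a longest-prefix match in the selected table). The rt_tables content, the routing table entries and the "wan" / "br-lan" device names are constructed sample data; the built-in main-table rule at priority 32766 is the Linux default. The helper add_rt_table is an idempotent stand-in for the guide's echo command, since appending with >> on every run would leave duplicate lines in the file.

```python
import ipaddress

# Constructed sample of /etc/iproute2/rt_tables after the guide's
# 'echo "5 rt" >> /etc/iproute2/rt_tables' has been run once.
RT_TABLES = """\
#
# reserved values
#
255\tlocal
254\tmain
253\tdefault
0\tunspec
5 rt
"""


def parse_rt_tables(text):
    """Return {table name: integer id} as iproute2 reads it (comments ignored)."""
    tables = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        num, name = line.split()
        tables[name] = int(num)
    return tables


def add_rt_table(text, table_id, name):
    """Idempotent equivalent of appending '<id> <name>' to rt_tables.

    Re-running returns the text unchanged; a conflicting id or name raises
    instead of silently leaving two definitions in the file.
    """
    existing = parse_rt_tables(text)
    if existing.get(name) == table_id:
        return text
    if name in existing or table_id in existing.values():
        raise ValueError(f"table id {table_id} or name {name!r} already in use")
    return text.rstrip("\n") + f"\n{table_id}\t{name}\n"


# Policy rules: the guide's 'config rule' plus the kernel's default main lookup.
RULES = [
    {"priority": 10, "in": "lan",
     "src": ipaddress.ip_network("192.168.1.128/25"), "lookup": "rt"},
    {"priority": 32766, "in": None, "src": None, "lookup": "main"},
]

# Routing tables as (destination prefix, gateway, outgoing device); constructed.
TABLES = {
    "main": [
        (ipaddress.ip_network("0.0.0.0/0"), "wan-gateway", "wan"),
        (ipaddress.ip_network("192.168.1.0/24"), None, "br-lan"),
        (ipaddress.ip_network("10.0.0.5/32"), None, "tun_c_client1"),
    ],
    # Table 'rt' holds only the default route from the guide's 'config route'.
    "rt": [
        (ipaddress.ip_network("0.0.0.0/0"), "10.0.0.5", "tun_c_client1"),
    ],
}


def select_table(src_ip, in_iface, rules):
    """First rule (lowest priority number) whose 'in' and 'src' both match wins."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["in"] is not None and rule["in"] != in_iface:
            continue
        if rule["src"] is not None and src_ip not in rule["src"]:
            continue
        return rule["lookup"]
    raise LookupError("no rule matched")


def lookup_route(dst_ip, table):
    """Longest-prefix match within one routing table; None if nothing matches."""
    matches = [r for r in table if dst_ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


def resolve(src, dst, in_iface="lan", rt_tables=RT_TABLES):
    """Return (table name, outgoing device) for a packet src -> dst entering on in_iface."""
    known = parse_rt_tables(rt_tables)
    table = select_table(ipaddress.ip_address(src), in_iface, RULES)
    if table not in known:
        # 'ip rule ... lookup rt' fails if the name is missing from rt_tables.
        raise ValueError(f"table {table!r} is not defined in rt_tables")
    route = lookup_route(ipaddress.ip_address(dst), TABLES[table])
    return table, (route[2] if route else None)


if __name__ == "__main__":
    for client in ("192.168.1.50", "192.168.1.127", "192.168.1.128", "192.168.1.200"):
        print(client, "->", resolve(client, "203.0.113.10"))
```

Clients below .128 fall through to the main table and leave via the WAN; .128 and above select table rt and leave via the tunnel toward the P-t-P address 10.0.0.5, which is exactly the split the configuration scheme describes. The rule also only applies to packets arriving on lan, so the router's own traffic is unaffected.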