Configuring "split tunnel", i.e. only routing certain traffic over the VPN can be configured. It consists of three parts, although some may not be required for your particular setup:
NOTE: if there are no internal-only DNS entries to resolve, you SHOULD NOT
push DNS servers to the client. If there are, then make sure to also specify
dnsDomainSearch. In addition, make sure they are also
included in the
We have an organization
example.local that has two IP ranges,
10.43.43.0/24 that clients need access to from home. The internal DNS
10.1.1.1/32 is responsible for resolving the
domain for internal servers. Only traffic to these IP ranges and the DNS server
should be allowed from the VPN server.
office profile in
'vpnProfiles' => [ 'office' => [ 'profileNumber' => 1, 'displayName' => 'Office', // issued to VPN clients 'range' => '10.0.0.0/24', 'range6' => 'fd00::/64', // hostname VPN clients will connect to 'hostName' => 'office.example.org', ... ... // push the routes to the client, *including* the DNS IP 'routes' => ['10.42.42.0/24', '10.43.43.0/24', '10.1.1.1/32'], // push the local DNS to the clients as well 'dns' => ['10.1.1.1'], // Connection-specific DNS Suffix 'dnsDomain' => 'example.local', // Connection-specific DNS Suffix Search List 'dnsDomainSearch' => ['example.local', 'foo.example.local', 'bar.example.local'], ], ],
Take special note of the
options. See PROFILE_CONFIG for other configuration
options that may be relevant for your situation.
To apply the configuration changes:
$ sudo vpn-maint-apply-changes
If the command is not available, install the
vpn-maint-scripts package first.
Restricting network access for VPN clients is already documented in
FIREWALL.md, but just to be complete,
the (FORWARD) configuration of the firewall would be like this, assuming
is the interface connecting to your local network from your VPN server:
-A FORWARD -i tun+ -o eth0 -d 10.42.42.0/24 -j ACCEPT -A FORWARD -i tun+ -o eth0 -d 10.43.43.0/24 -j ACCEPT -A FORWARD -i tun+ -o eth0 -d 10.1.1.1/32 -j ACCEPT -A FORWARD -i eth0 -o tun+ -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited
NOTE: restart the firewall after making modifications!
NOTE: for IPv6 routes it works exactly the same.