peacey / split-vpn

A split tunnel VPN script for Unifi OS routers (UDM, UXG, UDR) with policy based routing.
GNU General Public License v3.0

Exempt destinations doesn’t work for me. #142

Open nigels0 opened 1 year ago

nigels0 commented 1 year ago

Hi,

My network consists of two UDMPs in two locations running on network 192.168.x.x. I am using split-vpn with OpenVPN to connect my appletv in the remote UDMP to the local one in the U.K. to bypass geofencing.

I have this set up on the remote UDMP in my vpn.config

FORCED_SOURCE_INTERFACE="br31"

my appletv is on the 31 vpn. (on the remote UDMP)

but I want to access local (to my U.K. UDMP, 192.168.5.x) networks without going through the OpenVPN:

# Exempt these destinations from the VPN.
# Format: [IP/nn]
EXEMPT_DESTINATIONS_IPV4="192.168.5.0/24"

When I set this up, I cannot access any networks on the local UDMP. Removing this forces all traffic through the VPN, and I can access the local network (U.K.).

I think I might be misunderstanding how this works, but it isn’t working for me!

peacey commented 1 year ago

Hi @nigels0,

Are you still having issues or have you figured it out? If you're still having issues, please show me your full vpn.conf file. Your exempt setting seems correct and should allow local LAN traffic.

nigels0 commented 1 year ago

Thanks for following this up! Unfortunately I’m not at the location, so I’ll re-check when I’m back

tracestep commented 1 year ago

Yeah, EXEMPT_DESTINATIONS is not working for me either. Mine looks like:

EXEMPT_DESTINATIONS_IPV4="192.168.0.0/16 10.0.0.0/8 172.16.0.0/12"

And I have a single host on FORCED_SOURCE_IPV4:

FORCED_SOURCE_IPV4="192.168.10.104"

iptables --table mangle --list gives out:

...
Chain BIFROST_PREROUTING (1 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK set 0x8
MARK       all  --  anywhere             192.168.10.1         mark match 0x8 MARK and 0x0
MARK       all  --  anywhere             192.168.0.0/16       mark match 0x8 MARK and 0x0
MARK       all  --  anywhere             10.0.0.0/8           mark match 0x8 MARK and 0x0
MARK       all  --  anywhere             172.16.0.0/12        mark match 0x8 MARK and 0x0
MARK       all  --  192.168.10.104       anywhere             MARK set 0x8
...

I don't know much about iptables, but it looks like the FORCED_SOURCE is taking precedence over EXEMPT_DESTINATIONS, right? Should it, though?

EDIT: I am using nexthop on UDMPRO 2.47 2.5.17
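To see what mark a packet leaves the listed BIFROST_PREROUTING chain with, here is an added Python model of that chain as shown above; it is not part of split-vpn. It assumes only what the listing shows (plain `--list` output hides any interface matches, which the real rules may carry), that rules are evaluated top to bottom, and that MARK is non-terminating, so the last matching rule decides; the sample flows are constructed.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# The BIFROST_PREROUTING chain from the comment above, one tuple per rule:
# (source, destination, existing mark required or None, action).
# ("set", v) is "MARK set v"; ("and", v) is "MARK and v".
CHAIN = [
    (ANY, ANY, None, ("set", 0x8)),
    (ANY, ipaddress.ip_network("192.168.10.1/32"), 0x8, ("and", 0x0)),
    (ANY, ipaddress.ip_network("192.168.0.0/16"), 0x8, ("and", 0x0)),
    (ANY, ipaddress.ip_network("10.0.0.0/8"), 0x8, ("and", 0x0)),
    (ANY, ipaddress.ip_network("172.16.0.0/12"), 0x8, ("and", 0x0)),
    (ipaddress.ip_network("192.168.10.104/32"), ANY, None, ("set", 0x8)),
]


def final_mark(src, dst, chain=CHAIN):
    """Walk the chain top to bottom and return the packet's mark on exit.

    MARK is a non-terminating target: every matching rule is applied, so the
    last rule to match decides the mark that policy routing later sees.
    Interface matches are not modelled because `--list` does not show them.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = 0
    for rule_src, rule_dst, need_mark, (op, value) in chain:
        if src not in rule_src or dst not in rule_dst:
            continue
        if need_mark is not None and mark != need_mark:
            continue
        mark = value if op == "set" else mark & value
    return mark


def reordered(chain=CHAIN):
    """Same rules, with the exempt-destination rules placed after the forced-source rule."""
    exempt = [r for r in chain if r[3][0] == "and"]
    return [r for r in chain if r[3][0] != "and"] + exempt


if __name__ == "__main__":
    # Constructed flows: the forced host and another LAN host, each to an
    # exempt LAN destination and to an internet destination.
    for src, dst in [("192.168.10.104", "192.168.0.5"),
                     ("192.168.10.104", "1.1.1.1"),
                     ("192.168.10.50", "192.168.0.5")]:
        print(f"{src} -> {dst}: mark {hex(final_mark(src, dst))} as listed, "
              f"{hex(final_mark(src, dst, reordered()))} reordered")
```

With the listed order, traffic from 192.168.10.104 to an exempt destination exits with mark 0x8 because the forced-source rule matches last; moving the exempt rules below it leaves those flows unmarked while internet-bound flows keep 0x8.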