openvpn split tunnel

asked 2019-01-22 20:36:02 +0200

jsm

updated 2019-01-23 09:44:31 +0200

jiit

It seems that use of the remote gateway is hardcoded into the internet OpenVPN connection GUI. Why? If I execute openvpn on the CLI on the Jolla C Sailfish 3 without using /usr/lib/connman/scripts/openvpn-script and --route-noexec I get the wanted result, which is a split tunnel to the internet and to my home network via vpn0. I always get a default gw with dev vpn0 with the GUI.

How can I remain using my lte connection directly for non related vpn networks using the VPN GUI?





That's why I use openvpn only on the CLI. Maybe they have fixed this "bug".

FYI: I use up/down scripts (mentioned by openvpn), but this does not work with the gui vpn (see here)

utkiek (2019-01-23 12:27:14 +0200)

The behaviour that you described is probably the desired one - i.e., route _all_ traffic through the VPN, which is extremely useful when you want to protect yourself on an insecure WLAN. The use case that you are describing is for when you want to use services that are not public on the internet, but are available on your own network. I don't think this is a bug - perhaps a feature request to support this option? I am assuming that your ovpn server config doesn't push a route and yet SFOS decides to set it as a default gateway? If this is the case, why do you need to use --route-noexec in the init script?

gabriel (2019-01-23 14:35:30 +0200)

Yeah, I'm aware of the common use case. It should have said without using /usr/lib/connman/scripts/openvpn-script and without using --route-noexec. Yes, it is a feature request, but I think that the ones using the VPN as def remote gateway should just configure their VPN to send the def route. I cannot see why this should be (hard?)coded this way.

jsm (2019-01-23 17:56:31 +0200)

2 Answers

answered 2019-01-25 07:31:50 +0200

melg01

updated 2019-01-25 07:40:22 +0200

It's a perfectly valid request. Split VPN - or individually targeted routing - can be desirable in some situations, even from a business perspective. Let me point you to three typical use cases that may arise when working remotely, e.g. at home office or as a consultant or technician at the site of your client, connected simultaneously to two networks:

  • privacy: you don't want your private internet traffic going through your employer's network while you're accessing the business resources. This is valid from the employer's point of view as well: he has no log files of what else you do; it's none of his business.
  • access to local resources: you need to use IP resources which are on another network, e.g. your network printer at home or some storage.
  • You set up a VPN tunnel between two partners and want to specify the different routing possibilities.

Of course, there are serious security issues to this kind of setup with split-vpn, and I'd probably not allow it in my business. But as a request and sometimes even need, it can make sense.


answered 2019-01-24 21:43:40 +0200

dominican

That's not a bug. When Sailfish routes all the traffic through the VPN, it's protecting you from an insecure WLAN connection, and that's something that I personally love about Sailfish OS X. Maybe, as @gabriel says, you must request a new feature from Jolla.


I never marked it as a bug, but as a feature request :-)

jsm (2019-01-24 21:53:37 +0200)

certainly :)

dominican (2019-01-24 22:05:33 +0200)

hm hint for all surveillance guys: use ipv6 in WIFI spots! Happy side routing! (yes, there is another ip protocol and it is ignored by tunnel builders - even Jolla)

cy8aer (2019-01-25 10:38:55 +0200)

You only have to block the ipv6 protocol using the iptables :)

dominican (2019-01-25 17:42:49 +0200)

Nope you have to implement v6 - on both sides

cy8aer (2019-01-26 17:28:59 +0200)
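
Added example, not part of the thread and not Sailfish OS or connman code: a shell check for the two routing states discussed above (default route on vpn0 versus split tunnel) and for an IPv6 default route that stays outside the VPN interface. The interface name vpn0 is from the question; rmnet_data0, wlan0 and all addresses are constructed, and treating OpenVPN's `redirect-gateway def1` half-routes as a full tunnel is an assumption that goes beyond the case in the question.

```shell
#!/bin/sh
# Added example. Classifies routing tables given in `ip route show` format.
VPN_DEV="${VPN_DEV:-vpn0}"   # interface name from the question

# tunnel_mode: IPv4 routes on stdin -> "full", "split" or "none".
tunnel_mode() {
    awk -v dev="$VPN_DEV" '
        {
            is_vpn = 0
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) == dev) is_vpn = 1
            if (!is_vpn) next
            seen = 1
            # Assumption: either half of the 0.0.0.0/1 + 128.0.0.0/1 pair that
            # OpenVPN "redirect-gateway def1" installs counts as a full tunnel.
            if ($1 == "default" || $1 == "0.0.0.0/0" ||
                $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") full = 1
        }
        END { print (full ? "full" : (seen ? "split" : "none")) }'
}

# ipv6_bypass: IPv6 routes on stdin -> devices holding a default route
# that is not on the VPN interface (traffic there never enters the tunnel).
ipv6_bypass() {
    awk -v dev="$VPN_DEV" '
        $1 == "default" || $1 == "::/0" {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) != dev) print $(i + 1)
        }'
}

# Constructed sample tables, not captured from a real device.
SAMPLE_FULL='default dev vpn0 scope global
10.8.0.0/24 dev vpn0 proto kernel scope link src 10.8.0.6
10.64.0.0/16 dev rmnet_data0 proto kernel scope link src 10.64.12.7'
SAMPLE_SPLIT='default via 10.64.0.1 dev rmnet_data0
10.8.0.0/24 dev vpn0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 via 10.8.0.1 dev vpn0'
SAMPLE_V6='default via fe80::1 dev wlan0 proto ra metric 1024
fe80::/64 dev wlan0 proto kernel metric 256'

printf 'GUI-style table:  %s\n' "$(printf '%s\n' "$SAMPLE_FULL" | tunnel_mode)"
printf 'CLI-style table:  %s\n' "$(printf '%s\n' "$SAMPLE_SPLIT" | tunnel_mode)"
printf 'IPv6 default outside %s: %s\n' "$VPN_DEV" "$(printf '%s\n' "$SAMPLE_V6" | ipv6_bypass)"
```

On a device, the same functions take live data: `ip -4 route show | tunnel_mode` and `ip -6 route show | ipv6_bypass`.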
Asked: 2019-01-22 20:36:02 +0200

Seen: 288 times

Last updated: Jan 25