Short question: How do I force local traffic through the VPN connection?
(Fedora 41 KDE)
Details:
I’m away from home for a few days and need to vpn back in to my home network to access my services. Before I left I exported a profile from my openvpn server (on OPNSense), created/imported the vpn profile via the Network Connections in F41 KDE.
It connects no problem, but I cannot browse the home LAN, ex: “http://192.168.1.155:3000”. It is still browsing the local LAN I am at currently.
I know this means that local traffic is not going through the VPN connection, but I do not see and option for this in the Network Connection setup.
If your home LAN is using the same subnet that the local network is using then there is no way for the networking code to know how to distinguish each subnet.
Since everybody defaults to 182.168.1.0/24 I suspect that is what is happening.
What does ip addr report?
For my home network I use the rarely use private subnet 172.16.0.0/12 block.
So far I have not encounted an issue using wireguard on 172.16.0.0/12 to my home.
As you will see 192.168.0.0/16 is used by default almost everywhere.
Companies almost always use 10.0.0.0/8.
(There are some other blocks, but they are best avoided as well).
I have changed the local network to 10.1.1.1 to eliminate that issue, however it still does not work.
ip addr vpn not connected= 10.1.1.106
ip addr w/vpn connected= 172.16.1.6
When I connect to the vpn on my cellphone it works perfect. I can browse the home LAN and reach my selfhost services. On this fedora laptop I cannot. Both are setup via the same import .ovpn method.
Something is not configuring correctly on the Fedora Network setup…
Edit to add: FYI… The home LAN is on 192.168.1.1 The opnvpn server on OPNsense requires it to be on its own subnet (172.16.1.1). Like I said it works fine on the cellphone…
In opnsense, using “Instances”, setting the “Local Network” to 192.168.1.0/24 should do the job, causing the route be pushed from server to client. With “redirect gateway” you can decide to use the VPN only to reach the remote LAN or direct the whole internet through the VPN.
Just for information: with OpenVPN native or systemd service, so not via NetworkManager,
you can do NAT with the snat or dnat parameters to map the remote network to another IP range, meaning that you can do VPN with equal IP range on both sites.
So in the Network Manager UI when adding a Route the rollover says this:
“IP addresses identify your computer on the network. Click the “Add” button to add an IP address.”
I was adding the IP, but was thinking it was supposed to be the IP I wanted this machine to be. The rollover is very misleading. That was the problem it seems.
@einer Thanks for all the help… @hmmsjan Thanks for the tip, I’ll look into the Instances…
The “legacy” server works in the same way:
“IPvX local networks” are pushed to the client, so the client gets a route into the Pfsense networks.
“IPvX remote networks” are added to the pfsense routes, so the pfsense networks have access to the network local to the client.
Agree about this rollover, it is intended as general explanation of an “IP address”, but it is not your computer’s IP and in this context it is even not an address but a network, depending on the mask’s size.
