Johann Schmitz

A VPN is often used to allow external users to access the internal infrastructure from outside the company network or to restrict access to management features at a remote location.

A common deployment pattern is to use an internal network to separate the VPN clients from the rest of the systems. To have the clients go through the VPN to reach the internal network, we need a static route on the clients. I've written about this topic before (pushing static routes with pfSense and pushing static routes with ISC DHCP server). To reduce the maintenance overhead, we can have the route pushed to the client from the server.

To achieve this, we just have to add a line like this to our /etc/openvpn/openvpn.conf:

push "route 192.168.123.0 255.255.255.0"

This adds a route to the 192.168.123.0/24 network via the host running the OpenVPN server. Make sure to allow forwarding and configure the firewall accordingly.

To push a route for an IPv6 network, use the following syntax:

push "route-ipv6 fe80:1111:2222:3333::/112"
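
Every pushed route decides which internal networks VPN clients are sent to, so it is worth checking the push lines before restarting the server. The following Python check is an added example, not code from the original post or from OpenVPN: the helper name lint_pushed_routes and the sample config are constructed for illustration. It assumes literal addresses (no hostnames) and uses shlex as an approximation of OpenVPN's quoting.

```python
import ipaddress
import shlex

# Constructed sample config for this example (not the post's real file).
SAMPLE_CONF = """\
# constructed /etc/openvpn/openvpn.conf excerpt
push "route 192.168.123.0 255.255.255.0"
push "route 192.168.123.5 255.255.255.0"
push route 10.8.0.0 255.255.255.0
push "route-ipv6 fe80:1111:2222:3333::/112"
"""

def lint_pushed_routes(conf_text):
    """Hypothetical helper: return (routes, problems) for push route lines."""
    routes, problems = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        try:
            # shlex approximates OpenVPN's quoting; '#' starts a comment
            tokens = shlex.split(raw, comments=True)
        except ValueError as exc:
            problems.append((no, f"unparsable line: {exc}"))
            continue
        if not tokens or tokens[0] != "push":
            continue
        if len(tokens) != 2:
            # push accepts one argument, so the pushed option must be quoted
            problems.append((no, "pushed option is not quoted as one argument"))
            continue
        args = tokens[1].split()
        if len(args) < 2 or args[0] not in ("route", "route-ipv6"):
            continue
        try:
            if args[0] == "route":
                # OpenVPN defaults the netmask to 255.255.255.255 (host route)
                mask = args[2] if len(args) > 2 else "255.255.255.255"
                net = ipaddress.IPv4Network(f"{args[1]}/{mask}", strict=True)
            else:
                net = ipaddress.IPv6Network(args[1], strict=True)
        except ValueError as exc:
            # non-contiguous mask, host bits set, or a non-literal address
            problems.append((no, f"bad {args[0]}: {exc}"))
            continue
        routes.append(net)
    return routes, problems

if __name__ == "__main__":
    routes, problems = lint_pushed_routes(SAMPLE_CONF)
    print("clients will be routed to:", [str(n) for n in routes])
    for no, msg in problems:
        print(f"line {no}: {msg}")
```

The returned list of networks is also the list to compare against the forwarding and firewall rules on the VPN host.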