Dear Teltonika Community,
I need help configuring OpenVPN on my RUTX12 with the following setup:
- OpenVPN clients should connect to the server via the device’s external Ethernet IP (e.g., `11.11.11.11` static).
- Connected clients should route their internet traffic through different mobile interfaces:
  - **Client openvpn 1** → Use Mobile Internet 1 (IP: `12.12.12.12`)
  - Client openvpn 2 → Use Mobile Internet 2 (IP: `13.13.13.13`)
How can I achieve this split routing? Are there specific firewall rules, OpenVPN server settings, or policy-based routing configurations required?
Thank you in advance for your support!
Hello,
I believe your described setup can be achieved using policy-based routing. This allows you to route traffic from different OpenVPN client IPs through specific WAN interfaces based on defined rules.
More information and guidance on policy-based routing can be found in the wiki documentation here:
Additionally, similar setups and discussions were covered on the forum, which may offer helpful insights:
Let us know if further assistance with creating rules is needed.
Best regards,
server openvpn
```
tls-server
auth sha256
cipher AES-256-CBC
dev tun_s_b1
keepalive 10 120
mode server
port 1194
proto udp
push "dhcp-option DNS 8.8.8.8"
push "route-gateway 10.8.0.1"
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
resolv-retry infinite
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
script-security 2
verb 5
```
client b1_client_1
```
client
tls-client
auth sha256
cipher AES-256-CBC
dev tun_s_b1
keepalive 10 120
port 1194
proto udp
remote "this is static ip internet provider"
nobind
script-security 2
verb 5
```
static virtual ip
```
root@RUTX09:~# cd /etc/openvpn/ccd/
root@RUTX09:/tmp/etc/openvpn-ccd# cat b1_client_1
ifconfig-push 10.8.0.10 255.255.255.0
root@RUTX09:/tmp/etc/openvpn-ccd#
```
police
routing rule
If I add `push "redirect-gateway def1 bypass-dhcp"` to the OpenVPN server config, clients get internet access but only through Ethernet (static IP), not through the mobile interface.
If I delete this line, clients lose internet access completely.
I need clients to:
- Connect to VPN server via Ethernet (provider’s static IP)
- Have their internet traffic routed through the mobile interface
Hello,
At first glance, the created static route is a bit incorrect:
- For interface, the VPN client’s interface should be selected;
- For target and netmask – `0.0.0.0`;
- Gateway should be the mobile WAN IP.
Then, in the routing rule:
- The incoming interface is the logical interface where the client resides;
- Outgoing interface – leave empty;
- Source subnet – specify the IP address of the VPN client;
- Destination subnet – can be left empty;
- Lookup Table – ID of routing table (`1`), correct.
Check these points and let me know how it goes.
Best regards,
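
The per-client route and routing rule from this reply, written as plain Linux `ip`/`iptables` commands in an added example that is not part of the thread or of Teltonika's documentation. It is a dry run that only prints the commands, uses a device route instead of a gateway IP, and adds an `unreachable` fallback so a client cannot silently egress through Ethernet when its mobile link is down. Assumed names: mobile devices `wwan0`/`wwan1`, second client `b1_client_2` at `10.8.0.11`, table `2`.

```shell
#!/bin/sh
# Added example: prints the commands for review, does not execute them.
# Assumptions (not from the thread): wwan0/wwan1, b1_client_2, 10.8.0.11, table 2.

VPN_NET_PREFIX="10.8.0."   # from "server 10.8.0.0 255.255.255.0" on the page

# emit_client_policy CN VPN_IP TABLE_ID WAN_DEV
emit_client_policy() {
    cn=$1; ip=$2; table=$3; wan=$4
    host=${ip#"$VPN_NET_PREFIX"}

    # The source-based rule is only trustworthy if the address is inside the
    # VPN subnet and is not the server (.1), network (.0) or broadcast (.255).
    case $ip in "$VPN_NET_PREFIX"*) ;; *) echo "bad ip: $ip" >&2; return 1 ;; esac
    case $host in ''|*[!0-9]*) echo "bad ip: $ip" >&2; return 1 ;; esac
    [ "$host" -ge 2 ] && [ "$host" -le 254 ] || { echo "bad ip: $ip" >&2; return 1; }

    # Table 0 is unspec; 253, 254 and 255 are default, main and local.
    case $table in ''|*[!0-9]*) echo "bad table: $table" >&2; return 1 ;; esac
    [ "$table" -ge 1 ] && [ "$table" -le 252 ] || { echo "bad table: $table" >&2; return 1; }

    cat <<EOF
# $cn: pin the VPN address (contents of /etc/openvpn/ccd/$cn)
ifconfig-push $ip 255.255.255.0
# $cn: traffic sourced from the pinned address consults table $table first
ip rule add from $ip/32 lookup $table priority $((1000 + table))
# default route out of the mobile device; no gateway IP to go stale
ip route add default dev $wan table $table
# fail closed: if the route above disappears, reject instead of using main
ip route add unreachable default table $table metric 1000
# source NAT to whatever address the mobile link currently holds
iptables -t nat -A POSTROUTING -s $ip/32 -o $wan -j MASQUERADE
EOF
}

emit_client_policy b1_client_1 10.8.0.10 1 wwan0
emit_client_policy b1_client_2 10.8.0.11 2 wwan1
```

On RutOS the same rules would normally be entered through the WebUI or UCI so they persist across reboots and interface restarts; the printed commands show what those settings need to amount to.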
At the moment, I’m testing on a local machine.
The VPN is working well, but the client can’t get a mobile IP for the internet connection.
Same result.
I tried every possible combination with the interface.
Same result.
And the mobile IP is dynamic.
My task requires connecting from a static Ethernet IP, then obtaining the client’s mobile IP. It could also be something like a proxy server with login authentication, but I would still face the same problem.