Split Tunneling Using OpenVPN

While working with a client, we needed to be connected to the VPN all the time. That is when we noticed there was always a delay in response when browsing the internet on my system, because all the traffic was going through a VPN tunnel to a VPN server located in a distant region, and this was the case for every employee working for that client. So, what is the solution if you are a cost-conscious company that wants minimal use of resources and better overall network performance? You do split tunneling, which we will discuss in this blog, along with how you can achieve it.

What is Split tunneling?

Split Tunneling is a powerful feature in OpenVPN that allows clients to decide which traffic should be sent through the VPN tunnel and which traffic should be sent directly to the Internet. This means that the client can choose to route only specific traffic through the VPN, such as traffic destined for a corporate network, while allowing other traffic to bypass the VPN. This can be useful for increasing the speed and reliability of internet access for certain types of traffic, and for conserving bandwidth on the VPN server.

Why Split tunneling?

In a traditional VPN setup, all traffic from a client’s device is routed through the VPN tunnel, regardless of its destination. This can result in slow internet speeds, especially when the VPN server is located far away from the client. It can also lead to increased latency and packet loss, which can negatively impact the user experience.

Split Tunneling addresses these issues by allowing the client to selectively choose which traffic should be routed through the VPN tunnel, and which traffic should be sent directly to the Internet. This can be done using a variety of methods, such as by specifying a list of IP addresses or domains that should be routed through the VPN, or by using routing rules to determine which traffic should be sent through the VPN based on its destination.

One of the primary benefits of Split Tunneling is that it can greatly improve the speed and reliability of internet access for the client. By allowing certain types of traffic to bypass the VPN tunnel, such as traffic destined for local resources or for popular websites, the client can experience faster page load times and fewer connection issues. This can be especially beneficial for users who need to access cloud-based applications or services that are hosted on servers located in different regions.

Another benefit of Split Tunneling is that it can help to conserve bandwidth on the VPN server. By allowing certain types of traffic to bypass the VPN tunnel, the amount of data that needs to be routed through the VPN is reduced, which can help to reduce the load on the VPN server and improve overall performance. This can be especially useful for VPN providers that are operating on a limited budget, or for organizations that have a large number of remote users accessing the VPN simultaneously.

Possible risks of split tunneling?

However, split tunneling can also raise security concerns, because it makes it more difficult to secure all the traffic going in and out of the client device. It’s important to have a clearly defined set of rules on what traffic should be routed through the VPN, and strict monitoring of traffic bypassing the VPN, to avoid any potential data leak or malicious activity.

Overall, Split Tunneling is a powerful feature in OpenVPN that can greatly improve the user experience and performance of a VPN connection, while also helping to conserve bandwidth on the VPN server. It’s an important aspect to consider when setting up a VPN solution for an organization or for personal use, as it can have a significant impact on the overall performance and security of the VPN. It’s also important to have clear security policies with a well-defined set of rules for traffic routing, to ensure data integrity and security.

Below is a traditional setup diagram for a VPN; in this type of setup, all the traffic goes through the VPN server.

Setting up split tunneling 

Setting up split tunneling in OpenVPN on a Linux system typically involves modifying the client’s configuration file and adding specific routing rules.

If you don’t already have OpenVPN set up on your system, you can use our Ansible role for OpenVPN to set it up and to create and delete client profiles.

Here’s an overview of the process:

Open the client configuration file for your OpenVPN connection. On most Linux systems, this file is located at /etc/openvpn/client.conf or /etc/openvpn/client.ovpn, but if you have used the above Ansible role to set up OpenVPN, the file will be located at /tmp/{{client_name}}.ovpn.

Add the following line to the configuration file to enable split tunneling:

route-nopull

This tells the OpenVPN client to ignore the routes pushed by the server, so they are not added to the system’s routing table automatically.

Next, specify the routing rules that should be used to determine which traffic should be sent through the VPN and which traffic should be sent directly to the Internet.


Route specific IP addresses or domains through the VPN:

route xxxx.xxxx.xxxx subnet-mask
route xx.xx.xx.xx subnet-mask

Save the modified configuration file and restart the OpenVPN client to apply the changes.
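To check a profile against the "clearly defined set of rules" mentioned earlier, the following added example (not part of the original post or of the Ansible role) parses a client profile and reports which IPv4 destinations would use the tunnel. The sample profile, its addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample profile; hostnames and addresses are illustrative only.
SAMPLE_OVPN = """\
client
dev tun
remote vpn.example.com 1194 udp
route-nopull                          # ignore routes pushed by the server
route 10.20.0.0 255.255.0.0           # corporate network
route 192.168.50.10 255.255.255.255   # single internal host
route 172.16.5.0                      # no mask given: a single host (/32)
"""

def parse_profile(text):
    """Return (route_nopull, redirect_gateway, networks, hostnames)."""
    nopull, redirect, nets, hosts = False, False, [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts or parts[0].startswith(";"):
            continue
        if parts[0] == "route-nopull":
            nopull = True
        elif parts[0] == "redirect-gateway":
            redirect = True
        elif parts[0] == "route" and len(parts) > 1:
            mask = parts[2] if len(parts) > 2 and parts[2] != "default" else "255.255.255.255"
            try:
                nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
            except ValueError:
                hosts.append(parts[1])  # hostname target, resolved at connect time
    return nopull, redirect, nets, hosts

def audit(text, destinations):
    """Return (findings, {destination: 'vpn' | 'direct'}) for IPv4 destinations."""
    nopull, redirect, nets, hosts = parse_profile(text)
    findings = []
    if not nopull:
        findings.append("route-nopull missing: server-pushed routes are accepted")
    if redirect:
        findings.append("redirect-gateway set: all traffic uses the tunnel")
    findings += [f"route to hostname {h}: depends on DNS at connect time" for h in hosts]
    paths = {}
    for dest in destinations:
        ip = ipaddress.ip_address(dest)
        paths[dest] = "vpn" if redirect or any(ip in n for n in nets) else "direct"
    return findings, paths

if __name__ == "__main__":
    issues, paths = audit(SAMPLE_OVPN, ["10.20.3.4", "172.16.5.7", "8.8.8.8"])
    print(issues, paths)
```

The result reflects only the routes written in the profile; compare it with the live routing table (for example with `ip route`) after the client connects.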

It is worth mentioning that the configuration process may vary depending on your OpenVPN version, the implementation of your Linux distribution, and the OpenVPN package on it. Always consult the official documentation for your specific setup, be mindful of your security policies, and have good security practices in place.

The diagram below represents split tunneling, where only the traffic meant for the VPN server goes through the VPN tunnel and the rest of the traffic goes directly to the public internet.

Conclusion:

Split Tunneling is a powerful feature in OpenVPN that allows users to selectively choose which traffic should be routed through the VPN tunnel and which traffic should be sent directly to the Internet. This feature can greatly improve the speed and reliability of internet access for the client, while also conserving bandwidth on the VPN server. However, it’s important to have a clearly defined set of rules on what traffic should be routed through the VPN and to strictly monitor traffic bypassing the VPN to avoid any potential security concerns. Setting up split tunneling in OpenVPN on a Linux system involves modifying the client’s configuration file and adding specific routing rules. By following the recommended practices and guidelines, users can effectively set up and use the Split Tunneling feature in OpenVPN to improve the performance and security of their VPN connection.

Blog Pundits: Mehul Sharma and Sandeep Rawat

One thought on “Split Tunneling Using OpenVPN”

  1. Thank you for this dynamite blog post!
    By following the recommended practices you can effectively set up and use split tunneling with OpenVPN.

    Wayne
