Openvpn – Don’t connect to OpenVPN when on internal network


We have an OpenVPN server – it's physically running in our internal subnet. Basically, when the VPN client connects, he gets an IP from the VPN's subnet and a route to the internal subnet is pushed to him. There are some devices such as phones or laptops, which are sometimes outside (so they use VPN to connect to the internal subnet) and sometimes inside (on the internal subnet; they don't need VPN).

Clients (either Win or Linux) have OpenVPN usually configured as a background service/job which automatically connects them to the VPN at startup. However, if they happen to be in the internal subnet the VPN connection is useless.

How to tell OpenVPN (perhaps in the configuration file) not to connect when inside the internal subnet (or equivalently: when the main server is reachable before the VPN connection is established)?

I've been searching for an answer for some time and the only solution I found so far is to set up a firewall rule on the VPN server which rejects VPN connections from the internal subnet.

An advantage is that this solution is independent of the client's OS. On the other hand, when a client comes to the internal network it results in desperate endless connection attempts, possibly polluting the firewall logs. (I'm aware of the max-retries option, but I want to keep it unlimited so in case of server maintenance or failure the VPN connection is automatically reestablished.)

Did anyone come up with a better solution?

Best Answer

Sure, just make a firewall rule blocking traffic to your OpenVPN port from your internal subnet.
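An added example, not code from the question or the answer above: a POSIX shell script that emits the server-side firewall rule the answer describes (in iptables syntax) and, going beyond the answer, a client-side pre-check of the kind the question asks for, so a startup job can skip OpenVPN when the machine is already on the internal subnet. The subnet 192.168.10.0/24, the server's internal address 192.168.10.1, UDP port 1194 and the config path /etc/openvpn/client.conf are assumptions; replace them with your own values.

```shell
#!/bin/sh
# Added example, not from the original post. All addresses, the port and the
# config path below are assumptions for illustration.
INTERNAL_SUBNET="192.168.10.0/24"
INTERNAL_SERVER="192.168.10.1"
VPN_PORT="1194"
VPN_PROTO="udp"
CLIENT_CONF="/etc/openvpn/client.conf"

# ip4_to_int A.B.C.D -> decimal 32-bit value (octets must not have leading zeros)
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_subnet ADDR CIDR -> exit 0 if ADDR lies inside CIDR, 1 otherwise
in_subnet() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        # 32-bit mask with $bits leading ones
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# block_rule -> the server-side rule the accepted answer describes.
# REJECT rather than DROP so LAN clients fail fast (ICMP port unreachable)
# instead of waiting for a timeout; -I so it lands before any ACCEPT for the port.
block_rule() {
    echo "iptables -I INPUT -s $INTERNAL_SUBNET -p $VPN_PROTO --dport $VPN_PORT -j REJECT --reject-with icmp-port-unreachable"
}

# local_source_ip HOST -> the local address the kernel would use to reach HOST
# (needs iproute2; prints nothing if the lookup fails)
local_source_ip() {
    ip -4 route get "$1" 2>/dev/null | sed -n 's/.* src \([0-9.]*\).*/\1/p' | head -n 1
}

# client_should_connect -> 0 if OpenVPN should be started, 1 if this host is
# already on the internal subnet. This is the client-side alternative the
# question asks about, not the accepted answer itself.
client_should_connect() {
    src=$(local_source_ip "$INTERNAL_SERVER")
    [ -n "$src" ] || return 0          # no route information: let OpenVPN try
    if in_subnet "$src" "$INTERNAL_SUBNET"; then
        return 1
    fi
    return 0
}

case "${1:-}" in
    server-rule)
        # print the rule; run the output as root on the VPN server to apply it
        block_rule ;;
    client)
        # use this as the startup job instead of calling openvpn directly
        if client_should_connect; then
            exec openvpn --config "$CLIENT_CONF"
        else
            echo "on $INTERNAL_SUBNET already, not starting OpenVPN" >&2
        fi ;;
esac
```

Two caveats a practitioner would want. First, the subnet test fires falsely at any remote site that happens to use the same RFC 1918 range, which is why the answer's server-side rule is the more robust check: it keys on where the packet actually arrives from. Second, with the rule in place a LAN client with unlimited retries still reconnects forever; rejecting (not dropping) keeps each attempt cheap, and because the rule carries no LOG target it does not by itself pollute the firewall logs.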
