Overview
When VPN client internet traffic is routed through the VPN server, you can configure a bypass route to exclude specific subnets or IP addresses from the VPN tunnel. Traffic destined for those networks uses the client’s local internet connection instead.
As described in Tutorial: Manage User and Group Properties from the Command Line, Access Server supports bypass routes through the bypass_route.N directive, which specifies one or more excluded subnets or IP addresses using a numbered sequence. You can assign these to individual users, groups, or globally through the __DEFAULT__ user.
Known Issue
A known issue currently prevents users from inheriting bypass_route.N properties assigned to the __DEFAULT__ user. As a result, configuring bypass routes globally through __DEFAULT__ doesn't work as expected.
This issue is planned to be addressed in a future release.
Workaround
As a workaround, configure bypass routes at the group level and assign users to that group. If you want the configuration applied broadly, you can designate the group as the default group.
Solution
- Connect to the console and get root privileges.
- Create a new group:
  sacli --user <GROUP_NAME> --key "type" --value "group" UserPropPut
  sacli --user <GROUP_NAME> --key "group_declare" --value "true" UserPropPut
- Add a bypass/exclusion route to the new group:
  sacli --user <GROUP_NAME> --key "bypass_route.0" --value <SUBNET> UserPropPut
  Replace <SUBNET> with the subnet or IP address you want to exclude from the VPN tunnel.
- (Optional) Configure the new group as the default group:
  sacli --user "__DEFAULT__" --key "conn_group" --value <GROUP_NAME> UserPropPut
  Users without an explicitly assigned group inherit the properties of the default group.
- Refresh the Access Server configuration:
  sacli start
If you don’t configure the new group as the default group, you can assign specific users to the group from the Admin Web UI.
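The procedure above, scripted as an added example that is not part of the original article or OpenVPN's own tooling: a POSIX shell function that validates each excluded address and prints the sacli commands for a group with several numbered bypass routes. The function names, the group name vpn_bypass, the sample addresses, and the validation rules (IPv4 only, no /0 prefix, conservative group-name characters) are assumptions of this example; the optional default-group step is left out.

```sh
#!/bin/sh
# Added example (not from the article): dry-run generator for the steps above.
# It only prints sacli commands; review them, then pipe the output to sh as root.

# valid_target ADDR: accept an IPv4 address or CIDR subnet.
# Assumption of this example: IPv4 only, and prefix /0 is refused because it
# would take all traffic out of the tunnel.
valid_target() {
  addr=${1%%/*}
  prefix=32
  case $1 in */*) prefix=${1#*/} ;; esac
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
  case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $addr            # split the address into octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# gen_bypass_cmds GROUP TARGET...: print the commands that declare GROUP and
# give it bypass_route.0, bypass_route.1, ... in the order given.
gen_bypass_cmds() {
  group=$1
  [ $# -ge 2 ] || { echo "usage: gen_bypass_cmds GROUP TARGET..." >&2; return 1; }
  shift
  # Conservative name whitelist (this example's choice, not an Access Server rule).
  case $group in ''|-*|*[!A-Za-z0-9_.-]*) echo "bad group: $group" >&2; return 1 ;; esac
  # Validate everything first so a bad entry never yields a partial command list.
  for target in "$@"; do
    valid_target "$target" || { echo "rejected: $target" >&2; return 1; }
  done
  printf 'sacli --user "%s" --key "type" --value "group" UserPropPut\n' "$group"
  printf 'sacli --user "%s" --key "group_declare" --value "true" UserPropPut\n' "$group"
  n=0
  for target in "$@"; do
    printf 'sacli --user "%s" --key "bypass_route.%d" --value "%s" UserPropPut\n' \
      "$group" "$n" "$target"
    n=$((n + 1))
  done
  printf 'sacli start\n'
}

# Constructed sample values: a hypothetical group name and documentation-style addresses.
gen_bypass_cmds vpn_bypass 192.168.50.0/24 203.0.113.10
```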
If you have any questions, please submit a support ticket.