I have an issue with my OpenVPN: although I only push a local LAN route, when I connect it seems to push all my traffic. The only way I get around it is to add "never-default = true" in my local connection file (without this setting I only have access to the LAN on the VPN side, no WAN at all).
My server-side config is:
port 1194
proto udp
dev tun
keepalive 10 120
comp-lzo
multihome
persist-key
persist-tun
ca /etc/pki/CA/ca.crt
cert /etc/pki/CA/vpn.crt
key /etc/pki/CA/private/vpn.key
dh /etc/pki/CA/ssl/dhp4096.pem
server 10.9.0.0 255.255.255.0
crl-verify /etc/openvpn/crl.pem
user nobody
group nobody
tls-auth /etc/pki/CA/private/ta.key
key-direction 0
# This needs to be in client.ovpn too though.
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
ncp-ciphers AES-256-GCM:AES-256-CBC
push "route 192.168.30.0 255.255.255.0"
log /var/log/openvpn-vpn.log
ifconfig-pool-persist /var/lib/openvpn/ipp.txt 120
status /var/lib/openvpn/openvpn-status-vpn.log
When connecting it seems to be pushing the VPN as the default gateway.
Output of route on the client when connected:
~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.9.0.5 0.0.0.0 UG 50 0 0 tun0
default 192.168.1.10 0.0.0.0 UG 100 0 0 eno1
10.9.0.1 10.9.0.5 255.255.255.255 UGH 50 0 0 tun0
10.9.0.5 * 255.255.255.255 UH 50 0 0 tun0
192.168.30.0 10.9.0.5 255.255.255.0 UG 50 0 0 tun0
<vpn ip> 192.168.1.10 255.255.255.255 UGH 100 0 0 eno1
link-local * 255.255.0.0 U 1000 0 0 eno1
192.168.1.0 * 255.255.255.0 U 100 0 0 eno1
Output of route on the client when connected using "never-default = true" in my local connection file:
~$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.10 0.0.0.0 UG 100 0 0 eno1
10.9.0.1 10.9.0.5 255.255.255.255 UGH 50 0 0 tun0
10.9.0.5 * 255.255.255.255 UH 50 0 0 tun0
192.168.30.0 10.9.0.5 255.255.255.0 UG 50 0 0 tun0
<vpn ip> 192.168.1.10 255.255.255.255 UGH 100 0 0 eno1
link-local * 255.255.0.0 U 1000 0 0 eno1
192.168.1.0 * 255.255.255.0 U 100 0 0 eno1
In the OpenVPN server log, in response to "PUSH_REQUEST", I only see:
'PUSH_REPLY,route 192.168.30.0 255.255.255.0,route 10.9.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.9.0.6 10.9.0.5,peer-id 1,cipher AES-256-GCM' (status=1)
How can I configure the server side so that it does not redirect the gateway?
Responses (5)
Accepted Answer
Sorry, but the Android OpenVPN-Connect client (the official client) does not redirect the gateway unless either your clients.conf says to with a:
push "redirect-gateway def1"
or a variant of the line, or if your .ovpn has had something added like:
redirect-gateway def1
but this is not how it appears out of ClearOS. I don't think the Android client even has an option to switch it on in its interface. If it redirects, it must be because you've changed the .ovpn file. Schwabe's client has that option.
In Ubuntu, if the DNS settings do not get used, I think you have to change the script security in the ovpn file and run some sort of update-resolver.sh script when you make and release the connection, but you'll need to research that. If you can provide feedback on that it would be appreciated. Then the docs can be updated.
[edit]
Configuring the DNS is not at all the same as redirecting the gateway and can be removed by removing the DNS settings from the OpenVPN webconfig, I believe.
[/edit]
Accepted Answer
Nick Howitt wrote:
So is it a setting in Network Manager OpenVPN Gnome? I don't use Ubuntu so I can't really guide you much.
I tried in Debian and the OpenVPN app on Android; both seem to redirect the gateway (including configuring DNS for it, which Ubuntu fails to do).
Question is, is it something misconfigured on the server side, or are all clients supposed to work this way?
Accepted Answer
Nick Howitt wrote:
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
ncp-ciphers AES-256-GCM:AES-256-CBC
So there is no need to specify them.
I am not sure if all clients use 2.4. I am on Ubuntu 16.04 and the default is 2.3 (on my PC I added the repo and updated to 2.4).
Nick Howitt wrote:
What is your client and how is it configured? I suspect it is setting the default route. I think I used kvpnc in the past and it used to automatically set the default route unless told otherwise.
I use mainly Ubuntu 16.04 and 18.04; the OpenVPN clients vary between 2.3 and 2.4. I use network-manager-openvpn 1.1.93-1ubuntu1.1 and network-manager-openvpn-gnome 1.1.93-1ubuntu1.1 for the front-end client.
I cannot really use kvpnc as I need it to work for many users; most (if not all) use network-manager-openvpn.
Accepted Answer
You've done a load of tinkering! I am not sure it is particularly necessary. If all devices are using OpenVPN 2.4 or above, they will negotiate something like:
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
ncp-ciphers AES-256-GCM:AES-256-CBC
So there is no need to specify them.
There is nothing in your PUSH_REPLY to indicate a default route being pushed.
What is your client and how is it configured? I suspect it is setting the default route. I think I used kvpnc in the past and it used to automatically set the default route unless told otherwise.
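A way to check Nick's point mechanically, using the two pieces of evidence the question already contains: the server's PUSH_REPLY log line and the client's `route` output. The script below is an added example, not code from this thread, from ClearOS or from OpenVPN. It parses both, works out which tunnel routes the PUSH_REPLY entitles the client to install (pushed routes, the net30 peer host route implied by `ifconfig`, and the /1 pair that `redirect-gateway def1` would add) and flags any tun0 route the client must have added on its own. The sample inputs are constructed from the thread (the redacted "<vpn ip>" row is left out); the function names are mine.

```python
"""Split-tunnel check for an OpenVPN client: which routes did the server push,
and which did the client add on its own?

Added example (not from the forum thread or OpenVPN). Inputs are the server's
PUSH_REPLY log line and the client's net-tools `route` output.
"""
import re

# Constructed sample: the PUSH_REPLY line as it appears in the server log.
PUSH_REPLY_LOG = (
    "'PUSH_REPLY,route 192.168.30.0 255.255.255.0,route 10.9.0.1,topology net30,"
    "ping 10,ping-restart 120,ifconfig 10.9.0.6 10.9.0.5,peer-id 1,"
    "cipher AES-256-GCM' (status=1)"
)

# Constructed sample: `route` on the client without never-default.
ROUTE_OUTPUT = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.9.0.5 0.0.0.0 UG 50 0 0 tun0
default 192.168.1.10 0.0.0.0 UG 100 0 0 eno1
10.9.0.1 10.9.0.5 255.255.255.255 UGH 50 0 0 tun0
10.9.0.5 * 255.255.255.255 UH 50 0 0 tun0
192.168.30.0 10.9.0.5 255.255.255.0 UG 50 0 0 tun0
link-local * 255.255.0.0 U 1000 0 0 eno1
192.168.1.0 * 255.255.255.0 U 100 0 0 eno1
"""

HOST_MASK = "255.255.255.255"


def parse_push_reply(log_line):
    """Extract the pushed options from a PUSH_REPLY log line (quoted or bare)."""
    m = re.search(r"PUSH_REPLY[^']*", log_line)
    if not m:
        raise ValueError("no PUSH_REPLY in line")
    opts = [o.strip().split() for o in m.group(0).split(",")[1:] if o.strip()]
    push = {"routes": set(), "redirect_gateway": False,
            "redirect_flags": [], "ifconfig": None}
    for words in opts:
        if words[0] == "route":
            # `route <net>` with no mask is a host route
            mask = words[2] if len(words) > 2 else HOST_MASK
            push["routes"].add((words[1], mask))
        elif words[0] == "redirect-gateway":
            push["redirect_gateway"] = True
            push["redirect_flags"] = words[1:]
        elif words[0] == "ifconfig":
            push["ifconfig"] = (words[1], words[2])  # (local, remote)
    return push


def expected_tun_routes(push):
    """Routes the client is entitled to install on the tunnel from this reply."""
    expected = set(push["routes"])
    if push["ifconfig"]:
        # net30 topology: the remote endpoint gets an implicit host route
        expected.add((push["ifconfig"][1], HOST_MASK))
    if push["redirect_gateway"]:
        if "def1" in push["redirect_flags"]:
            # def1 overrides the default with two /1 routes instead of replacing it
            expected |= {("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")}
        else:
            expected.add(("0.0.0.0", "0.0.0.0"))
    return expected


def parse_route_table(text):
    """Parse net-tools `route` output; 'default' becomes 0.0.0.0/0.0.0.0."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] in ("Kernel", "Destination"):
            continue
        rows.append({"dest": "0.0.0.0" if f[0] == "default" else f[0],
                     "gw": f[1], "mask": f[2], "metric": int(f[4]), "iface": f[7]})
    return rows


def classify_tun_routes(push, table, iface="tun0"):
    """Return (pushed, local): tunnel routes explained by the PUSH_REPLY vs. not."""
    expected = expected_tun_routes(push)
    pushed, local = [], []
    for r in table:
        if r["iface"] != iface:
            continue
        (pushed if (r["dest"], r["mask"]) in expected else local).append(r)
    return pushed, local


def client_installed_default(push, table, iface="tun0"):
    """True when a default route sits on the tunnel that the server never pushed."""
    _, local = classify_tun_routes(push, table, iface)
    return any(r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0" for r in local)


if __name__ == "__main__":
    push = parse_push_reply(PUSH_REPLY_LOG)
    table = parse_route_table(ROUTE_OUTPUT)
    pushed, local = classify_tun_routes(push, table)
    print("server pushed redirect-gateway:", push["redirect_gateway"])
    for r in local:
        print("client-installed tunnel route:", r["dest"], r["mask"], "metric", r["metric"])
```

On the thread's data the only tun0 route the PUSH_REPLY does not account for is the default one, which points at the client (NetworkManager) rather than the server. The `never-default = true` keyfile edit from the question is the same setting `nmcli connection modify <vpn-connection> ipv4.never-default yes` makes; the OpenVPN-level option `--route-nopull` is blunter and would also discard the pushed 192.168.30.0/24 route.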