Prevent Default Route into Tunnel to be added on Client
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Jun 08, 2017 1:16 pm
Prevent Default Route into Tunnel to be added on Client
Using OpenVPN Connect 2.1.4, VPN Mode is Routing
When the tunnel becomes established I see that a default route is added to the route table on the client PC (Win 7) with the tunnel endpoint IP as gateway. I did not find any setting in the Access Server GUI that is responsible for that.
How can I prevent this route from being added on the client?
-
- OpenVPN Power User
- Posts: 91
- Joined: Tue Nov 29, 2011 9:34 pm
Re: Prevent Default Route into Tunnel to be added on Client
rtfm
https://openvpn.net/index.php/access-se ... erver.html
When Yes is selected for the Should clients' Internet traffic be routed through the VPN? setting, the default route on a newly-connected VPN Client host is set to point to the VPN gateway's virtual IP address.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Jun 08, 2017 1:16 pm
Re: Prevent Default Route into Tunnel to be added on Client
Following settings are present:
- Should VPN clients have access to private subnets: Yes, using routing
10.130.0.0/15
10.132.0.0/15
172.16.0.0/16
- Should client Internet traffic be routed through the VPN: No
- Should clients to be allowed to access network services: No
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: Prevent Default Route into Tunnel to be added on Client
So what does your routing table look like on your client system now? Specifically the entries for default routes.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Jun 08, 2017 1:16 pm
Re: Prevent Default Route into Tunnel to be added on Client
I did not modify the settings as they already have been as shown above.
Therefore the route table is the same as before:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 135.246.XX.X 135.246.XX.X 10
0.0.0.0 0.0.0.0 10.200.128.1 10.200.128.24 220
10.130.0.0 255.254.0.0 10.200.128.1 10.200.128.24 220
10.132.0.0 255.254.0.0 10.200.128.1 10.200.128.24 220
...
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: Prevent Default Route into Tunnel to be added on Client
According to that route table, the first rule has a higher priority (lower metric cost) than the second rule. So that one should win over the other one, for packets with a destination not specified elsewhere in your routing table.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Jun 08, 2017 1:16 pm
Re: Prevent Default Route into Tunnel to be added on Client
That's correct, but my intention was to prevent this default route from being propagated to client at all and hopefully someone knows the button to switch it off.
- Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Re: Prevent Default Route into Tunnel to be added on Client
See --pull-filter in manual ?
https://community.openvpn.net/openvpn/w ... n24ManPage
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Jun 08, 2017 1:16 pm
Re: Prevent Default Route into Tunnel to be added on Client
In the client log I see the following:
0 [explicit-exit-notify]
1 [topology] [subnet]
2 [route-delay] [5] [30]
3 [dhcp-pre-release]
4 [dhcp-renew]
5 [dhcp-release]
6 [route-metric] [101]
7 [route-metric] [200]
8 [ping] [12]
9 [ping-restart] [50]
10 [auth-token] ...
11 [comp-lzo] [yes]
12 [redirect-private] [def1]
13 [redirect-private] [bypass-dhcp]
14 [redirect-private] [autolocal]
15 [redirect-private] [bypass-dns]
16 [route-gateway] [10.200.128.1]
17 [route] [10.200.200.0] [255.255.255.0]
18 [route] [172.16.0.0] [255.255.0.0]
19 [route] [10.130.0.0] [255.254.0.0]
20 [route] [10.132.0.0] [255.254.0.0]
21 [dhcp-option] [DOMAIN] [vlab.alu]
22 [dhcp-option] [DISABLE_NBT]
23 [block-ipv6]
24 [ifconfig] [10.200.128.3] [255.255.255.192]
Therefore I tried to add Client Config Directive via admin GUI:
pull-filter ignore "route-gateway"
but cannot see any change
Some lines below in the client log I see:
Tunnel Addresses:
10.200.128.3/26 -> 10.200.128.1
Reroute Gateway: IPv4=0 IPv6=0 flags=[ ENABLE AUTO_LOCAL DEF1 BYPASS_DHCP BYPASS_DNS IPv4 ]
Block IPv6: yes
Route Metric Default: 200
Add Routes:
10.200.200.0/24
172.16.0.0/16
10.130.0.0/15
10.132.0.0/15
Exclude Routes:
Isn't it possible via admin GUI ?
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: Prevent Default Route into Tunnel to be added on Client
I'm afraid you'll have to use the open source client for now. This appears to be a problem with OpenVPN 3 codebase registering a connection in your Windows OS. The route is not being added by OpenVPN directives or configuration, and as such it cannot be solved with that. This is internally.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
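A check for the situation discussed in this thread, as an added example (not part of any post and not OpenVPN code): it compares the options the server pushed with the client's `route print` rows and reports a default route via the tunnel gateway that no pushed directive explains. The inputs are constructed in the shape of the log and route table posted above; 192.0.2.1 and 192.0.2.50 are placeholders for the redacted physical gateway and interface, and the function names are hypothetical.

```python
import re

# Constructed samples in the shape of the thread's client log and `route print`.
# 192.0.2.1 / 192.0.2.50 are placeholders for the redacted physical gateway.
PUSHED = """\
7 [route-metric] [200]
12 [redirect-private] [def1]
16 [route-gateway] [10.200.128.1]
19 [route] [10.130.0.0] [255.254.0.0]
20 [route] [10.132.0.0] [255.254.0.0]
"""
ROUTES = """\
0.0.0.0 0.0.0.0 192.0.2.1 192.0.2.50 10
0.0.0.0 0.0.0.0 10.200.128.1 10.200.128.24 220
10.130.0.0 255.254.0.0 10.200.128.1 10.200.128.24 220
"""

def parse_pushed(text):
    """Turn '<idx> [name] [arg] ...' log lines into (name, [args]) tuples."""
    opts = []
    for line in text.splitlines():
        fields = re.findall(r"\[([^\]]*)\]", line)
        if fields:
            opts.append((fields[0], fields[1:]))
    return opts

def pushes_default_route(opts):
    """redirect-gateway or an explicit 0.0.0.0/0 route asks for a default route;
    redirect-private does not change the default gateway."""
    return any(name == "redirect-gateway" or
               (name == "route" and args[:2] == ["0.0.0.0", "0.0.0.0"])
               for name, args in opts)

def default_routes(text):
    """(gateway, interface, metric) for each 0.0.0.0/0 row, lowest metric first."""
    rows = [line.split() for line in text.splitlines()]
    hits = [(f[2], f[3], int(f[4])) for f in rows
            if len(f) == 5 and f[:2] == ["0.0.0.0", "0.0.0.0"]]
    return sorted(hits, key=lambda r: r[2])

def audit(pushed_text, route_text):
    opts = parse_pushed(pushed_text)
    gw = next((a[0] for n, a in opts if n == "route-gateway" and a), None)
    defaults = default_routes(route_text)
    via_tunnel = any(r[0] == gw for r in defaults)
    return {"pushed_default": pushes_default_route(opts),
            "tunnel_default_present": via_tunnel,
            "preferred_gateway": defaults[0][0] if defaults else None,
            "unexplained": via_tunnel and not pushes_default_route(opts)}
```

On the sample data the lower-metric physical gateway is still preferred, and the tunnel default route is flagged as unexplained because only `redirect-private` was pushed.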
-
- OpenVpn Newbie
- Posts: 7
- Joined: Thu Jun 08, 2017 1:16 pm
Re: Prevent Default Route into Tunnel to be added on Client
Do we have to open a ticket in order to get this repaired ?
- novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
Re: Prevent Default Route into Tunnel to be added on Client
Of course, it's being looked into. Can't give you any more information than that at this point. Also note that most systems do not have an issue because their interface priorities are correct.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.