
Prevent Default Route into Tunnel to be added on Client

Posted: Fri Jun 09, 2017 12:24 pm
by jloscher
Using OpenVPN Connect 2.1.4, VPN Mode is Routing
When the tunnel becomes established I see that a default route is added to the route table on client PC (Win 7) with tunnel endpoint IP as gateway. Did not find any settings on Access Server GUI that is responsible for that.
How can I prevent this route from being added on the client?

Re: Prevent Default Route into Tunnel to be added on Client

Posted: Fri Jun 09, 2017 2:09 pm
by rsenio
rtfm ;-)

https://openvpn.net/index.php/access-se ... erver.html

When Yes is selected for the Should clients' Internet traffic be routed through the VPN? setting, the default route on a newly-connected VPN Client host is set to point to the VPN gateway's virtual IP address.

Re: Prevent Default Route into Tunnel to be added on Client

Posted: Wed Jun 14, 2017 6:51 am
by jloscher
Following settings are present:
- Should VPN clients have access to private subnets: Yes, using routing
10.130.0.0/15
10.132.0.0/15
172.16.0.0/16
- Should client Internet traffic be routed through the VPN: No
- Should clients to be allowed to access network services: No

Re: Prevent Default Route into Tunnel to be added on Client

Posted: Wed Jun 14, 2017 11:26 am
by novaflash
So what does your routing table look like on your client system now? Specifically the entries for default routes.

Re: Prevent Default Route into Tunnel to be added on Client

Posted: Wed Jun 14, 2017 12:07 pm
by jloscher
I did not modify the settings, as they were already as shown above.
Therefore the route table is the same as before:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0     135.246.XX.X     135.246.XX.X      10
          0.0.0.0          0.0.0.0     10.200.128.1    10.200.128.24     220
       10.130.0.0      255.254.0.0     10.200.128.1    10.200.128.24     220
       10.132.0.0      255.254.0.0     10.200.128.1    10.200.128.24     220
...

Re: Prevent Default Route into Tunnel to be added on Client

Posted: Wed Jun 14, 2017 12:22 pm
by novaflash
According to that route table, the first rule has a higher priority (lower metric cost) than the second rule. So that one should win over the other one, for packets with a destination not specified elsewhere in your routing table.
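
Added example, not part of the thread and not OpenVPN code: a Python check that applies the selection rule from the post above (longest prefix first, then lowest metric) to a `route print` table and reports whether the tunnel's default route is absent, dormant or active. The sample table is constructed from the one posted earlier, with the redacted physical gateway replaced by documentation addresses (192.0.2.x); the function names and the probe address are hypothetical.

```python
import ipaddress

# Constructed sample modelled on the table in the thread; the redacted
# physical gateway and interface are replaced by documentation addresses.
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        192.0.2.1      192.0.2.10      10
          0.0.0.0          0.0.0.0     10.200.128.1   10.200.128.24     220
       10.130.0.0      255.254.0.0     10.200.128.1   10.200.128.24     220
       10.132.0.0      255.254.0.0     10.200.128.1   10.200.128.24     220
"""
TUNNEL_GW = "10.200.128.1"   # route-gateway value from the client log
PROBE = "198.51.100.7"       # constructed Internet destination

def parse_routes(text):
    """Parse IPv4 rows of `route print` (5 columns, numeric metric)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue  # header, separator or other non-route line
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
        except ValueError:
            continue
        routes.append({"net": net, "gw": f[2], "if": f[3], "metric": int(f[4])})
    return routes

def select_route(routes, dest):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r["net"]]
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"]), default=None)

def audit_default_routes(routes, tunnel_gw=TUNNEL_GW):
    """Classify the tunnel default route: absent, dormant or active."""
    via_tunnel = [r for r in routes if r["net"].prefixlen == 0 and r["gw"] == tunnel_gw]
    if not via_tunnel:
        return "absent"
    best = select_route(routes, PROBE)
    return "active" if best["gw"] == tunnel_gw else "dormant"

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    print("Internet traffic leaves via", select_route(table, PROBE)["gw"])
    print("10.131.4.5 leaves via", select_route(table, "10.131.4.5")["gw"])
    print("tunnel default route is", audit_default_routes(table))
```

A "dormant" result means split tunnelling holds only because of the metric ordering: if the physical interface's metric rises above 220, the same table sends Internet traffic into the tunnel.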

Re: Prevent Default Route into Tunnel to be added on Client

Posted: Mon Jun 19, 2017 1:33 pm
by jloscher
That's correct, but my intention was to prevent this default route from being propagated to client at all and hopefully someone knows the button to switch it off.

Re: Prevent Default Route into Tunnel to be added on Client

Posted: Mon Jun 19, 2017 2:02 pm
by Pippin

Re: Prevent Default Route into Tunnel to be added on Client

Posted: Mon Jun 19, 2017 2:57 pm
by jloscher
In the client log I see the following:
0 [explicit-exit-notify]
1 [topology] [subnet]
2 [route-delay] [5] [30]
3 [dhcp-pre-release]
4 [dhcp-renew]
5 [dhcp-release]
6 [route-metric] [101]
7 [route-metric] [200]
8 [ping] [12]
9 [ping-restart] [50]
10 [auth-token] ...
11 [comp-lzo] [yes]
12 [redirect-private] [def1]
13 [redirect-private] [bypass-dhcp]
14 [redirect-private] [autolocal]
15 [redirect-private] [bypass-dns]
16 [route-gateway] [10.200.128.1]
17 [route] [10.200.200.0] [255.255.255.0]
18 [route] [172.16.0.0] [255.255.0.0]
19 [route] [10.130.0.0] [255.254.0.0]
20 [route] [10.132.0.0] [255.254.0.0]
21 [dhcp-option] [DOMAIN] [vlab.alu]
22 [dhcp-option] [DISABLE_NBT]
23 [block-ipv6]
24 [ifconfig] [10.200.128.3] [255.255.255.192]



Therefore I tried to add Client Config Directive via admin GUI:
pull-filter ignore "route-gateway"
but cannot see any change

Some lines below in the client log I see:
Tunnel Addresses:
10.200.128.3/26 -> 10.200.128.1
Reroute Gateway: IPv4=0 IPv6=0 flags=[ ENABLE AUTO_LOCAL DEF1 BYPASS_DHCP BYPASS_DNS IPv4 ]
Block IPv6: yes
Route Metric Default: 200
Add Routes:
10.200.200.0/24
172.16.0.0/16
10.130.0.0/15
10.132.0.0/15
Exclude Routes:

Isn't it possible via admin GUI ?

Re: Prevent Default Route into Tunnel to be added on Client

Posted: Mon Jun 19, 2017 3:09 pm
by novaflash
I'm afraid you'll have to use the open source client for now. This appears to be a problem with the OpenVPN 3 codebase registering a connection in your Windows OS. The route is not being added by OpenVPN directives or configuration, and as such it cannot be solved with that. This is internal.

Re: Prevent Default Route into Tunnel to be added on Client

Posted: Wed Jun 28, 2017 8:17 am
by jloscher
Do we have to open a ticket in order to get this repaired ?

Re: Prevent Default Route into Tunnel to be added on Client

Posted: Wed Jun 28, 2017 7:14 pm
by novaflash
Of course, it's being looked into. Can't give you any more information than that at this point. Also note that most systems do not have an issue because their interface priorities are correct.