Prevent Default Route into Tunnel to be added on Client

jloscher
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 08, 2017 1:16 pm

Prevent Default Route into Tunnel to be added on Client

Post by jloscher » Fri Jun 09, 2017 12:24 pm

Using OpenVPN Connect 2.1.4, VPN Mode is Routing.
When the tunnel is established I see that a default route is added to the route table on the client PC (Win 7) with the tunnel endpoint IP as gateway. I did not find any setting in the Access Server GUI that is responsible for that.
How can I prevent this route from being added on the client?

rsenio
OpenVPN Power User
Posts: 91
Joined: Tue Nov 29, 2011 9:34 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by rsenio » Fri Jun 09, 2017 2:09 pm

rtfm ;-)

https://openvpn.net/index.php/access-se ... erver.html

When Yes is selected for the Should clients' Internet traffic be routed through the VPN? setting, the default route on a newly-connected VPN Client host is set to point to the VPN gateway's virtual IP address.

jloscher
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 08, 2017 1:16 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by jloscher » Wed Jun 14, 2017 6:51 am

The following settings are present:
- Should VPN clients have access to private subnets: Yes, using routing
  10.130.0.0/15
  10.132.0.0/15
  172.16.0.0/16
- Should client Internet traffic be routed through the VPN: No
- Should clients be allowed to access network services: No

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by novaflash » Wed Jun 14, 2017 11:26 am

So what does your routing table look like on your client system now? Specifically the entries for default routes.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.

jloscher
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 08, 2017 1:16 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by jloscher » Wed Jun 14, 2017 12:07 pm

I did not modify the settings, as they were already as shown above.
Therefore the route table is the same as before:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     135.246.XX.X    135.246.XX.X      10
          0.0.0.0          0.0.0.0     10.200.128.1   10.200.128.24     220
       10.130.0.0      255.254.0.0     10.200.128.1   10.200.128.24     220
       10.132.0.0      255.254.0.0     10.200.128.1   10.200.128.24     220
...

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by novaflash » Wed Jun 14, 2017 12:22 pm

According to that route table, the first rule has a higher priority (lower metric cost) than the second rule. So that one should win over the other one, for packets with a destination not specified elsewhere in your routing table.
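
The route selection described in the post above, as an added example that is not part of the thread or of any OpenVPN code: it parses `route print` rows, picks the route a destination would use (longest prefix first, then lowest metric) and reports whether a default route bound to the tunnel interface currently wins. The function names are hypothetical, and the physical gateway and interface addresses, redacted in the thread, are constructed.

```python
import ipaddress

# Constructed sample shaped like the `route print` rows in the thread. The
# physical gateway/interface (redacted in the post) are documentation addresses.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        192.0.2.1      192.0.2.50      10
          0.0.0.0          0.0.0.0     10.200.128.1   10.200.128.24     220
       10.130.0.0      255.254.0.0     10.200.128.1   10.200.128.24     220
       10.132.0.0      255.254.0.0     10.200.128.1   10.200.128.24     220
"""

def parse_routes(text):
    """Return route dicts for every 5-column row that ends in a numeric metric."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # header, separator or other non-route line
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # not an IPv4 destination/netmask pair
        routes.append({"net": net, "gateway": gateway,
                       "iface": iface, "metric": int(metric)})
    return routes

def select_route(routes, destination):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["metric"]))

def tunnel_default_routes(routes, tunnel_iface):
    """Default routes on the tunnel interface, paired with 'currently wins?'."""
    best = select_route(routes, "198.51.100.7")  # constructed off-VPN destination
    return [(r, r is best) for r in routes
            if r["net"].prefixlen == 0 and r["iface"] == tunnel_iface]
```

A result of `True` for any tunnel default route means traffic for destinations outside the pushed subnets is leaving through the VPN despite the split-tunnel setting.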

jloscher
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 08, 2017 1:16 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by jloscher » Mon Jun 19, 2017 1:33 pm

That's correct, but my intention was to prevent this default route from being propagated to the client at all, and hopefully someone knows the button to switch it off.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Prevent Default Route into Tunnel to be added on Client

Post by Pippin » Mon Jun 19, 2017 2:02 pm


jloscher
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 08, 2017 1:16 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by jloscher » Mon Jun 19, 2017 2:57 pm

In the client log I see the following:
0 [explicit-exit-notify]
1 [topology] [subnet]
2 [route-delay] [5] [30]
3 [dhcp-pre-release]
4 [dhcp-renew]
5 [dhcp-release]
6 [route-metric] [101]
7 [route-metric] [200]
8 [ping] [12]
9 [ping-restart] [50]
10 [auth-token] ...
11 [comp-lzo] [yes]
12 [redirect-private] [def1]
13 [redirect-private] [bypass-dhcp]
14 [redirect-private] [autolocal]
15 [redirect-private] [bypass-dns]
16 [route-gateway] [10.200.128.1]
17 [route] [10.200.200.0] [255.255.255.0]
18 [route] [172.16.0.0] [255.255.0.0]
19 [route] [10.130.0.0] [255.254.0.0]
20 [route] [10.132.0.0] [255.254.0.0]
21 [dhcp-option] [DOMAIN] [vlab.alu]
22 [dhcp-option] [DISABLE_NBT]
23 [block-ipv6]
24 [ifconfig] [10.200.128.3] [255.255.255.192]



Therefore I tried to add a Client Config Directive via the admin GUI:
pull-filter ignore "route-gateway"
but I cannot see any change.

Some lines below in the client log I see:
Tunnel Addresses:
10.200.128.3/26 -> 10.200.128.1
Reroute Gateway: IPv4=0 IPv6=0 flags=[ ENABLE AUTO_LOCAL DEF1 BYPASS_DHCP BYPASS_DNS IPv4 ]
Block IPv6: yes
Route Metric Default: 200
Add Routes:
10.200.200.0/24
172.16.0.0/16
10.130.0.0/15
10.132.0.0/15
Exclude Routes:

Isn't it possible via the admin GUI?
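
An added example (not from the thread or from OpenVPN itself) that audits a pushed-options list in the format of the client log above for directives that would cover the whole IPv4 address space: `redirect-gateway`, or `route` entries for 0.0.0.0/0 and the two /1 halves that `def1` installs. The function names and the sample excerpt are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt in the format of the client log quoted above:
# an index, then the option name and its arguments in square brackets.
PUSHED = """\
6 [route-metric] [101]
12 [redirect-private] [def1]
16 [route-gateway] [10.200.128.1]
17 [route] [10.200.200.0] [255.255.255.0]
19 [route] [10.130.0.0] [255.254.0.0]
"""

def parse_options(log_text):
    """Return [(name, [args, ...])] for each 'N [name] [arg] ...' line."""
    options = []
    for line in log_text.splitlines():
        if not re.match(r"\s*\d+\s+\[", line):
            continue  # not an indexed option line
        fields = re.findall(r"\[([^\]]*)\]", line)
        if fields:
            options.append((fields[0], fields[1:]))
    return options

def default_route_directives(options):
    """Pushed options that would route (nearly) all IPv4 traffic into the tunnel."""
    hits = []
    for name, args in options:
        if name == "redirect-gateway":
            hits.append((name, args))
        elif name == "route" and args:
            # OpenVPN treats a route without a netmask as a host route.
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            try:
                net = ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)
            except ValueError:
                continue  # keyword or hostname target such as vpn_gateway
            if net.prefixlen <= 1:  # 0.0.0.0/0, 0.0.0.0/1 or 128.0.0.0/1
                hits.append((name, args))
        # redirect-private is not flagged: per the OpenVPN manual it behaves
        # like redirect-gateway but does not change the default gateway.
    return hits
```

An empty result for a client that still shows a tunnel default route indicates the route was not installed from pushed directives.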

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by novaflash » Mon Jun 19, 2017 3:09 pm

I'm afraid you'll have to use the open source client for now. This appears to be a problem with the OpenVPN 3 codebase registering a connection in your Windows OS. The route is not being added by OpenVPN directives or configuration, and as such it cannot be solved with that. This is internally.

jloscher
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 08, 2017 1:16 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by jloscher » Wed Jun 28, 2017 8:17 am

Do we have to open a ticket in order to get this repaired?

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by novaflash » Wed Jun 28, 2017 7:14 pm

Of course, it's being looked into. Can't give you any more information than that at this point. Also note that most systems do not have an issue because their interface priorities are correct.