Community Support Forum (OpenVPN.net)
Forum rules


If you would like help, here are a few things you will want to do in order to help us help you.

- Post your configs from client and server, without comments. You can strip comments in Linux/BSD with something like this:
  grep -vE '^#|^;|^$' server.conf
- Tell us your goal.
- If you are having problems connecting, post your logfiles from server and client after using verb 4 in both configs.


Also, there are 2 things you should be aware of:

- Sometimes you cannot avoid tunneling over TCP, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
- You ONLY want to use dev tap if you are tunneling layer 2 traffic; if you are using IP traffic you want tun. If you are using tap only for Windows file sharing, look into running a WINS server instead.



split tunneling and disabling redirect gateway
 Post subject: split tunneling and disabling redirect gateway
PostPosted: Sun Oct 14, 2012 8:51 am 
OpenVpn Newbie

Joined: Sun Oct 14, 2012 8:33 am
Posts: 2
I setup my OpenVPN server a few months back using the redirect-gateway def1 option to configure all traffic from a client to traverse the OpenVPN server. Since the server was originally set up we no longer want this behavior and want to only have traffic destined for a specific subnet traverse the OpenVPN connection.

To accomplish this I thought all I would need to do was:

1) add the push route statements for the appropriate subnets
2) comment out the push redirect-gateway lines

After changing our configuration and restarting the openvpn daemon I am still getting my default route on clients changed to flow through OpenVPN. I looked around and from what I've read/gathered from other forum posts removing the redirect-gateway line should stop the default route(s) from going out. Am I missing something? How can I stop these routes from going out?

Routes I don't want added:
0.0.0.0 128.0.0.0 192.168.206.5 192.168.206.6 30
128.0.0.0 128.0.0.0 192.168.206.5 192.168.206.6 30


Client received control message (I believe "route 192.168.206.1" in the server's PUSH line is the culprit):
Sun Oct 14 01:46:17 2012 PUSH: Received control message: 'PUSH_REPLY,route 192.168.192.0 255.255.240.0,,dhcp-option DNS 192.168.195.10,dhcp-option DNS 192.168.195.11,dhcp-option DOMAIN sea1.office.priv,route 192.168.206.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.206.6 192.168.206.5'


Server config:
local 0.0.0.0
port 1194
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key # This file should be kept secret
dh /etc/openvpn/certs/dh1024.pem
server 192.168.206.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.192.0 255.255.240.0"
push "dhcp-option DNS 192.168.195.10"
push "dhcp-option DNS 192.168.195.11"
push "dhcp-option DOMAIN mydomain.com"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/openvpn-ldap.config
tmp-dir /tmp
reneg-sec 0


Client config:
client
dev tun
proto udp
remote myvpn-server.mydomain.com 1194
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert USER.crt
key USER.key
ns-cert-type server
comp-lzo
verb 3
auth-user-pass

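To see where the two half-default routes come from, here is an added example that is not part of the thread: a small Python script that reads pushed options either from a server.conf (its push "..." lines) or from the client's PUSH_REPLY log line, and reports whether a redirect-gateway is in effect and which routes the client will install. It assumes OpenVPN's documented defaults (a route with no netmask is a host route, and redirect-gateway def1 installs the two /1 routes rather than replacing the default route). The PUSH_REPLY line is the one quoted above; the two server configs inside the script are constructed, with the "old" one still carrying the push "redirect-gateway def1" line that the post describes as commented out.

```python
"""Added example (not from the forum thread): classify OpenVPN push options
as split-tunnel or full-tunnel.

Assumed OpenVPN semantics (from the reference manual):
  * ``route NET [MASK]``: a missing MASK means a host route, 255.255.255.255
  * ``redirect-gateway def1``: adds 0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0
    (two /1 routes that override the default route without deleting it)
  * ``redirect-gateway`` without def1: replaces the default route (0.0.0.0/0)
"""
import re
from dataclasses import dataclass, field


@dataclass
class PushSummary:
    routes: list = field(default_factory=list)  # (network, netmask) pairs
    full_tunnel: bool = False                   # any redirect-gateway seen
    def1: bool = False                          # redirect-gateway used def1


def options_from_server_conf(conf_text: str) -> list:
    """Return the argument of every push "..." line, skipping # and ; comments."""
    opts = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r'push\s+"([^"]*)"', line)
        if m:
            opts.append(m.group(1))
    return opts


def options_from_push_reply(log_line: str) -> list:
    """Return the comma-separated options inside a logged PUSH_REPLY message."""
    m = re.search(r"'PUSH_REPLY,(.*)'", log_line)
    if not m:
        raise ValueError("line does not contain a PUSH_REPLY message")
    # An empty field (",," in the log) is a push of nothing; drop it.
    return [opt for opt in m.group(1).split(",") if opt]


def summarize(options: list) -> PushSummary:
    """Work out the routes a client would install from a list of pushed options."""
    summary = PushSummary()
    for opt in options:
        parts = opt.split()
        if parts[0] == "route" and len(parts) >= 2:
            netmask = parts[2] if len(parts) >= 3 else "255.255.255.255"
            summary.routes.append((parts[1], netmask))
        elif parts[0] == "redirect-gateway":
            summary.full_tunnel = True
            summary.def1 = "def1" in parts[1:]
            if summary.def1:
                summary.routes.append(("0.0.0.0", "128.0.0.0"))
                summary.routes.append(("128.0.0.0", "128.0.0.0"))
            else:
                summary.routes.append(("0.0.0.0", "0.0.0.0"))
    return summary


# The PUSH_REPLY line quoted in the post above (real log line from the thread).
SAMPLE_PUSH_REPLY = (
    "Sun Oct 14 01:46:17 2012 PUSH: Received control message: 'PUSH_REPLY,"
    "route 192.168.192.0 255.255.240.0,,dhcp-option DNS 192.168.195.10,"
    "dhcp-option DNS 192.168.195.11,dhcp-option DOMAIN sea1.office.priv,"
    "route 192.168.206.1,topology net30,ping 10,ping-restart 120,"
    "ifconfig 192.168.206.6 192.168.206.5'"
)

# Constructed server configs: before and after commenting out the redirect.
OLD_SERVER_CONF = """
server 192.168.206.0 255.255.255.0
push "redirect-gateway def1"
push "route 192.168.192.0 255.255.240.0"
"""
NEW_SERVER_CONF = """
server 192.168.206.0 255.255.255.0
# push "redirect-gateway def1"
push "route 192.168.192.0 255.255.240.0"
"""


def describe(summary: PushSummary) -> str:
    mode = "FULL tunnel" if summary.full_tunnel else "split tunnel"
    routes = ", ".join(f"{n}/{m}" for n, m in summary.routes)
    return f"{mode}: routes pushed = {routes}"


if __name__ == "__main__":
    print("old server.conf ->", describe(summarize(options_from_server_conf(OLD_SERVER_CONF))))
    print("new server.conf ->", describe(summarize(options_from_server_conf(NEW_SERVER_CONF))))
    print("client PUSH_REPLY ->", describe(summarize(options_from_push_reply(SAMPLE_PUSH_REPLY))))
```

Run against the thread's own PUSH_REPLY, the script reports a split tunnel: the message carries only the 192.168.192.0/20 route and a host route to 192.168.206.1, and no redirect-gateway option at all. So the 0.0.0.0/128.0.0.0 pair could not have been installed by that reply; a leftover from an earlier session on the client is the remaining explanation, which is where the thread ends up.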

 Post subject: Re: split tunneling and disabling redirect gateway
PostPosted: Mon Oct 15, 2012 11:43 am 
Forum Team
User avatar

Joined: Wed Sep 22, 2010 3:18 am
Posts: 1565
As you read, push "redirect-gateway def1" is enough to stop routing anything through the tunnel. But you also need to completely restart the client, maybe even the operating system.


 Post subject: Re: split tunneling and disabling redirect gateway
PostPosted: Tue Oct 16, 2012 5:45 pm 
OpenVpn Newbie

Joined: Sun Oct 14, 2012 8:33 am
Posts: 2
I was restarting the OpenVPN client to reconnect, but I guess something was being cached, because an OS reboot and reconnect didn't push the default routes.

Didn't think to try that one - thanks!

