Routing all traffic through the VPN.

miciolampo89
OpenVpn Newbie
Posts: 2
Joined: Mon Mar 11, 2019 3:58 pm


Post by miciolampo89 » Thu May 30, 2019 9:16 am

Maybe someone can help me.
About the directive ** push "redirect-gateway def1" ** I have found the following explanation:

"Parameter def1: Instead of replacing the existing default gateway, OpenVPN
will add two new routes, 0.0.0.0/1 and 128.0.0.0/1. These routes together also
cover all IPv4 space, and are more specific (/1) than the regular gateway (/0).
Routing always takes place over the more specific routes, and thus all traffic
is sent over the VPN. The advantage of this trick is that the default gateway
is left intact. If the VPN connection is stopped, the original gateway can be
restored. Note that in this case, OpenVPN will add an explicit route to the
OpenVPN server itself, so the encrypted traffic itself will not be sent over the
tunnel."

From the above, and after some research on the Internet, I understand (I imagine that I am wrong...) that all IP packets transit through the VPN server, even those IP packets that are not destined to a host belonging to the VPN. To me this means the following: an IP packet destined to a host not belonging to the VPN travels through the VPN tunnel until some unspecified point, then it leaves the secure VPN tunnel in order to reach the "unsafe" host.

Now my (stupid?) question is: since sooner or later the IP packet will leave the secure VPN tunnel, what is the purpose of making it travel through the secure VPN tunnel only for the first part of its trip? Why not use the unsafe direct way?

Any help is appreciated.
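As an added illustration (not part of the original post), the longest-prefix-match lookup below reproduces the routing-table logic the quoted def1 explanation describes: the two /1 routes win over the untouched /0 default route, while the explicit /32 host route keeps the encrypted packets to the server on the LAN. All addresses and interface names are constructed for the example.

```python
import ipaddress

# Constructed addresses; none of these belong to a real deployment.
LAN_GW = "192.168.1.1"        # original default gateway on the local network
VPN_GW = "10.8.0.1"           # tunnel peer address inside the VPN
VPN_SERVER = "203.0.113.10"   # public address of the OpenVPN server


def longest_prefix_match(routes, dst):
    """Return the (prefix, gateway, interface) entry whose prefix covers dst
    with the largest prefix length, i.e. the route the kernel would pick."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best, best_len = (prefix, gw, dev), net.prefixlen
    return best


def egress_interface(routes, dst):
    """Interface a packet to dst leaves through, per longest-prefix match."""
    return longest_prefix_match(routes, dst)[2]


# Routing table before the tunnel comes up: LAN subnet plus the /0 default.
BEFORE = [
    ("0.0.0.0/0", LAN_GW, "eth0"),
    ("192.168.1.0/24", None, "eth0"),
]

# What "redirect-gateway def1" adds: the /0 default stays in place, the two
# /1 halves of IPv4 space point into the tunnel, and a /32 host route makes
# sure the encrypted traffic to the server itself still exits via the LAN.
DEF1_ROUTES = [
    ("0.0.0.0/1", VPN_GW, "tun0"),
    ("128.0.0.0/1", VPN_GW, "tun0"),
    (f"{VPN_SERVER}/32", LAN_GW, "eth0"),
]
AFTER = BEFORE + DEF1_ROUTES

if __name__ == "__main__":
    for dst in ("8.8.8.8", "198.51.100.7", VPN_SERVER, "192.168.1.50"):
        print(f"{dst:>15}  before: {egress_interface(BEFORE, dst)}"
              f"  after: {egress_interface(AFTER, dst)}")
```

Traffic to the LAN subnet still leaves through eth0 after the change because the /24 route is more specific than either /1; only traffic that previously fell through to the default route is pulled into the tunnel.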

TinCanTech
OpenVPN Protagonist
Posts: 6135
Joined: Fri Jun 03, 2016 1:17 pm

Re: Routing all traffic through the VPN.

Post by TinCanTech » Thu May 30, 2019 3:45 pm

Redirecting your default gateway means no unencrypted packets will be seen on the LAN your client is connected to, for instance an unprotected WiFi in a coffee shop.
