Prevent Default Route into Tunnel to be added on Client

jloscher
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 08, 2017 1:16 pm

Prevent Default Route into Tunnel to be added on Client

Post by jloscher » Fri Jun 09, 2017 12:24 pm

Using OpenVPN Connect 2.1.4, VPN Mode is Routing.
When the tunnel becomes established I see that a default route is added to the route table on the client PC (Win 7) with the tunnel endpoint IP as gateway. I did not find any setting in the Access Server GUI that is responsible for that.
How can I prevent this route from being added on the client?

rsenio
OpenVPN Power User
Posts: 84
Joined: Tue Nov 29, 2011 9:34 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by rsenio » Fri Jun 09, 2017 2:09 pm

rtfm ;-)

https://openvpn.net/index.php/access-se ... erver.html

When Yes is selected for the Should clients' Internet traffic be routed through the VPN? setting, the default route on a newly-connected VPN Client host is set to point to the VPN gateway's virtual IP address.

jloscher
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 08, 2017 1:16 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by jloscher » Wed Jun 14, 2017 6:51 am

The following settings are present:
- Should VPN clients have access to private subnets: Yes, using routing
    10.130.0.0/15
    10.132.0.0/15
    172.16.0.0/16
- Should client Internet traffic be routed through the VPN: No
- Should clients be allowed to access network services: No

novaflash
OpenVPN Expert
Posts: 410
Joined: Fri Apr 13, 2012 8:43 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by novaflash » Wed Jun 14, 2017 11:26 am

So what does your routing table look like on your client system now? Specifically the entries for default routes.

jloscher
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 08, 2017 1:16 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by jloscher » Wed Jun 14, 2017 12:07 pm

I did not modify the settings, as they were already as shown above.
Therefore the route table is the same as before:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     135.246.XX.X    135.246.XX.X      10
          0.0.0.0          0.0.0.0     10.200.128.1   10.200.128.24     220
       10.130.0.0      255.254.0.0     10.200.128.1   10.200.128.24     220
       10.132.0.0      255.254.0.0     10.200.128.1   10.200.128.24     220
...

novaflash
OpenVPN Expert
Posts: 410
Joined: Fri Apr 13, 2012 8:43 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by novaflash » Wed Jun 14, 2017 12:22 pm

According to that route table, the first rule has a higher priority (lower metric cost) than the second rule. So that one should win over the other one, for packets with a destination not specified elsewhere in your routing table.
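
Added example, not part of the original thread: a Python check that parses Windows `route print` output, applies the selection rule described in the post above (longest prefix first, then lowest metric), and reports any default route that points into the VPN tunnel. The sample table is constructed from the excerpt in the thread, with 192.0.2.x placeholders for the masked physical addresses and an assumed On-link row; the function names are hypothetical.

```python
import ipaddress

# Constructed sample modelled on the `route print` excerpt in the thread; the
# masked physical gateway/interface are replaced by 192.0.2.x placeholders.
SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        192.0.2.1      192.0.2.50      10
          0.0.0.0          0.0.0.0     10.200.128.1   10.200.128.24     220
       10.130.0.0      255.254.0.0     10.200.128.1   10.200.128.24     220
       10.132.0.0      255.254.0.0     10.200.128.1   10.200.128.24     220
     10.200.128.0  255.255.255.192          On-link   10.200.128.24     476
"""

def parse_routes(text):
    """Parse IPv4 'Active Routes' rows; header and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}", strict=False)
            gw = None if f[2] == "On-link" else ipaddress.ip_address(f[2])
            iface = ipaddress.ip_address(f[3])
        except ValueError:
            continue
        routes.append({"net": net, "gw": gw, "iface": iface, "metric": int(f[4])})
    return routes

def select_route(routes, dst):
    """Longest matching prefix wins; the lowest metric breaks ties."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r["net"]]
    return min(hits, key=lambda r: (-r["net"].prefixlen, r["metric"]), default=None)

def tunnel_default_routes(routes, tunnel_net):
    """Default routes whose interface address lies inside the VPN tunnel subnet."""
    tun = ipaddress.ip_network(tunnel_net)
    return [r for r in routes if r["net"].prefixlen == 0 and r["iface"] in tun]

def audit(text, tunnel_net, probe="198.51.100.7"):
    """Report which gateway carries Internet-bound traffic and any tunnel default."""
    routes = parse_routes(text)
    active = select_route(routes, probe)
    leaks = tunnel_default_routes(routes, tunnel_net)
    return {
        "active_gateway": str(active["gw"]) if active else None,
        "tunnel_defaults": [(str(r["gw"]), r["metric"]) for r in leaks],
        # True when the winning route for the probe is a tunnel default route.
        "tunnel_is_active": bool(active) and active in leaks,
    }

if __name__ == "__main__":
    print(audit(SAMPLE, "10.200.128.0/26"))
```

With the sample table the physical gateway stays active, but the tunnel default route is still reported; if the lower-metric default disappears, `tunnel_is_active` becomes true and Internet-bound traffic follows the tunnel.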

jloscher
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 08, 2017 1:16 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by jloscher » Mon Jun 19, 2017 1:33 pm

That's correct, but my intention was to prevent this default route from being propagated to the client at all, and hopefully someone knows the button to switch it off.

Pippin
OpenVPN Expert
Posts: 248
Joined: Wed Jul 01, 2015 8:03 am

Re: Prevent Default Route into Tunnel to be added on Client

Post by Pippin » Mon Jun 19, 2017 2:02 pm


jloscher
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 08, 2017 1:16 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by jloscher » Mon Jun 19, 2017 2:57 pm

In the client log I see the following:
0 [explicit-exit-notify]
1 [topology] [subnet]
2 [route-delay] [5] [30]
3 [dhcp-pre-release]
4 [dhcp-renew]
5 [dhcp-release]
6 [route-metric] [101]
7 [route-metric] [200]
8 [ping] [12]
9 [ping-restart] [50]
10 [auth-token] ...
11 [comp-lzo] [yes]
12 [redirect-private] [def1]
13 [redirect-private] [bypass-dhcp]
14 [redirect-private] [autolocal]
15 [redirect-private] [bypass-dns]
16 [route-gateway] [10.200.128.1]
17 [route] [10.200.200.0] [255.255.255.0]
18 [route] [172.16.0.0] [255.255.0.0]
19 [route] [10.130.0.0] [255.254.0.0]
20 [route] [10.132.0.0] [255.254.0.0]
21 [dhcp-option] [DOMAIN] [vlab.alu]
22 [dhcp-option] [DISABLE_NBT]
23 [block-ipv6]
24 [ifconfig] [10.200.128.3] [255.255.255.192]

Therefore I tried to add a Client Config Directive via the admin GUI:
pull-filter ignore "route-gateway"
but I cannot see any change.

Some lines further down in the client log I see:
Tunnel Addresses:
  10.200.128.3/26 -> 10.200.128.1
Reroute Gateway: IPv4=0 IPv6=0 flags=[ ENABLE AUTO_LOCAL DEF1 BYPASS_DHCP BYPASS_DNS IPv4 ]
Block IPv6: yes
Route Metric Default: 200
Add Routes:
  10.200.200.0/24
  172.16.0.0/16
  10.130.0.0/15
  10.132.0.0/15
Exclude Routes:

Isn't it possible via the admin GUI?

novaflash
OpenVPN Expert
Posts: 410
Joined: Fri Apr 13, 2012 8:43 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by novaflash » Mon Jun 19, 2017 3:09 pm

I'm afraid you'll have to use the open source client for now. This appears to be a problem with the OpenVPN 3 codebase registering a connection in your Windows OS. The route is not being added by OpenVPN directives or configuration, and as such it cannot be solved with that. This is internal.

jloscher
OpenVpn Newbie
Posts: 7
Joined: Thu Jun 08, 2017 1:16 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by jloscher » Wed Jun 28, 2017 8:17 am

Do we have to open a ticket in order to get this repaired?

novaflash
OpenVPN Expert
Posts: 410
Joined: Fri Apr 13, 2012 8:43 pm

Re: Prevent Default Route into Tunnel to be added on Client

Post by novaflash » Wed Jun 28, 2017 7:14 pm

Of course, it's being looked into. Can't give you any more information than that at this point. Also note that most systems do not have an issue because their interface priorities are correct.
