openvpn connect ignores "pull-filter"

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Post Reply
straydogmatagram
OpenVpn Newbie
Posts: 3
Joined: Mon May 24, 2021 6:11 pm

openvpn connect ignores "pull-filter"

Post by straydogmatagram » Mon May 24, 2021 6:16 pm

I do not want to route default traffic through the vpn. I only need to connect to nodes that are also on the vpn.

For this, I have the following two lines in the config file:

pull-filter ignore redirect-gateway
pull-filter ignore "dhcp-option DNS"

This works for linux (using openvpn) and Mac (tunnelblick) clients. The default route is not changed when they connect to the VPN. However, this is not working on my iPhone. All traffic gets routed through the vpn.

How can I prevent all traffic from being routed through the vpn?

Thanks in advance!

Full client config file follows:

--------------------
client
dev tun
persist-key
persist-tun
proto udp
nobind
remote-cert-tls server
auth SHA512
verb 3
remote X.X.X.X 1194
ca ca.crt
cert client.crt
key client.key
tls-crypt server-ta.key
pull-filter ignore redirect-gateway
pull-filter ignore "dhcp-option DNS"

User avatar
TinCanTech
Forum Team
Posts: 9412
Joined: Fri Jun 03, 2016 1:17 pm

Re: openvpn connect ignores "pull-filter"

Post by TinCanTech » Mon May 24, 2021 6:30 pm

Change your server config to stop push them.

straydogmatagram
OpenVpn Newbie
Posts: 3
Joined: Mon May 24, 2021 6:11 pm

Re: openvpn connect ignores "pull-filter"

Post by straydogmatagram » Mon May 24, 2021 6:39 pm

TinCanTech wrote:
Mon May 24, 2021 6:30 pm
Change your server config to stop push them.
Hi TinCanTech. Thank you for the reply.

The server pushes them because there are other clients on the vpn who do want this feature. It is a good default in our workflow.

But openvpn has "pull-filter ignore" just so that things like this can be ignored. Are you suggesting that this is somehow the correct behavior, that this feature is not supposed to work on IOS and we must resort to workarounds like separate servers for different options?

User avatar
TinCanTech
Forum Team
Posts: 9412
Joined: Fri Jun 03, 2016 1:17 pm

Re: openvpn connect ignores "pull-filter"

Post by TinCanTech » Mon May 24, 2021 7:09 pm

What does your iOS log say ?

straydogmatagram
OpenVpn Newbie
Posts: 3
Joined: Mon May 24, 2021 6:11 pm

Re: openvpn connect ignores "pull-filter"

Post by straydogmatagram » Mon May 24, 2021 7:15 pm

TinCanTech wrote:
Mon May 24, 2021 7:09 pm
What does your iOS log say ?
Here is the relevant part:
-----
2021-05-24 14:13:18 UNUSED OPTIONS
2 [persist-key]
3 [persist-tun]
5 [nobind]
8 [verb] [3]
14 [pull-filter] [ignore] [redirect-gateway]
15 [pull-filter] [ignore] [dhcp-option DNS]
-----

I do not understand why the last two. It appears that openvpn connect is simply missing this important feature.

User avatar
TinCanTech
Forum Team
Posts: 9412
Joined: Fri Jun 03, 2016 1:17 pm

Re: openvpn connect ignores "pull-filter"

Post by TinCanTech » Mon May 24, 2021 7:17 pm

I guess you'll have to find another way.

toggenation
OpenVpn Newbie
Posts: 2
Joined: Sun Jun 20, 2021 8:40 am

Re: openvpn connect ignores "pull-filter"

Post by toggenation » Sun Jun 20, 2021 8:43 am

Just trying this on a Windows 10 OpenVPN Connect version 3.3.0(2171)

In my file I have

pull-filter ignore "dhcp-option DNS"

And I still get a DNS server assigned for the connection. So this effects Windows 10 and IOS

Might post this over in the windows section too

User avatar
openvpn_inc
OpenVPN Inc.
Posts: 228
Joined: Tue Feb 16, 2021 10:41 am

Re: openvpn connect ignores "pull-filter"

Post by openvpn_inc » Mon Jun 21, 2021 7:41 am

Hello toggenation,

OpenVPN Connect v2 and v3 use the OpenVPN3 core. Not all pull-filter options are implemented there (yet). I'm sorry to say that for this particular case we do not have a solution yet, other than to advise you to use the community OpenVPN GUI program, as that is OpenVPN2 and will adhere to these settings.

We are still actively developing OpenVPN3 and more of these type of options are being added to OpenVPN3 too.

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

Post Reply