
Can't connect to openvpn server with a static route

Posted: Sat Jun 19, 2021 9:26 am
by imfiringmylaser12
Goal: force all traffic through VPN only.

Client: Windows in VM
VPN: OPENVPN

I delete the 0.0.0.0 route in the client. I make a route for the destination of my VPN server with my LAN default gateway as the gateway (192.168.1.1). So, in practice when I turn on openvpn, it attempts to connect to the server IP which has a route through my local LAN gateway, which would result in a connection and a new VPN connection established. And when the VPN connection drops, all traffic stops.

However, I am unable to connect to the VPN server. I can ping it though. I was able to replicate the same scenario in a Windows VM with softether client and a third party VPN and can connect successfully. What am I doing wrong?

Re: Can't connect to openvpn server with a static route

Posted: Sat Jun 19, 2021 6:04 pm
by chilinux
What version of OpenVPN Access Server are you using?

Re: Can't connect to openvpn server with a static route

Posted: Sat Jun 19, 2021 6:31 pm
by imfiringmylaser12
openvpn version v2.8.3

Re: Can't connect to openvpn server with a static route

Posted: Sat Jun 19, 2021 8:43 pm
by imfiringmylaser12
OpenVPN has the server IP, and the gateway IP. The gateway IP is established only after the client connects to the server and under ipconfig this openvpn gateway ip shows under the adapter: "TAP-Windows Adapter V9 for OpenVPN Connect". This becomes the new default 0.0.0.0 route on the routing table.

So with the 0.0.0.0 default route (the LAN route, not the openvpn gateway) deleted and a static route to the openvpn server I can ping it no problem. The admin openvpn portal even shows "Current Active Users: 1" when I attempt to connect, but eventually drops off. So this means I can communicate with the server, but it won't establish a connection. Why it won't is beyond me. I was able to replicate the exact same scenario in an additional VM but with softether client and a third party vpn.

My setup is Windows in VMware, the network connection settings for VMware is "bridged", with "replicate physical network connection state" check marked.

Here's a picture of my network, note the .78 ip is the openvpn server: https://i.imgur.com/zDN5gvR.png

Re: Can't connect to openvpn server with a static route

Posted: Sat Jun 19, 2021 9:26 pm
by imfiringmylaser12
Also, logs don't show any error. Appears as though I am connecting. https://i.imgur.com/4E5179X.png

Re: Can't connect to openvpn server with a static route

Posted: Sat Jun 19, 2021 10:15 pm
by chilinux
Is there any information in the client log (the icon in the upper right corner)?

Re: Can't connect to openvpn server with a static route

Posted: Sat Jun 19, 2021 10:28 pm
by imfiringmylaser12
Nothing on the client log. Here's also a picture of the openvpn server, when I attempt to connect it shows briefly 1 active user before dropping off. https://i.imgur.com/w5LrdoZ.png

Re: Can't connect to openvpn server with a static route

Posted: Sun Jun 20, 2021 7:37 am
by imfiringmylaser12
The server's ports are open.

On the client's side (Windows VM) I can also SSH in to the openvpn server using putty. The only solution so far is to add back the 0.0.0.0 192.168.1.1 route, and OpenVPN connects no problem, but that defeats the purpose as I want to force all traffic to only go through the VPN, and nothing else.

I also added a -p route for 172.16.0.0 255.255.255.255 192.168.1.1 just in case (this is the network the VPN gateway is created on), but to no avail.

I do not understand how the openvpn cannot connect unless the 0.0.0.0 route is added. Any idea what I could do to fix this?

Re: Can't connect to openvpn server with a static route

Posted: Mon Jun 21, 2021 2:25 pm
by chilinux
You shouldn't need to manually change the routes on the client side.

Instead, in the administrative web panel, go to Configuration -> VPN Settings -> Should client Internet traffic be routed through the VPN?

Then make sure the setting is set to Yes.

Manually changing the default route will impact the route to the VPN server itself. The VPN server cannot be reached via the VPN, but rather must always be routed through your internet service provider.

Re: Can't connect to openvpn server with a static route

Posted: Mon Jun 21, 2021 9:57 pm
by imfiringmylaser12
The "Should client Internet traffic be routed through the VPN?" is set to "yes".

However, I want all traffic to only be able to go through the VPN. This is extremely important, and the only fool-proof way of doing this is making a static route, so for whatever reason if the VPN flakes for 2 seconds or I somehow forget to connect to the VPN, I'm not leaking my IP.

There's got to be something going on here that OpenVPN is doing differently. The VPN server can be reached with a static route using my default gateway, I can even ping it. As I stated, I have no problem on a different machine connecting to a third-party VPN using softether using the exact same technique with only a static route to the VPN server. Any idea what it is?

Re: Can't connect to openvpn server with a static route

Posted: Tue Jun 22, 2021 9:39 am
by imfiringmylaser12
I have a persistent route to the VPN (160.50.59.40 255.255.255.255 192.168.1.1), I connect to the VPN then remove the default LAN gateway (0.0.0.0 0.0.0.0 192.168.1.1) so all traffic only goes through the VPN. I take a picture of this routing table.

I then restart Windows with a fresh routing table (with the persistent route still) and add all these routes exactly as seen in the picture I took, then I remove the default LAN gateway (0.0.0.0 0.0.0.0 192.168.1.1)... and I still can't connect.

I want to be clear here, I have the exact same routing setup in another Windows machine, with softether and a third party VPN (compared to the current Windows machine with openvpn connect, and openvpn server running in oracle cloud) and I have had absolutely no problems connecting with the default LAN gateway route deleted, and just a default LAN gateway route to the VPN only. I've been comparing both machines, their routing tables, their adapters, the software, and I can't understand how this is possible on one and not the other.

Note: Deleting the default LAN gateway (0.0.0.0 0.0.0.0 192.168.1.1) is to make it impossible for Windows to leak your real IP if the VPN ever flakes for 2 seconds (which it will). I can also ping the VPN at any point because of the persistent route.
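
Added example, not part of the original posts and not OpenVPN code: a small Python audit of `route print -4` output for the fail-closed layout described in this thread, checking that the VPN server keeps its host route via the LAN gateway and that nothing else can leave through that gateway. The route tables are constructed samples; the 172.16.0.x tunnel addresses and the 192.168.1.50 client address are assumptions.

```python
import ipaddress

LAN_GW = "192.168.1.1"        # LAN gateway from the thread
VPN_SERVER = "160.50.59.40"   # VPN server address from the thread

# Constructed `route print -4` rows; 172.16.0.x and 192.168.1.50 are made up.
CONNECTED = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.0.1      172.16.0.2      25
     160.50.59.40  255.255.255.255      192.168.1.1    192.168.1.50      26
       172.16.0.0    255.255.255.0          On-link      172.16.0.2     281
      192.168.1.0    255.255.255.0          On-link    192.168.1.50     281
"""
# Same table with the LAN default route put back (the state the poster avoids).
LEAKY = CONNECTED + "0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.50 10\n"
# Tunnel down: only the host route and the local subnet remain (fail closed).
_rows = CONNECTED.splitlines()
VPN_DOWN = "\n".join(_rows[2:3] + _rows[4:]) + "\n"

def parse_routes(text):
    """Return (network, gateway, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
            routes.append((net, f[2], int(f[4])))
        except (ValueError, IndexError):
            continue  # header, blank or non-route line
    return routes

def next_hop(routes, dest):
    """Longest-prefix match; equal prefixes are decided by lowest metric."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None  # no route: the packet is dropped, not leaked
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def audit(text):
    """List deviations from the host-route-only layout; empty means clean."""
    routes = parse_routes(text)
    server_net = ipaddress.ip_network(VPN_SERVER + "/32")
    findings = []
    if next_hop(routes, VPN_SERVER) != LAN_GW:
        findings.append(f"{VPN_SERVER} is not routed via {LAN_GW}")
    for net, gw, _ in routes:
        if gw == LAN_GW and net != server_net:
            findings.append(f"{net} leaves via {LAN_GW} outside the tunnel")
    return findings
```

`audit(CONNECTED)` and `audit(VPN_DOWN)` return an empty list, while `audit(LEAKY)` reports the `0.0.0.0/0` route through the LAN gateway.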

Re: Can't connect to openvpn server with a static route

Posted: Wed Jun 23, 2021 12:01 pm
by openvpn_inc
Hello imfiringmylaser12,

I saw your other ticket on the forum too about this issue. So it is a bug, but one that was solved a while ago. You are apparently using an older client?

Please get latest version here: https://openvpn.net/downloads/openvpn-c ... indows.msi and then try again.

Kind regards,
Johan