How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
User avatar
fdanks
OpenVpn Newbie
Posts: 6
Joined: Fri Jun 18, 2021 9:11 pm

How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Post by fdanks » Sun Jun 20, 2021 2:08 pm

The subject line should say it all, but to reiterate, I want to ignore any default route directive from the server, accepting all other route directives.

I do not have the ability to reconfigure the server. It is part of a different organization and out of my control.

I am using Ubuntu Linus and I can achieve what I want with sudo route delete default tun0, but it has been very frustrating to have to do this manually every time, especially because it is not an always-on VPN and I enable it through the Ubuntu system tray.

I've read the manual, the howtos, and the sample config (only a very sparse one for client-side), and this page:

https://community.openvpn.net/openvpn/w ... ectGateway

none of which had this specific answer.

I looked at the route-related options redirect-gateway, route-nopull, and route-gateway, but got nowhere.

So, to sum it up, I want to configure the client to avoid installing a default route to the VPN gateway that the server is attempting to install, but to accept all other route directives. This is because the remote network has several subnets other than the one in which the VPN endpoint is associated with that I need to be able to access.
Last edited by fdanks on Sun Jun 20, 2021 2:17 pm, edited 1 time in total.

User avatar
Pippin
Forum Team
Posts: 997
Joined: Wed Jul 01, 2015 8:03 am

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Post by Pippin » Sun Jun 20, 2021 2:17 pm

Take a look at --pull-filter in the manual.

User avatar
fdanks
OpenVpn Newbie
Posts: 6
Joined: Fri Jun 18, 2021 9:11 pm

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Post by fdanks » Sun Jun 20, 2021 2:38 pm

Ok, so I tried all of these in my configuration and it did not work:

client

pull-filter ignore "route 0.0.0.0"
pull-filter ignore "route 0.0.0.0/0"
pull-filter ignore "route default"


Here is the syslog entry where the route is added:

Jun 20 09:31:12 mothra NetworkManager[1238]: <info> [1624199472.2589] vpn-connection[0xXXXXXXXXX,"openvpn test",9:(tun0)]: Data: Static Route: 0.0.0.0/0 Next Hop: 172.24.42.1

The manual is of no help here as there appears to be no explicit guidance on the format of the possible pull-filter patterns and the syslog entry appears to be of no help either. It would be nice if the syslog entry contained the explicit command responsible for a given log entry (if applicable) so that I could use it as guidance for the pull-filter command.
Last edited by fdanks on Sun Jun 20, 2021 3:33 pm, edited 2 times in total.

300000
OpenVPN Expert
Posts: 571
Joined: Tue May 01, 2012 9:30 pm

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Post by 300000 » Sun Jun 20, 2021 2:47 pm

If you list all subnet route to include and server gareway route to avoid i can help you do that .

User avatar
fdanks
OpenVpn Newbie
Posts: 6
Joined: Fri Jun 18, 2021 9:11 pm

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Post by fdanks » Sun Jun 20, 2021 3:09 pm

This is the routing table after the VPN is established:

Code: Select all

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.24.42.1     0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.86.1    0.0.0.0         UG        0 0          0 wlp3s0
10.0.0.0        172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.8.0.0        172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.10.0.0       172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.60.0.0       172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.126.0.0      172.24.42.1     255.255.0.0     UG        0 0          0 tun0
xxx.xxx.xxx.xxx 192.168.86.1    255.255.255.255 UGH       0 0          0 wlp3s0
xxx.xxx.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlp3s0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-4afce1fbcca8
172.20.0.0      172.24.42.1     255.255.0.0     UG        0 0          0 tun0
172.24.42.0     0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.49.0    0.0.0.0         255.255.255.0   U         0 0          0 br-59ca3367fbf8
192.168.86.0    0.0.0.0         255.255.255.0   U         0 0          0 wlp3s0
192.168.86.1    0.0.0.0         255.255.255.255 UH        0 0          0 wlp3s0
I haven't tried this yet, but given the above, I believe that his will work:

client

route-nopull
route 10.0.0.0 255.255.0.0 172.24.42.1 0
route 10.8.0.0 255.255.0.0 172.24.42.1 0
route 10.10.0.0 255.255.0.0 172.24.42.1 0
route 10.60.0.0 255.255.0.0 172.24.42.1 0
route 10.126.0.0 255.255.0.0 172.24.42.1 0
route 172.20.0.0 255.255.255.0 172.24.42.1 0


But I was looking for a solution that would take into account any server-side changes in the future. The company I am working with is a start-up and their networks are prone to changes and updates that I would like to not have to keep up with.
Last edited by fdanks on Sun Jun 20, 2021 3:35 pm, edited 3 times in total.

User avatar
fdanks
OpenVpn Newbie
Posts: 6
Joined: Fri Jun 18, 2021 9:11 pm

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Post by fdanks » Sun Jun 20, 2021 3:19 pm

I tried the above and it did not work either. I just ended up with duplicate route entries:

Code: Select all

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.24.42.1     0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.86.1    0.0.0.0         UG        0 0          0 wlp3s0
10.0.0.0        172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.0.0.0        172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.8.0.0        172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.8.0.0        172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.10.0.0       172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.10.0.0       172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.60.0.0       172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.60.0.0       172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.126.0.0      172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.126.0.0      172.24.42.1     255.255.0.0     UG        0 0          0 tun0
xxx.xxx.xxx.xxx 192.168.86.1    255.255.255.255 UGH       0 0          0 wlp3s0
xxx.xxx.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlp3s0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-4afce1fbcca8
172.20.0.0      172.24.42.1     255.255.255.0   UG        0 0          0 tun0
172.20.0.0      172.24.42.1     255.255.0.0     UG        0 0          0 tun0
172.24.42.0     0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.49.0    0.0.0.0         255.255.255.0   U         0 0          0 br-59ca3367fbf8
192.168.86.0    0.0.0.0         255.255.255.0   U         0 0          0 wlp3s0
192.168.86.1    0.0.0.0         255.255.255.255 UH        0 0          0 wlp3s0
Last edited by fdanks on Sun Jun 20, 2021 3:31 pm, edited 1 time in total.

User avatar
fdanks
OpenVpn Newbie
Posts: 6
Joined: Fri Jun 18, 2021 9:11 pm

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Post by fdanks » Sun Jun 20, 2021 3:26 pm

Here's the full config excluding the certificate information:

client

client
dev tun
proto tcp
route-nopull
route 10.0.0.0 255.255.0.0 172.24.42.1 0
route 10.8.0.0 255.255.0.0 172.24.42.1 0
route 10.10.0.0 255.255.0.0 172.24.42.1 0
route 10.60.0.0 255.255.0.0 172.24.42.1 0
route 10.126.0.0 255.255.0.0 172.24.42.1 0
route 172.20.0.0 255.0.255.0 172.24.42.1 0
remote vpn.not.shown.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-128-CBC
auth SHA1
comp-lzo
route-delay 4
verb 3
reneg-sec 0
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved

User avatar
TinCanTech
Forum Team
Posts: 9417
Joined: Fri Jun 03, 2016 1:17 pm

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Post by TinCanTech » Sun Jun 20, 2021 5:10 pm

Do not use --route-nopull because it breaks your VPN.

Why not just configure your server correctly ?
Edit: Ok, it's not your server .. so ask them to do it.

But all you need in the client config is:

Code: Select all

pull-filter ignore "redirect-gateway"

300000
OpenVPN Expert
Posts: 571
Joined: Tue May 01, 2012 9:30 pm

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Post by 300000 » Sun Jun 20, 2021 5:25 pm

fdanks wrote:
Sun Jun 20, 2021 3:26 pm
Here's the full config excluding the certificate information:

client

client
dev tun
proto tcp
route-nopull
route 10.0.0.0 255.255.0.0 172.24.42.1 0
route 10.8.0.0 255.255.0.0 172.24.42.1 0
route 10.10.0.0 255.255.0.0 172.24.42.1 0
route 10.60.0.0 255.255.0.0 172.24.42.1 0
route 10.126.0.0 255.255.0.0 172.24.42.1 0
route 172.20.0.0 255.0.255.0 172.24.42.1 0
remote vpn.not.shown.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-128-CBC
auth SHA1
comp-lzo
route-delay 4
verb 3
reneg-sec 0
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved

Here is all route you add into your config and should work as you like.

route 10.0.0.0 255.255.0.0 vpn_gateway
route 10.8.0.0 255.255.0.0 vpn_gateway
route 10.10.0.0 255.255.0.0 vpn_gateway
route 10.60.0.0 255.255.0.0 vpn_gateway
route 10.126.0.0 255.255.0.0 vpn_gateway
route 172.20.0.0 255.0.255.0 vpn_gateway
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway


This mean all route from server side will go over vpn but the rest will go local gateway so speed will as fast as your local internet . Try this then come back let me know if it work for you.

User avatar
fdanks
OpenVpn Newbie
Posts: 6
Joined: Fri Jun 18, 2021 9:11 pm

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Post by fdanks » Tue Jun 22, 2021 5:18 pm

TinCanTech wrote:
Sun Jun 20, 2021 5:10 pm
Do not use --route-nopull because it breaks your VPN.

Why not just configure your server correctly ?
Edit: Ok, it's not your server .. so ask them to do it.

But all you need in the client config is:

Code: Select all

pull-filter ignore "redirect-gateway"
Great suggestion, and I tried the above, but to no effect. My routing table still contains the default route to the gateway for some reason.

FYI: I am using the the integrated support for importing .ovpn files in Ubuntu 20.04, using the "Import from file..." option in the VPN Settings Control Panel. When I connect, syslog reports that this is the version of OpenVPN I am using:

Code: Select all

OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
I also tried the below suggestion, but it fails to load the .ovpn config file with:

`The file "XXX.ovpn" could not be read or does not contain recognized VPN connection information`

I have narrowed that error down to the use of vpn_gateway and net_gateway in the config file. My client just does not seem to want to expand those variables/aliases correctly. The import succeeds if I replace them with an explicit IP address (e.g. 172.24.42.1)
300000 wrote:
Sun Jun 20, 2021 5:25 pm
Here is all route you add into your config and should work as you like.

route 10.0.0.0 255.255.0.0 vpn_gateway
route 10.8.0.0 255.255.0.0 vpn_gateway
route 10.10.0.0 255.255.0.0 vpn_gateway
route 10.60.0.0 255.255.0.0 vpn_gateway
route 10.126.0.0 255.255.0.0 vpn_gateway
route 172.20.0.0 255.0.255.0 vpn_gateway
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway


This mean all route from server side will go over vpn but the rest will go local gateway so speed will as fast as your local internet . Try this then come back let me know if it work for you.

300000
OpenVPN Expert
Posts: 571
Joined: Tue May 01, 2012 9:30 pm

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Post by 300000 » Tue Jun 22, 2021 6:11 pm

It this working as you like now or you are trying to sort it ? The client you use something new and not the standard so it doesn't know how to make it work. If this is must be an ip i think this route work for you

User avatar
TinCanTech
Forum Team
Posts: 9417
Joined: Fri Jun 03, 2016 1:17 pm

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Post by TinCanTech » Tue Jun 22, 2021 6:42 pm

300000 wrote:
Sun Jun 20, 2021 5:25 pm
Here is all route you add into your config and should work as you like.

route 10.0.0.0 255.255.0.0 vpn_gateway
route 10.8.0.0 255.255.0.0 vpn_gateway
route 10.10.0.0 255.255.0.0 vpn_gateway
route 10.60.0.0 255.255.0.0 vpn_gateway
route 10.126.0.0 255.255.0.0 vpn_gateway
route 172.20.0.0 255.0.255.0 vpn_gateway
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
This probably does work, so long as you REMOVE --route-nopull.

Other than that, it is log file time .. or I'm out.

Post Reply