Openvpn on Mac vs Linux


Post by daveinlv » Sun Nov 13, 2022 11:25 pm

I normally use Linux and Openvpn managed by the KUbuntu network manager. My use of Openvpn is strictly for use to allow access to internal hosts behind the firewall/Openvpn server, which is hosted on an Asus router and FreshTomato firmware, which incorporates Openvpn. When configuring a Linux host to use the vpn, I set the "use only for resources on this connection" switch in the ipv4 routing window and I can access internet hosts AND hosts on the internet also. I DO NOT want to direct ALL traffic from my laptop thru the vpn, just the traffic to hosts on my network.

Being a Linux guy since I retired in 2010, I decided to play around with MacOS, so I bought a cheap MacBookAir and proceeded to put the MacOS Openvpn client on it. Apparently, the default on the Mac (and Windows) Openvpn client is to direct ALL traffic thru the vpn. Of course, since I don't have the correct gateway set, I can get to the internal hosts fine, but anything on the internet, I cannot connect to, until I turn off the vpn client.
I've searched thru the command switches that you'd put in the ovpn file and can't find anything that appears to do what the "use only for resources..." checkbox on the Linux network manager ipv4 routing page does.

Help?


Post by openvpn_inc » Mon Nov 14, 2022 10:42 am

Hello daveinlv,

What's most likely going on is that your OpenVPN server is configured to instruct OpenVPN clients to redirect their Internet traffic. That should be fixed by configuring things correctly on the server side. Possibly there are instructions injected into the client side configuration files as well. You could post your server and client configurations (without certificates and private keys) and we can probably point out what needs to be removed so it is functioning as just an internal-resources-only VPN.

The network manager OpenVPN GUI plugin on Linux is known to have a rather unique way of looking at things, even by default turning on the default routes even if the OpenVPN solution did not ask for that. Likewise turning that off functions like an override which normally doesn't happen with OpenVPN clients. Normally, if OpenVPN is configured to operate a certain way, the client software doesn't usually override this. In your case apparently it seems to have done so, but that is not something you will usually encounter with OpenVPN client software. So it's better to fix the issue at the source - in the configuration of OpenVPN.

Try looking for redirect-gateway or routes that are 0.0.0.0/0 or 0.0.0.0/1 and 128.0.0.0/1.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
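
The check suggested in the reply above (look for redirect-gateway or routes covering 0.0.0.0/0, 0.0.0.0/1 and 128.0.0.0/1), written as an added example that is not part of the original post or any OpenVPN tooling. The function name `find_full_tunnel` and the sample config are constructed for illustration; the scan covers both local directives and ones wrapped in `push "..."`.

```python
import ipaddress
import shlex

# The three route targets named above; any of them sends Internet traffic into the tunnel.
FULL_TUNNEL_NETS = {ipaddress.ip_network(n) for n in ("0.0.0.0/0", "0.0.0.0/1", "128.0.0.0/1")}

# Constructed sample config (not one of the configs posted in this thread).
SAMPLE = """\
server 10.8.0.0 255.255.255.0
push "route 192.168.50.0 255.255.255.0"
push "redirect-gateway def1"
;push "route 0.0.0.0 0.0.0.0"
route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0
"""

def find_full_tunnel(config_text):
    """Return (line_no, reason) for each directive that redirects Internet traffic."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or OpenVPN comment
            continue
        try:
            words = shlex.split(line, comments=True)
        except ValueError:                        # unbalanced quotes: skip the line
            continue
        origin = "local"
        if words and words[0] == "push" and len(words) > 1:
            words, origin = words[1].split(), "pushed to clients"
        if not words:
            continue
        if words[0] == "redirect-gateway":
            findings.append((line_no, f"redirect-gateway ({origin})"))
        elif words[0] == "route" and len(words) > 1:
            mask = words[2] if len(words) > 2 else "255.255.255.255"
            try:
                net = ipaddress.ip_network(f"{words[1]}/{mask}", strict=False)
            except ValueError:                    # hostname or keyword, not a literal network
                continue
            if net in FULL_TUNNEL_NETS:
                findings.append((line_no, f"route {net} ({origin})"))
    return findings

if __name__ == "__main__":
    for line_no, reason in find_full_tunnel(SAMPLE):
        print(f"line {line_no}: {reason}")
```

Run it against both the server config and the client profile: a split-tunnel setup should produce no findings, while a route to a specific internal subnet is left alone.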


Post by daveinlv » Mon Nov 14, 2022 9:04 pm

Here's the server config:

daemon openvpn-server1
port 1194
dev tun21
txqueuelen 1000
keepalive 15 60
verb 3
topology subnet
server 10.10.10.0 255.255.255.0
proto tcp-server
data-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
comp-lzo adaptive
push "route 192.168.240.0 255.255.255.0"
client-config-dir ccd
client-to-client
push "dhcp-option DOMAIN frandin.org"
push "dhcp-option DNS 192.168.240.1"
push "redirect-gateway def1"
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status 10

Here's the Mac client config:

# Config generated by FreshTomato 2022.5 K26ARM USB AIO-64K, requires OpenVPN 2.4.0 or newer
remote xxx.xxxx.org 1194
proto tcp-client
comp-lzo adaptive
dev tun
ncp-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
client
remote-cert-tls server
ca ca.pem
cert client.crt
key client.key
keepalive 15 60
resolv-retry infinite
nobind
float
verb 3
status status
; log /var/log/openvpn.log


Post by openvpn_inc » Mon Nov 14, 2022 9:10 pm

Hi there,

So this is the offending line;
push "redirect-gateway def1"

This basically tells the VPN client to send all Internet traffic through the VPN tunnel. I'd suggest commenting out this line and restarting the OpenVPN server.

Kind regards,
Johan


Post by daveinlv » Tue Nov 15, 2022 4:37 pm

Thanks!! That was it.. Works as desired now. I must be losing my touch, that 'push "redirect-gateway"' should have jumped right out at me. Didn't even have to comment it out, seems the FreshTomato Openvpn GUI config has a "Direct clients to redirect internet traffic".. How I missed that I dunno.. Must have something to do with being retired and 72 y/o..

Thanks again!

Dave


Post by openvpn_inc » Tue Nov 15, 2022 5:54 pm

Hi Dave,

Yeah, I didn't know how you were creating the config - if there's a GUI option for it in your config generator then great. Otherwise if it's manual then it has to be commented out. Glad to hear that you got the solution.

Have a nice day,
Johan