OpenVPN not setting Default Gateway for connection


Post by marcexeu » Sun Jan 15, 2023 7:52 pm

Hi guys, can you please help me with this, no default gateway for my OpenVPN connection:



After connection on Windows
Unknown adapter OpenVPN Data Channel Offload:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::e818:b9c1:3c43:422f%48
IPv4 Address. . . . . . . . . . . : 10.8.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :


OpenVPN Server Config
port 443
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_H58ShHhi1u1KPFs7.crt
key server_H58ShHhi1u1KPFs7.key
auth SHA512
cipher AES-256-GCM
ncp-ciphers AES-256-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3


OpenVPN Client OVPN file

client
proto udp
explicit-exit-notify
remote MYADDRESS.ddns.net 443
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_H58ShHhi1u1KPFs7 name
auth SHA512
auth-nocache
cipher AES-256-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3



OpenVPN Client log:

Sun Jan 15 20:42:51 2023 OpenVPN 2.6_rc1 [git:v2.6_rc1/84e70c479e81eebe] Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] [DCO] built on Dec 28 2022
Sun Jan 15 20:42:51 2023 Windows version 10.0 (Windows 10 or greater), amd64 executable
Sun Jan 15 20:42:51 2023 library versions: OpenSSL 3.0.7 1 Nov 2022, LZO 2.10
Sun Jan 15 20:42:51 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Jan 15 20:42:51 2023 Need hold release from management interface, waiting...
Sun Jan 15 20:42:51 2023 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:61916
Sun Jan 15 20:42:51 2023 MANAGEMENT: CMD 'state on'
Sun Jan 15 20:42:51 2023 MANAGEMENT: CMD 'log on all'
Sun Jan 15 20:42:51 2023 MANAGEMENT: CMD 'echo on all'
Sun Jan 15 20:42:51 2023 MANAGEMENT: CMD 'bytecount 5'
Sun Jan 15 20:42:51 2023 MANAGEMENT: CMD 'state'
Sun Jan 15 20:42:51 2023 MANAGEMENT: CMD 'hold off'
Sun Jan 15 20:42:51 2023 MANAGEMENT: CMD 'hold release'
Sun Jan 15 20:42:51 2023 MANAGEMENT: CMD 'password [...]'
Sun Jan 15 20:42:51 2023 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jan 15 20:42:51 2023 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 15 20:42:51 2023 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Sun Jan 15 20:42:51 2023 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Jan 15 20:42:51 2023 MANAGEMENT: >STATE:1673811771,RESOLVE,,,,,,
Sun Jan 15 20:42:51 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]80.183.119.164:443
Sun Jan 15 20:42:51 2023 ovpn-dco device [OpenVPN Data Channel Offload] opened
Sun Jan 15 20:42:51 2023 UDP link local: (not bound)
Sun Jan 15 20:42:51 2023 UDP link remote: [AF_INET]80.183.119.164:443
Sun Jan 15 20:42:51 2023 MANAGEMENT: >STATE:1673811771,WAIT,,,,,,
Sun Jan 15 20:42:51 2023 MANAGEMENT: >STATE:1673811771,AUTH,,,,,,
Sun Jan 15 20:42:51 2023 TLS: Initial packet from [AF_INET]80.183.119.164:443, sid=326fa072 97315f82
Sun Jan 15 20:42:51 2023 VERIFY OK: depth=1, CN=cn_Fgo3j0rHv7f7Vzlz
Sun Jan 15 20:42:51 2023 VERIFY KU OK
Sun Jan 15 20:42:51 2023 Validating certificate extended key usage
Sun Jan 15 20:42:51 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jan 15 20:42:51 2023 VERIFY EKU OK
Sun Jan 15 20:42:51 2023 VERIFY X509NAME OK: CN=server_H58ShHhi1u1KPFs7
Sun Jan 15 20:42:51 2023 VERIFY OK: depth=0, CN=server_H58ShHhi1u1KPFs7
Sun Jan 15 20:42:51 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
Sun Jan 15 20:42:51 2023 [server_H58ShHhi1u1KPFs7] Peer Connection Initiated with [AF_INET]80.183.119.164:443
Sun Jan 15 20:42:51 2023 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Sun Jan 15 20:42:51 2023 TLS: tls_multi_process: initial untrusted session promoted to trusted
Sun Jan 15 20:42:51 2023 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
Sun Jan 15 20:42:51 2023 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jan 15 20:42:51 2023 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jan 15 20:42:51 2023 OPTIONS IMPORT: route options modified
Sun Jan 15 20:42:51 2023 OPTIONS IMPORT: route-related options modified
Sun Jan 15 20:42:51 2023 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jan 15 20:42:51 2023 OPTIONS IMPORT: peer-id set
Sun Jan 15 20:42:51 2023 OPTIONS IMPORT: data channel crypto options modified
Sun Jan 15 20:42:51 2023 interactive service msg_channel=644
Sun Jan 15 20:42:51 2023 MANAGEMENT: >STATE:1673811771,ASSIGN_IP,,10.8.0.2,,,,
Sun Jan 15 20:42:51 2023 INET address service: add 10.8.0.2/24
Sun Jan 15 20:42:52 2023 IPv4 dns servers set using service
Sun Jan 15 20:42:52 2023 IPv4 MTU set to 1500 on interface 48 using service
Sun Jan 15 20:42:52 2023 Blocking outside dns using service succeeded.
Sun Jan 15 20:42:52 2023 C:\WINDOWS\system32\route.exe ADD 80.183.119.164 MASK 255.255.255.255 192.168.205.49
Sun Jan 15 20:42:52 2023 Route addition via service succeeded
Sun Jan 15 20:42:52 2023 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Sun Jan 15 20:42:52 2023 Route addition via service succeeded
Sun Jan 15 20:42:52 2023 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
Sun Jan 15 20:42:52 2023 Route addition via service succeeded
Sun Jan 15 20:42:52 2023 Initialization Sequence Completed
Sun Jan 15 20:42:52 2023 MANAGEMENT: >STATE:1673811772,CONNECTED,SUCCESS,10.8.0.2,80.183.119.164,443,,


Re: OpenVPN not setting Default Gateway for connection

Post by openvpn_inc » Wed Jan 25, 2023 10:05 pm

Hello marcexeu,

That is normal. Normally your computer should have only one default gateway. That's why it's called the default. Meaning one. And that will be on the network interface that provides you with Internet access. There are very rare cases where you would want a default gateway on the VPN interface but in almost all cases you really do not want that. So what you are seeing is expected.

To redirect Internet traffic through the VPN tunnel you implement routes like you have already:
Sun Jan 15 20:42:52 2023 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Sun Jan 15 20:42:52 2023 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1

Those 2 routes should route all IPv4 Internet traffic through the VPN tunnel just fine. You can verify with traceroute/tracert to see which hop packets will go through first. It should be the internal VPN IP of the OpenVPN server. In this case apparently 10.8.0.1.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
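
The two /1 routes quoted in the reply take precedence over the existing 0.0.0.0/0 default route by longest-prefix match, which is why the adapter lists no default gateway while still carrying all IPv4 traffic. The following is an added example, not part of the original posts: it parses the `route.exe ADD` lines from the client log and checks the resulting next hops. The pre-existing default route via 192.168.205.49 is an assumption inferred from the host route in the log, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the three route.exe lines copied from the client log in this thread.
LOG = r"""
Sun Jan 15 20:42:52 2023 C:\WINDOWS\system32\route.exe ADD 80.183.119.164 MASK 255.255.255.255 192.168.205.49
Sun Jan 15 20:42:52 2023 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.1
Sun Jan 15 20:42:52 2023 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.1
"""
ROUTE_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")


def parse_routes(log):
    """Return (network, gateway) pairs for every 'route.exe ADD' line in the log."""
    return [(ipaddress.ip_network(f"{dest}/{mask}"), ipaddress.ip_address(gw))
            for dest, mask, gw in ROUTE_RE.findall(log)]


def next_hop(table, dst):
    """Longest-prefix match: the most specific route that contains dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def full_tunnel(table, vpn_gw, server_ip):
    """True when both /1 halves point at vpn_gw and the VPN server's own
    public address still leaves via a different (physical) gateway."""
    vpn_gw = ipaddress.ip_address(vpn_gw)
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    via_vpn = {net for net, gw in table if gw == vpn_gw}
    bypass = next_hop(table, server_ip)
    return halves <= via_vpn and bypass is not None and bypass != vpn_gw


# Assumption: the default route that existed before the tunnel came up.
DEFAULT_ONLY = [(ipaddress.ip_network("0.0.0.0/0"),
                 ipaddress.ip_address("192.168.205.49"))]
TABLE = DEFAULT_ONLY + parse_routes(LOG)

if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.7", "80.183.119.164"):
        print(f"{dst:>15} -> next hop {next_hop(TABLE, dst)}")
    print("full tunnel in effect:", full_tunnel(TABLE, "10.8.0.1", "80.183.119.164"))
```

The /32 host route keeps the encrypted UDP packets to the server on the physical interface; without it the tunnel would try to route its own transport through itself.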
