It normally does
1) create a host route to the --remote destination through the “old” gateway
2) replace the default route through the tunnel
But this has problems. – In my case: the default route is replaced when the network connectivity changes (could be defeated with the “def1” flag) and the official local default router may change (and nobody updates my route from rule 1).
Solution: Instead of 1) and 2) I do:
- create a route “everything but the --remote destination goes through the tunnel”
Normal routing tables don’t support this kind of route, so I use 32 routes (for IPv6 it would be 128) to accomplish the same. Example for --remote 114.246.179.45:
114.246.179.44/32 via 192.168.145.1 dev tun0
114.246.179.46/31 via 192.168.145.1 dev tun0
114.246.179.40/30 via 192.168.145.1 dev tun0
114.246.179.32/29 via 192.168.145.1 dev tun0
114.246.179.48/28 via 192.168.145.1 dev tun0
114.246.179.0/27 via 192.168.145.1 dev tun0
114.246.179.64/26 via 192.168.145.1 dev tun0
114.246.179.128/25 via 192.168.145.1 dev tun0
114.246.178.0/24 via 192.168.145.1 dev tun0
192.168.144.0/24 dev eth0 src 192.168.144.30
114.246.176.0/23 via 192.168.145.1 dev tun0
114.246.180.0/22 via 192.168.145.1 dev tun0
114.246.184.0/21 via 192.168.145.1 dev tun0
114.246.160.0/20 via 192.168.145.1 dev tun0
114.246.128.0/19 via 192.168.145.1 dev tun0
114.246.192.0/18 via 192.168.145.1 dev tun0
114.246.0.0/17 via 192.168.145.1 dev tun0
114.247.0.0/16 via 192.168.145.1 dev tun0
114.244.0.0/15 via 192.168.145.1 dev tun0
114.240.0.0/14 via 192.168.145.1 dev tun0
114.248.0.0/13 via 192.168.145.1 dev tun0
114.224.0.0/12 via 192.168.145.1 dev tun0
114.192.0.0/11 via 192.168.145.1 dev tun0
114.128.0.0/10 via 192.168.145.1 dev tun0
114.0.0.0/9 via 192.168.145.1 dev tun0
115.0.0.0/8 via 192.168.145.1 dev tun0
112.0.0.0/7 via 192.168.145.1 dev tun0
116.0.0.0/6 via 192.168.145.1 dev tun0
120.0.0.0/5 via 192.168.145.1 dev tun0
96.0.0.0/4 via 192.168.145.1 dev tun0
64.0.0.0/3 via 192.168.145.1 dev tun0
0.0.0.0/2 via 192.168.145.1 dev tun0
128.0.0.0/1 via 192.168.145.1 dev tun0
I wrote a Python script to do this for any IP and call it via --ipchange. This way I get --float working correctly (well, --float doesn’t work with TLS in openvpn (4-year-old bug), but it does in static mode).
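An added illustration, my own code rather than the script mentioned in the post: it derives the bit-flip prefixes described above for any IPv4 (32 routes) or IPv6 (128 routes) address, checks that together they cover the whole address space except the --remote host, and renders them as ip route commands. The gateway and device names are taken from the listing above and are only placeholders.

```python
import ipaddress


def complement_routes(remote):
    """Return the 32 (IPv4) or 128 (IPv6) prefixes that together cover every
    address except `remote`, ordered from /32 (or /128) down to /1."""
    addr = ipaddress.ip_address(remote)
    bits = addr.max_prefixlen
    value = int(addr)
    routes = []
    for k in range(bits):
        # Flip bit k and keep only the bits above it: the prefix of length
        # bits-k differs from `remote` in exactly that bit, so it can never
        # contain it, while the k prefixes below it cover the other half.
        net = ipaddress.ip_network((value ^ (1 << k), bits - k), strict=False)
        routes.append(str(net))
    return routes


def covers_all_but(remote, routes):
    """Check that `routes` are pairwise disjoint, exclude `remote`, and add up
    to the whole address space minus one address (i.e. exactly its complement)."""
    addr = ipaddress.ip_address(remote)
    nets = [ipaddress.ip_network(r) for r in routes]
    if any(addr in n for n in nets):
        return False
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    return sum(n.num_addresses for n in nets) == 2 ** addr.max_prefixlen - 1


def route_commands(remote, gateway, dev):
    """Render the complement routes as `ip route add` commands.
    `gateway` and `dev` are assumed values supplied by the caller."""
    return [f"ip route add {net} via {gateway} dev {dev}"
            for net in complement_routes(remote)]


if __name__ == "__main__":
    # Constructed sample: the --remote host and tunnel gateway from the listing.
    for cmd in route_commands("114.246.179.45", "192.168.145.1", "tun0"):
        print(cmd)
```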
Would be a nice idea to have in openvpn natively, no? – The name “def1-32” came to mind after seeing the flag “def1”, but I’m flexible here...
