Hi fellows,
I have one huge problem, which confuses me a lot.
I have a Linksys WRT54GL router with OpenVPN server (thanks to DD WRT firmware). My goal is to route all traffic (even ping requests and direct IP requests) through my VPN. In other words, I would like to disappear from my work network.
However, on my Windows XP client side, after connection to my router via VPN, everything is fine, the default gateway is my VPN gateway, but still I'm able to see all computers on my work network. At my workplace we have a network printer and even when I'm connected to my VPN, I'm still able to print from my work printer, which confuses me a lot, because this means that not all of my traffic is routed via VPN. Is that normal? As far as I know, when I use udp tunnelling, everything has to be routed through the VPN, am I right?
My server config:
local [Router's external IP address]
mode server
tls-server
auth-user-pass-verify /tmp/custom.sh via-file
script-security 3
tmp-dir /tmp
server-bridge
dev tap0
proto udp
port 1194
persist-key
persist-tun
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
tls-auth /tmp/openvpn/ta.key
tls-cipher DHE-RSA-AES256-SHA
cipher BF-CBC
auth MD5
keepalive 10 120
comp-lzo
client-to-client
verb 6
mute 20
management localhost 5001
push "redirect-gateway def1"
push "dhcp-option DNS [Router's local IP address]"
reneg-sec 0
My client config:
client
dev tap0
proto udp
tls-client
remote [Router's IP address] 1194
nobind
persist-key
persist-tun
dev-node OpenVPN
auth-user-pass
ca "C:\\ca.crt"
cert "C:\\client1.crt"
key "C:\\client1.key"
tls-auth "C:\\ta.key"
tls-cipher DHE-RSA-AES256-SHA
cipher BF-CBC
pull "redirect-gateway def1"
pull "dhcp-option DNS [Router's local IP address]"
auth MD5
comp-lzo
ns-cert-type server
resolv-retry infinite
keepalive 10 120
verb 6
mute 20
reneg-sec 0
Overall the configuration is stable, but the above mentioned problem still exists, which drives me crazy!
Looking forward to hearing from you guys!
---
Kind Regards,
Zhelev
Not All Traffic is Routed Via VPN
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 12
- Joined: Thu Apr 25, 2013 9:49 am
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Not All Traffic is Routed Via VPN
your local network is addressed using LAN routes, which take precedence over the default gateway. If you want to not see the internal network, remove all routes pointing to LAN resources except the OLD default gateway, which is most likely needed to reach the EC2 server.
-
- OpenVpn Newbie
- Posts: 12
- Joined: Thu Apr 25, 2013 9:49 am
Re: Not All Traffic is Routed Via VPN
Dear janjust,
Thank you for your reply!
I tried to remove all routes pointing to LAN resources except the OLD default gateway, but Windows XP is not allowing that. When I type the command and try to execute it, nothing happens. Even more, the routes appear again in my table.
Is there any command for OpenVPN, which does this?
Looking forward to hearing from you!
---
Sincerely Yours,
Zhelev
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Not All Traffic is Routed Via VPN
there is no openvpn command to do this - removing existing routes is not something that OpenVPN does or should do. What output does the 'route' command give when you try to remove the old routes to the LAN?
what does your routing table look like in the first place, after bringing up the VPN?
Finally, why is it so bad that you'd have routes to the existing LAN? it's not as if you could really hide by removing the routes - as network admin I'd sure know you're there.
-
- OpenVpn Newbie
- Posts: 12
- Joined: Thu Apr 25, 2013 9:49 am
Re: Not All Traffic is Routed Via VPN
Dear janjust,
Thank you for your reply!
Today I made two screenshots of my routing table, using OpenVPN on my workplace.
Legend:
192.168.1.0 - network at my workplace
192.168.1.102 - my IP, given by the DHCP server at my workplace
192.168.1.254 - The Gateway of my workplace network
88.10.6.0 - OpenVPN network
88.10.6.1 - OpenVPN Gateway
88.10.6.50 - my OpenVPN IP
I'm sure you can read the routing table better than me, without this legend, but I hope it could help other members.
This is a screenshot of my routing table:

This is the result after trying to delete all routes related to 192.168.1.0

Probably I'm not able to delete all routes related to 192.168.1.0, because I'll lose the route for the OpenVPN connection, but when I try to delete my workplace gateway [192.168.1.254] the result is the same.
I'm looking forward to hearing from you!
---
Kind Regards,
Zhelev
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Not All Traffic is Routed Via VPN
seems to me you're running into Windows specifics here - I cannot delete the routes to any of my network adapters.
Perhaps you do it using 'netsh.exe' or you can first get a DHCP address and then reconfigure your adapter with static settings - if you're lucky you can remove the network routes then (though I doubt it).
However, this has nothing to do with OpenVPN, only with Windows IP addressing and routing.
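Added example, not part of the original thread: a longest-prefix-match lookup showing why the work LAN stays reachable after `redirect-gateway def1` installs its two /1 routes. The addresses come from the legend posted above; the /24 masks, the metrics, the printer address and the VPN server address (203.0.113.10, a documentation placeholder) are assumptions, because the screenshots are not on the page.

```python
import ipaddress

# Constructed routing table modelling the client after the VPN comes up.
# (destination, gateway, interface, metric); masks and metrics are assumed.
ROUTES = [
    ("0.0.0.0/0",       "192.168.1.254", "LAN", 20),  # old default gateway
    ("0.0.0.0/1",       "88.10.6.1",     "VPN", 1),   # added by redirect-gateway def1
    ("128.0.0.0/1",     "88.10.6.1",     "VPN", 1),   # added by redirect-gateway def1
    ("192.168.1.0/24",  "on-link",       "LAN", 20),  # connected route of the work LAN
    ("88.10.6.0/24",    "on-link",       "VPN", 30),  # connected route of the TAP adapter
    ("203.0.113.10/32", "192.168.1.254", "LAN", 1),   # host route to the VPN server
]


def select_route(dst, routes=ROUTES):
    """Return the (prefix, gateway, interface, metric) entry used for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    if not matches:
        raise LookupError(f"no route to {dst}")
    # Longest prefix wins; the metric only breaks ties between equal prefixes.
    return max(matches,
               key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[3]))


def bypasses_vpn(dst, routes=ROUTES, vpn_if="VPN"):
    """True when traffic to dst leaves on an interface other than the VPN."""
    return select_route(dst, routes)[2] != vpn_if


if __name__ == "__main__":
    samples = {
        "192.168.1.50": "work printer (constructed address)",
        "8.8.8.8": "Internet host in 0.0.0.0/1",
        "200.1.1.1": "Internet host in 128.0.0.0/1",
        "203.0.113.10": "VPN server itself",
    }
    for dst, label in samples.items():
        prefix, gw, iface, _ = select_route(dst)
        print(f"{dst:<14} {label:<32} -> {prefix:<18} via {gw} ({iface})")
```

The /24 connected route beats both /1 routes for any 192.168.1.x destination, so only off-link traffic enters the tunnel; the host route to the VPN server has to stay on the LAN or the tunnel itself would lose its path.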