Keep client from making itself the default?

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech
darkgreenmeme
OpenVpn Newbie
Posts: 4
Joined: Mon May 20, 2013 3:23 pm

Keep client from making itself the default?

Post by darkgreenmeme » Mon May 20, 2013 4:05 pm

I have a Windows 7 machine upon which I am running an OpenVPN client.
On this machine, I have two wired NICs, connected to my LAN.
I use one of the interfaces for just the VPN client; all the other traffic should be going to the other NIC. I have "automatic metric" turned off and a metric value set for both NICs so that NIC1 is used by default.
I've got the OpenVPN client set up to use NIC2 by using local in the configuration. This is working fine.

What I want to do is continue to have internet traffic, by default, be routed to NIC1. I plan to run a small socks5 server locally on the machine and have it send its outgoing traffic to the interface of the tap adapter used by openvpn and have it serve on the NIC2 interface address.

The problem I'm having is that when the VPN is connected, it updates the routing table, and all internet traffic is going to the OpenVPN interface. I've adjusted the metric for the tap adapter, but this seems to have no effect; all WAN traffic goes through the VPN.

Here is the routing table with the VPN connected: (NIC1 is 192.168.1.3 and NIC2 is 192.168.1.6, and the tap adapter has been assigned 10.194.90.6 in this case)

Code:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     60
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.6     80
          0.0.0.0        128.0.0.0      10.194.90.5      10.194.90.6     70
      10.194.90.1  255.255.255.255      10.194.90.5      10.194.90.6     70
      10.194.90.4  255.255.255.252         On-link       10.194.90.6    326
      10.194.90.6  255.255.255.255         On-link       10.194.90.6    326
      10.194.90.7  255.255.255.255         On-link       10.194.90.6    326
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0      10.194.90.5      10.194.90.6     70
      192.168.1.0    255.255.255.0         On-link       192.168.1.3    286
      192.168.1.0    255.255.255.0         On-link       192.168.1.6    296
      192.168.1.3  255.255.255.255         On-link       192.168.1.3    286
      192.168.1.6  255.255.255.255         On-link       192.168.1.6    296
    192.168.1.255  255.255.255.255         On-link       192.168.1.3    286
    192.168.1.255  255.255.255.255         On-link       192.168.1.6    296
  198.144.156.144  255.255.255.255      192.168.1.1      192.168.1.3     31
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.3    286
        224.0.0.0        240.0.0.0         On-link       10.194.90.6    326
        224.0.0.0        240.0.0.0         On-link       192.168.1.6    296
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.3    286
  255.255.255.255  255.255.255.255         On-link       10.194.90.6    326
  255.255.255.255  255.255.255.255         On-link       192.168.1.6    296
===========================================================================
Persistent Routes:
  None

Here is the client configuration file (without the remote option):

Code:

client
dev tun
proto udp
local 192.168.1.6
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass c:/Users/xxxxx/AppData/Local/piapwd.txt
comp-lzo
verb 1
reneg-sec 0

script-security 2 system
route-up "c:/scripts/piastart.bat"
down     "c:/scripts/piastop.bat"
explicit-exit-notify

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Keep client from making itself the default?

Post by janjust » Mon May 20, 2013 5:54 pm

Most likely the OpenVPN server is pushing a 'redirect-gateway'; you can overrule this on the client side using 'route-nopull', but then you have to add all VPN routes manually.

Re: Keep client from making itself the default?

Post by darkgreenmeme » Tue May 21, 2013 7:21 am

Instead of re-adding all of the routes, is it possible to undo setting the default gateway? I'd like to know how to detect and change this condition from the Windows command line or a script.

Re: Keep client from making itself the default?

Post by janjust » Tue May 21, 2013 7:54 am

The only way to do that would be to write your own 'route-up' script and use

Code:

route-up <FULLPATH>
route-noexec

This script could then NOT set the default GW.

Re: Keep client from making itself the default?

Post by darkgreenmeme » Tue May 21, 2013 10:18 am

I think I am having a disconnect between what I think I understand about routing, and how it actually works.

How should that routing table be altered to do what I need it to do?

If I delete the VPN's routes, "route delete 0.0.0.0 if 22" and "route delete 128.0.0.0 if 22", how do I create a route for WAN packets to the VPN interface that is not the default gateway route? When I delete those routes, a script I use, which connects through the VPN to a web server and is locally bound to the tap interface IP, will report a timeout on receiving a reply (using LWP::UserAgent in Perl).

Re: Keep client from making itself the default?

Post by janjust » Tue May 21, 2013 3:02 pm

You'll need to add an explicit route for all subnets that DO need to go via the VPN - isn't it easier to talk to the VPN server admin to explain what you want?

Re: Keep client from making itself the default?

Post by darkgreenmeme » Tue May 21, 2013 9:27 pm

I don't see why it would be necessary to have the server side change the configuration. It seems I should be able to configure my own machine to do what I want.

I am using a commercial VPN service to give some privacy to my internet activity. However, there are web sites that require that you don't use an anonymous IP address, or certain services such as Hulu that won't serve to non-US IP addresses. Also, I may want to connect directly to use the higher bandwidth and lower latency of the ISP's connection. Currently, I handle this situation by adding explicit routes to these servers that directly connect through my LAN's default gateway.

This seems to me to be a more complicated than necessary solution. So what I am trying to do is run a proxy server that routes internet traffic through the VPN, but un-proxied traffic would be routed normally through the LAN. I also would have the advantage of being able to use the VPN service on any machine in the LAN by configuring the app to connect to this proxy server. In the proxy server, I plan to ban the addresses that have an issue with me using the VPN, so I know to disable using the proxy in the software to get to these sites.

I also run a p2p torrent client on this machine. I can have this application bind to the VPN's interface and I can set a port for incoming connections by requesting one through the VPN provider's API.

What I am not understanding is why Windows wants to route WAN packets by default through the VPN interface, even though the metric for this interface is higher than the metric for the normal route through the LAN.

Re: Keep client from making itself the default?

Post by janjust » Tue May 21, 2013 11:55 pm

Your provider is using "redirect-gateway def1", which causes openvpn to set up 2 routes:
  • 0.0.0.0/1
  • 128.0.0.0/1
Regular routing rules dictate that these routes take precedence over 0.0.0.0/0, which is the "normal" default GW. Note the /1 vs /0 here!
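
The precedence rule from the last reply, as an added example that is not part of the original thread: a small route selector run over a subset of the routing table posted above, showing that prefix length is compared first and the metric only breaks ties between equally specific routes. The function names and the destination 8.8.8.8 used in the comments are assumptions chosen for illustration.

```python
import ipaddress

# Subset of the table posted above: (destination, netmask, gateway, interface, metric)
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", "192.168.1.3", 60),
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", "192.168.1.6", 80),
    ("0.0.0.0", "128.0.0.0", "10.194.90.5", "10.194.90.6", 70),
    ("128.0.0.0", "128.0.0.0", "10.194.90.5", "10.194.90.6", 70),
    ("10.194.90.1", "255.255.255.255", "10.194.90.5", "10.194.90.6", 70),
    ("192.168.1.0", "255.255.255.0", "On-link", "192.168.1.3", 286),
    ("192.168.1.0", "255.255.255.0", "On-link", "192.168.1.6", 296),
    ("198.144.156.144", "255.255.255.255", "192.168.1.1", "192.168.1.3", 31),
]


def prefix_length(netmask):
    """Convert a dotted netmask such as 128.0.0.0 to its prefix length (1)."""
    return bin(int(ipaddress.ip_address(netmask))).count("1")


def select_route(dest, routes=ROUTES):
    """Pick the route for dest: longest prefix first, lowest metric as tie-break."""
    addr = ipaddress.ip_address(dest)
    candidates = []
    for net, mask, gateway, iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{prefix_length(mask)}")
        if addr in network:
            candidates.append((network.prefixlen, metric, gateway, iface))
    if not candidates:
        return None
    # A /1 route beats any /0 route regardless of metric; the metric is only
    # compared between routes of the same prefix length.
    plen, metric, gateway, iface = max(candidates, key=lambda c: (c[0], -c[1]))
    return {"prefixlen": plen, "metric": metric,
            "gateway": gateway, "interface": iface}


def without_def1(routes=ROUTES):
    """The same table with the two /1 routes from 'redirect-gateway def1' removed."""
    return [r for r in routes if r[1] != "128.0.0.0"]


if __name__ == "__main__":
    # 8.8.8.8 is a constructed destination standing in for "any internet host".
    print("with def1 routes:   ", select_route("8.8.8.8"))
    print("VPN server endpoint:", select_route("198.144.156.144"))
    print("def1 routes removed:", select_route("8.8.8.8", without_def1()))
```

With the two /1 routes present, the tap adapter's metric of 70 is never compared against the LAN default route's metric of 60, which is why adjusting metrics had no effect; the /32 route to 198.144.156.144 is what keeps the tunnel's own packets on the LAN gateway.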
