I am running a headless Ubuntu 18.04 server VM (bridged KVM) that has ens3 as its primary "ethernet" interface (in reality the virtual bridged interface).
I connect the VM to PrivateInternetAccess via OpenVPN, accepting the "redirect-gateway def1" option pushed by the PIA server. This creates what I understand are the default routes on my VM to ensure that all internet traffic is directed over the VPN tunnel (which is what I want).
When I start the OpenVPN client, the tunnel (tun1) is successfully established, the relevant routes are established, and leak tests (e.g. ipleak.net, akamai, ipinfo.io) all indicate that my IP address is that of PIA's server.
I also have iptables set up to ensure that, except for LAN traffic and some other limited exceptions (e.g. DNS and OpenVPN ports for tunnel establishment), only traffic over the VPN tunnel is allowed. When the tunnel is not established, this appears to work successfully as a "kill switch".
My issue is that when I look at the output of, e.g., ifconfig, it shows that the vast bulk of traffic is incoming and outgoing over the ethernet interface (ens3), rather than the tunnel (tun1). I realise that the tunnel interface is a virtual overlay on the ethernet interface, but I would have expected the stats still to indicate that the tunnel is being used for the traffic. Am I wrong?
Relevant information below:
Client config
client
dev tun1
proto udp
remote au-sydney.privateinternetaccess.com 1197
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/client/pialogin.txt
auth-retry nointeract
compress
verb 3
reneg-sec 0
disable-occ
script-security 2
pull-filter ignore "dhcp-option DNS"
dhcp-option DNS 1.1.1.1
dhcp-option DNS 1.0.0.1
up /etc/openvpn/client/update-systemd-resolved
down /etc/openvpn/client/update-systemd-resolved
down-pre
dhcp-option DOMAIN-ROUTE .
Routes established when the tunnel is active:
$ ip route list
0.0.0.0/1 via 10.33.10.5 dev tun1
default via 10.0.77.1 dev ens3 proto dhcp src 10.0.77.11 metric 100
10.0.77.0/24 dev ens3 proto kernel scope link src 10.0.77.11
10.0.77.1 dev ens3 proto dhcp scope link src 10.0.77.11 metric 100
10.33.10.1 via 10.33.10.5 dev tun1
10.33.10.5 dev tun1 proto kernel scope link src 10.33.10.6
128.0.0.0/1 via 10.33.10.5 dev tun1
137.59.252.149 via 10.0.77.1 dev ens3
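As an added example, not code from the post above or from OpenVPN/PIA: the script below applies the kernel's longest-prefix-match rule to the route table printed above, so you can see for any destination which interface the "redirect-gateway def1" layout sends it out of, and what happens to the same destination once the tun1 routes are gone. The route table is a constructed, inline copy of the `ip route list` output in the post; the helper names (`parse_routes`, `lookup`, `egress_path`, `without_device`) are hypothetical.

```python
# Added example (not from the post): longest-prefix-match walk of the posted
# route table. Helper names are hypothetical; ROUTES_TEXT is a constructed copy
# of the `ip route list` output shown in the post.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ROUTES_TEXT = """\
0.0.0.0/1 via 10.33.10.5 dev tun1
default via 10.0.77.1 dev ens3 proto dhcp src 10.0.77.11 metric 100
10.0.77.0/24 dev ens3 proto kernel scope link src 10.0.77.11
10.0.77.1 dev ens3 proto dhcp scope link src 10.0.77.11 metric 100
10.33.10.1 via 10.33.10.5 dev tun1
10.33.10.5 dev tun1 proto kernel scope link src 10.33.10.6
128.0.0.0/1 via 10.33.10.5 dev tun1
137.59.252.149 via 10.0.77.1 dev ens3
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]  # next-hop gateway; None for on-link routes
    metric: int


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route list` lines (only the keywords that appear in the post)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        # A bare host address such as 137.59.252.149 is a /32 route.
        prefix = ipaddress.ip_network(dst, strict=False)
        dev = f[f.index("dev") + 1]
        via = f[f.index("via") + 1] if "via" in f else None
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append(Route(prefix, dev, via, metric))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Kernel selection rule: most specific prefix wins, then the lowest metric.
    This is why 0.0.0.0/1 and 128.0.0.0/1 beat the DHCP default (a /0)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress_path(routes: List[Route], dst: str, vpn_server: str) -> List[str]:
    """Interfaces a packet to `dst` crosses. If the first hop is the tun device,
    OpenVPN wraps the packet in UDP to `vpn_server`, and that outer datagram is
    routed again (here over the /32 host route on ens3), so both counters move."""
    first = lookup(routes, dst)
    path = [first.dev] if first else []
    if first and first.dev.startswith("tun"):
        outer = lookup(routes, vpn_server)
        if outer:
            path.append(outer.dev)
    return path


def without_device(routes: List[Route], dev: str) -> List[Route]:
    """The table with every route on `dev` dropped, roughly what is left once the
    tunnel goes down and the situation the iptables kill switch has to cover."""
    return [r for r in routes if r.dev != dev]


ROUTES = parse_routes(ROUTES_TEXT)

if __name__ == "__main__":
    for dst in ("1.1.1.1", "200.1.2.3", "137.59.252.149", "10.0.77.50"):
        r = lookup(ROUTES, dst)
        print(f"{dst:16} -> {r.prefix} dev {r.dev} via {r.via}")
    print("1.1.1.1, tunnel up:  ", egress_path(ROUTES, "1.1.1.1", "137.59.252.149"))
    print("1.1.1.1, tunnel down:", egress_path(without_device(ROUTES, "tun1"),
                                                "1.1.1.1", "137.59.252.149"))
```

Running it shows 1.1.1.1 and 200.1.2.3 selecting the two /1 routes on tun1, the PIA server address 137.59.252.149 selecting its /32 on ens3, and LAN hosts selecting the /24 on ens3. The `egress_path` result for 1.1.1.1 is `['tun1', 'ens3']`: the cleartext packet is counted on tun1 and its encrypted UDP wrapper is counted again on ens3, which is the double-counting you would expect to see in per-interface byte counters. With the tun1 routes removed the same destination falls through to the DHCP default on ens3, which is the path the iptables kill switch must block.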