How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Posted: Sun Jun 20, 2021 2:08 pm
by fdanks
The subject line should say it all, but to reiterate, I want to ignore any default route directive from the server, accepting all other route directives.

I do not have the ability to reconfigure the server. It is part of a different organization and out of my control.

I am using Ubuntu Linux and I can achieve what I want with sudo route delete default tun0, but it has been very frustrating to have to do this manually every time, especially because it is not an always-on VPN and I enable it through the Ubuntu system tray.

I've read the manual, the howtos, and the sample config (only a very sparse one for client-side), and this page:

https://community.openvpn.net/openvpn/w ... ectGateway

none of which had this specific answer.

I looked at the route-related options redirect-gateway, route-nopull, and route-gateway, but got nowhere.

So, to sum it up, I want to configure the client to avoid installing a default route to the VPN gateway that the server is attempting to install, but to accept all other route directives. This is because the remote network has several subnets other than the one in which the VPN endpoint is associated with that I need to be able to access.

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Posted: Sun Jun 20, 2021 2:17 pm
by Pippin
Take a look at --pull-filter in the manual.

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Posted: Sun Jun 20, 2021 2:38 pm
by fdanks
Ok, so I tried all of these in my configuration and it did not work:

client

pull-filter ignore "route 0.0.0.0"
pull-filter ignore "route 0.0.0.0/0"
pull-filter ignore "route default"


Here is the syslog entry where the route is added:

Jun 20 09:31:12 mothra NetworkManager[1238]: <info> [1624199472.2589] vpn-connection[0xXXXXXXXXX,"openvpn test",9:(tun0)]: Data: Static Route: 0.0.0.0/0 Next Hop: 172.24.42.1

The manual is of no help here as there appears to be no explicit guidance on the format of the possible pull-filter patterns and the syslog entry appears to be of no help either. It would be nice if the syslog entry contained the explicit command responsible for a given log entry (if applicable) so that I could use it as guidance for the pull-filter command.

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Posted: Sun Jun 20, 2021 2:47 pm
by 300000
If you list all subnet routes to include and the server gateway route to avoid, I can help you do that.

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Posted: Sun Jun 20, 2021 3:09 pm
by fdanks
This is the routing table after the VPN is established:

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.24.42.1     0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.86.1    0.0.0.0         UG        0 0          0 wlp3s0
10.0.0.0        172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.8.0.0        172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.10.0.0       172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.60.0.0       172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.126.0.0      172.24.42.1     255.255.0.0     UG        0 0          0 tun0
xxx.xxx.xxx.xxx 192.168.86.1    255.255.255.255 UGH       0 0          0 wlp3s0
xxx.xxx.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlp3s0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-4afce1fbcca8
172.20.0.0      172.24.42.1     255.255.0.0     UG        0 0          0 tun0
172.24.42.0     0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.49.0    0.0.0.0         255.255.255.0   U         0 0          0 br-59ca3367fbf8
192.168.86.0    0.0.0.0         255.255.255.0   U         0 0          0 wlp3s0
192.168.86.1    0.0.0.0         255.255.255.255 UH        0 0          0 wlp3s0
I haven't tried this yet, but given the above, I believe that this will work:

client

route-nopull
route 10.0.0.0 255.255.0.0 172.24.42.1 0
route 10.8.0.0 255.255.0.0 172.24.42.1 0
route 10.10.0.0 255.255.0.0 172.24.42.1 0
route 10.60.0.0 255.255.0.0 172.24.42.1 0
route 10.126.0.0 255.255.0.0 172.24.42.1 0
route 172.20.0.0 255.255.255.0 172.24.42.1 0


But I was looking for a solution that would take into account any server-side changes in the future. The company I am working with is a start-up and their networks are prone to changes and updates that I would like to not have to keep up with.

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Posted: Sun Jun 20, 2021 3:19 pm
by fdanks
I tried the above and it did not work either. I just ended up with duplicate route entries:

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.24.42.1     0.0.0.0         UG        0 0          0 tun0
0.0.0.0         192.168.86.1    0.0.0.0         UG        0 0          0 wlp3s0
10.0.0.0        172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.0.0.0        172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.8.0.0        172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.8.0.0        172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.10.0.0       172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.10.0.0       172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.60.0.0       172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.60.0.0       172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.126.0.0      172.24.42.1     255.255.0.0     UG        0 0          0 tun0
10.126.0.0      172.24.42.1     255.255.0.0     UG        0 0          0 tun0
xxx.xxx.xxx.xxx 192.168.86.1    255.255.255.255 UGH       0 0          0 wlp3s0
xxx.xxx.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlp3s0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-4afce1fbcca8
172.20.0.0      172.24.42.1     255.255.255.0   UG        0 0          0 tun0
172.20.0.0      172.24.42.1     255.255.0.0     UG        0 0          0 tun0
172.24.42.0     0.0.0.0         255.255.255.0   U         0 0          0 tun0
192.168.49.0    0.0.0.0         255.255.255.0   U         0 0          0 br-59ca3367fbf8
192.168.86.0    0.0.0.0         255.255.255.0   U         0 0          0 wlp3s0
192.168.86.1    0.0.0.0         255.255.255.255 UH        0 0          0 wlp3s0

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Posted: Sun Jun 20, 2021 3:26 pm
by fdanks
Here's the full config excluding the certificate information:

client

client
dev tun
proto tcp
route-nopull
route 10.0.0.0 255.255.0.0 172.24.42.1 0
route 10.8.0.0 255.255.0.0 172.24.42.1 0
route 10.10.0.0 255.255.0.0 172.24.42.1 0
route 10.60.0.0 255.255.0.0 172.24.42.1 0
route 10.126.0.0 255.255.0.0 172.24.42.1 0
route 172.20.0.0 255.0.255.0 172.24.42.1 0
remote vpn.not.shown.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-128-CBC
auth SHA1
comp-lzo
route-delay 4
verb 3
reneg-sec 0
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Posted: Sun Jun 20, 2021 5:10 pm
by TinCanTech
Do not use --route-nopull because it breaks your VPN.

Why not just configure your server correctly?
Edit: Ok, it's not your server .. so ask them to do it.

But all you need in the client config is:

pull-filter ignore "redirect-gateway"
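
Why the three `route 0.0.0.0` patterns above matched nothing while `redirect-gateway` does: `--pull-filter` compares its text against the start of each option line the server pushes, and a server asking for a default route pushes a `redirect-gateway ...` line, not a `route 0.0.0.0` line. The model below is an added example, not OpenVPN's own code; the pushed option list is constructed to resemble the routes in the thread.

```python
# Added example (not OpenVPN's own code): a model of how --pull-filter decides
# which server-pushed options the client keeps. OpenVPN compares each filter's
# text against the START of the pushed option line; the first rule that matches
# wins, and an option matched by no rule is accepted.

# Constructed sample of a PUSH_REPLY from a server like the one in the thread:
# it asks for a default route with redirect-gateway and pushes per-subnet routes.
PUSHED_OPTIONS = [
    "redirect-gateway def1",
    "route 10.0.0.0 255.255.0.0",
    "route 10.8.0.0 255.255.0.0",
    "route 172.20.0.0 255.255.0.0",
    "route-gateway 172.24.42.1",
    "dhcp-option DNS 10.0.0.53",
]


def apply_pull_filters(pushed, filters):
    """Apply (action, text) rules to pushed options.

    action is "accept", "ignore" or "reject" as in --pull-filter. Returns
    (accepted, ignored, rejected); a non-empty rejected list means OpenVPN
    would refuse the whole push instead of connecting.
    """
    accepted, ignored, rejected = [], [], []
    buckets = {"accept": accepted, "ignore": ignored, "reject": rejected}
    for option in pushed:
        verdict = "accept"                  # default when no rule matches
        for action, text in filters:
            if option.startswith(text):     # prefix match, first hit wins
                verdict = action
                break
        buckets[verdict].append(option)
    return accepted, ignored, rejected


def installs_default_route(options):
    """True if the accepted options would still produce the 0.0.0.0/0 route
    seen in the syslog entry: a redirect-gateway directive or an explicit
    all-zero route."""
    return any(o.startswith("redirect-gateway") or o.startswith("route 0.0.0.0 0.0.0.0")
               for o in options)


if __name__ == "__main__":
    # The thread's first attempts: no pushed line starts with these, so nothing is filtered.
    for text in ("route 0.0.0.0", "route 0.0.0.0/0", "route default"):
        kept, _, _ = apply_pull_filters(PUSHED_OPTIONS, [("ignore", text)])
        print(f'pull-filter ignore "{text}": default route ->', installs_default_route(kept))
    # The rule from this post: drops only the redirect-gateway line, keeps every subnet route.
    kept, dropped, _ = apply_pull_filters(PUSHED_OPTIONS, [("ignore", "redirect-gateway")])
    print("kept:", kept, "dropped:", dropped)
```

The route in the syslog entry earlier in the thread is installed by NetworkManager, so confirm the filter is reaching openvpn at all by checking the openvpn log (verb 3 prints the received PUSH_REPLY line, and verb 4 reports options removed by a filter).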

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Posted: Sun Jun 20, 2021 5:25 pm
by 300000
fdanks wrote:
Sun Jun 20, 2021 3:26 pm
Here's the full config excluding the certificate information:

client

client
dev tun
proto tcp
route-nopull
route 10.0.0.0 255.255.0.0 172.24.42.1 0
route 10.8.0.0 255.255.0.0 172.24.42.1 0
route 10.10.0.0 255.255.0.0 172.24.42.1 0
route 10.60.0.0 255.255.0.0 172.24.42.1 0
route 10.126.0.0 255.255.0.0 172.24.42.1 0
route 172.20.0.0 255.0.255.0 172.24.42.1 0
remote vpn.not.shown.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-128-CBC
auth SHA1
comp-lzo
route-delay 4
verb 3
reneg-sec 0
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved

Here are all the routes you add into your config, and it should work as you like.

route 10.0.0.0 255.255.0.0 vpn_gateway
route 10.8.0.0 255.255.0.0 vpn_gateway
route 10.10.0.0 255.255.0.0 vpn_gateway
route 10.60.0.0 255.255.0.0 vpn_gateway
route 10.126.0.0 255.255.0.0 vpn_gateway
route 172.20.0.0 255.0.255.0 vpn_gateway
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway


This means all routes from the server side will go over the VPN, but the rest will go to the local gateway, so speed will be as fast as your local internet. Try this, then come back and let me know if it works for you.

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Posted: Tue Jun 22, 2021 5:18 pm
by fdanks
TinCanTech wrote:
Sun Jun 20, 2021 5:10 pm
Do not use --route-nopull because it breaks your VPN.

Why not just configure your server correctly?
Edit: Ok, it's not your server .. so ask them to do it.

But all you need in the client config is:

pull-filter ignore "redirect-gateway"
Great suggestion, and I tried the above, but to no effect. My routing table still contains the default route to the gateway for some reason.

FYI: I am using the integrated support for importing .ovpn files in Ubuntu 20.04, using the "Import from file..." option in the VPN Settings Control Panel. When I connect, syslog reports that this is the version of OpenVPN I am using:

OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
I also tried the below suggestion, but it fails to load the .ovpn config file with:

`The file "XXX.ovpn" could not be read or does not contain recognized VPN connection information`

I have narrowed that error down to the use of vpn_gateway and net_gateway in the config file. My client just does not seem to want to expand those variables/aliases correctly. The import succeeds if I replace them with an explicit IP address (e.g. 172.24.42.1).
300000 wrote:
Sun Jun 20, 2021 5:25 pm
Here are all the routes you add into your config, and it should work as you like.

route 10.0.0.0 255.255.0.0 vpn_gateway
route 10.8.0.0 255.255.0.0 vpn_gateway
route 10.10.0.0 255.255.0.0 vpn_gateway
route 10.60.0.0 255.255.0.0 vpn_gateway
route 10.126.0.0 255.255.0.0 vpn_gateway
route 172.20.0.0 255.0.255.0 vpn_gateway
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway


This means all routes from the server side will go over the VPN, but the rest will go to the local gateway, so speed will be as fast as your local internet. Try this, then come back and let me know if it works for you.

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Posted: Tue Jun 22, 2021 6:11 pm
by 300000
Is this working as you like now, or are you still trying to sort it? The client you use is something new and not the standard one, so it doesn't know how to make it work. If this must be an IP, I think this route works for you.

Re: How do I configure the OpenVPN client to accept all routes from the server EXCLUSIVE of the default route?

Posted: Tue Jun 22, 2021 6:42 pm
by TinCanTech
300000 wrote:
Sun Jun 20, 2021 5:25 pm
Here are all the routes you add into your config, and it should work as you like.

route 10.0.0.0 255.255.0.0 vpn_gateway
route 10.8.0.0 255.255.0.0 vpn_gateway
route 10.10.0.0 255.255.0.0 vpn_gateway
route 10.60.0.0 255.255.0.0 vpn_gateway
route 10.126.0.0 255.255.0.0 vpn_gateway
route 172.20.0.0 255.0.255.0 vpn_gateway
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
This probably does work, so long as you REMOVE --route-nopull.

Other than that, it is log file time .. or I'm out.