i read here: https://openvpn.net/community-resources ... /#redirect
that internet traffic is not routed via the VPN unless i configure it to
This is actually what I want. I want the clients to have internet access not routed via the VPN Server However, while the server IP Range is able to access intenet, the subnets are not. I can see from the log that [redirect-gateway] [def1] is set automatically even if there is nothing like that in the conf. Can someone help me understand why this is the case and how i can avoid that?By default, when an OpenVPN client is active, only network traffic to and from the OpenVPN server site will pass over the VPN. General web browsing, for example, will be accomplished with direct connections that bypass the VPN.
My conf
Code: Select all
server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/VPN.greenhive.at.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/VPN.greenhive.at.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun
status /tmp/openvpn-status.log
topology subnet
client-config-dir ccd
user nobody
group nogroup
comp-lzo no
### Route Configurations Below
route 192.168.254.0 255.255.255.0
route 10.0.0.0 255.255.255.0
route 10.0.1.0 255.255.255.0
route 10.0.3.0 255.255.255.0
route 10.0.4.0 255.255.255.0
route 10.0.5.0 255.255.255.0
route 10.0.6.0 255.255.255.0
route 10.0.7.0 255.255.255.0
route 10.0.8.0 255.255.255.0
route 10.0.9.0 255.255.255.0
route 10.0.10.0 255.255.255.0
route 10.0.11.0 255.255.255.0
route 10.0.12.0 255.255.255.0
route 10.0.13.0 255.255.255.0
route 10.0.14.0 255.255.255.0
route 10.0.15.0 255.255.255.0
route 10.0.16.0 255.255.255.0
route 10.0.17.0 255.255.255.0
route 10.0.18.0 255.255.255.0
route 10.0.19.0 255.255.255.0
route 10.0.20.0 255.255.255.0
route 10.0.21.0 255.255.255.0
route 10.0.22.0 255.255.255.0
### Push Configurations Below
#push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "comp-lzo no"
push "route 172.17.0.0 255.255.255.0"Code: Select all
ifconfig-push 10.0.1.5 255.255.255.0Code: Select all
2022-04-30 03:36:06.054915 *Tunnelblick: macOS 12.3.1 (21E258); Tunnelblick 3.8.5beta05 (build 5650)
2022-04-30 03:36:06.361499 *Tunnelblick: Attempting connection with at_stmk/at_stmk_wachstumkoenig_pilot1 using shadow copy; Set nameserver = 769; monitoring connection
2022-04-30 03:36:06.365653 *Tunnelblick: openvpnstart start at_stmk/at_stmk_wachstumkoenig_pilot1.tblk 62876 769 0 1 0 34652464 -ptADGNWradsgnw 2.4.10-openssl-1.1.1j
2022-04-30 03:36:06.395617 *Tunnelblick: openvpnstart starting OpenVPN
2022-04-30 03:36:06.696372 OpenVPN 2.4.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Feb 25 2021
2022-04-30 03:36:06.696449 library versions: OpenSSL 1.1.1j 16 Feb 2021, LZO 2.10
2022-04-30 03:36:06.697761 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:62876
2022-04-30 03:36:06.697829 Need hold release from management interface, waiting...
2022-04-30 03:36:06.992142 *Tunnelblick: openvpnstart log:
OpenVPN started successfully.
Command used to start OpenVPN (one argument per displayed line):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.4.10-openssl-1.1.1j/openvpn
--daemon
--log /Library/Application Support/Tunnelblick/Logs/-SUsers-Srobertk-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sat_stmk-Sat_stmk_wachstumkoenig_pilot1.tblk-SContents-SResources-Sconfig.ovpn.769_0_1_0_34652464.62876.openvpn.log
--cd /Library/Application Support/Tunnelblick/Users/robertk/at_stmk/at_stmk_wachstumkoenig_pilot1.tblk/Contents/Resources
--machine-readable-output
--setenv IV_GUI_VER "net.tunnelblick.tunnelblick 5650 3.8.5beta05 (build 5650)"
--verb 3
--config /Library/Application Support/Tunnelblick/Users/robertk/at_stmk/at_stmk_wachstumkoenig_pilot1.tblk/Contents/Resources/config.ovpn
--setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Users/robertk/at_stmk/at_stmk_wachstumkoenig_pilot1.tblk/Contents/Resources
--verb 3
--cd /Library/Application Support/Tunnelblick/Users/robertk/at_stmk/at_stmk_wachstumkoenig_pilot1.tblk/Contents/Resources
--management 127.0.0.1 62876 /Library/Application Support/Tunnelblick/geeielmngfddkiiidnhcaaaogadlpdifnpjaepip.mip
--management-query-passwords
--management-hold
--script-security 2
--route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
--down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2022-04-30 03:36:07.015813 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:62876
2022-04-30 03:36:07.059772 MANAGEMENT: CMD 'pid'
2022-04-30 03:36:07.059851 MANAGEMENT: CMD 'auth-retry interact'
2022-04-30 03:36:07.059879 MANAGEMENT: CMD 'state on'
2022-04-30 03:36:07.059904 MANAGEMENT: CMD 'state'
2022-04-30 03:36:07.059951 MANAGEMENT: CMD 'bytecount 1'
2022-04-30 03:36:07.060655 *Tunnelblick: Established communication with OpenVPN
2022-04-30 03:36:07.065673 *Tunnelblick: >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
2022-04-30 03:36:07.067133 MANAGEMENT: CMD 'hold release'
2022-04-30 03:36:07.073826 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2022-04-30 03:36:07.078621 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-30 03:36:07.078673 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2022-04-30 03:36:07.079180 MANAGEMENT: >STATE:1651282567,RESOLVE,,,,,,
2022-04-30 03:36:07.146432 TCP/UDP: Preserving recently used remote address: [AF_INET]213.136.74.54:1194
2022-04-30 03:36:07.146559 Socket Buffers: R=[786896->786896] S=[9216->9216]
2022-04-30 03:36:07.146588 UDP link local: (not bound)
2022-04-30 03:36:07.146610 UDP link remote: [AF_INET]213.136.74.54:1194
2022-04-30 03:36:07.146649 MANAGEMENT: >STATE:1651282567,WAIT,,,,,,
2022-04-30 03:36:07.205738 MANAGEMENT: >STATE:1651282567,AUTH,,,,,,
2022-04-30 03:36:07.205851 TLS: Initial packet from [AF_INET]213.136.74.54:1194, sid=2530e606 0d628ebe
2022-04-30 03:36:07.265540 VERIFY OK: depth=1, CN=greenhive
2022-04-30 03:36:07.266306 VERIFY KU OK
2022-04-30 03:36:07.266346 Validating certificate extended key usage
2022-04-30 03:36:07.266371 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2022-04-30 03:36:07.266394 VERIFY EKU OK
2022-04-30 03:36:07.266416 VERIFY OK: depth=0, CN=VPN.greenhive.at
2022-04-30 03:36:07.342181 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
2022-04-30 03:36:07.342419 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2022-04-30 03:36:07.342588 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2022-04-30 03:36:07.342650 [VPN.greenhive.at] Peer Connection Initiated with [AF_INET]213.136.74.54:1194
2022-04-30 03:36:08.481496 MANAGEMENT: >STATE:1651282568,GET_CONFIG,,,,,,
2022-04-30 03:36:08.481762 SENT CONTROL [VPN.greenhive.at]: 'PUSH_REQUEST' (status=1)
2022-04-30 03:36:08.575274 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,comp-lzo no,route 172.17.0.0 255.255.255.0,route-gateway 192.168.255.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.0.1.5 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2022-04-30 03:36:08.575522 OPTIONS IMPORT: timers and/or timeouts modified
2022-04-30 03:36:08.575542 OPTIONS IMPORT: compression parms modified
2022-04-30 03:36:08.575558 OPTIONS IMPORT: --ifconfig/up options modified
2022-04-30 03:36:08.575571 OPTIONS IMPORT: route options modified
2022-04-30 03:36:08.575583 OPTIONS IMPORT: route-related options modified
2022-04-30 03:36:08.575595 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2022-04-30 03:36:08.575607 OPTIONS IMPORT: peer-id set
2022-04-30 03:36:08.575619 OPTIONS IMPORT: adjusting link_mtu to 1624
2022-04-30 03:36:08.575632 OPTIONS IMPORT: data channel crypto options modified
2022-04-30 03:36:08.575646 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-04-30 03:36:08.575778 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-30 03:36:08.575796 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-04-30 03:36:08.577717 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2022-04-30 03:36:08.577844 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2022-04-30 03:36:08.577904 Opening utun (connect(AF_SYS_CONTROL)): Resource busy (errno=16)
2022-04-30 03:36:08.578505 Opened utun device utun3
2022-04-30 03:36:08.578552 MANAGEMENT: >STATE:1651282568,ASSIGN_IP,,10.0.1.5,,,,
2022-04-30 03:36:08.578583 /sbin/ifconfig utun3 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2022-04-30 03:36:08.593569 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2022-04-30 03:36:08.593695 /sbin/ifconfig utun3 10.0.1.5 10.0.1.5 netmask 255.255.255.0 mtu 1500 up
2022-04-30 03:36:08.598359 /sbin/route add -net 10.0.1.0 10.0.1.5 255.255.255.0
add net 10.0.1.0: gateway 10.0.1.5
2022-04-30 03:36:08.609525 /sbin/route add -net 213.136.74.54 192.168.88.1 255.255.255.255
add net 213.136.74.54: gateway 192.168.88.1
2022-04-30 03:36:08.612410 /sbin/route add -net 0.0.0.0 192.168.255.1 128.0.0.0
add net 0.0.0.0: gateway 192.168.255.1
2022-04-30 03:36:08.614837 /sbin/route add -net 128.0.0.0 192.168.255.1 128.0.0.0
add net 128.0.0.0: gateway 192.168.255.1
2022-04-30 03:36:08.617391 MANAGEMENT: >STATE:1651282568,ADD_ROUTES,,,,,,
2022-04-30 03:36:08.617448 /sbin/route add -net 172.17.0.0 192.168.255.1 255.255.255.0
add net 172.17.0.0: gateway 192.168.255.1
03:36:08 *Tunnelblick: **********************************************
03:36:08 *Tunnelblick: Start of output from client.up.tunnelblick.sh
03:36:10 *Tunnelblick: Retrieved from OpenVPN: name server(s) [ 8.8.8.8 8.8.4.4 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
03:36:10 *Tunnelblick: WARNING: Ignoring DomainName 'openvpn' because DomainName was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified
03:36:10 *Tunnelblick: WARNING: Ignoring ServerAddresses '8.8.8.8 8.8.4.4' because ServerAddresses was set manually and '-allowChangesToManuallySetNetworkSettings' was not specified
03:36:10 *Tunnelblick: Not replacing search domains 'openvpn' with 'openvpn' because the search domains were set manually, '-allowChangesToManuallySetNetworkSettings' was not selected, and 'Prepend domain name to search domains' was not selected
03:36:12 *Tunnelblick: Saved the DNS and SMB configurations so they can be restored
03:36:12 *Tunnelblick: Did not change DNS ServerAddresses setting of '8.8.8.8 8.8.4.4' (but re-set it)
03:36:12 *Tunnelblick: Did not change DNS SearchDomains setting of 'openvpn' (but re-set it)
03:36:12 *Tunnelblick: Changed DNS DomainName setting from '' to 'openvpn'
03:36:12 *Tunnelblick: Did not change SMB NetBIOSName setting of ''
03:36:12 *Tunnelblick: Did not change SMB Workgroup setting of ''
03:36:12 *Tunnelblick: Did not change SMB WINSAddresses setting of ''
03:36:12 *Tunnelblick: DNS servers '8.8.8.8 8.8.4.4' were set manually
03:36:12 *Tunnelblick: DNS servers '8.8.8.8 8.8.4.4' will be used for DNS queries when the VPN is active
03:36:12 *Tunnelblick: The DNS servers include only free public DNS servers known to Tunnelblick.
03:36:12 *Tunnelblick: Flushed the DNS cache via dscacheutil
03:36:12 *Tunnelblick: /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
03:36:12 *Tunnelblick: Notified mDNSResponder that the DNS cache was flushed
03:36:12 *Tunnelblick: Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
03:36:12 *Tunnelblick: Setting up to monitor system configuration with process-network-changes
03:36:12 *Tunnelblick: End of output from client.up.tunnelblick.sh
03:36:12 *Tunnelblick: **********************************************
2022-04-30 03:36:12.163515 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2022-04-30 03:36:12.163553 Initialization Sequence Completed
2022-04-30 03:36:12.163567 MANAGEMENT: >STATE:1651282572,CONNECTED,SUCCESS,10.0.1.5,213.136.74.54,1194,,
2022-04-30 03:36:13.392302 *Tunnelblick: Routing info stdout:
route to: 8.8.4.4
destination: 8.8.4.4
gateway: 192.168.255.1
interface: en0
flags: <UP,GATEWAY,HOST,DONE,WASCLONED,IFSCOPE,IFREF,GLOBAL>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1500 0
stderr:
2022-04-30 03:36:13.407498 *Tunnelblick: Warning: DNS server Address 8.8.4.4 is a known public DNS server but is not being routed through the VPN
2022-04-30 03:36:13.496102 *Tunnelblick: Routing info stdout:
route to: 8.8.8.8
destination: 8.8.8.8
gateway: 192.168.255.1
interface: en0
flags: <UP,GATEWAY,HOST,DONE,WASCLONED,IFSCOPE,IFREF,GLOBAL>
recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire
0 0 0 0 0 0 1500 0
stderr:
2022-04-30 03:36:13.515650 *Tunnelblick: Warning: DNS server Address 8.8.8.8 is a known public DNS server but is not being routed through the VPN
Code: Select all
30.4.2022, 03:48:02 OpenVPN core 3.git::58b92569 mac x86_64 64-bit built on Feb 16 2021 10:05:03
⏎30.4.2022, 03:48:02 EVENT: RESOLVE ⏎30.4.2022, 03:48:02 Frame=512/2048/512 mssfix-ctrl=1250
⏎30.4.2022, 03:48:02 UNUSED OPTIONS
1 [nobind]
⏎30.4.2022, 03:48:02 Contacting 213.136.74.54:1194 via UDP
⏎30.4.2022, 03:48:02 EVENT: WAIT ⏎30.4.2022, 03:48:02 UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
"host" : "213.136.74.54",
"ipv6" : false,
"pid" : 1519
}
⏎30.4.2022, 03:48:02 Connecting to [VPN.greenhive.at]:1194 (213.136.74.54) via UDPv4
⏎30.4.2022, 03:48:02 EVENT: CONNECTING ⏎30.4.2022, 03:48:02 Tunnel Options:V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
⏎30.4.2022, 03:48:02 Creds: UsernameEmpty/PasswordEmpty
⏎30.4.2022, 03:48:02 Peer Info:
IV_VER=3.git::58b92569
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1
IV_GUI_VER=OCmacOS_3.2.6-3136
IV_SSO=openurl
IV_BS64DL=1
⏎30.4.2022, 03:48:02 VERIFY OK: depth=1, /CN=greenhive
⏎30.4.2022, 03:48:02 VERIFY OK: depth=0, /CN=VPN.greenhive.at
⏎30.4.2022, 03:48:02 SSL Handshake: CN=VPN.greenhive.at, TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
⏎30.4.2022, 03:48:02 EVENT: GET_CONFIG ⏎30.4.2022, 03:48:02 Session is ACTIVE
⏎30.4.2022, 03:48:02 Sending PUSH_REQUEST to server...
⏎30.4.2022, 03:48:02 OPTIONS:
0 [redirect-gateway] [def1]
1 [dhcp-option] [DNS] [8.8.8.8]
2 [dhcp-option] [DNS] [8.8.4.4]
3 [comp-lzo] [no]
4 [route] [172.17.0.0] [255.255.255.0]
5 [route-gateway] [192.168.255.1]
6 [topology] [subnet]
7 [ping] [10]
8 [ping-restart] [60]
9 [ifconfig] [10.0.1.5] [255.255.255.0]
10 [peer-id] [0]
11 [cipher] [AES-256-GCM]
⏎30.4.2022, 03:48:02 PROTOCOL OPTIONS:
cipher: AES-256-GCM
digest: NONE
compress: LZO_STUB
peer ID: 0
⏎30.4.2022, 03:48:02 TunPersist: short-term connection scope
⏎30.4.2022, 03:48:02 EVENT: ASSIGN_IP ⏎30.4.2022, 03:48:02 TunPersist: new tun context
⏎30.4.2022, 03:48:02 CAPTURED OPTIONS:
Session Name: VPN.greenhive.at
Layer: OSI_LAYER_3
MTU: 1500
Remote Address: 213.136.74.54
Tunnel Addresses:
10.0.1.5/24 -> 192.168.255.1
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
Block IPv6: no
Add Routes:
172.17.0.0/24
Exclude Routes:
DNS Servers:
8.8.8.8
8.8.4.4
Search Domains:
⏎30.4.2022, 03:48:02 SetupClient: transmitting tun setup list to /var/run/agent_ovpnconnect.sock
{
"config" :
{
"iface_name" : "",
"layer" : "OSI_LAYER_3",
"tun_prefix" : false
},
"pid" : 1519,
"tun" :
{
"adapter_domain_suffix" : "",
"add_routes" :
[
{
"address" : "172.17.0.0",
"gateway" : "",
"ipv6" : false,
"metric" : -1,
"net30" : false,
"prefix_length" : 24
}
],
"block_ipv6" : false,
"dns_servers" :
[
{
"address" : "8.8.8.8",
"ipv6" : false
},
{
"address" : "8.8.4.4",
"ipv6" : false
}
],
"layer" : 3,
"mtu" : 1500,
"remote_address" :
{
"address" : "213.136.74.54",
"ipv6" : false
},
"reroute_gw" :
{
"flags" : 275,
"ipv4" : true,
"ipv6" : false
},
"route_metric_default" : -1,
"session_name" : "VPN.greenhive.at",
"tunnel_address_index_ipv4" : 0,
"tunnel_address_index_ipv6" : -1,
"tunnel_addresses" :
[
{
"address" : "10.0.1.5",
"gateway" : "192.168.255.1",
"ipv6" : false,
"metric" : -1,
"net30" : false,
"prefix_length" : 24
}
]
}
}
POST unix://[/var/run/agent_ovpnconnect.sock]/tun-setup : 200 OK
{
"iface_name" : "utun3",
"layer" : "OSI_LAYER_3",
"tun_prefix" : true
}
/sbin/ifconfig utun3 down
/sbin/ifconfig utun3 10.0.1.5 192.168.255.1 netmask 255.255.255.0 mtu 1500 up
/sbin/route add -net 10.0.1.0 -netmask 255.255.255.0 10.0.1.5
add net 10.0.1.0: gateway 10.0.1.5
/sbin/route add -net 172.17.0.0 -netmask 255.255.255.0 192.168.255.1
add net 172.17.0.0: gateway 192.168.255.1
/sbin/route add -net 213.136.74.54 -netmask 255.255.255.255 192.168.88.1
route: writing to routing socket: File exists
add net 213.136.74.54: gateway 192.168.88.1: File exists
/sbin/route add -net 0.0.0.0 -netmask 128.0.0.0 192.168.255.1
add net 0.0.0.0: gateway 192.168.255.1
/sbin/route add -net 128.0.0.0 -netmask 128.0.0.0 192.168.255.1
add net 128.0.0.0: gateway 192.168.255.1
MacDNSAction: FLAGS=F RD=1 SO=5000 DNS=8.8.8.8,8.8.4.4 DOM= ADS=
open utun3 SUCCEEDED
⏎30.4.2022, 03:48:02 Connected via utun3
⏎30.4.2022, 03:48:02 EVENT: CONNECTED VPN.greenhive.at:1194 (213.136.74.54) via /UDPv4 on utun3/10.0.1.5/ gw=[192.168.255.1/]⏎30.4.2022, 03:48:02 LZO-ASYM init swap=0 asym=1
⏎30.4.2022, 03:48:02 Comp-stub init swap=0
⏎