How to avoid unencrypted connection to re-appear

Posted: Thu Feb 24, 2011 12:56 pm
by andrus
Bridged connection is used to encrypt internet traffic between home wifi 192.168.4.1/24 notebook and work network 192.168.91.1/24 both running Windows Vista.

If openvpn client is started, all is ok. "route print" returns:

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.91.1 192.168.91.123 30

After some time a line after that automatically appears:

0.0.0.0 0.0.0.0 192.168.4.1 192.168.4.241 25

and internet traffic is sent unencrypted over 192.168.4.1
If second route is manually deleted using
route delete 0.0.0.0 192.168.4.1

encrypted connection is restored. After some time this line appears again and connection is not encrypted again.

How to force internet access to be encrypted always ?

Andrus.

client config:

client
dev tap
remote mysite.com
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert andrus-notebook.crt
key andrus-notebook.key
mute 20


server config:

dev tap
dev-node tap-bridge
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server-bridge 192.168.91.1 255.255.255.0 192.168.91.123 192.168.91.254
push "redirect-gateway"
push dhcp-option DNS 1.2.3.4
keepalive 10 120
persist-key
persist-tun
mute 20

Re: How to avoid unencrypted connection to re-appear

Posted: Thu Feb 24, 2011 2:44 pm
by janjust
check the DHCP lease time of the wireless adapter - perhaps it is renewing too rapidly.
Try adding

  route-metric 10

to the config file to give the VPN route a higher metric than the Wifi route.

Re: How to avoid unencrypted connection to re-appear

Posted: Thu Feb 24, 2011 3:01 pm
by andrus
I added route-metric 10 to both server and client config files, re-started openvpn service in server and re-connected client.

Metric is still 30
route-metric sets default value for route command.
I don't have any route commands in config so it does not take any effect.

How to set metric ?

Andrus.

Re: How to avoid unencrypted connection to re-appear

Posted: Thu Feb 24, 2011 3:06 pm
by andrus
I also tried to set static ip address 192.168.91.121, default gateway 192.168.91.1 in client but in this case openvpn connection is not created, log reports netsh error.

Re: How to avoid unencrypted connection to re-appear

Posted: Thu Feb 24, 2011 3:39 pm
by janjust
The 'route-metric' should be added only on the client side.
You can also increase the metric of the wifi adapter in its network control panel page.

Another thing to try is to use

  push "redirect-gateway def1"

(i.e. add "def1")

Re: How to avoid unencrypted connection to re-appear

Posted: Thu Feb 24, 2011 4:11 pm
by andrus
Thank you.
Now animation icon in right corner is incorrect:

1. there is no earth icon
2. network control center shows that internet connection is used through unencrypted adapter.

How to fix ?

Re: How to avoid unencrypted connection to re-appear

Posted: Thu Feb 24, 2011 4:21 pm
by andrus
If def1 hack is used and vpn does not work for some reason,
all traffic is silently routed through unencrypted channel.
This is a big security hole.
How to fix it ?

Andrus.

route print if def1 is used looks like:

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.4.1 192.168.4.241 25
0.0.0.0 128.0.0.0 192.168.91.1 192.168.91.123 30
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 192.168.91.1 192.168.91.123 30
192.168.4.0 255.255.255.0 On-link 192.168.4.241 281
192.168.4.241 255.255.255.255 On-link 192.168.4.241 281
192.168.4.255 255.255.255.255 On-link 192.168.4.241 281
192.168.91.0 255.255.255.0 On-link 192.168.91.123 286
....
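As an added example (not code from the thread or from OpenVPN), here is a Python check that applies Windows route selection (longest matching prefix first, then lowest metric) to "route print" output and reports whether internet-bound traffic actually leaves via the VPN gateway. It reproduces the three states discussed above: two competing 0.0.0.0/0 routes, the def1 split routes, and the silent fallback to the Wi-Fi gateway when the VPN routes vanish. The route tables below are constructed from the thread's output; the VPN gateway 192.168.91.1 and the probe address 8.8.8.8 are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed from the thread: rows are destination, netmask, gateway, interface, metric.
# State 1: the original problem, two default routes; the Wi-Fi one has the lower metric.
ROUTE_PRINT_TWO_DEFAULTS = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.91.1 192.168.91.123 30
0.0.0.0 0.0.0.0 192.168.4.1 192.168.4.241 25
192.168.4.0 255.255.255.0 On-link 192.168.4.241 281
"""
# State 2: after push "redirect-gateway def1" (two /1 routes via the VPN).
ROUTE_PRINT_DEF1 = """\
0.0.0.0 0.0.0.0 192.168.4.1 192.168.4.241 25
0.0.0.0 128.0.0.0 192.168.91.1 192.168.91.123 30
128.0.0.0 128.0.0.0 192.168.91.1 192.168.91.123 30
192.168.4.0 255.255.255.0 On-link 192.168.4.241 281
192.168.91.0 255.255.255.0 On-link 192.168.91.123 286
"""
# State 3: VPN dropped, the /1 routes are gone, only the Wi-Fi default remains.
ROUTE_PRINT_VPN_DOWN = """\
0.0.0.0 0.0.0.0 192.168.4.1 192.168.4.241 25
192.168.4.0 255.255.255.0 On-link 192.168.4.241 281
"""

Route = Tuple[ipaddress.IPv4Network, str, str, int]  # network, gateway, interface, metric

def parse_route_print(text: str) -> List[Route]:
    """Parse the IPv4 data rows of Windows 'route print', skipping headers and '....'."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes

def select_route(routes: List[Route], dest: str) -> Optional[Route]:
    """Windows picks the longest matching prefix; ties go to the lowest metric."""
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def traffic_is_encrypted(text: str, vpn_gateway: str, dest: str = "8.8.8.8") -> bool:
    """True only if the chosen route for an internet address goes via the VPN gateway."""
    route = select_route(parse_route_print(text), dest)
    return route is not None and route[1] == vpn_gateway
```

Run periodically (or after every DHCP renewal) and alert when it returns False; the def1 table passes because a /1 prefix always beats /0 regardless of metric, and the VPN-down table fails because nothing more specific than the Wi-Fi default route is left.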