
Disable split tunneling

Posted: Mon Dec 12, 2011 11:40 pm
by TJNII
Hello,
I'm configuring OpenVPN and I have an IT security requirement that all IP traffic goes over the tunnel and that only one (i.e. the VPN) network connection can be active.

I have a couple of theory questions first:
Is this possible without dropping the connection to the server? How?

I've successfully forced all default traffic over the tunnel with "push redirect-gateway def1". However, I can still connect into locally connected subnets. Can this traffic be dropped as well? What is the best way to configure this?

Thanks in advance.

Re: Disable split tunneling

Posted: Tue Dec 13, 2011 7:30 am
by Mimiko
This is a matter of routing and firewall configuration. Any diagrams of the infrastructure is helpful.

Re: Disable split tunneling

Posted: Tue Dec 13, 2011 2:20 pm
by TJNII
The topology is about as simple as you can get. There is a shared server which multiple clients can connect to. This server is currently routing, though AFAIK that isn't a factor.

This is a client configuration question; administering firewalls and such on the server is simple. I need to know how to throttle the client so that all traffic goes over the VPN tunnel, and any traffic not destined for the VPN tunnel is dropped. I need this to not require a specific OS / client side configuration, i.e. I control the server, not the client. I can probably drop in a script to modify known tunables like the OS routing table, but I cannot rely on a controllable firewall on the client side.

So half the question is if this is even possible through the OpenVPN client config.

Re: Disable split tunneling

Posted: Wed Dec 14, 2011 1:20 am
by TJNII
Today I discussed this with the IT security manager and it turns out my interpretation of the security spec was overly strict. Simply redirecting the default gateway traffic should be sufficient; I don't have to drop traffic for locally connected networks.

However, I'm still curious what the best way to do this would be. I've been focusing on Windows clients right now as I expect them to be the majority. For Windows I was thinking I would need to write a script which saves the routing table and then only leaves a route to get to the openVPN server and a default route into the tunnel. On shutdown I would need a script to restore the original routes.

On Linux it is a relatively safe assumption that iptables will be available. If not, the above method should work, too.

OpenVPN can call scripts on connect/disconnect, correct? Is there a better way? As I implied above this is largely academic at this point.
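As an added example (not code from the thread or from the OpenVPN project), below is the Linux half of what this post sketches: a hook script that OpenVPN can call on connect and disconnect, plus a small audit of the routing table to confirm nothing bypasses the tunnel. It assumes the client config references the script with `script-security 2`, `up /etc/openvpn/killswitch.sh` and `down /etc/openvpn/killswitch.sh`, and relies on the environment variables OpenVPN exports to such hooks (`script_type`, `trusted_ip`, `trusted_port`, `proto_1`, `dev`). The server address 203.0.113.10, port 1194, device names and the sample `ip route` output are constructed values for the demo.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Used as an OpenVPN up/down hook (script-security 2; up/down /etc/openvpn/killswitch.sh),
# OpenVPN sets script_type, trusted_ip, trusted_port, proto_1 and dev for us.
# Constructed demo values: VPN server 203.0.113.10 udp/1194, tunnel device tun0.

# Print iptables commands that leave exactly three ways out of the host: loopback,
# the encrypted session to the VPN server, and the tunnel itself. Everything else on
# OUTPUT is dropped, so a route that bypasses the tunnel carries nothing. Printing
# rather than applying lets the rule set be reviewed and tested without root.
gen_killswitch_rules() {
    server_ip=$1; server_port=$2; proto=$3; tun_dev=$4
    # OpenVPN reports the transport as e.g. "udp" or "tcp-client"; iptables wants tcp/udp.
    case "$proto" in tcp*) proto=tcp ;; udp*) proto=udp ;; esac
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p $proto -d $server_ip --dport $server_port -j ACCEPT
iptables -A OUTPUT -o $tun_dev -j ACCEPT
EOF
}

# Rules for the down hook: reopen the host once the tunnel is gone. A stricter
# deployment would keep gen_killswitch_rules in place here instead, so that a
# dropped tunnel never leaves the client talking on the plain link.
gen_restore_rules() {
    cat <<EOF
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
EOF
}

# Audit: read `ip route` output on stdin and print every route that is neither via
# the tunnel device nor the host route to the VPN server. With redirect-gateway def1
# the old default route is still listed (shadowed by the two /1 routes), so it shows
# up here too: it is what would take over if the tunnel dropped without a kill switch.
audit_routes() {
    tun_dev=$1; server_ip=$2
    awk -v tun="$tun_dev" -v srv="$server_ip" '
        {
            dev = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (dev != tun && $1 != srv) print
        }'
}

# Constructed sample of `ip route` after "push redirect-gateway def1" has been applied.
SAMPLE_ROUTES='0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0'

case "${script_type:-}" in
    up)   gen_killswitch_rules "$trusted_ip" "$trusted_port" "$proto_1" "$dev" | sh ;;
    down) gen_restore_rules | sh ;;
    *)    # Not invoked by OpenVPN: show the audit on the constructed sample.
          printf '%s\n' "$SAMPLE_ROUTES" | audit_routes tun0 203.0.113.10 ;;
esac
```

Run without OpenVPN it only prints the two routes in the sample that do not go through `tun0` (the shadowed DHCP default and the LAN subnet); invoked as an `up` hook it applies the rules, which is what turns "redirect the default route" into "nothing leaves except through the tunnel".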

Re: Disable split tunneling

Posted: Thu Dec 15, 2011 8:33 pm
by Mimiko
TJNII wrote: all traffic goes over the VPN tunnel, and any traffic not destined for the VPN tunnel is dropped
This can't be. If all traffic is going thru tunnel, what is the traffic not for the tunnel?

Re: Disable split tunneling

Posted: Wed Dec 21, 2011 8:00 pm
by TJNII
Mimiko wrote: This can't be. If all traffic is going thru tunnel, what is the traffic not for the tunnel?
Any traffic that would be picked up by local routes. If the routing tables contain routes for locally connected subnets, then that traffic would not go through the tunnel as it would not hit the default route. In the original, strict use case all traffic, including traffic to local subnets, would need to go through the tunnel. I believe for this the routing table would need to contain only the default route and a rule to allow the client to continue to talk to the VPN server.

Re: Disable split tunneling

Posted: Sun Dec 25, 2011 9:42 am
by Mimiko
Using "redirect-gateway", which implies redirecting all traffic thru the tunnel, will leave the client only with access to the local LAN, which will not be redirected thru the tunnel because of the more specific route. If you want to redirect that traffic thru the tunnel also, you have to modify the routing table. And for dropping it, add a rule on the OpenVPN server. Although, I don't see any meaning in redirecting traffic to the local LAN thru the tunnel; there will not be any response.