    All traffic crossing VPN despite "redirect all ipv4" unchecked

    OpenVPN
      Troutpocket

      This is for a user VPN endpoint that employees use to access network assets in a data center. The goal is to have all traffic destined for data center IPs traverse the VPN, and all other traffic use their local gateway at home. It's my understanding that leaving the option "Redirect IPv4 Gateway" unchecked would facilitate this functionality, but it isn't. Left unchecked, the routing table is thus:

      $ netstat -nr4
      Kernel IP routing table
      Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
      0.0.0.0         172.16.100.1    0.0.0.0         UG        0 0          0 tun0
      0.0.0.0         10.24.24.1      0.0.0.0         UG        0 0          0 wlp0s20f3
      10.24.24.0      0.0.0.0         255.255.255.0   U         0 0          0 wlp0s20f3
      10.24.24.1      0.0.0.0         255.255.255.255 UH        0 0          0 wlp0s20f3
      172.16.23.0     172.16.100.1    255.255.255.0   UG        0 0          0 tun0
      172.16.33.0     172.16.100.1    255.255.255.0   UG        0 0          0 tun0
      172.16.100.0    0.0.0.0         255.255.255.0   U         0 0          0 tun0
      

      10.24.24.0/24 is the home network (.1 the home gateway). 172.16.100.0/24 is the VPN network with routes to 172.16.23.0/24 and 172.16.33.0/24 networks.

      You can see that the VPN pushes a default GW with a lower metric to my end user, which ends up forcing all traffic over the VPN tunnel despite the intended destination.

      $ ip route
      default via 172.16.100.1 dev tun0 proto static metric 50 
      default via 10.24.24.1 dev wlp0s20f3 proto dhcp metric 600 
      

      If I delete that default route ($ sudo ip route delete default via 172.16.100.1 dev tun0) then I get the desired outcome - traffic destined for the 172.16/24 networks goes over the VPN and everything else goes out the home gateway.

      So... why is OpenVPN pushing the default route to move all traffic over the VPN despite the setting being unchecked? Is there a way to prevent this so I can keep non-work traffic from traversing the VPN?

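The two checks a practitioner would run on the client before blaming the server, as an added example that is not code from the post: read `ip route` output the way the poster did and say which default route actually wins (Linux uses the default route with the lowest metric, so metric 50 on tun0 beats metric 600 on the Wi-Fi gateway even though both are listed), and read the OpenVPN client log to see what the server really sent in its PUSH_REPLY. Two details worth knowing when reading the result: OpenVPN's own `redirect-gateway def1` installs 0.0.0.0/1 and 128.0.0.0/1 rather than a second default route, and metric 50 is what NetworkManager assigns to a VPN connection's default route, so a table like the poster's points at the client-side connection settings rather than at a server push. The routing table and the log line below are constructed to mirror the poster's setup; on a real machine pipe `ip route` and the client log (at `--verb 3` or higher) into the same functions.

```shell
#!/bin/sh
# Added example, not code from the forum thread.
set -eu

# stdin: `ip route` output.  stdout: one "<iface> <metric>" line per default
# route.  A default route printed without "metric" has kernel metric 0.
default_routes() {
    awk '$1 == "default" {
            dev = "?"; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dev")    dev    = $(i + 1)
                if ($i == "metric") metric = $(i + 1)
            }
            print dev, metric
        }'
}

# $1 = VPN interface; stdin: `ip route` output.
# Prints "full-tunnel" when the VPN interface holds the preferred (lowest
# metric) default route, "split-tunnel" otherwise (no default via the VPN,
# or a default via the VPN that loses to another interface).
tunnel_mode() {
    routes=$(default_routes)
    vpn=""; other=""
    while read -r dev metric; do
        [ -n "$dev" ] || continue
        if [ "$dev" = "$1" ]; then
            if [ -z "$vpn" ] || [ "$metric" -lt "$vpn" ]; then vpn=$metric; fi
        else
            if [ -z "$other" ] || [ "$metric" -lt "$other" ]; then other=$metric; fi
        fi
    done <<EOF
$routes
EOF
    if [ -z "$vpn" ]; then
        echo split-tunnel
    elif [ -z "$other" ] || [ "$vpn" -lt "$other" ]; then
        echo full-tunnel
    else
        echo split-tunnel
    fi
}

# stdin: OpenVPN client log at --verb 3 or higher.  stdout: the options the
# server sent in PUSH_REPLY, one per line.  A server that wants the tunnel
# to be the default shows "redirect-gateway ..." here; a server that only
# sends "route ..." lines did not ask for it, so a default route via the
# tunnel was added by something on the client side.
pushed_options() {
    sed -n "s/.*PUSH_REPLY,\(.*\)'.*/\1/p" | tr ',' '\n'
}

# Constructed sample mirroring the poster's `ip route` output.
SAMPLE_ROUTES='default via 172.16.100.1 dev tun0 proto static metric 50
default via 10.24.24.1 dev wlp0s20f3 proto dhcp metric 600
10.24.24.0/24 dev wlp0s20f3 proto kernel scope link src 10.24.24.7 metric 600
172.16.23.0/24 via 172.16.100.1 dev tun0 proto static metric 50
172.16.33.0/24 via 172.16.100.1 dev tun0 proto static metric 50
172.16.100.0/24 dev tun0 proto kernel scope link src 172.16.100.2 metric 50'

# The same table after `sudo ip route delete default via 172.16.100.1 dev tun0`.
SAMPLE_ROUTES_FIXED=$(printf '%s\n' "$SAMPLE_ROUTES" | grep -v '^default via 172.16.100.1')

# Constructed client log line: two routes pushed, no redirect-gateway.
SAMPLE_LOG="2024-01-01 12:00:00 PUSH: Received control message: 'PUSH_REPLY,route 172.16.23.0 255.255.255.0,route 172.16.33.0 255.255.255.0,route-gateway 172.16.100.1,topology subnet,ping 10,ping-restart 120,ifconfig 172.16.100.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'"

printf 'before: %s\n' "$(printf '%s\n' "$SAMPLE_ROUTES" | tunnel_mode tun0)"
printf 'after:  %s\n' "$(printf '%s\n' "$SAMPLE_ROUTES_FIXED" | tunnel_mode tun0)"
if printf '%s\n' "$SAMPLE_LOG" | pushed_options | grep -q '^redirect-gateway'; then
    echo 'server pushed redirect-gateway'
else
    echo 'server did not push redirect-gateway; pushed routes:'
    printf '%s\n' "$SAMPLE_LOG" | pushed_options | grep '^route '
fi
```

On the poster's table the first function reports full-tunnel, and after deleting the tun0 default it reports split-tunnel, which matches what the poster observed; the second function is the evidence viragomann asks for further down the thread, since it shows whether `redirect-gateway` was in the PUSH_REPLY at all.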
        Troutpocket @Troutpocket

        Note... this is the case with a Linux client and openvpn 2.5.5. I tested it in Windows and the routes behaved as they should - no default route through the VPN. The Windows version is 2.5.3.

          A Former User

          @troutpocket Post your OpenVPN server settings please!

            viragomann @Troutpocket

            @troutpocket said in All traffic crossing VPN despite "redirect all ipv4" unchecked:

            You can see that the VPN pushes a default GW with lower metric to my end user which ends up forcing all traffic over the VPN tunnel despite the intended destination.

            All I can see here is that a default route pointing to the VPN server is set on the device.
            To see if it's pushed by the server you have to provide the client log or even the server settings.

            Note... this is the case with a Linux client and openvpn 2.5.5.

            What client do you use?

              Troutpocket

              @viragomann After further investigation I think this is a problem with Gnome's OpenVPN client. It defaults to sending all traffic over the connection no matter what I put in the config. There's a checkbox labeled "Use this connection only for resources on this network" which is not checked despite server or client config settings.

              Otherwise, it works as expected for the Windows client.

                viragomann @Troutpocket

                @troutpocket
                I had this issue in former versions of the network manager OpenVPN client.
                To workaround, I checked "don't pull routes" and entered the remote network manually above. As far as I remember, you only need to enter the network and mask and save it.

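The workaround viragomann describes, and the checkbox Troutpocket found, expressed as reviewable commands rather than GUI clicks, as an added example that is not code from the thread. The mapping of the GUI checkbox "Use this connection only for resources on this network" to `ipv4.never-default`, and of "don't pull routes" plus a manually entered remote network to `ipv4.ignore-auto-routes` with explicit `ipv4.routes`, is this example's assumption; the connection name `work-vpn` and the two networks are placeholders. For the server side it also prints the `push "route ..."` lines for the same networks (pfSense generates these from the server's IPv4 Local network(s) field), with the `redirect-gateway` push shown commented out because its presence is what would turn every route-honouring client into a full tunnel.

```shell
#!/bin/sh
# Added example, not code from the forum thread.
set -eu

# Convert a prefix length (0-32) to a dotted netmask: 24 -> 255.255.255.0.
# OpenVPN's "route" directive takes a dotted mask, not CIDR notation.
cidr_to_mask() {
    bits=$1
    [ "$bits" -ge 0 ] && [ "$bits" -le 32 ] || { echo "bad prefix: $bits" >&2; return 1; }
    mask=""
    for _ in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then octet=255
        elif [ "$bits" -le 0 ]; then octet=0
        else octet=$(( 256 - (1 << (8 - bits)) ))
        fi
        mask="${mask}${mask:+.}$octet"
        bits=$(( bits - 8 ))
    done
    echo "$mask"
}

# Print the nmcli commands that make a NetworkManager VPN connection a
# split tunnel: never take the default route, ignore whatever routes the
# server pushes, and route only the listed networks through it.  Nothing is
# executed here; review the output, then pipe it to sh on the client.
# $1 = connection name, remaining args = networks in CIDR (assumed names).
nm_split_tunnel_cmds() {
    conn=$1; shift
    routes=""
    for net in "$@"; do routes="${routes}${routes:+,}${net}"; done
    printf "nmcli connection modify '%s' ipv4.never-default yes\n" "$conn"
    printf "nmcli connection modify '%s' ipv4.ignore-auto-routes yes\n" "$conn"
    printf "nmcli connection modify '%s' ipv4.routes '%s'\n" "$conn" "$routes"
    printf "nmcli connection down '%s'; nmcli connection up '%s'\n" "$conn" "$conn"
}

# Print the server-side push lines for the same networks.  The weak setting
# is shown commented out for contrast: with it present, clients that honour
# pushed options send all traffic through the tunnel.
# args = networks in CIDR.
openvpn_push_lines() {
    for net in "$@"; do
        ip=${net%/*}; prefix=${net#*/}
        printf 'push "route %s %s"\n' "$ip" "$(cidr_to_mask "$prefix")"
    done
    echo '# push "redirect-gateway def1"   # must NOT be present for a split tunnel'
}

# Placeholder networks matching the thread's examples.
NETS="172.16.23.0/24 172.16.33.0/24"
echo "# client (NetworkManager):"
nm_split_tunnel_cmds work-vpn $NETS
echo "# server (OpenVPN server config):"
openvpn_push_lines $NETS
```

After applying the client commands and reconnecting, `ip route` should show the two 172.16.x.0/24 routes via the tunnel and a single default route via the home gateway; if a default via tun0 still appears, the VPN connection's `ipv4.never-default` did not take effect and the client profile should be inspected with `nmcli connection show work-vpn`.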
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.