Netgate Discussion Forum

    OpenVPN: Internet traffic not bypassing VPN connection

    3 Posts 2 Posters 312 Views
    reschi1

      Hi OpenVPN Pros!

      On my pfSense 2.4.4 release 1 server, I configured OpenVPN server. Despite OpenVPN's documentation at https://openvpn.net/community-resources/how-to/#routing-all-client-traffic-including-web-traffic-through-the-vpn saying

      By default, when an OpenVPN client is active, only network traffic to and from the OpenVPN server site will pass over the VPN. General web browsing, for example, will be accomplished with direct connections that bypass the VPN.
      

      the clients' Internet traffic is not being bypassed.

      We want to have this standard behaviour.

      This is the clients' OVPN file:

      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      ncp-ciphers AES-256-CBC
      auth SHA256
      tls-client
      client
      resolv-retry infinite
      remote 123.231.123.231 5293 udp
      auth-user-pass
      ca myCompanys-ca.crt
      tls-auth myCompanys-tls.key 1
      remote-cert-tls server
      comp-lzo no
      

      This is the server's configuration:

      <openvpn-server>
      			<vpnid>4</vpnid>
      			<mode>server_user</mode>
      			<authmode>LDAP Server</authmode>
      			<protocol>UDP4</protocol>
      			<dev_mode>tun</dev_mode>
      			<interface>wan</interface>
      			<ipaddr></ipaddr>
      			<local_port>5293</local_port>
      			<description><![CDATA[Employee VPN]]></description>
      			<custom_options>mssfix 1440;
      auth-nocache;</custom_options>
      			<tls>TheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkey</tls>
      			<tls_type>auth</tls_type>
      			<caref>6t78re8f78g7f8</caref>
      			<crlref></crlref>
      			<certref>6t78re8f78g7f8</certref>
      			<dh_length>4096</dh_length>
      			<ecdh_curve>none</ecdh_curve>
      			<cert_depth>1</cert_depth>
      			<crypto>AES-256-CBC</crypto>
      			<digest>SHA256</digest>
      			<engine>none</engine>
      			<tunnel_network>10.85.19.0/24</tunnel_network>
      			<tunnel_networkv6></tunnel_networkv6>
      			<remote_network></remote_network>
      			<remote_networkv6></remote_networkv6>
      			<gwredir></gwredir>
      			<gwredir6></gwredir6>
      			<local_network>192.168.169.0/23, 192.168.175.0/23</local_network>
      			<local_networkv6></local_networkv6>
      			<maxclients></maxclients>
      			<compression>no</compression>
      			<compression_push></compression_push>
      			<passtos></passtos>
      			<client2client></client2client>
      			<dynamic_ip>yes</dynamic_ip>
      			<topology>subnet</topology>
      			<serverbridge_dhcp></serverbridge_dhcp>
      			<serverbridge_interface>none</serverbridge_interface>
      			<serverbridge_routegateway></serverbridge_routegateway>
      			<serverbridge_dhcp_start></serverbridge_dhcp_start>
      			<serverbridge_dhcp_end></serverbridge_dhcp_end>
      			<dns_domain>myCompany.com</dns_domain>
      			<dns_server1>192.168.169.2</dns_server1>
      			<dns_server2>192.168.175.2</dns_server2>
      			<dns_server3></dns_server3>
      			<dns_server4></dns_server4>
      			<sndrcvbuf></sndrcvbuf>
      			<netbios_enable>yes</netbios_enable>
      			<netbios_ntype>0</netbios_ntype>
      			<netbios_scope></netbios_scope>
      			<create_gw>both</create_gw>
      			<verbosity_level>1</verbosity_level>
      			<nbdd_server1></nbdd_server1>
      			<ncp-ciphers>AES-256-CBC</ncp-ciphers>
      			<ncp_enable>enabled</ncp_enable>
      		</openvpn-server>
      

      On the server's configuration the following three options are not enabled:

      
      Redirect IPv4 Gateway
      Force all client-generated IPv4 traffic through the tunnel.
      
      Block Outside DNS
      Make Windows 10 Clients Block access to DNS servers except across OpenVPN while connected, forcing clients to use only VPN DNS servers. Requires Windows 10 and OpenVPN 2.3.9 or later. Only Windows 10 is prone to DNS leakage in this way, other clients will ignore the option as they are not affected.
      
      Force DNS cache update
      Run "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /registerdns" on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.
      
      
      

      Thanks for your time and help.

      viragomann @reschi1
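The three unchecked pfSense options above map onto pushed OpenVPN directives: "Redirect IPv4 Gateway" pushes `redirect-gateway def1`, "Block Outside DNS" pushes `block-outside-dns`, and "Force DNS cache update" pushes `register-dns`. The script below is an added example (editor's code, not from the poster or from pfSense) that reads an `<openvpn-server>` fragment like the one quoted in the post and reports whether clients get a split or a full tunnel, which routes and DNS servers are pushed, and whether the Windows DNS-leak guard is present. The XML embedded in it is a constructed, trimmed copy of the config in the post; the interpretation of `gwredir` and `custom_options` as the source of those pushed directives is the editor's assumption, noted in the comments.

```python
"""Audit a pfSense <openvpn-server> fragment for tunnel mode and DNS-leak exposure.

Added example, not code from the thread or from pfSense.  SERVER_XML is a
constructed, trimmed copy of the server config quoted in the post.  The
assumption (editor's, documented inline) is that gwredir=yes corresponds to
pushing redirect-gateway def1 and that custom_options may carry hand-written
push directives such as block-outside-dns.
"""
import xml.etree.ElementTree as ET

SERVER_XML = """
<openvpn-server>
  <vpnid>4</vpnid>
  <mode>server_user</mode>
  <protocol>UDP4</protocol>
  <dev_mode>tun</dev_mode>
  <custom_options>mssfix 1440;
auth-nocache;</custom_options>
  <tunnel_network>10.85.19.0/24</tunnel_network>
  <gwredir></gwredir>
  <gwredir6></gwredir6>
  <local_network>192.168.169.0/23, 192.168.175.0/23</local_network>
  <dns_domain>myCompany.com</dns_domain>
  <dns_server1>192.168.169.2</dns_server1>
  <dns_server2>192.168.175.2</dns_server2>
  <dns_server3></dns_server3>
  <dns_server4></dns_server4>
  <topology>subnet</topology>
</openvpn-server>
"""


def _text(root, tag):
    """Return the stripped text of a child element, or '' when absent/empty."""
    node = root.find(tag)
    return (node.text or "").strip() if node is not None else ""


def custom_directives(root):
    """pfSense stores 'Custom options' as ';'-separated (and newline-separated) lines."""
    raw = _text(root, "custom_options")
    return [d.strip() for d in raw.replace("\n", ";").split(";") if d.strip()]


def audit(xml_text):
    """Summarise what this server pushes to clients and flag split-tunnel/DNS-leak points."""
    root = ET.fromstring(xml_text)
    custom = custom_directives(root)

    # Assumption: the 'Redirect IPv4 Gateway' checkbox (gwredir=yes) is what makes
    # pfSense push redirect-gateway def1; an admin may also have typed it by hand.
    full_tunnel = _text(root, "gwredir") == "yes" or any(
        "redirect-gateway" in d for d in custom
    )
    # 'IPv4 Local network(s)' become pushed routes; in a split tunnel these are
    # the only destinations that traverse the VPN.
    routes = [n.strip() for n in _text(root, "local_network").split(",") if n.strip()]
    dns = [_text(root, f"dns_server{i}") for i in range(1, 5)]
    dns = [d for d in dns if d]
    # 'Block Outside DNS' pushes block-outside-dns (Windows 10 only, per the UI text).
    block_outside_dns = any("block-outside-dns" in d for d in custom)

    findings = []
    if not full_tunnel:
        findings.append("split tunnel: only " + ", ".join(routes) + " go over the VPN")
    if dns and not block_outside_dns:
        findings.append("DNS servers pushed without block-outside-dns; Windows 10 clients may leak DNS")
    return {
        "full_tunnel": full_tunnel,
        "pushed_routes": routes,
        "dns_servers": dns,
        "block_outside_dns": block_outside_dns,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in audit(SERVER_XML).items():
        print(f"{key}: {value}")
```

Run against the posted config this reports a split tunnel with the two /23 office networks as the only pushed routes, which is exactly the "standard behaviour" the poster wanted; flipping `<gwredir>` to `yes` is what would make general Internet traffic enter the tunnel.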

        @reschi1 said in OpenVPN: Internet traffic not bypassing VPN connection:

        the clients' Internet traffic is not being bypassed.

        Why do you think so?
        How did you determine that? Traceroute, public IP check?

        Post the routing table of the client computer, while the vpn is connected.

          reschi1

          Hi viragomann,

          thank you for your reply.

          You're right, the internet traffic is bypassing the VPN connection.

          My user reported otherwise.

          The real issue seems to be recurring DNS latency in around 20% of the WWW queries (i.e. using the web browser when the VPN connection is established.)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.