OpenVPN Tunnel network metric
-
Hello,
I have an OpenVPN config like:
dev ovpns10
verb 1
dev-type tun
dev-node /dev/tun10
writepid /var/run/openvpn_server10.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local WANIP
engine rdrand
tls-server
server 10.94.0.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server10
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'MyVPN' 1"
lport 1197
management /var/etc/openvpn/server10.sock unix
push "dhcp-option DOMAIN ad.mydomain.com"
push "dhcp-option DNS 10.1.0.3"
ca /var/etc/openvpn/server10.ca
cert /var/etc/openvpn/server10.cert
key /var/etc/openvpn/server10.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server10.tls-auth 0
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-192-CBC:AES-256-CBC
compress lz4-v2
topology subnet
fast-io
push "route 10.1.0.3 255.255.255.255 10.94.0.1 900"
It's supposed to be a "service" VPN which gives a connection only to the AD server, for purposes like changing passwords etc.
For this it needs to resolve dc1.ad.mydomain.com
to the local address (10.1.0.3). And for the "internet" connection I don't want computers to use this internal DNS, as I have some domains overridden to LAN addresses which are blocked by default, e.g.:
projects.mydomain.com
is supposed to be resolved by the external DNS, not the internal 10.1.0.3, as it would return an address which is not available from the service VPN. Routes look like this:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.100.1    192.168.100.4     55
         10.1.0.3  255.255.255.255        10.94.0.1        10.94.0.9    900
        10.94.0.0    255.255.255.0         On-link         10.94.0.9    291
        10.94.0.9  255.255.255.255         On-link         10.94.0.9    291
      10.94.0.255  255.255.255.255         On-link         10.94.0.9    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
    192.168.100.0    255.255.255.0         On-link     192.168.100.4    311
    192.168.100.4  255.255.255.255         On-link     192.168.100.4    311
  192.168.100.255  255.255.255.255         On-link     192.168.100.4    311
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.94.0.9    291
        224.0.0.0        240.0.0.0         On-link     192.168.100.4    311
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link         10.94.0.9    291
  255.255.255.255  255.255.255.255         On-link     192.168.100.4    311
I think I need somehow to change these 3 lines:
        10.94.0.0    255.255.255.0         On-link         10.94.0.9    291
        10.94.0.9  255.255.255.255         On-link         10.94.0.9    291
      10.94.0.255  255.255.255.255         On-link         10.94.0.9    291
to metric 900, so it would be higher than the WiFi connection.
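To see how Windows actually chooses between the routes in that table, here is a small added example (not part of the original post or of pfSense/OpenVPN) that parses `route print` style rows and applies the selection rule Windows uses: the longest matching prefix wins first, and the metric only breaks ties between routes of equal prefix length. It also lists the on-link routes for one interface that sit below a given metric, which is the set of lines the question is about. The route rows are copied from the table above; the function names and the threshold are assumptions for illustration.

```python
import ipaddress

# Constructed sample: the Windows route table rows from the post above.
ROUTE_TABLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.100.1    192.168.100.4     55
         10.1.0.3  255.255.255.255        10.94.0.1        10.94.0.9    900
        10.94.0.0    255.255.255.0         On-link         10.94.0.9    291
        10.94.0.9  255.255.255.255         On-link         10.94.0.9    291
      10.94.0.255  255.255.255.255         On-link         10.94.0.9    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
    192.168.100.0    255.255.255.0         On-link     192.168.100.4    311
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         10.94.0.9    291
        224.0.0.0        240.0.0.0         On-link     192.168.100.4    311
  255.255.255.255  255.255.255.255         On-link         10.94.0.9    291
"""

LIMITED_BROADCAST = ipaddress.IPv4Network("255.255.255.255/32")


def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows; skip headers."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or blank line
        dest, mask, gateway, iface, metric = parts
        routes.append({
            "net": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": None if gateway == "On-link" else gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def select_route(routes, destination):
    """Windows rule: longest prefix match first, lowest metric as tie-break."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def low_metric_onlink_routes(routes, interface, threshold):
    """On-link unicast routes of one interface whose metric is below threshold.

    The multicast (224.0.0.0/4) and limited-broadcast (255.255.255.255/32)
    entries Windows adds to every interface are skipped so only the routes
    the adapter's interface metric really governs are reported.
    """
    return [
        r for r in routes
        if r["interface"] == interface
        and r["gateway"] is None
        and r["metric"] < threshold
        and not r["net"].is_multicast
        and r["net"] != LIMITED_BROADCAST
    ]


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for dst in ("10.1.0.3", "10.94.0.50", "8.8.8.8", "224.0.0.5"):
        r = select_route(table, dst)
        print(f"{dst:>12} -> {r['net']} via {r['gateway'] or 'On-link'} "
              f"on {r['interface']} (metric {r['metric']})")
    for r in low_metric_onlink_routes(table, "10.94.0.9", 900):
        print(f"below 900 on tunnel: {r['net']} metric {r['metric']}")
```

Running it shows why the pushed `900` on the `10.1.0.3/32` route does not matter for reachability: that /32 beats the WiFi default route by prefix length alone, and the metric only decides among the three equal-length `224.0.0.0/4` entries (where the tunnel's 291 wins). Raising the tunnel adapter's interface metric would move the three on-link routes the post singles out, but it would not change which interface carries traffic for `10.1.0.3`.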
-
@pszafer said in OpenVPN Tunnel network metric:
It's supposed to be a "service" VPN which gives a connection only to the AD server, for purposes like changing passwords etc.
For this it needs to resolve dc1.ad.mydomain.com to the local address (10.1.0.3).
Why don't you simply access the server by using its IP address?
-
IMO it's impossible to tell an Active Directory domain member not to look up the DNS record of the domain name.