OpenVPN: Internet traffic not bypassing VPN connection



  • Hi OpenVPN Pros!

    On my pfSense 2.4.4 release 1 server, I configured OpenVPN server. Despite OpenVPN's documentation at https://openvpn.net/community-resources/how-to/#routing-all-client-traffic-including-web-traffic-through-the-vpn saying

    By default, when an OpenVPN client is active, only network traffic to and from the OpenVPN server site will pass over the VPN. General web browsing, for example, will be accomplished with direct connections that bypass the VPN.
    

    the clients' Internet traffic is not being bypassed.

    We want to have this standard behaviour.

    This is the clients' OVPN file:

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    ncp-ciphers AES-256-CBC
    auth SHA256
    tls-client
    client
    resolv-retry infinite
    remote 123.231.123.231 5293 udp
    auth-user-pass
    ca myCompanys-ca.crt
    tls-auth myCompanys-tls.key 1
    remote-cert-tls server
    comp-lzo no
    

    This is the server's configuration:

    <openvpn-server>
      <vpnid>4</vpnid>
      <mode>server_user</mode>
      <authmode>LDAP Server</authmode>
      <protocol>UDP4</protocol>
      <dev_mode>tun</dev_mode>
      <interface>wan</interface>
      <ipaddr></ipaddr>
      <local_port>5293</local_port>
      <description><![CDATA[Employee VPN]]></description>
      <custom_options>mssfix 1440;
    auth-nocache;</custom_options>
      <tls>TheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkey</tls>
      <tls_type>auth</tls_type>
      <caref>6t78re8f78g7f8</caref>
      <crlref></crlref>
      <certref>6t78re8f78g7f8</certref>
      <dh_length>4096</dh_length>
      <ecdh_curve>none</ecdh_curve>
      <cert_depth>1</cert_depth>
      <crypto>AES-256-CBC</crypto>
      <digest>SHA256</digest>
      <engine>none</engine>
      <tunnel_network>10.85.19.0/24</tunnel_network>
      <tunnel_networkv6></tunnel_networkv6>
      <remote_network></remote_network>
      <remote_networkv6></remote_networkv6>
      <gwredir></gwredir>
      <gwredir6></gwredir6>
      <local_network>192.168.169.0/23, 192.168.175.0/23</local_network>
      <local_networkv6></local_networkv6>
      <maxclients></maxclients>
      <compression>no</compression>
      <compression_push></compression_push>
      <passtos></passtos>
      <client2client></client2client>
      <dynamic_ip>yes</dynamic_ip>
      <topology>subnet</topology>
      <serverbridge_dhcp></serverbridge_dhcp>
      <serverbridge_interface>none</serverbridge_interface>
      <serverbridge_routegateway></serverbridge_routegateway>
      <serverbridge_dhcp_start></serverbridge_dhcp_start>
      <serverbridge_dhcp_end></serverbridge_dhcp_end>
      <dns_domain>myCompany.com</dns_domain>
      <dns_server1>192.168.169.2</dns_server1>
      <dns_server2>192.168.175.2</dns_server2>
      <dns_server3></dns_server3>
      <dns_server4></dns_server4>
      <sndrcvbuf></sndrcvbuf>
      <netbios_enable>yes</netbios_enable>
      <netbios_ntype>0</netbios_ntype>
      <netbios_scope></netbios_scope>
      <create_gw>both</create_gw>
      <verbosity_level>1</verbosity_level>
      <nbdd_server1></nbdd_server1>
      <ncp-ciphers>AES-256-CBC</ncp-ciphers>
      <ncp_enable>enabled</ncp_enable>
    </openvpn-server>
    

    On the server's configuration the following three options are not enabled:

    Redirect IPv4 Gateway
    Force all client-generated IPv4 traffic through the tunnel.

    Block Outside DNS
    Make Windows 10 Clients Block access to DNS servers except across OpenVPN while connected, forcing clients to use only VPN DNS servers. Requires Windows 10 and OpenVPN 2.3.9 or later. Only Windows 10 is prone to DNS leakage in this way, other clients will ignore the option as they are not affected.

    Force DNS cache update
    Run "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /registerdns" on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.


    Thanks for your time and help.



  • @reschi1 said in OpenVPN: Internet traffic not bypassing VPN connection:

    the clients' Internet traffic is not being bypassed.

    Why do you think so?
    How did you determine that? Traceroute, public IP check?

    Post the routing table of the client computer, while the vpn is connected.
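
The routing-table check suggested above, as an added example that is not part of this thread: OpenVPN's redirect-gateway (pfSense's "Redirect IPv4 Gateway") does not replace the client's default route but adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel plus a host route to the VPN server via the original gateway, so a longest-prefix match against the client's `ip route` output tells you whether Internet-bound traffic really leaves via the tunnel. The two route tables are constructed samples built from the thread's values (tunnel 10.85.19.0/24, server 123.231.123.231, LAN 192.168.169.0/23); the client LAN 192.168.1.0/24, the device names eth0/tun0 and the probe address 203.0.113.10 (TEST-NET-3) are assumptions.

```python
import ipaddress

# Constructed sample: client that received "redirect-gateway def1".
# The /1 routes override the DHCP default route without deleting it,
# and the VPN server itself keeps a host route via the physical gateway.
SAMPLE_ROUTES_FULL_TUNNEL = """\
0.0.0.0/1 via 10.85.19.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.85.19.0/24 dev tun0 proto kernel scope link src 10.85.19.6
123.231.123.231 via 192.168.1.1 dev eth0
128.0.0.0/1 via 10.85.19.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.169.0/23 via 10.85.19.1 dev tun0
"""

# Constructed sample: split tunnel as in the thread's config, only the
# pushed local networks are routed via tun0.
SAMPLE_ROUTES_SPLIT_TUNNEL = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.85.19.0/24 dev tun0 proto kernel scope link src 10.85.19.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.169.0/23 via 10.85.19.1 dev tun0
192.168.175.0/23 via 10.85.19.1 dev tun0
"""


def parse_routes(text):
    """Return [(network, device)] from Linux `ip route` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        if "/" not in dst:          # bare host route -> /32
            dst += "/32"
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def egress_device(routes, ip):
    """Longest-prefix match: the interface that carries traffic to `ip`."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def tunnel_mode(route_text, probe="203.0.113.10", vpn_dev="tun0"):
    """'full' if a public probe address egresses via the VPN device, else 'split'."""
    return "full" if egress_device(parse_routes(route_text), probe) == vpn_dev else "split"
```

Run `tunnel_mode(open_output_of_ip_route)` against a real capture to confirm which mode the client is in; a full-tunnel table must still show the VPN server's /32 leaving via the physical interface, otherwise the tunnel would route its own packets into itself.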



  • Hi viragomann,

    thank you for your reply.

    You're right, the internet traffic is bypassing the VPN connection.

    My user reported otherwise.

    The real issue seems to be recurring DNS latency in around 20% of the WWW queries (i.e. using the web browser when the VPN connection is established.)

