OpenVPN: Internet traffic not bypassing VPN connection
-
Hi OpenVPN Pros!
On my pfSense 2.4.4 release 1 server, I configured an OpenVPN server. Despite OpenVPN's documentation at https://openvpn.net/community-resources/how-to/#routing-all-client-traffic-including-web-traffic-through-the-vpn saying
By default, when an OpenVPN client is active, only network traffic to and from the OpenVPN server site will pass over the VPN. General web browsing, for example, will be accomplished with direct connections that bypass the VPN.
the clients' Internet traffic is not being bypassed.
We want to have this standard behaviour.
This is the clients' OVPN file:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote 123.231.123.231 5293 udp
auth-user-pass
ca myCompanys-ca.crt
tls-auth myCompanys-tls.key 1
remote-cert-tls server
comp-lzo no
This is the server's configuration:
<openvpn-server>
  <vpnid>4</vpnid>
  <mode>server_user</mode>
  <authmode>LDAP Server</authmode>
  <protocol>UDP4</protocol>
  <dev_mode>tun</dev_mode>
  <interface>wan</interface>
  <ipaddr></ipaddr>
  <local_port>5293</local_port>
  <description><![CDATA[Employee VPN]]></description>
  <custom_options>mssfix 1440; auth-nocache;</custom_options>
  <tls>TheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkeyTheTLSkey</tls>
  <tls_type>auth</tls_type>
  <caref>6t78re8f78g7f8</caref>
  <crlref></crlref>
  <certref>6t78re8f78g7f8</certref>
  <dh_length>4096</dh_length>
  <ecdh_curve>none</ecdh_curve>
  <cert_depth>1</cert_depth>
  <crypto>AES-256-CBC</crypto>
  <digest>SHA256</digest>
  <engine>none</engine>
  <tunnel_network>10.85.19.0/24</tunnel_network>
  <tunnel_networkv6></tunnel_networkv6>
  <remote_network></remote_network>
  <remote_networkv6></remote_networkv6>
  <gwredir></gwredir>
  <gwredir6></gwredir6>
  <local_network>192.168.169.0/23, 192.168.175.0/23</local_network>
  <local_networkv6></local_networkv6>
  <maxclients></maxclients>
  <compression>no</compression>
  <compression_push></compression_push>
  <passtos></passtos>
  <client2client></client2client>
  <dynamic_ip>yes</dynamic_ip>
  <topology>subnet</topology>
  <serverbridge_dhcp></serverbridge_dhcp>
  <serverbridge_interface>none</serverbridge_interface>
  <serverbridge_routegateway></serverbridge_routegateway>
  <serverbridge_dhcp_start></serverbridge_dhcp_start>
  <serverbridge_dhcp_end></serverbridge_dhcp_end>
  <dns_domain>myCompany.com</dns_domain>
  <dns_server1>192.168.169.2</dns_server1>
  <dns_server2>192.168.175.2</dns_server2>
  <dns_server3></dns_server3>
  <dns_server4></dns_server4>
  <sndrcvbuf></sndrcvbuf>
  <netbios_enable>yes</netbios_enable>
  <netbios_ntype>0</netbios_ntype>
  <netbios_scope></netbios_scope>
  <create_gw>both</create_gw>
  <verbosity_level>1</verbosity_level>
  <nbdd_server1></nbdd_server1>
  <ncp-ciphers>AES-256-CBC</ncp-ciphers>
  <ncp_enable>enabled</ncp_enable>
</openvpn-server>
In the server's configuration the following three options are not enabled:
Redirect IPv4 Gateway: Force all client-generated IPv4 traffic through the tunnel.
Block Outside DNS: Make Windows 10 Clients Block access to DNS servers except across OpenVPN while connected, forcing clients to use only VPN DNS servers. Requires Windows 10 and OpenVPN 2.3.9 or later. Only Windows 10 is prone to DNS leakage in this way, other clients will ignore the option as they are not affected.
Force DNS cache update: Run "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /registerdns" on connection initiation. This is known to kick Windows into recognizing pushed DNS servers.
Thanks for your time and help.
-
@reschi1 said in OpenVPN: Internet traffic not bypassing VPN connection:
the clients' Internet traffic is not being bypassed.
Why do you think so?
How did you determine that? Traceroute, public IP check? Post the routing table of the client computer while the VPN is connected.
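The routing-table check asked for above, as an added example that is not part of viragomann's reply or of pfSense/OpenVPN itself. With gwredir empty in the posted server config, nothing pushes redirect-gateway, so the client should keep its own default route and only get the tunnel network plus the pushed local networks via the tunnel. When Redirect IPv4 Gateway is enabled, OpenVPN's "redirect-gateway def1" does not replace the default route; it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel (more specific than 0.0.0.0/0, so they win) plus a host route to the VPN server via the old gateway. The script below classifies "ip route" output on that basis. The interface name tun0, the LAN addresses and both sample tables are assumptions/constructed; the tunnel network 10.85.19.0/24 and the server address 123.231.123.231 are taken from the posted configuration.

```shell
#!/bin/sh
# Added example (not from the thread): decide from a Linux client's routing
# table whether Internet traffic would leave through the OpenVPN tunnel.
# Assumes "ip route" output format and a tunnel interface named tun0.

# Constructed sample: split tunnel, i.e. no redirect-gateway pushed (this
# thread's server config). Only the tunnel network and pushed local routes
# point at tun0; the default route still uses the LAN gateway.
SPLIT_TUNNEL='default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.85.19.0/24 dev tun0 proto kernel scope link src 10.85.19.3
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Constructed sample: what "redirect-gateway def1" produces. The original
# default route survives, but 0.0.0.0/1 and 128.0.0.0/1 via tun0 cover the
# whole address space and are preferred, and a /32 for the VPN server keeps
# the tunnel's own packets on the physical interface.
FULL_TUNNEL='default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.85.19.1 dev tun0
128.0.0.0/1 via 10.85.19.1 dev tun0
10.85.19.0/24 dev tun0 proto kernel scope link src 10.85.19.3
123.231.123.231 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# classify_routes <ip-route-output> <tunnel-interface>
# Prints "full-tunnel" when either the default route itself or both def1
# half-routes go via the tunnel interface, otherwise "split-tunnel".
classify_routes() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        function dev_of(    i) { for (i = 1; i <= NF; i++) if ($i == "dev") return $(i + 1); return "" }
        $1 == "default" || $1 == "0.0.0.0/0" { def = dev_of() }
        $1 == "0.0.0.0/1"                    { if (dev_of() == tun) low = 1 }
        $1 == "128.0.0.0/1"                  { if (dev_of() == tun) high = 1 }
        END {
            if ((low && high) || def == tun) print "full-tunnel"
            else print "split-tunnel"
        }'
}

# Offline demonstration on the constructed tables.
echo "sample without redirect-gateway: $(classify_routes "$SPLIT_TUNNEL" tun0)"   # split-tunnel
echo "sample with redirect-gateway def1: $(classify_routes "$FULL_TUNNEL" tun0)"  # full-tunnel

# Live check on a connected Linux client: ./check-routes.sh --live [tun0]
if [ "${1:-}" = "--live" ]; then
    classify_routes "$(ip route show)" "${2:-tun0}"
fi
```

On a BSD or macOS client the same idea applies to "netstat -rn" (look for 0.0.0.0/1 and 128.0.0.0/1 on the utun/tun interface), and on Windows to "route print". One caveat worth checking while you have the client's table in front of you: the posted local_network entries 192.168.169.0/23 and 192.168.175.0/23 are not aligned on a /23 boundary (the /23 blocks containing those addresses are 192.168.168.0/23 and 192.168.174.0/23), so compare the routes the client actually installed against the hosts you expect to reach rather than assuming the pushed prefixes landed as written.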
-
Hi viragomann,
thank you for your reply.
You're right, the internet traffic is bypassing the VPN connection.
My user reported otherwise.
The real issue seems to be recurring DNS latency in around 20% of the WWW queries (i.e. when using the web browser while the VPN connection is established).
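A way to put a number on that symptom, as an added example that is not part of reschi1's post: query each pushed VPN resolver repeatedly with dig, record per-query time and response code, and report the share of queries that are slow or fail. The resolver addresses 192.168.169.2 and 192.168.175.2 are the dns_server entries from the posted server config; dig being installed, the 500 ms threshold, the hostname intranet.myCompany.com and the sample timings are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the thread): measure resolver latency over the VPN
# and report what fraction of queries exceed a threshold or get no answer.
# Assumes dig (bind-tools / dnsutils) is installed on the client.

# measure_resolver <server> <name> [count]
# Emits one line per query: "<ms> <rcode>", taken from dig's
# ";; Query time: N msec" and ";; ->>HEADER<<- ... status: RCODE," lines.
# A query that gets no reply has no Query time line and becomes "timeout NOANSWER".
measure_resolver() {
    server=$1; name=$2; count=${3:-20}
    i=0
    while [ "$i" -lt "$count" ]; do
        dig +tries=1 +time=5 @"$server" "$name" A 2>/dev/null | awk '
            /^;; ->>HEADER<<-/ { sub(/,$/, "", $6); rc = $6 }
            /^;; Query time:/  { ms = $4 }
            END {
                if (ms == "") ms = "timeout"
                if (rc == "") rc = "NOANSWER"
                print ms, rc
            }'
        i=$((i + 1))
    done
}

# slow_fraction <threshold-ms>
# Reads "<ms> <rcode>" lines on stdin and prints "slow=N total=N pct=N".
# Anything non-numeric (a timeout) counts as slow, as does any time over
# the threshold, regardless of rcode.
slow_fraction() {
    awk -v limit="$1" '
        { total++; if ($1 !~ /^[0-9]+$/ || $1 + 0 > limit) slow++ }
        END { printf "slow=%d total=%d pct=%d\n", slow, total, (total ? 100 * slow / total : 0) }'
}

# Constructed sample of five measurements: one slow answer and one timeout.
DNS_SAMPLE='12 NOERROR
15 NOERROR
2300 NOERROR
14 NOERROR
timeout NOANSWER'

# Offline demonstration on the constructed sample.
echo "constructed sample: $(printf '%s\n' "$DNS_SAMPLE" | slow_fraction 500)"   # slow=2 total=5 pct=40

# Live use on a connected client, e.g. 50 queries per pushed resolver:
#   for r in 192.168.169.2 192.168.175.2; do
#       echo "$r: $(measure_resolver "$r" intranet.myCompany.com 50 | slow_fraction 500)"
#   done
```

Run it once per pushed resolver and once against the client's normal LAN resolver for the same name; if only the VPN resolvers show a slow tail, the problem is on the tunnel or the internal DNS path, and if all of them do, it is the client. Use a name the internal servers are authoritative for as well as an external one, since a slow upstream forwarder on the pfSense side shows up only for the latter.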