OpenVPN Tunnel network metric



  • Hello,

    I have an OpenVPN config like:

    dev ovpns10
    verb 1
    dev-type tun
    dev-node /dev/tun10
    writepid /var/run/openvpn_server10.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local WANIP
    engine rdrand
    tls-server
    server 10.94.0.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server10
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'MyVPN' 1"
    lport 1197
    management /var/etc/openvpn/server10.sock unix
    push "dhcp-option DOMAIN ad.mydomain.com"
    push "dhcp-option DNS 10.1.0.3"
    ca /var/etc/openvpn/server10.ca
    cert /var/etc/openvpn/server10.cert
    key /var/etc/openvpn/server10.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server10.tls-auth 0
    ncp-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC:AES-192-CBC:AES-256-CBC
    compress lz4-v2
    topology subnet
    fast-io
    push "route 10.1.0.3 255.255.255.255 10.94.0.1 900"
    

    It's supposed to be a "service" VPN which gives a connection only to the AD server for purposes like changing passwords etc.
    For this it needs to resolve dc1.ad.mydomain.com to the local address (10.1.0.3).

    And for the "internet" connection I don't want computers to use this internal DNS, as I have some domains overridden to LAN addresses which are blocked by default, e.g. projects.mydomain.com is supposed to be resolved by external DNS, not the internal 10.1.0.3, as it would return an address which is not available from the service VPN.

    Routes look like this:

    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.100.1    192.168.100.4     55
             10.1.0.3  255.255.255.255        10.94.0.1        10.94.0.9    900
            10.94.0.0    255.255.255.0         On-link         10.94.0.9    291
            10.94.0.9  255.255.255.255         On-link         10.94.0.9    291
          10.94.0.255  255.255.255.255         On-link         10.94.0.9    291
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        192.168.100.0    255.255.255.0         On-link     192.168.100.4    311
        192.168.100.4  255.255.255.255         On-link     192.168.100.4    311
      192.168.100.255  255.255.255.255         On-link     192.168.100.4    311
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
            224.0.0.0        240.0.0.0         On-link         10.94.0.9    291
            224.0.0.0        240.0.0.0         On-link     192.168.100.4    311
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      255.255.255.255  255.255.255.255         On-link         10.94.0.9    291
      255.255.255.255  255.255.255.255         On-link     192.168.100.4    311
    

    I think I need to somehow change these 3 lines:

    10.94.0.0    255.255.255.0         On-link         10.94.0.9    291
    10.94.0.9  255.255.255.255         On-link         10.94.0.9    291
    10.94.0.255  255.255.255.255         On-link         10.94.0.9    291
    

    to metric 900, so it would be higher than the WiFi connection.
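As an added illustration (not part of the thread), the following Python replays Windows route selection over the table quoted above: longest prefix wins, and the metric only breaks ties between routes of equal prefix length. It shows that raising the three tunnel On-link routes from 291 to 900 changes no forwarding decision for unicast traffic, because no other route shares their prefix and interface; the route entries are copied from the post, the test destinations are constructed.

```python
import ipaddress

# Route table copied from the "route print" output in the post
# (loopback, multicast and broadcast rows left out; they are not unicast paths).
ROUTES = [
    # (destination, netmask, gateway, interface, metric)
    ("0.0.0.0", "0.0.0.0", "192.168.100.1", "192.168.100.4", 55),
    ("10.1.0.3", "255.255.255.255", "10.94.0.1", "10.94.0.9", 900),
    ("10.94.0.0", "255.255.255.0", "On-link", "10.94.0.9", 291),
    ("10.94.0.9", "255.255.255.255", "On-link", "10.94.0.9", 291),
    ("192.168.100.0", "255.255.255.0", "On-link", "192.168.100.4", 311),
    ("192.168.100.4", "255.255.255.255", "On-link", "192.168.100.4", 311),
]

def select_route(dst, routes=ROUTES):
    """Return (gateway, interface, metric) the host would use for dst:
    the most specific (longest prefix) matching route wins; only when two
    matching routes have the same prefix length does the lower metric win."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, mask, gw, iface, metric in routes:
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)          # longer prefix, then lower metric
        if best is None or key > best[0]:
            best = (key, (gw, iface, metric))
    return best[1] if best else None

def with_tun_metric(metric, routes=ROUTES, iface="10.94.0.9"):
    """Copy of the table with every On-link route on the tunnel interface
    re-metriced, i.e. the change the poster proposes (291 -> 900)."""
    return [
        (d, m, gw, i, metric if (gw == "On-link" and i == iface) else met)
        for d, m, gw, i, met in routes
    ]

def decision_changes(metric, dests):
    """Constructed destinations whose (gateway, interface) choice differs
    after the tunnel On-link routes are re-metriced. Expected: none."""
    alt = with_tun_metric(metric)
    return [d for d in dests
            if select_route(d)[:2] != select_route(d, alt)[:2]]

if __name__ == "__main__":
    for d in ("10.1.0.3", "1.1.1.1", "10.94.0.20"):
        print(d, "->", select_route(d))
    print("changed:", decision_changes(900, ["10.1.0.3", "1.1.1.1", "10.94.0.20"]))
```

Because the On-link rows only ever compete with themselves, their metric is irrelevant to forwarding here; it matters only as an interface preference signal, which is a separate setting from the per-route metric pushed by the server.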



  • @pszafer said in OpenVPN Tunnel network metric:

    It's supposed to be a "service" VPN which gives a connection only to the AD server for purposes like changing passwords etc.
    For this it needs to resolve dc1.ad.mydomain.com to the local address (10.1.0.3).

    Why don't you simply access the server by using its IP address?



  • IMO it's impossible to tell an Active Directory domain member not to look for the DNS record of the domain name.