All traffic crossing VPN despite "redirect all ipv4" unchecked
-
This is for a user VPN endpoint that employees use to access network assets in a data center. The goal is to have all traffic destined for data center IPs traverse the VPN; all other traffic should use their local gateway at home. It's my understanding that leaving the option "Redirect IPv4 Gateway" unchecked would facilitate this functionality, but it doesn't. Left unchecked, the routing table is thus:
$ netstat -nr4
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.16.100.1    0.0.0.0         UG        0 0          0 tun0
0.0.0.0         10.24.24.1      0.0.0.0         UG        0 0          0 wlp0s20f3
10.24.24.0      0.0.0.0         255.255.255.0   U         0 0          0 wlp0s20f3
10.24.24.1      0.0.0.0         255.255.255.255 UH        0 0          0 wlp0s20f3
172.16.23.0     172.16.100.1    255.255.255.0   UG        0 0          0 tun0
172.16.33.0     172.16.100.1    255.255.255.0   UG        0 0          0 tun0
172.16.100.0    0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.24.24.0/24 is the home network (.1 the home gateway). 172.16.100.0/24 is the VPN network with routes to 172.16.23.0/24 and 172.16.33.0/24 networks.
You can see that the VPN pushes a default GW with lower metric to my end user which ends up forcing all traffic over the VPN tunnel despite the intended destination.
$ ip route
default via 172.16.100.1 dev tun0 proto static metric 50
default via 10.24.24.1 dev wlp0s20f3 proto dhcp metric 600
If I delete that default route ($ sudo ip route delete default via 172.16.100.1 dev tun0) then I get the desired outcome - traffic destined for the 172.16/24 networks goes over the VPN and everything else goes out the home gateway.
So... why is OpenVPN pushing the default route to move all traffic over the VPN despite the setting being unchecked? Is there a way to prevent this so I can keep non-work traffic from traversing the VPN?
-
Note... this is the case with a Linux client and openvpn 2.5.5. I tested it in Windows and the routes behaved as they should - no default route through the VPN. The Windows version is 2.5.3.
-
@troutpocket Post your openvpn server settings please!!
-
@troutpocket said in All traffic crossing VPN despite "redirect all ipv4" unchecked:
You can see that the VPN pushes a default GW with lower metric to my end user which ends up forcing all traffic over the VPN tunnel despite the intended destination.
All I can see here is that a default route pointing to the VPN server is set on the device.
To see if it's pushed by the server you have to provide the client log or even the server settings.
@troutpocket said in All traffic crossing VPN despite "redirect all ipv4" unchecked:
Note... this is the case with a Linux client and openvpn 2.5.5.
What client do you use?
-
@viragomann After further investigation I think this is a problem with Gnome's OpenVPN client. It defaults to sending all traffic over the connection no matter what I put in the config. There's a checkbox labeled "Use this connection only for resources on this network" which is not checked despite server or client config settings.
Otherwise, it works as expected for the Windows client.
-
@troutpocket
I had this issue in former versions of the network manager OpenVPN client.
To workaround, I checked "don't pull routes" and entered the remote network manually above. As far as I remember, you only need to enter the network and mask and save it.