OpenVPN and redirect-gateway def1



  • Hi!

What do I want to achieve…
    I live in a country where it is sometimes difficult to reach all websites. Because of this I want to have one of my wireless networks at home always connected to a VPN provider in the US (SwitchVPN).
    My internet connection sucks and from time to time different VPN servers get blocked, so I want to have 3 different OpenVPN connections up and running with fallback between them (this should be possible to do with Gateway groups).

pfSense release: 2.0.1-RELEASE (i386) (I have tried with the snapshot from 20121110-1842 too)

    Basic configuration script (client side) - this one works but "redirect-gateway def1" sucks
    auth-user-pass /conf/auth.conf;fast-io;reneg-sec 0;tun-mtu 1500;mssfix 1450;fragment 1500;verb 5;persist-key;redirect-gateway def1;

    This results in the following routes…

    As you can see the 0.0.0.0/1 makes everything more difficult.
If I check the PUSH_REPLY message it looks like this…
    'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway,route-metric 1,route-gateway 10.10.0.1,route-gateway 10.10.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.10.0.242 255.255.255.0'

In this thread (http://forum.pfsense.org/index.php/topic,24436.msg126273.html) I found a way to bypass the redirect-gateway with route-nopull and/or route-noexec. In the PUSH_REPLY there is also the ifconfig that changes the routes, so I found at openvpn.net that I could use "ifconfig-noexec" so that the routing tables are "clean".

    The logfile for OpenVPN looks like this….

If I try to add my own routes (I am not an expert in this area…) I have tried to use... (in the OpenVPN Advanced Configuration)
    route 10.10.0.1
    route 10.10.0.1 255.255.255.0
    etc
    but none of these can change the routing table.

I must be doing something wrong here and I can't figure out what... (lack of know-how when it comes to routing tables is my first guess)

    Someone that can help me with this problem?

    //Micke
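The post asks why "redirect-gateway def1" makes the routing table "more difficult" and why the 0.0.0.0/1 entry appears. The following is an added illustration, not code from the post or from OpenVPN or pfSense: it models a client routing table with longest-prefix matching, adds the routes that the def1 mode installs (0.0.0.0/1 and 128.0.0.0/1 to the tunnel gateway, plus a /32 host route for the VPN server via the local gateway), and shows how route-nopull keeps pushed routes out of the table. The addresses (local gateway 192.168.1.1, VPN server 203.0.113.74, tunnel gateway 10.10.0.1) are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed sample addresses (placeholders, not taken from the thread).
LOCAL_GW = "192.168.1.1"      # the LAN's normal default gateway
VPN_SERVER = "203.0.113.74"   # public address of the OpenVPN server
VPN_GW = "10.10.0.1"          # route-gateway inside the tunnel


def base_table():
    """Routing table before OpenVPN connects: one default route plus the LAN."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), LOCAL_GW),
        (ipaddress.ip_network("192.168.1.0/24"), "link#1"),
    ]


def def1_routes(vpn_server, local_gw, vpn_gw):
    """Routes that 'redirect-gateway def1' installs.

    The two /1 routes cover the whole IPv4 space and win over the existing
    0.0.0.0/0 route by longest-prefix match, so the original default route is
    overridden without being deleted. The /32 host route keeps the tunnel's own
    encrypted traffic going out via the local gateway instead of into the tunnel.
    """
    return [
        (ipaddress.ip_network(f"{vpn_server}/32"), local_gw),
        (ipaddress.ip_network("0.0.0.0/1"), vpn_gw),
        (ipaddress.ip_network("128.0.0.0/1"), vpn_gw),
    ]


def apply_push(table, pushed_routes, route_nopull=False):
    """Model the client's handling of routes received in PUSH_REPLY.

    With route-nopull the client accepts other pushed options but ignores the
    pushed routes, so the routing table is left unchanged.
    """
    if route_nopull:
        return list(table)
    return list(table) + list(pushed_routes)


def lookup(table, dst):
    """Longest-prefix match: return the gateway of the most specific route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


if __name__ == "__main__":
    pushed = def1_routes(VPN_SERVER, LOCAL_GW, VPN_GW)
    for label, table in (
        ("before connect", base_table()),
        ("redirect-gateway def1", apply_push(base_table(), pushed)),
        ("with route-nopull", apply_push(base_table(), pushed, route_nopull=True)),
    ):
        print(label)
        for dst in ("8.8.8.8", "200.1.1.1", VPN_SERVER, "192.168.1.50"):
            print(f"  {dst:<16} -> {lookup(table, dst)}")
```

Running it shows that after def1 both halves of the address space (8.8.8.8 via 0.0.0.0/1, 200.1.1.1 via 128.0.0.0/1) resolve to the tunnel gateway while the VPN server itself and the LAN still resolve locally; with route-nopull the table is identical to the pre-connect one, which is the "clean" routing table the post is after.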







• The redirect-gateway def1 does not only add the 0.0.0.0/1, it also adds the 128.0.0.0/1 plus the x.x.x.74/32 pointing to your local gateway.

    The route commands are to be used in a peer-to-peer connection and not in a PKI.

From your description I don't really see what your goal is.
    If it is to simply have multiple VPN tunnels up and use failover pools between them:
    In such a setup your routing table isn't relevant anyway.
    You define gateways and traffic is forced to them directly, bypassing the routing table.
