OpenVPN and redirect-gateway def1
What do I want to achieve…
I live in a country where it is sometimes difficult to reach all websites. Because of this I want to have one of my wireless networks at home always connected to a VPN provider in the US (SwitchVPN).
My internet connection sucks and from time to time different VPN servers get blocked, so I want to have 3 different OpenVPN connections up and running with fallback between them (this should be possible to do with Gateway groups).
pfSense release: 2.0.1-RELEASE (i386) (I have tried with the snapshot from 20121110-1842 too)
Basic configuration script (client side) - this one works but "redirect-gateway def1" sucks
auth-user-pass /conf/auth.conf;fast-io;reneg-sec 0;tun-mtu 1500;mssfix 1450;fragment 1500;verb 5;persist-key;redirect-gateway def1;
This results in the following routes…
As you can see the 0.0.0.0/1 makes everything more difficult.
If I check the PUSH_REPLY message it looks like this…
'PUSH_REPLY,dhcp-option DNS 188.8.131.52,dhcp-option DNS 184.108.40.206,redirect-gateway,route-metric 1,route-gateway 10.10.0.1,route-gateway 10.10.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.10.0.242 255.255.255.0'
In this thread (http://forum.pfsense.org/index.php/topic,24436.msg126273.html) I found a way to bypass the redirect-gateway with route-nopull and/or route-noexec. In the PUSH_REPLY there is also the ifconfig that changes the routes, so I found at openvpn.net that I could use "ifconfig-noexec" so that the routing tables are "clean".
The logfile for OpenVPN looks like this….
If I try to add my own routes (I am not an expert in this area…), I have tried to use... (in the OpenVPN Advanced Configuration)
route 10.10.0.1 255.255.255.0
but none of these can change the routing table.
I must be doing something wrong here and I can't figure out what... (lack of know-how when it comes to routing tables is my first guess)
Can someone help me with this problem?
GruensFroeschli:
The redirect-gateway def1 does not only add the 0.0.0.0/1 it also adds the 220.127.116.11/1 plus the x.x.x.74/32 pointing to your local gateway.
The route commands are to be used in a peer-to-peer connection and not in a PKI.
From your description I don't really see what your goal is.
If it is to simply have multiple VPN tunnels up and use failover pools between them:
In such a setup your routing table isn't relevant anyway.
You define gateways and traffic is forced to them directly, bypassing the routing table.
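To make the two posts above concrete, here is an added example (not code from the thread, pfSense or OpenVPN) that parses the PUSH_REPLY quoted in the first post and models what the client keeps and installs under the options being discussed: a local `redirect-gateway def1`, `route-nopull`, `route-noexec` and `ifconfig-noexec`. The pull filtering follows OpenVPN's documented behaviour (route-nopull drops pushed routes, redirect-gateway, route-gateway, route-metric and dhcp-option lines but still accepts ifconfig, which is why ifconfig-noexec exists as a separate knob), and the def1 route set is the one the reply describes: 0.0.0.0/1 and 128.0.0.0/1 via the VPN gateway plus a /32 to the VPN server via the old local gateway. The VPN server endpoint `203.0.113.74` and the local gateway `192.168.1.1` are constructed placeholders; gateway resolution for locally added `route` lines is not modelled.

```python
import ipaddress

# PUSH_REPLY exactly as quoted in the thread (DNS addresses as they appear there).
PUSH_REPLY = (
    "PUSH_REPLY,dhcp-option DNS 188.8.131.52,dhcp-option DNS 184.108.40.206,"
    "redirect-gateway,route-metric 1,route-gateway 10.10.0.1,route-gateway 10.10.0.1,"
    "topology subnet,ping 10,ping-restart 60,ifconfig 10.10.0.242 255.255.255.0"
)

# Constructed placeholders (not from the thread): the VPN server's public
# endpoint and the LAN's pre-existing default gateway.
VPN_SERVER = "203.0.113.74"
LOCAL_GW = "192.168.1.1"

# Pull-permission classes. route-nopull strips the ROUTE and DHCP/DNS classes
# from what the server pushes; ifconfig is in neither class, so it is still
# applied, which is why ifconfig-noexec is a separate option.
ROUTE_CLASS = {"route", "route-ipv6", "route-gateway", "route-metric",
               "redirect-gateway", "redirect-private"}
DHCPDNS_CLASS = {"dhcp-option", "block-outside-dns"}


def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into (option, args) tuples."""
    head, _, body = msg.partition(",")
    if head != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    parsed = []
    for item in body.split(","):
        words = item.split()
        if words:
            parsed.append((words[0], tuple(words[1:])))
    return parsed


def accepted_options(pushed, route_nopull=False):
    """Pushed options the client keeps after pull filtering."""
    if not route_nopull:
        return list(pushed)
    return [(name, args) for name, args in pushed
            if name not in ROUTE_CLASS | DHCPDNS_CLASS]


def client_effect(msg, client_redirect=None, route_nopull=False,
                  route_noexec=False, ifconfig_noexec=False):
    """What ends up in the routing table, on the tun interface and in DNS.

    client_redirect: flags of a local 'redirect-gateway' line (e.g. ("def1",)),
    or None when the client config has no such line.
    """
    accepted = accepted_options(parse_push_reply(msg), route_nopull)

    redirect = client_redirect is not None
    flags = set(client_redirect or ())
    vpn_gw = None
    pushed_routes = []
    ifconfig = None
    dns = []
    for name, args in accepted:
        if name == "redirect-gateway":
            redirect = True
            flags.update(args)          # server flags merge with the local ones
        elif name == "route-gateway" and args:
            vpn_gw = args[0]
        elif name == "route" and len(args) >= 2:
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            pushed_routes.append((str(net), args[2] if len(args) > 2 else None))
        elif name == "ifconfig" and len(args) == 2:
            ifconfig = (args[0], args[1])
        elif name == "dhcp-option" and len(args) == 2 and args[0] == "DNS":
            dns.append(args[1])

    routes = []
    if not route_noexec:
        routes = [(net, gw or vpn_gw) for net, gw in pushed_routes]
        if redirect:
            # Host route so the tunnel's own packets still leave via the old gateway.
            routes.append((f"{VPN_SERVER}/32", LOCAL_GW))
            if "def1" in flags:
                # def1: two /1 routes beat 0.0.0.0/0 on prefix length without touching it.
                routes += [("0.0.0.0/1", vpn_gw), ("128.0.0.0/1", vpn_gw)]
            else:
                # Without def1 the existing default route is replaced outright.
                routes.append(("0.0.0.0/0", vpn_gw))

    return {
        "routes": routes,
        "ifconfig": None if ifconfig_noexec else ifconfig,
        "dns": dns,
    }


if __name__ == "__main__":
    for label, kw in [
        ("redirect-gateway def1, no filtering", dict(client_redirect=("def1",))),
        ("route-nopull", dict(route_nopull=True)),
        ("route-nopull + ifconfig-noexec", dict(route_nopull=True, ifconfig_noexec=True)),
    ]:
        print(label, client_effect(PUSH_REPLY, **kw))
```

Running it shows the three states the thread walks through: with `redirect-gateway def1` the table gains the two /1 routes and the /32 host route; with `route-nopull` no routes or DNS servers are taken from the server but the tun interface is still configured from the pushed ifconfig; only adding `ifconfig-noexec` leaves the interface untouched as well, which is the "clean" state the first post was after.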