Netgate Discussion Forum

    OpenVPN and redirect-gateway def1

    Category: OpenVPN
    2 Posts 2 Posters 7.8k Views
    MickeMannen

      Hi!

      What do I want to achieve…
      I live in a country where it is sometimes difficult to reach all websites. Because of this I want to have one of my wireless networks at home always connected to a VPN provider in the US (SwitchVPN).
      My internet connection sucks and from time to time different VPN servers get blocked, so I want to have 3 different OpenVPN connections up and running with fallback between them (this should be possible to do with Gateway groups).

      pfSense release: 2.0.1-RELEASE (i386) (I have tried with the snapshot from 20121110-1842 too)

      Basic configuration script (client side) - this one works but "redirect-gateway def1" sucks
      auth-user-pass /conf/auth.conf;fast-io;reneg-sec 0;tun-mtu 1500;mssfix 1450;fragment 1500;verb 5;persist-key;redirect-gateway def1;

      This results in the following routes…

      As you can see, the 0.0.0.0/1 makes everything more difficult.
      If I check the PUSH_REPLY message it looks like this…
      'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway,route-metric 1,route-gateway 10.10.0.1,route-gateway 10.10.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.10.0.242 255.255.255.0'

      In this thread (http://forum.pfsense.org/index.php/topic,24436.msg126273.html) I found a way to bypass the redirect-gateway with route-nopull and/or route-noexec. In the PUSH_REPLY there is also the ifconfig that changes the routes, so I found at openvpn.net that I could use "ifconfig-noexec" so that the routing tables are "clean".

      The logfile for OpenVPN looks like this…

      If I try to add my own routes (I am not an expert in this area…), I have tried to use... (in the OpenVPN Advanced Configuration)
      route 10.10.0.1
      route 10.10.0.1 255.255.255.0
      etc
      but none of these can change the routing table.

      I must be doing something wrong here and I can't figure out what... (lack of know-how when it comes to routing tables is my first guess)

      Can someone help me with this problem?

      //Micke
      [attachments: basic_configuration_routes.png, logfile_noexec.png, routes_noexec.png]

      GruensFroeschli

        The redirect-gateway def1 does not only add the 0.0.0.0/1; it also adds the 128.0.0.0/1 plus the x.x.x.74/32 pointing to your local gateway.

        The route commands are to be used in a peer-to-peer connection and not in a PKI.

        From your description I don't really see what your goal is.
        If it is to simply have multiple VPN tunnels up and use failover pools between them:
        In such a setup your routing table isn't relevant anyway.
        You define gateways and traffic is forced to them directly, bypassing the routing table.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

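As an added example (not code from either poster, nor from pfSense or OpenVPN), the following Python script models what the two posts describe: how a PUSH_REPLY is split into options, which pushed options route-nopull discards, which routes redirect-gateway installs with and without def1 (the 0.0.0.0/1 and 128.0.0.0/1 halves plus the server /32 via the old gateway), and why a route line in the client config never reaches the routing table once route-noexec is set. The server address 203.0.113.74, the local gateway 192.168.1.1 and the sample PUSH_REPLY text are constructed values; the option semantics follow the OpenVPN manual, and the script only models what OpenVPN itself would do, not pfSense's gateway-group policy routing.

```python
import ipaddress

# Constructed sample: same shape as the PUSH_REPLY quoted in the first post
SAMPLE_PUSH_REPLY = (
    "'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,"
    "redirect-gateway,route-metric 1,route-gateway 10.10.0.1,route-gateway 10.10.0.1,"
    "topology subnet,ping 10,ping-restart 60,ifconfig 10.10.0.242 255.255.255.0'"
)

# Pushed options that --route-nopull tells the client to discard
NOPULL_DROPS = {"route", "redirect-gateway", "dhcp-option"}


def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into (option, [args]) pairs."""
    fields = msg.strip().strip("'").split(",")
    if fields[0] != "PUSH_REPLY":
        raise ValueError("not a PUSH_REPLY message")
    opts = []
    for field in fields[1:]:
        tokens = field.split()
        if tokens:
            opts.append((tokens[0], tokens[1:]))
    return opts


def planned_routes(pushed, local, server_ip, local_gateway):
    """Model which routes the client would add.

    pushed:        options from parse_push_reply()
    local:         (option, [args]) pairs from the client's own config
    server_ip:     public address of the VPN server (constructed here)
    local_gateway: the default gateway the client had before connecting
    Returns (installed, deferred): deferred holds routes that --route-noexec
    hands to a --route-up script instead of writing to the kernel table.
    """
    local_flags = {option for option, _ in local}
    nopull = "route-nopull" in local_flags
    effective = list(local) + [
        (o, a) for o, a in pushed if not (nopull and o in NOPULL_DROPS)
    ]

    vpn_gateway = None
    redirect = False
    redirect_flags = set()  # flags accumulate over every redirect-gateway line
    for option, args in effective:
        if option == "route-gateway" and args:
            vpn_gateway = args[0]
        elif option == "redirect-gateway":
            redirect = True
            redirect_flags.update(args)

    routes = []
    for option, args in effective:
        if option == "route" and args:
            # route network [netmask [gateway]]: netmask defaults to a host
            # route, gateway defaults to the route-gateway
            netmask = args[1] if len(args) > 1 else "255.255.255.255"
            gateway = args[2] if len(args) > 2 else vpn_gateway
            dest = ipaddress.ip_network(f"{args[0]}/{netmask}", strict=False)
            routes.append((str(dest), gateway))

    if redirect:
        # host route so the tunnel endpoint stays reachable via the old gateway
        routes.append((f"{server_ip}/32", local_gateway))
        if "def1" in redirect_flags:
            # def1: two more-specific halves win over the existing default route
            routes.append(("0.0.0.0/1", vpn_gateway))
            routes.append(("128.0.0.0/1", vpn_gateway))
        else:
            routes.append(("0.0.0.0/0", vpn_gateway))

    if "route-noexec" in local_flags:
        return [], routes
    return routes, []


def scenario_def1():
    """The first post's working config: redirect-gateway def1 on the client."""
    pushed = parse_push_reply(SAMPLE_PUSH_REPLY)
    local = [("redirect-gateway", ["def1"])]
    return planned_routes(pushed, local, "203.0.113.74", "192.168.1.1")


def scenario_noexec():
    """The first post's second attempt: nopull/noexec plus a manual route line."""
    pushed = parse_push_reply(SAMPLE_PUSH_REPLY)
    local = [("route-nopull", []), ("route-noexec", []),
             ("route", ["10.10.0.1", "255.255.255.0"])]
    return planned_routes(pushed, local, "203.0.113.74", "192.168.1.1")


if __name__ == "__main__":
    for name, fn in (("def1", scenario_def1), ("noexec", scenario_noexec)):
        installed, deferred = fn()
        print(name, "installed:", installed, "deferred:", deferred)
```

Running the script shows the two situations side by side: with def1 the client installs the server /32 plus the two half-default routes that the first post saw in its routing table, while with route-nopull and route-noexec the pushed redirect-gateway is discarded and the manual route line ends up in the deferred list, which is why adding route lines in the advanced configuration changed nothing in the table.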