1. Home
  2. pfSense® Software
  3. OpenVPN
  4. OpenVPN and redirect-gateway def1

OpenVPN and redirect-gateway def1

  • M

    Hi!

    What do i want to achieve…
    I live in a country where it is sometimes difficult to reach all websites. Because of this i want to have one of my wireless networks at home always connected to a VPN provider in the US (SwitchVPN).
    My internet connection sucks and from time to time different VPN servers gets blocked so i want to have 3 different OpenVPN connections up and running with fallback between them (this should be possible to do with Gateway groups).

    pfsense release: 2.0.1-RELEASE (i386) (i have tried with the snapshot from 20121110-1842 too)

    Basic configuration script (client side) - this one works but "redirect-gateway def1" sucks
    auth-user-pass /conf/auth.conf;fast-io;reneg-sec 0;tun-mtu 1500;mssfix 1450;fragment 1500;verb 5;persist-key;redirect-gateway def1;

    This results in the following routes…

    As you can see the 0.0.0.0/1 makes everything more difficult.
    If i check the PUSH_Reply message it looks like this…
    'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway,route-metric 1,route-gateway 10.10.0.1,route-gateway 10.10.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.10.0.242 255.255.255.0'

    In this thread (http://forum.pfsense.org/index.php/topic,24436.msg126273.html)i found a way to bypass the
    redirect-gateway with route-nopull and/or route-noexec. in the PUSH_REPLY there is also the
    ifconfig that change the routes so i found at openvpn.net that i could use "ifcong-noexec" so that the routing
    tables are "clean".

    The logfile for OpenVPN looks like this….

    If i try to add my own routes (I am not an expert in this area…) i have tried to use... (in the OpenVPN Advanced Configuration)
    route 10.10.0.1
    route 10.10.0.1 255.255.255.0
    etc
    but none of these can change the routing table.

    I must be doing something wrong here and i can't figure out what... (lack of know how when it comes to routing tables is my first guess)

    Someone that can help me with this problem?

    //Micke





    0
  • GruensFroeschli

    The redirect-gateway def1 does not only add the 0.0.0.0/1 it also adds the 128.0.0.0/1 plus the x.x.x.74/32 pointing to your local gateway.

    The route commands are to be used in a peer-to-peer connection and not in a PKI.

    From your description i don't really see what your goal is.
    If it is to simply have multiple VPN tunnels up and use failover pools between them:
    In such a setup your routing table isn't relevant anyway.
    You define gateways and traffic is forced to them directly, bypassing the routing table.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy