OpenVPN make redirect-gateway optional

Question

I'm currently running an OpenVPN server for multiple clients. All traffic is directed through the VPN (it's set up as gateway; push "redirect-gateway def1").

So far, all is working fine. However, I'd like to connect a couple of servers to this virtual private network, without these servers using the OVPN daemon as gateway.

These servers have to be accessible from both their WAN as well as their LAN IP address. Certain services will be accessible only from the LAN side.

Is there any way, for a client, to ignore the push redirect-gateway option?

Kind regards, Tuinslak

Great question... I was asking myself exactly the same thing. — Antoine Benkemoun, Apr 06 '10 at 08:05

score 16 · Answer 1 · answered Aug 03 '10 at 13:58

16

Just add "route-nopull" to the client openvpn config, then all pushed commands from the server are ignored. To get access to the local net, you must now add e.g. "route 192.168.5.0 255.255.255.0" to the client openvpn config, if the local net you want to connect to is 192.168.5.0/24.

answered Aug 03 '10 at 13:58

This causes some errors on connect but works as intended :) – Brian Ramsey Nov 01 '17 at 23:09
2

The best option nowadays (2.4 or later) would be `pull-filter ignore redirect-gateway` – mwfearnley Dec 10 '18 at 10:26
My knowledge of OpenVPN is *extremely* limited, but as you mentioned, `route-nopull` would result in all of the pushed commands being ignored. Isn't that a bad idea? I'm assuming the server is pushing those commands for a reason... – rinogo Mar 17 '22 at 22:54

score 8 · Answer 2 · edited Aug 30 '13 at 16:17

8

if 'redirect-gateway' is required for some but not all clients then add a 'client-config-dir' option e.g.

  client-config-dir /etc/openvpn/clients

and inside that directory put files for each client CN, e.g. file Client1 would contain

  push-reset

that way the servers don't get the 'redirect-gateway' pushed by default.

HTH

edited Aug 30 '13 at 16:17

Mikuz

103
4

answered Apr 06 '10 at 08:01

janjust

582
2
5

1

I guess this would reset every pushed option (including DNS servers)? – Tuinslak Feb 26 '12 at 00:59

mwfearnley · Answer 3 · 2022-03-18T12:37:51.293

3

There is a newer, easier solution for this, as of December 2016.

You just need to put this line in your OpenVPN config:

pull-filter ignore redirect-gateway

Literally, it filters the options it pulls from the server, and ignores the redirect-gateway option.

(According to https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway, this was added in OpenVPN 2.4, which was released on 27 December 2016.¹)

edited Mar 18 '22 at 12:37

answered Dec 10 '18 at 10:06

mwfearnley

757
9
21

score 2 · Answer 4 · answered Mar 13 '10 at 21:03

just replace the default gateway in --up script an you are all set. You don't even have to do anything in --down (I think) or just set it to up.sh as well.

in client.conf

up up.sh

in up.sh (chmod +x)

#!/bin/bash
/sbin/ip route replace default 1.2.3.4

where 1.2.3.4 is your client's default gateway

score -1 · Answer 5 · answered Oct 13 '13 at 02:29

-1

Remvoe "redirect-gateway" option in the client configure file, the client's default gateway won't change anymore. tested under Archlinux/OpenVPN 2.3.2.

answered Oct 13 '13 at 02:29

shaozx

1
1

I guess this solution would depend on whether the gateway is configured on the client, or pushed from the server. – mwfearnley Dec 10 '18 at 09:45

OpenVPN make redirect-gateway optional

5 Answers5

Linked