16

I'm currently running an OpenVPN server for multiple clients. All traffic is directed through the VPN (it's set up as gateway; push "redirect-gateway def1").

So far, all is working fine. However, I'd like to connect a couple of servers to this virtual private network, without these servers using the OVPN daemon as gateway.

These servers have to be accessible from both their WAN as well as their LAN IP address. Certain services will be accessible only from the LAN side.

Is there any way, for a client, to ignore the push redirect-gateway option?

Kind regards, Tuinslak

Tuinslak

5 Answers

16

Just add "route-nopull" to the client openvpn config, then all pushed commands from the server are ignored. To get access to the local net, you must now add e.g. "route 192.168.5.0 255.255.255.0" to the client openvpn config, if the local net you want to connect to is 192.168.5.0/24.

  • This causes some errors on connect but works as intended :) – Brian Ramsey Nov 01 '17 at 23:09
  • 2
    The best option nowadays (2.4 or later) would be `pull-filter ignore redirect-gateway` – mwfearnley Dec 10 '18 at 10:26
  • My knowledge of OpenVPN is *extremely* limited, but as you mentioned, `route-nopull` would result in all of the pushed commands being ignored. Isn't that a bad idea? I'm assuming the server is pushing those commands for a reason... – rinogo Mar 17 '22 at 22:54
8

If 'redirect-gateway' is required for some but not all clients, then add a 'client-config-dir' option, e.g.

  client-config-dir /etc/openvpn/clients

and inside that directory put files for each client CN, e.g. file Client1 would contain

  push-reset

That way the servers don't get the 'redirect-gateway' pushed by default.

HTH

Mikuz
janjust
3

There is a newer, easier solution for this, as of December 2016.

You just need to put this line in your OpenVPN config:

  pull-filter ignore redirect-gateway

Literally, it filters the options it pulls from the server, and ignores the redirect-gateway option.

(According to https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway, this was added in OpenVPN 2.4, which was released on 27 December 2016.)

mwfearnley
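A way to confirm on the client that the redirect really was ignored, added here as an example and not part of any answer on this page: `redirect-gateway def1` shows up in the routing table as 0.0.0.0/1 and 128.0.0.0/1 routes through the VPN interface. The interface name tun0 and the sample routing tables are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers). Reads `ip -4 route show`
# output on stdin and reports whether redirect-gateway took effect.
# The interface name tun0 and all sample addresses are assumptions.

check_redirect() {
    awk -v dev="${1:-tun0}" '
        # True when the current route line leaves through the VPN interface.
        function on_dev(i) {
            for (i = 2; i < NF; i++)
                if ($i == "dev" && $(i + 1) == dev) return 1
            return 0
        }
        # def1 adds two half-default routes that outrank 0.0.0.0/0.
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") && on_dev() { hit = 1 }
        # Without def1 the default route itself points at the VPN.
        $1 == "default" && on_dev() { hit = 1 }
        END {
            if (hit) { print "redirected"; exit 1 }
            print "split"
        }'
}

# Constructed sample: client that accepted redirect-gateway def1.
SAMPLE_REDIRECTED='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Constructed sample: client with the redirect filtered and one VPN-side route.
SAMPLE_SPLIT='default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.5.0/24 via 10.8.0.1 dev tun0'

# Demo on the constructed samples; on a live client use:
#   ip -4 route show | check_redirect tun0
printf '%s\n' "$SAMPLE_REDIRECTED" | check_redirect tun0 || true   # redirected
printf '%s\n' "$SAMPLE_SPLIT" | check_redirect tun0                # split
```

The function exits non-zero when the VPN has taken over the default path, so it can gate a post-connect health check on servers that must stay reachable on their WAN address.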
2

Just replace the default gateway in the --up script and you are all set. You don't even have to do anything in --down (I think), or just set it to up.sh as well.

in client.conf

  up up.sh

in up.sh (chmod +x)

  #!/bin/bash
  # Put the default route back on the client's own gateway ("via" is required by ip route)
  /sbin/ip route replace default via 1.2.3.4

where 1.2.3.4 is your client's default gateway

Aleksandar Ivanisevic
-1

Remove the "redirect-gateway" option in the client configuration file, and the client's default gateway won't change anymore. Tested under Archlinux/OpenVPN 2.3.2.

shaozx
  • I guess this solution would depend on whether the gateway is configured on the client, or pushed from the server. – mwfearnley Dec 10 '18 at 09:45