18

I need to configure my OpenVPN server to provide some LAN resources, but I don't want to route all traffic for my clients.

Here is my sample network description: my LAN is 192.168.1.0/24. The OpenVPN network is 192.168.100.0/24. I add push route 192.168.1.0 255.255.255.0 in my server-side configuration. I would like to allow my clients to access 192.168.1.0/24, but not other traffic.

How can I do this from the server-side configuration? Is client-side configuration the only way to do this?

Solomon
  • 313
  • 1
  • 3
  • 9

7 Answers

37

This is a client setting.

For Linux clients, in NetworkManager: Edit Connections -> VPN -> (select the vpn configuration you would like to edit) -> Edit -> IPv4/IPv6 -> Routes -> Check the box that says "Use this connection only for resources on its network"

mueslo
  • 103
  • 3
user154446
  • 371
  • 1
  • 3
  • 2
16

Simply do not add the redirect-gateway in the client or server configuration and the default gateway will not be changed.

Zoredache
  • 128,755
  • 40
  • 271
  • 413
  • 10
    There is no `redirect-gateway` in server configuration. Maybe I missed something? – Solomon Jul 16 '12 at 16:32
  • 3
    Did you check on the client side as well? The option can be set on either side. Watch your OpenVPN log on the client when the connection is being established. You should see messages about the gateway being switched, and if the option was pushed from the server or not. – Zoredache Jul 16 '12 at 16:33
  • 1
    I use NetworkManager for convenience and got confused. It works with a new client-side configuration and without NetworkManager. Thanks. – Solomon Jul 16 '12 at 16:57
  • @Solomon There might be something like `push "redirect-gateway def1 bypass-dhcp"` in `server.conf`. (At least in Ubuntu's default setup.) Changing that to `push "def1 bypass-dhcp"` makes the server not push a default gateway to clients. – Supernormal Apr 20 '22 at 14:34
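The server side of the split tunnel this answer describes, as an added example that is not part of the original thread or of OpenVPN's own documentation. It generates the routing part of server.conf (pushing only the LAN route, never redirect-gateway) and, because a pushed route is only advice that the client is free to ignore or extend, prints the FORWARD-chain rules that make the server refuse to carry anything but LAN traffic. The addresses come from the question; `tun0`, the interface name, and the use of iptables are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread: the server side of a
# split tunnel. Only the LAN route is pushed, redirect-gateway is never
# pushed, and the server's FORWARD chain enforces that tunnel clients reach
# nothing but that LAN. Values are taken from the question where it gives
# them (LAN 192.168.1.0/24, VPN 192.168.100.0/24); tun0 and the use of
# iptables are assumptions.

LAN_NET="192.168.1.0/24"
LAN_ROUTE="192.168.1.0 255.255.255.0"   # OpenVPN's "network netmask" form
VPN_NET="192.168.100.0/24"
TUN_IF="tun0"

# Routing-related part of server.conf. What matters is what is missing:
# no `push "redirect-gateway ..."`, so the client's default route stays put.
server_conf_fragment() {
    cat <<EOF
dev $TUN_IF
server 192.168.100.0 255.255.255.0
push "route $LAN_ROUTE"
# Deliberately not pushing: redirect-gateway def1 bypass-dhcp
EOF
}

# Run a command, or just print it when APPLY is not set to 1, so the
# firewall rules can be reviewed before they touch a live server (root needed).
_run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# A pushed route is advisory: the client owns its routing table and can add
# a default route over the tunnel on its own. If the server must not carry
# anything except LAN traffic, say so in the FORWARD chain.
forward_rules() {
    _run sysctl -w net.ipv4.ip_forward=1
    _run iptables -A FORWARD -i "$TUN_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
    _run iptables -A FORWARD -o "$TUN_IF" -d "$VPN_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    _run iptables -A FORWARD -i "$TUN_IF" -j DROP
}

# Self-check on the generated fragment: succeed only if the LAN route is
# pushed and no default-gateway redirect is.
check_fragment() {
    frag=$(server_conf_fragment)
    printf '%s\n' "$frag" | grep -q "^push \"route $LAN_ROUTE\"" || return 1
    printf '%s\n' "$frag" | grep -q '^push "redirect-gateway' && return 1
    return 0
}

server_conf_fragment
forward_rules
```

Run it as-is to review the output, then `APPLY=1 sh split-tunnel-server.sh` as root to apply the rules (the file name is an assumption). The rules cover IPv4 only; if the server also hands out IPv6 addresses, the same three rules are needed in ip6tables, and if LAN hosts have no route back to 192.168.100.0/24 you will additionally need a return route on the LAN router or a MASQUERADE rule in the nat table.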
7

Since I have IPv4 and IPv6, if I don't want OpenVPN to set my default gateway I had to add the following lines to my client configuration, and I had to add the IPv6 routes manually:

pull-filter ignore "route-gateway"
route-nopull

If I don't want all the IPv4 traffic to necessarily go through my OpenVPN interface, I only had to add the following line:

pull-filter ignore "route-gateway"

The line above makes my traffic to hosts supporting IPv4 and IPv6 go through my OpenVPN connection, while my traffic to hosts with only IPv4 goes through my wireless interface.

My original client configuration before playing was:

client
dev tun
proto udp
remote ovpn.myserver.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3

Regards,

200313
  • 71
  • 1
  • 1
6

route-nopull in the .ovpn file, or --route-nopull on the command line.

You'll then have to set up the routes yourself, of course.

Anthony Hayward
  • 161
  • 1
  • 3
2

I found that removing

resolv-retry infinite

from my client.conf stops the server from pushing a default route.

Jeff P
  • 29
  • 1
1

Try adding pull-filter ignore "route-gateway" to your .ovpn file. Then, remember to set your custom routes.

Example:

...
pull-filter ignore "route-gateway"
route-method exe
route-delay 2
allow-pull-fqdn
route <some subnet IP> <subnet mask> <gateway IP>
route <other subnet IP> <subnet mask> <gateway IP>
...

NOTE:
It works when launching the VPN connection from the shell:

sudo openvpn --config /home/sfernandez/Documentos/config/sfernandez.ovpn

For workstations, if you are going to import the .ovpn file to create a new connection:

sudo nmcli connection import file /path/to/your/file/vpn_config.ovpn type openvpn

Then, you'll need to set this option in your UI connection manager. Something like:

IPv4 Settings -> Routes -> [x] Use this connection only for resources on your network.

serfer2
  • 111
  • 4
1

(For clients)

--pull-filter ignore "<the beginning of the command, which sets the route>"

To get the exact command that the server pushes, you must:

  • enable logging with verb 7 either in the config, or via command line;
  • wipe the log to see more clearly: echo >/var/log/<whatever you named it>.log;
  • start openvpn;
  • in the log search for route or gateway;
  • add the command in the line with pull-filter ignore.

The command may look like redirect-gateway def1.

tijagi
  • 427
  • 2
  • 6
  • 16
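The log-reading procedure in this answer and the pull-filter approach of the serfer2 answer, as an added example that is not part of the original thread: a small POSIX shell script that pulls the PUSH_REPLY out of a client log, lists every option the server pushed, and emits a `pull-filter ignore` line only for the gateway-changing options that were actually pushed, while showing which `route` options survive. The log lines are constructed for the example and use the question's addresses; the server address, timestamps and the other pushed values are made up.

```shell
#!/bin/sh
# Added example, not code from the original thread: extract the PUSH_REPLY
# from an OpenVPN client log and turn the gateway-changing options into
# pull-filter lines, leaving the pushed LAN route alone.

# Constructed sample of what a client logs at verb 3 when the server pushes
# both a LAN route and a full-tunnel redirect. 192.168.1.0/24 and
# 192.168.100.0/24 follow the question; everything else is invented.
sample_log() {
cat <<'EOF'
Tue Jul 16 16:30:01 2012 TLS: Initial packet from [AF_INET]203.0.113.10:1194, sid=1a2b3c4d 5e6f7a8b
Tue Jul 16 16:30:02 2012 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Jul 16 16:30:02 2012 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.1.1,route-gateway 192.168.100.1,topology subnet,ping 10,ping-restart 120,ifconfig 192.168.100.6 255.255.255.0,peer-id 0'
Tue Jul 16 16:30:02 2012 OPTIONS IMPORT: route options modified
Tue Jul 16 16:30:02 2012 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlan0
EOF
}

# One pushed option per line, taken from the PUSH_REPLY in a log on stdin.
# The reply is a single quoted, comma-separated list after "PUSH_REPLY,".
pushed_options() {
    sed -n "s/.*'PUSH_REPLY,\(.*\)'.*/\1/p" | tr ',' '\n'
}

# For each option name given as an argument, print a pull-filter line if the
# server really pushed it, so the client config ignores nothing that was never
# sent. Reads the output of pushed_options on stdin. A name matches only as a
# whole first word, so "route" does not match "route-gateway".
suggest_pull_filters() {
    opts=$(cat)
    for name in "$@"; do
        if printf '%s\n' "$opts" | grep -q -e "^$name " -e "^$name"'$'; then
            printf 'pull-filter ignore "%s"\n' "$name"
        fi
    done
}

# Pushed route options that stay in effect when only the names handed to
# suggest_pull_filters are ignored. Reads the output of pushed_options.
pushed_routes() {
    grep '^route '
}

echo "# pushed by the server:"
sample_log | pushed_options
echo "# add to the client .ovpn:"
sample_log | pushed_options | suggest_pull_filters redirect-gateway
echo "# routes still applied:"
sample_log | pushed_options | pushed_routes
```

Replace `sample_log` with `cat /var/log/openvpn-client.log` (path is an assumption) on a real client. Ignoring `redirect-gateway` alone keeps the pushed LAN route working, because that route uses the pushed `route-gateway` as its next hop; if you also pass `route-gateway` to `suggest_pull_filters`, as the answers above do, you must then give each `route` line its own gateway in the client config.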