Avoid OpenVPN Client to act as default gateway

I have a bunch of OpenVPN profiles that can connect to my customers' networks. I use the latest Windows OpenVPN GUI.

Some of these profiles are causing trouble because the VPN connection defines routes and name resolution to use the customer network exclusively. This is an issue because I only have access to a whitelist of servers (the DNS server and internet gateway are not in this list).

So I'm looking for a way to set up my VPN connection to be used only for a very specific subnet, and to avoid resolving names with the customer DNS server.

Is there a universal way to do it?

I tried to add this to my profile:

pull-filter ignore "dhcp-option DNS"
pull-filter ignore "route"
route-nopull
route 10.0.0.0 255.255.0.0

The idea is to disable any route and option coming from the server, and to manually add a route to the customer subnet.

However, this is still not enough.

Route print before VPN connection:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.20.254    192.168.20.58     55
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     192.168.20.0    255.255.255.0         On-link     192.168.20.58    311
    192.168.20.58  255.255.255.255         On-link     192.168.20.58    311
   192.168.20.255  255.255.255.255         On-link     192.168.20.58    311
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.20.58    311
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.20.58    311

nslookup shows that the ns is 192.168.20.254 (which is my local router).

After opening the VPN connection:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.20.254    192.168.20.58     55
          0.0.0.0        128.0.0.0     10.100.100.5     10.100.100.6    291
         10.0.0.0      255.255.0.0     10.100.100.5     10.100.100.6    291
     10.100.100.4  255.255.255.252         On-link      10.100.100.6    291
     10.100.100.6  255.255.255.255         On-link      10.100.100.6    291
     10.100.100.7  255.255.255.255         On-link      10.100.100.6    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0     10.100.100.5     10.100.100.6    291
    185.118.18.66  255.255.255.255   192.168.20.254    192.168.20.58    311
     192.168.20.0    255.255.255.0         On-link     192.168.20.58    311
    192.168.20.58  255.255.255.255         On-link     192.168.20.58    311
   192.168.20.255  255.255.255.255         On-link     192.168.20.58    311
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      10.100.100.6    291
        224.0.0.0        240.0.0.0         On-link     192.168.20.58    311
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      10.100.100.6    291
  255.255.255.255  255.255.255.255         On-link     192.168.20.58    311
===========================================================================

It looks like routes are still added.

I can verify the wrong behavior with:

PS C:\WINDOWS\system32> Find-NetRoute -RemoteIPAddress 8.8.8.8 | Select IPAddress,NextHop

IPAddress    NextHop
---------    -------
10.100.100.6
             10.100.100.5

Thanks in advance for the help

Steve B

Posted 2018-02-05T09:16:57.143

Reputation: 1 580

You can try pull-filter ignore "redirect-gateway". – Turbo J – 2018-02-05T11:34:46.027

@TurboJ: you were right, I had a redirect-gateway def1 that was in the config file. Removing it + my addition solved the issue. You should post an answer if you want to be rewarded. – Steve B – 2018-02-05T13:55:42.567
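Putting the two comments together, a corrected client profile looks like the one below. This is an added example, not the asker's actual file: the `client`, `dev`, `proto` and `remote` lines are placeholders for whatever the customer's profile already contains. The point it illustrates is that `pull-filter` only filters options the server pushes; a `redirect-gateway def1` line written in the local profile is applied regardless, so it has to be deleted (or commented out) rather than filtered. `route-nopull` already makes the client ignore pushed routes and DHCP options such as DNS servers, so the two explicit `pull-filter` lines are belt and braces.

```conf
# Corrected client profile (added example; placeholders, not the real endpoint).
client
dev tun
proto udp
remote vpn.customer.example 1194

# The line that installed the two /1 routes and the /32 bypass.
# It lived in the local profile, so no pull-filter could remove it.
# redirect-gateway def1

# Ignore everything the server pushes: routes, redirect-gateway and
# dhcp-option DNS are all covered by route-nopull.
route-nopull

# Belt and braces in case a server pushes these explicitly.
pull-filter ignore "redirect-gateway"
pull-filter ignore "dhcp-option DNS"

# Re-add by hand the only thing that should go through the tunnel:
# the customer subnet.
route 10.0.0.0 255.255.0.0
```

After reconnecting, `route print` should show the `10.0.0.0 255.255.0.0` route via the tunnel gateway and no `0.0.0.0 128.0.0.0` / `128.0.0.0 128.0.0.0` pair, and `Find-NetRoute -RemoteIPAddress 8.8.8.8` should report the local router as the next hop again.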

Answers

The additional routes are the result of the redirect-gateway option.

This adds three routes; the first two together span the whole internet and redirect it into the tunnel:

dest   0.0.0.0  mask 128.0.0.0 gw 10.100.100.5
dest 128.0.0.0  mask 128.0.0.0 gw 10.100.100.5

These provide a "better" routing match than the default gateway (with a mask of zero) for all internet addresses.

The third sends the real VPN endpoint IP address via the original gateway, and is used for the encrypted VPN packets:

dest 185.118.18.66 mask 255.255.255.255 gw 192.168.20.254

This neat trick allows setting up the VPN without touching the default gateway route.

Turbo J

Posted 2018-02-05T09:16:57.143

Reputation: 1 919

so... how do you enable these routes on the client side? – Rebroad – 2019-12-25T13:40:33.883
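As an added, self-contained illustration (not code from the original question or answer), the following Python script parses the `route print` table posted in the question (column headers translated, values as posted) and resolves destinations by longest-prefix match with metric as tie-breaker, which is how Windows chooses a route. It shows both states: the one the question reports, where 8.8.8.8 is drawn into the tunnel by the `0.0.0.0/1` half route even though `0.0.0.0/0` is untouched, and the one after the three redirect-gateway routes are gone, which is what deleting the local `redirect-gateway def1` line (or `pull-filter ignore "redirect-gateway"` for a pushed one) achieves. The sample table is constructed from the question's output; the function names are mine.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed sample input: the IPv4 table the question shows right after
# the VPN came up (headers translated to English, values as posted).
ROUTE_PRINT_AFTER_VPN = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.20.254    192.168.20.58     55
          0.0.0.0        128.0.0.0     10.100.100.5     10.100.100.6    291
         10.0.0.0      255.255.0.0     10.100.100.5     10.100.100.6    291
     10.100.100.4  255.255.255.252         On-link      10.100.100.6    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0     10.100.100.5     10.100.100.6    291
    185.118.18.66  255.255.255.255   192.168.20.254    192.168.20.58    311
     192.168.20.0    255.255.255.0         On-link     192.168.20.58    311
"""

VPN_SERVER = "185.118.18.66"   # the endpoint the /32 bypass route points at


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None means On-link
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Parse the IPv4 section of Windows `route print`. Header and separator
    lines are skipped because they do not parse as
    'destination netmask gateway interface metric'."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        try:
            # ipaddress accepts a dotted netmask after the slash.
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            interface = ipaddress.IPv4Address(iface)
            gateway = None if gw == "On-link" else ipaddress.IPv4Address(gw)
            routes.append(Route(net, gateway, interface, int(metric)))
        except ValueError:
            continue
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Pick the route Windows would use: longest prefix first, lowest
    metric as the tie-breaker (this mirrors what Find-NetRoute reports)."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r.net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.net.prefixlen, -r.metric))


def without_redirect_gateway(routes: List[Route]) -> List[Route]:
    """Drop the three routes redirect-gateway def1 installs: the two /1
    halves that swallow the whole Internet and the /32 bypass to the VPN
    server. This is the table you get once the option is no longer applied."""
    server = ipaddress.IPv4Network(f"{VPN_SERVER}/32")
    return [r for r in routes if r.net.prefixlen != 1 and r.net != server]


def next_hop(routes: List[Route], destination: str) -> str:
    """'matched-prefix -> gateway via interface' for a destination."""
    r = lookup(routes, destination)
    if r is None:
        return "no route"
    return f"{r.net} -> {r.gateway if r.gateway else 'On-link'} via {r.interface}"


WITH_DEF1 = parse_route_print(ROUTE_PRINT_AFTER_VPN)
WITHOUT_DEF1 = without_redirect_gateway(WITH_DEF1)

if __name__ == "__main__":
    # 8.8.8.8: Internet host, should NOT go through the customer tunnel.
    # VPN_SERVER: must keep using the local router so the tunnel itself works.
    # 10.0.42.7: inside the customer subnet the asker routes by hand.
    # 192.168.20.10: a LAN neighbour, always On-link.
    for dst in ("8.8.8.8", VPN_SERVER, "10.0.42.7", "192.168.20.10"):
        print(f"{dst:>16}  with def1:    {next_hop(WITH_DEF1, dst)}")
        print(f"{'':>16}  without def1: {next_hop(WITHOUT_DEF1, dst)}")
```

The two `/1` routes win against `0.0.0.0/0` purely on prefix length, so the far lower metric of the original default route (55 versus 291) never comes into play; that is the "better match" the answer describes. Removing them leaves `10.0.0.0/16` as the only prefix that steers traffic into the tunnel, which is exactly the asker's goal.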