
Quick question just to verify I'm not going mental. I'm using device mode "tap" and I've got a fully functional connection, in the sense that I can ping from client to server without any issues.

However, I want to force my traffic through the VPN so that nothing can leak out, no matter what. I'm stuck getting my head around this, but shouldn't this be valid in the server.ovpn?

```
mode server
tls-server
...
dev tap
dev-node TAP1

ifconfig 192.168.0.1 255.255.255.0
ifconfig-pool 192.168.0.10 192.168.0.20
route-gateway 192.168.0.1
route 192.168.0.0 255.255.255.0 192.168.0.1

client-to-client
push "route 192.168.0.0 255.255.255.0 192.168.0.1"
push "route-gateway 192.168.0.1"
push "redirect-gateway def1"
```

The client.ovpn looks like:

```
client
tls-client
dev tap
dev-node TAP1
...
pull
```

The connection establishes and whatnot; the output of the client's log is:

```
ROUTE default_gateway=<external IP gateway>
PUSH: Recieved control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0 192.168.0.1,route-gateway...
Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.0.10/255.255.255.0 on interface ...
Successful ARP Flush
Added routes 139.. 127.. 192...
```

All appears to be fine, except that a default gateway just isn't set when checking `ipconfig /all`.

The output of `route print` looks like:

```
Destination        Netmask         Gateway
0.0.0.0            0.0.0.0         <external Gateway>   <-- Wrong?
192.168.0.0        255.255.255.0   On-link
192.168.0.0        255.255.255.0   192.168.0.1
```

The routing table appears to be off?

Zoredache
Torxed
  • Is IP forwarding turned on? This will be on the server. – cjc Feb 05 '13 at 20:26
  • Server is running Windows 7, nothing outside of the config has been done. What I'm trying to accomplish is mainly a "dummy gateway" because certain software checks the default gateway parameter in Windows for its operation (mainly for connecting software to an "unknown" server) – Torxed Feb 05 '13 at 20:28

2 Answers

> All appears to be fine except that a default gateway just isn't set when checking
> ...
> push "redirect-gateway def1"

If you use that option, then you don't set a default gateway. Instead, two routes should be added for 0.0.0.0/1 and 128.0.0.0/1 to your VPN.

Zoredache
  • OK, is it possible to set a default gateway under `ipconfig /all` while still forcing all traffic through the VPN? – Torxed Feb 05 '13 at 20:31
  • Remove the `def1` option. Keep in mind that the `def1` option exists because some systems are buggy and will update the default gateway. For example, in the past some Linux systems would overwrite the VPN-provided default gateway if the LAN interface was set to DHCP and the renew time had occurred. The `def1` option is generally more reliable; the downside of Windows not showing it in `ipconfig /all` is purely cosmetic in my opinion. – Zoredache Feb 05 '13 at 20:40
  • Thank you, the `def1` part was the dark sheep in my problem. I couldn't agree more that the `ipconfig /all` is purely cosmetic, but as mentioned in another comment above, certain software depends on this to work properly and I have 0 control over that software for now, even though it's in-house developed :) Thank you! – Torxed Feb 05 '13 at 20:52

I realize this is an old question, but I wanted to add that in my experience, if everything works EXCEPT for the setting of a default gateway, running OpenVPN as administrator will solve the problem on Windows 10.

Tom Daley
  • Yep, this completely slipped my mind and was rather obvious in later years of using VPN, but a good addition for anyone ending up here who is new to these kinds of things, for sure! – Torxed Mar 27 '16 at 15:14
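
An added example, not part of the question or either answer: a longest-prefix check over `route print`-style rows, showing why the 0.0.0.0/1 and 128.0.0.0/1 routes from `def1` override a default route that is still listed, and flagging any gateway other than the VPN that still wins for some address (for instance when the routes were never installed). The tables are constructed; `EXT_GW` and `VPN_SERVER` are placeholder addresses, the host route to the VPN server is the one OpenVPN adds alongside `redirect-gateway`, and route metrics are ignored.

```python
import ipaddress

VPN_GW = "192.168.0.1"       # route-gateway from the question's server.ovpn
EXT_GW = "203.0.113.1"       # constructed placeholder for <external Gateway>
VPN_SERVER = "198.51.100.7"  # constructed placeholder for the server's public IP

# Constructed tables in the Destination / Netmask / Gateway layout of `route print`.
WITHOUT_DEF1_ROUTES = f"""\
Destination        Netmask          Gateway
0.0.0.0            0.0.0.0          {EXT_GW}
192.168.0.0        255.255.255.0    On-link
"""
WITH_DEF1_ROUTES = WITHOUT_DEF1_ROUTES + f"""\
0.0.0.0            128.0.0.0        {VPN_GW}
128.0.0.0          128.0.0.0        {VPN_GW}
{VPN_SERVER}       255.255.255.255  {EXT_GW}
"""

def parse_routes(text):
    """Return [(network, gateway)] for every row that parses as a route."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            routes.append((net, fields[2]))
        except (ValueError, IndexError):
            continue  # header, blank or malformed line
    return routes

def next_hop(routes, dest):
    """Longest-prefix match, as the IP stack does (metrics are ignored here)."""
    addr = ipaddress.ip_address(dest)
    hits = [(net, gw) for net, gw in routes if addr in net]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def leaking_routes(routes, vpn_gw, expected=()):
    """Routes via another gateway that still win for at least one address."""
    leaks = []
    for net, gw in routes:
        if gw in (vpn_gw, "On-link") or str(net) in expected:
            continue
        inner = [n for n, _ in routes if n != net and n.subnet_of(net)]
        # Fully shadowed only if the more specific routes add up to `net` itself.
        if list(ipaddress.collapse_addresses(inner)) != [net]:
            leaks.append((str(net), gw))
    return leaks

if __name__ == "__main__":
    for name, table in (("without def1", WITHOUT_DEF1_ROUTES), ("with def1", WITH_DEF1_ROUTES)):
        print(name, leaking_routes(parse_routes(table), VPN_GW, {f"{VPN_SERVER}/32"}))
```

With the `def1` halves present, the 0.0.0.0/0 row via the external gateway is fully shadowed and only the expected host route to the VPN server leaves outside the tunnel; without them the same row is reported as a leak.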