
When the openvpn client connects to a VPN server it creates a route for the server IP via the old default gateway. How can I tell openvpn not to use the old default gateway but to use a custom gateway IP that I provide?

I.e. when I have the VPN server in another VPN network which is not the default route on my machine.

igor
  • Please elaborate. Currently, I'm unable to understand what you would like to achieve. – gxx Dec 23 '16 at 15:26
  • @gf_ when I run openvpn it uses the command `/sbin/route add -net [VPN_SERVER_IP] [OLD_DEFAULT_GATEWAY] 255.255.255.255`, right? So I need a way to specify my own [OLD_DEFAULT_GATEWAY] value – igor Dec 23 '16 at 17:47
  • If you remove the old default gateway from your routing table when bringing up the first VPN, won't the second one use the default set by the first one? You should be able to use `--redirect-gateway` *without* the `def1` flag (which preserves the old gateway), or write and run a script which has the same effect after the first VPN is brought up. – user4556274 Dec 23 '16 at 18:10
  • @user4556274 I also don't want the first VPN to be default gateway. I just need it only for certain subnet. – igor Dec 25 '16 at 14:14
  • @kitty No, openvpn uses the command `/sbin/route add -net [VPN_SERVER_IP] [OLD_GATEWAY_FOR_VPN_SERVER_IP] 255.255.255.255`. So, while connecting to the second VPN, if vpnserver2 is routed through the first VPN, then the correct route will automatically be added by openvpn. – Tanmay Dec 28 '16 at 11:47
  • @Tanmay for some reason it doesn't work for me. I have a route 172.30.1/24 to VPN1 and the VPN2 server has the address 172.30.1.5, but nevertheless it uses the default gateway instead – igor Dec 31 '16 at 15:18
  • @Tanmay do you think it's a bug? – igor Dec 31 '16 at 15:19
  • @kitty Which flags are you using with the `redirect-gateway` command in the second VPN's config files? (eg. `redirect-gateway autolocal` or `redirect-gateway def1`)? – Tanmay Jan 01 '17 at 18:51
  • If the connection is started by connection-manager then the solution is described here: https://ubuntuforums.org/showthread.php?t=1668165 – pawelg Feb 08 '18 at 10:23

4 Answers


I also don't want the first VPN to be default gateway. I just need it only for certain subnet.

On the client side you can ignore any routes from the VPN server with the following options:

script-security 2
route-noexec
route-up setup-routing.sh

and configure your own routes with a route-up script, which could be something like this:

$ cat setup-routing.sh
#!/bin/bash

# route_vpn_gateway is exported by OpenVPN into the environment of the route-up script
ip ro add 192.168.10.0/24 via ${route_vpn_gateway}

where route_vpn_gateway is an environment variable that points to the default gateway used by --route options, as specified in either the --route-gateway option or the second parameter to --ifconfig when --dev tun is specified.

ALex_hha
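As an added example (not the answer's own script), a fuller route-up script for the route-noexec + route-up setup above: it installs only the listed subnets via the VPN gateway, validates the route_vpn_gateway and dev variables that OpenVPN exports, and only acts when OpenVPN invokes it as a route-up script (script_type). VPN_SUBNETS and ROUTE_DRY_RUN are this example's own assumed variables, not OpenVPN options.

```sh
#!/bin/sh
# Added example route-up script (not the answer's own) for the route-noexec + route-up
# setup. route_vpn_gateway, dev and script_type come from OpenVPN's environment;
# VPN_SUBNETS and ROUTE_DRY_RUN are this example's own assumed variables.
set -eu
# Subnets that should be reached through this VPN (assumption: adjust to your network).
VPN_SUBNETS=${VPN_SUBNETS:-"192.168.10.0/24 172.30.1.0/24"}

# Succeeds only for a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Prints one "ip route" command per subnet, or fails if OpenVPN's variables are unusable.
build_route_commands() {
  gw=${route_vpn_gateway:-}
  ifname=${dev:-}
  is_ipv4 "$gw" || { echo "route-up: bad route_vpn_gateway '$gw'" >&2; return 1; }
  [ -n "$ifname" ] || { echo "route-up: dev is not set" >&2; return 1; }
  for subnet in $VPN_SUBNETS; do
    # "replace" keeps reconnects idempotent (no "RTNETLINK answers: File exists").
    printf 'ip -4 route replace %s via %s dev %s\n' "$subnet" "$gw" "$ifname"
  done
}

# Runs the commands, or just echoes them when ROUTE_DRY_RUN=1.
apply_routes() {
  cmds=$(build_route_commands) || return 1
  printf '%s\n' "$cmds" | while IFS= read -r cmd; do
    if [ "${ROUTE_DRY_RUN:-0}" = "1" ]; then
      echo "[dry-run] $cmd"
    else
      $cmd
    fi
  done
}

# Only act when OpenVPN invokes this as a route-up script, so sourcing it is harmless.
if [ "${script_type:-}" = "route-up" ]; then
  apply_routes
fi
```

Point `route-up` at this file (with `script-security 2` and `route-noexec` as above); it never touches the default route, so the existing path to the VPN server stays in use.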

Adding these two lines to the server config file will force all traffic to go through your VPN:

push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
akgren_soar
  • sorry this is not what I'm asking :) – igor Dec 08 '16 at 11:04
  • I have two vpns and I want second vpn go through first vpn instead of going to real interface, which is default gateway – igor Dec 08 '16 at 11:06
  • I don't know how a client computer can have 2 openvpn connections at the same time, but it is more likely to work if you use 2 different vpn services – akgren_soar Dec 08 '16 at 12:05

If you want to set a next-hop router for a specific subnet after both VPNs are established, use something like

ip -4 route add ${DESTINATION_SUBNET} via ${NEXT_HOP} dev ${INTERFACE_NAME}

for example

ip -4 route add 10.0.0.0/8 via 172.16.0.1 dev eth0

You don't need to modify either default gateway; the more specific route will be chosen over the default route.

user4556274
  • that is exactly what I don't want to do - do something manually after establishing vpn connections. I want it to be inside the openvpn client config file – igor Dec 25 '16 at 22:37

The redirect-gateway option may or may not change the gateway for reaching the OpenVPN server, depending on the flags provided to it.

According to the openvpn man page:

Option flags:

local -- Add the local flag if both OpenVPN servers are directly connected via a common subnet, such as with wireless. The local flag will cause step 1 above (Creation of a static route for the --remote address which forwards to the pre-existing default gateway) to be omitted.

So, just add a redirect-gateway local option in the client config file to override the pushed option. This will cause openvpn to just add a new default route, and not a specific route for the server. So the current route being used to connect to the server will continue to be used.

If you want this behavior for all clients, edit the server config file and change the option push "redirect-gateway" to push "redirect-gateway local".

Tanmay