
My setup consists of a client and a server where the client is connected to the server using OpenVPN. It's configured to route all traffic through the tunnel. This works well: the IP is the server IP and traceroute shows that the traffic is routed through the server's network.

There's one exception though: when connecting to a domain pointing to the same server, the traffic is routed outside the VPN tunnel, i.e. the server shows the client's real IP and traceroute shows the traffic being routed through the client's ISP.

My wish is to route all traffic through the tunnel, even traffic which ends up on the server, and it is necessary to use the domain name instead of the server's local IP. Any ideas?

The server is running Windows 10 and the issue appears on clients when using OpenVPN on Windows 10, Linux and OpenVPN Connect on iOS. The issue is NOT present when using OpenVPN Connect on Android. It would be interesting to understand why it works on Android as well.

Here's my server config:

port 1194
proto udp4
dev tun

ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist "C:\\Program Files\\OpenVPN\\log\\ipp.txt" 5
client-config-dir "C:\\Program Files\\OpenVPN\\config\\ccd"

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "route 255.255.255.0"

duplicate-cn
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
explicit-exit-notify 1

And client config:

client
dev tun_c_ovpn
proto udp4
remote <address> 1194
resolv-retry infinite
keepalive 5 10
nobind
persist-key
persist-tun
cipher AES-256-CBC
raksooo

1 Answer


The reason that connections to your Web server (which is hosted on the same machine as your OpenVPN server) are not routed through your VPN tunnel is normal behavior.

If you routed all traffic destined to your OpenVPN/Web server through your OpenVPN tunnel, your encapsulated traffic would never be able to reach the VPN server, because your system would try to route it over the same VPN tunnel which already encapsulated this traffic. Because of this the OpenVPN server becomes unreachable and the client would disconnect.

I cannot say how Android does this exactly. A method could be policy-based routing, which can be achieved with iptables/nftables to mark the OpenVPN-specific packets.

Policy based routing is not available on Windows OS's (AFAIK)!

Alternative Solution

An alternative solution is hosting your own DNS server and forward requests to the OpenDNS servers except for some zones you define yourself.

Create a zone in your DNS server and point your domain to the internal IP address of your tun device. From your configuration it seems like it is 10.8.0.1.

Change the DNS push option in your server.conf to push "dhcp-option DNS 10.8.0.1".

It might be needed to add some iptables/nftables rules to allow these requests.

eKKiM
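As an added illustration (not part of the question or the answer above), the Python below models the client routing table that `push "redirect-gateway def1"` installs and the longest-prefix match that sends packets for the VPN server's own public address out the physical interface, then shows how the split-horizon DNS zone the answer proposes (domain resolving to 10.8.0.1) changes the egress interface. The server's public IP, the client's LAN gateway and the domain name are constructed placeholders; the 10.8.0.1 tun address comes from the posted server config.

```python
import ipaddress

# Constructed placeholders (not from the original post).
VPN_SERVER_PUBLIC = "203.0.113.10"   # assumed public IP of the OpenVPN/Web server
ISP_GATEWAY = "192.168.1.1"          # assumed client LAN gateway
TUN_GATEWAY = "10.8.0.1"             # from 'server 10.8.0.0 255.255.255.0'
DOMAIN = "vpn.example"               # assumed domain pointing at the server


def redirect_gateway_def1_table():
    """Routes OpenVPN adds on the client for 'redirect-gateway def1':
    two /1 routes cover all of IPv4 via the tunnel without replacing the
    original default, and a /32 host route keeps the encapsulated UDP
    packets to the VPN server itself on the physical link."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), ISP_GATEWAY, "eth0"),    # original default
        (ipaddress.ip_network("0.0.0.0/1"), TUN_GATEWAY, "tun0"),    # def1 lower half
        (ipaddress.ip_network("128.0.0.0/1"), TUN_GATEWAY, "tun0"),  # def1 upper half
        (ipaddress.ip_network(VPN_SERVER_PUBLIC + "/32"), ISP_GATEWAY, "eth0"),
    ]


def lookup(table, dst):
    """Longest-prefix match, as the kernel's FIB does; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[2]


def resolve(name, split_horizon):
    """Public DNS returns the server's public address; the answer's local
    zone overrides that name with the tun address before forwarding the rest."""
    local_zone = {DOMAIN: TUN_GATEWAY} if split_horizon else {}
    upstream = {DOMAIN: VPN_SERVER_PUBLIC, "www.example.org": "198.51.100.7"}
    return local_zone.get(name, upstream.get(name))


def egress_for(name, split_horizon):
    """Interface a connection to 'name' leaves through on the VPN client."""
    return lookup(redirect_gateway_def1_table(), resolve(name, split_horizon))


if __name__ == "__main__":
    for sh in (False, True):
        print(f"split_horizon={sh}: {DOMAIN} -> {resolve(DOMAIN, sh)} via {egress_for(DOMAIN, sh)}")
    print(f"www.example.org via {egress_for('www.example.org', False)}")
```

With public DNS the domain resolves to the server's public address, the /32 host route wins and the connection bypasses the tunnel exactly as the question describes; with the local zone it resolves to 10.8.0.1 and is covered only by the 0.0.0.0/1 tunnel route.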