OpenVPN client set up - creating a default route when I tell it not to


ilium007

OpenVPN client set up - split tunnel does not function; wrong default route

Hi - I have set up the OpenVPN client on the RT-N66U running 3.0.0.4.264.22. I have selected:

Redirect Internet traffic = No

I thought this would mean that no default route would be created for this client config, i.e. I could bring up a tunnel but still have the default route go out my PPPoE connection on ppp0.

When I bring up the config and do a show route I see this:

tun11 is the VPN tunnel interface

(image: openvpn-route2.png)


And a traceroute with the VPN client running:

Straight to a 209.x.x.x address - my OpenVPN provider in the USA

macbookair:~ ilium007$ traceroute suncorp.com.au
traceroute to suncorp.com.au (203.0.222.10), 64 hops max, 52 byte packets
1 www.asusnetwork.net (192.168.10.1) 0.501 ms 0.324 ms 0.258 ms
2 * * *
3 bukbukimachicken.me (209.159.150.233) 271.299 ms 271.139 ms 271.226 ms
4 core-04-teb2.us.as19318.net (66.45.224.177) 270.821 ms 269.985 ms 271.813 ms
5 64.20.47.17 (64.20.47.17) 272.187 ms 271.781 ms 271.406 ms
6 209.197.17.197 (209.197.17.197) 272.036 ms 272.582 ms 271.756 ms
7 e2-4.r1.ch.hwng.net (209.197.0.33) 298.210 ms 302.850 ms 298.562 ms
8 * * *
9 209.234.240.250 (209.234.240.250) 343.281 ms 344.287 ms 348.065 ms
10 gi5-2.sjc-core01.net.telstraglobal.net (206.223.116.11) 347.926 ms 347.557 ms 348.087 ms
11 i-0-1-2-0.eqnx-core01.bi.telstraglobal.net (202.84.251.97) 348.306 ms
i-0-4-4-0.eqnx-core01.bi.telstraglobal.net (202.84.251.41) 347.618 ms 347.778 ms
12 i-0-6-0-1.sydo-core02.bx.telstraglobal.net (202.84.140.134) 492.584 ms 497.166 ms 492.293 ms
13 tengige0-2-0-5.oxf-gw1.sydney.telstra.net (203.50.13.13) 496.637 ms 496.485 ms 651.195 ms
14 bundle-ether1.ken-core4.sydney.telstra.net (203.50.6.5) 502.042 ms 498.418 ms 504.646 ms
15 bundle-ether5.cha-core4.brisbane.telstra.net (203.50.11.73) 522.165 ms 523.227 ms 524.742 ms
16 tengigabitethernet2-1.woo6.brisbane.telstra.net (203.50.50.144) 514.824 ms 507.352 ms 507.311 ms
17 suncor10.lnk.telstra.net (139.130.185.70) 515.273 ms 510.304 ms 513.485 ms
18 suncor10.lnk.telstra.net (139.130.185.70) 510.303 ms !X 510.789 ms !X 508.383 ms !X

When I shut down the OpenVPN Client1 connection I see this route table change:

(image: openvpn-route1.png)


And a traceroute to the same host shows:

Straight out the PPPoE interface to my ISP

macbookair:~ ilium007$ traceroute suncorp.com.au
traceroute to suncorp.com.au (203.0.222.10), 64 hops max, 52 byte packets
1 www.asusnetwork.net (192.168.10.1) 0.800 ms 0.342 ms 0.328 ms
2 * * *
3 bri-sot-wic-csw2-gi-1-3.tpgi.com.au (202.7.173.137) 21.480 ms 20.656 ms 20.964 ms
4 bri-sot-wic-crt1-gi-2-0-0.tpgi.com.au (203.29.135.1) 21.392 ms 21.447 ms 21.710 ms
5 gigabitethernet3-3.woo7.brisbane.telstra.net (120.151.255.225) 36.399 ms 220.033 ms 174.475 ms
6 tengigabitethernet1-1.woo6.brisbane.telstra.net (203.50.51.144) 34.776 ms 34.793 ms 35.437 ms
7 suncor10.lnk.telstra.net (139.130.185.70) 38.098 ms 37.936 ms 37.191 ms
8 * suncor10.lnk.telstra.net (139.130.185.70) 38.280 ms !X *
9 * *^C

This is the nvram with the "Redirect Internet traffic" option set to NO:

admin@(none):/# nvram show | grep client1
vpn_client1_poll=0
vpn_crt_client1_static=
vpn_client1_nm=255.255.255.0
vpn_client1_cipher=DES-CBC
vpn_client1_addr=us3.vpnsecure.me
vpn_client1_reneg=-1
vpn_client1_username=
vpn_client1_comp=yes
vpn_client1_retry=30
vpn_client1_gw=
vpn_client1_adns=0
vpn_client1_tlsremote=0
vpn_client1_if=tun
vpn_crt_client1_crt=-----BEGIN CERTIFICATE-----
vpn_client1_custom=comp-lzo
vpn_client1_rgw=0
vpn_client1_remote=10.8.0.1
vpn_client1_rg=0
vpn_client1_crypt=tls
vpn_client1_useronly=0
vpn_client1_bridge=1
vpn_crt_client1_ca=-----BEGIN CERTIFICATE-----
size: 46592 bytes (18944 left)
vpn_client1_firewall=auto
vpn_client1_proto=udp
vpn_client1_port=1191
vpn_client1_password=
vpn_client1_hmac=-1
vpn_client1_userauth=0
vpn_client1_nat=1
vpn_crt_client1_key=-----BEGIN RSA PRIVATE KEY-----
vpn_client1_local=10.8.0.2
admin@(none):/#


This is the nvram with the "Redirect Internet traffic" option set to YES:

admin@(none):/# nvram show | grep client1
vpn_client1_poll=0
vpn_crt_client1_static=
vpn_client1_nm=255.255.255.0
vpn_client1_cipher=DES-CBC
vpn_client1_addr=us3.vpnsecure.me
vpn_client1_reneg=-1
vpn_client1_username=
vpn_client1_comp=yes
vpn_client1_retry=30
vpn_client1_gw=
vpn_client1_adns=0
vpn_client1_tlsremote=0
vpn_client1_if=tun
vpn_crt_client1_crt=-----BEGIN CERTIFICATE-----
vpn_client1_custom=comp-lzo
vpn_client1_rgw=1
vpn_client1_remote=10.8.0.1
vpn_client1_rg=0
vpn_client1_crypt=tls
vpn_client1_useronly=0
vpn_client1_bridge=1
vpn_crt_client1_ca=-----BEGIN CERTIFICATE-----
vpn_client1_proto=udp
vpn_client1_firewall=auto
vpn_client1_port=1191
vpn_client1_password=
vpn_client1_hmac=-1
vpn_client1_userauth=0
vpn_client1_nat=1
vpn_crt_client1_key=-----BEGIN RSA PRIVATE KEY-----
size: 46592 bytes (18944 left)
vpn_client1_local=10.8.0.2
admin@(none):/#

The difference is in the line:

vpn_client1_rgw=1

This says to me that with the OpenVPN client running and the "Redirect Internet traffic" option set to NO I still get a default route out the VPN interface.

Am I looking at this wrong?
 
I have just confirmed also that it is specific to the router as when I set up the exact same client on my Mac using an OpenVPN client and then look at the local routing table it is fine - the default route is not being changed.

This confirms that the OpenVPN server is not pushing anything to the client that will force the default route.

I basically want to be able to split tunnel on the RT-N66U whilst I have a VPN Client set up.
 
If anyone else wants to test this I have a trial OpenVPN account and I can give you my certs and keys for you to test on your RT-N66U. My account is valid for another 1.5 days.

I did some more low tech testing using this site:

http://fmbip.com/

With the "Redirect Internet traffic" turned Off I still get the US based IP come up in that site. When I disconnect the client OpenVPN tunnel I get my usual ISP IP.

(image: openvpn-route3.png)


I am trying to get Hulu working in Australia but I can't do it with all my internet traffic routing out over the VPN tunnel. I want to set up specific routes for the Hulu traffic only - not ALL my network traffic.
 
I can't reproduce that behaviour here. I just configured a tunnel, and my default route is only the regular one on eth0:


admin@RT-N66U:/tmp/home/root# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.108.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun21
192.168.10.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
10.1.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun11
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.108.0.0 10.108.0.2 255.255.255.0 UG 0 0 0 tun21
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.10.1 0.0.0.0 UG 0 0 0 eth0


I suspect it could be your VPN provider pushing the route to you (servers can push routes to the clients). Check Syslog for the details of what settings get pushed to you.

You can reject routes being pushed to you through a config option:

http://www.jbmurphy.com/2010/08/11/ignore-server-pushed-routes-in-openvpn-client/
 
I had also lodged a question with the VPN vendor asking if they pushed a route and just got a reply to say they did. I will need to use a script specified in the client config to remove the routes when the tunnel comes up.
 
Is there anything special I need to do in the script I call after the tunnel comes up? I was going to simply put something in the /jffs/scripts folder. Do I only need to remove the one default route out through tun11?
 
> I had also lodged a question with the VPN vendor asking if they pushed a route and just got a reply to say they did. I will need to use a script specified in the client config to remove the routes when the tunnel comes up.

Just add the config option from the URL I linked, it should prevent your client from accepting the route pushed to it.
 
Add “route-nopull” to your client’s config and you will no longer be a slave to the server’s “redirect-gateway”

I will add this in tonight and see how it goes. Thanks again.
 
So that option worked fine. I am now having a small issue whereby I add a route option to the client config, for example, I want to route traffic to a certain host address across the tunnel:

route 87.106.130.14 255.255.255.255 vpn_gateway

All good - my route table looks like:

admin@(none):/tmp/home/root# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
87.106.130.14 10.8.0.157 255.255.255.255 UGH 0 0 0 tun11
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun21
10.8.0.157 0.0.0.0 255.255.255.255 UH 0 0 0 tun11
202.7.179.98 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun21
1.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 202.7.179.98 0.0.0.0 UG 0 0 0 ppp0
admin@(none):/tmp/home/root#


But if I do a traceroute to 87.106.130.14 I get no responses:

traceroute to 87.106.130.14 (87.106.130.14), 30 hops max, 38 byte packets
1 * * *
2 * * *
3 * * *
4

Do I need to manually set up NAT rules?
 
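As an added example (editor's code, not posted by anyone in this thread and not part of the firmware), the following POSIX shell script turns the checks discussed above into something repeatable: it parses `route -n` / `netstat -nr` text of the kind pasted in this thread and reports which interface carries the default route, whether that default goes through a tun* interface (the symptom in the first post), which interface a specific destination such as 87.106.130.14 will actually use, and whether a syslog PUSH_REPLY line shows the server pushing redirect-gateway (the Syslog check suggested earlier in the thread). The routing tables and the log line embedded in the script are constructed from addresses that appear in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the firmware.
# Parses `route -n` / `netstat -nr` text and an OpenVPN syslog line.
# All sample data below is CONSTRUCTED from addresses seen in the thread.

# Table as it looks after route-nopull: default via ppp0, one host route via tun11.
SAMPLE_ROUTES=$(cat <<'EOF'
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
87.106.130.14 10.8.0.157 255.255.255.255 UGH 0 0 0 tun11
10.8.0.157 0.0.0.0 255.255.255.255 UH 0 0 0 tun11
202.7.179.98 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 202.7.179.98 0.0.0.0 UG 0 0 0 ppp0
EOF
)

# Table as it looked before route-nopull: the pushed default route via tun11.
LEAKING_ROUTES=$(cat <<'EOF'
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.157 0.0.0.0 255.255.255.255 UH 0 0 0 tun11
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
0.0.0.0 10.8.0.157 0.0.0.0 UG 0 0 0 tun11
EOF
)

# Constructed syslog line in the format OpenVPN uses to log a server's PUSH_REPLY.
SAMPLE_LOG=$(cat <<'EOF'
Jan  1 10:00:01 openvpn[1234]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.2 10.8.0.1'
EOF
)

# Interface of the default route: Destination 0.0.0.0 with Genmask 0.0.0.0.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF; exit }'
}

# Returns 0 (true) when the default route leaves through a tun* interface.
default_via_tunnel() {
    case "$(default_iface "$1")" in
        tun*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Longest-prefix match in pure awk: print the interface a dotted-quad IP would use.
route_iface() {
    printf '%s\n' "$1" | awk -v ip="$2" '
    function toint(a,   p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    function masklen(m,   v, c) { v = toint(m); c = 0; while (v > 0) { c += v % 2; v = int(v/2) } return c }
    function and32(a, b,   r, bit, i) {
        r = 0; bit = 1
        for (i = 0; i < 32; i++) { if (a % 2 == 1 && b % 2 == 1) r += bit; a = int(a/2); b = int(b/2); bit *= 2 }
        return r
    }
    BEGIN { best = -1; target = toint(ip) }
    $1 ~ /^[0-9]/ {
        if (and32(target, toint($3)) == toint($1) && masklen($3) > best) { best = masklen($3); iface = $NF }
    }
    END { if (best >= 0) print iface; else print "none" }'
}

# Options the server pushed, one per line, taken from the quoted PUSH_REPLY text.
pushed_options() {
    printf '%s\n' "$1" | sed -n "s/.*PUSH_REPLY,\(.*\)'.*/\1/p" | tr ',' '\n'
}

# Returns 0 (true) when the server pushed a redirect-gateway option.
pushed_redirect_gateway() {
    pushed_options "$1" | grep -q '^redirect-gateway'
}

# Stand-alone run over the constructed data.
printf 'default route via: %s\n' "$(default_iface "$SAMPLE_ROUTES")"
printf '87.106.130.14 via: %s\n' "$(route_iface "$SAMPLE_ROUTES" 87.106.130.14)"
default_via_tunnel "$LEAKING_ROUTES" && echo 'leaking table: default route goes through the tunnel'
pushed_redirect_gateway "$SAMPLE_LOG" && echo 'server pushed: redirect-gateway'
```

On the router itself the same functions can be fed live data, e.g. `default_via_tunnel "$(route -n)"` or `pushed_options "$(grep PUSH_REPLY /tmp/syslog.log)"` (path assumed; use wherever the firmware writes its syslog). The script only checks routing: whether a host routed through tun11 also answers depends on source NAT on the tunnel interface, which the nvram dumps above expose as vpn_client1_nat and which this check does not inspect.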