OpenVPN client set up - creating a default route when I tell it not to

Discussion in 'Asuswrt-Merlin' started by ilium007, Dec 23, 2012.

  1. ilium007

    ilium007, Regular Contributor. Joined: Dec 15, 2012. Messages: 50
    OpenVPN client set up - split tunnel does not function; wrong default route

    Hi - I have set up the OpenVPN client on the RT-N66U running 3.0.0.4.264.22. I have selected:

    Redirect Internet traffic = No

    I thought this would mean that no default route would be created for this client config, i.e. I could bring up a tunnel but still have the default route go out my PPPoE connection on ppp0.

    When I bring up the config and do a show route I see this:

    tun11 is the VPN tunnel interface


    And a traceroute with the VPN client running:

    Straight to a 209.x.x.x address - my OpenVPN provider in the USA

    When I shut down the OpenVPN Client1 connection I see this route table change:


    And a traceroute to the same host shows:

    Straight out the PPPoE interface to my ISP

    This is the nvram with the "Redirect Internet traffic" option set to NO:


    This is the nvram with the "Redirect Internet traffic" option set to YES:

    The difference is in the line:

    vpn_client1_rgw=1

    This says to me that with the OpenVPN client running and the "Redirect Internet traffic" option set to NO I still get a default route out the VPN interface.

    Am I looking at this wrong?
     
    Last edited: Dec 23, 2012
  2. ilium007

    I have just confirmed also that it is specific to the router as when I set up the exact same client on my Mac using an OpenVPN client and then look at the local routing table it is fine - the default route is not being changed.

    This confirms that the OpenVPN server is not pushing anything to the client that will force the default route.

    I basically want to be able to split tunnel on the RT-N66U whilst I have a VPN Client set up.
     
  3. ilium007

    If anyone else wants to test this I have a trial OpenVPN account and I can give you my certs and keys for you to test on your RT-N66U. My account is valid for another 1.5 days.

    I did some more low tech testing using this site:

    http://fmbip.com/

    With the "Redirect Internet traffic" turned Off I still get the US based IP come up in that site. When I disconnect the client OpenVPN tunnel I get my usual ISP IP.


    I am trying to get Hulu working in Australia but I can't do it with all my internet traffic routing out over the VPN tunnel. I want to set up specific routes for the Hulu traffic only - not ALL my network traffic.
     
  4. RMerlin

    RMerlin, Part of the Furniture. Joined: Apr 14, 2012. Messages: 13,007. Location: Canada
    I can't reproduce that behaviour here. I just configured a tunnel, and my default route is only the regular one on eth0:


    admin@RT-N66U:/tmp/home/root# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.108.0.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun21
    192.168.10.1    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
    192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
    10.1.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun11
    192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
    10.108.0.0      10.108.0.2      255.255.255.0   UG    0      0        0 tun21
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.10.1    0.0.0.0         UG    0      0        0 eth0


    I suspect it could be your VPN provider pushing the route to you (servers can push routes to the clients). Check Syslog for the details of what settings get pushed to you.

    You can reject routes being pushed to you through a config option:

    http://www.jbmurphy.com/2010/08/11/ignore-server-pushed-routes-in-openvpn-client/
     
    Last edited: Dec 23, 2012
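
Added example (not part of the original thread, and not RMerlin's or the firmware's code): one way to do the Syslog check suggested above, by pulling the routing-related options out of OpenVPN's `PUSH_REPLY` log line. The sample log lines, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# List the routing options an OpenVPN server pushed to the client,
# as recorded in the client's log ("PUSH: Received control message").

# Constructed sample syslog lines (not taken from the thread).
SAMPLE_LOG="Dec 23 10:15:01 openvpn[612]: TLS: Initial packet from 203.0.113.10:1194
Dec 23 10:15:02 openvpn[612]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ifconfig 10.8.0.6 10.8.0.5'
Dec 23 10:15:02 openvpn[612]: Initialization Sequence Completed"

# Print each pushed option that changes the routing table, one per line.
# $1 = log text
pushed_route_options() {
    printf '%s\n' "$1" |
        sed -n "s/.*PUSH_REPLY,\([^']*\)'.*/\1/p" |
        tr ',' '\n' |
        grep -E '^(redirect-gateway|redirect-private|route|route-ipv6)( |$)'
}

# Return 0 if the server asks the client to replace its default route,
# either with redirect-gateway or with explicit 0/0 or 0/1 + 128/1 routes.
pushes_default_route() {
    pushed_route_options "$1" |
        grep -Eq '^(redirect-gateway|route 0\.0\.0\.0 (0\.0\.0\.0|128\.0\.0\.0)|route 128\.0\.0\.0 128\.0\.0\.0)'
}

if pushes_default_route "$SAMPLE_LOG"; then
    echo "server pushes a default route:"
fi
pushed_route_options "$SAMPLE_LOG"
```

Pass the router's saved system log text as the argument in place of the sample. If a default route shows up, `route-nopull` in the client config makes OpenVPN ignore routes pushed by the server.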
  5. ilium007

    I had also lodged a question with the VPN vendor asking if they pushed a route and just got a reply to say they did. I will need to use a script specified in the client config to remove the routes when the tunnel comes up.
     
  6. ilium007

    Is there anything special I need to do in the script I call after the tunnel comes up? I was going to simply put something in the /jffs/scripts folder. Do I only need to remove the one default route out through tun11?
     
  7. RMerlin

    Just add the config option from the URL I linked, it should prevent your client from accepting the route pushed to it.
     
  8. ilium007

    Cool - I hadn't gotten as far as the link yet! Cheers.
     
  9. ilium007

    I will add this in tonight and see how it goes. Thanks again.
     
  10. ilium007

    So that option worked fine. I am now having a small issue whereby I add a route option to the client config, for example, I want to route traffic to a certain host address across the tunnel:

    All good - my route table looks like:


    But if I do a traceroute to 87.106.130.14 I get no responses:

    Do I need to manually set up NAT rules?
     
    Last edited: Dec 24, 2012
