OpenVPN force traffic disable and VPN Director

Laxarus

Hello,
I just noticed this but when I disable the Redirect Internet traffic through tunnel setting in the openvpn client, I lose all internet connection for all the devices when this openvpn client is connected.
I remember it did not use to be like this. Is it a problem specific to me or intended behavior?

1633024683190.png
 
The behavior was changed in the most recent firmware.

It's possible for either the OpenVPN client or server to change the default gateway to the VPN using the "redirect-gateway def1" directive. Either the server can push it to the client, or the client can specify it in its config file. And every commercial OpenVPN provider indeed pushes it, since without it, the tunnel would be useless (at least for those NOT using policy based routing).

In the old firmware, specifying NO for "Redirect internet traffic through tunnel" would only guarantee the client does NOT specify the "redirect-gateway def1" directive, but it would NOT prevent the server from pushing it. So for commercial OpenVPN providers, the default gateway would be changed to the VPN regardless. But that's confusing. Here you are telling the OpenVPN client NOT to route the traffic through the tunnel, but it still is. The most recent firmware corrects that problem. It purposely rejects the push'd directive. So now when you say NO, it truly means NO!
 
I just checked and there is indeed a "redirect-gateway def1" directive in the client configuration. So, I am confused. When I say "no", it should redirect the traffic to the default gateway which is working fine but I lose the connection anyway. Why is that?
 
You need to be more precise. It should redirect the traffic to *which* default gateway? You lose *which* connection? WAN? VPN?

I also have no idea how you configured the OpenVPN client. By hand? By importing a .ovpn config file from the OpenVPN provider? In the latter case, it's possible the provider has specified the directive and so it got imported.
 
One other thing to keep in mind.

IIRC, the router *ignores* any references to route directives (of which redirect-gateway is considered one) by specifying the route-noexec directive. IOW, the router *never* lets OpenVPN itself manage the routing, whether those are specifically route directives, or redirect-gateway directives. By specifying route-noexec, it causes any such routes to be processed by the router's routing scripts. And if you specify NO for "Redirect internet traffic through tunnel", those scripts will never allow redirect-gateway to have any effect, regardless where it comes from (server or client). At least that's the way I remember it working last time I checked.

The user is never directly exposed to any of this, of course. All this is under the covers. All YOU need to be aware of is that as long as you specify NO for "Redirect internet traffic through tunnel", the router is NOT going to allow the default gateway to be changed to the VPN. And at that point, the OpenVPN client is effectively useless (at least if we're talking about a commercial OpenVPN provider). Using NO is intended for situations like your own personal OpenVPN server, where you're NOT interested in using it as an internet gateway, but just for the client to access resources on the remote network, or vice-versa (i.e., site-to-site).
 
It is configured by importing the openvpn configuration file from the VPN provider. The custom config of the file is:
Code:
remote-random
tls-client
pull
redirect-gateway def1
route-delay 3
remote-cert-tls server
cipher AES-128-CBC
mute-replay-warnings
persist-remote-ip

When I set "No", I lose WAN (Internet) connection which should not be the case. I cannot get WAN IP and there is no internet.

Like you stated, I am not using "No" option anyway. I have found this problem by chance and thought it didn't make sense. In your case, if you set "No", do you also lose WAN (Internet) connection?
My WAN settings:
1633101780663.png
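The thread turns on where "redirect-gateway" comes from (client config or server push) and whether OpenVPN itself acts on it once route-noexec is set. The following audit is an added example, not code from the firmware or from any poster: it runs over the client config posted above together with a constructed list of pushed options. The pull-filter and route-nopull handling reflects standard OpenVPN client directives that the thread does not mention; how the firmware itself rejects the push is not stated on the page.

```python
import shlex

# Client config as posted in the thread.
POSTED_CLIENT_CONFIG = """\
remote-random
tls-client
pull
redirect-gateway def1
route-delay 3
remote-cert-tls server
cipher AES-128-CBC
mute-replay-warnings
persist-remote-ip
"""
# Constructed sample of what a commercial provider might push (assumption).
CONSTRUCTED_PUSH = ["redirect-gateway def1", "dhcp-option DNS 10.8.0.1"]

def parse(text):
    """Return [directive, arg, ...] lists, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            rows.append(shlex.split(line))
    return rows

def audit(client_text, pushed):
    """Report where redirect-gateway comes from and whether OpenVPN acts on it."""
    rows = parse(client_text)
    names = {r[0] for r in rows}
    filters = [(r[1], r[2]) for r in rows if r[0] == "pull-filter" and len(r) >= 3]
    pulls = bool(names & {"pull", "client"})  # pushed options need pull mode
    accepted = []
    for opt in pushed if pulls else []:
        # pull-filter: the first prefix match decides; no match means accept.
        action = next((a for a, text in filters if opt.startswith(text)), "accept")
        if action == "accept":
            accepted.append(opt)
    # route-nopull drops pushed routing options, redirect-gateway included.
    pushed_rg = (any(o.startswith("redirect-gateway") for o in accepted)
                 and "route-nopull" not in names)
    local_rg = "redirect-gateway" in names
    return {
        "local_redirect_gateway": local_rg,
        "pushed_redirect_gateway_accepted": pushed_rg,
        # With route-noexec OpenVPN installs no routes; external scripts decide.
        "openvpn_changes_default_route": (local_rg or pushed_rg)
                                         and "route-noexec" not in names,
    }
```

For the posted config this reports the directive as present locally and also accepted from the push, which is why removing it from one side alone does not stop the redirect.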
 
