openvpn default gateway not through the vpn


This topic contains 9 replies, has 0 voices, and was last updated by  lidocaineus 9 years, 4 months ago.

    #42091

    lidocaineus
    Member

    I have an openvpn setup up and running, but I don’t want all traffic going through the vpn – just specific subnets. In my previous openvpn setup on a dedicated machine, I would just have it push over certain subnets to the routing table but not be the default gateway.

    Is it possible to get the same thing working with zs?

    #49241

    ppalias
    Member

    In my setup, I add the routes that I want to tunnel to the ZS to the client config with the command

    route 192.168.0.0 255.255.255.0 1.2.3.4 1

    #49242

    lidocaineus
    Member

    The problem isn’t sending specific subnets through the tunnel – the problem is that when the VPN comes up it routes ALL traffic through the VPN.

    As I said in my post, previously with my own openvpn setup, only specific subnets were pushed via the openvpn server config file to route through the tunnel. This also seems to be the default way openvpn operates unless a specific configuration option is given in the config file.

    This is a problem as if you bring up the VPN, all your existing connections will a) go through a much slower VPN tunnel and b) get disconnected since they’re now taking a completely different return path route.

    #49243

    ppalias
    Member

    root@zeroshell root> ps auxw | grep vpn
    root 10399 0.1 2.4 6704 4628 ? S Dec08 2:31 vpn --dev-type tap --dev VPN99 --mode server --tls-server --proto tcp-server --port 1194 --dh /etc/ssl/dh.pem --ca /var/register/system/openvpn/Auth/X509/CAFile --cert /var/register/system/openvpn/TLS/cert.pem --key /var/register/system/openvpn/TLS/key.pem --daemon VPN99_H2L --ifconfig-pool 10.14.149.178 10.14.149.190 255.255.255.240 --push route-gateway 10.14.149.177 --push --push dhcp-option DNS 10.14.149.1 --push route remote_host 255.255.255.255 net_gateway 1 --push route 10.14.149.176 255.255.255.240 --client-connect /root/kerbynet.cgi/scripts/ov_connect --client-disconnect /root/kerbynet.cgi/scripts/ov_disconnect --mute 3 --management 127.0.0.1 34099 --keepalive 5 60 --duplicate-cn

    This is my server side openvpn configuration taken from the shell. It doesn’t send any specific routes, but the DNS and the gateway. On my client file I inject the routes I wish my client to route through the tunnel. Hope this helps, if not please take a screenshot of the web interface page of the vpn configuration so we can take a look.

    #49244

    lidocaineus
    Member

    Mine is similar but has a --push-redirect-gateway option added on, which looks to be the problem – it’s causing the client to reroute everything over the vpn connection. I’ll look later, but if you know, what’s the easiest way to edit the command line?

    #49245

    lidocaineus
    Member

    Never mind, found the vpn-generating script.

    #49246

    ppalias
    Member

    Don’t mess with the scripts. Post here a screenshot of the webpage of your zeroshell vpn config.

    #49247

    lidocaineus
    Member

    Why not? There’s no way to remove --push-redirect-gateway from the web interface as it checks for the existence of multiple subnets (which I have) and if true, at that point adds in the redirect-gateway option – posting an image of it would be pointless as there’s nothing in the web interface – it’s all in the script.

    You can see this yourself in /root/kerbynet.cgi/scripts/vpn_start

    #49248

    ppalias
    Member

    Because in my openvpn it is not sending me the default gateway, so I believe there is a way to do it without messing with the scripts.

    #49249

    lidocaineus
    Member

    Here’s the relevant part of the script:

    NETS=`cat $REGISTER/system/openvpn/Nets 2>/dev/null`
    if [ -z "$NETS" ] ; then
        REDIRECTGW="redirect-gateway"
    else

    So I either make a non-zero Nets file or I edit the script line directly. Most likely the reason you’re not getting the –redirect-gateway is because you have a Nets file. I don’t. Since there is no documentation on what’s in that file or what it’s supposed to do there’s no obvious way to fix it from the GUI. The only thing that creates a Nets file is vpn_setnet, which uses a parameter when called to either set an empty Nets file or a Nets file with a newline character. I don’t feel like chasing down what actually CALLS vpn_setnet as my hack works for now.

    On the next version I’ll re-evaluate if the hack stays or something else gets done.
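
    The whole thread turns on one distinction: whether the server pushes specific routes (split tunnel) or pushes redirect-gateway (everything through the VPN). Below is an added example, not ZeroShell’s vpn_start and not either poster’s own setup, that audits an OpenVPN server command line as printed by `ps auxw | grep vpn`, or a server.conf, for exactly that, and prints the split-tunnel push lines you would want instead. It serves both the command line ppalias posted (note the bare `--push` followed immediately by another `--push` in that line, which is where the script snippet above would have placed `redirect-gateway` had the Nets file been empty) and the script excerpt in this post. The sample strings are constructed, trimmed from that posted command line plus one extra route; the option names (`--push`, `route`, `redirect-gateway`, the `def1` flag) are OpenVPN’s own. The server.conf handling goes slightly beyond the thread, which only shows the command-line form.

```shell
#!/bin/sh
# Added example, not ZeroShell's vpn_start nor either poster's configuration.
# Audit an OpenVPN server invocation (ps output) or a server.conf for whether
# connecting clients are pushed a default route via the tunnel.
#
# Assumptions: option names are OpenVPN's real ones (--push, route,
# redirect-gateway, def1); the sample strings below are constructed, trimmed
# from the command line posted earlier in this thread.

# Split-tunnel server: only the pushed subnets traverse the tunnel.
SAMPLE_SPLIT='vpn --dev-type tap --dev VPN99 --mode server --push route-gateway 10.14.149.177 --push dhcp-option DNS 10.14.149.1 --push route 10.14.149.176 255.255.255.240 --push route 192.168.0.0 255.255.255.0'

# Same server with the option that sends all client traffic through the VPN.
SAMPLE_REDIRECT="$SAMPLE_SPLIT --push redirect-gateway"

# The equivalent in server.conf syntax (constructed), full-tunnel variant.
SAMPLE_CONF='push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1"'

# Exit 0 if the input pushes a default route (redirect-gateway) to clients,
# i.e. bringing the VPN up will reroute all of the client's traffic.
pushes_default_route() {
    printf '%s\n' "$1" |
        grep -Eq -- '(--push[[:space:]]+"?|^[[:space:]]*push[[:space:]]+")redirect-gateway'
}

# Print "net mask" for each specific route the server pushes; this is what
# a split-tunnel client ends up routing through the VPN. "route-gateway"
# and "dhcp-option" pushes are deliberately not matched.
pushed_routes() {
    printf '%s\n' "$1" |
        grep -Eo -- '(--push[[:space:]]+"?|push[[:space:]]+")route[[:space:]]+[0-9.]+[[:space:]]+[0-9.]+' |
        sed 's/.*route[[:space:]]*//'
}

# Emit server-side push lines for a split tunnel. Args: net mask pairs.
# This is the server-config alternative to redirect-gateway.
split_tunnel_pushes() {
    while [ $# -ge 2 ]; do
        printf 'push "route %s %s"\n' "$1" "$2"
        shift 2
    done
}

# Stand-alone demo over the constructed samples.
for line in "$SAMPLE_SPLIT" "$SAMPLE_REDIRECT" "$SAMPLE_CONF"; do
    if pushes_default_route "$line"; then
        echo "FULL TUNNEL: clients get a default route via the VPN"
    else
        echo "SPLIT TUNNEL: only these subnets go through the VPN:"
        pushed_routes "$line" | sed 's/^/  /'
    fi
done
echo "Split-tunnel push lines for two example subnets:"
split_tunnel_pushes 10.14.149.176 255.255.255.240 192.168.0.0 255.255.255.0
```

    On a ZeroShell box you would feed the function the line from `ps auxw | grep vpn` as shown earlier in the thread; if it reports a full tunnel, the client will also need a route to the VPN server itself outside the tunnel (the `remote_host ... net_gateway` push in the posted line), otherwise existing connections are cut over to the slower return path exactly as described above.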

    #49250

    ppalias
    Member

    Take a look here.
    Most likely all you need to do is add the networks to send to the client.

    http://www.flickr.com/photos/35949154@N02/4189979524/sizes/o/
