Can vpn_gateway still be used over a tap interface for default routing?
Hi,
I set up a testbed with 2 clients (Ubuntu and Windows 11) and a Debian openvpn server using tap interfaces. Addresses on the vpn network are assigned by an external dhcp server belonging to the same network (inside the vpn lan). I'm trying to redirect traffic through the tunnel and the remote vpn_gateway. Linux does not set up routes. The Linux client openvpn is started from the shell in order to avoid, at the beginning, some potential Network Manager issues. I've looked a little bit, and it seems that even if the dhcp gateway option from the tunneled dhcp replies is caught, rl->spec.flags are not set to RTSA_REMOTE_ENDPOINT in redirect_default_route_to_vpn. So the first function's warning is triggered (redirect-gateway def1 and route-gateway dhcp are pushed from the server, thus the message "VPN gateway parameter (--route-gateway or --ifconfig) is missing" is strange). I've just temporarily disabled this test in the function and I got at least a route for the remote vpn server. 0.0.0.0 and 128.0.0.0 still fail, because the vpn_gateway value does not seem to be queried as a possible gateway (once it has been instantiated).
It seems to work on Windows.
Do you have any suggestion? (Ubuntu distribution package 2.6.14 and manually recompiled 2.6.17 have similar behavior).
Thanks.
Hi,
On Thu, Dec 11, 2025 at 07:48:40AM -0800, kabassanov wrote:
> Do you have any suggestion? (Ubuntu distribution package 2.6.14 and manually recompiled 2.6.17 have similar behavior).
Don't use tap, unless you have a hard requirement for bridged network access.
For the issue at hand, it's well possible that the gateway code is getting confused in DHCP mode (I was not aware that "DHCP client on TAP" is even a supported way to run things on linux).
Can you share a client log with --verb 3 that shows what is coming in, what is ifconfig'ed, etc? So everything after (and including) PUSH_REPLY.
gert
-- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany
(Multiple) Bridged networking is my primary goal... The server part seems to support it pretty well with some imagination...
The code is stripping router options from dhcp replies in order to manage them manually. This way, it allows people not to get default routes when only particular networks are managed through the tunnel.
Finally, the answer was in the documentation (but it is so cool to discover it by myself):