
Make routing all traffic optional

Open heutger opened this issue 5 years ago • 24 comments

Allow disabling routing all traffic

heutger avatar Jul 04 '19 13:07 heutger

Example use case?

angristan avatar Jul 05 '19 10:07 angristan

Same: if you don't want to use OpenVPN as a road warrior but as a server connection, the idea is not to send all traffic through this server. So it's the use case of a privileged connection instead of road-warrior surfing.

heutger avatar Jul 05 '19 11:07 heutger

Hi angristan,

First of all, thank you very much for that script.

I am wondering if that feature was finished and how I can disable "redirect-gateway def1 bypass-dhcp" without losing Internet access.

ghost avatar Nov 17 '19 19:11 ghost

Have you tried using --redirect-private? (cf. https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage)

angristan avatar Nov 29 '19 11:11 angristan

Have you tried using --redirect-private? (cf. https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage)

Just tried. Nope, no Internet access.

ghost avatar Nov 29 '19 11:11 ghost

Can you show the routes on your client?

angristan avatar Nov 29 '19 11:11 angristan

server.conf

port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
push "route 172.0.0.0 255.0.0.0"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_LNRlddfn2chIMbDj.crt
key server_LNRlddfn2chIMbDj.key
duplicate-cn
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
reneg-sec 0
log-append /var/log/openvpn.log
verb 3

client.conf

client
proto udp
remote ip 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_LNRlddfn2chIMbDj name
auth SHA256
auth-nocache
push "redirect-private"
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3

I've tried both: adding redirect-private to the server and to the client, and it didn't work.

ghost avatar Nov 29 '19 11:11 ghost

I meant the actual route table on the client (ip r on Linux).

angristan avatar Nov 29 '19 11:11 angristan

Openstack instance where openvpn is installed:

default via 192.168.1.1 dev ens3 proto dhcp src 192.168.1.220 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
169.254.169.254 via 192.168.1.2 dev ens3 proto dhcp src 192.168.1.220 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev ens3 proto kernel scope link src 192.168.1.220

Openstack host machine:

default via 10.0.0.1 dev enp2s0f0 proto static
10.0.0.0/16 dev enp2s0f0 proto kernel scope link src 10.0.1.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-1f1efd0325fa proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev br-9cf76bf5fcac proto kernel scope link src 172.19.0.1 linkdown

ghost avatar Nov 29 '19 11:11 ghost

That looks good to me though!

So if you ping, say, 8.8.8.8, it doesn't work? What about a traceroute?

angristan avatar Nov 29 '19 12:11 angristan

I can ping 8.8.8.8, as was mentioned here as well: https://github.com/angristan/openvpn-install/issues/431

It's just that I can't open any websites in the browser.

ghost avatar Nov 29 '19 13:11 ghost

So it's a DNS issue? What's your resolver? (Issue a dig and see what resolver is used.)

angristan avatar Nov 29 '19 13:11 angristan

http://prntscr.com/q3v04r - tracert

http://prntscr.com/q3v4a0 - without VPN

http://prntscr.com/q3v4jq - with VPN

ghost avatar Nov 29 '19 13:11 ghost

What about with the VPN + 1.1.1.1?

angristan avatar Nov 29 '19 13:11 angristan

http://prntscr.com/q3vaxb

ghost avatar Nov 29 '19 13:11 ghost

You didn't use 1.1.1.1, you tried to resolve it. https://superuser.com/a/367974/668658

angristan avatar Nov 29 '19 14:11 angristan

http://prntscr.com/q3zbek

ghost avatar Nov 29 '19 18:11 ghost

And using 8.8.8.8, since you can ping it?

angristan avatar Dec 01 '19 12:12 angristan

Same thingy:

DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

ghost avatar Dec 01 '19 13:12 ghost

Allow disabling routing all traffic

@heutger you can remove the line push "redirect-gateway def1 bypass-dhcp" from /etc/openvpn/server.conf and restart the OpenVPN server.

randshell avatar Jun 30 '20 11:06 randshell

@randomshell: This is working, but shouldn't this be a feature of the script itself?

kdeiss avatar Oct 16 '20 16:10 kdeiss

Can someone please tell me how I can set up an OpenVPN server and client profile so that my default gateway does NOT get changed to that of the OpenVPN server? I just want to use OpenVPN to connect to the remote network securely, not use its Internet connection as my own.

I'm really frustrated by the lack of good documentation on this... I've been trying to set this up for days now, going at it off and on. If at all possible, this should be the final question before you set up your OpenVPN server, so that it remains optional.

I would very much like this feature.. thank you for requesting it, @heutger

hvanmegen avatar Jun 24 '21 07:06 hvanmegen

I'm also asking about this. If you remove push "redirect-gateway def1 bypass-dhcp", no traffic at all will be exchanged.

tideodk avatar Sep 08 '21 12:09 tideodk

Hello everyone!

First of all, I want to thank @angristan for this great script!

I was also trying not to route all Internet traffic through the VPN and I've finally found a solution, so I think it may be useful for other people.

What you need to do (in /etc/openvpn/server.conf) is comment out or remove all the lines that push DHCP parameters, like the following: push "dhcp-option DNS X.X.X.X". Also remove the line: push "redirect-gateway def1 bypass-dhcp". The last thing to do here is add the routes that will let your client reach the hosts through the VPN: push "route 172.16.0.0 255.255.0.0" (you can add more than one line).

Then you will need to edit the file /etc/openvpn/client-template.txt. There you will remove 2 lines: ignore-unknown-option block-outside-dns and setenv opt block-outside-dns # Prevent Windows 10 DNS leak.

If you need to change the IP range you can edit the script (before running it; if you already did, you can remove OpenVPN by running it again and selecting the third option), replacing all the 10.8.0.1 occurrences with the IP you want for the OpenVPN server and all the 10.8.0.0 occurrences with the address of your new network. This procedure is based on: https://github.com/angristan/openvpn-install/pull/550

Now you will be able to create the clients. Do not forget to restart the OpenVPN server with systemctl restart openvpn@server.

ignacioinnovo avatar Aug 06 '23 13:08 ignacioinnovo
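The split-tunnel edit described in the two answers above (drop the redirect-gateway and dhcp-option pushes, push explicit routes, and strip the Windows block-outside-dns lines from the client template), as an added shell example that is not part of the openvpn-install script. The sample server.conf and client-template.txt are constructed from directives shown in this thread, and the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the openvpn-install project. Assumes one directive
# per line, as the script writes them. Sample files below are CONSTRUCTED.
set -euo pipefail

# make_split_tunnel <in.conf> <out.conf> <NET MASK> [<NET MASK> ...]
# Drops push "redirect-gateway ..." (no default route through the tunnel) and
# push "dhcp-option ..." (clients keep their own resolver), then appends one
# push "route NET MASK" per extra argument so only those networks use the VPN.
make_split_tunnel() {
  local in="$1" out="$2" r; shift 2
  grep -Ev '^[[:space:]]*push[[:space:]]+"(redirect-gateway|dhcp-option)[^"]*"' "$in" > "$out"
  for r in "$@"; do
    printf 'push "route %s"\n' "$r" >> "$out"
  done
}

# strip_client_dns_block <template_in> <template_out>
# With no DNS pushed over the tunnel, block-outside-dns would leave Windows
# clients with no working resolver at all, so both lines must go.
strip_client_dns_block() {
  grep -Ev '^[[:space:]]*(setenv[[:space:]]+opt|ignore-unknown-option)[[:space:]]+block-outside-dns' "$1" > "$2"
}

WORK=$(mktemp -d)
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
verb 3
EOF
cat > "$WORK/client-template.txt" <<'EOF'
client
remote-cert-tls server
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
EOF

make_split_tunnel "$WORK/server.conf" "$WORK/server.split.conf" "172.16.0.0 255.255.0.0"
strip_client_dns_block "$WORK/client-template.txt" "$WORK/client.split.txt"
```

Run against copies of /etc/openvpn/server.conf and client-template.txt, then restart the server and regenerate client profiles so the new template is used.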