All Traffic Going Through VPN

Open derks opened this issue 7 years ago • 18 comments

I've noticed recently that all traffic is going through the VPN, even though the setting for it is disabled in TunnelBlick. Even if the client setting is disabled, the server or underlying client configuration can override it as if it were enabled.

Do you have any suggestions on ensuring that only traffic destined for the VPN network goes over the VPN?

derks avatar Jun 30 '17 18:06 derks

https://github.com/kylemanna/docker-openvpn/blob/master/docs/faqs.md#how-do-i-set-up-a-split-tunnel

The client may still choose to send 0.0.0.0/0 traffic through the VPN, but it'll get dropped.

pieterlange avatar Jul 17 '17 13:07 pieterlange

https://github.com/kylemanna/docker-openvpn#openvpn-details

Remove the redirect-gateway def1 instruction in the client config file.

fsegouin avatar Jul 17 '17 14:07 fsegouin

@fsegouin I did try to remove that line from the client config, but then no traffic would make it over the VPN and I couldn't connect to anything.

derks avatar Jul 17 '17 16:07 derks

@pieterlange that link to the doc looks promising... I'll have to try that... though I would ideally like to not regen the config if possible. I assume that would break existing clients, no?

derks avatar Jul 17 '17 16:07 derks

You will have to regen your config and usually that does not break existing clients, but you will have to make sure your clients do not have redirect-gateway def1 in their configuration as otherwise they'll try to send all traffic to the openvpn gateway. Make sure you set the networks you DO want to route from the gateway in $OVPN_ROUTES.

I would like to add that this is all documented and standard openvpn behaviour 🤓

pieterlange avatar Jul 17 '17 18:07 pieterlange

This worked by adding the following to ${OVPN_DATA}/ovpn_env.sh:

declare -x OVPN_DEFROUTE="0"
declare -x OVPN_ROUTES=("W.X.0.0/16" "W.Y.0.0/16")

Where W.X and W.Y are obfuscated, obviously. Setting OVPN_DEFROUTE="0" makes it automatically not include redirect-gateway def1 in the generated client configs, but I will need to update existing clients manually.

@kylemanna would it make sense to add a note on this in the README? I burned a lot of time for something that was a quick fix... and I'd imagine would be a common request to not have all traffic go through VPN by default. Let me know and I can submit a PR if you like.

derks avatar Aug 14 '17 18:08 derks

Apologies, I spoke too soon.. the above change wasn't enough (no traffic is passing through VPN with that). So my issue is, I guess, that even with OVPN_ROUTES set (as above) ... no traffic goes over the VPN without redirect-gateway def1 on the client config.

derks avatar Aug 14 '17 19:08 derks

Hi BJ,

I believe you're after the split tunnel answer from the FAQ:

https://github.com/kylemanna/docker-openvpn/blob/master/docs/faqs.md

HTH,

Andrew

On 14/08/17 20:39, BJ Dierkes wrote:

Apologies, I spoke too soon.. the above change wasn't enough (no traffic is passing through VPN with that).

andrewrembrandt avatar Aug 14 '17 20:08 andrewrembrandt

@andrewrembrandt thanks, you're right... and I've finally got it working, but I still needed to add the following configurations to openvpn.conf to get it to work:

push "route W.X.0.0 255.255.0.0 192.168.255.5 1"
push "route W.Y.0.0 255.255.0.0 192.168.255.5 1"

Where 192.168.255.5 is the remote side of the VPN server (I guess?)... from previous comments it sounded like setting OVPN_ROUTES should have done that.

Regardless... it's working for me now.

derks avatar Aug 14 '17 20:08 derks
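As an added example (not code from the thread or from docker-openvpn): a small Python audit that parses the push directives of an OpenVPN server config, reports whether redirect-gateway is pushed and which routes are, and converts OVPN_ROUTES-style CIDRs into the push "route <net> <mask> [gateway] [metric]" form that derks ended up adding by hand above. The sample config and the 10.20.0.0/16 and 10.99.0.0/16 networks are constructed for the example.

```python
import ipaddress
import re
import shlex

PUSH_RE = re.compile(r"^\s*push\s+(.*)$")

def cidr_to_push_route(cidr, gateway=None, metric=None):
    """Turn an OVPN_ROUTES-style CIDR into push "route <net> <mask> [gw] [metric]".
    OpenVPN's route directive wants a dotted netmask, not a prefix length.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    parts = ["route", str(net.network_address), str(net.netmask)]
    if gateway:
        parts.append(gateway)
    if metric is not None:
        parts.append(str(metric))
    return 'push "%s"' % " ".join(parts)

def parse_pushes(conf_text):
    """Return pushed directives as token lists, skipping '#'/';' comment lines."""
    pushes = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = PUSH_RE.match(line)
        if m:
            # shlex drops the quotes; re-split so 'route a b' becomes tokens
            pushes.append(" ".join(shlex.split(m.group(1))).split())
    return pushes

def audit_split_tunnel(conf_text):
    """Report whether the config full-tunnels clients and which routes it pushes."""
    pushes = [p for p in parse_pushes(conf_text) if p]
    return {
        "redirect_gateway": any(p[0] == "redirect-gateway" for p in pushes),
        "routes": [" ".join(p[1:]) for p in pushes if p[0] == "route"],
    }

# Constructed sample server config (not taken from the thread): it pushes a
# default route AND a specific route, the mixed state an audit should catch.
SAMPLE_CONF = """\
server 192.168.255.0 255.255.255.0
push "redirect-gateway def1"
push "route 10.20.0.0 255.255.0.0"
; push "route 10.99.0.0 255.255.0.0"
"""

if __name__ == "__main__":
    print(audit_split_tunnel(SAMPLE_CONF))
```

A config that is meant to split-tunnel should report redirect_gateway False and list every internal network in routes; the commented-out push is deliberately ignored.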

Hi all, I have the OpenVPN server container (kylemanna) up & running. The clients are able to set up a VPN connection with the server (network 10.0.0.0/16). All the internet traffic goes via the default gateway via the client eth0 interface. Then I push "redirect-gateway def1" to the clients' ovpn configuration file and now the internet traffic goes via VPN.

I add in iptables of the server:

sudo iptables -A FORWARD -i tun0 -o ens3 -s 10.0.0.0/16 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o ens3 -j MASQUERADE

and net.ipv4.ip_forward = 1

The problem is that the client is not able to reach the internet (ping 8.8.8.8 doesn't work).

Can you suggest something? Thanks a lot.

amaestrini avatar Jan 12 '18 10:01 amaestrini

Hi. Split tunneling doesn't work for me either. I use this command to configure openvpn:

docker run \
    -v $OVPN_DATA:/etc/openvpn \
    --rm \
    kylemanna/openvpn \
    ovpn_genconfig \
    -N \
    -d \
    -p "route 5.45.192.0 255.255.192.0" \
    -p "route 5.255.192.0 255.255.192.0" \
    -p "route 37.9.64.0 255.255.192.0" \
    -p "route 37.140.128.0 255.255.192.0" \
    -p "route 77.88.0.0 255.255.192.0" \
    -r "5.45.192.0/18" \
    -r "5.255.192.0/18" \
    -r "37.9.64.0/18" \
    -r "37.140.128.0/18" \
    -r "77.75.152.0/21" \
    -r "77.88.0.0/18" \
    -e 'duplicate-cn' \
    -u udp://vpn.example.com

However I get two issues:

  1. Client adds default gw to VPN, making all traffic pass through VPN. I need only routes that I've specified to go through. I've checked client config. There is no redirect-gateway def1 in there.
  2. It doesn't work anyway. Packets never reach the destination.

What am I doing wrong? Please help.

gornostal avatar Jan 13 '18 21:01 gornostal

take out the

-r "5.45.192.0/18" \
-r "5.255.192.0/18" \
-r "37.9.64.0/18" \
-r "37.140.128.0/18" \
-r "77.75.152.0/21" \
-r "77.88.0.0/18" \

aficustree avatar Feb 24 '18 22:02 aficustree

I'm running into this too. I've gone over all the links in the comments but I haven't had any luck. I'd really like to run this split tunnel at work and otherwise w/o everything going thru the vpn. Can anyone offer insights? From route print I had a lot of issues getting route to push. I'm a novice at linux/docker and networking but hopefully I can hang. ${1} and ${OVPN_CN} yes? I don't see anywhere in the documentation suggesting to set these anywhere before running the authenticator commands?

OVPN_DATA="ovpn-data-SERVERNAME"

docker volume create --name $OVPN_DATA

docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.MYDNSNAME -2 -C AES-256-CBC

(Have tried this originally)
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.MYDNSNAME -2 -C AES-256-CBC

(Have tried this AND this)
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -N -d -p "xxx.xxx.xxx.0 255.255.255.0" -u udp://VPN.MYDNSNAME -2 -C AES-256-CBC

docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki

docker run -v $OVPN_DATA:/etc/openvpn -d --name=vpn -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn

docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full nopass
(do you actually type nopass or not -- I have and haven't)

docker run -v $OVPN_DATA:/etc/openvpn --rm -t kylemanna/openvpn ovpn_otp_user

google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator
(QR code doesn't work; I have to hand type the passkey in the Authenticator iOS app, but then it will work)

docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn

vulcanjedi avatar Mar 16 '18 21:03 vulcanjedi

you have

docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -N -d -p "xxx.xxx.xxx.0 255.255.255.0" -u udp://VPN.MYDNSNAME -2 -C AES-256-CBC

try adding the word 'route'

docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -N -d -p "route xxx.xxx.xxx.0 255.255.255.0" -u udp://VPN.MYDNSNAME -2 -C AES-256-CBC

aficustree avatar Mar 16 '18 23:03 aficustree

I ended up doing this: edit your /etc/openvpn/server.conf (with the docker version of the file) as described at https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Dual-operation:-LAN-&-VPN-at-the-same-time and that seemed to work. I think I tried adding 'route' in the command before. Still not sure about ${1} and ${OVPN_CN} and if 'nopass' is an argument or not, but scanning the QR code for authenticator would be much nicer.

vulcanjedi avatar Mar 18 '18 18:03 vulcanjedi

Solved using only ovpn_genconfig: docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn -N -d -n _<local dns ip>_ -u udp://VPN.SERVERNAME.COM -p "route <local net range> <netmask>" -p "route <docker net range> <netmask>"

I thank QBIK for the help provided by this guide.

unclehook avatar Apr 06 '18 13:04 unclehook

Solved using only ovpn_genconfig: docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn -N -d -n _<local dns ip>_ -u udp://VPN.SERVERNAME.COM -p "route <local net range> <netmask>" -p "route <docker net range> <netmask>"

I thank QBIK for the help provided by this guide.

Thanks for the great answer! You made a small typo however, forgetting ovpn_genconfig. Here's the correct command:

docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -N -d -n _<local dns ip>_ -u udp://VPN.SERVERNAME.COM -p "route <local net range> <netmask>" -p "route <docker net range> <netmask>"

Sugarv avatar Oct 29 '18 09:10 Sugarv

Thanks with that information I was able to set up my server to route all traffic through VPN ;)

rednag avatar Jun 17 '21 17:06 rednag