heutger opened this issue 5 years ago (Open)
Example use case?
Same here: if you don't want to use OpenVPN as a road warrior but as a server connection, the idea is not to send all traffic through this server. So it's the use case of a privileged connection instead of road-warrior surfing.
Hi angristan,
First of all, thank you very much for that script.
I am wondering if that feature was finished and how I can disable `redirect-gateway def1 bypass-dhcp` without losing Internet access.
Have you tried using `--redirect-private`? (cf. https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage)
Just tried. Nope, no Internet access.
Can you show the routes on your client?
server.conf

```
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
push "route 172.0.0.0 255.0.0.0"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_LNRlddfn2chIMbDj.crt
key server_LNRlddfn2chIMbDj.key
duplicate-cn
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
reneg-sec 0
log-append /var/log/openvpn.log
verb 3
```

client.conf

```
client
proto udp
remote ip 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_LNRlddfn2chIMbDj name
auth SHA256
auth-nocache
push "redirect-private"
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
verb 3
```
I've tried both: adding redirect-private to the server and to the client, and it didn't work.
I meant the actual route table on the client (`ip r` on Linux).
OpenStack instance where OpenVPN is installed:

```
default via 192.168.1.1 dev ens3 proto dhcp src 192.168.1.220 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
169.254.169.254 via 192.168.1.2 dev ens3 proto dhcp src 192.168.1.220 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev ens3 proto kernel scope link src 192.168.1.220
```

OpenStack host machine:

```
default via 10.0.0.1 dev enp2s0f0 proto static
10.0.0.0/16 dev enp2s0f0 proto kernel scope link src 10.0.1.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-1f1efd0325fa proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev br-9cf76bf5fcac proto kernel scope link src 172.19.0.1 linkdown
```
That looks good to me though!
So if you ping, say, 8.8.8.8, it doesn't work? What about a traceroute?
I can ping 8.8.8.8, as was mentioned here as well: https://github.com/angristan/openvpn-install/issues/431
It's just that I can't open any websites in the browser.
So it's a DNS issue? What's your resolver? (Issue a `dig` and see which resolver is used.)
http://prntscr.com/q3v04r - tracert
http://prntscr.com/q3v4a0 - without VPN
http://prntscr.com/q3v4jq - with VPN
What about with the VPN + 1.1.1.1?
You didn't use 1.1.1.1, you tried to resolve it. https://superuser.com/a/367974/668658
And using 8.8.8.8, since you can ping it?
Same thing:

```
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
```
Allow disabling routing all traffic
@heutger you can remove the line `push "redirect-gateway def1 bypass-dhcp"` from `/etc/openvpn/server.conf` and restart the OpenVPN server.
@randomshell: This is working, but shouldn't this be a feature of the script itself?
Can someone please tell me how I can set up an OpenVPN server and client profile so that my default gateway does NOT get changed to that of the OpenVPN server? I just want to use OpenVPN to connect to the remote network securely, not use its Internet connection as my own.
I'm really frustrated by the lack of good documentation on this. I've been trying to set this up for days now, going at it off and on. If at all possible, this should be the final question before you set up your OpenVPN server, so that it remains optional.
I would very much like this feature. Thank you for requesting it, @heutger.
I'm also interested in this. If you remove `push "redirect-gateway def1 bypass-dhcp"`, no traffic at all will be exchanged.
Hello everyone!
First of all, I want to thank @angristan for this great script!
I was also trying not to route all Internet traffic through the VPN and I've finally found a solution, so I think it may be useful for other people.
What you need to do (in `/etc/openvpn/server.conf`) is comment out or remove all the lines that push DHCP parameters, like the following: `push "dhcp-option DNS X.X.X.X"`. Also the line `push "redirect-gateway def1 bypass-dhcp"`. The last thing to do here is add the routes that will let your client reach the hosts through the VPN: `push "route 172.16.0.0 255.255.0.0"` (you can add more than one line).
Then you will need to edit the file `/etc/openvpn/client-template.txt`. There you will remove 2 lines: `ignore-unknown-option block-outside-dns` and `setenv opt block-outside-dns # Prevent Windows 10 DNS leak`.
If you need to change the IP range, you can edit the script (before running it; if you already ran it, you can remove OpenVPN by running it again and selecting the third option), replacing all the 10.8.0.1 occurrences with the IP you want for the OpenVPN server and all the 10.8.0.0 occurrences with the address of your new network. This procedure is based on: https://github.com/angristan/openvpn-install/pull/550
Now you will be able to create the clients, and do not forget to restart the OpenVPN server with `systemctl restart openvpn@server.service`.
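The procedure above, as an added shell example (not part of angristan/openvpn-install): it strips the DNS and default-gateway pushes from a server.conf, pushes only the chosen remote networks, cleans the two block-outside-dns lines out of the client template, and checks the result. The sample server.conf contents are constructed; the function and file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of angristan/openvpn-install: apply the split-tunnel
# edits from the post above to a server.conf and client-template.txt.
set -eu

# Constructed sample of the relevant lines of a full-tunnel server.conf.
make_sample_conf() {
  cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
verb 3
EOF
}

# Drop the pushes that replace the client's default route and DNS, then push
# one "route NETWORK NETMASK" per remaining argument, e.g. "172.16.0.0 255.255.0.0".
split_tunnel() {
  conf=$1; shift
  grep -v -E '^push "(redirect-gateway|dhcp-option DNS) ' "$conf" > "$conf.tmp" || true
  for net in "$@"; do
    printf 'push "route %s"\n' "$net" >> "$conf.tmp"
  done
  mv "$conf.tmp" "$conf"
}

# Remove the two block-outside-dns lines from the client template, since the
# client must keep using its local resolver for non-VPN names.
clean_client_template() {
  grep -v -E '^(ignore-unknown-option|setenv opt) block-outside-dns' "$1" > "$1.tmp" || true
  mv "$1.tmp" "$1"
}

# Check: returns 0 only if no default gateway is pushed and at least one
# route is, i.e. the server no longer routes all client traffic.
is_split_tunnel() {
  ! grep -q '^push "redirect-gateway' "$1" && grep -q '^push "route ' "$1"
}

# Usage on a real system (paths from the post):
#   split_tunnel /etc/openvpn/server.conf "172.16.0.0 255.255.0.0"
#   clean_client_template /etc/openvpn/client-template.txt
#   systemctl restart openvpn@server.service
```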