Категорії
Security

openvpn: Ignoring redirect-gateway

If you are running OpenVPN as a client, and the server you use is using push “redirect-gateway” then your client redirects all internet traffic over the VPN. Sometimes clients do not want this, but they can not change the server’s configuration. This page explains how to override redirect-gateway so the client does not need to redirect internet even though the server says to.

Примечание.

Начиная с версии 2.4 появились опции, которые облегчат это, а именно:

  • Добавлена опция pull-filter, позволяющая явно разрешить или запретить приём опций отправляемых сервером. Также добавлена опция push-remove для выборочного удаления опций из списка “push”;

Пример

Добавляем опцию ниже в конфиг клиента

pull-filter ignore redirect-gateway

 

Если у вас версия ниже 2.4, тогда для вас методы, которые описаны ниже.

Method 1: ignore

There are 2 options that can be used to ignore routes pushed by the server:

--route-noexec 
 Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables. 
--route-nopull 
 When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options like DNS servers. 
 When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

Method 2: override

Here we will simply add routes that override –redirect-gateway. This will work much like the def1 flag to –redirect-gateway works. This can be different if the server uses the def1 flag to the –redirect-gateway option or not (by checking the log while connecting). Note that net_gateway is an internal variable to openvpn and does not need to be changed to anything. If you do not know if your server uses def1 and do not want to check the logs to figure it out, just assume they DO use def1 and use the 4 routes. That will work no matter what.

def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.

If the server DOES NOT use def1 add the following options to the clients config:

route 0.0.0.0 128.0.0.0 net_gateway
route 128.0.0.0 128.0.0.0 net_gateway

If the server DOES use def1 or if you do not know, add the following options to the clients config:

route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway

Залишити відповідь

Ваша e-mail адреса не оприлюднюватиметься. Обов’язкові поля позначені *

Домашняя страничка Andy
Записки молодого админа
Самостоятельная подготовка к Cisco CCNA
Самостоятельная подготовка к Cisco CCNP
Powered by Muff