I'm connecting to a VPN service using OpenVPN and everything works fine.
Once I connect these are the rules that automatically are set:
root@linux:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:AA:1B:01:AC:FB
inet addr:192.168.1.201 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:46867 errors:0 dropped:0 overruns:0 frame:0
TX packets:29742 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37977382 (36.2 MiB) TX bytes:5098121 (4.8 MiB)
Interrupt:16
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.7.7.126 P-t-P:10.7.7.125 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:23284 errors:0 dropped:0 overruns:0 frame:0
TX packets:5817 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:31366374 (29.9 MiB) TX bytes:308591 (301.3 KiB)
root@linux:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.7.7.125 128.0.0.0 UG 0 0 0 tun0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
5.120.121.114 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
10.7.7.1 10.7.7.125 255.255.255.255 UGH 0 0 0 tun0
10.7.7.125 * 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.7.7.125 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
Here is what I understand:
- my local IP address is 192.168.1.201
- local gateway is 191.168.1.1
- 5.120.121.114 is the VPN public ip
- tun0 is the VPN tunnel, my machine has 10.7.7.126 as address
- 10.7.7.125 is the p-t-p address I understand is the other "end" of the VPN
Regarding the routing table I understand that:
- by default all traffic is sent via 10.7.7.125 on interface tun0 (but why that mask?)
- 10.7.7.1 is reachable via tun0
- public ip of vpn is reachable via eth0
I don't understand the second default gateway, this is the default when the vpn is not active, is it simply bypassed?
What about the 10.7.7.1? looks like it is the gateway of the vpn…
Why the destination 128.0.0.0?
OpenVPN automatically creates all these rules. But based on what are those created?
I cannot control the server side of the VPN but only the client configuration.
Now what if I would like to:
- force all traffic to 216.58.213.174 to go via VPN tun0 and have all the rest going through eth0?
- can I have it established automatically when starting the VPN?
Thank you for your suggestion and support in understanding this.
KR,
dk
EDIT:
root@linux:~# ip route list
0.0.0.0/1 via 10.7.7.125 dev tun0
default via 192.168.1.1 dev eth0
5.152.210.249 via 192.168.1.1 dev eth0
10.7.7.1 via 10.7.7.125 dev tun0
10.7.7.125 dev tun0 src 10.7.7.126
128.0.0.0/1 via 10.7.7.125 dev tun0
192.168.1.0/24 dev eth0 src 192.168.1.201
Best Answer
This is one of OpenVPN's hacks to route traffic through your tunnel while maintaining your default gateway. The 0.0.0.0/1 and 128.0.0.0/1 routes take precedence over the 0.0.0.0/0 route since they are more specific while still matching all addresses. Search for "def1" in the OpenVPN documentation for more detail
Probably, yes
They are probably pushed from the server. I can provide more information if you can provide the output from your client while it's starting along with your configuration file
Yep, but the client is highly configurable such that you can override pretty much anything the server wants your client to do. Still, you'll need to meet your providers basic requirements in order to connect. You should also check your providers "Terms of Use" to make sure you don't end up pissing them off.
Yep, include "route 216.58.213.174 255.255.255.255 10.7.7.125" in your config. That should setup your desired route. You should be able to keep your other routes in place by removing the "redirect-gateway" option from your configuration
yes, see above
All of the options I've described and more can be found in OpenVPN's online documentation. https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage