LinuxQuestions.org > Linux - Networking
How do I stop the VPN interface from being the default route when openvpn is started? (https://www.linuxquestions.org/questions/linux-networking-3/how-do-i-stop-the-vpn-interface-from-being-the-default-route-when-openvpn-is-started-4175494356/)

miceagol 02-09-2014 02:20 PM

How do I stop the VPN interface from being the default route when openvpn is started?
 
I'm trying to set up all traffic for a specific user on my server to use the VPN interface (tun0). But when I start the vpn service with
Code:

sudo service openvpn start

tun0 automatically becomes the default route for all users. I'd like it to keep eth0 as the default route.

How do I make this happen?

yongitz 02-10-2014 11:02 AM

Something like this would work. You could make a tiny script that includes the startup of the VPN service and then changes the default route to eth0 by executing the command:

Quote:

route add default gw YOUR_DEFAULT_GW_IP_ADDRESS eth0

Hope this helps.

miceagol 02-10-2014 01:39 PM

When I run the route command you gave me after starting openvpn, I get the following error:
Code:

user@host:~$ sudo route add default gw 192.168.19.1 eth0
SIOCADDRT: File exists

Output of netstat -r is:
Code:

user@host:~$ netstat -r
Kernel IP routing table
Destination    Gateway        Genmask        Flags  MSS Window  irtt Iface
default        10.153.1.5      128.0.0.0      UG        0 0          0 tun0
default        192.168.19.1    0.0.0.0        UG        0 0          0 eth0
default        192.168.19.1    0.0.0.0        UG        0 0          0 eth0
10.153.1.1      10.153.1.5      255.255.255.255 UGH      0 0          0 tun0
10.153.1.5      *              255.255.255.255 UH        0 0          0 tun0
<external vpn ip> 192.168.19.1    255.255.255.255 UGH      0 0          0 eth0
128.0.0.0      10.153.1.5      128.0.0.0      UG        0 0          0 tun0
192.168.19.0    *              255.255.255.0  U        0 0          0 eth0
192.168.122.0  *              255.255.255.0  U        0 0          0 virbr0

So it seems the gateway route is already part of the route table even after openvpn is started. It looks like the first two rows should be swapped for this to be correct?

yongitz 02-11-2014 03:18 AM

I believe you should be changing the network scope of your openvpn configuration so that it just covers the VPN network.

Btw, can you try running netstat again with the -n switch?

Quote:

netstat -rn

miceagol 02-11-2014 11:03 AM

Ok, here goes:
Code:

user@host:~/scripts$ netstat -rn
Kernel IP routing table
Destination    Gateway        Genmask        Flags  MSS Window  irtt Iface
0.0.0.0        10.127.1.9      128.0.0.0      UG        0 0          0 tun0
0.0.0.0        192.168.19.1    0.0.0.0        UG        0 0          0 eth0
0.0.0.0        192.168.19.1    0.0.0.0        UG        0 0          0 eth0
10.127.1.1      10.127.1.9      255.255.255.255 UGH      0 0          0 tun0
10.127.1.9      0.0.0.0        255.255.255.255 UH        0 0          0 tun0
128.0.0.0      10.127.1.9      128.0.0.0      UG        0 0          0 tun0
<external vpn ip> 192.168.19.1    255.255.255.255 UGH      0 0          0 eth0
192.168.19.0    0.0.0.0        255.255.255.0  U        0 0          0 eth0
192.168.122.0  0.0.0.0        255.255.255.0  U        0 0          0 virbr0

Looks similar. :) Note that the vpn ip addresses have changed since yesterday.

yongitz 02-12-2014 05:57 AM

Your VPN network should be adjusted. When it's up it should not have a destination network of 0.0.0.0 but a defined network for the VPN only.

Anyway, you can just delete the default network that's been added by the VPN with
Quote:

route del default gw 10.127.1.9

That way your default gateway would now be 192.168.19.1.

miceagol 02-12-2014 04:36 PM

Quote:

Originally Posted by yongitz (Post 5116091)
Your VPN network should be adjusted. When it's up it should not have a destination network of 0.0.0.0 but a defined network for VPN only.

I don't really understand what you mean by a defined network. Could you please elaborate?

Quote:

Originally Posted by yongitz (Post 5116091)
Anyway, you can just delete the default network that's been added by VPN by
That way your default gateway would now be 192.168.19.1.

Your command didn't work, just got the following error (note! VPN ip has changed since last post):
Code:

user@host:~/scripts$ sudo route del default gw 10.136.1.5
SIOCDELRT: No such process

I guess that my gateway 192.168.19.1 is in fact the default route, even though the vpn gateway is on the top line.

Managed to delete the line with this command instead:
Code:

sudo route del -net 0.0.0.0 netmask 128.0.0.0 dev tun0
But I was still connected to vpn after removing it.

So I tried to remove one line at a time related to the vpn, and after removing all of them I finally was disconnected from the vpn tunnel. :)
Code:

user@host:~/scripts$ netstat -rn
Kernel IP routing table
Destination    Gateway        Genmask        Flags  MSS Window  irtt Iface
0.0.0.0        192.168.19.1    0.0.0.0        UG        0 0          0 eth0
0.0.0.0        192.168.19.1    0.0.0.0        UG        0 0          0 eth0
192.168.19.0    0.0.0.0        255.255.255.0  U        0 0          0 eth0
192.168.122.0  0.0.0.0        255.255.255.0  U        0 0          0 virbr0

Now the question is: how do I get the up script to remove these lines from the ip table automatically? The vpn ip addresses change all the time, so the script must be able to fetch the numbers from the ip table somehow. Or is it possible to issue a route del command according to line number in the table? :confused:
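The routing tables posted above show why the earlier commands behaved as they did. OpenVPN's pushed "redirect-gateway def1" does not replace the default route; it adds two more-specific halves, 0.0.0.0/1 and 128.0.0.0/1 (genmask 128.0.0.0), via the tunnel peer, plus a host route to the VPN server via the original gateway. Longest-prefix matching makes the two halves win over the real 0.0.0.0/0 entry on eth0, so the table is not "in the wrong order", and `route del default gw 10.x.x.x` asks the kernel to delete a 0.0.0.0/0 entry via that gateway, which does not exist, hence "SIOCDELRT: No such process". The delete only worked once the netmask 128.0.0.0 was given. The following helpers, added here as an example and not part of the thread or of OpenVPN, locate those two halves in routing-table output and print the matching delete commands, reading the gateway from the table so the changing VPN addresses do not matter. They accept both the `netstat -rn` format shown in the thread and the `ip -4 route show` format of the iproute2 tools; the sample tables are constructed from the thread's output (the local tunnel address 10.127.1.10 and the eth0 address 192.168.19.20 are assumed).

```shell
#!/bin/sh
# Added example (not from the thread). OpenVPN's "redirect-gateway def1" does not
# replace the default route; it adds two more-specific halves, 0.0.0.0/1 and
# 128.0.0.0/1, via the tunnel peer. These helpers find those halves in routing
# table output and emit the matching delete commands, taking the gateway from the
# table so the changing VPN addresses do not matter.

# Constructed sample of `netstat -rn` output, modelled on the one in the thread.
SAMPLE_NETSTAT='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.127.1.9      128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.19.1    0.0.0.0         UG        0 0          0 eth0
10.127.1.1      10.127.1.9      255.255.255.255 UGH       0 0          0 tun0
10.127.1.9      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
128.0.0.0       10.127.1.9      128.0.0.0       UG        0 0          0 tun0
192.168.19.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# Constructed sample of `ip -4 route show` output for the same table
# (the local tunnel address 10.127.1.10 and eth0 address are assumed).
SAMPLE_IPROUTE='0.0.0.0/1 via 10.127.1.9 dev tun0
default via 192.168.19.1 dev eth0
10.127.1.1 via 10.127.1.9 dev tun0
10.127.1.9 dev tun0 proto kernel scope link src 10.127.1.10
128.0.0.0/1 via 10.127.1.9 dev tun0
192.168.19.0/24 dev eth0 proto kernel scope link src 192.168.19.20'

# def1_routes_netstat <iface>: read `netstat -rn` output on stdin and print one
# `route del` command per def1 half-route that points at <iface>.
def1_routes_netstat() {
    awk -v iface="$1" '
        # columns: Destination Gateway Genmask Flags MSS Window irtt Iface
        NR > 2 && $NF == iface && $3 == "128.0.0.0" && ($1 == "0.0.0.0" || $1 == "128.0.0.0") {
            printf "route del -net %s netmask %s gw %s dev %s\n", $1, $3, $2, $NF
        }'
}

# def1_routes_ip <iface>: the same for `ip -4 route show` output.
def1_routes_ip() {
    awk -v iface="$1" '
        ($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) == iface)
                    printf "ip route del %s dev %s\n", $1, iface
        }'
}

# remove_def1_routes <iface>: apply the deletes to the live table (needs root).
remove_def1_routes() {
    [ "$(id -u)" -eq 0 ] || { echo "remove_def1_routes needs root" >&2; return 1; }
    ip -4 route show | def1_routes_ip "$1" | while read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1   # stop the (subshell) loop at the first failure
    done
}

# Dry run against the constructed tables; nothing on the host is changed.
printf '%s\n' "$SAMPLE_NETSTAT" | def1_routes_netstat tun0
printf '%s\n' "$SAMPLE_IPROUTE" | def1_routes_ip tun0
```

Run the file as-is for the dry run, or call `remove_def1_routes tun0` as root after the tunnel is up. Deleting the two halves only stops traffic from being steered into the tunnel; it does not change which interface the OpenVPN process itself uses to reach the server. Note that this is a workaround for routes the server keeps pushing: the clean fix on the client side is to not accept them in the first place, which is what `route-nopull` does.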

miceagol 02-12-2014 04:54 PM

Well, there is another problem now. When I try to run the script to route only the specific user through the vpn, I get the following error.
Code:

user@host:~/scripts$ sudo ./vpn_singleuser.sh
RTNETLINK answers: No such process

So I guess the script can't find the routes I just deleted. So I'm really lost on how to make this work. :confused:

The code in the script is based on this guide.

yongitz 02-16-2014 04:18 AM

Quote:

Originally Posted by miceagol (Post 5116436)
I don't really understand what you mean by a defined network. Could you please elaborate?

What I meant is that you should define your tunnel network instead of covering 0.0.0.0 (default) in your vpn script.

Quote:

Originally Posted by miceagol (Post 5116436)
Your command didn't work, just got the following error (note! VPN ip has changed since last post):
Code:

user@host:~/scripts$ sudo route del default gw 10.136.1.5
SIOCDELRT: No such process

Where did you get the 10.136.1.5? Per your netstat your tunnel gateway should be 10.127.1.9.

miceagol 02-19-2014 02:52 PM

Finally, I got this to work by adding route-nopull to the openvpn configuration file in /etc/openvpn/server.conf. Such a small command fixed everything. :)
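`route-nopull` is a client-side option: the client still accepts the other options the server pushes but ignores every pushed route, so the def1 halves never reach the main table and eth0 stays the default for everyone. Two things follow for the original goal of sending one user's traffic through tun0. First, nothing routes into the tunnel any more, so the per-user steering has to be done with policy routing rather than by editing the default route. Second, "RTNETLINK answers: No such process" is what `ip route del` reports when the route it names is not in the table, which is what happens to a guide's script that expects the pushed routes to be present. The script below is an added example, not the script from the thread or from the guide it refers to, and assumes the client config already contains `route-nopull`. It marks packets owned by one local user in the mangle OUTPUT chain, sends marked packets to a private routing table whose only entry is a default route over tun0, masquerades them so the source address matches the tunnel (the kernel picks the source address from the main table before the mark is applied), loosens reverse-path filtering on tun0 so the replies are accepted, and rejects that user's packets on any other interface so nothing leaks if the tunnel goes down. The user name, table number and mark value are assumptions.

```shell
#!/bin/sh
# Added example (not the script from the thread or the guide it links). Assumes the
# OpenVPN client config already contains `route-nopull`, so tun0 comes up without
# rewriting the main routing table, e.g. (server hostname assumed):
#   client
#   dev tun
#   remote vpn.example.net 1194
#   route-nopull
# Only the traffic of one local user is then steered into the tunnel with policy
# routing. User name, table number and fwmark below are assumptions.

VPN_USER="${VPN_USER:-vpnuser}"   # assumed local account whose traffic should use the VPN
VPN_IF="${VPN_IF:-tun0}"          # tunnel device
TABLE="${TABLE:-100}"             # private routing table consulted for marked packets
MARK="${MARK:-0x1}"               # fwmark that selects that table

# plan: print the commands without running them (dry run / review).
#  1. mark every packet generated by VPN_USER (mangle OUTPUT runs before the
#     re-route, so the mark changes which table the packet is routed with)
#  2. rewrite the source address of anything leaving via the tunnel, because the
#     source was chosen from the main table (eth0) before the mark was set
#  3./4. kill switch: the user may talk to loopback, but anything not leaving
#     via the tunnel is rejected, so the traffic does not fall back to eth0
#  5./6. the policy rule and the table it points at: a single default over tun0
#  7. loose reverse-path filtering: replies arrive on tun0 for sources the main
#     table would route via eth0, which strict mode would drop
#  8. drop cached lookups so the new rule takes effect immediately
plan() {
    cat <<EOF
iptables -t mangle -A OUTPUT -m owner --uid-owner $VPN_USER -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
iptables -A OUTPUT -m owner --uid-owner $VPN_USER -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $VPN_USER ! -o $VPN_IF -j REJECT
ip rule add fwmark $MARK lookup $TABLE
ip route add default dev $VPN_IF table $TABLE
sysctl -w net.ipv4.conf.$VPN_IF.rp_filter=2
ip route flush cache
EOF
}

# apply: run the plan on the live system (root; the tunnel must already be up).
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    ip link show "$VPN_IF" >/dev/null 2>&1 || { echo "$VPN_IF is not up" >&2; return 1; }
    plan | while read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1   # abort the (subshell) loop at the first failure
    done
}

# `./vpn_singleuser.sh` prints the plan; `sudo ./vpn_singleuser.sh apply` runs it.
if [ "${1:-plan}" = apply ]; then apply; else plan; fi
```

A few caveats a practitioner will hit. Everything that user sends now goes into the tunnel, including packets to the LAN and to the resolver in /etc/resolv.conf; if that resolver is a LAN address, the user's DNS breaks (and with a reachable one, the queries are at least not leaking past the VPN). Check the result from that account with `ip route get 8.8.8.8 mark 0x1` and by asking an external "what is my IP" service; from any other account the path must still be eth0. Finally, `route-nopull` also drops routes the server pushes for its own subnets, so those have to be added with `route` lines in the client config if the user needs them.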

