
All Traffic Going Through VPN #288

Open

derks opened this issue Jun 30, 2017 · 18 comments

Comments

@derks

derks commented Jun 30, 2017

I've noticed recently that all traffic is going through the VPN, even though the setting for it is disabled in TunnelBlick. Even if the client setting is disabled, the server or underlying client configuration can override it as if it were enabled.

Do you have any suggestions on ensuring that only traffic destined for the VPN network goes over the VPN?

@pieterlange

https://github.com/kylemanna/docker-openvpn/blob/master/docs/faqs.md#how-do-i-set-up-a-split-tunnel

The client may still choose to send 0.0.0.0/0 traffic through the VPN, but it'll get dropped.

@fsegouin

https://github.com/kylemanna/docker-openvpn#openvpn-details

Remove the redirect-gateway def1 instruction in the client config file.

@derks
Author

derks commented Jul 17, 2017

@fsegouin I did try to remove that line from the client config, but then no traffic would make it over VPN and couldn't connect to anything.

@derks
Author

derks commented Jul 17, 2017

@pieterlange that link to the doc looks promising... I'll have to try that... though would ideally like to not regen the config if possible. I assume that would break existing clients, no?

@pieterlange

pieterlange commented Jul 17, 2017

You will have to regen your config and usually that does not break existing clients, but you will have to make sure your clients do not have redirect-gateway def1 in their configuration as otherwise they'll try to send all traffic to the openvpn gateway.
Make sure you set the networks you DO want to route from the gateway in $OVPN_ROUTES.

I would like to add that this is all documented and standard openvpn behaviour 🤓

@derks
Author

derks commented Aug 14, 2017

This worked by adding the following to ${OVPN_DATA}/ovpn_env.sh:

declare -x OVPN_DEFROUTE="0"
declare -x OVPN_ROUTES=("W.X.0.0/16" "W.Y.0.0/16")

Where W.X and W.Y are obfuscated, obviously. Setting OVPN_DEFROUTE="0" makes it automatically not include the redirect-gateway def1 in the generated client configs, but I will need to update existing clients manually.

@kylemanna would it make sense to add a note on this in the README? I burned a lot of time for something that was a quick fix... and I'd imagine would be a common request to not have all traffic go through VPN by default. Let me know and I can submit a PR if you like.

@derks
Author

derks commented Aug 14, 2017

Apologies, I spoke too soon... the above change wasn't enough (no traffic is passing through the VPN with that). So my issue is, I guess, that even with OVPN_ROUTES set (as above)... no traffic goes over the VPN without redirect-gateway def1 in the client config.

@andrewrembrandt
Contributor

andrewrembrandt commented Aug 14, 2017 via email

@derks
Author

derks commented Aug 14, 2017

@andrewrembrandt thanks, you're right... and I've finally got it working, but I still needed to add the following configurations to openvpn.conf to get it to work:

push "route W.X.0.0 255.255.0.0 192.168.255.5 1"
push "route W.Y.0.0 255.255.0.0 192.168.255.5 1"

Where 192.168.255.5 is the remote side of the VPN server (I guess?)... from previous comments it sounded like setting OVPN_ROUTES should have done that.

Regardless... it's working for me now.
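The fix above boils down to two things: the server has to push a route for each network that should go over the tunnel, and the client config must not carry redirect-gateway def1. The following is an added example, not code from kylemanna/docker-openvpn or from anyone in this thread. It converts CIDR networks into the push "route" lines OpenVPN expects (the route directive takes a dotted netmask, not a prefix length, which is why the -p "route ..." arguments later in the thread are written that way), emits the matching -p arguments for ovpn_genconfig, and checks a client .ovpn for directives that would still send all traffic through the VPN. The networks 10.20.0.0/16 and 10.30.0.0/16 and the sample client config are constructed for the example and stand in for the obfuscated W.X.0.0/16 and W.Y.0.0/16 above.

```bash
#!/bin/sh
# Added example (not code from kylemanna/docker-openvpn or from this thread):
# build the "push route" lines a split tunnel needs from CIDR networks and
# check a client .ovpn for full-tunnel directives.
# Assumptions: the networks are reachable behind the VPN server; OpenVPN's
# "route" directive takes a dotted netmask, not a prefix length.

# /16 -> 255.255.0.0, /18 -> 255.255.192.0, /21 -> 255.255.248.0
prefix_to_netmask() {
    bits=$1; out=""; i=0
    while [ "$i" -lt 4 ]; do
        if [ "$bits" -ge 8 ]; then
            o=255; bits=$((bits - 8))
        elif [ "$bits" -gt 0 ]; then
            o=$((256 - (1 << (8 - bits)))); bits=0
        else
            o=0
        fi
        out="${out}${out:+.}$o"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# "10.20.0.0/16" -> push "route 10.20.0.0 255.255.0.0"  (server-side openvpn.conf)
cidr_to_push_route() {
    printf 'push "route %s %s"\n' "${1%/*}" "$(prefix_to_netmask "${1#*/}")"
}

# Same networks as -p arguments for ovpn_genconfig, one per network.
cidr_to_genconfig_args() {
    args=""
    for c in "$@"; do
        args="${args}${args:+ }-p \"route ${c%/*} $(prefix_to_netmask "${c#*/}")\""
    done
    printf '%s\n' "$args"
}

# Exit 0 if the client config is a split tunnel, 1 if it still carries a
# full-tunnel directive (redirect-gateway, or an explicit 0.0.0.0 route),
# 2 if the file cannot be read.
is_split_tunnel_config() {
    [ -r "$1" ] || return 2
    ! grep -Eq '^[[:space:]]*(redirect-gateway|route[[:space:]]+0\.0\.0\.0)' "$1"
}

# Constructed sample client config, not a real ovpn_getclient export.
# $1 = path, $2 = full | split
write_sample_client_config() {
    {
        printf 'client\ndev tun\nremote vpn.example.com 1194 udp\n'
        if [ "$2" = full ]; then printf 'redirect-gateway def1\n'; fi
        printf 'verb 3\n'
    } > "$1"
}

# Demo: directives for two sample networks, then the client config check.
for net in 10.20.0.0/16 10.30.0.0/16; do cidr_to_push_route "$net"; done
cidr_to_genconfig_args 10.20.0.0/16 10.30.0.0/16
tmp=$(mktemp)
write_sample_client_config "$tmp" full
if is_split_tunnel_config "$tmp"; then
    echo "split tunnel"
else
    echo "full tunnel: remove redirect-gateway from the client config"
fi
rm -f "$tmp"
```

Run is_split_tunnel_config against every .ovpn you hand out, not just the newly generated ones: as the thread notes, existing clients keep whatever redirect-gateway line they were exported with until they are updated by hand.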

@amaestrini

Hi all,
I have the OpenVPN server container (kylemanna) up and running.
The clients are able to set up a VPN connection with the server (network 10.0.0.0/16). All the internet traffic goes via the default gateway on the client's eth0 interface.
Then I push "redirect-gateway def1" to the clients ovpn configuration file and now the internet traffic goes via VPN.

I add in iptables of the server:
sudo iptables -A FORWARD -i tun0 -o ens3 -s 10.0.0.0/16 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o ens3 -j MASQUERADE

and net.ipv4.ip_forward = 1

The problem is that the client is not able to get to the internet (ping 8.8.8.8 doesn't work).

Can you suggest something?
thanks a lot
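The two iptables rules in the comment above cover traffic leaving tun0 for ens3 and the source NAT, but not the replies coming back from ens3 to tun0; whether that matters depends on the FORWARD chain's policy, which the comment does not show (with a DROP policy every direction needs an explicit ACCEPT). The following is an added example, not code from kylemanna/docker-openvpn or from anyone in this thread: it audits an iptables rule dump for the rules a full-tunnel server needs and prints the missing ones. It assumes tun0 as the VPN interface, ens3 as the uplink and 10.0.0.0/16 as the client pool (the values from the comment), that conntrack matching is written as "-m state --state", and that the dump is built with { iptables -S; iptables -t nat -S | sed 's/^/-t nat /'; } so nat rules are distinguishable. The sample dump in the block is constructed, not captured from a real host.

```bash
#!/bin/sh
# Added example (not from kylemanna/docker-openvpn or this thread): audit an
# iptables rule dump for the rules a full-tunnel OpenVPN server needs so that
# client traffic reaches the internet and the replies come back.
# Assumptions (not from the page): tun0 = VPN interface, ens3 = uplink,
# 10.0.0.0/16 = client pool; dump built as
#   { iptables -S; iptables -t nat -S | sed 's/^/-t nat /'; } > dump.txt
# and conntrack matching written as "-m state --state".

VPN_IF=tun0
WAN_IF=ens3
VPN_NET=10.0.0.0/16

# Rules needed when the FORWARD policy is DROP: traffic out, replies back,
# and source NAT so the uplink's address is used on the way out.
required_rules() {
    cat <<EOF
-A FORWARD -s $VPN_NET -i $VPN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $VPN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
-t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# True if some line of the dump ($2) contains every "option value" pair of
# the rule ($1). Pairs are compared, not bare words, so "-i tun0 -o ens3"
# does not match "-i ens3 -o tun0"; pair order is ignored because
# iptables -S reorders options when printing.
rule_present() {
    while IFS= read -r line; do
        ok=1; opt=""
        for tok in $1; do
            case "$tok" in
                -*) if [ -n "$opt" ]; then
                        case " $line " in *" $opt "*) ;; *) ok=0 ;; esac
                    fi
                    opt=$tok ;;
                *)  opt="$opt $tok" ;;
            esac
        done
        case " $line " in *" $opt "*) ;; *) ok=0 ;; esac
        if [ "$ok" -eq 1 ]; then return 0; fi
    done < "$2"
    return 1
}

# Print each required rule the dump ($1) lacks; prints nothing when complete.
missing_rules() {
    required_rules | while IFS= read -r rule; do
        rule_present "$rule" "$1" || printf '%s\n' "$rule"
    done
}

# 0 when the dump's FORWARD policy is DROP, i.e. the FORWARD rules are needed.
forward_policy_is_drop() {
    grep -q '^-P FORWARD DROP$' "$1"
}

# Constructed dump: the two rules from the comment above as iptables -S
# prints them, under a DROP policy on FORWARD (the policy Docker sets on
# that chain when it manages iptables).
write_sample_dump() {
    cat > "$1" <<EOF
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A FORWARD -s 10.0.0.0/16 -i tun0 -o ens3 -j ACCEPT
-t nat -P POSTROUTING ACCEPT
-t nat -A POSTROUTING -s 10.0.0.0/16 -o ens3 -j MASQUERADE
EOF
}

tmp=$(mktemp)
write_sample_dump "$tmp"
if forward_policy_is_drop "$tmp"; then
    echo "FORWARD policy is DROP: both directions need an ACCEPT rule"
fi
missing_rules "$tmp" | sed 's/^/missing: /'
rm -f "$tmp"
```

On a real host, build the dump as in the comment at the top of the block and pass it to missing_rules; check net.ipv4.ip_forward separately with sysctl. If the FORWARD policy is ACCEPT, the two FORWARD rules are redundant and only the MASQUERADE rule matters. The match is deliberately strict about interface pairs: a rule that accepts tun0 to ens3 says nothing about ens3 to tun0.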

@gornostal

Hi
Split tunneling doesn't work for me either.
I use this command to configure openvpn:

docker run \
    -v $OVPN_DATA:/etc/openvpn \
    --rm \
    kylemanna/openvpn \
    ovpn_genconfig \
    -N \
    -d \
    -p "route 5.45.192.0 255.255.192.0" \
    -p "route 5.255.192.0 255.255.192.0" \
    -p "route 37.9.64.0 255.255.192.0" \
    -p "route 37.140.128.0 255.255.192.0" \
    -p "route 77.88.0.0 255.255.192.0" \
    -r "5.45.192.0/18" \
    -r "5.255.192.0/18" \
    -r "37.9.64.0/18" \
    -r "37.140.128.0/18" \
    -r "77.75.152.0/21" \
    -r "77.88.0.0/18" \
    -e 'duplicate-cn' \
    -u udp://vpn.example.com

However I get two issues:

  1. Client adds default gw to VPN, making all traffic pass through VPN. I need only routes that I've specified to go through.
    I've checked client config. There is no redirect-gateway def1 in there.
  2. It doesn't work anyway. Packets never reach the destination.

What am I doing wrong?
Please help.

@aficustree

take out the

    -r "5.45.192.0/18" \
    -r "5.255.192.0/18" \
    -r "37.9.64.0/18" \
    -r "37.140.128.0/18" \
    -r "77.75.152.0/21" \
    -r "77.88.0.0/18" \

@vulcanjedi

vulcanjedi commented Mar 16, 2018

I'm running into this too. I've gone over all the links in the comments but I haven't had any luck.
I'd really like to run this as a split tunnel at work and otherwise, without everything going through the VPN. Can anyone offer insights?
From route print I had a lot of issues getting the route to push.
I'm a novice at linux/docker and networking but hopefully I can hang.
${1} and ${OVPN_CN}, yes?
I don't see anywhere in the documentation suggesting to set these anywhere before running the authenticator commands.

OVPN_DATA="ovpn-data-SERVERNAME"

docker volume create --name $OVPN_DATA

docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.MYDNSNAME -2 -C AES-256-CBC

(Have tried this originally) docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -u udp://VPN.MYDNSNAME -2 -C AES-256-CBC
(Have tried this AND this) docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -N -d -p "xxx.xxx.xxx.0 255.255.255.0" -u udp://VPN.MYDNSNAME -2 -C AES-256-CBC

docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn ovpn_initpki

docker run -v $OVPN_DATA:/etc/openvpn -d --name=vpn -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn

docker run -v $OVPN_DATA:/etc/openvpn --rm -it kylemanna/openvpn easyrsa build-client-full nopass (do you actually type nopass or not? I have and haven't)

docker run -v $OVPN_DATA:/etc/openvpn --rm -t kylemanna/openvpn ovpn_otp_user

google-authenticator --time-based --disallow-reuse --force --rate-limit=3 --rate-time=30 --window-size=3 \
    -l "${1}@${OVPN_CN}" -s /etc/openvpn/otp/${1}.google_authenticator
The QR code doesn't work; I have to hand-type the passkey into the Authenticator iOS app, but then it will work.

docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_getclient CLIENTNAME > CLIENTNAME.ovpn

@aficustree

you have

docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -N -d -p "xxx.xxx.xxx.0 255.255.255.0" -u udp://VPN.MYDNSNAME -2 -C AES-256-CBC

try adding the word 'route'

docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -N -d -p "route xxx.xxx.xxx.0 255.255.255.0" -u udp://VPN.MYDNSNAME -2 -C AES-256-CBC

@vulcanjedi

vulcanjedi commented Mar 18, 2018

I ended up doing this: "Edit your /etc/openvpn/server.conf" (with the docker version of the file) from
https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Dual-operation:-LAN-&-VPN-at-the-same-time and that seemed to work.
I think I tried adding 'route' in the command before.
Still not sure about ${1} and ${OVPN_CN} and whether 'nopass' is an argument or not, but scanning the QR code for the authenticator would be much nicer.

@unclehook

Solved using only ovpn_genconfig:
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn -N -d -n <local dns ip> -u udp://VPN.SERVERNAME.COM -p "route <local net range> <netmask>" -p "route <docker net range> <netmask>"

I thank QBIK for the help provided by this guide.

@Sugarv

Sugarv commented Oct 29, 2018

Solved using only ovpn_genconfig:
docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn -N -d -n <local dns ip> -u udp://VPN.SERVERNAME.COM -p "route <local net range> <netmask>" -p "route <docker net range> <netmask>"

I thank QBIK for the help provided by this guide.

Thanks for the great answer! You made a small typo however, forgetting ovpn_genconfig. Here's the correct command:

docker run -v $OVPN_DATA:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig -N -d -n <local dns ip> -u udp://VPN.SERVERNAME.COM -p "route <local net range> <netmask>" -p "route <docker net range> <netmask>"

@rednag

rednag commented Jun 17, 2021

Thanks with that information I was able to set up my server to route all traffic through VPN ;)
