OpenVPN not redirecting all traffic through VPN


This is 100% expected behaviour. In order to route all traffic through your VPN connection, a default route is added with the virtual interface as a target. But this presents a problem - the network packets used to carry the VPN connection itself would also get routed to the VPN interface, creating a kind of routing loop. To resolve this a static host route to the VPN server is added using your normal Internet gateway as target. This way the packets created by OpenVPN could travel to the OpenVPN server over Internet while everything else gets directed over the VPN link.

Because of the host route, if you try to SSH to the Internet address of your VPN server, the connection will go over your regular Internet connection and you will see your IP in the output from who or last. On the other hand, if you SSH to the other end of the VPN tunnel, your connection will appear to originate from the IP address assigned to the client's end of the tunnel.

For example, this is how a typical OpenVPN virtual interface is configured:

$ ifconfig
...
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.10.11.9 --> 10.10.11.10 netmask 0xffffffff 
    open (pid 48658)

The remote end of the VPN tunnel in this case is 10.10.11.10. This is a BSD-style ifconfig output (actually OS X). The output on Linux is a bit different. And this is the corresponding host route (again in BSD format):

$ netstat -rn
Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.10.11.9         UGSc            0        0    tun0
default            10.0.1.1           UGSc           22        0     en0
10.0.1/24          link#4             UCS             1        0     en0
10.10.11/24        10.10.11.9         UGSc            0        0    tun0
10.10.11.9         10.10.11.10        UHr             5        0    tun0
yy.yy.yy.yy/32     10.0.1.1           UGSc            1        0     en0

The first route directs all traffic (except the one directed to the local network 10.0.1/24) to the tun0 interface, i.e. to OpenVPN. The static route to the OpenVPN server is the one on the last line. 10.0.1.1 in this case is the Internet gateway.
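To see why the host route wins, here is an added example (not from the answer above and not OpenVPN's own code) that parses the BSD-style netstat -rn table shown above and applies longest-prefix matching the way the kernel does. The server address yy.yy.yy.yy is replaced by the constructed documentation address 203.0.113.10, and the 128/1 route that redirect-gateway def1 installs alongside 0/1 is included.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed sample: the answer's netstat -rn table, with the server's yy.yy.yy.yy
# replaced by 203.0.113.10 and the 128/1 half that "redirect-gateway def1" also adds.
SAMPLE_TABLE = """\
Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.10.11.9         UGSc            0        0    tun0
default            10.0.1.1           UGSc           22        0     en0
10.0.1/24          link#4             UCS             1        0     en0
10.10.11/24        10.10.11.9         UGSc            0        0    tun0
10.10.11.9         10.10.11.10        UHr             5        0    tun0
128/1              10.10.11.9         UGSc            0        0    tun0
203.0.113.10/32    10.0.1.1           UGSc            1        0     en0
"""

class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str          # next hop, or "link#N" for a directly attached network
    flags: str
    netif: str

def expand_bsd_destination(dest: str) -> ipaddress.IPv4Network:
    """BSD abbreviates: 'default' is 0.0.0.0/0, '0/1' is 0.0.0.0/1,
    '10.0.1/24' is 10.0.1.0/24 and a bare address is a /32 host route."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{prefix or 32}", strict=False)

def parse_routing_table(text: str) -> list:
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] == "Destination":  # skip header and blank lines
            continue
        routes.append(Route(expand_bsd_destination(cols[0]), cols[1], cols[2], cols[5]))
    return routes

def lookup(routes: list, dst: str) -> Optional[Route]:
    """Longest-prefix match: the /32 host route beats 0/1 and 128/1, which beat default."""
    ip = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if ip in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None

def egress_interface(dst: str, table: str = SAMPLE_TABLE) -> Optional[str]:
    """Interface a packet to dst would leave through according to the table."""
    route = lookup(parse_routing_table(table), dst)
    return route.netif if route else None
```

Dropping the 128/1 line from the table shows the failure mode worth checking for: every destination above 128.0.0.0 then falls through to default and leaves via en0 instead of the tunnel.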

Author by ABC

Updated on September 18, 2022

Comments

  • ABC
    ABC over 1 year

    I have just finished setting up my VPN, and google shows my IP to be that of my VPN, so this works fine. However, when I log in through SSH to the VPN server, it shows my last login to be that of my (non VPN'd) IP (even after multiple logins/outs). This makes me believe that not all data is passing through the VPN.

    In my server.conf I have the following directives:

    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    

    And iptables is setup with the following:

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    

    Is there a way to fix this? It

  • ABC
    ABC over 10 years
    So connecting to the same server with my VPN will go through my internet connection, but for all other IPs, it will go through the VPN? And thank you, that makes a lot of sense!
  • Hristo Iliev
    Hristo Iliev over 10 years
    Yes, traffic to the IP of your VPN server will always get through your Internet connection as long as the static route is present. It is also possible to direct non-OpenVPN generated packets to that IP over the VPN link too. It is not trivial and requires understanding of packet tagging and policy routing under Linux, but is certainly doable. The basic idea is to have iptables tag outgoing OpenVPN traffic to the VPN server and then use the ip tool to instruct the kernel to consult a different routing table when dealing with marked packets. I don't think you really need this.