Help NOT Routing all the traffic through the OpenVPN tunnel

Hi Everyone,
I am opening this thread to ask for help with a problem. I recently purchased the GL-X750 router. It has an excellent feature for configuring an OpenVPN client; the problem is that, by default, it redirects all traffic through the VPN tunnel. I would like to avoid redirecting all traffic through the VPN.
These are my configurations:

root@GL-X750:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6  tethering modem_1_1_2'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].enabled='0'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@include[0].reload='1'
firewall.glfw=include
firewall.glfw.type='script'
firewall.glfw.path='/usr/bin/glfw.sh'
firewall.glfw.reload='1'
firewall.guestzone=zone
firewall.guestzone.name='guestzone'
firewall.guestzone.network='guest'
firewall.guestzone.forward='REJECT'
firewall.guestzone.output='ACCEPT'
firewall.guestzone.input='REJECT'
firewall.guestzone_fwd=forwarding
firewall.guestzone_fwd.src='guestzone'
firewall.guestzone_fwd.dest='wan'
firewall.guestzone_fwd.enabled='0'
firewall.guestzone_dhcp=rule
firewall.guestzone_dhcp.name='guestzone_DHCP'
firewall.guestzone_dhcp.src='guestzone'
firewall.guestzone_dhcp.target='ACCEPT'
firewall.guestzone_dhcp.proto='udp'
firewall.guestzone_dhcp.dest_port='67-68'
firewall.guestzone_dns=rule
firewall.guestzone_dns.name='guestzone_DNS'
firewall.guestzone_dns.src='guestzone'
firewall.guestzone_dns.target='ACCEPT'
firewall.guestzone_dns.proto='tcp udp'
firewall.guestzone_dns.dest_port='53'
firewall.glservice_rule=rule
firewall.glservice_rule.name='glservice'
firewall.glservice_rule.dest_port='83'
firewall.glservice_rule.proto='tcp udp'
firewall.glservice_rule.src='wan'
firewall.glservice_rule.target='ACCEPT'
firewall.glservice_rule.enabled='0'
firewall.gls2s=include
firewall.gls2s.type='script'
firewall.gls2s.path='/var/etc/gls2s.include'
firewall.gls2s.reload='1'
firewall.glqos=include
firewall.glqos.type='script'
firewall.glqos.path='/usr/sbin/glqos.sh'
firewall.glqos.reload='1'
firewall.mwan3=include
firewall.mwan3.type='script'
firewall.mwan3.path='/var/etc/mwan3.include'
firewall.mwan3.reload='1'
firewall.vpn_zone=zone
firewall.vpn_zone.name='ovpn'
firewall.vpn_zone.input='ACCEPT'
firewall.vpn_zone.forward='REJECT'
firewall.vpn_zone.output='ACCEPT'
firewall.vpn_zone.network='ovpn'
firewall.vpn_zone.masq='1'
firewall.vpn_zone.mtu_fix='1'
firewall.forwarding_vpn1=forwarding
firewall.forwarding_vpn1.dest='ovpn'
firewall.forwarding_vpn1.src='lan'
firewall.forwarding_guest_ovpn=forwarding
firewall.forwarding_guest_ovpn.dest='ovpn'
firewall.forwarding_guest_ovpn.src='guestzone'
root@GL-X750:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd28:ba39:a699::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.hostname='GL-X750-27c'
network.lan.ipaddr='192.168.8.1'
network.lan.delegate='0'
network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wan.hostname='GL-X750-27c'
network.wan6=interface
network.wan6.ifname='eth0'
network.wan6.proto='dhcpv6'
network.guest=interface
network.guest.ifname='guest'
network.guest.type='bridge'
network.guest.proto='static'
network.guest.ipaddr='192.168.9.1'
network.guest.netmask='255.255.255.0'
network.guest.ip6assign='60'
network.tethering=interface
network.tethering.proto='dhcp'
network.tethering.ifname='usb0'
network.tethering.metric='30'
network.modem_1_1_2=interface
network.modem_1_1_2.ifname='3g-modem'
network.modem_1_1_2.service='fdd_lte'
network.modem_1_1_2.proto='3g'
network.modem_1_1_2.device='/dev/ttyUSB3'
network.modem_1_1_2.metric='40'
network.modem_1_1_2.disabled='0'
network.ovpn=interface
network.ovpn.ifname='tun0'
network.ovpn.proto='none'
dev tun
persist-tun
persist-key
cipher AES-128-CBC
ncp-ciphers AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote xx.xx.xx.xx1 1194 udp
verify-x509-name "firewall01.local" name
remote-cert-tls server
compress lz4
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
daemon

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
root@GL-X750:~# ip r
0.0.0.0/1 dev tun0 scope link 
default via 10.64.64.64 dev 3g-modem_1_1_2 proto static metric 40 
10.0.0.0/24 via 10.0.1.1 dev tun0 
10.0.1.0/24 dev tun0 proto kernel scope link src 10.0.1.10 
10.1.0.0/24 via 10.0.1.1 dev tun0 
10.2.0.0/24 via 10.0.1.1 dev tun0 
10.64.64.64 dev 3g-modem_1_1_2 proto kernel scope link src publicip 
vpnip via 10.64.64.64 dev 3g-modem_1_1_2 
128.0.0.0/1 dev tun0 scope link 
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1 
192.168.9.0/24 dev br-guest proto kernel scope link src 192.168.9.1 

Thanks in advance for the help :blush:

You may want to change the `input` setting of the `ovpn` zone (`firewall.vpn_zone.input='ACCEPT'` above) to REJECT/DROP.

If you control the other side of the tunnel, you can remove `redirect-gateway def1` there — the `0.0.0.0/1` and `128.0.0.0/1` routes on `tun0` in your `ip r` output are exactly the pair that option installs. I can see that you are also advertising other networks, so simply not pulling routes on the client side would have side effects (those subnet routes would disappear too).

I set up like your advice:

uci set firewall.vpn_zone.input='DROP'
uci commit firewall

But traffic continues to be routed through tun0:

traceroute to heise.de (193.99.144.80), 30 hops max, 60 byte packets
 1  console.gl-inet.com (192.168.8.1)  1.231 ms  1.404 ms  1.650 ms
 2  10.0.1.1 (10.0.1.1)  56.711 ms  61.105 ms  61.494 ms                       <----- :(
 3  81-223-16-161.static.upcbusiness.at (81.223.16.161)  62.357 ms  66.358 ms  66.693 ms
 4  * * *
 5  80-241-21-29.static.upcbusiness.at (80.241.21.29)  78.229 ms  83.387 ms  84.177 ms
 6  at-vie01b-rc1-ae-31-2047.aorta.net (84.116.228.145)  84.530 ms  81.044 ms  81.243 ms
 7  at-vie05b-ri3-ae-4-0.aorta.net (213.46.173.117)  80.398 ms  60.006 ms  61.299 ms
 8  80.157.202.61 (80.157.202.61)  64.712 ms  79.998 ms  79.460 ms
 9  217.5.116.174 (217.5.116.174)  95.027 ms  129.923 ms  135.283 ms
10  217.5.116.174 (217.5.116.174)  107.818 ms  114.857 ms  120.179 ms
11  62.157.251.38 (62.157.251.38)  141.052 ms  142.293 ms  142.636 ms
12  82.98.102.7 (82.98.102.7)  140.669 ms 82.98.102.5 (82.98.102.5)  139.478 ms 82.98.102.7 (82.98.102.7)  81.095 ms
13  82.98.102.65 (82.98.102.65)  86.513 ms 82.98.102.23 (82.98.102.23)  93.812 ms 82.98.102.65 (82.98.102.65)  123.381 ms

root@GL-X750:~# ip r
0.0.0.0/1 dev tun0 scope link 
default via 10.64.64.64 dev 3g-modem_1_1_2 proto static metric 40 
10.0.0.0/24 via 10.0.1.1 dev tun0                                        <-----
10.0.1.0/24 dev tun0 proto kernel scope link src 10.0.1.10 <-----
10.1.0.0/24 via 10.0.1.1 dev tun0                                         <-----
10.2.0.0/24 via 10.0.1.1 dev tun0                                          <-----
10.64.64.64 dev 3g-modem_1_1_2 proto kernel scope link src publicip 
vpnip via 10.64.64.64 dev 3g-modem_1_1_2 
128.0.0.0/1 dev tun0 scope link 
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1 
192.168.9.0/24 dev br-guest proto kernel scope link src 192.168.9.1 

I would like to route only 10.0.0.0/24, 10.0.1.0/24, 10.1.0.0/24 and 10.2.0.0/24 through the VPN.

I also told you to remove the redirect-gateway def1 from the server. Did you do that?

Ok this:

redirect-gateway def1

is not present on the OpenVPN server; this is its config:

dev ovpns2
verb 1
dev-type tun
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-128-CBC
auth SHA256
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
learn-address "/usr/local/sbin/openvpn.learn-address.sh local"
local *remoteip*
engine rdrand
tls-server
server 10.0.1.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server2
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'firewall01.local' 1"
lport 1194
management /var/etc/openvpn/server2.sock unix
push "route 10.0.0.0 255.255.255.0"
push "route 10.1.0.0 255.255.255.0"
push "route 10.2.0.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.1"
push "dhcp-option DNS 8.8.8.8"
push "register-dns"
ca /var/etc/openvpn/server2.ca 
cert /var/etc/openvpn/server2.cert 
key /var/etc/openvpn/server2.key 
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server2.tls-auth 0
ncp-ciphers AES-128-GCM
compress lz4
persist-remote-ip
float
topology subnet

Is there something in client-config-dir ?

Nope nothing.
If I connect to the VPN from my laptop, only the correct subnets are routed through the tunnel. For this reason I suspect something is wrong on the router side.

Then disable it directly on the client.

Put the following two lines in your openvpn config

route-nopull
route-noexec

Put the vpn tunnel device in your wan zone.

Then use vpn-policy-routing to direct traffic from your desired network CIDRs through the tunnel interface.

I'm assuming here that your remote network has routable addresses, not private addresses. If the latter, then you will need a new firewall zone that does not do masquerading. In that case, duplicate the wan zone (say, call it vpn) and turn off masquerading on it. Make sure forwarding is enabled from the lan zone (or whatever zones you have defined for these networks) to the new vpn zone.
