OVPN creates 2nd default route

Hey everybody.

Everything works fine, but when I start the OpenVPN client connection (OpenWrt is the client),
a second default route is created and there is no internet connection any more.

Below is the .ovpn file which I imported into the OpenWrt router.


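# Client config as imported into OpenWrt, with the two changes discussed in
# this thread applied (compression off, server-pushed default gateway ignored)
# and reviewer comments added. Certificates, key and the remote address are
# the original placeholders.
client
dev tun
proto udp
explicit-exit-notify
# Pins the full subject of the server certificate; a server presenting any
# other certificate signed by the same CA is rejected.
verify-x509-name "C=NA, ST=NA, L=NA, O=NA, OU=NA, CN=Appliance_Certificate_HbOvZ5Gd7YZMGW3, emailAddress=na@example.com"
# Keep the VPN server itself reachable through the physical uplink (wwan0).
route remote_host 255.255.255.255 net_gateway
# The server pushes "redirect-gateway def1", which installs the 0.0.0.0/1 and
# 128.0.0.0/1 routes on tun0 seen in the route printout. Ignore that push so
# the wwan0 default route keeps carrying non-VPN traffic (split tunnel).
# Routes pushed for specific hosts or subnets are still accepted.
pull-filter ignore "redirect-gateway"
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
Mblalba
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
blabla
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
blala
-----END RSA PRIVATE KEY-----
</key>
# Username/password are prompted for or read from a file supplied by the
# importer. NOTE(review): if OpenWrt stores them on flash, keep that file
# root-only (0600), like the embedded private key above.
auth-user-pass
# CBC + HMAC is still acceptable; AES-GCM (e.g. data-ciphers
# AES-256-GCM:AES-128-GCM) is preferred where the server supports it. Left
# unchanged because the server side is not known here.
cipher AES-128-CBC
auth SHA256
# Was "comp-lzo yes" in the imported file. Compressing data before encrypting
# it leaks information about the plaintext through packet sizes, and OpenVPN
# 2.5+ deprecates compression, so it is turned off here. "no" should keep the
# packet framing compatible with a server that still negotiates comp-lzo.
comp-lzo no
;can_save no
;otp no
;run_logon_script no
;auto_connect 
# Routes are added 4 s after the connection comes up, i.e. after the tun0
# device already exists.
route-delay 4
verb 3
# Disables client-initiated key renegotiation; the server's reneg-sec still
# applies. NOTE(review): confirm the server rotates the data-channel key,
# otherwise one key is used for the life of the session.
reneg-sec 0
remote XXX.XXX.XXX 4443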

Route printout WITHOUT active VPN

root@GL-MIFI:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.152.107.37   0.0.0.0         UG    40     0        0 wwan0
10.22.1.0       *               255.255.255.0   U     0      0        0 br-lan
10.152.107.36   *               255.255.255.252 U     40     0        0 wwan0
172.25.254.0    *               255.255.255.224 U     0      0        0 br-lan

Route printout with active VPN

root@GL-MIFI:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               128.0.0.0       U     0      0        0 tun0
default         10.152.107.37   0.0.0.0         UG    40     0        0 wwan0
10.22.1.0       *               255.255.255.0   U     0      0        0 br-lan
10.152.107.36   *               255.255.255.252 U     40     0        0 wwan0
10.244.90.25    172.25.22.10    255.255.255.255 UGH   0      0        0 tun0
128.0.0.0       *               128.0.0.0       U     0      0        0 tun0
153.92.30.205   10.152.107.37   255.255.255.255 UGH   40     0        0 wwan0
172.25.22.0     *               255.255.255.0   U     0      0        0 tun0
172.25.254.0    *               255.255.255.224 U     0      0        0 br-lan


google Ping

root@GL-MIFI:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C

google Ping with iface

root@GL-MIFI:~# ping -I wwan0 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=112 time=37.585 ms
64 bytes from 8.8.8.8: seq=1 ttl=112 time=44.937 ms
64 bytes from 8.8.8.8: seq=2 ttl=112 time=35.534 ms
64 bytes from 8.8.8.8: seq=3 ttl=112 time=35.517 ms

network config

root@GL-MIFI:~# cat /etc/config/network

# /etc/config/network as posted. Reviewer comments added; the directives
# themselves are unchanged.

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddb:0bc4:69b1::/48'

# LAN bridge on eth1, 10.22.1.4/24. The DNAT targets and the SNAT address in
# /etc/config/firewall (10.22.1.1-.4 in the uci export) are in this subnet.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option hostname 'GL-MIFI-257'
        option ipaddr '10.22.1.4'

# Ethernet WAN (eth0). Not the active uplink in the route printouts, but it
# is a member of the 'wan' firewall zone.
config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option hostname 'GL-MIFI-257'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'
        option disabled '1'

config interface 'guest'
        option ifname 'guest'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# LTE uplink via QMI; appears as wwan0 with the metric-40 default route in
# the printouts. username/password look like the carrier's generic APN login
# rather than a personal secret, but UCI stores them in plaintext regardless.
config interface 'modem_1_1_2'
        option ifname 'wwan0'
        option service 'umts'
        option apn 'internet.telekom'
        option proto 'qmi'
        option device '/dev/cdc-wdm0'
        option node '1-1.2:1.4'
        option username 't-mobile'
        option password 'tm'
        option auth 'PAP'
        option metric '40'
        option disabled '0'

# NOTE(review): 'redirect' is a firewall section type, not a network one.
# This empty stanza in /etc/config/network is a leftover and has no effect.
config redirect

# Second IPv4 address on the same LAN bridge (172.25.254.2/27); this is the
# 172.25.254.0/27 route on br-lan in the printouts.
config interface 'LTE_Backup'
        option ifname 'br-lan'
        option proto 'static'
        option ipaddr '172.25.254.2'
        option netmask '255.255.255.224'

# Unmanaged interface wrapping the OpenVPN tun0 device so the 'ovpn' firewall
# zone can reference it by network name.
config interface 'ovpn'
        option ifname 'tun0'
        option proto 'none'

firewall config

root@GL-MIFI:~# cat /etc/config/firewall

# /etc/config/firewall as posted (cat output; the 'uci export' further down
# is the version after later edits). Reviewer comments added; no rule changed.

# Zone-less defaults. input ACCEPT only matters for an interface that is in
# no zone; every zone below sets its own policy. forward REJECT means no
# inter-zone traffic unless a 'config forwarding' section allows it.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Uplink zone: Ethernet WAN plus the LTE modem. masq NATs whatever is
# forwarded out of it; with lan->wan forwarding disabled below, that is only
# the router's own traffic and the tunnel.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 modem_1_1_2'

# Disabled: LAN clients cannot use the modem directly; their only permitted
# exit is the 'ovpn' zone (forwarding_vpn1 below).
config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '0'

# Stock OpenWrt WAN input exceptions (DHCP renew, ping, IGMP, IPv6 housekeeping).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Inbound IPsec (ESP and IKE on UDP/500) from the uplink into the LAN. These
# are stock OpenWrt defaults; no IPsec endpoint on the LAN is described in
# this thread, so if none exists they are an unneeded inbound opening.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Local and vendor (GL.iNet) include scripts. Their rules are not shown on
# this page and can change the effective policy.
config include
        option path '/etc/firewall.user'
        option reload '1'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

# Guest zone: no router access except DHCP/DNS below, no exit to 'wan'
# (guestzone_fwd is disabled) -- only to 'ovpn' (forwarding_guest_ovpn).
config zone 'guestzone'
        option name 'guestzone'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding 'guestzone_fwd'
        option src 'guestzone'
        option dest 'wan'
        option enabled '0'

config rule 'guestzone_dhcp'
        option name 'guestzone_DHCP'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule 'guestzone_dns'
        option name 'guestzone_DNS'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

# SMB/NetBIOS: dropped from the uplink (already covered by input REJECT, but
# explicit), allowed from the LAN.
config rule 'sambasharewan'
        option src 'wan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'DROP'

config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

# Port forwards reachable only from the VPN side (src 'ovpn'); dest_ip is
# anonymised here, the uci export below shows 10.22.1.3/.2/.1/.4:
#   1443 -> .3:443 (ILO), 443 -> .2:443 (ESX), 4444 -> .1:4444 (FIREWALL),
#   80 -> .4:80 (ROUTER, this device's own LAN address).
# They punch through the ovpn zone's input DROP / forward REJECT for these
# ports, so anyone who can reach this client's tunnel address on the VPN side
# reaches these management interfaces. 'tcp udp' also forwards UDP, which none
# of these HTTP/HTTPS services need; 'tcp' alone is narrower.
config redirect
        option target 'DNAT'
        option name 'ILO'
        option src 'ovpn'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '1443'
        option dest_ip 'XX.XX.XX.3'
        option dest_port '443'
        option enabled '1'
        option gl '1'

config redirect
        option target 'DNAT'
        option name 'ESX'
        option src 'ovpn'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '443'
        option dest_ip 'XX.XX.XX.2'
        option dest_port '443'
        option enabled '1'
        option gl '1'

config redirect
        option target 'DNAT'
        option name 'FIREWALL'
        option src 'ovpn'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '4444'
        option dest_ip 'XX.XX.XX.1'
        option dest_port '4444'
        option enabled '1'
        option gl '1'

config redirect
        option target 'DNAT'
        option name 'ROUTER'
        option src 'ovpn'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '80'
        option dest_ip 'XX.XX.XX.4'
        option dest_port '80'
        option enabled '1'
        option gl '1'

# Source-NATs all protocols leaving through the LAN zone to the router's own
# LAN address (10.22.1.4 in the export), so the forwarded hosts answer the
# router instead of needing a route back to the VPN subnet. Presumably this is
# what makes the redirects above work; it also hides the real VPN-side source
# address from those hosts' logs.
config nat
        option src 'lan'
        option name 'SNAT'
        option target 'SNAT'
        option snat_ip 'XX.XX.XX.4'
        list proto 'all'

# Tunnel zone. Nothing from the VPN side may reach the router (input DROP) or
# be forwarded (forward REJECT) except through the redirects above; LAN and
# guest traffic leaving via the tunnel is masqueraded behind the tunnel
# address. masq6 has no visible effect: tun0 carries only IPv4 routes here.
config zone 'vpn_zone'
        option name 'ovpn'
        option input 'DROP'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'ovpn'
        option masq '1'
        option mtu_fix '1'
        option masq6 '1'

config forwarding 'forwarding_vpn1'
        option dest 'ovpn'
        option src 'lan'

config forwarding 'forwarding_guest_ovpn'
        option dest 'ovpn'
        option src 'guestzone'

Adding `route no-exec` and `route no-pull` did not work either.

Please help me...

Thank you

The additional default routes that you see are normal. Try disabling LZO compression with `comp-lzo no` and reconnect.


What is the issue here? You do not want that default route? Or do you want that default route to work?


Why should a compression setting have any effect on the routing problem?
I tested it anyway and, as expected, nothing changed :frowning:

Ah, sorry. The issue is that no WAN connection is possible while the OpenVPN tunnel is active.

The tun0 routes only exist while the OpenVPN tunnel is active.
As far as I can see their metric is 0, while the wwan0 default route has metric 40.

I think the problem is the tun0 default route.
I don't know why this route appears... :frowning:

The correct syntax is `route-nopull`.
You can also try `pull-filter ignore "redirect-gateway"`: the two routes you see (0.0.0.0/1 and 128.0.0.0/1 on tun0) are exactly what a pushed `redirect-gateway def1` installs, and because they are more specific than 0.0.0.0/0 they win over the wwan0 default route regardless of metric. (`route-gateway` is a different pushed option — the gateway address used for pushed routes — and ignoring it does not stop the default-route override.)


It is not a routing problem as such: the OpenVPN server is pushing the default gateway so that all traffic goes through the tunnel. If you want a split tunnel you need to disable the gateway redirection (on the server, or by filtering the push on the client) and add the routes you want tunnelled manually, or use a package like VPN-PBR (vpn-policy-routing).
One more thing, what is the output of

ubus call system board

I know what you mean...
On the VPN server side I can choose the option "full tunnel gateway" (it is turned off), or I can specify some hosts or subnets.

root@GL-MIFI:~#
root@GL-MIFI:~# ubus call system board
{
        "kernel": "4.9.120",
        "hostname": "GL-MIFI",
        "system": "Atheros AR9330 rev 1",
        "model": "GL.iNet GL-MIFI",
        "board_name": "gl-mifi",
        "release": {
                "distribution": "OpenWrt",
                "version": "18.06.1",
                "revision": "r7258-5eb055306f",
                "target": "ar71xx\/generic",
                "description": "OpenWrt 18.06.1 r7258-5eb055306f"

no, still not working

This version is very old and unsupported. 21.02 is the current stable version.


See it from a positive point of view: with compression disabled your data is now actually securely encrypted. Compressing data before encrypting it lets an attacker who can influence part of the plaintext learn about the rest from the encrypted packet sizes, which is why compression inside VPN tunnels is considered unsafe.

And now you can upgrade to 21.02, because OpenVPN 2.5 deprecates compression anyway (it is no longer enabled by default), so you have also removed a future forum thread about why your tunnel doesn't work.

Are you sure you have OpenWrt at all? To get the config file written out the way you have presented it you would normally run:

uci export firewall

Yes, it is OpenWrt :slight_smile:

BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07.7, r11306-c4a6851c72
 -----------------------------------------------------
root@GL-MIFI:~#

Here is the output of `uci export firewall`:

root@GL-MIFI:~# uci export firewall
# 'uci export firewall' output. Same rule set as the earlier cat output
# except the 'ovpn' zone (forward DROP, extra 'device' option) and the new,
# disabled 'forwarding_lan_ovpn' section. Reviewer comments added; nothing
# else changed.
package firewall

# Zone-less defaults; every zone below sets its own input/forward policy.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Uplink zone (Ethernet WAN plus LTE modem), masqueraded.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 modem_1_1_2'

# Disabled: LAN clients may not exit through the modem directly, only through
# the 'ovpn' zone.
config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '0'

# Stock OpenWrt WAN input exceptions.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Inbound IPsec (ESP, IKE on UDP/500) from the uplink into the LAN -- stock
# defaults; unnecessary if no IPsec endpoint exists on the LAN.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Local and vendor (GL.iNet) include scripts; their rules are not shown here.
config include
        option path '/etc/firewall.user'
        option reload '1'

config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'

config include 'glfw'
        option type 'script'
        option path '/usr/bin/glfw.sh'
        option reload '1'

config include 'glqos'
        option type 'script'
        option path '/usr/sbin/glqos.sh'
        option reload '1'

# Guest zone: DHCP/DNS to the router only, exit only via 'ovpn'.
config zone 'guestzone'
        option name 'guestzone'
        option network 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'

config forwarding 'guestzone_fwd'
        option src 'guestzone'
        option dest 'wan'
        option enabled '0'

config rule 'guestzone_dhcp'
        option name 'guestzone_DHCP'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'

config rule 'guestzone_dns'
        option name 'guestzone_DNS'
        option src 'guestzone'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'

config rule 'sambasharewan'
        option src 'wan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'DROP'

config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'

# Port forwards reachable only from the VPN side (src 'ovpn') into the LAN
# management hosts: 1443 -> 10.22.1.3:443, 443 -> 10.22.1.2:443,
# 4444 -> 10.22.1.1:4444, 80 -> 10.22.1.4:80 (the router itself). They bypass
# the ovpn zone's input/forward DROP for these ports, so anyone who can reach
# this client's tunnel address reaches these interfaces. 'tcp' alone would be
# narrower than 'tcp udp' for HTTP/HTTPS services.
config redirect
        option target 'DNAT'
        option name 'ILO'
        option src 'ovpn'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '1443'
        option dest_ip '10.22.1.3'
        option dest_port '443'
        option enabled '1'
        option gl '1'

config redirect
        option target 'DNAT'
        option name 'ESX'
        option src 'ovpn'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '443'
        option dest_ip '10.22.1.2'
        option dest_port '443'
        option enabled '1'
        option gl '1'

config redirect
        option target 'DNAT'
        option name 'FIREWALL'
        option src 'ovpn'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '4444'
        option dest_ip '10.22.1.1'
        option dest_port '4444'
        option enabled '1'
        option gl '1'

config redirect
        option target 'DNAT'
        option name 'ROUTER'
        option src 'ovpn'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '80'
        option dest_ip '10.22.1.4'
        option dest_port '80'
        option enabled '1'
        option gl '1'

# Source-NATs everything leaving through the LAN zone to the router's own LAN
# address (10.22.1.4, matching 'lan' in /etc/config/network), so forwarded
# hosts reply to the router rather than needing a route back to the VPN.
config nat
        option src 'lan'
        option name 'SNAT'
        option target 'SNAT'
        option snat_ip '10.22.1.4'
        list proto 'all'

# Tunnel zone: VPN-side traffic may neither reach the router nor be forwarded
# except through the redirects above. NOTE(review): 'device tun0' duplicates
# 'network ovpn' (which /etc/config/network already maps to tun0); keeping
# only 'network' avoids two ways of saying the same thing. masq6 has no
# visible effect while tun0 carries only IPv4.
config zone 'vpn_zone'
        option name 'ovpn'
        option input 'DROP'
        option forward 'DROP'
        option output 'ACCEPT'
        option network 'ovpn'
        option masq '1'
        option mtu_fix '1'
        option masq6 '1'
        option device 'tun0'

config forwarding 'forwarding_vpn1'
        option dest 'ovpn'
        option src 'lan'

config forwarding 'forwarding_guest_ovpn'
        option dest 'ovpn'
        option src 'guestzone'

# Disabled: VPN-side hosts get no general access to the LAN, only the
# redirected ports above.
config forwarding 'forwarding_lan_ovpn'
        option src 'ovpn'
        option dest 'lan'
        option enabled '0'

Keep only one of `option network 'ovpn'` / `option device 'tun0'` in the ovpn zone — preferably `network`, since /etc/config/network already declares that the ovpn interface uses the tun0 device.

That's odd — both options work just fine for me. As a final workaround you could use a hotplug script to remove the two additional routes whenever tun0 comes up (they are added by OpenVPN, not static routes of your own).

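# Install a hotplug script that deletes the two /1 routes OpenVPN installs on
# tun0 when the server pushes "redirect-gateway def1", then restart OpenVPN so
# the tunnel comes up again with the script in place.
cat << 'EOF' > /etc/hotplug.d/net/98-ovpnrmgw
#!/bin/sh
# Remove the 0.0.0.0/1 and 128.0.0.0/1 routes that a server-pushed
# "redirect-gateway def1" installs on tun0, so the wwan0 default route carries
# non-VPN traffic again. Deletions are pinned to the tun0 device so that a /1
# route on any other interface is never touched.
#
# NOTE(review): this runs on the netdev "add" event. With "route-delay 4" in
# the client config the routes may be installed after this has run, and with
# "persist-tun" the device is not re-created on reconnect, so the routes can
# come back without this firing again -- check "ip route" after a reconnect.
# Ignoring the push on the client (pull-filter ignore "redirect-gateway")
# avoids both problems.

if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "tun0" ]; then
  for prefix in 0.0.0.0/1 128.0.0.0/1; do
    # Log rather than hide a failed delete: it is the symptom of the race
    # described above.
    ip route del "$prefix" dev "$INTERFACE" \
      || logger -t ovpnrmgw "could not delete $prefix on $INTERFACE"
  done
fi

exit 0
EOF
/etc/init.d/openvpn restart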

Perfect... it works :slight_smile:
Thanks a lot

