Setting default route, OpenVPN

Hi everyone!

I've got a question about setting default routes while using OpenVPN.
I have a wireless AP with OpenWrt 23.05.3.
And I use a OpenVPN client on that AP to bridge the AP into my home Lan.

Setup is as follows:

  • Dial-up the APs modem.
  • Connect the VPN client.
  • That gives me a tap device which is bridged into the APs Lan, which has a static IP.
  • DHCP is handled by Dnsmasq on my home router, where OVPN server is running as well.

Now every device in my home Lan gets a IP and a default route. But the devices that I connect via the AP, through the VPN tunnel, only get an IP address.
If I add the missing route by hand everything works fine. I can confirm that the VPN tunnel is working.

So my question is why do the clients connected to the AP don't get a route? I mean the network is bridged, all devices are in the same subnet. So it should be easy to get a route from Dnsmasq, right? What am I missing?

OpenVPN intercepts and processes DHCP requests. There is a way to turn that off though. It is supposed to work where the client's default route points at the VPN tunnel device, though there is no numeric gateway IP. The only reason for numeric gateway IPs is to facilitate ARP resolution on a multi-drop network, but since the tunnel is point to point it is feasible to put packets into the tunnel and the server will route them.

This isn't going to work without some tweaks for a lan-lan layer 2 tunnel. The layer 2 mode was intended for road warriors. Layer 2 between large networks should be avoided because there will be a lot of unnecessary multicast traffic that will load up the bandwidth of the VPN link.

Thank you very much for your reply!

I did turn off the DCHP handling by OpenVPN, or at least I though I did. The devices that I connect to my Lan, no matter if they are connected locally or through the VPN tunnel, get an IP address from Dnsmasq and they pop up in the lease file of my home router. Which lets me assume that OpenVPN is not interfering with DCHP.
But the default route is only set for devices connected locally. How do tell OpenVPN to just pass on the route provided by Dnsmasq?

I don't have a large network. Only a hand full devices. My use case is exactly, as you described, 'a road warrior'. I need to connect to my Lan from /where ever/.
And my setup is working. The very last puzzle piece is to get default route set automatically.
I can set the route by hand and it works as intended. But that's not very convenient.

It has been a long time ago I used a TAP setup but also for a TAP setup the OpenVPN server can send the default route, add in the OpenVPN server config:
push "redirect-gateway def1"

For a proper TAP setup the IP address of the router/server needs to be different then that of the client but in the same subnet, e.g., if the server is, then use for the client.

Thank you for your input!

Unfortunately redirect-gateway doesn't help me. Redirect-gateway comes with multiple flags, not just def1, that you can set. The 'local' flag seems to fit my use case best. But it doesn't seem to do anything. I also tested all the other flags without success.

Of course you're right. The server and client have to share same subnet. And this is the case for my setup. My home router and the AP have both static IPs, sharing the same subnet. So no routing is required as long as the packages stay in my Lan.

The ovpn server config is pretty simple:

port  12345
proto udp
dev   tap0

# keys configuration
askpass  ovpn/ovpn.pass
ca       ovpn/ca.crt
cert     ovpn/ovpn.crt
key      ovpn/ovpn.key
dh       ovpn/dh.pem
tls-auth ovpn/ovpn_tls.key 0

mode server

##testing gateway
##none of these flags help me
#push "redirect-gateway def1"
#push "redirect-gateway def1 bypass-dhcp"
#push "redirect-gateway bypass-dhcp"
#push "redirect-gateway block-local"
#push "redirect-gateway def1 local"

##this option also doesn't help me
##worse, setting static route here messes up the AP routing table
#push "route-gateway dhcp"

push "explicit-exit-notify 3"

cipher AES-256-GCM
data-ciphers AES-256-GCM
data-ciphers-fallback AES-256-CBC
auth SHA512

The same is true for the client, very simple:

proto udp
dev tap0
key-direction 1
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA512
remote my.vpn.server 12345
remote-cert-tls server

I still don't have an explanation why DHCP works for the IP address but fails for the gateway route. Strange.

Also there is an obvious solution: Go all static. Don't use DHCP.
That works. And since I currently only have two or three devices connecting to the AP that would be a (ugly) solution.

But I would prefer to get DHCP working correctly.

Things to try
Add to the server side: push "route-delay 15"

Alternatively block DHCP across the tunnel and let each side setup DHCP (of course different ranges) then redirect gateway def1 will take care of default routing

I think I found a way to make it work. I have to use static route to my home router and use redirect-gateway.

push "redirect-gateway def1"
push "route-gateway"

That works for my laptop.

Still fighting my phone for some reason.
Static setup works for my phone. But DHCP does not. Both devices are connected by Wifi. And they get the same GW and DNS. But my phone tells me: 'no internet connection'. -.-
I'm going to investigate further tomorrow.

And I do some reading on how to write a nftables rule to drop DHCP on one specific device in a bridged network. To separate the two Dnsmasq servers. Sounds fun!
Though I'm not sure if that's really necessary.

Thank you very much for your help!

1 Like