OpenVPN tap/bridge: redirect-gateway - not working?

[daniel78]

Hi!

I have an OpenVPN server in bridge mode with a tap interface on OPNsense which is working so far: I can succesfully connect to the VPN, receive an internal IP (from OPNsense DHCP) and can reach internal resources in the remote OPNsense "LAN".

I have also  checked "Redirect Gateway" in the server config because I want to have all my local traffic sent through OpenVPN and use the remote Uplink (and its public ip) of the OPNsense server for "internet access" on the VPN-client.
This does not work reliable. The client still routes all traffic to its local default gateway. There is a "NOTE" in Windows 10 OpenVPN logfile:

Code: [Select]

Fri Jul 10 14:56:43 2020 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
The routing table looks like that and I think the "Metrik" is the problem? 192.168.41.1 is the local clients default gateway and 192.168.100.0/24 is the remote OPNsenses LAN to which I am bridged with, 192.168.100.7 beeing the local OpenVPN IP received from OPNsense DHCP:

Code: [Select]

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0     192.168.41.1    192.168.41.87     25
          0.0.0.0          0.0.0.0    192.168.100.1    192.168.100.7     25
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    331
...

If I manually set

Code: [Select]

route-gateway 192.168.100.1 (where 192.168.100.1 is the internal LAN adapter IP of the OPNsense) in my openvpn-client config it works as expected and all my traffic is sent through the tunnel. The routing table looks like:

Code: [Select]


IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0     192.168.41.1    192.168.41.87     25
          0.0.0.0          0.0.0.0    192.168.100.1    192.168.100.7     25
          0.0.0.0        128.0.0.0    192.168.100.1    192.168.100.7    281
....

Is this expected behaviour? DO I have to manually deploy the "route-gateway 192.168.100.1" to all my clients?

Thanks for any help with this.

Best regards

[mimugmail]

It doesn't really make sense to use redirect-gateway in bridge mode.
Usually your client should be in the same network as the remote, so you can just set the gateway at the client (or via DHCP)

[daniel78]

  Thanks for the help! After removing the "Redirect Gateway" option it now works. As expected. All internet traffic is going through the vpn to the OPNsense.

Just for understanding this: Yes, my VPN client has now received an IP from the OPNsenses LAN DHCP on the OpenVPN Adapter and an IP from the LOCAL DHCP (which provides also a default gateway) server. How does my Windows client "know" that he has to send everything through the OpenVPN tunnel?