
Re: [Openvpn-users] No gateway/default route set on openvpn client.

  • Subject: Re: [Openvpn-users] No gateway/default route set on openvpn client.
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Sat, 28 Jul 2007 00:08:21 -0500
  • Openpgp: id=2E5A5127
  • Z-usanet-msgid: XID609LgbFif0025X29

Elmar Athmer wrote:
> Hi
> I'm trying to secure my WLAN (WEP) with openvpn, but openvpn doesn't set
> the default route. If I add the default route manually the internet
> access from WLAN clients works as desired.
> The (OpenVPN) Server is an OpenBSD-Box, with 3 NICs.
> fxp0 ( for normal access from the OpenBSD Box to LAN.
> ath0 ( WLAN access point, openvpn server listens on this
> ip/device
> tun0 and dc0 are bridg0 (bridges for openvpn clients accessing the LAN).
> Maybe I should mention: tun devices on openbsd can also work like
> tap-devices on other OSs.


> So, long description (hope it's exact enough), here's my config:
> server:
> local
> port 1194
> proto udp
> dev tun0
> dev-type tap
> ca ca.crt
> cert server.crt
> key server.key  # This file should be kept secret
> dh dh1024.pem
> ifconfig-pool-persist ipp.txt
> server-bridge
> keepalive 10 120
> user _openvpn
> group _openvpn
> persist-key
> persist-tun
> status openvpn-status.log
> verb 3

For your setup, the client should be obtaining IP/addressing information
from the DHCP server so it can hand out the gateway, DNS, and any other
DHCP options your LAN uses.  By using the server-bridge directive in
your server config, the OpenVPN server itself is handing out the IP, not
your LAN DHCP server, and so it doesn't include necessary details like
the default gateway.  Assuming you don't hand out a default route on
your WLAN (because it sounds like you don't want WLAN clients to connect
to the Internet and be forced through OpenVPN instead) you should
replace the server-bridge directive with something like:

    mode server

You don't need to provide any IP details since the bridged device should
already have been configured on the server using your OS's networking tools.

As for the client, you simply tell the client to use DHCP for the tap
device using whatever mechanism your OS provides (Windows clients have
DHCP set in network config, *nix OSes set DHCP in their network config
files for that adapter, etc.)


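As an added illustration (not taken from the thread), here are the server and client configs with addressing left entirely to the LAN's DHCP server. The bridge itself (bridge0 joining dc0 and tun0) is still set up with the OS networking tools as the reply says, the `local`/`remote` addresses are placeholders because the original post omits them, and it is my assumption that `tls-server` belongs next to `mode server`, since the `server-bridge` helper expands to both of those plus the pool and route-gateway push that are being removed.

```conf
# server.conf (added example): tap-bridged OpenVPN server that does NOT
# assign client addresses, so the LAN DHCP server answers the clients
local <AP-IP-PLACEHOLDER>    # ath0 address; the original post omitted it
port 1194
proto udp
dev tun0
dev-type tap                 # OpenBSD tun acting as a tap device
# 'mode server' + 'tls-server' in place of 'server-bridge'. The helper
# expanded to these two plus 'ifconfig-pool ...' and 'push route-gateway',
# and it was that pool/push pair that bypassed the LAN DHCP server
# (assumption: tls-server is required with mode server for cert-based TLS)
mode server
tls-server
ca ca.crt
cert server.crt
key server.key               # keep this file secret
dh dh1024.pem
# no ifconfig-pool / ifconfig-pool-persist: client DHCP broadcasts cross
# the bridge (tun0 <-> dc0) and the LAN DHCP server hands out IP, gateway, DNS
keepalive 10 120
user _openvpn
group _openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3

# client.conf (added example): no addressing here either
client                       # = pull + tls-client
dev tap
proto udp
remote <AP-IP-PLACEHOLDER> 1194
nobind
ca ca.crt
cert client.crt
key client.key
persist-key
persist-tun
verb 3
# once the tunnel is up, run the OS DHCP client on the tap adapter
# (Windows: adapter set to "obtain automatically"; *nix: dhclient on the tap)
```

A quick check that the bridge path is doing its job: the client's default route and DNS servers should now match those the LAN DHCP server gives wired hosts, not anything configured in OpenVPN.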