Skip to main content

OpenVPN on Windows 10 without redirect-gateway option, or with options just to handle VPN traffic [Resolved]

My main aim here is for one particular Windows 10 machine to be accessible from anywhere, if you're connected to the VPN. That machine is on a super-fast connection in the office, which reaches a few 100mb download speed, but when fully connected to the VPN (with the default OpenVPN config with redirect-gateway def1 bypass-dhcp), that can drop down as low as 20mb.

On the VPN, the VPN server is 10.8.0.1, this machine is 10.8.0.2, and there will be about 5 other VPN clients on 10.8.0.x. All I want from the VPN is the 10.8.0.x machines have regular, non-VPN connectivity, and can talk to each other.

All connectivity is fine, until I try remove redirect-gateway .... No matter what config I try, without that line, when connected to the VPN, I have no internet connectivity, and DNS timeouts everywhere.

The main option I thought would work to only route VPN traffic through, is route 10.8.0.0 255.255.255.0, and while that does give the machine access to the other machines on the VPN, I still lose internet connectivity.

Do I have things misunderstood? I want all clients to only route VPN traffic through the VPN, and everything else through their regular routes. I thought that was achievable via the removal of redirect-gateway and adding static routes instead.

Output of tracert -d 8.8.8.8 when the VPN is connected, but without redirect-gateway (i.e. no internet connectivity / DNS issue):

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.247.28.1
  2     1 ms     1 ms     1 ms  80.169.236.161
  3    <1 ms    <1 ms    <1 ms  80.169.58.193
  4     1 ms     1 ms     1 ms  212.74.69.151
  5    12 ms    12 ms    12 ms  185.6.36.57
  6    12 ms    12 ms    12 ms  216.239.43.3
  7    11 ms    11 ms    11 ms  8.8.8.8

Trace complete.

No VPN:

ipconfig /all

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection
   Physical Address. . . . . . . . . : 2C-FD-A1-xxxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.247.29.176(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Lease Obtained. . . . . . . . . . : Tuesday, June 26, 2018 5:55:10 PM
   Lease Expires . . . . . . . . . . : Tuesday, July 3, 2018 8:00:57 PM
   Default Gateway . . . . . . . . . : 10.247.28.1
   DHCP Server . . . . . . . . . . . : 10.247.28.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

route print -4

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.247.28.1    10.247.29.176     25
      10.247.28.0    255.255.254.0         On-link     10.247.29.176    281
    10.247.29.176  255.255.255.255         On-link     10.247.29.176    281
    10.247.29.255  255.255.255.255         On-link     10.247.29.176    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     10.247.29.176    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     10.247.29.176    281
===========================================================================
Persistent Routes:
  None

With VPN (without redirect-gateway / broken / no connectivity):

ipconfig /all

Ethernet adapter VPN:

   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-73-xxxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1d1a:6e1c:e80e:3dcf%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, July 3, 2018 10:42:37 AM
   Lease Expires . . . . . . . . . . : Wednesday, July 3, 2019 10:42:36 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.254
   DHCPv6 IAID . . . . . . . . . . . : 5039xxxx
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-xxxx
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection
   Physical Address. . . . . . . . . : 2C-FD-A1-xxxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.247.29.176(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Lease Obtained. . . . . . . . . . : Tuesday, June 26, 2018 5:55:10 PM
   Lease Expires . . . . . . . . . . : Tuesday, July 3, 2018 8:00:56 PM
   Default Gateway . . . . . . . . . : 10.247.28.1
   DHCP Server . . . . . . . . . . . : 10.247.28.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

route print -4

IPv4 Route Table                                                            
=========================================================================== 
Active Routes:                                                              
Network Destination        Netmask          Gateway       Interface  Metric 
          0.0.0.0          0.0.0.0      10.247.28.1    10.247.29.176     25 
         10.8.0.0    255.255.255.0         On-link          10.8.0.2    259 
         10.8.0.2  255.255.255.255         On-link          10.8.0.2    259 
       10.8.0.255  255.255.255.255         On-link          10.8.0.2    259 
      10.247.28.0    255.255.254.0         On-link     10.247.29.176    281 
    10.247.29.176  255.255.255.255         On-link     10.247.29.176    281 
    10.247.29.255  255.255.255.255         On-link     10.247.29.176    281 
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331 
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331 
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331 
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331 
        224.0.0.0        240.0.0.0         On-link     10.247.29.176    281 
        224.0.0.0        240.0.0.0         On-link          10.8.0.2    259 
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331 
  255.255.255.255  255.255.255.255         On-link     10.247.29.176    281 
  255.255.255.255  255.255.255.255         On-link          10.8.0.2    259 
=========================================================================== 
Persistent Routes:                                                          
  None                                                                      

And for completeness, with VPN and redirect-gateway,

ipconfig /all

Ethernet adapter VPN:

   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-73-xxxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1d1a:6e1c:e80e:3dcf%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, June 28, 2018 5:50:04 PM
   Lease Expires . . . . . . . . . . : Friday, June 28, 2019 5:50:02 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.254
   DHCPv6 IAID . . . . . . . . . . . : 5039xxxx
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-xxxx
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection
   Physical Address. . . . . . . . . : 2C-FD-A1-xxxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.247.29.176(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Lease Obtained. . . . . . . . . . : Tuesday, June 26, 2018 5:55:10 PM
   Lease Expires . . . . . . . . . . : Friday, June 29, 2018 9:01:01 PM
   Default Gateway . . . . . . . . . : 10.247.28.1
   DHCP Server . . . . . . . . . . . : 10.247.28.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

route print -4

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.247.28.1    10.247.29.176     25
          0.0.0.0        128.0.0.0         10.8.0.1         10.8.0.2     35
         10.8.0.0    255.255.255.0         On-link          10.8.0.2    291
         10.8.0.2  255.255.255.255         On-link          10.8.0.2    291
       10.8.0.255  255.255.255.255         On-link          10.8.0.2    291
      10.247.28.0    255.255.254.0         On-link     10.247.29.176    281
    10.247.29.176  255.255.255.255         On-link     10.247.29.176    281
    10.247.29.255  255.255.255.255         On-link     10.247.29.176    281
     52.49.219.24  255.255.255.255      10.247.28.1    10.247.29.176     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0         10.8.0.1         10.8.0.2     35
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.8.0.2    291
        224.0.0.0        240.0.0.0         On-link     10.247.29.176    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.8.0.2    291
  255.255.255.255  255.255.255.255         On-link     10.247.29.176    281
===========================================================================
Persistent Routes:
  None

Question Credit: seaders
Question Reference
Asked July 11, 2018
Posted Under: Network
10 views
2 Answers

So a friend of mine who's set up a ton of these things, and he recommended me do,

> tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

 1    <1 ms    <1 ms    <1 ms  10.247.28.1
 2     1 ms     1 ms     1 ms  80.169.236.161
 3    <1 ms    <1 ms    <1 ms  80.169.58.193
 4     1 ms     1 ms     1 ms  212.74.69.151
 5    12 ms    12 ms    12 ms  185.6.36.57
 6    12 ms    12 ms    12 ms  216.239.43.3
 7    11 ms    11 ms    11 ms  8.8.8.8

Trace complete.

Then,

> tracert -d 10.8.0.1

Tracing route to 10.8.0.1 over a maximum of 30 hops

 1    13 ms    13 ms    13 ms  10.8.0.1

Trace complete.

Then, on the server,

$ sudo netstat -tunpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      29471/memcached
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      22123/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      22123/sshd
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           17359/openvpn
udp        0      0 0.0.0.0:68              0.0.0.0:*                           966/dhclient

When he saw that, he recognised there was no DNS server on the server, and had me install DNSMasq,

$ sudo apt install dnsmasq

Then netstat on the server looked like this,

$ sudo netstat -tunpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      29471/memcached
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      22123/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      22123/sshd
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           17359/openvpn
udp        0      0 0.0.0.0:68              0.0.0.0:*                           966/dhclient

This still didn't work though, so I re-tried an option I had previously tried (but hadn't worked), on the Windows machine, dhcp-option DNS 10.8.0.1 back into its OpenVPN options... And everything worked.

So now, it's exactly as I wanted, I have the full speed of the office network, but full vpn connectivity as well.

Thanks to @felix-h and @kevin-k for helping me debug this problem, I have a much better understanding of it all now, but for my situation, the issue wasn't completely client-side.


credit: seaders
Answered July 11, 2018

make sure to verify the following things when you remove the redirect-gateway directive:

  1. Check your IP-configuration. Do you get it from the openvpn-server (program)? Or via DHCP from a real DHCP-Server behind the network or statically via your local openvpn config file or static via interface config?
  2. Ensure to NOT get a default gateway ip address from any of the above configurations for the vpn-interface. Windows sometimes has strange behavoirs switching the gateway address to the tunnel interface and then losing connection to the server because the interface changed.
  3. Ensure to NOT get a DNS-server for the tunnel interface if you do not need it.

The easiest option - at least for a test but not very dynamic - would be to statically configure the interface on your Windows 10 client. Only configure ip-address and subnetmask. Try using route PRINT -4 in cmd/powershell to analyze the default gateway right at that moment when you connect and the internet connection stops working.


credit: Felix H
Answered July 11, 2018
Your Answer
D:\Adnan\Candoerz\CandoProject\vQA