"Redirect Internet traffic" - "All" vs. 192.168.1.0/24

choleric

Regular Contributor
I read the policy-based routing article, but have a question.

In terms of the "Redirect Internet traffic" setting for VPN clients, what is the effective difference between:
  • Using "All" and
  • Using "Policy Rules (strict)" with a 192.168.1.0/24 source IP and a 0.0.0.0 destination IP (on the VPN interface)?
Is there any real difference? Does using "All" not "take additional steps to ensure that there aren't any extra routes that could potentially bypass [the VPN] tunnel"?

My goal is for all traffic to go through the VPN. I understand that the aforementioned "Policy Rules (strict)" configuration accomplishes this, but just want to understand.
 

For VPN routing, they are effectively identical in function, but using Policy rules allows you to specify a KILL-switch to block WAN access for 192.168.1.0/24 if the VPN is DOWN.
 
"strict" actually takes extra steps to ensure that no stray route can bypass your rules, by validating the network interfaces used in the rules.
 
Are the following definitions still applicable?
  • Disabled: DNS servers pushed by VPN provided DNS server are ignored.
  • Relaxed: DNS servers pushed by VPN provided DNS server are prepended to the current list of DNS servers, of which any can be used.
  • Strict: DNS servers pushed by the VPN provided DNS server are prepended to the current list of DNS servers, which are used in order (existing DNS servers are only used if VPN provided ones don’t respond).
  • Exclusive: Only the pushed VPN provided DNS servers are used.
 
Yes, however note that we were referring to Policy mode, not DNS mode - they are two different things.
 
Noob question here.

On my OpenVPN Client setup page, the "Redirect Internet traffic" has always been set to NO but I still seem to be connected to the VPN from all the devices on my network. Have I been using this all wrong? :eek: Should the recommended setting be ALL?
 
That is interesting. I will have to see if I can duplicate that behavior when I return home from being on the road. I never tested the behavior of the OpenVPN Client when Redirect Internet Traffic is set to "No".

If you want to route All Traffic, you can set Redirect Internet Traffic to All. However, if you set to Policy Rules Strict, you get the option to block traffic if the OpenVPN tunnel goes down along with the section to add rules.

I highly recommend you read the VPN Client Setup Guide @yorgi wrote as he explains the setting and other OpenVPN settings in detail.
 
Yeah it's very weird. To me, it looks like it could be a UI bug because like I said, every network device checks out using the VPN so it's possible that behind the scenes somewhere, it does default to ALL even though the pop-up menu for "Redirect Internet traffic" says No.

That being said, I did switch the setting to ALL (simply because that's the proper thing to do) and everything seems to be working exactly like how it was when that setting was still at No.

Things that make you go hmmmmm.... :eek:
 
I can confirm that I am experiencing the exact same issue. I've set my OVPN Client in my ac87u to "NO" for redirect internet traffic, but still everything is routed through the VPN.
Generally I would only like to get routed to the VPN when using an internal IP from the other network (coming from 192.168.1.* and when I need to access 10.0.0.*).

any ideas how to fix that?

Thanks in advance
 
Working as @RMerlin designed?:confused:

VPN ISPs will usually push directive 'redirect-gateway def1' to override your WAN 'default' gateway (using a very clever trick which means they don't destroy the existing WAN default gateway;))
Code:
ovpn-client?[nnnn]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,...........
and here are the magic VPN override routes
Code:
ovpn-client?[nnnn]: /usr/sbin/ip route add 0.0.0.0/1 via vpn.xxx.xxx.xxx
ovpn-client?[nnnn]: /usr/sbin/ip route add 128.0.0.0/1 via vpn.xxx.xxx.xxx
Back in 2015!!!!! :eek: I queried What's the point of 'Redirect Internet traffic=NO' ? when surely the acceptance of the WAN overrides should only occur if 'Redirect Internet traffic=ALL' is explicitly set?

Not sure if in 2019 the rationale 'ensures backward compatibility' is still relevant anymore, as the setting is causing confusion either way.



Issue the following command and post the results
Code:
ip route show table main | grep -E "^0\.|^128.|^default"
 
Hello Martineau,

thank you for helping me in those regards - unfortunately I am not a network pro :)
Just some information about that setup - it is not an IP VPN I am using here - it is connecting to another home location so that I can access those services securely over the router without opening a port.

That's the output with the VPN client active:

Code:
ip route show table main | grep -E "^0\.|^128.|^default"
0.0.0.0/1 via 10.8.0.5 dev tun11
128.0.0.0/1 via 10.8.0.5 dev tun11
default via 1.1.1.1 dev eth0 => here is my external ip shown

The router has been assigned the IP address 10.8.0.6.
As far as I understood, now I need to add a route so that I am able to access the internal network behind the VPN (which is 10.0.0.0 - 10.0.0.2544 - gateway is 10.0.0.138).

When I look at those lines - do I just need to add the default gateway of the internal network, which is the "destination"? Or is the last part of the syntax the name of the VPN connection saved in the router?

like this:
ovpn-client?[nnnn]: /usr/sbin/ip route add 0.0.0.0/1 via 10.0.0.138
ovpn-client?[nnnn]: /usr/sbin/ip route add 128.0.0.0/1 via vpn.xxx.xxx.xxx



That's what i also saw in the logfile of the router:
May 19 13:05:50 ovpn-client1[17393]: AEAD Decrypt error: bad packet ID (may be a replay): [ #112262 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Sorry for so many questions.
 
So you want Selective Routing...

Don't use 'Redirect Internet traffic=NO' but select either of the 'Policy Rules'

i.e. Every device on your LAN will be routed via the WAN, except anything destined to your other home location's network.

e.g.




That's what i also saw in the logfile of the router:
May 19 13:05:50 ovpn-client1[17393]: AEAD Decrypt error: bad packet ID (may be a replay): [ #112262 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings.

The above can probably be suppressed from the log, but I would check Syslog for VPN Client 1 to see if there are mismatches reported in the OpenVPN configuration.
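To make the routing behaviour discussed in this thread traceable by hand, here is an added example (not code from this thread, from Asuswrt-Merlin or from OpenVPN): a small POSIX shell model of how Linux picks a route, with longest-prefix match inside one table and an 'ip rule' policy lookup across tables that falls through when a table has no matching route. It covers the three cases above: the 0.0.0.0/1 + 128.0.0.0/1 pair pushed by 'redirect-gateway def1' capturing all Internet traffic even with "Redirect Internet traffic = No", a source-based policy rule with and without a kill switch, and selective routing of only the remote home's 10.0.0.0/24. Everything in it is constructed: the main table mirrors the 'ip route show table main' output posted earlier (1.1.1.1 is that poster's placeholder WAN gateway); 203.0.113.10 stands in for the VPN server, whose host route OpenVPN pins to the pre-existing gateway when it applies 'redirect-gateway def1'; the 'default prohibit' route in the VPN table is one common way to build a kill switch and is not a statement of how Merlin's firmware implements it; the table name ovpnc1, br0 and the sample client addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread, Asuswrt-Merlin or OpenVPN: a model of Linux route
# selection. Two layers:
#   - lookup:       longest-prefix match inside one table ('ip route show table X')
#   - policy_route: 'ip rule' walk over tables, falling through on a miss
# Table and rule contents are constructed (see the lead-in); 203.0.113.10 is an assumed
# VPN server address, 'default prohibit' an assumed kill-switch route.

ip2int() {                              # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
mask_of() { echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )); }   # prefix length -> netmask

# cidr_match CIDR ADDR: true when ADDR lies inside CIDR ('all' matches everything)
cidr_match() {
    [ "$1" = all ] && return 0
    net=${1%/*}; m=$(mask_of "${1#*/}")
    [ $(( $(ip2int "$2") & m )) -eq $(( $(ip2int "$net") & m )) ]
}

# lookup TABLE DST: table lines are "PREFIX DEV VIA"; prints DEV of the longest matching
# prefix ('prohibit' for a prohibit route), prints nothing when no route matches.
lookup() {
    dst=$(ip2int "$2"); best_len=-1; best=
    while read -r prefix dev _via; do
        [ -z "$prefix" ] && continue
        case $prefix in
            default) net=0.0.0.0; plen=0 ;;
            */*)     net=${prefix%/*}; plen=${prefix#*/} ;;
            *)       net=$prefix; plen=32 ;;
        esac
        m=$(mask_of "$plen")
        if [ $(( dst & m )) -eq $(( $(ip2int "$net") & m )) ] && [ "$plen" -gt "$best_len" ]; then
            best_len=$plen; best=$dev
        fi
    done <<EOF
$1
EOF
    echo "$best"
}

# policy_route RULES SRC DST: rule lines are "PRIO FROM TO TABLE" in priority order, like
# 'ip rule show'. Tables are read from shell variables TABLE_<name>. A table without a
# matching route is skipped and the next rule is tried (this is the kill-switch leak).
policy_route() {
    while read -r _prio from to table; do
        [ -z "$_prio" ] && continue
        cidr_match "$from" "$2" || continue
        cidr_match "$to" "$3"   || continue
        eval "tbl=\$TABLE_$table"
        hit=$(lookup "$tbl" "$3")
        [ -n "$hit" ] && { echo "$hit"; return 0; }
    done <<EOF
$1
EOF
    echo unreachable
}

# Constructed tables and rule sets
MAIN_DEF1='0.0.0.0/1 tun11 10.8.0.5
128.0.0.0/1 tun11 10.8.0.5
203.0.113.10/32 eth0 1.1.1.1
default eth0 1.1.1.1'
MAIN_PLAIN='192.168.1.0/24 br0 -
default eth0 1.1.1.1'
RULES_MAIN_ONLY='32766 all all main'
RULES_POLICY='10000 192.168.1.0/24 all ovpnc1
32766 all all main'
RULES_SELECTIVE='10000 192.168.1.0/24 10.0.0.0/24 ovpnc1
32766 all all main'

# scenario NAME SRC DST: loads one configuration and prints the egress device
scenario() {
    case $1 in
        redirect_no)            TABLE_main=$MAIN_DEF1;  rules=$RULES_MAIN_ONLY ;;
        policy_up)              TABLE_main=$MAIN_PLAIN; TABLE_ovpnc1='default tun11 10.8.0.5'; rules=$RULES_POLICY ;;
        policy_down_killswitch) TABLE_main=$MAIN_PLAIN; TABLE_ovpnc1='default prohibit -';     rules=$RULES_POLICY ;;
        policy_down_leak)       TABLE_main=$MAIN_PLAIN; TABLE_ovpnc1='';                        rules=$RULES_POLICY ;;
        selective)              TABLE_main=$MAIN_PLAIN; TABLE_ovpnc1='default tun11 10.8.0.5'; rules=$RULES_SELECTIVE ;;
        *) echo "unknown scenario $1" >&2; return 1 ;;
    esac
    policy_route "$rules" "$2" "$3"
}

for s in redirect_no policy_up policy_down_killswitch policy_down_leak; do
    printf '%-22s 192.168.1.20 -> 8.8.8.8  : %s\n' "$s" "$(scenario "$s" 192.168.1.20 8.8.8.8)"
done   # tun11, tun11, prohibit, eth0 (the leak: no kill switch, tunnel down)
printf '%-22s 192.168.1.20 -> 10.0.0.5 : %s\n' selective "$(scenario selective 192.168.1.20 10.0.0.5)"   # tun11
printf '%-22s 192.168.1.20 -> 8.8.8.8  : %s\n' selective "$(scenario selective 192.168.1.20 8.8.8.8)"    # eth0
```

Run it with `sh model.sh`. The redirect_no case is the behaviour the two posters saw: the two /1 routes are each more specific than `default`, so every Internet destination goes to tun11 while the /32 host route keeps the tunnel's own packets on eth0, which is the "clever trick" that leaves the WAN default gateway intact. The policy_down_leak case is why the kill switch matters: when the VPN table empties because the tunnel went down, the kernel simply falls through to the main table and the WAN. On the router itself the real check remains the `ip route show table main | grep -E "^0\.|^128.|^default"` command given earlier, plus `ip rule show` and `ip route show table <name>` for the policy tables.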
 
Thanks a lot Martineau - it works like a charm now. I really appreciate it. Due to security I now decided to create a longer list of devices which are being allowed to use the VPN tunnel to the other location - so just a couple more entries.

Thanks for your help - up and running now :-D
 
Due to security I now decided to create a longer list of devices which are being allowed to use the VPN tunnel to the other location - so just a couple more entries.
The 192.168.1.0/24 CIDR already covers ALL of your LAN subnet, so creating a 'longer' list doesn't seem to make sense - unless the new additions to the Selective Routing GUI are external to your LAN? :confused:

Do you actually mean you wanted to restrict access to your remote home's network to only a select-few authorised devices on your LAN?
 
After reading yorgi's guide, it mentions setting Accept DNS Configuration to "exclusive"; however, after reading the x3mtek guide, it says to set this option to either strict or disabled so the Diversion script works correctly. From the site: "There are two options available if you want the OpenVPN client to use DNSMASQ when using Policy Rules. This is done by setting “Accept DNS Configuration” to either “Strict” or “Disabled”." Also, my current setup is Redirect Internet traffic = Policy Rules (Strict) due to my setup, but I do have Accept DNS Configuration set to exclusive... do I need to update?
 
@yorgi hasn't been online for nearly a year, so whilst his excellent guide is still valid, a couple of areas are now slightly out of date given the recent technology advancements such as DNS request handling etc.

I assume there is a reason you use a VPN to obfuscate not only your data traffic, but also the DNS requests for sites that provide or receive your data?

So in order to resolve your dilemma, I think the answer to the following may be important

"Q. What matters to you most ?"

A. Ad-Blocking (aka Diversion)
or
B. DNS request encryption / validation (Stubby DoT)
or
C. Both?
Presumably the devices that use your VPN still show ads? - because you're bypassing the router's DNS cache which Diversion is intercepting to filter out the ads.

If you are not bothered about removing ads, are you concerned that you have limited yourself to the 'Exclusive' VPN ISP's DNS servers when you could choose your own DNS preference, yet still be secure in the knowledge that neither your VPN ISP nor your WAN ISP could track the DNS request, nor could the returned result be tampered with to sneakily direct you to phishing sites?

I'd bet my house that the most-voted for choice for 99.9% of the forum members is

C. Both
but does this make your decision easier?
 
Yes exactly, that's why I changed from 192.168.1.0/24 to certain IP addresses to restrict access to a handful of devices. Just in case of any intrusion/malware/security incident I thought that makes sense. Now having 7 devices in the list which can access the network over VPN.
 
