OpenVPN: Cannot connect with --pull-filter ignore redirect-gateway

I am trying to connect to the OpenVPN server. When I run openvpn --config config.ovpn, it connects normally, I have internet access, and connections bound to the TAP adapter can access the internet. When I try openvpn --config config.ovpn --pull-filter ignore redirect-gateway, Windows network connection manager says “No internet connection” on the VPN’s TAP adapter. Using --route-nopull and --route-noexec gives the same result.

I don’t need to route all traffic through OpenVPN, I just need to bind some connections to VPN’s TAP adapter, so I can’t use it without ignoring redirect-gateway.

Why does ignoring the route change break the connection, and how can I make OpenVPN connect normally without changing routes?

Configuration: Free OpenVPN - Free VPN server in Germany (tcp version)

IPv4 routes before connection:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.100      2
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.0.0    255.255.255.0         On-link     192.168.0.100    257
    192.168.0.100  255.255.255.255         On-link     192.168.0.100    257
    192.168.0.255  255.255.255.255         On-link     192.168.0.100    257
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.0.100    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.0.100    257
===========================================================================

IPv4 routes with connection (with --pull-filter ignore redirect-gateway, no internet connection on TAP):

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.100      2
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.0.0    255.255.255.0         On-link     192.168.0.100    257
    192.168.0.100  255.255.255.255         On-link     192.168.0.100    257
    192.168.0.255  255.255.255.255         On-link     192.168.0.100    257
    192.168.244.0    255.255.255.0         On-link   192.168.244.232    281
  192.168.244.232  255.255.255.255         On-link   192.168.244.232    281
  192.168.244.255  255.255.255.255         On-link   192.168.244.232    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link   192.168.244.232    281
        224.0.0.0        240.0.0.0         On-link     192.168.0.100    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link   192.168.244.232    281
  255.255.255.255  255.255.255.255         On-link     192.168.0.100    257
===========================================================================

IPv4 routes with connection (without --pull-filter ignore redirect-gateway, normal internet connection on TAP):

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.100      2
          0.0.0.0        128.0.0.0    192.168.244.1  192.168.244.231     25
     5.154.181.23  255.255.255.255      192.168.0.1    192.168.0.100      1
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0    192.168.244.1  192.168.244.231     25
      192.168.0.0    255.255.255.0         On-link     192.168.0.100    257
    192.168.0.100  255.255.255.255         On-link     192.168.0.100    257
    192.168.0.255  255.255.255.255         On-link     192.168.0.100    257
    192.168.244.0    255.255.255.0         On-link   192.168.244.231    281
  192.168.244.231  255.255.255.255         On-link   192.168.244.231    281
  192.168.244.255  255.255.255.255         On-link   192.168.244.231    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link   192.168.244.231    281
        224.0.0.0        240.0.0.0         On-link     192.168.0.100    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link   192.168.244.231    281
  255.255.255.255  255.255.255.255         On-link     192.168.0.100    257
===========================================================================

You have to change the interface metrics as described in this post.

Add the following options to the OpenVPN client configuration:

pull-filter ignore redirect-gateway
pull-filter ignore "dhcp-option DNS"

Change the interface metrics in PowerShell, like this:

Set-NetIPInterface -InterfaceAlias "Ethernet" -InterfaceMetric "2000" -PolicyStore "PersistentStore"
Set-NetIPInterface -InterfaceAlias "Ethernet" -InterfaceMetric "2000"
Set-NetIPInterface -InterfaceAlias "OpenVPN Wintun" -InterfaceMetric "3000" -PolicyStore "PersistentStore"
Set-NetIPInterface -InterfaceAlias "OpenVPN Wintun" -InterfaceMetric "3000"

Check them:

Get-NetIPInterface | Format-Table -AutoSize

But for what reason can’t I just use --pull-filter ignore redirect-gateway?

The route to a specific address is calculated by combining the metric of the interface and the metric of the network route in the route table.

The option --pull-filter ignore redirect-gateway just tells the client to skip adding the following routes:

0.0.0.0        128.0.0.0    192.168.244.1  192.168.244.231     25
128.0.0.0      128.0.0.0    192.168.244.1  192.168.244.231     25

I’ve forgotten the necessary OpenVPN client options:

route 0.0.0.0 0.0.0.0
route-ipv6 2000::/3

They must be added too.

Please explain what exactly these routes do. I’m not very experienced in network configuration and routing, and I don’t like doing something without knowing what it is for.

These two routes have higher priority than the 0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 2 rule.
The redirect-gateway option allows the interface metric to be ignored.

Why is netmask set to 128.0.0.1?

You mean 128.0.0.0, or /1. Mostly, VPN clients have to split the 0.0.0.0/0 route into two, 0.0.0.0/1 and 128.0.0.0/1, to achieve the VPN's goal (tunneling all client traffic) regardless of the metric settings on the client machine. You should turn this behavior off.

I don’t need to route all traffic through OpenVPN, I just need to bind some connections to VPN’s TAP adapter.

If you follow all the instructions, traffic should be routed via the default gateway of your main interface.

It will look like two rules:

          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.100     2002
          0.0.0.0          0.0.0.0    192.168.244.1  192.168.244.231     3025

Then you can bind outbound connections of specific applications.

Thanks, it works for me without changing the metric (I still don’t understand why I need to set the metric of both interfaces).

Both connections have internet access, and the app that is bound to TAP does too.

Added to config:

pull-filter ignore redirect-gateway
pull-filter ignore "dhcp-option DNS"
route 0.0.0.0 0.0.0.0

Good.

To avoid unknown metric settings in the current Windows configuration. It just prevents metric value fluctuations.

What does the interface metric affect in this case?

I’ve already written:

To gain result like

The lowest value means the highest priority.

Thank you for your answers.

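Added example, not part of any post in the thread: a small Python model of the route selection discussed above (longest prefix first, then lowest metric), run over rows condensed from the posted route tables. The destination 203.0.113.10 is a constructed sample, and treating a socket bound to the TAP adapter as a lookup restricted to that adapter's routes is an assumption of this model.

```python
import ipaddress

LAN, TAP = "192.168.0.100", "192.168.244.231"
DEST = "203.0.113.10"  # constructed sample internet destination

def rt(prefix, gateway, iface, metric):
    return (ipaddress.ip_network(prefix), gateway, iface, metric)

# Rows condensed from the `route print` output in the thread (loopback,
# multicast and broadcast rows omitted; TAP address normalised to .231).
FILTERED = [  # with --pull-filter ignore redirect-gateway
    rt("0.0.0.0/0", "192.168.0.1", LAN, 2),
    rt("192.168.0.0/24", "On-link", LAN, 257),
    rt("192.168.244.0/24", "On-link", TAP, 281),
]
REDIRECTED = FILTERED + [  # redirect-gateway accepted from the server
    rt("0.0.0.0/1", "192.168.244.1", TAP, 25),
    rt("128.0.0.0/1", "192.168.244.1", TAP, 25),
    rt("5.154.181.23/32", "192.168.0.1", LAN, 1),
]
FIXED = [  # the two default routes shown after adding `route 0.0.0.0 0.0.0.0`
    rt("0.0.0.0/0", "192.168.0.1", LAN, 2002),
    rt("0.0.0.0/0", "192.168.244.1", TAP, 3025),
]

def pick(table, dest, bound_iface=None):
    """Return (gateway, interface) chosen for dest, or None if nothing matches."""
    ip = ipaddress.ip_address(dest)
    # Assumption: a bound socket may only use routes on its own interface.
    candidates = [r for r in table
                  if ip in r[0] and bound_iface in (None, r[2])]
    if not candidates:
        return None
    # Longest prefix wins; the metric only breaks ties between equal prefixes.
    _, gw, iface, _ = min(candidates, key=lambda r: (-r[0].prefixlen, r[3]))
    return gw, iface

if __name__ == "__main__":
    for name, table in (("filtered", FILTERED), ("redirected", REDIRECTED),
                        ("fixed", FIXED)):
        print(f"{name:10} unbound -> {pick(table, DEST)}, "
              f"bound to TAP -> {pick(table, DEST, bound_iface=TAP)}")
```

In the filtered table the TAP-bound lookup returns nothing because the adapter only has its on-link /24, which matches the reported “No internet connection”; the extra default route on the TAP adapter gives bound sockets a path while unbound traffic still prefers the LAN gateway.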