I am setting up a server (a VM, to be precise) that runs CentOS 6.4. I have an eth0 adapter on the CentOS machine that has a connection to the Internet (through a bridged network on the host). The eth0 adapter is configured through DHCP. So far, so good.

I also want to have a VPN client running on the server and to have it connect through the tun0 adapter to the Internet. The VPN client connects successfully using OpenVPN. It produces a default route with metric 0.

So, first of all, this is possible, right? Second, as far as I understand, there are 2 ways to go about this: increase the metric of the route that runs through eth0, or decrease the metric of the route that runs through tun0.

I have attempted to do both, but have been unsuccessful so far. I have tried these: adding a METRIC=100 line in /etc/sysconfig/network-scripts/ifcfg-eth0; however, it does not change the metric of the route. I have also tried adding a metric option to the client.conf file for OpenVPN. This also had no effect (I believe this to be due to there being a pull option in this file).

My most radical idea was to manually delete the route for eth0 and replace it with the same route, but with a higher metric. Unfortunately, I cannot do that either, as restarting the network will reset the settings, and having a daemon running that does it all the time doesn't seem like a good solution.

I am open to suggestions and ideas.

Thanks.
Best Answer
So if I understand the problem correctly, then you basically have a computer with an interface set to DHCP, and you want to connect to a VPN and pass all your traffic through the VPN.

You are having problems because when the DHCP server renews the lease, it re-adds the gateway provided by the DHCP server.

I suggest you update your client.conf and replace the redirect-gateway option with redirect-gateway def1. This instructs OpenVPN to add two routes that are more specific than the default gateway instead of removing the pre-existing default gateway and adding a new one.

When you use redirect-gateway def1 you get a route table that looks somewhat like below. Since the most specific matching route is the one that is used, the routes for 0.0.0.0/1 and 128.0.0.0/1 take precedence over the default route, but without the messy business of having to remove/replace the default route. It also removes the requirement that you make sure no other software changes the default route.

If the redirect-gateway setting is not being set in your client.conf, then you may need to also add the route-nopull option to ignore the routes being pulled from the VPN server.
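To make the "most specific matching route wins" reasoning in the answer concrete, here is an added example that is not part of the original answer: a small longest-prefix-match lookup in Python run over a constructed routing table. The table before the VPN holds only the DHCP default route on eth0; the table after redirect-gateway def1 adds the two /1 routes via tun0 plus the host route OpenVPN installs so the tunnel's own packets to the VPN server keep leaving through eth0. All addresses (203.0.113.5 for the VPN server, 192.168.1.1 for the DHCP gateway, 10.8.0.5 for the tun0 peer) are assumptions chosen for illustration.

```python
import ipaddress

# Constructed routing tables (not taken from the page) that mirror the answer:
# eth0 keeps its DHCP-provided default route, and OpenVPN with
# "redirect-gateway def1" adds two /1 routes plus a host route to the server.
# All addresses below are assumptions chosen for illustration.
VPN_SERVER = "203.0.113.5"      # hypothetical public address of the OpenVPN server
LAN_GATEWAY = "192.168.1.1"     # hypothetical gateway learned from DHCP on eth0
VPN_GATEWAY = "10.8.0.5"        # hypothetical peer address on tun0

# Each route: (destination network, gateway or None if directly connected,
#              outgoing interface, metric)
ROUTES_BEFORE = [
    ("0.0.0.0/0", LAN_GATEWAY, "eth0", 0),   # default route from DHCP, untouched
    ("192.168.1.0/24", None, "eth0", 0),     # the LAN itself
]

ROUTES_DEF1 = ROUTES_BEFORE + [
    ("0.0.0.0/1", VPN_GATEWAY, "tun0", 0),   # lower half of IPv4 space via VPN
    ("128.0.0.0/1", VPN_GATEWAY, "tun0", 0), # upper half of IPv4 space via VPN
    (VPN_SERVER + "/32", LAN_GATEWAY, "eth0", 0),  # keep tunnel traffic on eth0
    ("10.8.0.0/24", None, "tun0", 0),        # the tunnel subnet itself
]


def lookup(routes, destination):
    """Return (interface, gateway) chosen for destination.

    Longest prefix wins; on equal prefix length the lower metric wins, which is
    the same ordering the Linux kernel applies to its main routing table.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for net, gw, dev, metric in routes:
        network = ipaddress.ip_network(net)
        if dst not in network:
            continue
        key = (network.prefixlen, -metric)   # higher tuple is more preferred
        if best is None or key > best[0]:
            best = (key, dev, gw)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1], best[2]


def explain(routes, destinations):
    """Map each destination to the interface the table would send it out of."""
    return {d: lookup(routes, d)[0] for d in destinations}


if __name__ == "__main__":
    sample = ["8.8.8.8", "198.51.100.7", VPN_SERVER, "192.168.1.50"]
    print("before VPN:", explain(ROUTES_BEFORE, sample))
    print("with def1: ", explain(ROUTES_DEF1, sample))
```

Because the /1 routes are more specific than 0.0.0.0/0, Internet traffic goes out tun0 even though the DHCP default route is still present with metric 0; when dhclient re-adds that default route on lease renewal, nothing changes, which is exactly why the answer prefers def1 over fighting the metric. The /32 host route is what stops the encrypted tunnel packets themselves from being routed back into the tunnel.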