OpenVPN on Windows 10 – Handling VPN Traffic Without Redirect-Gateway Option

My main aim here is for one particular Windows 10 machine to be accessible from anywhere, if you're connected to the VPN. That machine is on a super-fast connection in the office, which reaches a few 100mb download speed, but when fully connected to the VPN (with the default OpenVPN config with redirect-gateway def1 bypass-dhcp), that can drop down as low as 20mb.

On the VPN, the VPN server is 10.8.0.1, this machine is 10.8.0.2, and there will be about 5 other VPN clients on 10.8.0.x. All I want from the VPN is the 10.8.0.x machines have regular, non-VPN connectivity, and can talk to each other.

All connectivity is fine, until I try remove redirect-gateway .... No matter what config I try, without that line, when connected to the VPN, I have no internet connectivity, and DNS timeouts everywhere.

The main option I thought would work to only route VPN traffic through, is route 10.8.0.0 255.255.255.0, and while that does give the machine access to the other machines on the VPN, I still lose internet connectivity.

Do I have things misunderstood? I want all clients to only route VPN traffic through the VPN, and everything else through their regular routes. I thought that was achievable via the removal of redirect-gateway and adding static routes instead.

Output of tracert -d 8.8.8.8 when the VPN is connected, but without redirect-gateway (i.e. no internet connectivity / DNS issue):

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.247.28.1
  2     1 ms     1 ms     1 ms  80.169.236.161
  3    <1 ms    <1 ms    <1 ms  80.169.58.193
  4     1 ms     1 ms     1 ms  212.74.69.151
  5    12 ms    12 ms    12 ms  185.6.36.57
  6    12 ms    12 ms    12 ms  216.239.43.3
  7    11 ms    11 ms    11 ms  8.8.8.8

Trace complete.

No VPN:

ipconfig /all

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection
   Physical Address. . . . . . . . . : 2C-FD-A1-xxxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.247.29.176(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Lease Obtained. . . . . . . . . . : Tuesday, June 26, 2018 5:55:10 PM
   Lease Expires . . . . . . . . . . : Tuesday, July 3, 2018 8:00:57 PM
   Default Gateway . . . . . . . . . : 10.247.28.1
   DHCP Server . . . . . . . . . . . : 10.247.28.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

route print -4

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.247.28.1    10.247.29.176     25
      10.247.28.0    255.255.254.0         On-link     10.247.29.176    281
    10.247.29.176  255.255.255.255         On-link     10.247.29.176    281
    10.247.29.255  255.255.255.255         On-link     10.247.29.176    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     10.247.29.176    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     10.247.29.176    281
===========================================================================
Persistent Routes:
  None

With VPN (without redirect-gateway / broken / no connectivity):

ipconfig /all

Ethernet adapter VPN:

   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-73-xxxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1d1a:6e1c:e80e:3dcf%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, July 3, 2018 10:42:37 AM
   Lease Expires . . . . . . . . . . : Wednesday, July 3, 2019 10:42:36 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.254
   DHCPv6 IAID . . . . . . . . . . . : 5039xxxx
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-xxxx
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection
   Physical Address. . . . . . . . . : 2C-FD-A1-xxxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.247.29.176(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Lease Obtained. . . . . . . . . . : Tuesday, June 26, 2018 5:55:10 PM
   Lease Expires . . . . . . . . . . : Tuesday, July 3, 2018 8:00:56 PM
   Default Gateway . . . . . . . . . : 10.247.28.1
   DHCP Server . . . . . . . . . . . : 10.247.28.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

route print -4

IPv4 Route Table                                                            
=========================================================================== 
Active Routes:                                                              
Network Destination        Netmask          Gateway       Interface  Metric 
          0.0.0.0          0.0.0.0      10.247.28.1    10.247.29.176     25 
         10.8.0.0    255.255.255.0         On-link          10.8.0.2    259 
         10.8.0.2  255.255.255.255         On-link          10.8.0.2    259 
       10.8.0.255  255.255.255.255         On-link          10.8.0.2    259 
      10.247.28.0    255.255.254.0         On-link     10.247.29.176    281 
    10.247.29.176  255.255.255.255         On-link     10.247.29.176    281 
    10.247.29.255  255.255.255.255         On-link     10.247.29.176    281 
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331 
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331 
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331 
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331 
        224.0.0.0        240.0.0.0         On-link     10.247.29.176    281 
        224.0.0.0        240.0.0.0         On-link          10.8.0.2    259 
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331 
  255.255.255.255  255.255.255.255         On-link     10.247.29.176    281 
  255.255.255.255  255.255.255.255         On-link          10.8.0.2    259 
=========================================================================== 
Persistent Routes:                                                          
  None

And for completeness, with VPN and redirect-gateway,

ipconfig /all

Ethernet adapter VPN:

   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-73-xxxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1d1a:6e1c:e80e:3dcf%3(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, June 28, 2018 5:50:04 PM
   Lease Expires . . . . . . . . . . : Friday, June 28, 2019 5:50:02 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.254
   DHCPv6 IAID . . . . . . . . . . . : 5039xxxx
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-xxxx
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Intel(R) I211 Gigabit Network Connection
   Physical Address. . . . . . . . . : 2C-FD-A1-xxxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.247.29.176(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Lease Obtained. . . . . . . . . . : Tuesday, June 26, 2018 5:55:10 PM
   Lease Expires . . . . . . . . . . : Friday, June 29, 2018 9:01:01 PM
   Default Gateway . . . . . . . . . : 10.247.28.1
   DHCP Server . . . . . . . . . . . : 10.247.28.1
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled

route print -4

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.247.28.1    10.247.29.176     25
          0.0.0.0        128.0.0.0         10.8.0.1         10.8.0.2     35
         10.8.0.0    255.255.255.0         On-link          10.8.0.2    291
         10.8.0.2  255.255.255.255         On-link          10.8.0.2    291
       10.8.0.255  255.255.255.255         On-link          10.8.0.2    291
      10.247.28.0    255.255.254.0         On-link     10.247.29.176    281
    10.247.29.176  255.255.255.255         On-link     10.247.29.176    281
    10.247.29.255  255.255.255.255         On-link     10.247.29.176    281
     52.49.219.24  255.255.255.255      10.247.28.1    10.247.29.176     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0         10.8.0.1         10.8.0.2     35
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.8.0.2    291
        224.0.0.0        240.0.0.0         On-link     10.247.29.176    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.8.0.2    291
  255.255.255.255  255.255.255.255         On-link     10.247.29.176    281
===========================================================================
Persistent Routes:
  None

Best Answer

make sure to verify the following things when you remove the redirect-gateway directive:

Check your IP-configuration. Do you get it from the openvpn-server (program)? Or via DHCP from a real DHCP-Server behind the network or statically via your local openvpn config file or static via interface config?
Ensure to NOT get a default gateway ip address from any of the above configurations for the vpn-interface. Windows sometimes has strange behavoirs switching the gateway address to the tunnel interface and then losing connection to the server because the interface changed.
Ensure to NOT get a DNS-server for the tunnel interface if you do not need it.

The easiest option - at least for a test but not very dynamic - would be to statically configure the interface on your Windows 10 client. Only configure ip-address and subnetmask. Try using route PRINT -4 in cmd/powershell to analyze the default gateway right at that moment when you connect and the internet connection stops working.

Best Answer

Related Solutions

Windows Server 2003 VPN and Local network

OpenVPN client on a windows 7, packets not routed

Related Topic