Route table operations performed by openvpn.

Discussion in 'Linux Networking' started by Hongyi Zhao, Apr 2, 2015.

  1. Hongyi Zhao

    Hongyi Zhao Guest

    Hi all,

    I use openvpn to connect to the vpn server.
    When it is successfully done, I note the following route operations done by
    openvpn automatically:

    route add -net netmask gw
    route add -net netmask gw
    route add -net netmask gw

    I can't figure out the following issues on the above commands:

    1- Does the execution order of these commands matter or not?

    2- I understand the first command is a host route table entry. But I
    can't figure out the meaning of the other two commands performed by
    openvpn. Any hints?

    Hongyi Zhao, Apr 2, 2015

  2. Hongyi Zhao

    detha Guest

    The first one creates a route to what is presumably your VPN server, so
    the encrypted packets always know where to go.

    The last two effectively create a default route for all traffic to go
    through the tunnel. Instead of doing a
    'route add -net mask gw'
    which would fight with the default route you already have installed, it
    splits it into two (slightly) more specifics. Because they are more
    specific, they take preference over your original default route.

    It is done this way so the original default route can be left in place,
    instead of the 'remove current default route, remember what it was,
    install a new one' because 1) remembering the original one is a pain, and
    2) should openvpn crash (and not have a chance to put the original
    default route back in place), it would leave the system in an unusable

    detha, Apr 2, 2015

  3. Hongyi Zhao

    Hongyi Zhao Guest

    This should mean that all of the source requests/packages from the
    client side will be routed to the Will it also fight
    with the route added by the first command or not?
    How to know they are more specific than the original routes
    installed on my box?

    Following are the original routes for my case:

    [email protected]:~$ ip route
    default via dev eth0 proto static
    dev eth0 proto kernel scope link src

    Hongyi Zhao, Apr 2, 2015
  4. Hongyi Zhao

    detha Guest

    The first command adds a host route (a /32), so that only applies to
    packets to that particular host. The two /1 routes cover all others.
    The 'default' label is shorthand for The new routes added are and Since a /1 is more specific than a /0, the /1
    routes will be chosen for anything not in (since the /24 is
    more specific for that)
    detha, Apr 4, 2015
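
The longest-prefix selection described in the reply above, as an added example that is not part of the original thread. All addresses are constructed (LAN 192.168.1.0/24 on eth0, VPN server 203.0.113.10, tunnel gateway 10.8.0.1 on tun0); the thread's own addresses are not preserved on this page.

```python
import ipaddress

# Constructed table: (prefix, gateway, device). All addresses are made up.
ROUTES = [
    ("0.0.0.0/0",       "192.168.1.1", "eth0"),  # original default route
    ("192.168.1.0/24",  None,          "eth0"),  # directly connected LAN
    ("203.0.113.10/32", "192.168.1.1", "eth0"),  # host route to the VPN server
    ("0.0.0.0/1",       "10.8.0.1",    "tun0"),  # lower half of IPv4 space
    ("128.0.0.0/1",     "10.8.0.1",    "tun0"),  # upper half of IPv4 space
]

def lookup(dst, routes=ROUTES):
    """Return (network, gateway, device) of the longest matching prefix, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        # Selection depends only on prefix length, not on position in the table.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best

def egress_dev(dst, routes=ROUTES):
    """Device a packet to dst would leave on."""
    hit = lookup(dst, routes)
    return hit[2] if hit else None

def halves_cover_default():
    """The two /1 prefixes together span exactly 0.0.0.0/0."""
    halves = [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]
    return list(ipaddress.collapse_addresses(halves)) == [ipaddress.ip_network("0.0.0.0/0")]

def without_dev(dev, routes=ROUTES):
    """Model the tunnel device disappearing: routes bound to it go with it."""
    return [r for r in routes if r[2] != dev]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "198.51.100.7", "192.168.1.50", "203.0.113.10"):
        net, gw, dev = lookup(dst)
        print(f"{dst:15} -> {str(net):18} via {gw or 'link'} dev {dev}")
    print("after tun0 is gone:", egress_dev("8.8.8.8", without_dev("tun0")))
```

In this model, traffic to the local /24 and to the VPN server itself still leaves on eth0 outside the tunnel, which is worth checking when the intent is that nothing bypasses the VPN.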
  5. Hongyi Zhao

    Hongyi Zhao Guest

    Got it, thanks a lot.

    Hongyi Zhao, Apr 4, 2015