

Using OpenVPN For All Network Traffic Except For LAN


Recently I noticed that my Android smartphone was not able to connect to YouTube via third-party apps. I narrowed it down to the issue with it being able to resolve hostnames to the correct IPv6 addresses but not being able to connect to them (somehow the IPv6 part of my internet connection is broken; a problem for a different time).

In order to work around the problem I am using an OpenVPN connection which automatically forces all outgoing connections to use IPv4, not IPv6. The only problem was that internal LAN connections did not work any more.

In the .ovpn configuration file I am using

redirect-gateway local def1

(because it is a WiFi connection), but I was also using

redirect-gateway def1

before that, which did not make any difference in that regard.

If you add a route directive like the following one after the redirect-gateway directive, a route is added to the routing table that sends all traffic for the specified network over the WiFi connection instead of the VPN connection:

redirect-gateway local def1
route net_gateway

You will probably have to adjust the network address and maybe even the subnet mask to match your network.

The routing table is basically a prioritized table which lets the operating system decide which network adapter it should use for a specific connection. With the above entry you add a rule with a higher priority, overriding the generic one(s) from the OpenVPN connection configuration. Those generic rules are added by redirect-gateway def1 and tell the operating system to send all traffic via the virtual VPN network adapter, effectively sending it all over the VPN.
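To make the "prioritized table" concrete, here is a small Python model of what the two directives do to the routing table. This is added example code written for this article, not OpenVPN's own code and not from the original post. It models the documented behaviour: redirect-gateway def1 installs two half-routes (0.0.0.0/1 and 128.0.0.0/1) via the VPN so the existing default route is overridden without being deleted, and route NET MASK net_gateway installs a more specific route via the gateway the client had before the VPN came up. The LAN 192.168.1.0/24, its gateway 192.168.1.1, the VPN gateway 10.8.0.1 and the destination 203.0.113.10 are constructed values for the example (the local flag on redirect-gateway is ignored here because it does not change the routes below).

```python
import ipaddress

# Constructed example values (assumptions for this example, not from the post):
LAN_NET = "192.168.1.0"          # the home LAN that should stay reachable
LAN_MASK = "255.255.255.0"
NET_GATEWAY = "192.168.1.1"      # what OpenVPN substitutes for net_gateway (pre-VPN default gateway)
VPN_GATEWAY = "10.8.0.1"         # what OpenVPN substitutes for vpn_gateway

# The two client-side configurations discussed in the post; the route line
# carries the network and netmask that the post says you must adapt.
WITHOUT_LAN_ROUTE = ["redirect-gateway local def1"]
WITH_LAN_ROUTE = ["redirect-gateway local def1",
                  f"route {LAN_NET} {LAN_MASK} net_gateway"]
# Server side, the same lines would be pushed instead, e.g.
#   push "redirect-gateway def1"
#   push "route 192.168.1.0 255.255.255.0 net_gateway"


def build_routing_table(directives, net_gateway=NET_GATEWAY, vpn_gateway=VPN_GATEWAY):
    """Translate client-side OpenVPN directives into (prefix, gateway, interface) rows.

    The pre-existing default route via the WiFi gateway is kept; 'redirect-gateway ... def1'
    adds 0.0.0.0/1 and 128.0.0.0/1 via the VPN (more specific than /0, so they win without
    touching the original default); 'route NET [MASK] [gateway]' adds an explicit route.
    """
    table = [(ipaddress.ip_network("0.0.0.0/0"), net_gateway, "wifi")]
    for line in directives:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "redirect-gateway" and "def1" in parts[1:]:
            table.append((ipaddress.ip_network("0.0.0.0/1"), vpn_gateway, "tun"))
            table.append((ipaddress.ip_network("128.0.0.0/1"), vpn_gateway, "tun"))
        elif parts[0] == "route":
            net = parts[1]
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"   # OpenVPN default: host route
            gw_token = parts[3] if len(parts) > 3 else "vpn_gateway"   # OpenVPN default gateway
            gateway, iface = (net_gateway, "wifi") if gw_token == "net_gateway" else (vpn_gateway, "tun")
            table.append((ipaddress.ip_network(f"{net}/{mask}", strict=False), gateway, iface))
    return table


def lookup(table, destination):
    """Longest-prefix match: the most specific matching route wins, which is the
    'higher priority' the post describes. Returns the interface the packet leaves on."""
    addr = ipaddress.ip_address(destination)
    best = max((row for row in table if addr in row[0]), key=lambda row: row[0].prefixlen)
    return best[2]


if __name__ == "__main__":
    for name, cfg in (("without LAN route", WITHOUT_LAN_ROUTE), ("with LAN route", WITH_LAN_ROUTE)):
        table = build_routing_table(cfg)
        print(f"{name}: internet host -> {lookup(table, '203.0.113.10')}, "
              f"LAN host -> {lookup(table, '192.168.1.50')}")
```

Running it shows that without the route line the LAN host is sent into the tunnel (and never arrives), while with it only the LAN prefix stays on WiFi and everything else still goes through the VPN. Keep in mind that this is a deliberate split tunnel: traffic to the excluded prefix is no longer protected or inspected by the VPN, so make the prefix as narrow as your LAN actually is.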

If you are configuring this from the OpenVPN server side, of course you can still use these directives, but in the context of the push directive. I am not doing that, however, so I saved both directives in the client configuration.

Now I can watch / listen to YouTube videos with third-party apps AND connect to LAN devices!

I hope this was helpful to you.

Thank you for reading!


OpenVPN on Windows Vista / 7 – Ping says: TTL expired in transit

Hi there!

When I set up my VPN with OpenVPN yesterday, I found out about a little difficulty under Windows Vista and 7. Thankfully it was not that much of a hurdle as the UAC was the reason for this bug just like for a series of other bugs with different software I experimented with over the last few weeks. Nevertheless I hope that this piece of information helps you get rid of the following problem.

If you have set up your VPN and got it running without any major problems, and everything seems to be running just fine (connecting works), but you still can't establish connections to the other machines, you might find that pinging returns the error message "TTL expired in transit". This is due to the fact that Vista (or Windows 7) needs administrator privileges to adjust your computer's settings properly in order to function when you've connected to the VPN successfully. I think it's about the route.exe process, but I'm not 100% sure.

Windows Vista and 7 have the equally famous and infamous UAC (User Account Control), which by default prevents even accounts in the Administrators group from running programs with administrator rights. To grant these rights you have to right-click the program (or program shortcut) and click "Run as administrator" next to the yellow-blue shield, unless the program always requires administrator rights anyway (in which case you'd see the yellow-blue shield in the bottom right corner of the program icon itself and would be asked for administrator privileges automatically when you launch it like any other program).

Please note that the following steps are for on-demand OpenVPN connections. For automatic connections, read further below.

OpenVPN on-demand connection

So what you need to do is launch the connection with UAC. But how do you do that if you usually launch OpenVPN connections with a right-click and "Start OpenVPN on this config file"? Even creating a shortcut to the .ovpn file doesn't give you the "Run as administrator" option.

A simple solution is to create a batch file that simply changes to the work directory and executes the .ovpn file with openvpn.exe.

Example file "ovpn_connection1.bat":

@echo off
rem Switch to the D: drive first; a plain "cd" does not change the current drive
D:
cd \Programs\OpenVPN\config-ondemand\
rem Run openvpn.exe on the connection profile (this window must be started with "Run as administrator")
D:\Programs\OpenVPN\bin\openvpn.exe D:\Programs\OpenVPN\config-ondemand\connection1.ovpn

This batch file has the following parameters/assumptions:

  • Your OpenVPN dir is on the D: partition (otherwise change the drive letter in the respective paths and leave the "D:" line out altogether).
  • The path to your OpenVPN dir is D:\Programs\OpenVPN.
  • Your connection configuration file is located in the config-ondemand subdirectory.

Basically, you just switch to the work directory and execute OpenVPN's openvpn.exe located in its bin dir on the configuration. In a way, this works as a shortcut, but just as an executable batch.

The @echo off part is just so that you won't see the other commands displayed in the window each time you start the connection.

Now you either make a shortcut to this batch file or use it itself.

Whenever you want to start the connection, right-click on it and select "Run as administrator".

Done! Test your ping and it should be fine.

OpenVPN automatic connection

All you need to do is to move the .ovpn configuration file and all the other required files into the config subdirectory of your OpenVPN installation.

When the OpenVPN service (Start => Run => services.msc) is started, it will look for .ovpn files in its config subdirectory and execute them all - with SYSTEM privileges. No UAC circumvention needed.

So just set your OpenVPN service to "Automatic" and you're good to go!

OpenVPN on-demand connection with OpenVPN service

Just do what is described under the "OpenVPN automatic connection" paragraph, except set the service to "Manual" instead of "Automatic".

Now each time you want to launch the connection, you just need to type "net start OpenVPNService". To stop it, type "net stop OpenVPNService".

Note on using connections with the OpenVPN service

As the OpenVPN service feature executes *all* .ovpn configurations in the config subdirectory, there is no way to manually interfere with one particular connection in that directory and, say, disable it briefly. All config-connections are handled as a group by the OpenVPN service.

So if you need independent manual control of a single connection, look at the on-demand section.

I hope this wasn't all too fuzzy with the wordings and such.

Please comment or contact me if you have any questions on this matter.

Thanks for reading!
