All traffic routed over VPN but not wanted

Got a problem with Viscosity or need help? Ask here!

DeadlyEdna

Posts: 1
Joined: Sun Aug 18, 2013 6:22 am

Post by DeadlyEdna » Sun Aug 18, 2013 6:32 am
Hi

I've seen numerous posts about how to route all traffic over a VPN. Unfortunately I seem to have the opposite issue!

I don't want all my network activity to route via the VPN, and I have the checkbox that would do this unticked; however, it appears that all network activity IS routing via Viscosity - my external IP address checked via Google is my VPN IP, not my fixed home IP.

Any ideas what I'm doing wrong would be gladly listened to.

Thanks

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Sun Aug 18, 2013 11:43 am
Hi DeadlyEdna,

The OpenVPN server would be pushing the "redirect-gateway" command, which is overriding Viscosity's "Send all traffic over VPN connection" checkbox. If you are in control of the OpenVPN server the easiest way to stop this is to simply edit your server's OpenVPN config to stop it from pushing the "redirect-gateway" command.

However if you have no control of the OpenVPN server things get a little more tricky. For more information on what you'll need to do please see this post on the forum:
http://www.sparklabs.com/forum/viewtopi ... 1049#p1049

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
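To put James's two options into concrete terms, here is an added example (not Viscosity's, SparkLabs' or OpenVPN's own code) that audits a server config for a pushed "redirect-gateway", comments it out, and prints the client-side override for the case where you do not control the server. The server.conf contents are a constructed sample; the client-side "pull-filter" directive needs OpenVPN 2.4 or newer, and "route-nopull" is the older alternative that discards every pushed route.

```shell
#!/bin/sh
# Find out whether an OpenVPN server forces a default route onto clients, and
# apply the server-side fix or print the client-side override.
# Added example, not SparkLabs' or OpenVPN's code; the config below is a
# constructed sample.

# Print the active push lines that hand clients a redirect-gateway. Lines
# commented out with # or ; do not match, and flags such as "def1" are kept.
redirect_gateway_pushes() {
  grep -E '^[[:space:]]*push[[:space:]]+"?redirect-gateway' "$1" || true
}

# Exit 0 when the server config would override the client's own routing choice
# (Viscosity's "Send all traffic over VPN connection" checkbox).
pushes_default_route() {
  [ -n "$(redirect_gateway_pushes "$1")" ]
}

# Server-side fix: comment the push out in place (a .bak copy is kept), so the
# client's setting decides again. Works with GNU and BSD/macOS sed.
disable_redirect_gateway() {
  sed -E -i.bak 's/^([[:space:]]*push[[:space:]]+"?redirect-gateway)/# \1/' "$1"
}

# Client-side override when you don't control the server. pull-filter (OpenVPN
# 2.4+) drops only the matching pushed option; route-nopull (older versions)
# discards every pushed route, so the routes you do want must be added by hand.
# In Viscosity these go under Advanced > Extra OpenVPN configuration commands.
client_override() {
  if [ "$1" = "legacy" ]; then
    echo 'route-nopull'
  else
    echo 'pull-filter ignore "redirect-gateway"'
  fi
}

# Demo on a constructed server.conf.
conf=$(mktemp)
cat > "$conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
EOF

if pushes_default_route "$conf"; then
  echo "server forces all client traffic through the tunnel:"
  redirect_gateway_pushes "$conf"
  disable_redirect_gateway "$conf"
  pushes_default_route "$conf" || echo "after fix: clients keep their own default route"
fi
echo "client-side alternative: $(client_override)"
echo "pre-2.4 alternative:     $(client_override legacy)"
rm -f "$conf" "$conf.bak"
```

Run it against a copy of your real server.conf by replacing the heredoc with the file path; note that pfSense and other web UIs regenerate the config, so there the checkbox for the redirect-gateway option is the place to change.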

Schmye Bubbula

Posts: 26
Joined: Sun Mar 17, 2013 12:31 pm

Post by Schmye Bubbula » Sun Jun 08, 2014 1:11 pm
^ I've been using the routing table method to tear down my network in case of unexpected disconnection. (I really don't understand it; I just do it blindly, following instructions elsewhere on these forums, and I have an AppleScript to restore my network by simply turning my AirPort card off & back on when I'm ready after every disconnection — purposeful or otherwise.)

Today I tried adding the IP addresses of my incoming & outgoing email servers to my config's Networking section in accordance with your article linked above, "Routing Traffic For Websites & Applications," so that my email will not go over my VPN. (Google Gmail gets all annoyed when your email suddenly switches country locations.) In my Networking and Advanced tabs, left-to-right respectively, it all looks like this:

[Image: screenshot of the Networking and Advanced tabs]

Will this work? If so, does it matter in what order I have the email server addresses and the big guns of the 0.0.0.0 teardown?

How do I test whether my emails send & receive through my regular, non-VPN IP address? (I looked in the email headers and couldn't figure it out.)

It's easy to test whether the network teardown itself works, because I can force a disconnect from my VPN service provider's end (they have a handy command in my account page on their website to disconnect from the VPN server as a test), and when I do that, my network is indeed dead.

Is there a trade-off or incompatibility between using the 0.0.0.0 route/IP Destination & SIGTERM commands to tear down the network and using the traffic routing technique? Can they not be used together? I want the traffic routing for my email program, but if I get an unwanted VPN disconnection, I want my network dead until I'm ready to re-establish it.

Afterthought: I read elsewhere here that the Networking tab's checkbox for "Routing: Send all traffic over VPN connection" can be overridden by the VPN server, so if it does, would that mess up being able to do both of these functions (if they indeed are otherwise compatible)?

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Jun 09, 2014 12:43 am
Hi Schmye Bubbula,
I really don't understand it; I just do it blindly, following instructions elsewhere on these forums
You may like to refer to the following support article which has a greater discussion about the method (along with other techniques and information):
http://www.sparklabs.com/support/preven ... fic_leaks/
Will this work? If so, does it matter in what order I have the email server addresses and the big guns of the 0.0.0.0 teardown?
It should work. You'll most likely still lose access to your mail server once you disconnect however (as the route won't remain active after a disconnect). The order shouldn't matter.

Please also keep in mind that Google has a LOT of mail servers: if you've specified your SMTP server in your email client by address (e.g. smtp.gmail.com) there is no guarantee it will always resolve to the IP address you've entered (in this case 107.14.166.72). You're probably better off searching the Internet for the IP range/s you should use.
How do I test whether my emails send & receive through my regular, non-VPN IP address?
Doing a "route get my.smtp.server.com" from the Terminal will allow you to quickly check what interface is being used while connected. A tunX/tapX interface indicates the VPN connection, while an enX indicates your computer's local network adapter.
Is there a trade-off or incompatibility between using the 0.0.0.0 route/IP Destination & SIGTERM commands to tear down the network and using the traffic routing technique?
No, the behaviour you want should be what occurs.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
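The "route get" check above can be scripted so that every address a mail server name resolves to is tested, which matters for James's point that a name like smtp.gmail.com may resolve to an IP other than the one in the bypass route. The following is an added example, not SparkLabs' code: the "route get" output it parses is a constructed sample in the format macOS prints, the tunnel interface names (tunN, tapN, utunN) are the ones Viscosity and macOS use, and the live check at the end assumes macOS with dig available.

```shell
#!/bin/sh
# Work out whether a host is reached through the VPN tunnel or the LAN adapter
# from macOS "route get" output. Added example, not Viscosity's code.

# Print the interface name from "route get <host>" output read on stdin.
# The relevant line looks like "  interface: en0".
route_get_interface() {
  awk '$1 == "interface:" { print $2; exit }'
}

# Map an interface name to where the traffic goes. Viscosity's tunnel appears
# as tunN/tapN (tun/tap kext) or utunN (newer macOS); enN is Ethernet/Wi-Fi.
classify_interface() {
  case $1 in
    tun[0-9]*|tap[0-9]*|utun[0-9]*) echo vpn ;;
    en[0-9]*)                       echo lan ;;
    lo[0-9]*)                       echo loopback ;;
    *)                              echo unknown ;;
  esac
}

# Live check (macOS only): resolve the name the way the mail client would and
# report the interface for every address, because a single bypass route only
# covers the IP it names.
check_host() {
  host=$1
  for ip in $(dig +short "$host" A); do
    iface=$(route get "$ip" | route_get_interface)
    printf '%s %s -> %s (%s)\n' "$host" "$ip" "$iface" "$(classify_interface "$iface")"
  done
}

# Constructed sample: tunnel up, no bypass route, so the mail server would be
# reached over the VPN.
sample_via_vpn='   route to: 107.14.166.72
destination: default
       mask: default
    gateway: 10.8.0.5
  interface: tun0
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>'

# Constructed sample: a host route for 107.14.166.72 via the LAN gateway is in
# place, which is what the Networking-tab entry should produce while connected.
sample_via_lan='   route to: 107.14.166.72
destination: 107.14.166.72
    gateway: 192.168.1.1
  interface: en0
      flags: <UP,GATEWAY,HOST,DONE,STATIC>'

for sample in "$sample_via_vpn" "$sample_via_lan"; do
  iface=$(printf '%s\n' "$sample" | route_get_interface)
  echo "interface $iface -> $(classify_interface "$iface")"
done
# On a Mac with the VPN connected: check_host smtp.gmail.com
```

Run check_host while connected and again after the tunnel drops: once the connection is gone the bypass route disappears with it, which is why James expects mail access to be lost after a disconnect.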

Schmye Bubbula

Posts: 26
Joined: Sun Mar 17, 2013 12:31 pm

Post by Schmye Bubbula » Mon Jun 09, 2014 3:24 am
Wow, thanks for such a helpful response, James!
Just three more questions:

• I don't suppose we could enter the URL address into our config's Networking section, e.g., smtp.gmail.com? If it wouldn't resolve, any chance of adding that to a future version of Viscosity? That would solve so many problems!

• What about this afterthought?: I read elsewhere here that the Networking tab's checkbox for "Routing: Send all traffic over VPN connection" can be overridden by the VPN server, so if I had mine unchecked as in my image above, but the VPN server handshaking overrode it to force sending all traffic over the VPN, would that mess up being able to separate out both of these routing functions?

• Do I understand correctly that if I make sure that all four Persist Options are unchecked in the config's Options tab, then I don't need to enter the "remap-usr1 SIGTERM" in the config's Advanced tab > Extra OpenVPN configuration commands? Any disadvantage to doing it that way?

Thanks again!

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Mon Jun 09, 2014 11:21 pm
Hi Schmye Bubbula,
I don't suppose we could enter the URL address into our config's Networking section, e.g., smtp.gmail.com?
Yes, you can enter a DNS address into the Route/IP field, and OpenVPN will resolve it when you connect. However for services like Gmail where the DNS setup is highly complex (resolves to different IPs depending on your location, load balancing, high availability, etc.) there is no guarantee that OpenVPN and your email client will end up using the same SMTP server IP address.
but the VPN server handshaking overrode it to force sending all traffic over the VPN, would that mess-up being able to separate-out both of these routing functions?
No, it shouldn't cause any problems for your setup.
Do I understand correctly that if I make sure that all four Persist Options are unchecked in the config's Options tab, then I don't need to enter the "remap-usr1 SIGTERM" in the config's Advanced tab > Extra OpenVPN configuration commands? Any disadvantage to doing it that way?
Not quite: a SIGTERM triggers a full disconnect of a connection: OpenVPN won't try to reconnect. Unticking the persist options without the SIGTERM will still cause OpenVPN to perform a reconnect, however it will fail because of your routing trick. Using the SIGTERM approach will give you smoother behaviour, however they'll both have a similar end result.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

Schmye Bubbula

Posts: 26
Joined: Sun Mar 17, 2013 12:31 pm

Post by Schmye Bubbula » Sun Jul 20, 2014 9:08 am
James, in the image within my above post which displays encircled in red one of the IP addresses of my incoming & outgoing email servers I entered into my Viscosity config's Networking section that I wished to bypass the VPN connection, I show the mask set to 255.255.255.255. Isn't that wrong? Shouldn't it be 255.255.255.0? I don't know why I set it that way (and I don't know how you didn't catch it if it's indeed wrong), but I think that the only reason I didn't notice it until today while reviewing this thread is that I must have told Google GMail before I set all this up to allow the Norway IP address location whose VPN server I always use, so by sheer coincidence I never got any more flags from Google when my config didn't work, passing my email through the VPN. Just want to make sure that I had made an error and the subnet mask really needs to be 255.255.255.0, as your instructions say (pointed-to elsewhere in this thread).

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Sun Jul 20, 2014 1:40 pm
Hi Schmye Bubbula,

A netmask of "255.255.255.255" is correct in this instance, as you only want to route that single IP address. If you wanted to route all addresses from 107.14.166.1-107.14.166.254 you would need to set a netmask of "255.255.255.0" (and also have the IP as "107.14.166.0" rather than 107.14.166.72).

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
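The netmask point in James's reply (a /32 is a host route; with 255.255.255.0 the address must be the network address 107.14.166.0) is easy to get wrong when typing routes into the Networking tab, so here is an added example, not SparkLabs' or OpenVPN's code, that validates a bypass route before it is used and prints the equivalent OpenVPN "route" directive. The addresses are the ones from this thread; "net_gateway" is OpenVPN's keyword for the pre-VPN default gateway, which is what sends the destination over the physical adapter instead of the tunnel.

```shell
#!/bin/sh
# Validate a VPN bypass route (IP + dotted-quad netmask) the way OpenVPN will
# interpret it. Added example, not SparkLabs' or OpenVPN's own code.

# Split a dotted quad into the positional parameters $1..$4.
split_quad() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -ge 0 ] && [ "$o" -le 255 ] || return 1; done
  echo "$1 $2 $3 $4"
}

# Print the network address for an IP and netmask, e.g.
# 107.14.166.72 255.255.255.0 -> 107.14.166.0
network_address() {
  set -- $(split_quad "$1") $(split_quad "$2")
  printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# Prefix length of a netmask: 255.255.255.0 -> 24, 255.255.255.255 -> 32.
mask_prefix() {
  bits=0
  for o in $(split_quad "$1"); do
    n=$o
    while [ "$n" -gt 0 ]; do bits=$((bits + (n & 1))); n=$((n >> 1)); done
  done
  echo "$bits"
}

# A netmask is valid only if its one bits are contiguous from the left:
# the inverted mask plus one must be a power of two.
mask_is_valid() {
  set -- $(split_quad "$1") || return 1
  m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  inv=$(( m ^ 4294967295 ))
  [ $(( inv & (inv + 1) )) -eq 0 ]
}

# Succeed when the IP is the network address for the mask, i.e. no host bits
# are set. 107.14.166.72 with 255.255.255.0 fails; with 255.255.255.255 it is
# a plain host route and passes.
route_is_aligned() {
  [ "$(network_address "$1" "$2")" = "$1" ]
}

# Print the OpenVPN directive for the bypass route, refusing malformed input.
bypass_route_directive() {
  if ! mask_is_valid "$2"; then
    echo "invalid netmask: $2" >&2; return 1
  fi
  if ! route_is_aligned "$1" "$2"; then
    echo "$1 is not the network address for /$(mask_prefix "$2"); use $(network_address "$1" "$2")" >&2
    return 1
  fi
  echo "route $1 $2 net_gateway"
}

# Demo with the addresses from the thread.
bypass_route_directive 107.14.166.72 255.255.255.255   # single host: accepted
bypass_route_directive 107.14.166.72 255.255.255.0 || echo "rejected, as expected"
bypass_route_directive 107.14.166.0  255.255.255.0     # whole /24: accepted
```

In Viscosity's Networking tab the same three fields (IP, netmask, gateway) are entered in the UI; the script only checks that what you type means what you think before the route is installed.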

mpick92

Posts: 1
Joined: Sun Apr 10, 2016 8:23 am

Post by mpick92 » Sun Apr 10, 2016 8:37 am
This tip helped me out! My OpenVPN server is running on pfsense (very easy to set up), and all I had to do was uncheck "Redirect Gateway - Force all client generated traffic through the tunnel."