Solved - Understanding Routing Table with OpenVPN

DD-WRT Forum Forum Index -> Advanced Networking
pksml
DD-WRT Novice


Joined: 09 Dec 2014
Posts: 28

PostPosted: Thu Dec 11, 2014 19:59    Post subject: Solved - Understanding Routing Table with OpenVPN
Network layout: Laptop (OpenVPN client) <-> router with 192.168.1.xxx subnet <-> internet <-> Home router (running DD-WRT with OpenVPN server) with 192.168.11.xxx subnet

  • The VPN server is operating in layer 2 mode (bridge).
  • All of my internet traffic passes through the VPN tunnel.
  • My home router & VPN have an external IP of 68.64.127.82.

  • My laptop (VPN client) has an IP address on the physical LAN of 192.168.1.40.
  • My IP address on the VPN is 192.168.11.50.


Here is my question: What makes all the internet traffic pass through the VPN tunnel?

Code:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.40     20
              0.0.0.0        128.0.0.0     192.168.11.1    192.168.11.50     30


The first line says everything should go the router I'm physically connected to (not the VPN router).

The second line makes no sense to me. The 192.168.11.xxx subnet is on my VPN.
How can you have a 0.0.0.0 destination with a netmask?!?

Question 2: What does the 128.0.0.0 netmask mean with a 0.0.0.0 destination?

Question 3: Why does the second line take priority over the first line?

Thanks for your help!

----------

Here is my full routing table:

Code:

    C:\Users\owner>route print
    ===========================================================================
    Interface List
     19...00 ff 79 ee e1 6b ......TAP-Windows Adapter V9
     10...00 1a 4b 13 d2 92 ......Broadcom NetLink (TM) Gigabit Ethernet
      1...........................Software Loopback Interface 1
    ===========================================================================
   
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.40     20
              0.0.0.0        128.0.0.0     192.168.11.1    192.168.11.50     30
         68.64.127.82  255.255.255.255      192.168.1.1     192.168.1.40     20
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            128.0.0.0        128.0.0.0     192.168.11.1    192.168.11.50     30
          192.168.1.0    255.255.255.0         On-link      192.168.1.40    276
         192.168.1.40  255.255.255.255         On-link      192.168.1.40    276
        192.168.1.255  255.255.255.255         On-link      192.168.1.40    276
         192.168.11.0    255.255.255.0         On-link     192.168.11.50    286
        192.168.11.50  255.255.255.255         On-link     192.168.11.50    286
       192.168.11.255  255.255.255.255         On-link     192.168.11.50    286
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link      192.168.1.40    276
            224.0.0.0        240.0.0.0         On-link     192.168.11.50    286
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link      192.168.1.40    276
      255.255.255.255  255.255.255.255         On-link     192.168.11.50    286
    ===========================================================================


Here is my ipconfig:

Code:
    Windows IP Configuration
   
    Ethernet adapter Local Area Connection 2:
   
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : TAP-Windows Adapter V9
       Physical Address. . . . . . . . . : 00-FF-79-EE-E1-6B
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::c1f8:5d3:e14:dba6%19(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.11.50(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Thursday, December 11, 2014 11:20:53 AM
       Lease Expires . . . . . . . . . . : Friday, December 11, 2015 11:20:53 AM
       Default Gateway . . . . . . . . . :
       DHCP Server . . . . . . . . . . . : 192.168.11.0
       DHCPv6 IAID . . . . . . . . . . . : 520159097
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-A1-5A-F6-00-1A-4B-6B-D2-7C
   
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled
   
    Ethernet adapter Local Area Connection:
   
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
       Physical Address. . . . . . . . . : 00-1A-4B-13-D2-92
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::61c0:c604:f3e5:498%10(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.40(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Thursday, December 11, 2014 11:20:35 AM
       Lease Expires . . . . . . . . . . : Friday, December 12, 2014 11:20:35 AM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 234887755
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-A1-5A-F6-00-1A-4B-13-D2-92
   
       DNS Servers . . . . . . . . . . . : 192.168.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

_________________
Stephen
Need a LitlURL?


http://CodeBin.yi.org


Last edited by pksml on Thu Dec 11, 2014 21:00; edited 2 times in total
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8043

PostPosted: Thu Dec 11, 2014 20:33    Post subject:
It's just a clever hack/trick.

There’s actually TWO important extra routes the VPN adds:

128.0.0.0/128.0.0.0 (covers 0.0.0.0 thru 127.255.255.255)
0.0.0.0/128.0.0.0 (covers 128.0.0.0 thru 255.255.255.255)

The reason this works is because when it comes to routing, a more specific route is always preferred over a more general route. And 0.0.0.0/0.0.0.0 (the default gateway) is as general as it gets. But if we insert the above two routes, the fact they are more specific means one of them will always be chosen before 0.0.0.0/0.0.0.0 since those two routes still cover the entire IP spectrum (0.0.0.0 thru 255.255.255.255).

VPNs do this to avoid messing w/ existing routes. They don’t need to delete anything that was already there, or even examine the routing table. They just add their own routes when the VPN comes up, and remove them when the VPN is shutdown. Simple.
pksml
DD-WRT Novice


Joined: 09 Dec 2014
Posts: 28

PostPosted: Thu Dec 11, 2014 20:53    Post subject:
Gotcha! Makes perfect sense now. I was wondering why a traceroute of IP addresses above 128.0.0.1 still went through the VPN. The 128.0.0.0/1 route entry went right over my head. Thanks for your help yet again eibgrad!
pksml
DD-WRT Novice


Joined: 09 Dec 2014
Posts: 28

PostPosted: Thu Dec 11, 2014 21:23    Post subject:
Related question...

How does Windows process the routing table?
Would it start with the tightest netmask (i.e. from 255.255.255.255 and down) and see which one fits first?

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8043

PostPosted: Thu Dec 11, 2014 21:25    Post subject:
Yes. All routing works the same regardless of platform. A mask of 255.255.255.255 is the complete opposite of 0.0.0.0 in that it is the MOST specific you can get; it defines one specific host.
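Worked example for the two exchanges above (eibgrad's explanation of the two /1 routes, and the question of how Windows walks the table). This is added code, not from the thread or from OpenVPN: it loads the route lines from the `route print` output posted earlier into a small longest-prefix-match simulator and resolves a few destinations against it. The lookup rule it implements (the matching route with the longest prefix wins; metric only breaks ties between routes of equal prefix length) is how IPv4 forwarding works on Windows and Linux alike, and the 0.0.0.0/1 plus 128.0.0.0/1 pair is exactly what OpenVPN's `redirect-gateway def1` option installs on the client. The `covered_range`, `without` and `leaked_destinations` helpers and the probe addresses are my own additions for checking which addresses each route covers and whether anything bypasses the tunnel.

```python
"""Longest-prefix-match walk over the route table from this thread.

Added example: not code from the forum thread or from OpenVPN.  It shows
why the 0.0.0.0/1 and 128.0.0.0/1 routes beat the 0.0.0.0/0 default even
though they carry a worse metric, and what leaks if one of them is missing.
"""
import ipaddress
from dataclasses import dataclass

# Route lines copied from the `route print` output posted above; the
# loopback, multicast and broadcast entries are left out because they
# never match an Internet destination.  Columns are
# destination / netmask / gateway / interface / metric.
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.40     20
          0.0.0.0        128.0.0.0     192.168.11.1    192.168.11.50     30
     68.64.127.82  255.255.255.255      192.168.1.1     192.168.1.40     20
        128.0.0.0        128.0.0.0     192.168.11.1    192.168.11.50     30
      192.168.1.0    255.255.255.0         On-link      192.168.1.40    276
     192.168.11.0    255.255.255.0         On-link     192.168.11.50    286
"""

PHYSICAL_NIC = "192.168.1.40"   # Broadcom NIC address, from the thread
TUNNEL_NIC = "192.168.11.50"    # TAP-Windows adapter address, from the thread


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # next hop, or "On-link" for a directly connected net
    interface: str    # address of the interface the packet leaves on
    metric: int


def parse_routes(text):
    """Turn `route print` lines into Route objects (netmask -> prefix length)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header or separator line
        dest, mask, gateway, iface, metric = fields
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def covered_range(dest, mask):
    """First and last address a destination/netmask pair matches."""
    net = ipaddress.IPv4Network((dest, mask), strict=False)
    return str(net.network_address), str(net.broadcast_address)


def lookup(routes, dst):
    """Pick the route a host would use for dst.

    Every route whose network contains dst is a candidate; the one with the
    longest prefix (tightest netmask) wins.  Metric only matters as a
    tie-break between candidates of the same prefix length, which is why
    the /1 routes (metric 30) beat the /0 default (metric 20).
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def egress(routes, dst):
    """Interface address dst leaves on, or 'unreachable'."""
    route = lookup(routes, dst)
    return route.interface if route else "unreachable"


def without(routes, dest, mask):
    """Copy of the table minus one route, for what-if checks."""
    net = ipaddress.IPv4Network((dest, mask), strict=False)
    return [r for r in routes if r.network != net]


def leaked_destinations(routes, probes, tunnel=TUNNEL_NIC):
    """Probe addresses that would NOT leave through the tunnel.

    With a correct def1 setup the only entry here is the VPN server's own
    public address: its /32 host route must point at the physical gateway,
    otherwise the encrypted packets would be routed into the tunnel they
    are carrying.
    """
    return [p for p in probes if egress(routes, p) != tunnel]


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for dest, mask in (("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")):
        print(f"{dest}/{mask} covers {covered_range(dest, mask)}")
    probes = ["8.8.8.8", "200.1.1.1", "68.64.127.82", "192.168.1.5"]
    for p in probes:
        r = lookup(table, p)
        print(f"{p:>14} -> {r.network!s:<18} via {r.gateway:<12} on {r.interface}")
    print("leaks with full table:", leaked_destinations(table, probes))
    # Drop the upper half and watch everything >= 128.0.0.0 fall back to the
    # physical default route.
    half = without(table, "128.0.0.0", "128.0.0.0")
    print("leaks without 128.0.0.0/1:", leaked_destinations(half, probes))
```

Run it as-is and the order `route print` shows (sorted by destination) becomes irrelevant: the /32 host route to the VPN server wins for 68.64.127.82, the two /1 routes win for every other Internet address, and the on-link /24 routes win for both LANs. Removing 128.0.0.0/1 is the quickest way to see the failure mode: every destination at or above 128.0.0.0 silently falls back to the physical gateway while addresses below it still use the tunnel, which is a leak that is easy to miss from a single test site.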
pksml
DD-WRT Novice


Joined: 09 Dec 2014
Posts: 28

PostPosted: Thu Dec 11, 2014 21:28    Post subject:
Awesome! I feel like I'm starting to get this TCP/IP stuff :)