add set-default-route=[01] #741
base: master
Conversation
What is the difference between this option and the "--set-routes" option? It looks quite similar to me, so if there is a difference it should at least be made clearer in the help text.
Well, --set-routes does not set any routes. Here we just want to set the routes sent by the server but not the default route. (Use the VPN connection to only access particular machines but not push all the traffic through it.)
Actually, it's not that I want to add particular routes, because I don't know them before connecting to the remote server. Those routes are dynamic on the server side. Therefore, I just wanted to apply them (needing some tweaks when they are specified using the default gateway), and avoid routing all the traffic through the VPN remote end.
Yes, I understand that. Yet if the FortiGate gateway admins have set it up to request all traffic to be directed through the gateway, we do as FortiClient and follow the admins' requests. I'd rather address this as part of #678 - but not in the short term unfortunately.
Oh, ok.
Ah, I don't know, I'm not familiar with this part of the code. If so you have a case :-)
Actually the server can use either default routing mode or split tunnel mode. In default routing mode a default route will be added, whereas in split tunnel mode only the routes pushed by the FortiGate are added. The FortiGate pushes routes to all destinations where accept policies via SSL VPN are configured for this particular account. An alternative to the default route are two routes with netmask /1 ("half internet routes") which can be used on the client side instead of changing the default route.
I think when the FortiGate pushes the default route, it doesn't push any other routes. So, if you are attempting to avoid the default route through the VPN connection, you have to configure routing manually. This would be --no-routes in combination with a pppd-ifup-script i.m.o.
Ability to disable default route for VPN with explicit routing only.
A few fixes to split routes, to avoid routes with 0.0.0.0 as their destination being inaccessible.
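To make the two client-side choices discussed in this thread concrete (skipping the pushed default route, as set-default-route=0 does, versus replacing it with the two /1 "half internet routes" from the split-tunnel comment above), here is an added example that is not part of openfortivpn or of this PR. It assumes pushed routes arrive as "network/prefix" strings, one per line, and takes the ppp interface name and the mode as parameters; the names route_cmds and plan_routes are hypothetical.

```sh
#!/bin/sh
# Added example (not openfortivpn code): turn a list of routes pushed by the
# gateway into `ip route` commands, treating 0.0.0.0/0 according to a mode:
#   set  - install it as the default route (default routing mode)
#   skip - do not touch the host's default route (set-default-route=0)
#   half - add 0.0.0.0/1 and 128.0.0.0/1 instead, which are more specific
#          than the host's default route and so take precedence without
#          replacing it
# Only commands are printed, so the planned changes can be reviewed before
# being piped to sh; nothing here modifies the routing table by itself.

# route_cmds IFACE MODE NET/PREFIX  -> prints the command(s) for one route.
route_cmds() {
    iface="$1"; mode="$2"; net="${3%/*}"; prefix="${3#*/}"
    if [ "$net" = "0.0.0.0" ] && [ "$prefix" = "0" ]; then
        case "$mode" in
            set)  printf 'ip route replace default dev %s\n' "$iface" ;;
            skip) ;;   # leave the existing default route alone
            half) printf 'ip route add 0.0.0.0/1 dev %s\n' "$iface"
                  printf 'ip route add 128.0.0.0/1 dev %s\n' "$iface" ;;
            *)    printf 'unknown mode: %s\n' "$mode" >&2; return 2 ;;
        esac
    else
        # Ordinary split-tunnel route: always routed via the tunnel interface.
        printf 'ip route add %s/%s dev %s\n' "$net" "$prefix" "$iface"
    fi
}

# plan_routes IFACE MODE  <- route list on stdin, one "net/prefix" per line.
plan_routes() {
    while IFS= read -r r; do
        if [ -n "$r" ]; then
            route_cmds "$1" "$2" "$r" || return $?
        fi
    done
}

# Usage with a constructed route list (what a gateway in split-tunnel mode
# plus a default route might push):
#   printf '10.8.0.0/16\n0.0.0.0/0\n' | plan_routes ppp0 half
```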