LinuxQuestions.org
Old 10-19-2022, 01:36 PM   #1
glestwid
Routing with VPN doesn't work, I wonder why?


Hi,

I'm establishing a VPN connection, but it doesn't seem to work like I thought. Here's the resulting routing table and the traceroute output:

Code:
root@porteus:/home/guest# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   1000   0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.0.0     10.8.0.5        255.255.255.0   UG    1000   0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
root@porteus:/home/guest# traceroute www.whatismyipaddress.com
traceroute to www.whatismyipaddress.com (104.16.155.36), 30 hops max, 60 byte packets
 1  home (192.168.1.1)  1.719 ms  3.817 ms  3.892 ms
 2  172.17.1.50 (172.17.1.50)  6.225 ms  6.078 ms  6.031 ms

I tried to specify in my OVPN file route-metric 0 but no luck, all packets are still not using my VPN at all. What should I change to make my VPN interface tun0 to be default and the only interface for all TCP/IP communications on my machine?

Last edited by glestwid; 10-20-2022 at 04:25 PM.
 
Old 10-20-2022, 01:48 PM   #2
sundialsvcs
First of all, please use a "code tag" on the above output to make it monospace (courier) and thus easier to read.

Then, please specify exactly what packets are "not behaving as you expected." What are the IP-addresses that you intend to be targeting? Also, what is the configuration of the server at the other side?
 
Old 10-20-2022, 04:29 PM   #3
glestwid
I expected the site www.whatismyipaddress.com to display my current IP address as if it were the VPN server address from the OVPN file, but it is still showing me my original IP as if there's no VPN connection at all. Regarding the settings on the VPN server side, all I know is that it's a TP-Link router that supports OpenVPN server mode with quite a few settings available on its web GUI. But I used to see this model providing a correct VPN IP address for its clients, so I think there might be a way of tweaking the client's OVPN file to achieve this.
 
Old 10-22-2022, 04:53 PM   #4
xlfs-0.2
1) You aren't secure if your routing table isn't. ipv6 btw "embeds software that can change your route table unless you know how to block it". I still use ipv4 just so I don't have to hack all the "support and software hack possibly malicious payloads in ipv6" actually. But I don't suggest you use VPN for anything except preventing weak attacks (i.e., by neighbor teen gamers).

2) Try routed(1) or some equivalent program that writes the route table for you. TLDP.org used to have ipv4 docs on how to do routing by hand. I think they've "hidden it" and give only ubuntu instructions today - IDK. But it's a lengthy discussion.

It's very simple. The first valid route is where your packet will go (UNLESS THE FIREWALL BLOCKS IT). If you have an erroneous route table then no packet will go anywhere.
 
Old 10-22-2022, 04:56 PM   #5
xlfs-0.2
If you are using "tunneling" to do VPN and doing it by hand I suspect you'll need directions. Few would do that unless providing automated VPN for a new distribution. Maybe you should try installing software that sets it up for you if you're anxious to get it working.
 
Old 10-23-2022, 07:21 PM   #6
sundialsvcs
It's actually very simple: since your stated destination, 104.16.155.36, does not match any of the listed "destinations" as masked by their respective "genmasks," your traffic is simply being routed through the default, which is the first entry, which specifies eth0.

If you actually want all of your network traffic to pass through tun0, then your network routing rules must specify this as the "default route."

To clarify: the very-essential concept of "VPN" is that it presents itself to the rest of the system as "an otherwise-ordinary internet router or (maybe) switch." These devices customarily occupy a particular "non-routable" IP-address range, such as 10.8.0.x, which they use to communicate among themselves. To all of their clients, these addresses serve as "gateways."

Right now, as you are "browsing the internet," your home computer is "talking to the internet" through a "gateway" which is probably "192.168.1.1." And, the "subnet" that is covered by this gateway is ... "everything, everywhere." But, VPNs introduce another "gateway," through which some particular subset of network traffic is (securely ...) diverted. The clients of that gateway neither know nor care that the traffic thus diverted is "secure." Your current routing rules divert only three particular streams of traffic into that secure tunnel.

Last edited by sundialsvcs; 10-23-2022 at 07:40 PM.
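
The lookup discussed in post #6, as an added example that is not part of the original thread: it parses the `route -n` rows from post #1, selects the most specific matching route (longest prefix, then lowest metric) for a destination, and then repeats the lookup with the two /1 routes that OpenVPN's `redirect-gateway def1` option installs. The option is not mentioned in the thread, the gateway 10.8.0.5 is taken from the posted table, and the function names are hypothetical.

```python
import ipaddress

# Routing table rows copied from post #1 (`route -n` output).
ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   1000   0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
192.168.0.0     10.8.0.5        255.255.255.0   UG    1000   0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
"""

def parse_routes(text):
    """Turn `route -n` rows into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[0][0].isdigit():
            continue  # skip the header and blank lines
        # Genmask -> prefix length by counting the set bits.
        prefix = bin(int(ipaddress.ip_address(f[2]))).count("1")
        routes.append((ipaddress.ip_network(f"{f[0]}/{prefix}"), f[1], int(f[4]), f[7]))
    return routes

def lookup(routes, dest):
    """Return the winning route: longest matching prefix, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[2]))

def with_def1(routes, vpn_gw="10.8.0.5", iface="tun0"):
    """Add 0.0.0.0/1 and 128.0.0.0/1 via the tunnel (assumed gateway from the table)."""
    extra = [(ipaddress.ip_network(n), vpn_gw, 0, iface)
             for n in ("0.0.0.0/1", "128.0.0.0/1")]
    return routes + extra

if __name__ == "__main__":
    table = parse_routes(ROUTE_N)
    for dest in ("104.16.155.36", "192.168.0.20", "10.8.0.1"):
        print(dest, "->", lookup(table, dest)[3])
    print("104.16.155.36 with def1 ->", lookup(with_def1(table), "104.16.155.36")[3])
    print("192.168.1.7 with def1 ->", lookup(with_def1(table), "192.168.1.7")[3])
```

The model omits the host route to the VPN server's public address that OpenVPN also adds through the original gateway, since that address does not appear in the thread.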
 
Old 10-24-2022, 09:41 AM   #7
Aeterna
Maybe edit your resolv.conf.
If it lists your ISP nameserver along with the VPN nameserver, then you will see leaks as both connections are active.
 
  

