When routes are pushed to a Windows client, there are two methods for adding these routes to the system routing tables: the IPAPI helper functions and the ROUTE.EXE program.
In most cases, the IPAPI method works fine, but sometimes it is necessary to overrule this behavior. In this recipe, we will show how this is done and what to look for in the client log file to verify that the right method has been chosen.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client computer was running Windows 7 SP1 and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks at hand. For the client, keep the configuration file, basic-udp-client.ovpn, from the Using an ifconfig-pool block recipe in Chapter 2, Client-server IP-only Networks at hand.
[root@server]# openvpn --config basic-udp-server.conf
Add the following lines to the basic-udp-client.ovpn configuration file:
verb 5
route-method ipapi
Save it as example9-8.ovpn. Start the OpenVPN client with this configuration.
... C:\WINDOWS\system32\route.exe ADD 10.198.0.0 MASK 255.255.0.0 10.200.0.1
... Route addition via IPAPI succeeded
... Initialization Sequence Completed
Even though the route-method directive was set to ipapi, the log file prints out the path of the Windows route.exe command. The second line shows that the route was actually added using the IPAPI helper functions.
Change the configuration file, example9-8.ovpn, to the following:
verb 5
route-method exe
route.exe command was used. Instead, you will see something similar to this:
... C:\WINDOWS\system32\route.exe ADD 10.198.0.0 MASK 255.255.0.0 10.200.0.1
... env_block: add PATH=C:\Windows\System32;C:\Windows;...
... Initialization Sequence Completed
The line starting with env_block indicates that a set of environment variables was set up prior to launching the external route.exe command.
The route-method directive has three options:
adaptive: First, try the IPAPI method, and fall back to the route.exe method if IPAPI fails. This is the default.
ipapi: Always use the IPAPI helper functions to add routes.
exe: Always use the external program, route.exe.
Based on this directive, the OpenVPN client will choose how to add routes to the Windows routing tables. Note that if OpenVPN cannot add a route, it will not abort the connection. The current OpenVPN GUI does not detect this and will show a green icon in the taskbar, suggesting a fully successful connection.
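A log check for the caveat above, as an added example that is not part of the original recipe: it reads a verb 5 client log, pairs each route.exe ADD line with the IPAPI or env_block line shown in this recipe, and reports routes whose logged method differs from the configured route-method or that have no confirming line at all. The function names, timestamps and sample logs are constructed for illustration.

```python
import re

# Markers taken from the verb 5 log excerpts in this recipe.
ROUTE_ADD = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)", re.IGNORECASE)
IPAPI_OK = "Route addition via IPAPI succeeded"
EXE_ENV = "env_block: add PATH="   # route.exe was launched (not proof it succeeded)
DONE = "Initialization Sequence Completed"

def audit_routes(log_text):
    """Return (routes, completed); each route records the method the log confirms."""
    routes, current, completed = [], None, False
    for line in log_text.splitlines():
        m = ROUTE_ADD.search(line)
        if m:
            current = {"network": m.group(1), "netmask": m.group(2),
                       "gateway": m.group(3), "method": "unconfirmed"}
            routes.append(current)
        elif current and current["method"] == "unconfirmed":
            if IPAPI_OK in line:
                current["method"] = "ipapi"
            elif EXE_ENV in line:
                current["method"] = "exe"
        if DONE in line:
            completed, current = True, None
    return routes, completed

def violations(log_text, expected):
    """Routes whose logged method is not the configured route-method (ipapi or exe)."""
    return [r for r in audit_routes(log_text)[0] if r["method"] != expected]

# Constructed sample logs modelled on the excerpts above (timestamps invented).
ADD = r"Mon Jan 01 10:00:01 2024 C:\WINDOWS\system32\route.exe ADD 10.198.0.0 MASK 255.255.0.0 10.200.0.1"
END = "Mon Jan 01 10:00:01 2024 Initialization Sequence Completed"
IPAPI_LOG = "\n".join([ADD, "Mon Jan 01 10:00:01 2024 Route addition via IPAPI succeeded", END])
EXE_LOG = "\n".join([ADD, r"Mon Jan 01 10:00:01 2024 env_block: add PATH=C:\Windows\System32;C:\Windows", END])
# No confirming line at all: the connection still completes, as the recipe warns.
SILENT_LOG = "\n".join([ADD, END])

if __name__ == "__main__":
    for name, log, expected in [("ipapi", IPAPI_LOG, "ipapi"), ("exe", EXE_LOG, "exe"),
                                ("exe seen, ipapi expected", EXE_LOG, "ipapi"),
                                ("no confirmation", SILENT_LOG, "ipapi")]:
        routes, completed = audit_routes(log)
        bad = violations(log, expected)
        print(f"{name}: completed={completed} routes={len(routes)} violations={bad}")
```

A route reported as unconfirmed alongside a completed initialization is the case the GUI's green icon hides, so the routing table itself should be inspected on the client.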
OpenVPN is preconfigured to look for the route.exe program in the directory where Windows is installed, usually C:\WINDOWS\system32. If Windows is installed in a different directory, the win-sys directive can be used. The win-sys directive has two options:
env, which means that the OpenVPN client will use the contents of the environment variable, windir, to locate the Windows operating system. This environment variable is always set in a normal Windows setup. Starting with OpenVPN 2.3, this is the default setting and a warning message is printed if win-sys env is specified.
D:\WINDOWS. This should be used only if the route.exe program is in a non-standard location.