Hi @Hank21, 

Thanks for the reply! 

I did. I also compared the new .ovpn with the one generated when the Full Mode was enabled, and the only difference where the keys. 

Kind regards! 

  @ispeaknousa Why are you using your local mask as 16 bits and for VPN mask is 24 bits, running in the same network addresses/segments?

Hi @ObiWanKenobi,

I'd like that all VPN ips to be in 192.168.1.*, but the VPN clients should be able to access both 192.168.0.* and 192.168.1.* .

Kind regards!

  @ispeaknousa IMO the mask should be 24 (192.168.0.1/24 192.168.0.0/24), and reach networks via NAT/Firewall and not via mask.

Hi @ObiWanKenobi ,

Well, I'm still in the designated "private network" allocation, so that shouldn't be a problem (I can confirm that clients can access desired resources).
The issue I'm facing is that the clients do cross into internet through VPN.

Kind regards!

  @ispeaknousa 

Hi there, try to manually edit the .ovpn file, search for option

redirect-gateway def1

and put an hash before text, like #redirect-gateway def1

save and import the modified .ovpn file on client.

Hi @Liuck1975,

Unfortunately I don't have the option.
This is the .ovpn config (until the certificates part):

client
dev tun
proto udp
float
nobind
cipher AES-128-CBC
comp-lzo no
resolv-retry infinite
remote-cert-tls server
persist-key
auth-user-pass
remote <IP> 1194

Kind regards!

ispeaknousa wrote

Hi @Liuck1975,

 

Unfortunately I don't have the option.
This is the .ovpn config (until the certificates part):

 

client
dev tun
proto udp
float
nobind
cipher AES-128-CBC
comp-lzo no
resolv-retry infinite
remote-cert-tls server
persist-key
auth-user-pass
remote <IP> 1194

 

Kind regards!

  @ispeaknousa 

I found on the openvpn site the following instruction that could be useful for your scope:

Method 2: ignore

There are 2 options that can be used to ignore routes pushed by the server:

--route-noexec 
 Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables. 

--route-nopull 
 When used with --client or --pull, accept options pushed by server EXCEPT for routes and dhcp options like DNS servers. 
 When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note

You can give it a chance!!! :)

Hi @Liuck1975,

Thank you very much for the options, but my problem is not necessarily of being routed on my PC (I'm on Linux and can configure which traffic to go where), but on every other device (mobile phone, relative's hardware) the options should also be set.

This fix would be only client-side for a server-side issue. The fact is that the server routes traffic outside the network even if it shouldn't. That's what I want to stop from happening (both from client configuration convenience and security perspective).

I'm kind of hoping to get a confirmation if it's a firmware issue, or if someone has it working on ER605 v2.0 in which case it's my router's issue. 

Kind regards!