On Tue, Nov 21, 2017 at 05:46:23PM +0000, Joe wrote: > On Tue, 21 Nov 2017 22:35:24 +0900 > > Look at the --redirect-gateway startup option or (without leading --) > in the config file. The chances are that the default openvpn > configuration does this anyway, as there are two main uses for a VPN, > the remote access that you are using now, and the routing of all > traffic to a trusted network before it gets out unencrypted onto the > Internet. The latter use requires the gateway redirection. > > Have a look at the routing table with and without the VPN open to > check. Also look at the server configuration, which should contain > 'push "route..."' and 'push "redirect-gateway...."' lines. > > See the heading: > "Routing all client traffic (including web-traffic) through the VPN" > > in page > https://openvpn.net/index.php/open-source/documentation/howto.html >
Yep, this looks like what I was after. This actually claims to redirect ALL traffic through the VPN, and hints that this can cause trouble with DHCP, which sounds like a bit of a problem to be frank. Would have thought that would break a lot of networks. But I suppose I might get away with it if the hotel / whatever untrusted WiFi doesn't reassign IP addresses a lot. I just might have to do something on my home network's firewall to stop it attempting to service locally DHCP requests coming through the TUN. > It would also help if you have control of the tablet firewall code. > I've no idea if this is possible on Android. I have multiple iptables > rulesets for my netbook, two of which allow DHCP, web and either ssh > or openvpn out of the wifi interface, and a controlled set over the tun, > with only established and related connections allowed back in. Yes, this part would be necessary to stop the tablet responding to requests coming from the untrusted WiFi network, except maybe necessary things from the access point itself, eg DHCP... Anything coming from anyone else on the untrusted WiFI LAN I'd want to regard with extreme prejudice... I don't know if Android has iptables, but I will dig around to see what it does have. > > But the gateway redirect must be working for the right signals to get > to the right firewall rules. Without control of the firewall, the > redirect will still do most of what you want, but you would be able to > send packets to the local wifi network explicitly. I'm less worried about the tablet being able to send to the untrusted WiFi than I am about the untrusted WiFi being able to send to the tablet. ie if some service I'm unaware of (it's stuffed with Samsung bloatware after all) is listening on the device, I don't want it talking to strangers as it were... Thanks for your reply, sorry I took a while to respond but I was travelling for business. Mark
