How to configre routes? E.g. disable replacing the default route

When I connect to the server from my Linux box, Pritunl seems to replace the default route with the new one. How to disable that and configure it properly, so that only work-related link would be routed?

Remove the 0.0.0.0/0 route from the server settings.

I don’t have access to the server settings. How to do it locally?

The Pritunl Client doesn’t provide any option to override this configuration.

Well, that’s too bad. Honestly, I can’t imagine a single scenario when one must route all the traffic via a work VPN.

This option may be included in the next client update. I looked into adding it and it should be simple to get added.

I’m using v1.3.3484.2 of the Pritunl Client on Ubuntun 22.04. I still don’t see an option to disable he default gateway. Was this option added? The GUI version of the client has this option. It would be great to include it in the CLI version.

It isn’t in the CLI but setting it in the GUI client will apply to the CLI client. It can also be set in the configuration file in /var/lib/pritunl ending in .conf. Search for the option disable_gateway and update the value to true. This will require restarting the background service to reload the configuration files.

Thanks. Found the config here:

/var/lib/pritunl-client/profiles

Updated the .conf file the default gateway is disabled now.

Is there a way to have this “Disable Default Gateway” setting set to ON by default when a user first downloads their profile?

We have a use case where we don’t want to default route all traffic for all users, but a small minority of users might need to occasionally route all traffic to make use of some server IP whitelisting.

Bonus feature: It would be nice if admins can set and push this setting as needed on a per user basis. :slight_smile:

It’s unlikely that option will be added. It’s difficult to add features like that, it’s not uncommon for an administrator to accidentally misconfigure those options and report issues with the software.

Hey @zach - There are a ton of things an Admin can do to a working system that could break it. This shouldn’t be a reason not to add an enhancement!

Having a companion client app that works with (and gets configuration information from) a running server is one of the benefits of Pritunl. You’re already pushing all kinds of config info for the client to use, why not add the ability for an Admin to deliver at least a starting configuration of the user adjustable settings.

Our use case is similar to others on this and other threads. We don’t want to route the entire internet over VPN by default, but there are occasions when only our company IPs can access certain third party services (due to whitelisting) and our remote workers need an easy way to “switch on” route-all traffic to connect to these services. It’s not practical to list all the IPs for all our partners and many of them use cloud services with load-balancing that utilize huge lists of IP blocks.

There are two possible enhancement I see to achieve this:

  1. Give admins a way to set the default configurable user options in the client to specific settings (in my case, I’d be looking to have “Disable Default Gateway” set to ON by default, with the user able to adjust it in the future

  2. Have a new client setting that (or reword the existing one for less confusion!) allows users to “Enable Default Routing”. This could be combined with the Server side setting of “Restrict Routing” set to OFF (Admin can turn that server side feature ON if they want to block default routing unless it was part of the server routes already)

Either way, the goal is the same. Don’t route all traffic by default, but give users the ability to if needed.

I’m sure most users have the same bellcurve use case: 80% don’t need route-all, 20% do. This is the use-case I’m after.

Thanks!
-Rob

It’s far better to create two VPN servers one with default gateway routed and one without. A lot of security protections are removed from servers with the 0.0.0.0/0 route. Additionally this will make it more clear to the user when all traffic is being routed.

The restrict routing option should not be disabled unless it is specifically interfering with a customized configuration.

We tried the dual Server config, the problem is we are also using Google SSO. Because of this, we can’t steer the user to the correct server without changing which “org_names” the user is in and we don’t want to have this burden put on our IT dept. We want this to be user selectable.

Is there anyway to have two Google SSO login profiles that can select from two different servers both using the same Google SSO setup?

The same organization can be attached to both servers and the servers could be labeled to indicate which server to connect to.

@zach - I was not aware you could assign the same org to different servers. I now see both profiles in the client and this solves our problem! Thanks for the tip!!

Even if we create second server with 0.0.0.0 , it allows internet BUT also allows access to all other resources which we do not want.