OpenVPN DNS and Routing Issue

Hi,

I have been trying to configure an OpenVPN server on my Linode 360. I have configured the server and the client, a Vista laptop. The server starts fine and the client connects to it just fine. However, I can only ping across the tunnel to what I think is the OpenVPN gateway (10.0.0.1). When I use tcpdump to watch tun0, it shows the websites and ICMP requests that I am sending. When I attempt to ping websites, the ping fails, as do nslookup, tracert, and 4.2.2.2. I have listed my server.conf and client.conf files below. Please help.

client.conf

client
dev tun
proto udp
remote 97.x.x.x 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
cipher bf-cbc
ca ca1.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
pull
verb 3
route-method exe
route-delay 4
mssfix 1200
ifconfig 10.0.0.6 10.0.0.1

server.conf

dev tun
proto udp
port 1194
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.0.0.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
cipher BF-CBC
push "redirect-gateway def1"
push "dhcp-option DNS 10.0.0.1"
push "dhcp-option DNS 4.2.2.2"
ifconfig 10.0.0.1 10.0.0.6
client-to-client
comp-lzo

24 Replies

Interesting you bring this up. I have the exact same problem….

Last week I had to reboot my linode due to a memory crash, and ever since I haven't been able to get openvpn to work. Configs didn't change, iptables routing is set up as per the openvpn howto, and I've had this working for the past 6 months….

I made sure that /proc/sys/net/ipv4/ip_forward is set to 1. I am/was able to ping the internal IP of the other side of my vpn but unable to route out.

server and client configs have not changed for openvpn. They are the same as they had always been…

Are my .conf files correct? I have never set up OpenVPN without a class C IP before. So I am wondering if I need to push a route, or if I have overlooked something?

OpenVPN configuration is a little weird. But here is the easy way to set up a local Certificate Authority and create self-signed OpenVPN keys for roaming users to connect to you.

Here I am using the stock install of Debian 5.0 from linode.

Step 1:

Create a /dev/net/tun device, since Linode's default install doesn't seem to have it, even though tun/tap is compiled into the kernel.

mknod /dev/net/tun c 10 200

Step 2:

Install OpenVPN. In my case, on Ubuntu/Debian, just:

(sudo or as root) apt-get install openvpn

Step 3:

Set up easy-rsa to create the key system

(as root) cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa

cd /etc/openvpn/easy-rsa

edit the vars file and update variables as needed:

export EASY_RSA="/etc/openvpn/easy-rsa"

export KEY_DIR="../keys"

Step 4:

Create server & keys using easy-rsa:

source ./vars

./clean-all

./build-ca -- Set Common name to OpenVPN-CA

./build-key-server server -- Set Common name to server

./build-dh

Step 5:

Create user keys so they can log in.

./build-key client -- Set Common name to the user's name (run once per user, each with a unique Common Name). Files get output to /etc/openvpn/keys

Here is the breakdown of the key files:

File        Needed By                  Purpose                    Secret
ca.crt      server + all clients       Root CA certificate        NO
ca.key      key signing machine only   Root CA key                YES
dh{n}.pem   server only                Diffie Hellman parameters  NO
server.crt  server only                Server Certificate         NO
server.key  server only                Server Key                 YES
client.crt  client only                Client Certificate         NO
client.key  client only                Client Key                 YES

Simple Server Configuration File: server.conf

#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN listen on? (optional)
local 97.107.134.174

# Which TCP/UDP port should OpenVPN listen on?
port 4321

# TCP or UDP server?
proto udp

# Interface type
dev tun

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys. (1024-bit DH is weak by today's
# standards; prefer 2048 or larger.)
dh keys/dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 10.8.0.0 255.255.255.0"  # Push route to allow vpn users to talk to each other (network and netmask, no CIDR suffix).

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 10  # Change as needed; 10 should be fine for most small setups

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         /var/log/openvpn.log
log-append  /var/log/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

Each client will need a folder that the OpenVPN client uses. On Windows you can use the OpenVPN-GUI program and make a folder c:/program files/OpenVPN/config/myVPN

In this folder place the user's .crt and .key files as well as the server's ca.crt file, along with a myVPN.ovpn configuration file.

(myVPN is a placeholder for whatever name you want)

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

client
dev tun
# Windows thing, might be needed (not needed here)
;dev-node MyTap

# Best Choice
proto udp
# slower fallback to get around broken router/firewall/NAT boxes
;proto tcp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote myopenvpn.server.net 4321

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# Update these to your own user's certificate and key file names
ca ca.crt
cert client.crt
key client.key

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

Happy VPNing :-)

If you use the setup above, or some other setup that gets you basic connectivity via OpenVPN, you can forward the tun0 interface like a NAT or modem to allow access to other networks.

You might need to push additional routes to the clients.

push "route 172.16.16.0 255.255.255.0" for instance.

If you want to route all network traffic from clients through the VPN so they get their internet access from you, you will need to set up NAT masquerading and add a gateway line to the client's config.

Hope this all helps someone..

Thank you. I will give it a try and report back. 8)

Try to check if your Linux box is masquerading your tun traffic … something like sudo iptables -t nat -A POSTROUTING -s ip.ra.n.ge/24 -o eth0 -j MASQUERADE, and check echo 1 > /proc/sys/net/ipv4/ip_forward

Also, maybe you need to specify at your client where the DNS is. If your home router is giving you a DNS server 192.168.0.x, it would never be reached through the tun interface; tell Windows Vista to route that traffic to the local ethernet, not the tun interface.

best regards, Efuoax

I have completely eliminated iptables. IP forward is at 1 and I have followed biovore's instructions. I am still unable to route out and surf the web. Biovore, you mentioned "add a gateway line to the client's config." How can I do that?

Thanks for your help.

You want to redirect all network traffic from the client through the VPN to the VPN server and out to the internet?

Try adding the following line to the server configuration

push "redirect-gateway def1"

then do a masquerade with iptables to forward traffic and make all internet connections look like they came from the VPN server and not the client.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

where eth0 is the port on the server connected to the internet..

You could also do this via the tun0 interface as the source

# POSTROUTING cannot match on -i, so mark tun0 packets on the way in and masquerade on the mark
iptables -t mangle -A PREROUTING -i tun0 -j MARK --set-mark 1
iptables -t nat -A POSTROUTING -m mark --mark 1 -o eth0 -j MASQUERADE

They have their advantages and drawbacks, but either one would get the job done.
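The server side of what biovore describes, as an added example rather than anything posted in the thread: IPv4 forwarding plus masquerade for the tun pool, restricted so that only the pool is NATed and only tunnel-initiated connections are forwarded. It assumes the 10.8.0.0/24 pool from the sample server.conf, tun0 and eth0; the variable names and the VPN_NAT_APPLY switch are my own.

```shell
#!/bin/sh
# Added example, not posted in the thread: IPv4 forwarding plus NAT for the
# OpenVPN pool, done the narrow way. Assumptions: the pool is 10.8.0.0/24
# as in the sample server.conf, the tunnel is tun0 and the Internet-facing
# interface is eth0. Override with environment variables if yours differ.
VPN_NET="${VPN_NET:-10.8.0.0/24}"
TUN_IF="${TUN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"

# Print the iptables commands, one per line, without running anything.
# Only packets sourced from the pool and leaving via the WAN side are
# masqueraded, forwarding is allowed only for connections the tunnel side
# opened (plus their replies), and anything else arriving from the tunnel
# for forwarding is dropped. Widen the FORWARD rules if you also push
# routes to LAN subnets behind the server.
nat_rules() {
  net="$1"; tun="$2"; wan="$3"
  cat <<EOF
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -A FORWARD -i $tun -o $wan -s $net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $tun -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $tun -j DROP
EOF
}

# True when IPv4 forwarding is on. The sysctl file path is a parameter so
# the check can run against a saved copy; it defaults to the live kernel.
ip_forward_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# Apply the rules idempotently: each -A is first tried as a -C check so a
# re-run does not stack duplicate rules. Needs root.
apply_nat() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  nat_rules "$VPN_NET" "$TUN_IF" "$WAN_IF" | while IFS= read -r rule; do
    check=$(printf '%s\n' "$rule" | sed 's/ -A / -C /')
    $check 2>/dev/null || $rule
  done
}

# Only touch the firewall when explicitly asked; sourcing the file for the
# functions (or just reading the generated rules) changes nothing.
if [ "${VPN_NAT_APPLY:-0}" = "1" ]; then
  apply_nat
  ip_forward_enabled && echo "forwarding on, NAT in place for $VPN_NET via $WAN_IF"
else
  nat_rules "$VPN_NET" "$TUN_IF" "$WAN_IF"
fi
```

Run it plain to review the rules it would add; run it as root with VPN_NAT_APPLY=1 to install them.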

Yes I do. I have added push "redirect-gateway def1" in the server.

Is your client windows or linux?

There is a glitch that the default route sometimes doesn't get set on windows.

If you open up a DOS command box and type in "route print"

you should see the Windows route table.

You will notice that 0.0.0.0 is still pointing to your normal default gw. Thus nothing is going to the server.

Might need to set the default GW manually.

This is what mine looks like. I think you are referring to the first line.

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.26     26
          0.0.0.0        128.0.0.0       172.16.1.5       172.16.1.6     31
       97.107.X.X  255.255.255.255      192.168.1.1     192.168.1.26     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0       172.16.1.5       172.16.1.6     31
       172.16.1.0    255.255.255.0       172.16.1.5       172.16.1.6     31
       172.16.1.4  255.255.255.252         On-link        172.16.1.6    286
       172.16.1.6  255.255.255.255         On-link        172.16.1.6    286
       172.16.1.7  255.255.255.255         On-link        172.16.1.6    286
      192.168.1.0    255.255.255.0         On-link      192.168.1.26    281
     192.168.1.26  255.255.255.255         On-link      192.168.1.26    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.26    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        172.16.1.6    286
        224.0.0.0        240.0.0.0         On-link      192.168.1.26    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        172.16.1.6    286
  255.255.255.255  255.255.255.255         On-link      192.168.1.26    281
===========================================================================

Yup, you got it.

If the route gets pushed.. that first line shouldn't have 192.168.1.1 but should have 10.8.0.1 or whatever you're using.

Figured it out here though.

Add "redirect-gateway" to the client config. Worked here.

Windows OpenVPN client doesn't seem to respond correctly to server push.

Add to client config file above:

# Redirect all traffic over VPN?
redirect-gateway

Worked here. (Famous last words)

If you lose all network connectivity, it works; your server NAT/masquerade isn't set up right though.

Yes, the masquerading/Iptables are all off. I added redirect-gateway and I connected, but it broke my Vista networking. So I went to the server and removed push "route 172.16.1.0/24 255.255.255.0" and then reconnected. The networking didn't break, but I still can't surf or ping out to the internet. FWIW, I am using Openvpn 2.1 on Ubuntu 8.10.

Did the default route on the Windows client change to use the VPN network interface and not the 192.168.1.1 one?

Network breaking makes me think that it is working.. just the server side routing / NAT / masquerading isn't set up right..

When broken, could you ping your VPN root (10.8.0.1 in my case)?

What does your route table look like when it broke?

I was able to ping 172.16.1.5.

And here is my route print:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.26     26
          0.0.0.0        128.0.0.0       172.16.1.5       172.16.1.6     31
   97.107.140.101  255.255.255.255      192.168.1.1     192.168.1.26     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0       172.16.1.5       172.16.1.6     31
       172.16.1.0    255.255.255.0       172.16.1.5       172.16.1.6     31
       172.16.1.4  255.255.255.252         On-link        172.16.1.6    286
       172.16.1.6  255.255.255.255         On-link        172.16.1.6    286
       172.16.1.7  255.255.255.255         On-link        172.16.1.6    286
      192.168.1.0    255.255.255.0         On-link      192.168.1.26    281
     192.168.1.26  255.255.255.255         On-link      192.168.1.26    281
    192.168.1.255  255.255.255.255         On-link      192.168.1.26    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        172.16.1.6    286
        224.0.0.0        240.0.0.0         On-link      192.168.1.26    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        172.16.1.6    286
  255.255.255.255  255.255.255.255         On-link      192.168.1.26    281
===========================================================================

And here is this thing:

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V8
   Physical Address. . . . . . . . . : 00-FF-2F-36-11-DC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::7956:6f0:26de:d10%17(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.16.1.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Wednesday, July 08, 2009 1:17:41 AM
   Lease Expires . . . . . . . . . . : Thursday, July 08, 2010 1:17:40 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 172.16.1.5
   DHCPv6 IAID . . . . . . . . . . . : 385941295
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-02-70-A7-00-1B-24-EA-F7-3
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : local
   Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
   Physical Address. . . . . . . . . : 00-1D-E0-35-AA-65
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.26(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, July 07, 2009 7:04:58 PM
   Lease Expires . . . . . . . . . . : Wednesday, July 08, 2009 3:04:57 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   Primary WINS Server . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
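An added check for the route print output above, written here and not posted by anyone in the thread: it reports which gateway actually carries a Windows client's default traffic, treating the two /1 routes that redirect-gateway def1 installs as overriding the untouched 0.0.0.0/0 line. The sample table is cut down from the poster's own output; 172.16.1.5 is the OpenVPN gateway and 192.168.1.1 the home router.

```shell
#!/bin/sh
# Added example, not posted by anyone in the thread: work out from saved
# `route print` output which gateway really carries a Windows client's
# default traffic. OpenVPN installs the redirect in one of two shapes:
#   redirect-gateway       rewrites 0.0.0.0/0.0.0.0 to the VPN gateway
#   redirect-gateway def1  leaves 0.0.0.0/0.0.0.0 alone and adds
#                          0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0 via
#                          the VPN gateway, which win by longest prefix
# so reading only the first 0.0.0.0 line can mislead.

# Print "<effective default gateway> <form>" for a route table on stdin;
# form is def1, default or none.
effective_default_gateway() {
  awk '
    NF >= 5 && $1 == "0.0.0.0" && $2 == "0.0.0.0" {
      if (full == "" || $5 + 0 < fullm) { full = $3; fullm = $5 + 0 }  # lowest metric wins
    }
    NF >= 5 && $1 == "0.0.0.0"   && $2 == "128.0.0.0" { lo = $3 }
    NF >= 5 && $1 == "128.0.0.0" && $2 == "128.0.0.0" { hi = $3 }
    END {
      if (lo != "" && lo == hi) print lo, "def1"
      else if (full != "")      print full, "default"
      else                      print "", "none"
    }'
}

# Exit 0 when default traffic for the table on stdin goes to gateway $1.
vpn_default_route_ok() {
  eff=$(effective_default_gateway | cut -d' ' -f1)
  [ -n "$eff" ] && [ "$eff" = "$1" ]
}

# The relevant rows of the table the original poster pasted above
# (172.16.1.5 is the OpenVPN gateway, 192.168.1.1 the home router).
sample_route_table() {
  cat <<'EOF'
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.26     26
          0.0.0.0        128.0.0.0       172.16.1.5       172.16.1.6     31
    97.107.140.101  255.255.255.255      192.168.1.1     192.168.1.26     26
        128.0.0.0        128.0.0.0       172.16.1.5       172.16.1.6     31
       172.16.1.0    255.255.255.0       172.16.1.5       172.16.1.6     31
      192.168.1.0    255.255.255.0         On-link      192.168.1.26    281
===========================================================================
EOF
}

# The same client before the tunnel comes up: only the LAN default route.
sample_route_table_no_vpn() {
  sample_route_table | grep -v '172\.16\.1\.'
}

echo "tunnel up:   $(sample_route_table | effective_default_gateway)"
echo "tunnel down: $(sample_route_table_no_vpn | effective_default_gateway)"
```

On the pasted table the result is "172.16.1.5 def1", so the Vista client was already sending default traffic into the tunnel; with the client side redirecting, the remaining suspect is the server's forwarding and masquerade, which is what the final post in the thread confirms.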

That looks like it's not working right. The default route should be different.

0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.26 26 <-- all traffic goes to our normal default gw

What it should be if you want all your traffic to go through the VPN:

0.0.0.0 0.0.0.0 172.16.1.0 172.16.1.6 ??

Unless you see that.. it's not going to work..

When you made the networking on Vista break, it probably had that as the default route and Windows would try to send all network traffic to the Linux VPN, which just rejected it all (which made Windows think the networking was broken, but it wasn't)..

I left the VPN tunnel on for several minutes. And it broke my Windows networking. All of my web traffic passes through my proxy server on my LAN. But everything else stops.

Looking at that route table, you've got 2 default routes.. that makes Windows very confused.. That's what the "redirect-gateway" command is supposed to do on the client side.. don't need to have a route defined..

redirect-gateway should update that first line of the route table.

I ran route -f on my Vista, rebooted and then connected to my VPN. The route print still comes up the same. I will tinker with it some more and read up on manually adding routes like you indicated, or just move to PPTP. :?

Problem with PPTP is that Microsoft's implementation is flawed and doesn't really provide a lot of security.. :-/

Well, I went ahead and set up Openvpn through Webmin, and sure enough, I had the same problem as I had mentioned before. However, this time, I setup Squid proxy and now I can access the web through the proxy.

I had to enable masquerade in the iptables. That's what made it work. :?
