OpenVPN DNS and Routing Issue
I have been trying to configure an OpenVPN server on my Linode 360. I have configured the server and the client, a Vista laptop. The server starts fine and the client connects to it just fine. However, I can only ping across the tunnel to what I think is the OpenVPN gateway (10.0.0.1). When I use tcpdump to watch tun0, it shows the website and ICMP requests that I am sending. When I attempt to ping websites, the ping fails, as do nslookup, tracert and 4.2.2.2. I have listed my server.conf and client.conf files below. Please help.
client.conf
client
dev tun
proto udp
remote 97.x.x.x 1194
ping 10
resolv-retry infinite
nobind
persist-key
persist-tun
cipher bf-cbc
ca ca1.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
pull
verb 3
route-method exe
route-delay 4
mssfix 1200
ifconfig 10.0.0.6 10.0.0.1
server.conf
dev tun
proto udp
port 1194
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.0.0.0 255.255.255.0
keepalive 10 60
persist-key
persist-tun
cipher BF-CBC
push "redirect-gateway def1"
push "dhcp-option DNS 10.0.0.1"
push "dhcp-option DNS 4.2.2.2"
ifconfig 10.0.0.1 10.0.0.6
client-to-client
comp-lzo
Last week I had to reboot my linode due to a memory crash, and ever since I haven't been able to get openvpn to work. Configs didn't change, iptables routing is set up as per the openvpn howto, and I've had this working for the past 6 months….
I made sure that /proc/sys/net/ipv4/ip_forward is set to 1. I am/was able to ping the internal IP of the other side of my vpn but unable to route out.
server and client configs have not changed for openvpn. They are the same as they had always been…
Here I am using the stock install of Debian 5.0 from Linode.
Step 1:
Create a /dev/net/tun device, since Linode's default install doesn't seem to have it, but tun/tap is compiled into the kernel.
mknod /dev/net/tun c 10 200
Step 2:
Install OpenVPN. In my case on Ubuntu/Debian just:
(sudo or as root) apt-get install openvpn
Step 3:
Set up easy-rsa to create the key system:
(as root) cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
edit the vars file and update variables as needed:
export EASY_RSA="/etc/openvpn/easy-rsa"
export KEY_DIR="../keys"
Step 4:
Create server & keys using easy-rsa:
source ./vars
./clean-all
./build-ca -- Set Common Name to OpenVPN-CA
./build-key-server server -- Set Common Name to server
./build-dh
Step 5:
Create user keys so they can log in:
./build-key client -- Set Common Name to the user's name; each client needs its own cert and key
Here is the breakdown of the key files:
File         Needed By                 Purpose                    Secret
ca.crt       server + all clients      Root CA certificate        NO
ca.key       key signing machine only  Root CA key                YES
dh{n}.pem    server only               Diffie Hellman parameters  NO
server.crt   server only               Server Certificate         NO
server.key   server only               Server Key                 YES
client.crt   client only               Client Certificate         NO
client.key   client only               Client Key                 YES
Simple Server Configuration File: server.conf
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN listen on? (optional)
local 97.107.134.174
# Which TCP/UDP port should OpenVPN listen on?
port 4321
# TCP or UDP server?
proto udp
# Interface type
dev tun
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh keys/dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 10.8.0.0 255.255.255.0" # Push route to allow vpn users to talk to each other (route takes network and netmask, not CIDR).
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 10 # Change as needed; 10 should be fine for all of us small fry
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log /var/log/openvpn.log
log-append /var/log/openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 6
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
Each client will need to have a folder that the OpenVPN client uses. On Windows you can use the OpenVPN-GUI program and make a folder c:/program files/OpenVPN/config/myVPN
In this folder place the user's .crt and .key files as well as the server's ca.crt file along with a myVPN.ovpn configuration file.
(myVPN is a placeholder for whatever name you want)
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
client
dev tun
# Windows might need this (not needed here)
;dev-node MyTap
# Best Choice
proto udp
# Slower fallback to get around restrictive router/firewall/NAT boxes
;proto tcp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote myopenvpn.server.net 4321
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# Update this to your username
ca ca.crt
cert client.crt
key client.key
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
Happy VPNing
You might need to push additional routes to the clients,
push "route 172.16.16.0 255.255.255.0" for instance.
If you want to route all network traffic from clients through the VPN so they get their Internet access from you, you will need to set up NAT masquerading and add a gateway line to the client's config.
Hope this all helps someone.
Also, maybe you need to specify at your client where the DNS is. If your home router is giving you a DNS server at 192.168.0.x, it would never be reached over the tun interface; tell Windows Vista to route that traffic to the local Ethernet, not the tun interface.
best regards, Efuoax
Thanks for your help.
Try adding the following line to the server configuration:
push "redirect-gateway def1"
then do a masquerade with iptables to forward traffic and make all Internet connections look like they came from the VPN server and not the client:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
where eth0 is the port on the server connected to the Internet.
You could also do this via the tun0 interface as the source:
# nat POSTROUTING cannot match -i, so mark packets arriving on tun0 first and NAT by mark
iptables -t mangle -A PREROUTING -i tun0 -j MARK --set-mark 1
iptables -t nat -A POSTROUTING -m mark --mark 1 -o eth0 -j MASQUERADE
They have their advantages and drawbacks, but either one would get the job done.
If you open up a DOS command box and type "route print"
you should see the Windows route table.
You will notice that 0.0.0.0 is still pointing to your normal default GW. Thus nothing is going to the server.
Might need to set the default GW manually.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.26     26
          0.0.0.0        128.0.0.0       172.16.1.5      172.16.1.6     31
       97.107.X.X  255.255.255.255      192.168.1.1     192.168.1.26     26
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    306
        128.0.0.0        128.0.0.0       172.16.1.5      172.16.1.6     31
       172.16.1.0    255.255.255.0       172.16.1.5      172.16.1.6     31
       172.16.1.4  255.255.255.252         On-link       172.16.1.6    286
       172.16.1.6  255.255.255.255         On-link       172.16.1.6    286
       172.16.1.7  255.255.255.255         On-link       172.16.1.6    286
      192.168.1.0    255.255.255.0         On-link     192.168.1.26    281
     192.168.1.26  255.255.255.255         On-link     192.168.1.26    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.26    281
        224.0.0.0        240.0.0.0         On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       172.16.1.6    286
        224.0.0.0        240.0.0.0         On-link     192.168.1.26    281
  255.255.255.255  255.255.255.255         On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       172.16.1.6    286
  255.255.255.255  255.255.255.255         On-link     192.168.1.26    281
===========================================================================
If the route gets pushed, that first line shouldn't have 192.168.1.1 but should have 10.8.0.1 or whatever you're using.
Figured it out here though.
Add "redirect-gateway" to the client config. Worked here.
The Windows OpenVPN client doesn't seem to respond correctly to the server push.
Add to the client config file above:
# Redirect all traffic over VPN?
redirect-gateway
Worked here. (Famous last words)
If you lose all network connectivity, it works; your server NAT/masquerade isn't set up right though.
The network breaking makes me think that it is working, just the server-side routing / NAT / masquerading isn't set up right.
When broken, could you ping your VPN root (10.8.0.1 in my case)?
What does your route table look like when it broke?
And here is my route print:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.26     26
          0.0.0.0        128.0.0.0       172.16.1.5      172.16.1.6     31
   97.107.140.101  255.255.255.255      192.168.1.1     192.168.1.26     26
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    306
        128.0.0.0        128.0.0.0       172.16.1.5      172.16.1.6     31
       172.16.1.0    255.255.255.0       172.16.1.5      172.16.1.6     31
       172.16.1.4  255.255.255.252         On-link       172.16.1.6    286
       172.16.1.6  255.255.255.255         On-link       172.16.1.6    286
       172.16.1.7  255.255.255.255         On-link       172.16.1.6    286
      192.168.1.0    255.255.255.0         On-link     192.168.1.26    281
     192.168.1.26  255.255.255.255         On-link     192.168.1.26    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.26    281
        224.0.0.0        240.0.0.0         On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       172.16.1.6    286
        224.0.0.0        240.0.0.0         On-link     192.168.1.26    281
  255.255.255.255  255.255.255.255         On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       172.16.1.6    286
  255.255.255.255  255.255.255.255         On-link     192.168.1.26    281
===========================================================================
And here is this thing:
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-2F-36-11-DC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7956:6f0:26de:d10%17(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.1.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Lease Obtained. . . . . . . . . . : Wednesday, July 08, 2009 1:17:41 AM
Lease Expires . . . . . . . . . . : Thursday, July 08, 2010 1:17:40 AM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 172.16.1.5
DHCPv6 IAID . . . . . . . . . . . : 385941295
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-02-70-A7-00-1B-24-EA-F7-3
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                    fec0:0:0:ffff::2%1
                                    fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . : local
Description . . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN
Physical Address. . . . . . . . . : 00-1D-E0-35-AA-65
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.26(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, July 07, 2009 7:04:58 PM
Lease Expires . . . . . . . . . . : Wednesday, July 08, 2009 3:04:57 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
Primary WINS Server . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.26 26 <-- all traffic goes to our normal default GW
What it should be if you want all your traffic to go through the VPN:
0.0.0.0 0.0.0.0 172.16.1.0 172.16.1.6 ??
Unless you see that, it's not going to work.
When you made the networking on Vista break, it probably had that as the default route, and Windows would try to send all network traffic to the Linux VPN, which just rejected it all (which made Windows think the networking was broken), but it was not broken.
redirect-gateway should update that first line of the route table.
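Added example, not code from this thread: it parses the Active Routes block of a Vista "route print" (a constructed sample trimmed from the table posted above, with the same gateways and interfaces) and applies the longest-prefix match Windows uses, so you can check whether a pushed default route actually took effect instead of eyeballing the 0.0.0.0 line. It assumes the tun gateway is 172.16.1.5, as in that table.

```python
import ipaddress

# Constructed sample: the Active Routes section of a Vista "route print",
# trimmed from the table posted in the thread (same gateways/interfaces).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.26     26
          0.0.0.0        128.0.0.0       172.16.1.5      172.16.1.6     31
   97.107.140.101  255.255.255.255      192.168.1.1     192.168.1.26     26
        128.0.0.0        128.0.0.0       172.16.1.5      172.16.1.6     31
       172.16.1.0    255.255.255.0       172.16.1.5      172.16.1.6     31
       172.16.1.4  255.255.255.252         On-link       172.16.1.6    286
      192.168.1.0    255.255.255.0         On-link     192.168.1.26    281
"""


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from a route print dump."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip headers, separator lines and blanks: a route row has 5 fields
        # and starts with a dotted-quad destination.
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        dest, mask, gw, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, dest):
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]  # (gateway, interface)


def vpn_is_default(routes, vpn_gw):
    """True when both halves that 'redirect-gateway def1' installs
    (0.0.0.0/1 and 128.0.0.0/1) point at the VPN gateway."""
    halves = {str(r[0]) for r in routes if r[1] == vpn_gw and r[0].prefixlen == 1}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}
```

With the def1 flag, OpenVPN leaves the original 0.0.0.0/0 line alone and adds the two /1 routes via the VPN gateway, which win by prefix length: on this table 4.2.2.2 already goes through the tunnel, 192.168.1.1 stays on the LAN adapter, and a DNS server at 192.168.0.x would be sent into the tunnel, which is the failure described earlier in the thread.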