OpenVPN routing issue


Posted on Sat Apr 06, 2013 9:58 pm

Hi all, originally posted this to the openvpn.net forums, but I wanted to see if any network gurus here could give me some pointers.

When I connect from my laptop to the DD-WRT OpenVPN server from my internal network to the hostname "my.dynamic.dns.name", which resolves to (say) my.external.ip, I can only "partially" connect (all the certificate stuff works, and port forwarding 1194 is enabled).

I cannot ping the 192.168.1.1 (router) address when connected.
I can ping external IP addresses (i.e. Google's 8.8.8.8 DNS server) when connected.
I cannot resolve internet host names when connected (whether with DNS set to an external server like OpenDNS or my ISP's, or the internal router at 192.168.1.1).

When I connect to the OpenVPN server at address 192.168.1.1 instead of my.external.ip, everything works fine, and I can resolve host names and surf the net.

It seems like a routing issue: when I'm connecting via the external IP, the VPN does not seem to route correctly or resolve hostnames. Google and man pages aren't helping, any ideas?
============
client.conf, running OpenVPN 2.3.1 i686-pc-linux-gnu, debian 6, kernel 3.7.1
remote my.dynamic.dns.name 1194
#same result with remote my.external.ip 1194
client
remote-cert-tls server
comp-lzo
#verb 4 - when needed
dev tun0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem

server.conf, running OpenVPN 2.3.0, DD-WRT v24-sp2 (03/17/13) mega - build 20979
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
key /tmp/openvpn/key.pem
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 208.67.222.222" #cause i like opendns
server 192.168.2.0 255.255.255.0
duplicate-cn
tls-server
push "redirect-gateway"
script-security 2
verb 5
dev tun0
proto udp
keepalive 60 180
port 1194
comp-lzo
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001 #DD-wrt specific

Firewall on the DD-WRT router; note port forwarding for port 1194 on UDP is enabled for 192.168.1.1
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 -s 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o vlan2 -j MASQUERADE #vlan2 is the "internet" interface in this case

client log upon connection:
Sat Apr 6 11:51:31 2013 us=439751 Current Parameter Settings:
Sat Apr 6 11:51:31 2013 us=439871 config = 'config.ovpn'
Sat Apr 6 11:51:31 2013 us=439891 mode = 0
Sat Apr 6 11:51:31 2013 us=439908 persist_config = DISABLED
Sat Apr 6 11:51:31 2013 us=439924 persist_mode = 1
Sat Apr 6 11:51:31 2013 us=439940 show_ciphers = DISABLED
Sat Apr 6 11:51:31 2013 us=439956 show_digests = DISABLED
Sat Apr 6 11:51:31 2013 us=439972 show_engines = DISABLED
Sat Apr 6 11:51:31 2013 us=439988 genkey = DISABLED
Sat Apr 6 11:51:31 2013 us=440004 key_pass_file = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=440020 show_tls_ciphers = DISABLED
Sat Apr 6 11:51:31 2013 us=440035 Connection profiles [default]:
Sat Apr 6 11:51:31 2013 us=440052 proto = udp
Sat Apr 6 11:51:31 2013 us=440068 local = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=440084 local_port = 0
Sat Apr 6 11:51:31 2013 us=440100 remote = 'my.dynamic.dns.name'
Sat Apr 6 11:51:31 2013 us=440117 remote_port = 1194
Sat Apr 6 11:51:31 2013 us=440135 remote_float = ENABLED
Sat Apr 6 11:51:31 2013 us=440150 bind_defined = DISABLED
Sat Apr 6 11:51:31 2013 us=440166 bind_local = DISABLED
Sat Apr 6 11:51:31 2013 us=440182 connect_retry_seconds = 5
Sat Apr 6 11:51:31 2013 us=440199 connect_timeout = 10
Sat Apr 6 11:51:31 2013 us=440215 connect_retry_max = 0
Sat Apr 6 11:51:31 2013 us=440231 socks_proxy_server = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=440249 socks_proxy_port = 0
Sat Apr 6 11:51:31 2013 us=440264 socks_proxy_retry = DISABLED
Sat Apr 6 11:51:31 2013 us=440280 tun_mtu = 1500
Sat Apr 6 11:51:31 2013 us=440295 tun_mtu_defined = ENABLED
Sat Apr 6 11:51:31 2013 us=440311 link_mtu = 1500
Sat Apr 6 11:51:31 2013 us=440327 link_mtu_defined = DISABLED
Sat Apr 6 11:51:31 2013 us=440342 tun_mtu_extra = 0
Sat Apr 6 11:51:31 2013 us=440359 tun_mtu_extra_defined = DISABLED
Sat Apr 6 11:51:31 2013 us=440375 mtu_discover_type = -1
Sat Apr 6 11:51:31 2013 us=440391 fragment = 0
Sat Apr 6 11:51:31 2013 us=440407 mssfix = 1450
Sat Apr 6 11:51:31 2013 us=440423 explicit_exit_notification = 0
Sat Apr 6 11:51:31 2013 us=440468 Connection profiles END
Sat Apr 6 11:51:31 2013 us=440490 remote_random = DISABLED
Sat Apr 6 11:51:31 2013 us=440506 ipchange = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=440521 dev = 'tun0'
Sat Apr 6 11:51:31 2013 us=440538 dev_type = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=440554 dev_node = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=440569 lladdr = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=440587 topology = 1
Sat Apr 6 11:51:31 2013 us=440602 tun_ipv6 = DISABLED
Sat Apr 6 11:51:31 2013 us=440618 ifconfig_local = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=440635 ifconfig_remote_netmask = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=440651 ifconfig_noexec = DISABLED
Sat Apr 6 11:51:31 2013 us=440667 ifconfig_nowarn = DISABLED
Sat Apr 6 11:51:31 2013 us=440683 ifconfig_ipv6_local = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=440700 ifconfig_ipv6_netbits = 0
Sat Apr 6 11:51:31 2013 us=440715 ifconfig_ipv6_remote = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=440731 shaper = 0
Sat Apr 6 11:51:31 2013 us=440747 mtu_test = 0
Sat Apr 6 11:51:31 2013 us=440762 mlock = DISABLED
Sat Apr 6 11:51:31 2013 us=440779 keepalive_ping = 0
Sat Apr 6 11:51:31 2013 us=440795 keepalive_timeout = 0
Sat Apr 6 11:51:31 2013 us=440811 inactivity_timeout = 0
Sat Apr 6 11:51:31 2013 us=440827 ping_send_timeout = 0
Sat Apr 6 11:51:31 2013 us=440843 ping_rec_timeout = 0
Sat Apr 6 11:51:31 2013 us=440859 ping_rec_timeout_action = 0
Sat Apr 6 11:51:31 2013 us=440875 ping_timer_remote = DISABLED
Sat Apr 6 11:51:31 2013 us=440891 remap_sigusr1 = 0
Sat Apr 6 11:51:31 2013 us=440906 persist_tun = ENABLED
Sat Apr 6 11:51:31 2013 us=440922 persist_local_ip = DISABLED
Sat Apr 6 11:51:31 2013 us=440938 persist_remote_ip = DISABLED
Sat Apr 6 11:51:31 2013 us=440954 persist_key = ENABLED
Sat Apr 6 11:51:31 2013 us=440970 passtos = DISABLED
Sat Apr 6 11:51:31 2013 us=440986 resolve_retry_seconds = 1000000000
Sat Apr 6 11:51:31 2013 us=441012 username = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441028 groupname = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441043 chroot_dir = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441059 cd_dir = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441075 writepid = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441090 up_script = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441106 down_script = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441122 down_pre = DISABLED
Sat Apr 6 11:51:31 2013 us=441137 up_restart = DISABLED
Sat Apr 6 11:51:31 2013 us=441153 up_delay = DISABLED
Sat Apr 6 11:51:31 2013 us=441168 daemon = DISABLED
Sat Apr 6 11:51:31 2013 us=441184 inetd = 0
Sat Apr 6 11:51:31 2013 us=441199 log = ENABLED
Sat Apr 6 11:51:31 2013 us=441215 suppress_timestamps = DISABLED
Sat Apr 6 11:51:31 2013 us=441231 nice = 0
Sat Apr 6 11:51:31 2013 us=441246 verbosity = 4
Sat Apr 6 11:51:31 2013 us=441262 mute = 0
Sat Apr 6 11:51:31 2013 us=441278 gremlin = 0
Sat Apr 6 11:51:31 2013 us=441294 status_file = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441309 status_file_version = 1
Sat Apr 6 11:51:31 2013 us=441325 status_file_update_freq = 60
Sat Apr 6 11:51:31 2013 us=441341 occ = ENABLED
Sat Apr 6 11:51:31 2013 us=441356 rcvbuf = 65536
Sat Apr 6 11:51:31 2013 us=441372 sndbuf = 65536
Sat Apr 6 11:51:31 2013 us=441388 mark = 0
Sat Apr 6 11:51:31 2013 us=441403 sockflags = 0
Sat Apr 6 11:51:31 2013 us=441419 fast_io = DISABLED
Sat Apr 6 11:51:31 2013 us=441435 lzo = 7
Sat Apr 6 11:51:31 2013 us=441451 route_script = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441469 route_default_gateway = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441486 route_default_metric = 0
Sat Apr 6 11:51:31 2013 us=441502 route_noexec = DISABLED
Sat Apr 6 11:51:31 2013 us=441518 route_delay = 0
Sat Apr 6 11:51:31 2013 us=441534 route_delay_window = 30
Sat Apr 6 11:51:31 2013 us=441551 route_delay_defined = DISABLED
Sat Apr 6 11:51:31 2013 us=441567 route_nopull = DISABLED
Sat Apr 6 11:51:31 2013 us=441583 route_gateway_via_dhcp = DISABLED
Sat Apr 6 11:51:31 2013 us=441600 max_routes = 100
Sat Apr 6 11:51:31 2013 us=441616 allow_pull_fqdn = DISABLED
Sat Apr 6 11:51:31 2013 us=441633 management_addr = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441650 management_port = 0
Sat Apr 6 11:51:31 2013 us=441665 management_user_pass = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441682 management_log_history_cache = 250
Sat Apr 6 11:51:31 2013 us=441701 management_echo_buffer_size = 100
Sat Apr 6 11:51:31 2013 us=441718 management_write_peer_info_file = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441735 management_client_user = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441751 management_client_group = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441768 management_flags = 0
Sat Apr 6 11:51:31 2013 us=441784 shared_secret_file = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=441800 key_direction = 0
Sat Apr 6 11:51:31 2013 us=441816 ciphername_defined = ENABLED
Sat Apr 6 11:51:31 2013 us=441833 ciphername = 'AES-256-CBC'
Sat Apr 6 11:51:31 2013 us=441850 authname_defined = ENABLED
Sat Apr 6 11:51:31 2013 us=441865 authname = 'SHA512'
Sat Apr 6 11:51:31 2013 us=441882 prng_hash = 'SHA1'
Sat Apr 6 11:51:31 2013 us=441898 prng_nonce_secret_len = 16
Sat Apr 6 11:51:31 2013 us=441915 keysize = 0
Sat Apr 6 11:51:31 2013 us=441931 engine = DISABLED
Sat Apr 6 11:51:31 2013 us=441948 replay = ENABLED
Sat Apr 6 11:51:31 2013 us=441964 mute_replay_warnings = DISABLED
Sat Apr 6 11:51:31 2013 us=441981 replay_window = 64
Sat Apr 6 11:51:31 2013 us=441996 replay_time = 15
Sat Apr 6 11:51:31 2013 us=442013 packet_id_file = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=442029 use_iv = ENABLED
Sat Apr 6 11:51:31 2013 us=442046 test_crypto = DISABLED
Sat Apr 6 11:51:31 2013 us=442062 tls_server = DISABLED
Sat Apr 6 11:51:31 2013 us=442079 tls_client = ENABLED
Sat Apr 6 11:51:31 2013 us=442095 key_method = 2
Sat Apr 6 11:51:31 2013 us=442112 ca_file = '[[INLINE]]'
Sat Apr 6 11:51:31 2013 us=442136 ca_path = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=442153 dh_file = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=442169 cert_file = '[[INLINE]]'
Sat Apr 6 11:51:31 2013 us=442186 priv_key_file = '[[INLINE]]'
Sat Apr 6 11:51:31 2013 us=442202 pkcs12_file = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=442218 cipher_list = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=442234 tls_verify = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=442250 tls_export_cert = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=442267 verify_x509_type = 0
Sat Apr 6 11:51:31 2013 us=442283 verify_x509_name = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=442299 crl_file = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=442315 ns_cert_type = 0
Sat Apr 6 11:51:31 2013 us=442332 remote_cert_ku[i] = 160
Sat Apr 6 11:51:31 2013 us=442348 remote_cert_ku[i] = 136
Sat Apr 6 11:51:31 2013 us=442364 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442380 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442397 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442412 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442429 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442444 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442461 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442476 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442492 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442508 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442524 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442540 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442557 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442573 remote_cert_ku[i] = 0
Sat Apr 6 11:51:31 2013 us=442590 remote_cert_eku = 'TLS Web Server Authentication'
Sat Apr 6 11:51:31 2013 us=442606 ssl_flags = 0
Sat Apr 6 11:51:31 2013 us=442623 tls_timeout = 2
Sat Apr 6 11:51:31 2013 us=442639 renegotiate_bytes = 0
Sat Apr 6 11:51:31 2013 us=442656 renegotiate_packets = 0
Sat Apr 6 11:51:31 2013 us=442671 renegotiate_seconds = 3600
Sat Apr 6 11:51:31 2013 us=442688 handshake_window = 60
Sat Apr 6 11:51:31 2013 us=442704 transition_window = 3600
Sat Apr 6 11:51:31 2013 us=442721 single_session = DISABLED
Sat Apr 6 11:51:31 2013 us=442737 push_peer_info = DISABLED
Sat Apr 6 11:51:31 2013 us=442753 tls_exit = DISABLED
Sat Apr 6 11:51:31 2013 us=442769 tls_auth_file = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=442799 server_network = 0.0.0.0
Sat Apr 6 11:51:31 2013 us=442818 server_netmask = 0.0.0.0
Sat Apr 6 11:51:31 2013 us=442838 server_network_ipv6 = ::
Sat Apr 6 11:51:31 2013 us=442856 server_netbits_ipv6 = 0
Sat Apr 6 11:51:31 2013 us=442874 server_bridge_ip = 0.0.0.0
Sat Apr 6 11:51:31 2013 us=442893 server_bridge_netmask = 0.0.0.0
Sat Apr 6 11:51:31 2013 us=442911 server_bridge_pool_start = 0.0.0.0
Sat Apr 6 11:51:31 2013 us=442930 server_bridge_pool_end = 0.0.0.0
Sat Apr 6 11:51:31 2013 us=442947 ifconfig_pool_defined = DISABLED
Sat Apr 6 11:51:31 2013 us=442964 ifconfig_pool_start = 0.0.0.0
Sat Apr 6 11:51:31 2013 us=442982 ifconfig_pool_end = 0.0.0.0
Sat Apr 6 11:51:31 2013 us=443001 ifconfig_pool_netmask = 0.0.0.0
Sat Apr 6 11:51:31 2013 us=443018 ifconfig_pool_persist_filename = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=443034 ifconfig_pool_persist_refresh_freq = 600
Sat Apr 6 11:51:31 2013 us=443051 ifconfig_ipv6_pool_defined = DISABLED
Sat Apr 6 11:51:31 2013 us=443069 ifconfig_ipv6_pool_base = ::
Sat Apr 6 11:51:31 2013 us=443085 ifconfig_ipv6_pool_netbits = 0
Sat Apr 6 11:51:31 2013 us=443101 n_bcast_buf = 256
Sat Apr 6 11:51:31 2013 us=443117 tcp_queue_limit = 64
Sat Apr 6 11:51:31 2013 us=443133 real_hash_size = 256
Sat Apr 6 11:51:31 2013 us=443150 virtual_hash_size = 256
Sat Apr 6 11:51:31 2013 us=443166 client_connect_script = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=443182 learn_address_script = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=443198 client_disconnect_script = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=443214 client_config_dir = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=443238 ccd_exclusive = DISABLED
Sat Apr 6 11:51:31 2013 us=443255 tmp_dir = '/tmp'
Sat Apr 6 11:51:31 2013 us=443272 push_ifconfig_defined = DISABLED
Sat Apr 6 11:51:31 2013 us=443290 push_ifconfig_local = 0.0.0.0
Sat Apr 6 11:51:31 2013 us=443309 push_ifconfig_remote_netmask = 0.0.0.0
Sat Apr 6 11:51:31 2013 us=443326 push_ifconfig_ipv6_defined = DISABLED
Sat Apr 6 11:51:31 2013 us=443344 push_ifconfig_ipv6_local = ::/0
Sat Apr 6 11:51:31 2013 us=443361 push_ifconfig_ipv6_remote = ::
Sat Apr 6 11:51:31 2013 us=443377 enable_c2c = DISABLED
Sat Apr 6 11:51:31 2013 us=443395 duplicate_cn = DISABLED
Sat Apr 6 11:51:31 2013 us=443411 cf_max = 0
Sat Apr 6 11:51:31 2013 us=443427 cf_per = 0
Sat Apr 6 11:51:31 2013 us=443444 max_clients = 1024
Sat Apr 6 11:51:31 2013 us=443460 max_routes_per_client = 256
Sat Apr 6 11:51:31 2013 us=443477 auth_user_pass_verify_script = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=443493 auth_user_pass_verify_script_via_file = DISABLED
Sat Apr 6 11:51:31 2013 us=443509 port_share_host = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=443526 port_share_port = 0
Sat Apr 6 11:51:31 2013 us=443542 client = ENABLED
Sat Apr 6 11:51:31 2013 us=443559 pull = ENABLED
Sat Apr 6 11:51:31 2013 us=443575 auth_user_pass_file = '[UNDEF]'
Sat Apr 6 11:51:31 2013 us=443597 OpenVPN 2.3.1 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on ...
Sat Apr 6 11:51:31 2013 us=443681 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat Apr 6 11:51:31 2013 us=444569 LZO compression initialized
Sat Apr 6 11:51:31 2013 us=444763 Control Channel MTU parms [ L:1602 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Apr 6 11:51:31 2013 us=444836 Socket Buffers: R=[196608->131072] S=[196608->131072]
Sat Apr 6 11:51:31 2013 us=456956 Data Channel MTU parms [ L:1602 D:1450 EF:102 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Apr 6 11:51:31 2013 us=457039 Local Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Sat Apr 6 11:51:31 2013 us=457057 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Sat Apr 6 11:51:31 2013 us=457108 Local Options hash (VER=V4): '9c102b00'
Sat Apr 6 11:51:31 2013 us=457136 Expected Remote Options hash (VER=V4): 'aaa173e3'
Sat Apr 6 11:51:31 2013 us=457166 UDPv4 link local: [undef]
Sat Apr 6 11:51:31 2013 us=457187 UDPv4 link remote: [AF_INET]ip.address:1194
Sat Apr 6 11:51:31 2013 us=467319 TLS: Initial packet from [AF_INET]ip.address:1194, sid=725397de 1cce474a
Sat Apr 6 11:51:37 2013 us=651372 VERIFY OK: depth=1, CN=Server, emailAddress: =yep
Sat Apr 6 11:51:37 2013 us=653817 Validating certificate key usage
Sat Apr 6 11:51:37 2013 us=653877 ++ Certificate has key usage 00a0, expects 00a0
Sat Apr 6 11:51:37 2013 us=653896 VERIFY KU OK
Sat Apr 6 11:51:37 2013 us=653919 Validating certificate extended key usage
Sat Apr 6 11:51:37 2013 us=653940 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Apr 6 11:51:37 2013 us=653957 VERIFY EKU OK
Sat Apr 6 11:51:37 2013 us=653974 VERIFY OK: depth=0, CN=Server, emailAddress=yep
Sat Apr 6 11:51:43 2013 us=466985 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Apr 6 11:51:43 2013 us=467064 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Apr 6 11:51:43 2013 us=467085 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Apr 6 11:51:43 2013 us=467108 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Apr 6 11:51:43 2013 us=467228 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Sat Apr 6 11:51:43 2013 us=467311 [Server] Peer Connection Initiated with [AF_INET]external.ip:1194
Sat Apr 6 11:51:45 2013 us=924527 SENT CONTROL [Server]: 'PUSH_REQUEST' (status=1)
Sat Apr 6 11:51:45 2013 us=928423 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 208.67.222.222,redirect-gateway,route 192.168.2.1,topology net30,ping 60,ping-restart 180,ifconfig 192.168.2.6 192.168.2.5'
Sat Apr 6 11:51:45 2013 us=928630 OPTIONS IMPORT: timers and/or timeouts modified
Sat Apr 6 11:51:45 2013 us=928654 OPTIONS IMPORT: --ifconfig/up options modified
Sat Apr 6 11:51:45 2013 us=928670 OPTIONS IMPORT: route options modified
Sat Apr 6 11:51:45 2013 us=928685 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Apr 6 11:51:45 2013 us=928939 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlan0 HWADDR=...
Sat Apr 6 11:51:45 2013 us=929325 TUN/TAP device tun0 opened
Sat Apr 6 11:51:45 2013 us=929805 TUN/TAP TX queue length set to 100
Sat Apr 6 11:51:45 2013 us=929899 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Apr 6 11:51:45 2013 us=929971 /sbin/ifconfig tun0 192.168.2.6 pointopoint 192.168.2.5 mtu 1500
Sat Apr 6 11:51:45 2013 us=935815 /sbin/route add -net ip.address netmask 255.255.255.255 gw 192.168.1.1
Sat Apr 6 11:51:45 2013 us=940410 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Sat Apr 6 11:51:45 2013 us=945438 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.2.5
Sat Apr 6 11:51:45 2013 us=948881 /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.5
Sat Apr 6 11:51:45 2013 us=950405 /sbin/route add -net 192.168.2.1 netmask 255.255.255.255 gw 192.168.2.5
Sat Apr 6 11:51:45 2013 us=951898 Initialization Sequence Completed
Last edited by ShadowEyez on Sun Apr 07, 2013 12:49 am, edited 1 time in total.
ShadowEyez

Re: OpenVPN routing issue

Posted on Sat Apr 06, 2013 10:06 pm

Lots of data there that it is too late for me to analyze in detail. :o

However: I am a long-time OpenVPN user and let me ask you a question that might be related to your routing issue:

1. What is the subnet of the *local* LAN where the client is sitting (e.g. your home network if you are logging into a server at work).
2. What is the subnet of the *server* LAN where the server is sitting (e.g. your work network).
3. Is the subnet of the local LAN == the server LAN? If the answer is yes, that could very easily be the source of your routing error. Basically, when you kick on the tunnel you have two subnets that are colliding together with the same address space and packets are getting dropped (ignore the 10.8.0.0 subnet, that only exists in the VPN setup).

[EDIT: If I am reading your above post right, then points 1-3 are your problem. Easy solution: Tweak the subnet of your client/home LAN to be something other than 192.168.1.0/24. For example, make it 192.168.7.0/24 and you'll avoid the collision. Make sure to have all PCs on your home LAN reacquire new IPs]

4. If the answer to points 1 - 3 above is NO, then the next step is to make sure your server network is properly setup to do packet forwarding from the virtual 10.8.0.0 addresses assigned to your VPN clients into the real LAN where you want the packets to end up. I've done this under Linux, and things to watch out for are:
a. Making sure packet forwarding and proper packet forwarding rules are actually activated on the Linux server box. Watch out! Many Linux systems disable packet forwarding by default as a security measure and you need to turn it back on.
b. Making sure that your router in the server network has a static route to push the forwarded packets from the VPN server host to the other hosts on the network you want to reach. A corollary of this point is that any necessary holes need to be open in internal firewalls if any are present.

Hope that helps!
chuckula
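A route-table model of the client log in the first post, added here as an example (it is not the poster's code or anything from OpenVPN): it rebuilds the client's routes from the quoted PUSH_REPLY the same way the log's /sbin/route lines do, reports which gateway and interface each destination (the VPN endpoint, 8.8.8.8, the pushed DNS server, the router 192.168.1.1) would leave through, and checks chuckula's points 1-3 by flagging pushed routes that overlap the client's own LAN. The endpoint address 203.0.113.10 stands in for the redacted "ip.address", and the LAN gateway and interface arguments are constructed inputs.

```python
import ipaddress

# Constructed sample input, copied from the client log quoted in the thread.
# The real VPN endpoint is redacted there as "ip.address"; 203.0.113.10
# (a documentation address) stands in for it.
VPN_ENDPOINT = "203.0.113.10"
PUSH_REPLY = ("PUSH_REPLY,route 192.168.1.0 255.255.255.0,"
              "dhcp-option DNS 208.67.222.222,redirect-gateway,route 192.168.2.1,"
              "topology net30,ping 60,ping-restart 180,ifconfig 192.168.2.6 192.168.2.5")


def parse_push_reply(reply):
    """Split a PUSH_REPLY into (routes, dns_servers, (tun_local, tun_remote), redirect)."""
    routes, dns, ifconfig, redirect = [], [], None, False
    for opt in reply.split(",")[1:]:
        parts = opt.split()
        if parts[0] == "route":
            # "route 192.168.2.1" without a mask is a host route
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            routes.append(ipaddress.ip_network(f"{parts[1]}/{mask}"))
        elif parts[0] == "dhcp-option" and parts[1] == "DNS":
            dns.append(parts[2])
        elif parts[0] == "redirect-gateway":
            redirect = True
        elif parts[0] == "ifconfig":
            ifconfig = (parts[1], parts[2])
    return routes, dns, ifconfig, redirect


def build_table(reply, endpoint, client_lan, lan_gw, lan_iface="wlan0"):
    """Rebuild the client's route table the way the log's /sbin/route calls do.
    Entries are (network, gateway-or-None, interface)."""
    routes, dns, (_, tun_remote), redirect = parse_push_reply(reply)
    client_lan = ipaddress.ip_network(client_lan)
    table = [(client_lan, None, lan_iface)]          # connected route for the local LAN
    if redirect:
        # a host route keeps the tunnel's own UDP packets leaving via the LAN gateway,
        # then the old default route is replaced by one through the tunnel
        table.append((ipaddress.ip_network(f"{endpoint}/32"), lan_gw, lan_iface))
        table.append((ipaddress.ip_network("0.0.0.0/0"), tun_remote, "tun0"))
    for net in routes:
        table.append((net, tun_remote, "tun0"))
    return table, dns


def lookup(table, dst):
    """Longest-prefix match. Returns every best-matching (gateway, iface) pair;
    more than one entry means equally specific routes are competing for dst."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r[0]]
    if not matches:
        return []
    longest = max(r[0].prefixlen for r in matches)
    return [(r[1] or "direct", r[2]) for r in matches if r[0].prefixlen == longest]


def lan_collisions(client_lan, reply):
    """Pushed routes that overlap the client's own LAN (chuckula's points 1-3)."""
    routes, _, _, _ = parse_push_reply(reply)
    return [str(n) for n in routes if n.overlaps(ipaddress.ip_network(client_lan))]


if __name__ == "__main__":
    # The thread's test: the laptop sits on the server's own LAN, 192.168.1.0/24.
    table, dns = build_table(PUSH_REPLY, VPN_ENDPOINT, "192.168.1.0/24", "192.168.1.1")
    for dst in (VPN_ENDPOINT, "8.8.8.8", dns[0], "192.168.1.1"):
        print(f"{dst:>15} -> {lookup(table, dst)}")
    print("collisions:", lan_collisions("192.168.1.0/24", PUSH_REPLY))
```

Running it with the client LAN set to 192.168.7.0/24 (chuckula's suggestion) leaves a single route for 192.168.1.1 and no collisions, which is a quick way to see what the pushed "route 192.168.1.0 255.255.255.0" does on a host that already lives in that subnet.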

Re: OpenVPN routing issue

Posted on Sun Apr 07, 2013 12:47 am

Thanks for the feedback. In the config, it shows the local subnet is 192.168.1.0/24, and the VPN subnet is 192.168.2.0/24 so that's not the issue.
Packet forwarding is enabled on the router/OpenVPN server (it is a router, after all), and the ip_forwarding variable is "1".

Your point 4b about having a static route to forward packets from the VPN to the other hosts in the network... I have the iptables rules set up but maybe I'm missing one. And why would it work when I connect to the 192.168.1.1 address but not the external.ip address?


Laptop (192.168.1.13) ------ router/openvpn server (192.168.1.1) --- cable modem (external.ip)
ShadowEyez

