Routing all client traffic through the VPN - Do non-Windows clients require some extra server-side scripting?

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
stevebiggs
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 18, 2017 4:24 pm

Routing all client traffic through the VPN - Do non-Windows clients require some extra server-side scripting?

Post by stevebiggs » Wed Jan 18, 2017 5:00 pm

NB: I am a networking noob so please assume I know nothing and explain things accordingly (or provide links to more info).


I am trying to set up an OpenVPN server such that all client traffic (including web-traffic) is routed through the VPN. I'm following the OpenVPN HOWTO and I've got as far as the "Routing all client traffic (including web-traffic) through the VPN" section (https://openvpn.net/index.php/open-sour ... l#redirect).

My setup is:
  • OpenVPN server (BeagleBone Black (BBB) on private network IP 10.240.233.2) connected to my broadband router at home (on private network IP 10.240.233.1).
  • Client (laptop running Xubuntu GNU/Linux) connected to an external network.
I can successfully:
  • Start OpenVPN server on the BBB on boot
  • Connect client to VPN
  • Ping OpenVPN server (10.8.0.1) from client (10.8.0.6) and vice versa
  • Ping the router (10.240.233.1) from the client
The latter was achieved by:
  • Adding the following directive to the server config file:

        push "route 10.240.233.0 255.255.255.0"

  • Enabling IP forwarding on the OpenVPN server by editing /etc/sysctl.conf (here's the edit:

        # Uncomment the next line to enable packet forwarding for IPv4
        net.ipv4.ip_forward=1

    after which the command

        sudo sysctl net.ipv4.ip_forward

    yields

        net.ipv4.ip_forward = 1

    )
  • Enabling tun forwarding using the following commands (from this guide: https://nikinuryadin.wordpress.com/2010 ... onnection/):

        sudo iptables -A INPUT -i tun+ -j ACCEPT

    and

        sudo iptables -A FORWARD -i tun+ -j ACCEPT

Now for the redirect bit...

I added the following directives to the server config file (from the OpenVPN HOWTO):

    push "redirect-gateway def1"
    push "dhcp-option DNS 10.240.233.1"

NB: The pushed DNS IP is that of my broadband router, which I can successfully ping from the client when connected to the VPN and which the server is reporting as its nameserver (cat /etc/resolv.conf on the server yields

    nameserver 10.240.233.1

)

I then used the following command to NAT the VPN client traffic to the internet (from the OpenVPN HOWTO):

    sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
(Yes, my connection from the OpenVPN server to the broadband router is reported by the server as eth0 (using ifconfig))

Finally, I did the following commands to save the iptables and restart the VPN (from the Niki Nuryadin guide linked above):

    sudo iptables-save
    sudo /etc/init.d/networking restart
    sudo /etc/init.d/openvpn restart

I can successfully ping http://www.google.com and http://www.bbc.co.uk from the OpenVPN server. (I can also ping them from the laptop while not connected to the VPN, obv!). However, when connected to the VPN, I cannot ping those sites from the client.

Usually, if you try to ping something that's not available (e.g. ping 192.168.7.2), you get a result like this:

PING 192.168.7.2 (192.168.7.2) 56(84) bytes of data.

and then it just hangs. However, in this case, when the client is connected to the OpenVPN server and I try to ping Google or BBC, I get no output at all.

I can't find the answer anywhere. The only clue I have is that the OpenVPN HOWTO says:

    [Using `push "dhcp-option DNS 10.240.233.1"`] will configure Windows clients (or non-Windows clients with some extra server-side scripting) to use [10.240.233.1] as their DNS server.

So, do I need some extra server side scripting? Or is there some other problem?

Also, once I can ping websites and browse the internet, how can I check that all traffic is indeed going through the OpenVPN tunnel and not just bypassing it as it did before I took these steps?

Many thanks,
Steve


P.S. Some friends suggested the following:
  • Try to ping 8.8.8.8 - this actually works while connected to the VPN which is odd!
  • traceroute -n 8.8.8.8 - gives the following: 1 - 10.8.0.1 (VPN server), 2 - 10.240.233.1 (broadband router), 3 - * * *, 4-7 - random IPs, 8 - 8.8.8.8

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Routing all client traffic through the VPN - Do non-Windows clients require some extra server-side scripting?

Post by TinCanTech » Wed Jan 18, 2017 5:48 pm

stevebiggs wrote: I am a networking noob so please assume I know nothing

So far what you have done looks good .. I am not so sure you are the noob you claim to be ;)

stevebiggs wrote: do I need some extra server side scripting? Or is there some other problem?

In fact you need this on the client side:

Linux requires the following client directives to have some options be successfully --push'ed
  • Client config:

        script-security 2
        up /etc/openvpn/update-resolv-conf
        down /etc/openvpn/update-resolv-conf

You should find those scripts were installed when you installed openvpn. If they are not there then please see this to use the official openvpn repos.

Once DNS resolution is working you should be able to ping 8.8.8.8 (by ip address) and google.com (by name)

Note: Nobody appears to have spotted this before but the HOWTO appears to be wrong with respect to which side the script is required. It is definitely required on the client side as it installs the pushed DNS server addresses to resolv-conf.
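To see why the scripting belongs on the client, it helps to know what OpenVPN hands to an up script. Pushed options the client cannot apply natively (on Linux, `dhcp-option`) are exported to the script as environment variables `foreign_option_1`, `foreign_option_2`, ..., together with `dev` (the tun interface) and `script_type` (`up` or `down`); nothing on the server ever touches the client's resolv.conf. The stock Debian/Ubuntu `/etc/openvpn/update-resolv-conf` turns those variables into `nameserver` and `search` lines and hands them to `resolvconf -a "${dev}.openvpn"`, which is the `tun0.openvpn` record that shows up in the error messages later in this thread. The script below is an added example that mirrors that logic in plain POSIX sh so it can be run and inspected without OpenVPN; it is not the script shipped with the package. The `foreign_option_*` values used for the stand-alone run are constructed samples, and `RESOLVCONF` is an assumed override so the real resolver database is only touched when OpenVPN itself invokes the script.

```shell
#!/bin/sh
# pushed-dns-to-resolv.sh - what an OpenVPN "up" script sees and does on Linux.
# Added example for this thread, not the packaged update-resolv-conf. Install as:
#   script-security 2
#   up   /etc/openvpn/pushed-dns-to-resolv.sh
#   down /etc/openvpn/pushed-dns-to-resolv.sh
# OpenVPN exports: dev (e.g. tun0), script_type (up|down) and foreign_option_N,
# one per pushed option the client can't apply itself, e.g.
#   foreign_option_1="dhcp-option DNS 10.240.233.1"

RESOLVCONF=${RESOLVCONF:-/sbin/resolvconf}   # assumed override, for testing only

# Walk foreign_option_1, foreign_option_2, ... and emit resolv.conf lines.
# Only "dhcp-option DNS|DOMAIN|DOMAIN-SEARCH" is understood; anything else is ignored.
foreign_options_to_resolv() {
    i=1 ns='' search=''
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break            # numbering is contiguous, so stop at the first gap
        set -- $opt                       # split "dhcp-option DNS 10.240.233.1" into words
        if [ "$1" = dhcp-option ]; then
            case "$2" in
                DNS)                  ns="$ns $3" ;;
                DOMAIN|DOMAIN-SEARCH) search="$search $3" ;;
            esac
        fi
        i=$((i + 1))
    done
    if [ -n "$search" ]; then
        printf 'search%s\n' "$search"
    fi
    for n in $ns; do
        printf 'nameserver %s\n' "$n"
    done
}

# resolvconf keeps one record per source; the stock script names it "<dev>.openvpn".
resolv_record_name() {
    printf '%s.openvpn' "${dev:-tun0}"
}

# Entry point when OpenVPN runs the script: push the record on "up", drop it on "down".
case "${script_type:-}" in
    up)   foreign_options_to_resolv | "$RESOLVCONF" -a "$(resolv_record_name)" ;;
    down) "$RESOLVCONF" -d "$(resolv_record_name)" ;;
esac

# Stand-alone demo with constructed values: what OpenVPN would export for
# push "dhcp-option DNS 10.240.233.1" plus a pushed search domain.
if [ -z "${script_type:-}" ]; then
    foreign_option_1='dhcp-option DNS 10.240.233.1'
    foreign_option_2='dhcp-option DOMAIN home.lan'
    dev=tun0
    echo "would run: $RESOLVCONF -a $(resolv_record_name) with this on stdin:"
    foreign_options_to_resolv
fi
```

The `script_type` switch is the whole reason the same file is used for both `up` and `down`: OpenVPN tells the script which way it is going, and the `down` branch removes exactly the record the `up` branch added, so the resolver list returns to whatever the LAN's DHCP had configured.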

stevebiggs
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 18, 2017 4:24 pm

Re: Routing all client traffic through the VPN - Do non-Windows clients require some extra server-side scripting?

Post by stevebiggs » Thu Jan 19, 2017 1:41 pm

OK, great. Thanks.

I will try that out tomorrow (not able to try it today).

So I put those directives in the client config file, right?

I do have the client laptop with me right now though and /etc/openvpn/update-resolv-conf does indeed exist and appears to be a bash script.

Thank you so much :)

P.S. Yes, might be worth updating the HOWTO to clarify where the scripts go and exactly how to do it.

stevebiggs
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 18, 2017 4:24 pm

Re: Routing all client traffic through the VPN - Do non-Windows clients require some extra server-side scripting?

Post by stevebiggs » Fri Jan 20, 2017 9:42 am

OK, I tried it (putting those directives in the client conf file) and IT WORKS :) Thanks!

Now that I have the VPN apparently working, how can I check that all traffic is indeed going through the OpenVPN tunnel and not just bypassing it as it did before I took these steps?

Also, when I want to disconnect from the VPN, I just hit Ctrl+C on the OpenVPN job in the terminal it's running in or run

    sudo killall openvpn

But then I get loads of error messages like:

    RTNETLINK answers: Operation not permitted
    Fri Jan 20 09:38:50 2017 ERROR: Linux route delete command failed: external program exited with error status: 2

and

    rm: cannot remove 'tun0.openvpn': Permission denied
    Fri Jan 20 09:38:50 2017 WARNING: Failed running command (--up/--down): external program exited with error status: 1
    Fri Jan 20 09:38:50 2017 Exiting due to fatal error

How can I disconnect from the VPN properly?

Thanks,
Steve
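Steve asks twice (in his first post and again above) how to confirm that client traffic really goes through the tunnel. The traceroute in his first post already answers it for one destination: hop 1 is 10.8.0.1 and hop 2 is the broadband router 10.240.233.1, so packets enter the tunnel before they reach the internet. A more general check is to look at what `redirect-gateway def1` actually installs on a Linux client. It leaves the original default route in place and adds `0.0.0.0/1` and `128.0.0.0/1` via the tun interface (together they cover all of IPv4 and beat the default route on prefix length), plus a `/32` host route to the VPN server's public address via the original gateway so the encrypted packets themselves are not sent into the tunnel. The script below is an added example, not from the thread or the OpenVPN project; it parses `ip route` and `/etc/resolv.conf` text and reports whether those routes and the pushed nameserver are in place. The route tables, the resolv.conf contents and the server address 203.0.113.10 are constructed sample data; run it as `sh vpn_check.sh --live <server-ip>` to check the real system instead.

```shell
#!/bin/sh
# vpn_check.sh - is this Linux client really sending everything through the tunnel?
# Added example for this thread, not part of OpenVPN. Assumes iproute2 ("ip route"),
# a tun* interface and the DNS server pushed in Steve's config (10.240.233.1).

# "redirect-gateway def1" installs two half-routes instead of replacing the default.
has_def1_routes() {
    printf '%s\n' "$1" | grep -q '^0\.0\.0\.0/1 .* dev tun[0-9]' &&
    printf '%s\n' "$1" | grep -q '^128\.0\.0\.0/1 .* dev tun[0-9]'
}

# The VPN server itself must stay reachable outside the tunnel: a /32 route to it
# via the original gateway on a non-tun interface, otherwise the tunnel eats itself.
has_server_host_route() {
    printf '%s\n' "$1" | grep "^$2 via " | grep -qv 'dev tun'
}

# The pushed nameserver should be the first resolver in use; update-resolv-conf
# hands it to resolvconf, which places it at the top of resolv.conf.
dns_is_pushed() {
    printf '%s\n' "$1" | grep '^nameserver ' | head -n 1 | grep -qx "nameserver $2"
}

# vpn_check ROUTES RESOLV SERVER_IP DNS_IP -> exit 0 only if all three checks pass
vpn_check() {
    rc=0
    if has_def1_routes "$1"; then
        echo "OK   0.0.0.0/1 and 128.0.0.0/1 go via tun (redirect-gateway def1 is active)"
    else
        echo "FAIL no def1 routes: traffic is using the normal default route"; rc=1
    fi
    if has_server_host_route "$1" "$3"; then
        echo "OK   host route to VPN server $3 bypasses the tunnel"
    else
        echo "FAIL no host route to $3 (encrypted packets could be routed into tun)"; rc=1
    fi
    if dns_is_pushed "$2" "$4"; then
        echo "OK   first nameserver is the pushed one ($4), DNS also goes via the VPN"
    else
        echo "FAIL first nameserver is not $4: DNS queries leak past the tunnel"; rc=1
    fi
    return $rc
}

# Constructed sample data (not captured from a real machine). 10.8.0.5 is the
# net30 peer address of a client at 10.8.0.6; 203.0.113.10 stands in for the
# VPN server's public address; 192.168.1.1 is the laptop's local gateway.
SAMPLE_ROUTES_VPN='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
10.240.233.0/24 via 10.8.0.5 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0'
SAMPLE_ROUTES_NOVPN='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600'
SAMPLE_RESOLV_VPN='nameserver 10.240.233.1
nameserver 192.168.1.1'
SAMPLE_RESOLV_NOVPN='nameserver 192.168.1.1'

if [ "${1:-}" = "--live" ]; then
    vpn_check "$(ip route show)" "$(cat /etc/resolv.conf)" "${2:?usage: --live SERVER_IP [DNS_IP]}" "${3:-10.240.233.1}"
else
    vpn_check "$SAMPLE_ROUTES_VPN" "$SAMPLE_RESOLV_VPN" 203.0.113.10 10.240.233.1
fi
```

A passing report only proves the routing and resolver configuration is right on the client; the complementary server-side check is that `tcpdump -ni eth0` on the BBB shows the client's web traffic leaving with the server's address after MASQUERADE, and that the laptop's public address as seen by any "what is my IP" service is the home connection's, not the external network's.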

stevebiggs
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 18, 2017 4:24 pm

Re: Routing all client traffic through the VPN - Do non-Windows clients require some extra server-side scripting?

Post by stevebiggs » Fri Jan 20, 2017 9:55 am

Also, if I then run

    sudo /etc/openvpn/update-resolv-conf

manually after the brute force disconnect, then my internet connection is way slower than it was before.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Routing all client traffic through the VPN - Do non-Windows clients require some extra server-side scripting?

Post by TinCanTech » Fri Jan 20, 2017 12:39 pm

Please post your server config file.
