Connect to VPN Locally with Internet Access

jdmillard
OpenVpn Newbie
Posts: 9
Joined: Sun Jun 14, 2015 11:39 pm

Post by jdmillard » Sun Jun 21, 2015 3:55 am

I have OpenVPN server configured on my dd-wrt router. I can successfully connect remotely with my W7 laptop client. Everything works perfectly! I can connect with devices "behind" the router on its local network without any problems. I can route all internet traffic through my home router if I so choose. Absolutely no red flags or hiccups. I'm quite pleased with it.

When I come home with that laptop and connect to my home LAN, directly to that router over wifi, I lose internet access. Chrome gives me "DNS_PROBE_FINISHED_BAD_CONFIG". What's happening is the OpenVPN service runs automatically on startup (as expected). I'm absolutely okay with that, I just want to fix my config so that it will allow me to connect to the VPN locally with internet access and obviously not break what does work remotely. I could just disable the OpenVPN service whenever I'm home, but that's not an option. I don't want to do that every day (or multiple times a day in many cases). The question: What can I add to my configuration that will allow the VPN connection to work either remotely or locally so that I don't have to manually change stuff all the time? It's worth noting that the VPN does work locally in every aspect except getting to the internet.

I know there are other DNS-related commands out there that I could use in my server config, but I'm hesitant to throw a bunch of stuff in there because everything worked flawlessly when connecting remotely (even routing all internet traffic through the tunnel). What suggestions do you have?

SERVER CONFIG:

push "route 192.168.1.0 255.255.255.0"
server 192.168.66.0 255.255.255.0
push "redirect-gateway def1"
port 1194
dev tun0
proto tcp
keepalive 10 120
client-to-client
cipher AES-128-CBC
comp-lzo
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001

SERVER IPTABLES:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3749  593K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:1194
 2947  405K ACCEPT     0    --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 DROP       udp  --  vlan2  any     anywhere             anywhere            udp dpt:route
    0     0 DROP       udp  --  br0    any     anywhere             anywhere            udp dpt:route
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:route
    0     0 ACCEPT     icmp --  vlan2  any     anywhere             anywhere
   50  1800 DROP       igmp --  any    any     anywhere             anywhere
    1    61 ACCEPT     0    --  lo     any     anywhere             anywhere            state NEW
 1369 96299 ACCEPT     0    --  br0    any     anywhere             anywhere            state NEW
  213 62294 DROP       0    --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2051  153K ACCEPT     0    --  tun0   br0     anywhere             anywhere
 3418 4242K ACCEPT     0    --  br0    tun0    anywhere             anywhere
84051 6852K ACCEPT     0    --  any    any     192.168.1.0/24       anywhere
  877  126K ACCEPT     0    --  any    any     192.168.66.0/24      anywhere
    0     0 ACCEPT     gre  --  any    vlan2   192.168.1.0/24       anywhere
    0     0 ACCEPT     tcp  --  any    vlan2   192.168.1.0/24       anywhere            tcp dpt:1723
 166K  218M lan2wan    0    --  any    any     anywhere             anywhere
  246 12740 TCPMSS     tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
 166K  218M ACCEPT     0    --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  br0    br0     anywhere             anywhere
    0     0 TRIGGER    0    --  vlan2  br0     anywhere             anywhere            TRIGGER type:in match:0 relate:0
    0     0 trigger_out  0    --  br0    any     anywhere             anywhere
    0     0 ACCEPT     0    --  br0    any     anywhere             anywhere            state NEW
    0     0 DROP       0    --  any    any     anywhere             anywhere

CLIENT CONFIG:

remote dynDNS 1194
client
remote-cert-tls server
dev tun0
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca ca.crt
cert laptop1.crt
key laptop1.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 4

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connect to VPN Locally with Internet Access

Post by Traffic » Mon Jun 22, 2015 8:07 pm

jdmillard wrote: The question: What can I add to my configuration that will allow the VPN connection to work either remotely or locally so that I don't have to manually change stuff all the time?
You always have to change stuff ..

Did you try the "autolocal" flag for your gateway redirect ?

jdmillard
OpenVpn Newbie
Posts: 9
Joined: Sun Jun 14, 2015 11:39 pm

Re: Connect to VPN Locally with Internet Access

Post by jdmillard » Tue Jun 23, 2015 4:05 am

I have no problem changing stuff; that's not the issue. Changing stuff all the time (e.g. every time I get home) is a whole different story.

I just tried the autolocal flag and there appears to be no difference.

Another quick question: what if I configure it without the gateway redirect? The entire redirect line will be commented out. When I try it this way, I get identical local internet connectivity symptoms. I think this issue is independent of whether or not I direct internet traffic through the tunnel. I imagine that it's an issue with some other config command or my iptables.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Connect to VPN Locally with Internet Access

Post by Traffic » Tue Jun 23, 2015 10:35 am

The fact is, when you are at home (on the same LAN as your server) there is no need to use the VPN .. I would just stop the VPN while at home. Or you could block your router from accepting client connections from the LAN.

jdmillard
OpenVpn Newbie
Posts: 9
Joined: Sun Jun 14, 2015 11:39 pm

Re: Connect to VPN Locally with Internet Access

Post by jdmillard » Wed Jun 24, 2015 2:04 am

A fair point. Thanks for your input.

"you could block your router from accepting client connections from the LAN."

I might look into this so I don't have to mess with the Windows services whenever I want internet access. Would that be an OpenVPN config setting or an iptables setting?

eseelke
OpenVpn Newbie
Posts: 4
Joined: Sun Apr 12, 2015 2:47 pm

Re: Connect to VPN Locally with Internet Access

Post by eseelke » Wed Jun 24, 2015 8:27 pm

I had this running a while back. I never found a proper method. But I did add a hostname to the internal DNS to point to IP 127.0.0.1. So, basically, the domain that I was using for OpenVPN connections wouldn't work when starting on the home network.

If it was already running when I connected to the home network, I would either have to reboot the computer or restart the OpenVPN service.

jdmillard
OpenVpn Newbie
Posts: 9
Joined: Sun Jun 14, 2015 11:39 pm

Re: Connect to VPN Locally with Internet Access

Post by jdmillard » Thu Jun 25, 2015 6:00 am

As is well known, the router firewall allows VPN connections through a given port when initiated by machines running proper configurations, certificates, keys, etc. I solved my issue by adding a rule that DROPs incoming connections through that port if they originated from the LAN. Now when I get home the VPN is unable to establish a connection, so the service just waits. Therefore, I'm not actually connected to the VPN and I'm able to perform all normal functions being on the LAN side. I'm happy with it.

The side benefit is that my laptop now bypasses all the VPN/router overhead when I'm at home. I can't complain too much. Thanks for the input Traffic!
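
A rule of the kind described in the post above, as an added example that is not part of the original thread and not the poster's actual rule. It assumes the LAN bridge is `br0` and the listener is tcp/1194, as shown in the iptables listing and server config earlier in the thread; the `IPT`, `LAN_IF`, `VPN_PROTO` and `VPN_PORT` variables and the `block_lan_vpn` function are hypothetical names.

```shell
#!/bin/sh
# Added example: stop LAN-side clients from reaching the router's OpenVPN
# listener, so a laptop at home never brings the tunnel up.
# Assumed from the thread's listings: LAN bridge br0, server on tcp/1194.
# IPT can be overridden so the logic can be exercised without root.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-br0}"
VPN_PROTO="${VPN_PROTO:-tcp}"
VPN_PORT="${VPN_PORT:-1194}"

block_lan_vpn() {
    # Delete any earlier copies first, so re-running this on every
    # firewall restart never stacks duplicate rules. Deleting by rule
    # spec (-D) also works on old iptables builds that lack -C.
    while $IPT -D INPUT -i "$LAN_IF" -p "$VPN_PROTO" --dport "$VPN_PORT" -j DROP 2>/dev/null; do
        :
    done
    # Insert at position 1, not append: the posted INPUT chain starts
    # with "ACCEPT tcp dpt:1194" for any interface, and iptables stops
    # at the first matching rule, so an appended DROP would never be hit.
    $IPT -I INPUT 1 -i "$LAN_IF" -p "$VPN_PROTO" --dport "$VPN_PORT" -j DROP
}

# Only touch the firewall when run as "script apply"; sourcing the file
# or running it without arguments changes nothing.
if [ "${1:-}" = "apply" ]; then
    block_lan_vpn
fi
```

Remote clients are unaffected because their packets arrive on the WAN interface and still hit the original ACCEPT rule; only traffic entering on the LAN bridge matches the new DROP.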

abjubeti
OpenVpn Newbie
Posts: 4
Joined: Sun Sep 27, 2015 9:47 pm

Re: Connect to VPN Locally with Internet Access

Post by abjubeti » Sat Jun 04, 2016 7:29 pm

DNS_PROBE_FINISHED_BAD_CONFIG problem

abjubeti
OpenVpn Newbie
Posts: 4
Joined: Sun Sep 27, 2015 9:47 pm

Re: Connect to VPN Locally with Internet Access

Post by abjubeti » Sun Jun 05, 2016 8:09 am

abjubeti wrote: DNS_PROBE_FINISHED_BAD_CONFIG problem
Got the fix:
http://www.deskdecode.com/dns_probe_fin ... ad_config/
It's my Chrome that is making the problem.

RancherLara
OpenVpn Newbie
Posts: 1
Joined: Thu Jun 01, 2017 10:18 am

Re: Connect to VPN Locally with Internet Access

Post by RancherLara » Thu Jun 01, 2017 10:19 am

abjubeti wrote: DNS_PROBE_FINISHED_BAD_CONFIG problem
Recently, I began receiving the DNS probe finished bad config error quite frequently. I tried to press in the wires of my router and checked the connections outside as well. Turns out, I could have dealt with it easily by flushing the DNS. I don't know my way around Command Prompt, so I'm glad I found help online. Still missed a video call with my parents on their anniversary.
