Auto connecting to VPN
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 14
- Joined: Fri Jan 28, 2011 11:04 am
- Location: Halesowen - UK
Auto connecting to VPN
I'm sorry if this has been asked elsewhere or if there is a FAQ to cover it but I can't see anything.
I have managed to get OpenVPN to automatically start at boot up on a Windows 7 workstation which is part of our Windows Server 2003 domain.
Is it also possible to get the client to auto connect to the server at this point too? In addition, can I force the internet traffic through the VPN connection so that the remote machine is subject to the same content filtering as the domain it's connecting to?
Thanks in advance.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Auto connecting to VPN
yes this should be possible.
When OpenVPN is launched as a service it will start all configuration files named '*.ovpn' from the OpenVPN config directory.
When the (current) OpenVPN GUI is used you can use the parameter
--connect blah.ovpn
to start connection profile 'blah'.
HTH,
JJK
-
- OpenVpn Newbie
- Posts: 14
- Joined: Fri Jan 28, 2011 11:04 am
- Location: Halesowen - UK
Re: Auto connecting to VPN
That's brilliant, got it to work first time by entering C:\Windows\System32\runas.exe /savecred /user:administrator "C:\Program Files (x86)\OpenVPN\bin\openvpn-gui-1.0.3.exe --connect Data_Centre.ovpn"
Ran it to test and it connected first time and assigned an IP address perfectly.
The last thing to try and configure now is getting all of the internet traffic to go through the VPN connection instead of the local connection. Is that something that's configurable within the VPN Client?
Thanks.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Auto connecting to VPN
ah yes, forgot about that: yes, indeed, routing is controlled by the client or server configuration. On the client side you'd use
Code: Select all
redirect-gateway def1
to route ALL traffic through the VPN. You can also "push" this from the server using
Code: Select all
push "redirect-gateway def1"
BTW, it is instructive to run
Code: Select all
openvpn-gui-1.0.3.exe --help
this will pop up a window with all possible options.
-
- OpenVpn Newbie
- Posts: 14
- Joined: Fri Jan 28, 2011 11:04 am
- Location: Halesowen - UK
Re: Auto connecting to VPN
Hey no worries, I am grateful for your advice.
I'm struggling a little with this one. So far my config looks like this:
I wasn't quite sure where to put in the extra line that you gave me so I just slotted it in. Have I put it in completely the wrong place?
client
dev tun
proto tcp
remote 85.xxx.65.xx 1194
redirect-gateway def1
ip-win32 dynamic
resolv-retry infinite
nobind
ca "c:\\Program Files (x86)\\openvpn\\config\\Data_Centre\\ca.crt"
cert "c:\\Program Files (x86)\\openvpn\\config\\Data_Centre\\dc-user.crt"
key "c:\\Program Files (x86)\\openvpn\\config\\Data_Centre\\dc-user.key"
tls-auth "c:\\Program Files (x86)\\openvpn\\config\\Data_Centre\\ta.key" 1
comp-lzo
verb 5
float
VPN still works but internet access seems really messed up now, only local pages are available, all internet just times out and displays page could not be found page.
Thanks again.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Auto connecting to VPN
the 'redirect-gateway' statement can be inserted pretty much anywhere, so this is OK.
However, all traffic is now sent over the VPN tunnel (check the Windows routing table by opening up a command window and typing 'route print'). Does the VPN server know where to redirect this traffic to? How is this server configured? In most cases some form of NATting or Masquerading is needed to redirect all network traffic via the VPN.
HTH,
JJK
-
- OpenVpn Newbie
- Posts: 14
- Joined: Fri Jan 28, 2011 11:04 am
- Location: Halesowen - UK
Re: Auto connecting to VPN
Ah ok, that is where I may be going wrong then as I haven't configured anything on the server.
I don't usually get involved with the server side only the client side, this would be left up to my colleague.
I am only trying to get this to work for one user as they will be connecting from another country, so will I need my colleague to update the server settings? Will doing so apply it to all of our users?
I ran 'route print' but I don't really understand what I am looking at yet, does it look normal to you? (All I can pick out is that the local domain I am on is on the 22 subnet, and the VPN Subnet is 8 which I confirm is correct).
Thanks
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\hayleycz>route print
===========================================================================
Interface List
15...00 ff 18 a6 c4 d2 ......TAP-Win32 Adapter V9
12...64 31 50 21 e7 76 ......Realtek PCIe FE Family Controller
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
11...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.11.22.254 10.11.22.122 20
0.0.0.0 128.0.0.0 10.11.8.145 10.11.8.146 30
10.11.0.0 255.255.0.0 10.11.8.145 10.11.8.146 30
10.11.8.1 255.255.255.255 10.11.8.145 10.11.8.146 30
10.11.8.144 255.255.255.252 On-link 10.11.8.146 286
10.11.8.146 255.255.255.255 On-link 10.11.8.146 286
10.11.8.147 255.255.255.255 On-link 10.11.8.146 286
10.11.22.0 255.255.255.0 On-link 10.11.22.122 276
10.11.22.122 255.255.255.255 On-link 10.11.22.122 276
10.11.22.255 255.255.255.255 On-link 10.11.22.122 276
85.xxx.65.xx 255.255.255.255 10.11.22.254 10.11.22.122 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 10.11.8.145 10.11.8.146 30
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.11.22.122 276
224.0.0.0 240.0.0.0 On-link 10.11.8.146 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.11.22.122 276
255.255.255.255 255.255.255.255 On-link 10.11.8.146 286
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
12 276 fe80::/64 On-link
15 286 fe80::/64 On-link
15 286 fe80::1043:711f:c26f:e2d9/128
On-link
12 276 fe80::69ee:5808:860a:b442/128
On-link
1 306 ff00::/8 On-link
12 276 ff00::/8 On-link
15 286 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
C:\Users\hayleycz>
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Auto connecting to VPN
the routing table looks OK. The entries
Code: Select all
0.0.0.0 128.0.0.0 10.11.8.145 10.11.8.146 30
128.0.0.0 128.0.0.0 10.11.8.145 10.11.8.146 30
indicate that all traffic is redirected via the VPN.
On the server side something needs to be done so that packets with source address 10.11.8.X (i.e. coming from the VPN) are routed out to the internet directly. This needs to be done for the server only once. In case it's a Linux server this can most easily be achieved using
Code: Select all
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
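An added example, not part of the original posts: a longest-prefix lookup over the IPv4 routes from the 'route print' output above, showing why the two /1 entries created by 'redirect-gateway def1' win over the 0.0.0.0/0 default route while the VPN server's host route and the local subnet stay on the physical adapter. The server address is masked in the thread, so the documentation address 203.0.113.10 stands in for it, and the function names are this example's own.

```python
import ipaddress

# IPv4 routes copied from the 'route print' output in the thread. The VPN
# server's address is masked there (85.xxx.65.xx), so the documentation
# address 203.0.113.10 stands in for it (constructed value).
ROUTE_PRINT = """\
0.0.0.0 0.0.0.0 10.11.22.254 10.11.22.122 20
0.0.0.0 128.0.0.0 10.11.8.145 10.11.8.146 30
10.11.0.0 255.255.0.0 10.11.8.145 10.11.8.146 30
10.11.8.144 255.255.255.252 On-link 10.11.8.146 286
10.11.22.0 255.255.255.0 On-link 10.11.22.122 276
203.0.113.10 255.255.255.255 10.11.22.254 10.11.22.122 20
128.0.0.0 128.0.0.0 10.11.8.145 10.11.8.146 30
"""

def parse_routes(text):
    """Turn 'dest mask gateway interface metric' rows into route dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip headers, separators and wrapped lines
        dest, mask, gateway, iface, metric = fields
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
        except ValueError:
            continue  # not an IPv4 route row
        routes.append({"net": net, "gateway": gateway, "iface": iface, "metric": int(metric)})
    return routes

def lookup(routes, address):
    """Pick the route used for an address: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(address)
    matches = [r for r in routes if ip in r["net"]]
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]), default=None)

def is_full_tunnel(routes, vpn_iface):
    """True when both def1 halves (0.0.0.0/1 and 128.0.0.0/1) use the VPN interface."""
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    covered = {r["net"] for r in routes if r["iface"] == vpn_iface and r["net"] in halves}
    return covered == halves

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for target in ("8.8.8.8", "198.51.100.7", "203.0.113.10", "10.11.22.50"):
        r = lookup(table, target)
        print(f"{target:15} -> via {r['gateway']:13} on {r['iface']}")
    print("full tunnel:", is_full_tunnel(table, "10.11.8.146"))
```

The lookup for 10.11.22.50 stays on-link on the physical adapter, which matches the report that only local pages remained reachable while the server was not yet forwarding the redirected traffic.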
-
- OpenVpn Newbie
- Posts: 14
- Joined: Fri Jan 28, 2011 11:04 am
- Location: Halesowen - UK
Re: Auto connecting to VPN
Ah ok, so everything looks good except for the small server config that needs adjusting.
Can I just clarify, by putting 'iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE' into the server config, am I right in saying only this one test client will be forced to use my internal firewall/content filter for internet because it is the only client with 'redirect-gateway def1' in the config?
I will ask my colleague to take a look at doing this tomorrow because Linux scares me
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Auto connecting to VPN
whoops, no the 'iptables' thing is a Linux routing/firewalling trick, it does NOT go into the server configuration.
The issue that needs to be resolved on the server side is that when VPN packets come in, they will have a source address of 10.11.8.xx; these packets cannot be simply routed out onto the internet. Most ADSL modems use NATting for this. The person who manages the OpenVPN server needs to/should know what to do about this.
-
- OpenVpn Newbie
- Posts: 14
- Joined: Fri Jan 28, 2011 11:04 am
- Location: Halesowen - UK
Re: Auto connecting to VPN
Ah ok, I'm sure if I tell my colleague what you have said he will understand far better than me.
I will speak with him tomorrow on his return and ask him to take a look. When we can test it I'll let you know how it goes.
Thanks again for all of your help.
-
- OpenVpn Newbie
- Posts: 14
- Joined: Fri Jan 28, 2011 11:04 am
- Location: Halesowen - UK
Re: Auto connecting to VPN
Hi, I have spoken with my colleague this morning who takes care of the server side of VPN.
I've gone through the suggestions made with him but he's not sure how this will affect the traffic over our network.
For example, we are in the UK and our remote user is in the Czech Republic.
If they request a URL in the Czech, instead of it going straight out to their ISP it will go through the VPN tunnel to our network and content filter and then back to him in the Czech. Is that right?
If this assumption is correct it will be doubling network traffic for VPN users. So, will the user see much slower internet speeds? And if we have this enabled on roughly 50 remote users, will it be using much more of our internal network's bandwidth?
If anyone could expand on this and explain it to me I would be very grateful.
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Auto connecting to VPN
well, you have to ask yourself what are you trying to achieve? if you want to use 'redirect-gateway' then yes all traffic will go via the VPN and yes, this will put a burden on the VPN server itself. That's how 'redirect-gateway' works: it redirects all traffic over the VPN. If this is not what you want, then don't use 'redirect-gateway', but then what *are* you trying to achieve?
-
- OpenVpn Newbie
- Posts: 14
- Joined: Fri Jan 28, 2011 11:04 am
- Location: Halesowen - UK
Re: Auto connecting to VPN
Good question!
I don't think enabling this will be the answer to what we want.
In a nutshell we would like to force all of our remote users' internet access through the VPN connection or through a proxy connection to ensure they are subject to the same web content filtering that our onsite users are.
However, we are a relatively new department with other network issues and instability going on so at this point I do not want to add any further workload to our VPN server or connection.
Hmm, I suppose if we wanted to go down this route we would have to expect extra burden.
Ideally at this stage it would be good to add just this one user to see if they notice any speed issues or if it has any noticeable effect on the rest of our network but it doesn't look like it is possible
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: Auto connecting to VPN
you can redirect all traffic for a single VPN user by using a 'client-config-dir' file. Read the HOWTO or manual page on how to set this up.