Sending all Client traffic through VPN not working

Official client software for OpenVPN Access Server and OpenVPN Cloud.
ar007
OpenVpn Newbie
Posts: 6
Joined: Sat Feb 03, 2018 1:36 pm

Sending all Client traffic through VPN not working

Post by ar007 » Sat Feb 03, 2018 1:49 pm

Hello,

Trying to set up my Netgear router with dd-wrt installed to have all traffic of the client go through the VPN, but I can't get it to work.
As soon as I add the line push "redirect-gateway local def1" in the additional config box, the clients can't access the public internet anymore. They can still connect to the local services. So it looks like a DNS or firewall problem to me, but I cannot find the solution.

The server setting is:


push "redirect-gateway local def1"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
# the client log shows "dhcp-option WINS 10.8.0.1" being pushed; "WNS" was a typo
push "dhcp-option WINS 10.8.0.1"
server 10.8.0.0 255.255.255.0
The firewall setting:


# accept OpenVPN connections on the WAN side (the clients use proto tcp)
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
# the original read "-source", which iptables rejects; the option is -s (--source)
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
# replies from the internet back into the tunnel (harmless if the firmware already has such a rule)
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT VPN clients behind the WAN address (vlan2 is the WAN interface on this router)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o vlan2 -j SNAT --to-source $(nvram get wan_ipaddr)
I set the operating mode of the router to "router" and the dynamic routing interface option to "LAN & WLAN", but then I lose the local internet connection on my computers, and then the VPN client also does not find any public internet pages.

Who can help me?
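
An added example, not from the original post and not OpenVPN or dd-wrt code: a small Python model of the routes a client installs for the pushed redirect-gateway line, following the flag semantics in the OpenVPN manual. The manual reserves the local flag for clients that share a subnet with the server; for a client on the public internet it skips the host route that pins the tunnel endpoint to the physical gateway, so with def1 the server's own address falls under 0.0.0.0/1 and the tunnel's packets would be routed back into the tunnel. The addresses are the ones that appear in this thread; route metrics are ignored, which is a simplification.

```python
import ipaddress

# Added example, not from the original post or from OpenVPN/dd-wrt: a model of
# the routes a client installs for a pushed "redirect-gateway" line, following
# the behaviour described in the OpenVPN manual.  Route metrics are ignored,
# which is a simplification; addresses are the ones seen in this thread.


def client_routes(flags, vpn_gw, orig_gw, remote):
    """Return (prefix, next_hop) pairs present after the directive is applied.

    - without "local": a /32 host route to the server's public address via the
      original gateway, so the encapsulated packets keep leaving on the
      physical link (the manual's step 1);
    - "def1": 0.0.0.0/1 and 128.0.0.0/1 via the VPN gateway, which beat the
      existing default route by prefix length;
    - otherwise the default route itself is replaced.
    """
    routes = [(ipaddress.ip_network("0.0.0.0/0"), orig_gw)]  # physical default
    if "local" not in flags:
        routes.append((ipaddress.ip_network(f"{remote}/32"), orig_gw))
    if "def1" in flags:
        routes.append((ipaddress.ip_network("0.0.0.0/1"), vpn_gw))
        routes.append((ipaddress.ip_network("128.0.0.0/1"), vpn_gw))
    else:
        routes[0] = (ipaddress.ip_network("0.0.0.0/0"), vpn_gw)
    return routes


def next_hop(routes, dst):
    """Longest-prefix match, as a host or router would resolve it."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def tunnel_loops(flags, vpn_gw, orig_gw, remote):
    """True when the tunnel's own packets to the server would be sent into the
    tunnel, i.e. the VPN swallows its transport and every destination dies."""
    return next_hop(client_routes(flags, vpn_gw, orig_gw, remote), remote) == vpn_gw


if __name__ == "__main__":
    peer = dict(vpn_gw="10.8.0.5", orig_gw="172.20.10.1", remote="111.111.111.111")
    for flags in (["local", "def1"], ["def1"]):
        print(" ".join(flags), "-> loops" if tunnel_loops(flags, **peer) else "-> ok")
```

Run as-is it reports "local def1 -> loops" and "def1 -> ok" for the thread's addresses; the only difference between the two is the /32 host route that local suppresses.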

ar007
OpenVpn Newbie
Posts: 6
Joined: Sat Feb 03, 2018 1:36 pm

Re: Sending all Client traffic through VPN not working

Post by ar007 » Wed Feb 07, 2018 11:05 am

I tried to browse to a site on the internet using the IP address, but that does not work. So it does not seem to be a DNS problem.

Can't figure this out...

It is a Netgear Nighthawk router. Should it work?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Sending all Client traffic through VPN not working

Post by TinCanTech » Wed Feb 07, 2018 11:35 am

Logs please ..

Please see:
HOWTO: Request Help !

ar007
OpenVpn Newbie
Posts: 6
Joined: Sat Feb 03, 2018 1:36 pm

Re: Sending all Client traffic through VPN not working

Post by ar007 » Fri Feb 09, 2018 3:02 pm

Here is the client log


Fri Feb 09 15:52:35 2018 OpenVPN 2.4.3 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 20 2017
Fri Feb 09 15:52:35 2018 Windows version 6.1 (Windows 7) 32bit
Fri Feb 09 15:52:35 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
Enter Management Password:
Fri Feb 09 15:52:35 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Fri Feb 09 15:52:35 2018 Need hold release from management interface, waiting...
Fri Feb 09 15:52:35 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Fri Feb 09 15:52:35 2018 MANAGEMENT: CMD 'state on'
Fri Feb 09 15:52:35 2018 MANAGEMENT: CMD 'log all on'
Fri Feb 09 15:52:35 2018 MANAGEMENT: CMD 'echo all on'
Fri Feb 09 15:52:35 2018 MANAGEMENT: CMD 'hold off'
Fri Feb 09 15:52:35 2018 MANAGEMENT: CMD 'hold release'
Fri Feb 09 15:52:35 2018 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Fri Feb 09 15:52:36 2018 MANAGEMENT: >STATE:1518187956,RESOLVE,,,,,,
Fri Feb 09 15:52:42 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]111.111.111.111:1194
Fri Feb 09 15:52:42 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Feb 09 15:52:42 2018 Attempting to establish TCP connection with [AF_INET]111.111.111.111:1194 [nonblock]
Fri Feb 09 15:52:42 2018 MANAGEMENT: >STATE:1518187962,TCP_CONNECT,,,,,,
Fri Feb 09 15:52:43 2018 TCP connection established with [AF_INET]111.111.111.111:1194
Fri Feb 09 15:52:43 2018 TCP_CLIENT link local: (not bound)
Fri Feb 09 15:52:43 2018 TCP_CLIENT link remote: [AF_INET]111.111.111.111:1194
Fri Feb 09 15:52:43 2018 MANAGEMENT: >STATE:1518187963,WAIT,,,,,,
Fri Feb 09 15:52:43 2018 MANAGEMENT: >STATE:1518187963,AUTH,,,,,,
Fri Feb 09 15:52:43 2018 TLS: Initial packet from [AF_INET]111.111.111.111:1194, sid=1a8e496c f54744f5
Fri Feb 09 15:52:44 2018 VERIFY OK: xxx
Fri Feb 09 15:52:44 2018 VERIFY OK: nsCertType=SERVER
Fri Feb 09 15:52:44 2018 VERIFY OK: xxx
Fri Feb 09 15:52:44 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Fri Feb 09 15:52:44 2018 [server] Peer Connection Initiated with [AF_INET]111.111.111.111:1194
Fri Feb 09 15:52:45 2018 MANAGEMENT: >STATE:1518187965,GET_CONFIG,,,,,,
Fri Feb 09 15:52:45 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Feb 09 15:52:46 2018 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 10.8.0.1,dhcp-option WINS 10.8.0.1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Fri Feb 09 15:52:46 2018 OPTIONS IMPORT: timers and/or timeouts modified
Fri Feb 09 15:52:46 2018 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 09 15:52:46 2018 OPTIONS IMPORT: route options modified
Fri Feb 09 15:52:46 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Feb 09 15:52:46 2018 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri Feb 09 15:52:46 2018 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 09 15:52:46 2018 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri Feb 09 15:52:46 2018 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 09 15:52:46 2018 interactive service msg_channel=380
Fri Feb 09 15:52:46 2018 ROUTE_GATEWAY 172.20.10.1/255.255.255.240 I=11 HWADDR=00:18:de:c7:9d:05
Fri Feb 09 15:52:46 2018 open_tun
Fri Feb 09 15:52:46 2018 TAP-WIN32 device [LAN-verbinding 2] opened: \\.\Global\{9758A595-CA6E-4CEA-8BC3-4C6053C16BD0}.tap
Fri Feb 09 15:52:46 2018 TAP-Windows Driver Version 9.21 
Fri Feb 09 15:52:46 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {9758A595-CA6E-4CEA-8BC3-4C6053C16BD0} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Fri Feb 09 15:52:46 2018 Successful ARP Flush on interface [17] {9758A595-CA6E-4CEA-8BC3-4C6053C16BD0}
Fri Feb 09 15:52:46 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Feb 09 15:52:46 2018 MANAGEMENT: >STATE:1518187966,ASSIGN_IP,,10.8.0.6,,,,
Fri Feb 09 15:52:51 2018 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Fri Feb 09 15:52:51 2018 MANAGEMENT: >STATE:1518187971,ADD_ROUTES,,,,,,
Fri Feb 09 15:52:51 2018 C:\Windows\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.8.0.5
Fri Feb 09 15:52:51 2018 Route addition via service succeeded
Fri Feb 09 15:52:51 2018 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
Fri Feb 09 15:52:51 2018 Route addition via service succeeded
Fri Feb 09 15:52:51 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Feb 09 15:52:51 2018 Initialization Sequence Completed
Fri Feb 09 15:52:51 2018 MANAGEMENT: >STATE:1518187971,CONNECTED,SUCCESS,10.8.0.6,111.111.111.111,1194,172.20.10.3,49234
Fri Feb 09 15:54:10 2018 Connection reset, restarting [-1]
Fri Feb 09 15:54:10 2018 SIGUSR1[soft,connection-reset] received, process restarting
Fri Feb 09 15:54:10 2018 MANAGEMENT: >STATE:1518188050,RECONNECTING,connection-reset,,,,,
Fri Feb 09 15:54:10 2018 Restart pause, 5 second(s)
Fri Feb 09 15:54:15 2018 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Fri Feb 09 15:54:15 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]111.111.111.111:1194
Fri Feb 09 15:54:15 2018 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Feb 09 15:54:15 2018 Attempting to establish TCP connection with [AF_INET]111.111.111.111:1194 [nonblock]
Fri Feb 09 15:54:15 2018 MANAGEMENT: >STATE:1518188055,TCP_CONNECT,,,,,,
Fri Feb 09 15:54:16 2018 TCP connection established with [AF_INET]111.111.111.111:1194
Fri Feb 09 15:54:16 2018 TCP_CLIENT link local: (not bound)
Fri Feb 09 15:54:16 2018 TCP_CLIENT link remote: [AF_INET]111.111.111.111:1194
Fri Feb 09 15:54:16 2018 MANAGEMENT: >STATE:1518188056,WAIT,,,,,,
Fri Feb 09 15:54:16 2018 MANAGEMENT: >STATE:1518188056,AUTH,,,,,,
Fri Feb 09 15:54:16 2018 TLS: Initial packet from [AF_INET]111.111.111.111:1194, sid=171d6145 3da0eca6
Fri Feb 09 15:54:16 2018 VERIFY OK: 
Fri Feb 09 15:54:16 2018 VERIFY OK: nsCertType=SERVER
Fri Feb 09 15:54:16 2018 VERIFY OK: 
Fri Feb 09 15:54:16 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Fri Feb 09 15:54:16 2018 [server] Peer Connection Initiated with [AF_INET]111.111.111.111:1194
Fri Feb 09 15:54:17 2018 MANAGEMENT: >STATE:1518188057,GET_CONFIG,,,,,,
Fri Feb 09 15:54:17 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Feb 09 15:54:18 2018 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 10.8.0.1,dhcp-option WINS 10.8.0.1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'
Fri Feb 09 15:54:18 2018 OPTIONS IMPORT: timers and/or timeouts modified
Fri Feb 09 15:54:18 2018 OPTIONS IMPORT: --ifconfig/up options modified
Fri Feb 09 15:54:18 2018 OPTIONS IMPORT: route options modified
Fri Feb 09 15:54:18 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Feb 09 15:54:18 2018 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri Feb 09 15:54:18 2018 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 09 15:54:18 2018 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Fri Feb 09 15:54:18 2018 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Feb 09 15:54:18 2018 Preserving previous TUN/TAP instance: LAN-verbinding 2
Fri Feb 09 15:54:18 2018 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Fri Feb 09 15:54:18 2018 C:\Windows\system32\route.exe DELETE 192.168.0.0 MASK 255.255.255.0 10.8.0.5
Fri Feb 09 15:54:18 2018 Route deletion via service succeeded
Fri Feb 09 15:54:18 2018 C:\Windows\system32\route.exe DELETE 10.8.0.0 MASK 255.255.255.0 10.8.0.5
Fri Feb 09 15:54:18 2018 Route deletion via service succeeded
Fri Feb 09 15:54:18 2018 Closing TUN/TAP interface
Fri Feb 09 15:54:34 2018 TAP: DHCP address released
Fri Feb 09 15:54:35 2018 interactive service msg_channel=380
Fri Feb 09 15:54:35 2018 ROUTE_GATEWAY 192.168.10.1/255.255.255.0 I=11 HWADDR=00:18:de:c7:9d:05
Fri Feb 09 15:54:35 2018 open_tun
Fri Feb 09 15:54:35 2018 TAP-WIN32 device [LAN-verbinding 2] opened: \\.\Global\{9758A595-CA6E-4CEA-8BC3-4C6053C16BD0}.tap
Fri Feb 09 15:54:35 2018 TAP-Windows Driver Version 9.21 
Fri Feb 09 15:54:35 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.10/255.255.255.252 on interface {9758A595-CA6E-4CEA-8BC3-4C6053C16BD0} [DHCP-serv: 10.8.0.9, lease-time: 31536000]
Fri Feb 09 15:54:35 2018 Successful ARP Flush on interface [17] {9758A595-CA6E-4CEA-8BC3-4C6053C16BD0}
Fri Feb 09 15:54:35 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Feb 09 15:54:35 2018 MANAGEMENT: >STATE:1518188075,ASSIGN_IP,,10.8.0.10,,,,
Fri Feb 09 15:54:40 2018 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Fri Feb 09 15:54:40 2018 MANAGEMENT: >STATE:1518188080,ADD_ROUTES,,,,,,
Fri Feb 09 15:54:40 2018 C:\Windows\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.8.0.9
Fri Feb 09 15:54:40 2018 Route addition via service succeeded
Fri Feb 09 15:54:40 2018 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.9
Fri Feb 09 15:54:40 2018 Route addition via service succeeded
Fri Feb 09 15:54:40 2018 Initialization Sequence Completed
Fri Feb 09 15:54:40 2018 MANAGEMENT: >STATE:1518188080,CONNECTED,SUCCESS,10.8.0.10,111.111.111.111,1194,192.168.10.100,49251
I do not know how to get the log from the server (dd-wrt router)?
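
An added example, not part of the original post: a Python check that reads an OpenVPN client log and reports whether a redirect-gateway option was actually pushed and acted on. The PUSH_REPLY in the log above carries only the two route options, the DNS/WINS options, topology and ifconfig, so in this capture the redirect-gateway line never reached the client. The two sample logs are constructed: the first abbreviates lines from the post, the second is what the same Windows client logs once the server does push "redirect-gateway def1" (host route to the server via the physical gateway, then 0.0.0.0 MASK 128.0.0.0 and 128.0.0.0 MASK 128.0.0.0 via the VPN gateway).

```python
import re

# Constructed sample, abbreviated from the client log posted in this thread
# (same option strings, same route additions); not a verbatim copy.
LOG_POSTED = """\
Fri Feb 09 15:52:35 2018 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Fri Feb 09 15:52:46 2018 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 10.8.0.1,dhcp-option WINS 10.8.0.1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Fri Feb 09 15:52:46 2018 ROUTE_GATEWAY 172.20.10.1/255.255.255.240 I=11 HWADDR=00:18:de:c7:9d:05
Fri Feb 09 15:52:51 2018 C:\\Windows\\system32\\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.8.0.5
Fri Feb 09 15:52:51 2018 C:\\Windows\\system32\\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.5
Fri Feb 09 15:54:35 2018 ROUTE_GATEWAY 192.168.10.1/255.255.255.0 I=11 HWADDR=00:18:de:c7:9d:05
"""

# Constructed sample of a working full-tunnel session on the same client.
LOG_FULL_TUNNEL = """\
Sat Feb 10 20:21:00 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,topology net30,ifconfig 10.8.0.6 10.8.0.5'
Sat Feb 10 20:21:05 2018 C:\\Windows\\system32\\route.exe ADD 111.111.111.111 MASK 255.255.255.255 192.168.10.1
Sat Feb 10 20:21:05 2018 C:\\Windows\\system32\\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Sat Feb 10 20:21:05 2018 C:\\Windows\\system32\\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
"""

PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")
ROUTE_ADD_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")
GW_RE = re.compile(r"ROUTE_GATEWAY (\S+)/(\S+) ")
DEF1_ROUTES = {("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")}


def parse_client_log(text):
    """Collect the pushed options, the routes the client added, the physical
    gateways seen and any deprecation warnings."""
    info = {"pushed": [], "routes_added": [], "gateways": [], "deprecated": []}
    for line in text.splitlines():
        m = PUSH_RE.search(line)
        if m:
            info["pushed"] = m.group(1).split(",")
        m = ROUTE_ADD_RE.search(line)
        if m:
            info["routes_added"].append(m.groups())  # (destination, mask, gateway)
        m = GW_RE.search(line)
        if m:
            info["gateways"].append(m.group(1))
        if "is DEPRECATED" in line:
            info["deprecated"].append(line.split("WARNING: ")[1])
    return info


def redirect_gateway_status(info):
    """Did the server push redirect-gateway, and did the client install the
    routes that go with it (two /1 routes for def1, a new default otherwise)?"""
    rg = [o for o in info["pushed"] if o.startswith("redirect-gateway")]
    if not rg:
        return "not pushed"
    added = {(dst, mask) for dst, mask, _ in info["routes_added"]}
    if len(added & DEF1_ROUTES) == 2 or ("0.0.0.0", "0.0.0.0") in added:
        return "pushed and applied: " + rg[0]
    return "pushed but no default route installed: " + rg[0]


def findings(text):
    """Human-readable summary for one client log."""
    info = parse_client_log(text)
    out = ["redirect-gateway: " + redirect_gateway_status(info)]
    if len(set(info["gateways"])) > 1:
        out.append("client changed physical gateway during the capture: "
                   + " -> ".join(info["gateways"]))
    out.extend("deprecated option: " + d for d in info["deprecated"])
    return out


if __name__ == "__main__":
    for name, log in (("posted", LOG_POSTED), ("full tunnel", LOG_FULL_TUNNEL)):
        print(name)
        for f in findings(log):
            print("  " + f)
```

The first sample yields "redirect-gateway: not pushed" plus a note that the client moved from the 172.20.10.0/28 gateway to 192.168.10.1 between the two connections, which is why the log shows a connection reset and a fresh TUN/TAP setup rather than a server-side disconnect.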

ar007
OpenVpn Newbie
Posts: 6
Joined: Sat Feb 03, 2018 1:36 pm

Re: Sending all Client traffic through VPN not working

Post by ar007 » Fri Feb 09, 2018 3:09 pm

And the client configuration file:

CLIENT

client
dev tun
proto tcp
remote 111.111.111.111 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ca1.crt
key ca1.key
# deprecated since OpenVPN 2.4 (hence the warning in the log); the replacement
# is "remote-cert-tls server", which needs a server certificate carrying the
# matching key usage / extended key usage
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 3

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Sending all Client traffic through VPN not working

Post by TinCanTech » Fri Feb 09, 2018 3:47 pm

ar007 wrote:
Fri Feb 09, 2018 3:02 pm
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead
See --remote-cert-tls in The Manual v24x

Easiest solution to that is use EasyRSA 3.x to create a new PKI.
https://github.com/OpenVPN/easy-rsa/releases

You will need to see your server log to find out why the server is disconnecting you, I suggest your router manual and/or support web site.

Finally, you may not have problems yet but you will do because:
  • NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
  Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN!
  • You are advised to change your server LAN to a more unique RFC1918 compliant subnet.
    For example: 192.168.143.0/24

ar007
OpenVpn Newbie
Posts: 6
Joined: Sat Feb 03, 2018 1:36 pm

Re: Sending all Client traffic through VPN not working

Post by ar007 » Fri Feb 09, 2018 6:45 pm

Thanks for your reply!

I found a syslog in the router and switched it on. I will try tomorrow and see what happens when I connect from mobile.

Thanks for all the tips; I already had an issue with the IP addresses and I was about to go and change them.

But I am not losing the connection; the router is not disconnecting me. I can connect to all the local devices, but I can't redirect all the traffic from the VPN client through the server....

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Sending all Client traffic through VPN not working

Post by TinCanTech » Fri Feb 09, 2018 8:18 pm

ar007 wrote:
Sat Feb 03, 2018 1:49 pm
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o vlan2 -j SNAT --to-source $(nvram get wan_ipaddr)
I would check that with your router support.

HOWTO: Routing all client traffic (including web-traffic) through the VPN

ar007
OpenVpn Newbie
Posts: 6
Joined: Sat Feb 03, 2018 1:36 pm

Re: Sending all Client traffic through VPN not working

Post by ar007 » Sat Feb 10, 2018 8:37 pm

I've changed the local IP addresses in the network, and I activated the line in the server config:


push "redirect-gateway local def1"
This is the log from the server when the device is making a connection from the outside world.


Feb 10 20:20:55 XXX daemon.notice openvpn[18388]: TCP connection established with [AF_INET]188.206.73.xxx:16421
Feb 10 20:20:55 XXX daemon.notice openvpn[18388]: 188.206.73.xxx:16421 [aruiter] Peer Connection Initiated with [AF_INET]188.206.73.xxx:16421
Feb 10 20:20:55 XXX daemon.notice openvpn[18388]: user/188.206.73.xxx:16421 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Feb 10 20:20:55 XXX daemon.notice openvpn[18388]: user/188.206.73.xxx:16421 send_push_reply(): safe_cap=940
