How to set client to use local gateway? aka use connection for resources on its network only


Moderators: TinCanTech

gerapcik
OpenVpn Newbie
Posts: 3
Joined: Thu Nov 16, 2017 10:52 pm

How to set client to use local gateway? aka use connection for resources on its network only

Post by gerapcik » Thu Nov 16, 2017 11:17 pm

Hi,
sorry for this question, I tried to find a solution but found nothing.
I want to configure the clients to use their local gateway, not the server's one.
I just need to configure the clients in a way that they can see each other, but using their local gateways.

Here is my server.conf file:


port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
And the client.conf file on the server:


ifconfig-push 10.8.0.99
And here is client.ovpn on the client PC:


client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote a.b.c.d 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
comp-lzo
setenv opt block-outside-dns
key-direction 1
verb 3
When I connect with this configuration, all traffic from the client goes via the VPN server, and I don't want that.

When I look into /var/log/syslog on the server I find:


Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 TLS: Initial packet from [AF_INET]x.x.x.x:40795, sid=0fbd888b 778a14e6
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 CRL CHECK OK: CN=ChangeMe
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 VERIFY OK: depth=1, CN=ChangeMe
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 CRL CHECK OK: CN=gerard
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 VERIFY OK: depth=0, CN=gerard
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Nov 16 22:45:11 vpn ovpn-server[16286]: x.x.x.x:40795 [gerard] Peer Connection Initiated with [AF_INET]x.x.x.x:40795
Nov 16 22:45:11 vpn ovpn-server[16286]: MULTI: new connection by client 'gerard' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Nov 16 22:45:11 vpn ovpn-server[16286]: MULTI_sva: pool returned IPv4=10.8.0.99, IPv6=(Not enabled)
Nov 16 22:45:11 vpn ovpn-server[16286]: MULTI: Learn: 10.8.0.99 -> gerard/x.x.x.x:40795
Nov 16 22:45:11 vpn ovpn-server[16286]: MULTI: primary virtual IP for gerard/x.x.x.x:40795: 10.8.0.99
Nov 16 22:45:12 vpn ovpn-server[16286]: gerard/x.x.x.x:40795 PUSH: Received control message: 'PUSH_REQUEST'
Nov 16 22:45:12 vpn ovpn-server[16286]: gerard/x.x.x.x:40795 send_push_reply(): safe_cap=940
Nov 16 22:45:12 vpn ovpn-server[16286]: gerard/x.x.x.x:40795 SENT CONTROL [gerard]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.99 255.255.255.0' (status=1)
At the end of this file there is PUSH_REPLY,route-gateway 10.8.0.1, but I didn't set it anywhere.

What am I missing?

Please help!

gerapcik
OpenVpn Newbie
Posts: 3
Joined: Thu Nov 16, 2017 10:52 pm

Re: How to set client to use local gateway? aka use connection for resources on its network only

Post by gerapcik » Sat Nov 18, 2017 3:23 pm

On a PPTP VPN connection there is an option in Windows, 'use default gateway on remote network'. If it's not checked I can see the computers in the VPN LAN, and the default connection is via the local gateway. Is there anything similar in OpenVPN?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to set client to use local gateway? aka use connection for resources on its network only

Post by TinCanTech » Sat Nov 18, 2017 4:44 pm

The first thing to point out is .. that is not your current server config file.

Your server is pushing ifconfig 10.8.0.99 255.255.255.0 which means it is reading the CCD file but there is no --client-connect-dir in your server config ..

The second thing to point out is there is no --redirect-gateway in either your server or client config files, so the client traffic is not being routed via your server.

The third thing to point out is setenv opt block-outside-dns is not required. Instead use --block-outside-dns .. but if you do you must make sure you push a DNS server to the client.

I suggest you read this:
HOWTO: Routing all client traffic (including web-traffic) through the VPN

gerapcik
OpenVpn Newbie
Posts: 3
Joined: Thu Nov 16, 2017 10:52 pm

Re: How to set client to use local gateway? aka use connection for resources on its network only

Post by gerapcik » Sun Nov 19, 2017 1:09 am

I am quite sure this is my current server config file.
/etc/openvpn/server.conf is:
Server Config
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "redirect-gateway def1"
#push "dhcp-option DNS 10.8.0.1"
#push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
client-config-dir ccd

And this is what happens when I restart the openvpn service:


Nov 18 23:52:37 vpn ovpn-server[3748]: event_wait : Interrupted system call (code=4)
Nov 18 23:52:37 vpn ovpn-server[3748]: Closing TUN/TAP interface
Nov 18 23:52:37 vpn ovpn-server[3748]: /sbin/ip addr del dev tun0 10.8.0.1/24
Nov 18 23:52:37 vpn systemd[1]: Stopping OpenVPN connection to server...
Nov 18 23:52:37 vpn systemd[1]: Stopped OpenVPN service.
Nov 18 23:52:37 vpn systemd[1]: Stopping OpenVPN service...
Nov 18 23:52:37 vpn ovpn-server[3748]: Linux ip addr del failed: external program exited with error status: 2
Nov 18 23:52:37 vpn systemd[1]: Starting OpenVPN service...
Nov 18 23:52:37 vpn systemd[1]: Started OpenVPN service.
Nov 18 23:52:37 vpn ovpn-server[3748]: SIGTERM[hard,] received, process exiting
Nov 18 23:52:37 vpn systemd[1]: Stopped OpenVPN connection to server.
Nov 18 23:52:37 vpn systemd[1]: Starting OpenVPN connection to server...
Nov 18 23:52:37 vpn ovpn-server[3867]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Nov 18 23:52:37 vpn ovpn-server[3867]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Nov 18 23:52:37 vpn systemd[1]: openvpn@server.service: PID file /run/openvpn/server.pid not readable (yet?) after start: No such file or directory
Nov 18 23:52:37 vpn systemd[1]: Started OpenVPN connection to server.
Nov 18 23:52:37 vpn ovpn-server[3873]: Diffie-Hellman initialized with 2048 bit key
Nov 18 23:52:37 vpn ovpn-server[3873]: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Nov 18 23:52:37 vpn ovpn-server[3873]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Nov 18 23:52:37 vpn ovpn-server[3873]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Nov 18 23:52:37 vpn ovpn-server[3873]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Nov 18 23:52:37 vpn ovpn-server[3873]: TUN/TAP device tun0 opened
Nov 18 23:52:37 vpn ovpn-server[3873]: TUN/TAP TX queue length set to 100
Nov 18 23:52:37 vpn ovpn-server[3873]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 18 23:52:37 vpn ovpn-server[3873]: /sbin/ip link set dev tun0 up mtu 1500
Nov 18 23:52:37 vpn ovpn-server[3873]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Nov 18 23:52:37 vpn ovpn-server[3873]: GID set to nogroup
Nov 18 23:52:37 vpn ovpn-server[3873]: UID set to nobody
Nov 18 23:52:37 vpn ovpn-server[3873]: UDPv4 link local (bound): [undef]
Nov 18 23:52:37 vpn ovpn-server[3873]: UDPv4 link remote: [undef]
Nov 18 23:52:37 vpn ovpn-server[3873]: MULTI: multi_init called, r=256 v=256
Nov 18 23:52:37 vpn ovpn-server[3873]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Nov 18 23:52:37 vpn ovpn-server[3873]: ifconfig_pool_read(), in='server-feltham,10.8.0.30', TODO: IPv6
Nov 18 23:52:37 vpn ovpn-server[3873]: succeeded -> ifconfig_pool_set()
Nov 18 23:52:37 vpn ovpn-server[3873]: ifconfig_pool_read(), in='gerard,10.8.0.99', TODO: IPv6
Nov 18 23:52:37 vpn ovpn-server[3873]: succeeded -> ifconfig_pool_set()
Nov 18 23:52:37 vpn ovpn-server[3873]: IFCONFIG POOL LIST
Nov 18 23:52:37 vpn ovpn-server[3873]: server-feltham,10.8.0.30
Nov 18 23:52:37 vpn ovpn-server[3873]: gerard,10.8.0.99
Nov 18 23:52:37 vpn ovpn-server[3873]: Initialization Sequence Completed
And what happens when I connect a client:


Nov 18 23:53:34 vpn ovpn-server[3873]: a.b.c.d:47449 TLS: Initial packet from [AF_INET]a.b.c.d:47449, sid=935d62fc 34dc7cb0
Nov 18 23:53:34 vpn ovpn-server[3873]: a.b.c.d:47449 CRL CHECK OK: CN=ChangeMe
Nov 18 23:53:34 vpn ovpn-server[3873]: a.b.c.d:47449 VERIFY OK: depth=1, CN=ChangeMe
Nov 18 23:53:34 vpn ovpn-server[3873]: a.b.c.d:47449 CRL CHECK OK: CN=gerard
Nov 18 23:53:34 vpn ovpn-server[3873]: a.b.c.d:47449 VERIFY OK: depth=0, CN=gerard
Nov 18 23:53:34 vpn ovpn-server[3873]: a.b.c.d:47449 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Nov 18 23:53:34 vpn ovpn-server[3873]: a.b.c.d:47449 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Nov 18 23:53:34 vpn ovpn-server[3873]: a.b.c.d:47449 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Nov 18 23:53:34 vpn ovpn-server[3873]: a.b.c.d:47449 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Nov 18 23:53:34 vpn ovpn-server[3873]: a.b.c.d:47449 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Nov 18 23:53:34 vpn ovpn-server[3873]: a.b.c.d:47449 [gerard] Peer Connection Initiated with [AF_INET]a.b.c.d:47449
Nov 18 23:53:34 vpn ovpn-server[3873]: gerard/a.b.c.d:47449 MULTI_sva: pool returned IPv4=10.8.0.99, IPv6=(Not enabled)
Nov 18 23:53:34 vpn ovpn-server[3873]: gerard/a.b.c.d:47449 MULTI: Learn: 10.8.0.99 -> gerard/a.b.c.d:47449
Nov 18 23:53:34 vpn ovpn-server[3873]: gerard/a.b.c.d:47449 MULTI: primary virtual IP for gerard/a.b.c.d:47449: 10.8.0.99
Nov 18 23:53:35 vpn ovpn-server[3873]: gerard/a.b.c.d:47449 PUSH: Received control message: 'PUSH_REQUEST'
Nov 18 23:53:35 vpn ovpn-server[3873]: gerard/a.b.c.d:47449 send_push_reply(): safe_cap=940
Nov 18 23:53:35 vpn ovpn-server[3873]: gerard/a.b.c.d:47449 SENT CONTROL [gerard]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.99 255.255.255.0' (status=1)
I really appreciate your info about tunnelling, but I am very much a newbie, and I hoped that there is some simple setting that lets clients use the default local gateway for the internet, and that every connection to 10.8.0.0 would use the VPN.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to set client to use local gateway? aka use connection for resources on its network only

Post by TinCanTech » Sun Nov 19, 2017 11:37 am

gerapcik wrote:
Sun Nov 19, 2017 1:09 am
i am quite sure this is my current server config file
And it is different to your first post ..
gerapcik wrote:
Sun Nov 19, 2017 1:09 am
i hoped that there is some simple setting that let clients use defautl local gateway for internet and for every connection to 10.8.0.0 would use vpn.
That is exactly what your logs show you currently have.

Your client is not using the VPN for internet, only for 10.8.0.0/24 .. i.e. the client's local gateway to the internet is in use.
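The question in the first post (why `route-gateway 10.8.0.1` shows up in the PUSH_REPLY) and the answer above (split tunnel unless `redirect-gateway` is pushed) can both be checked directly from the server's own log. The script below is an added example, not code from the thread or from the OpenVPN project: it parses `SENT CONTROL ... 'PUSH_REPLY,...'` lines and reports, per client, whether the pushed options make the client full-tunnel or split-tunnel. The first sample line is the PUSH_REPLY quoted in this thread; the second is a constructed line (client name `alice`, address `198.51.100.7`) showing what a server that does push `redirect-gateway def1` and a DNS server would send. `route-gateway` is only the next hop OpenVPN uses for routes inside the tunnel subnet (it is part of what the `server` directive expands to under `topology subnet`); it never installs a default route by itself.

```python
import re

# Constructed sample log. Line 1 is the PUSH_REPLY from this thread; line 2 is a
# made-up full-tunnel reply for a hypothetical client "alice".
SAMPLE_LOG = """\
Nov 18 23:53:35 vpn ovpn-server[3873]: gerard/a.b.c.d:47449 SENT CONTROL [gerard]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.99 255.255.255.0' (status=1)
Nov 18 23:58:01 vpn ovpn-server[3873]: alice/198.51.100.7:51001 SENT CONTROL [alice]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.100 255.255.255.0' (status=1)
"""

# Matches the common name and the comma-separated option list of a PUSH_REPLY.
PUSH_REPLY_RE = re.compile(r"SENT CONTROL \[(?P<cn>[^\]]+)\]: 'PUSH_REPLY,(?P<opts>[^']*)'")


def parse_push_reply(line):
    """Return (common_name, [pushed options]) for a PUSH_REPLY log line, else None."""
    m = PUSH_REPLY_RE.search(line)
    if not m:
        return None
    opts = [o.strip() for o in m.group("opts").split(",") if o.strip()]
    return m.group("cn"), opts


def classify(opts):
    """Summarise what routing the client will end up with from the pushed options."""
    full_tunnel = any(o.startswith("redirect-gateway") for o in opts)
    pushed_routes = [o for o in opts if o.startswith("route ")]
    dns = [o.split()[-1] for o in opts if o.startswith("dhcp-option DNS")]
    gateway = next((o.split()[1] for o in opts if o.startswith("route-gateway")), None)
    ifconfig = next((o for o in opts if o.startswith("ifconfig ")), None)
    return {
        "mode": "full-tunnel" if full_tunnel else "split-tunnel",
        "route_gateway": gateway,      # next hop for routes inside the tunnel only
        "pushed_routes": pushed_routes,
        "dns": dns,
        "ifconfig": ifconfig,
        # All traffic redirected but no DNS pushed: client keeps resolving via its
        # local resolver, which is the case the reply above warns about.
        "full_tunnel_without_dns": full_tunnel and not dns,
    }


def audit(log_text):
    """Map each client common name to its routing summary."""
    results = {}
    for line in log_text.splitlines():
        parsed = parse_push_reply(line)
        if parsed:
            cn, opts = parsed
            results[cn] = classify(opts)
    return results


if __name__ == "__main__":
    for cn, summary in audit(SAMPLE_LOG).items():
        print(cn, summary)
```

Run it against `/var/log/syslog` (or the file your `status`/`log` directive points at) instead of `SAMPLE_LOG` to see, for every client that connected, which way its traffic is routed. For the thread's own client the output is `split-tunnel` with `route_gateway` 10.8.0.1 and no pushed routes, which is the "use local gateway for internet, VPN for 10.8.0.0/24" behaviour the original poster wanted.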
