Routing all of traffic through VPN and SSH

domtomcat
OpenVpn Newbie
Posts: 6
Joined: Thu Jun 30, 2011 8:04 am

Routing all of traffic through VPN and SSH

Post by domtomcat » Thu Jun 30, 2011 10:23 am

I have a problem concerning VPN over SSH.

I've got two very restrictive firewalls, a remote VPN server (which I don't have administrative access to) and a separate SSH server on the same subnet as the VPN server.

I can connect to the remote subnet by ssh, including port forwarding. Some of my applications don't seem to be able to use SOCKS proxy. That's why I want to try VPN over ssh. I'd like to redirect all internet traffic over VPN.

I followed this tutorial for having OpenVPN use the SSH as socks 5 server:
http://www.anonyproz.com/openvpnsshtunnel.pdf

Is it even possible to redirect all of the internet traffic to use the VPN which is tunnelled through SSH?
1. I log into the SSH server - works fine.
2. I connect to the VPN server, using the SSH SOCKS proxy - works fine.
3. Just when the connection has been established, the SSH connection crashes. Maybe because OpenVPN also tries to route SSH over the VPN? (deadlock?)
4. All of the traffic is still routed through the local subnet. This might be due to 3. but it doesn't even seem to try to route through VPN, which itself thinks it is still only for 15+ seconds.

Does anyone have any experiences on that ?

Thank you in advance

I cannot provide the OpenVPN server config. I don't have access to it.

client config (Windows 7). VPN server is R.R.R.R. This is a config file which has already proven to work from other WLANs etc.

client
auth-user-pass
dev tun
proto tcp
remote R.R.R.R 1194
resolv-retry infinite
nobind
ca wlanin.pem
tls-auth wlanin.key 1
cipher AES-128-CBC
comp-lzo
verb 6
redirect-gateway
route-method exe
dhcp-option DOMAIN yyy.xx
dhcp-option DNS R.R.R.R2

Here is my routing table, with my virtual local IP being 192.168.199.94
My Local subnet is denoted by L.L.L.x

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0   192.168.199.93   192.168.199.94     31
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
        127.0.0.1  255.255.255.255        L.L.L.254         L.L.L.162     21
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
          L.L.L.0    255.255.255.0   Auf Verbindung         L.L.L.162    276
        L.L.L.162  255.255.255.255   Auf Verbindung         L.L.L.162    276
        L.L.L.255  255.255.255.255   Auf Verbindung         L.L.L.162    276
    192.168.199.0    255.255.255.0   192.168.199.93   192.168.199.94     31
    192.168.199.1  255.255.255.255   192.168.199.93   192.168.199.94     31
   192.168.199.92  255.255.255.252   Auf Verbindung    192.168.199.94    286
   192.168.199.94  255.255.255.255   Auf Verbindung    192.168.199.94    286
   192.168.199.95  255.255.255.255   Auf Verbindung    192.168.199.94    286
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung         L.L.L.162    276
        224.0.0.0        240.0.0.0   Auf Verbindung    192.168.199.94    286
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung         L.L.L.162    276
  255.255.255.255  255.255.255.255   Auf Verbindung    192.168.199.94    286
===========================================================================
Only the last few log outputs, including the route commands (since it was actually successful).

Thu Jun 30 12:18:47 2011 us=376000 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.199.222/255.255.255.252 on interface {DF3D436A-82A7-4889-A93F-40C52E63E2EA} [DHCP-serv: 192.168.199.221, lease-time: 31536000]
Thu Jun 30 12:18:47 2011 us=376000 DHCP option string: 0f17696e 666f726d 6174696b 2e68752d 6265726c 696e2e64 6506048d 141432
Thu Jun 30 12:18:47 2011 us=376000 Successful ARP Flush on interface [24] {DF3D436A-82A7-4889-A93F-40C52E63E2EA}
Thu Jun 30 12:18:47 2011 us=376000 TCPv4_CLIENT WRITE [50] to 127.0.0.1:4444: P_ACK_V1 kid=0 pid=[ #40 ] [ 33 ]
Thu Jun 30 12:18:47 2011 us=391000 TCPv4_CLIENT WRITE [54] to 127.0.0.1:4444: P_ACK_V1 kid=0 pid=[ #41 ] [ 34 35 ]
Thu Jun 30 12:18:52 2011 us=539000 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Thu Jun 30 12:18:52 2011 us=539000 C:\WINDOWS\system32\route.exe ADD 127.0.0.1 MASK 255.255.255.255 L.L.L.254
 OK!
Thu Jun 30 12:18:52 2011 us=571000 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 L.L.L.254
 OK!
Thu Jun 30 12:18:52 2011 us=586000 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 192.168.199.221
 OK!
Thu Jun 30 12:18:52 2011 us=617000 WARNING: potential route subnet conflict between local LAN [192.168.199.220/255.255.255.252] and remote VPN [192.168.199.0/255.255.255.0]
Thu Jun 30 12:18:52 2011 us=617000 C:\WINDOWS\system32\route.exe ADD 192.168.199.0 MASK 255.255.255.0 192.168.199.221
 OK!
Thu Jun 30 12:18:52 2011 us=633000 C:\WINDOWS\system32\route.exe ADD 192.168.199.1 MASK 255.255.255.255 192.168.199.221
 OK!
Thu Jun 30 12:18:52 2011 us=649000 Initialization Sequence Completed
Thu Jun 30 12:18:53 2011 us=663000 TUN READ [100]
Thu Jun 30 12:18:53 2011 us=663000 TCPv4_CLIENT WRITE [149] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=148
Thu Jun 30 12:18:53 2011 us=663000 TUN READ [100]
Thu Jun 30 12:18:53 2011 us=663000 TCPv4_CLIENT WRITE [149] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=148
Thu Jun 30 12:18:56 2011 us=845000 TCPv4_CLIENT READ [69] from 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=68
Thu Jun 30 12:18:57 2011 us=672000 TUN READ [100]
Thu Jun 30 12:18:57 2011 us=672000 TCPv4_CLIENT WRITE [149] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=148
Thu Jun 30 12:18:57 2011 us=672000 TUN READ [100]
Thu Jun 30 12:18:57 2011 us=672000 TCPv4_CLIENT WRITE [149] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=148
Thu Jun 30 12:18:58 2011 us=701000 TUN READ [69]
Thu Jun 30 12:18:58 2011 us=701000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:18:58 2011 us=701000 TUN READ [60]
Thu Jun 30 12:18:58 2011 us=701000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:18:59 2011 us=700000 TUN READ [69]
Thu Jun 30 12:18:59 2011 us=700000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:18:59 2011 us=700000 TUN READ [69]
Thu Jun 30 12:18:59 2011 us=700000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:18:59 2011 us=700000 TUN READ [60]
Thu Jun 30 12:18:59 2011 us=700000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:18:59 2011 us=700000 TUN READ [60]
Thu Jun 30 12:18:59 2011 us=700000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:00 2011 us=698000 TUN READ [69]
Thu Jun 30 12:19:00 2011 us=698000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:00 2011 us=698000 TUN READ [69]
Thu Jun 30 12:19:00 2011 us=698000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:00 2011 us=698000 TUN READ [60]
Thu Jun 30 12:19:00 2011 us=698000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:00 2011 us=698000 TUN READ [60]
Thu Jun 30 12:19:00 2011 us=698000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:02 2011 us=165000 TUN READ [100]
Thu Jun 30 12:19:02 2011 us=165000 TCPv4_CLIENT WRITE [149] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=148
Thu Jun 30 12:19:02 2011 us=711000 TUN READ [69]
Thu Jun 30 12:19:02 2011 us=711000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:02 2011 us=711000 TUN READ [69]
Thu Jun 30 12:19:02 2011 us=711000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:02 2011 us=711000 TUN READ [60]
Thu Jun 30 12:19:02 2011 us=711000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:02 2011 us=711000 TUN READ [60]
Thu Jun 30 12:19:02 2011 us=711000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:03 2011 us=163000 TUN READ [100]
Thu Jun 30 12:19:03 2011 us=163000 TCPv4_CLIENT WRITE [149] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=148
Thu Jun 30 12:19:03 2011 us=163000 TUN READ [100]
Thu Jun 30 12:19:03 2011 us=163000 TCPv4_CLIENT WRITE [149] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=148
Thu Jun 30 12:19:04 2011 us=161000 TUN READ [100]
Thu Jun 30 12:19:04 2011 us=161000 TCPv4_CLIENT WRITE [149] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=148
Thu Jun 30 12:19:04 2011 us=161000 TUN READ [100]
Thu Jun 30 12:19:04 2011 us=161000 TCPv4_CLIENT WRITE [149] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=148
Thu Jun 30 12:19:06 2011 us=174000 TUN READ [100]
Thu Jun 30 12:19:06 2011 us=174000 TCPv4_CLIENT WRITE [149] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=148
Thu Jun 30 12:19:06 2011 us=174000 TUN READ [100]
Thu Jun 30 12:19:06 2011 us=174000 TCPv4_CLIENT WRITE [149] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=148
Thu Jun 30 12:19:06 2011 us=704000 TUN READ [69]
Thu Jun 30 12:19:06 2011 us=704000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:06 2011 us=704000 TUN READ [69]
Thu Jun 30 12:19:06 2011 us=704000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:06 2011 us=704000 TUN READ [60]
Thu Jun 30 12:19:06 2011 us=704000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:06 2011 us=704000 TUN READ [60]
Thu Jun 30 12:19:06 2011 us=704000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:10 2011 us=168000 TUN READ [100]
Thu Jun 30 12:19:10 2011 us=168000 TCPv4_CLIENT WRITE [149] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=148
Thu Jun 30 12:19:10 2011 us=168000 TUN READ [100]
Thu Jun 30 12:19:10 2011 us=168000 TCPv4_CLIENT WRITE [149] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=148
Thu Jun 30 12:19:12 2011 us=55000 TUN READ [60]
Thu Jun 30 12:19:12 2011 us=55000 TCPv4_CLIENT WRITE [117] to 127.0.0.1:4444: P_DATA_V1 kid=0 DATA len=116
Thu Jun 30 12:19:12 2011 us=570000 Connection reset, restarting [0]
Thu Jun 30 12:19:12 2011 us=570000 TCP/UDP: Closing socket
Thu Jun 30 12:19:12 2011 us=570000 C:\WINDOWS\system32\route.exe DELETE 192.168.199.1 MASK 255.255.255.255 192.168.199.221
 OK!
Thu Jun 30 12:19:12 2011 us=601000 C:\WINDOWS\system32\route.exe DELETE 192.168.199.0 MASK 255.255.255.0 192.168.199.221
 OK!
Thu Jun 30 12:19:12 2011 us=617000 C:\WINDOWS\system32\route.exe DELETE 127.0.0.1 MASK 255.255.255.255 L.L.L.254
 OK!
Thu Jun 30 12:19:12 2011 us=632000 C:\WINDOWS\system32\route.exe DELETE 0.0.0.0 MASK 0.0.0.0 192.168.199.221
 OK!
Thu Jun 30 12:19:12 2011 us=664000 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 0.0.0.0 L.L.L.254
 OK!
Thu Jun 30 12:19:12 2011 us=679000 Closing TUN/TAP interface
Thu Jun 30 12:19:12 2011 us=679000 SIGUSR1[soft,connection-reset] received, process restarting
Thu Jun 30 12:19:12 2011 us=679000 Restart pause, 5 second(s)

domtomcat
OpenVpn Newbie
Posts: 6
Joined: Thu Jun 30, 2011 8:04 am

Re: Routing all of traffic through VPN and SSH

Post by domtomcat » Thu Jun 30, 2011 10:25 am

"This is a config file which has already proven to work from other WLANs etc." By saying this, I only mean other computers and networks, not this particular Windows 7 client behind a very strict firewall.

maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing all of traffic through VPN and SSH

Post by maikcat » Thu Jun 30, 2011 10:30 am

hi there,

in your logs appears this:

>WARNING: potential route subnet conflict between local LAN
>[192.168.199.220/255.255.255.252] and remote VPN [192.168.199.0/255.255.255.0]

what is your local lan ip subnet?

[EDIT] i noticed that your peer gives you 192.168.199.222.

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

domtomcat
OpenVpn Newbie
Posts: 6
Joined: Thu Jun 30, 2011 8:04 am

Re: Routing all of traffic through VPN and SSH

Post by domtomcat » Thu Jun 30, 2011 12:14 pm

Oh, I actually didn't notice.

But strange, I don't know where the "local" subnet [192.168.199.220/255.255.255.252] originates. One adapter has a 129.... subnet, the others are deactivated (except for the tap device).

maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing all of traffic through VPN and SSH

Post by maikcat » Thu Jun 30, 2011 12:24 pm

if you remove redirect gateway from your client,
does it change anything?

what openvpn version are you using?

Michael
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

domtomcat
OpenVpn Newbie
Posts: 6
Joined: Thu Jun 30, 2011 8:04 am

Re: Routing all of traffic through VPN and SSH

Post by domtomcat » Thu Jun 30, 2011 12:49 pm

Ok, Bingo. That did solve the SSH problem (losing SSH connectivity after OpenVPN had connected).
Thanks heaps for that!

One more problem is remaining. I'm not 100% sure, but the OpenVPN server is supposed to push redirect gateway to the clients. If not, maybe that's the reason why the client config had that redirect.

The traffic still routes through the local ip instead of the VPN.
I did try a little with manual routing, but I guess I still haven't quite understood.
(e.g. changing route 0.0.0.0/0.0.0.0 to route to the VPN IP 192.168.199.158 again crashes SSH)

Do you (or someone else) have any idea on that ?

routing

IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0  L.L.L.254  L.L.L.162     21
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
        127.0.0.1  255.255.255.255   Auf Verbindung         127.0.0.1    306
  127.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
          L.L.L.0    255.255.255.0   Auf Verbindung         L.L.L.162    276
        L.L.L.162  255.255.255.255   Auf Verbindung         L.L.L.162    276
        L.L.L.255  255.255.255.255   Auf Verbindung         L.L.L.162    276
    192.168.199.0    255.255.255.0  192.168.199.157  192.168.199.158     31
    192.168.199.1  255.255.255.255  192.168.199.157  192.168.199.158     31
  192.168.199.156  255.255.255.252   Auf Verbindung   192.168.199.158    286
  192.168.199.158  255.255.255.255   Auf Verbindung   192.168.199.158    286
  192.168.199.159  255.255.255.255   Auf Verbindung   192.168.199.158    286
        224.0.0.0        240.0.0.0   Auf Verbindung         127.0.0.1    306
        224.0.0.0        240.0.0.0   Auf Verbindung         L.L.L.162    276
        224.0.0.0        240.0.0.0   Auf Verbindung   192.168.199.158    286
  255.255.255.255  255.255.255.255   Auf Verbindung         127.0.0.1    306
  255.255.255.255  255.255.255.255   Auf Verbindung         L.L.L.162    276
  255.255.255.255  255.255.255.255   Auf Verbindung   192.168.199.158    286
===========================================================================

my OpenVPN Version

OpenVPN 2.2.0 Win32-MSVC++ [SSL] [LZO2] built on Apr 26 2011

maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing all of traffic through VPN and SSH

Post by maikcat » Thu Jun 30, 2011 1:10 pm

add this to your client config and try again

redirect-gateway def1

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

domtomcat
OpenVpn Newbie
Posts: 6
Joined: Thu Jun 30, 2011 8:04 am

Re: Routing all of traffic through VPN and SSH

Post by domtomcat » Thu Jun 30, 2011 2:22 pm

That did the trick! Now all's fine.
I still don't completely understand though... but nevermind.

And I was able to find the solution for a second, similar setup. There I had to explicitly add "redirect-gateway", so the other way around.

Thank you for making my day!

(Do I have to close the thread somehow?)
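The routing behaviour this thread turns on can be checked offline: the first post's suspicion that the SSH session itself gets routed into the tunnel once the default route changes, and the difference between plain redirect-gateway (delete the LAN default route, add one via the tunnel, as the route.exe lines in the log show) and redirect-gateway def1 (leave the LAN default alone, add 0.0.0.0/1 and 128.0.0.0/1 via the tunnel). The script below is an added example, not code from the thread or from OpenVPN. It parses a constructed routing table in the layout of the route print output quoted above (the L.L.L.x placeholders replaced by the documentation range 192.0.2.x, the VPN-side rows reused from the second table in the thread) and performs the longest-prefix, lowest-metric lookup the Windows stack does. The SSH server address 203.0.113.10 and the "LAN peer" 192.0.2.50 are assumptions for the demonstration.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample in the layout of the Windows "route print" output quoted in
# the thread (German column headings as in the post). L.L.L.x from the post is
# replaced by 192.0.2.x; the 192.168.199.x rows are taken from the second table.
LAN_TABLE = """\
IPv4-Routentabelle
===========================================================================
Aktive Routen:
     Netzwerkziel    Netzwerkmaske          Gateway    Schnittstelle Metrik
          0.0.0.0          0.0.0.0      192.0.2.254       192.0.2.162     21
        127.0.0.0        255.0.0.0   Auf Verbindung         127.0.0.1    306
        192.0.2.0    255.255.255.0   Auf Verbindung       192.0.2.162    276
    192.168.199.0    255.255.255.0  192.168.199.157  192.168.199.158     31
  192.168.199.156  255.255.255.252   Auf Verbindung   192.168.199.158    286
===========================================================================
"""

# Assumed address of the SSH server carrying the SOCKS proxy (not on the page).
SSH_SERVER = "203.0.113.10"
LAN_GW, LAN_IF = "192.0.2.254", "192.0.2.162"
VPN_GW, VPN_IF = "192.168.199.157", "192.168.199.158"

# destination, mask, gateway ("Auf Verbindung" = on-link), interface, metric
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
                 r"(\S+(?: \S+)?)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


class Route:
    def __init__(self, network: str, gateway: Optional[str], iface: str, metric: int):
        self.network = ipaddress.ip_network(network, strict=False)
        self.gateway = gateway  # None means on-link ("Auf Verbindung")
        self.iface = iface
        self.metric = metric


def parse_route_table(text: str) -> List[Route]:
    """Parse the 'Aktive Routen' rows; headings and separator lines never match ROW."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        gateway = None if gw == "Auf Verbindung" else gw
        routes.append(Route(f"{dest}/{mask}", gateway, iface, int(metric)))
    return routes


def lookup(routes: List[Route], dest: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match, lowest metric as tie-break: (gateway, interface)."""
    d = ipaddress.ip_address(dest)
    matches = [r for r in routes if d in r.network]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r.network.prefixlen, -r.metric))
    return (best.gateway or "on-link", best.iface)


def redirect_gateway_plain(routes: List[Route]) -> List[Route]:
    """Mimic the route.exe calls in the log: pin OpenVPN's 'remote' (127.0.0.1,
    the local SOCKS listener) via the LAN gateway, delete the LAN default route,
    add a new default route through the tunnel."""
    kept = [r for r in routes if r.network.prefixlen != 0]
    return kept + [Route("127.0.0.1/32", LAN_GW, LAN_IF, 21),
                   Route("0.0.0.0/0", VPN_GW, VPN_IF, 31)]


def redirect_gateway_def1(routes: List[Route]) -> List[Route]:
    """'def1' keeps the LAN default route and adds two /1 routes via the tunnel;
    they win on prefix length, so nothing has to be deleted or restored."""
    return routes + [Route("0.0.0.0/1", VPN_GW, VPN_IF, 31),
                     Route("128.0.0.0/1", VPN_GW, VPN_IF, 31)]


def pin_host(routes: List[Route], host: str, gateway: str, iface: str) -> List[Route]:
    """Add a /32 for one host via the LAN gateway; it beats any /0 or /1 route."""
    return routes + [Route(f"{host}/32", gateway, iface, 21)]


if __name__ == "__main__":
    lan = parse_route_table(LAN_TABLE)
    variants = [
        ("before", lan),
        ("redirect-gateway", redirect_gateway_plain(lan)),
        ("redirect-gateway def1", redirect_gateway_def1(lan)),
        ("def1 + pinned SSH host", pin_host(redirect_gateway_def1(lan), SSH_SERVER, LAN_GW, LAN_IF)),
    ]
    for label, table in variants:
        print(f"{label:24s} SSH server via {lookup(table, SSH_SERVER)}  "
              f"LAN peer via {lookup(table, '192.0.2.50')}")
```

What the simulation shows: with either variant, a destination outside the LAN is looked up through the tunnel unless a more specific route exists. The host route OpenVPN added in the log covers only its configured remote, 127.0.0.1 (the SOCKS listener), so the TCP session to the real SSH server gets no such protection in either variant; only an explicit /32 for that host keeps it on the LAN gateway. The difference def1 makes is that the original default route is never deleted, so tearing the tunnel down cannot leave the host without a default route. The simulation does not by itself explain why def1 worked for the poster while the plain variant did not.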

domtomcat
OpenVpn Newbie
Posts: 6
Joined: Thu Jun 30, 2011 8:04 am

Re: Routing all of traffic through VPN and SSH

Post by domtomcat » Thu Jun 30, 2011 2:53 pm

Maybe one more question:

The option

dhcp-option DNS a.b.c.d

doesn't seem to be used at connecting. It works if I go to network adapter settings, open IP4 settings and close again... (without changes). Is there any option for "flushing"/"renewing" the DNS upon connecting ?!

maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing all of traffic through VPN and SSH

Post by maikcat » Sun Jul 03, 2011 8:49 am

well in windows if you issue ipconfig /flushdns it flushes the dns resolver cache
maybe using it within a script will help you out..

i will check it and tell you.

Michael.

ps: don't think you can close a thread, moderators can.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"
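One way to run that command automatically, as an added example that is not from the thread or from the OpenVPN project: OpenVPN's up directive runs an external script once the TUN/TAP device has been opened, and script-security 2 is required before OpenVPN will execute it. The path to the batch file is an assumption; the file itself contains only the ipconfig command from the reply above.

```text
# client config fragment (added example, not the poster's config):
# allow OpenVPN to run external scripts
script-security 2
# assumed path; flushdns.bat contains the single line:  ipconfig /flushdns
up "C:\\Program Files\\OpenVPN\\config\\flushdns.bat"
```

Backslashes in the path are doubled because OpenVPN treats a single backslash in a quoted config value as an escape character. Whether flushing the resolver cache alone makes the pushed DNS server take effect on the TAP adapter is the open question in the thread; the fragment only automates the command that was suggested.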
