Addressing and DNS problems

[kiwijuice]

Hi everybody,

First, sorry for my poor english, I'm french.

Server CONFIG :
I installed openVPN server 2.1.3-2 on a Debian Squeeze.
This machine is also a router directly connected to WAN in 193.X.X.X.
My private network is in 192.168.10.0/24
Routing is ON

Config file :

Code: Select all

port 1194
proto udp
dev tun

ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key
dh /etc/openvpn/2.0/keys/dh1024.pem
tls-auth /etc/openvpn/2.0/keys/ta.key 0

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"

keepalive 10 120

cipher BF-CBC
comp-lzo
max-clients 2

user nobody
group nogroup
persist-key
persist-tun

status openvpn-status.log
verb 3
mute 20

Client CONFIG :
My client machine is connected in a private network in 172.31.33.0/24.
On the router behind this machine, the port 1194 is open.

Config file :

Code: Select all

client
dev tun
proto udp

remote 193.XX.XX.XX 1194

resolv-retry infinite
nobind

user nobody
group nogroup
persist-key
persist-tun

mute-replay-warnings

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/***.crt
key /etc/openvpn/keys/***.key

ns-cert-type server
tls-auth /etc/openvpn/keys/ta.key 1

cipher BF-CBC
comp-lzo

verb 3
mute 20

So, my question :
When I start the server daemon, and make ifconfig, i can see the tun0 interface which have ip 10.8.0.1.
I understood that, openvpn's dhcp makes "subnets" in /30 (255.255.255.252)
That means that for a first client connection PPTP, the network's address is 10.8.0.0, server's ip 10.8.0.1, client's ip 10.8.0.2 and broadcast address 10.8.0.3.
For a second connection, network's address will be 10.8.0.4, server 10.8.0.5, client 10.8.0.6 and broadcast 10.8.0.7... That's ok ?

My problem is that when I start now the client daemon, the ip which is attribuate is 10.8.0.6 (so the client's ip of the second subnet) and for this reason, the gateway is 10.8.0.5 (the server's ip of this subnet).
That's because I put the line in server.ovpn :

Code: Select all

push "redirect-gateway def1 bypass-dhcp"

With this configuration, I can ping 10.8.0.1 with 10.8.0.6, everyhting works great, exept the client gateway (so there's no internet on the VPN connection).

I tried to configure XP client or Debian client, I have the same problem.
On XP :

Code: Select all

ipconfig /all

says me that the gateway and the dhcp server are 10.8.0.5.


Anyone could help me please ?

[maikcat]

hi there,

to clear things up,
the openvpn is SSL based vpn and has nothing to do with PPtP...

to the point now,

the subneting stuff you mention is correct,
you dont have internet because your router (inside vpn network) doesnt know
about your vpn subnet..

there are 2 solutions

1)you use NAT on debian from traffic originating the vpn tunnel
2)you add a static route for the vpn subnet on your router.

cheers,

michael.

[kiwijuice]

Hi, thanks for your answer.

I talk about pptp because that's what appears on linux client or server when i make an ifconfig (in tun0 description).

If the "subneting stuff are correct", openvpn server should give the ip 10.8.0.2 to my client and there, it should not be any problem of gateway on the client : the server's ip corresponding to 10.8.0.2 is 10.8.0.1...

Right now, the gateway that server give to client (10.8.0.5) doesn't exist, I can't ping it.
I want :

- That the server give to my client 10.8.0.2 ip instead of 10.8.0.6
- And the gateway 10.8.0.1 instead of 10.8.0.5

1)you use NAT on debian from traffic originating the vpn tunnel

I forgot to mention that routing is ON on the client too. That's what you mean ?

And I also forgot to mention that I use openvpn in router mode, not bridge.

[janjust]

I talk about pptp because that's what appears on linux client or server when i make an ifconfig (in tun0 description).

a "default" tun setup creates a linux tunnel device, which is indeed a kernel Point-to-Point interface . It's easy to confuse this with PPTP (note the extra P) which is an entirely different VPN protocol

I want :

- That the server give to my client 10.8.0.2 ip instead of 10.8.0.6
- And the gateway 10.8.0.1 instead of 10.8.0.5

Add

Code: Select all

topology subnet

to your server config and restart.

The client does not need to have routing enabled, but your server-side LAN needs to know where to send replies when VPN traffic comes in. One way to do this is to use masquerading on the server

Code: Select all

iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

another option is to add an extra route to the server-side GW/router to ensure that all replies to VPN traffic are sent to the VPN server

[kiwijuice]

Thanks.

Add
Code:
topology subnet

to your server config and restart.

I tryed that, and now my client have the ip 10.8.0.4... This is less normal than before, this is the ip of the second subnet .
That's what ifconfig says me (i tried first only on the server, and, on server and client:)

BEFORE changing, on client:

inet adr :10.8.0.6 P-t-P : 10.8.0.5

AFTER :

inet adr : 10.8.0.4 P-t-P : 10.8.0.4

BEFORE changing, on server:

inet adr :10.8.0.1 P-t-P : 10.8.0.2

AFTER :

inet adr : 10.8.0.1 P-t-P : 10.8.0.1

The client does not need to have routing enabled,

Debian don't need that to route between eth0 and tun0 ?

but your server-side LAN needs to know where to send replies when VPN traffic comes in. One way to do this is to use masquerading on the server

Thanks for the type. (there's actually no machine on LAN server, it's a lan for testing, the things that I want for the moment, is to configure client to route internet traffic over VPN connexion).

[janjust]

remove the line

Code: Select all

ifconfig-pool-persist ipp.txt

from the server config file; otherwise just delete the 'ipp.txt' file and restart the server.

IMHO the 'ifconfig-pool-persist' option is used far too often.

[kiwijuice]

I made it empty just before, that's not the problem. But i will remove this line.
Another idea ?

[janjust]

what happens when the first client connects? what is shown in the server log file? the first client should be assigned the address 10.8.0.2 after a restart of the openvpn server.

[kiwijuice]

So :

1° I rebooted client and server
2° Connected client
3° Watched /etc/openvpn/openvpn-status.log and saw that the last entry was my last friday's tests, so i rm -Rf the file to be recreated.
4° I reconnected the client : nothing appears in openvpn-status.log
5° Watched in /var/log/daemon.log : and saw these lines :

Code: Select all

Apr  5 13:19:43 openvpn openvpn[2004]: MULTI: Learn: 10.8.0.4 -> client1/193.XX.XX.XX:44710
Apr  5 13:19:43 openvpn openvpn[2004]: MULTI: primary virtual IP for client1/193.XX.XX.XX:44710: 10.8.0.4
Apr  5 13:19:45 openvpn openvpn[2004]: client1/193.XX.XX.XX:44710 PUSH: Received control message: 'PUSH_REQUEST'
Apr  5 13:19:45 openvpn openvpn[2004]: client1/193.XX.XX.XX:44710 SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0' (status=1)

6° "route" on client

Code: Select all

openvpn.local   193.50.49.1     255.255.255.255 UGH   0      0        0 eth0
193.50.49.0     *               255.255.255.0   U     1      0        0 eth0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
[b]default         10.8.0.1[/b]        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
default         193.50.49.1     0.0.0.0         UG    0      0        0 eth0

In blod, my gateway for tun0, why does the client not have internet working through the vpn tunnel ?

Pings works fine, 10.8.0.1 to 10.8.0.4 and reverse.

[janjust]

did you restart the server with the 'ifconfig-pool-persist' line disabled?

if you can ping 10.8.0.1 from the client then the first part of the VPN is working.
The fact that you don't have internet access via the VPN is a routing issue ; how is routing done on the server side? are you using NAT/masquerading?

[kiwijuice]

Ping works well before all thoses things (10.8.0.1 - 10.8.0.6) but i thought that when ips will work in couple (server .1 client .2) gateway will be by default 10.8.0.1 so internet will works through the vpn.

I forget to disable ifconfig-pool-persistent, but if ipp.txt is empty it's not important ?
I don't use NAT/masquerading, because I thought that it is important only for LAN clients server side...

I try masquerading and disable ifconfig-pool-persistent... and give you route of server if it doesn't work.
Thanks a lot

[janjust]

did you restart the server after emptying the ipp.txt file?
what is listed in the ipp.txt file at this moment?

as for internet access/routing: how are packets routed after they arrive at the server? are they forwarded to some router connected to the internet? does this router know that packets with source address 10.8.0/24 need to go back to the VPN server?

[kiwijuice]

Everything works !!! You're a god

I made a new script for iptables, with masquerade on eth0 (which is my public interface) for vpn like you said, and on eth1 (prive) for my clients server side. Internet works through the tunnel vpn.
Without ifconfig-pool-persistent, my client have 10.8.0.2 !!!

Everythings are ok, thanks a lot

I will test with more than one clients to see if everything's good.
Theoretically, if another client connects to vpn, the server mount another interface (tun1) with ip 10.8.0.5 and client 10.8.0.6 ?

[janjust]

the second client will get ip 10.8.0.3 ; the server does not create a new tun device, it will keep using 10.8.0.1 .

[kiwijuice]

But, the submask in / 30 let only 2 bits for computers, which two of four addresses are used for network address and broadcast address...
The address 10.8.0.3 is the broacast address of 10.8.0.0/30...

I will test, but I don't think that it's possible to connect others clients without mounting a new interface... or I don't understand something.

[janjust]

the /30 network is just a trick to be able to use a point-to-point interface; with or without 'topology subnet' it is possible to connect many clients to a single server i/f (10.8.0.1) . Trust me, it works

[kiwijuice]

Ok

(i trust you, but i want to understand )

I'm installing the second client.

Next step is LDAP interaction.

[kiwijuice]

I'm still having a problem.

On my openvpn client, i have two networks to test :

The first 193.XX.XX.XX is a wan ip, so directly connected to internet. Everything works.
I switch cable on the wall : The second in 172.31.33.XX/24 is behind a router. I opened the port 1194. Everything works too, exept DNS. I can attack google with the ip but DNS do not work.

Normally, every packets (DNS too) are encapsullated in VPN transport packets... i don't understand, what's the difference between these two tests.

Does anyone have an idea ?

[janjust]

you're redirecting the gateway but you're not assigning a new DNS server - hence your client will try to reach the old DNS server via the VPN (which will fail); either add 'bypass-dns' to send DNS traffic to the original DNS servers or use new DNS servers which *are* reachable via the VPN.

[kiwijuice]

I found my problem :

My test on WAN are fixed ip, and the DNS is also 193.XX.XX.XX
But tests in network 172.31.33.XX are in DHCP. So DHCP gives to client a DNS.
I tryed to put in server.ovpn the line :

push "dhcp-option DNS 193.XX.XX.XX"
But my /etc/resolv.conf have also the DNS which are gived by DHCP : 172.31.21.XX.
How to says to client to use the DNS of tun0 interface and not eth0 ?

EDIT : crossed posts, i try your option.