routed connection mystery - am I actually connected?

cgjrdl
OpenVpn Newbie
Posts: 2
Joined: Sun Apr 24, 2011 7:33 pm

routed connection mystery - am I actually connected?

Post by cgjrdl » Sun Apr 24, 2011 8:01 pm

Hi there. I'm a newbie to OpenVPN and was wondering if anyone may be able to help. I've set up an OpenVPN server on a XenServer VM running Ubuntu 10.04.2. The LAN IP address of the virtual server is 10.0.1.20. DHCP is handled by an AirPort Extreme router which has an address of 10.0.1.1. I've managed to connect using a routed connection to the VPN from a Mac using Tunnelblick, but here's the problem:

- I can't ping/connect to other machines on the LAN from the client when connected to the VPN (the machines are set up to accept incoming connections of the type I'm trying to establish - I connect to them all the time when I am physically on the LAN; also, except for the server, all machines are Macs).
- When I use whatismyip.com to query the external IP address of the client, it shows the location where I physically am rather than where the VPN server is. Can this be right? Surely I should show up as being at the server location?

In short then, Tunnelblick plus the openvpn-status.log shows I'm connected but it doesn't seem I really or functionally am. Any thoughts? Here's the relevant info (apologies if I've dumped too much data here but I thought it's more useful to give everything I have).

server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

server - ifconfig
eth0 Link encap:Ethernet HWaddr da:f7:f5:3c:ce:c8
inet addr:10.0.1.20 Bcast:10.0.1.255 Mask:255.255.255.0
inet6 addr: fe80::d8f7:f5ff:fe3c:cec8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:32886 errors:0 dropped:0 overruns:0 frame:0
TX packets:4468 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3200287 (3.2 MB) TX bytes:3893740 (3.8 MB)
Interrupt:18

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3676 errors:0 dropped:0 overruns:0 frame:0
TX packets:3676 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:602529 (602.5 KB) TX bytes:602529 (602.5 KB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:11 errors:0 dropped:0 overruns:0 frame:0
TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:640 (640.0 B) TX bytes:640 (640.0 B)

openvpn-status.log
OpenVPN CLIENT LIST
Updated,Sun Apr 24 20:55:41 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,[client external IP address]:50477,122002,121429,Sun Apr 24 20:05:48 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,[client external IP address]:50477,Sun Apr 24 20:55:36 2011
GLOBAL STATS
Max bcast/mcast queue length,1
END

client.conf

client
dev tun
proto udp
remote [server external IP] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
mute 20

client - ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet6 fdb0:589f:c133:bba8:6233:4bff:fe0b:64e1 prefixlen 128
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en1: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
ether 60:33:4b:0b:64:e1
inet 192.168.1.64 netmask 0xffffff00 broadcast 192.168.1.255
media: autoselect
status: active
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
lladdr e8:06:88:ff:fe:da:1d:d8
media: autoselect <full-duplex>
status: inactive
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether c4:2c:03:18:b2:c9
media: autoselect
status: inactive
vnic0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:1c:42:00:00:08
inet 10.211.55.2 netmask 0xffffff00 broadcast 10.211.55.255
media: autoselect
status: active
vnic1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:1c:42:00:00:09
inet 10.37.129.2 netmask 0xffffff00 broadcast 10.37.129.255
media: autoselect
status: active
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
open (pid 5263)

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: routed connection mystery - am I actually connected?

Post by krzee » Sun Apr 24, 2011 9:22 pm

Your VPN is doing what you asked it to. From what it sounds like you expected, I will assume your goal is as follows:
  • You would like to access the LAN behind the server.
  • You would like to redirect your internet connection over the VPN server.
The first goal normally has a different solution than the second, but the solution for the second will also make the first work, so we will just do that...

If my list of your goals is correct, here is what you need to do:

In the client config add the following:

redirect-gateway def1

If you would like connections to the internet to fail when the VPN drops, remove def1 from the above config option.

Then you need to set up NAT on your server:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Then you need to turn on IP forwarding on your server.
For a temp solution (until reboot):

echo "1" > /proc/sys/net/ipv4/ip_forward

For the permanent solution (takes effect after reboot):

echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf

Hope that helps!
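As an added example (not code from the thread or from the OpenVPN project), a small POSIX sh script that verifies the three server-side pieces from the reply above are really in effect: the forwarding flag, exactly one MASQUERADE rule for the VPN subnet, and a redirect-gateway line. The subnet and interface come from the thread; the /etc/openvpn/server.conf path in the --live branch and the sample command output are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: checks that the three server-side
# changes from the reply above actually took effect. Each check takes its input
# as text, so it runs on captured output (constructed sample below) as well as
# live command output. /etc/openvpn/server.conf in --live is an assumed path.

VPN_NET="10.8.0.0/24"   # from "server 10.8.0.0 255.255.255.0"
LAN_IF="eth0"           # interface holding 10.0.1.20 on the server

# 1. Forwarding: the contents of /proc/sys/net/ipv4/ip_forward must be "1".
check_forwarding() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# 2. NAT: from `iptables -t nat -S POSTROUTING` output, print how many times the
#    MASQUERADE rule for VPN_NET leaving LAN_IF appears: 0 means no NAT, more
#    than 1 means `-A` was re-run (use `iptables -t nat -C ... || iptables -t nat -A ...`).
masquerade_count() {
    printf '%s\n' "$1" |
        grep -c -- "^-A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE\$" || true
}

# 3. Redirect: the config holding the redirect-gateway line (client.conf, or a
#    `push "redirect-gateway ..."` line in server.conf); comments do not count.
check_redirect() {
    printf '%s\n' "$1" | grep -Eq '^(push ")?redirect-gateway'
}

# Returns 0 only when all three pieces are in place (exactly one NAT rule).
server_ready() {
    check_forwarding "$1" &&
        [ "$(masquerade_count "$2")" -eq 1 ] &&
        check_redirect "$3"
}

# Constructed sample output standing in for the live commands.
SAMPLE_FWD="1"
SAMPLE_NAT="-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"
SAMPLE_CONF="client
dev tun
redirect-gateway def1"
if [ "${1:-}" = "--live" ]; then   # run as root on the OpenVPN server
    server_ready "$(cat /proc/sys/net/ipv4/ip_forward)" \
        "$(iptables -t nat -S POSTROUTING)" \
        "$(cat /etc/openvpn/server.conf)" && echo "ready" || echo "NOT ready"
else
    server_ready "$SAMPLE_FWD" "$SAMPLE_NAT" "$SAMPLE_CONF" && echo "sample: ready"
fi
```

Run it with --live on the server after applying the reply's changes; if it prints "NOT ready", the individual functions show which of the three pieces is missing or duplicated.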

cgjrdl
OpenVpn Newbie
Posts: 2
Joined: Sun Apr 24, 2011 7:33 pm

Re: routed connection mystery - am I actually connected?

Post by cgjrdl » Mon Apr 25, 2011 6:19 am

krzee: thanks a lot for your quick response. Your articulation of my goals is spot on. I implemented your changes but, as far as I can tell, I still can't access the LAN and, likewise, my IP is still that of the remote location. Are there any log files I could produce which would be helpful? If so, what verb level (I'm actually asking whether less than 6 is possible, as 6 gives away my IP, which is that of a friend's - or perhaps there's a way of 'grepping' it out)?

Btw, I probably should have asked this already: I'm using the routed approach rather than bridged ethernet. From what I can tell, my setup and objectives don't require the latter, but I should probably check.
