New Setup - Need Assistance

ruddyrum
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 26, 2011 1:29 pm

New Setup - Need Assistance

Post by ruddyrum » Tue Apr 26, 2011 1:42 pm

Hi,

A member of my family has moved over to the Middle East, and many internet features are blocked by the ISP (the country only has one ISP) - the biggest issue is that Skype is blocked, and basic browsing of certain normal sites (BBC etc.) is also blocked.

So I have set up OpenVPN on my etrayz server and am using static keys to connect, as I only require one client to connect.

So my family member is running the OpenVPN GUI on a Windows 7 machine, and the icon in the taskbar indicates that all is working well... however, when they open their internet browser, sites are still blocked by the ISP. Shouldn't the internet traffic be routing through my OpenVPN server here in Europe?

When I went out there a few weeks back I used a commercial VPN solution for a few days to just access my webmail, so I know it can be done! I do not want to have to recommend a commercial solution as I have everything I need to get this working.

Any help on the matter is greatly appreciated.

Edit: Attached Static keys.ovpn for analysis

Code: Select all

# this is a client
;client

# using tun device
dev tun

# protocol used
;proto tcp

# where to connect and with what port
remote myserver.dns.com port

# routing table
ifconfig 10.8.0.2 10.8.0.1
route 192.168.0.0 255.255.255.0 10.8.0.1
route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0
nobind

# using static key
secret static.key

# using certificates
;ca ca.crt
;cert client1.crt
;key client1.key

# to keep connection alive
persist-key
persist-tun
comp-lzo

disciplefk
OpenVpn Newbie
Posts: 5
Joined: Mon Feb 07, 2011 2:13 pm

Re: New Setup - Need Assistance

Post by disciplefk » Tue Apr 26, 2011 1:59 pm

I think there is an option to not have all traffic routed through the server. Do you have the server set to change clients' DNS servers? Try changing them to a public DNS server like Google's or OpenDNS.

ruddyrum
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 26, 2011 1:29 pm

Re: New Setup - Need Assistance

Post by ruddyrum » Tue Apr 26, 2011 2:09 pm

I'm not too sure I understand, as I want all of the client's traffic routed through my server! I do not know where to find this option you mentioned... If you could tell me where to look, and how to have the server change the client DNS, that would be great.

On another note, I think that the issue is not the DNS, but perhaps the client's gateway?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: New Setup - Need Assistance

Post by janjust » Tue Apr 26, 2011 2:23 pm

as disciplefk said, you also will need to give them a DNS server which is accessible via the VPN.
to make sure that all IP traffic is routed via the VPN try doing a

Code: Select all

ping 74.125.79.99
tracert -d 74.125.79.99

(or 'traceroute -n'); this should show whether traffic is sent via the VPN or not.

ruddyrum
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 26, 2011 1:29 pm

Re: New Setup - Need Assistance

Post by ruddyrum » Tue Apr 26, 2011 2:31 pm

janjust wrote: as disciplefk said, you also will need to give them a DNS server which is accessible via the VPN.

Is this done in the normal way (editing network settings of the network card) or is this specifically something I need to do to the openvpn client?

The server running openvpn is also a DNS server, if that is what you're trying to get at? The family member can access my server by typing in my DNS address into a web browser, and they can also ping it.

Also 74.125.79.99... seems to be a Google IP? We can both ping it, but still traffic is not routing through my server?

Sorry for all the questions, but this is my first VPN and I thought it would be more straightforward than this :)

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: New Setup - Need Assistance

Post by janjust » Tue Apr 26, 2011 2:58 pm

ruddyrum wrote: Is this done in the normal way (editing network settings of the network card) or is this specifically something I need to do to the openvpn client?

this can be done on the openvpn server using

Code: Select all

push "dhcp-option DNS <IP-of-DNS-server>"

ruddyrum wrote: Also 74.125.79.99... seems to be a Google IP? We can both ping it, but still traffic is not routing through my server?

yes it's a google IP - the idea is to ensure that IP traffic flows via the VPN first; then you can make sure DNS queries also flow via the VPN.

Please post the output of a 'tracert' (or 'traceroute') run - the first address in the list should be the address of the VPN server, otherwise the routing table was not set up correctly.

Instead of using all the separate routes on the client you can also simply use

Code: Select all

redirect-gateway def1

ruddyrum
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 26, 2011 1:29 pm

Re: New Setup - Need Assistance

Post by ruddyrum » Tue Apr 26, 2011 3:12 pm

janjust wrote: this can be done on the openvpn server using

Code: Select all

push "dhcp-option DNS <IP-of-DNS-server>"

Do these go into the server config somewhere or do I need to execute this in the terminal on my server? Also, I say my server is also a DNS server; it is more a DNS server which associates a DNS address with my dynamic IP.

The traceroute does not go to my VPN server first, so I guess that's where the problem is!

janjust wrote: Instead of using all the separate routes on the client you can also simply use

Code: Select all

redirect-gateway def1

So I should change my Static keys.ovpn from:

Code: Select all

# routing table
ifconfig 10.8.0.2 10.8.0.1
route 192.168.0.0 255.255.255.0 10.8.0.1
route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0
nobind

to:

Code: Select all

# routing table
redirect-gateway def1

Thanks for all the prompt replies and patience!

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: New Setup - Need Assistance

Post by janjust » Wed Apr 27, 2011 6:14 am

ruddyrum wrote: Do these go into the server config somewhere or do I need to execute this in the terminal on my server?

the line I mentioned is added to the openvpn server configuration file; a restart of the openvpn process afterwards is needed.

Change

Code: Select all

# routing table
ifconfig 10.8.0.2 10.8.0.1
route 192.168.0.0 255.255.255.0 10.8.0.1
route 0.0.0.0 128.0.0.0
route 128.0.0.0 128.0.0.0
nobind

to

Code: Select all

# routing table
ifconfig 10.8.0.2 10.8.0.1
route 192.168.0.0 255.255.255.0 10.8.0.1
redirect-gateway def1
nobind

ruddyrum
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 26, 2011 1:29 pm

Re: New Setup - Need Assistance

Post by ruddyrum » Wed Apr 27, 2011 4:34 pm

OK, so I have done a fair amount of research on the matter now, and came across the following in the howto section of the openvpn website: Routing all client traffic (including web-traffic) through the VPN

It stated that I should add a line you mentioned into the server config

Code: Select all

push "redirect-gateway def1"

I have done so, and have also cleaned up the client routing as you suggested.

However, on connection, I am getting the following errors from the client:

Code: Select all

Wed Apr 27 17:22:15 2011 ROUTE: route addition failed using
CreateIpForwardEntry: Access is denied.   [status=5 if_index=12]
The requested operation requires elevation.
Wed Apr 27 17:22:15 2011 ERROR: Windows route add command failed
[adaptive]: returned error code 1
Wed Apr 27 17:22:15 2011 ROUTE: route addition failed using
CreateIpForwardEntry: Access is denied.   [status=5 if_index=27]
The requested operation requires elevation.
Wed Apr 27 17:22:15 2011 ERROR: Windows route add command failed
[adaptive]: returned error code 1
Wed Apr 27 17:22:15 2011 ROUTE: route addition failed using
CreateIpForwardEntry: Access is denied.   [status=5 if_index=27]
The requested operation requires elevation.
Wed Apr 27 17:22:15 2011 ERROR: Windows route add command failed
[adaptive]: returned error code 1
Wed Apr 27 17:22:15 2011 WARNING: potential route subnet conflict
between local LAN [192.168.0.0/255.255.255.0] and remote VPN
[192.168.0.0/255.255.255.0]
Wed Apr 27 17:22:15 2011 ROUTE: route addition failed using
CreateIpForwardEntry: Access is denied.   [status=5 if_index=27]
The requested operation requires elevation.
Wed Apr 27 17:22:15 2011 ERROR: Windows route add command failed
[adaptive]: returned error code 1
Wed Apr 27 17:22:15 2011 Initialization Sequence Completed

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: New Setup - Need Assistance

Post by janjust » Wed Apr 27, 2011 9:26 pm

on windows vista/7/2008 you need to run openvpn using elevated privileges, as otherwise it is not allowed to add routes.

I didn't mention

Code: Select all

push "redirect-gateway def1"

as you're not using client/server mode but are using static key mode instead; using 'push' only makes sense in client/server mode OR when you explicitly add 'pull' to the client configuration.
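
The push/pull rule from the reply above, as an added example that is not part of the original thread: a small lint over a server/client config pair that reports pushed options the client will never apply, plus missing gateway and DNS directives. The function names and finding codes are hypothetical, and the sample configs are constructed from the directives quoted in this thread.

```python
import shlex

def directives(text):
    """Parse OpenVPN config text into token lists, skipping '#' and ';' comment lines."""
    parsed = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parsed.append(shlex.split(line))
    return parsed

def lint(server_text, client_text):
    """Return finding codes (hypothetical names) for a server/client config pair."""
    server, client = directives(server_text), directives(client_text)
    # Rule from the reply above: pushed options only reach a client that pulls.
    # 'client' is shorthand that implies 'pull'.
    pulls = any(d[0] in ("pull", "client") for d in client)
    pushed = [shlex.split(d[1]) for d in server if d[0] == "push" and len(d) > 1]
    findings = []
    if pushed and not pulls:
        findings.append("push-ignored")          # dead config on the server side
    effective = client + (pushed if pulls else [])
    names = {d[0] for d in effective}
    if "redirect-gateway" not in names:
        findings.append("no-redirect-gateway")   # default route stays on the ISP
    if not any(d[:2] == ["dhcp-option", "DNS"] for d in effective):
        findings.append("no-vpn-dns")            # lookups still go to the ISP resolver
    elif "register-dns" not in names:
        findings.append("no-register-dns")       # Windows may not pick up the new DNS
    return findings

# Constructed sample configs, built from the directives quoted in this thread.
SERVER = '''
secret static.key
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
'''
CLIENT_BEFORE = '''
remote myserver.dns.com port
ifconfig 10.8.0.2 10.8.0.1
secret static.key
nobind
'''
CLIENT_AFTER = CLIENT_BEFORE + '''
redirect-gateway def1
dhcp-option DNS 8.8.8.8
register-dns
'''
```

With the directives set locally in the client config, the only remaining finding is that the server's push lines have no effect.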

ruddyrum
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 26, 2011 1:29 pm

Re: New Setup - Need Assistance

Post by ruddyrum » Thu Apr 28, 2011 6:47 am

Ok, it seems we are finally getting somewhere :)

Client can now successfully connect to the server, and when running tracert, all traffic is going through the VPN server.

However, when browsing the web in my browser, no pages seem to load. I can only assume this is a DNS issue, as I can't ping google.com, but I can ping Google's IP address.

So to clarify, I have in my server config the following line:

Code: Select all

push "dhcp-option DNS 8.8.8.8"

This is Google's public DNS server.

Do I need to add a pull line to the client config?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: New Setup - Need Assistance

Post by janjust » Thu Apr 28, 2011 7:10 am

ruddyrum wrote: Do I need to add a pull line to the client config?

to pull in all server supplied push options, yes. But you only need to specify it once, so if you already added this for the 'push redirect-gateway' then you should be set.

On Windows clients the DNS settings are not picked up by the operating system immediately - add

Code: Select all

register-dns

to the client config to force a reload of the DNS settings on windows. After that the DNS server from the VPN server should be picked up.

ruddyrum
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 26, 2011 1:29 pm

Re: New Setup - Need Assistance

Post by ruddyrum » Sun May 01, 2011 10:35 am

In the command console I can ping 74.125.79.99 but not google.com, even with the register-dns command in my client config?!

Any other suggestions? In the meantime, I will try some other DNS server addresses to see if this resolves the issue

Edit: no joy using other DNS servers

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: New Setup - Need Assistance

Post by janjust » Mon May 02, 2011 6:08 am

if you have set up a public DNS server then what happens if you open a command window and type

Code: Select all

nslookup

? you should be using the public DNS server in this case. If not, then the assignment of the DNS servers did not succeed - what does the openvpn client connection log show with 'verb 5' set? this should list attempts to set the DNS settings. Finally, what does

Code: Select all

ipconfig /all

show? is the public DNS server associated with the tap-win32 adapter at all?

ruddyrum
OpenVpn Newbie
Posts: 8
Joined: Tue Apr 26, 2011 1:29 pm

Re: New Setup - Need Assistance

Post by ruddyrum » Tue May 03, 2011 11:40 am

After a successful connection to the server, the following can be seen in the client log:

Code: Select all

Mon May 02 13:27:42 2011 WARNING: potential route subnet conflict
between local LAN [192.168.0.0/255.255.255.0] and remote VPN
[192.168.0.0/255.255.255.0]
Mon May 02 13:27:42 2011 Initialization Sequence Completed
Mon May 02 13:27:43 2011 C:\WINDOWS\system32\net.exe stop dnscache
The DNS Client service is stopping..
The DNS Client service could not be stopped.
Mon May 02 13:27:49 2011 C:\WINDOWS\system32\net.exe start dnscache
The requested service has already been started.
More help is available by typing NET HELPMSG 2182.
Mon May 02 13:27:49 2011 ERROR: Windows ipconfig command failed:
returned error code 2
Mon May 02 13:27:49 2011 C:\WINDOWS\system32\ipconfig.exe /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
Mon May 02 13:27:49 2011 C:\WINDOWS\system32\ipconfig.exe /registerdns
Windows IP Configuration
Registration of the DNS resource records for all adapters of this
computer has been initiated. Any errors will be reported in the Event
Viewer in 15 minutes

ipconfig /all:

Code: Select all

DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                   fec0:0:0:ffff::2%1
                                   fec0:0:0:ffff::3%1

Nslookup:

Code: Select all

Default Server:  cache1.service.virginmedia.net
Address:  194.168.4.100

From the above, I take it that the assignment of the DNS that I specified (8.8.8.8) did not work!
Can you explain what you mean by verb 5?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: New Setup - Need Assistance

Post by janjust » Tue May 03, 2011 2:39 pm

you cannot stop the dnscache service ? are you running with elevated privileges?

also, your DNS server settings seem to be IPv6 servers - do you really need IPv6? if not, can you try disabling it?

finally, what happens if you try (in a CMD window)
nslookup www.google.com 8.8.8.8
does that work?
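
The two client logs posted in this thread, triaged in code, as an added example that is not part of the original thread. It re-joins the wrapped log lines into entries and flags the conditions discussed above: route additions denied for lack of elevation, the LAN/VPN subnet conflict warning, the dnscache service that could not be stopped, and a session that reports "Initialization Sequence Completed" even though its routes failed. The rule names and function names are hypothetical; the sample is an excerpt of the log lines posted above.

```python
import re
from collections import Counter

# OpenVPN 2.x log timestamp, e.g. "Wed Apr 27 17:22:15 2011 "
TS = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4} ")

RULES = [  # (hypothetical rule name, pattern matched against a re-joined entry)
    ("route-add-denied", re.compile(r"route addition failed.*(Access is denied|requires elevation)")),
    ("subnet-conflict", re.compile(r"potential route subnet conflict")),
    ("dnscache-stop-failed", re.compile(r"DNS Client service could not be stopped")),
]

def entries(log):
    """Re-join wrapped lines: a line without a leading timestamp continues the previous entry."""
    out = []
    for line in log.splitlines():
        if TS.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def triage(log):
    """Count rule hits per entry; flag a 'connected' session whose routes were never added."""
    counts = Counter()
    completed = False
    for entry in entries(log):
        for name, pattern in RULES:
            if pattern.search(entry):
                counts[name] += 1
        completed = completed or "Initialization Sequence Completed" in entry
    if completed and counts["route-add-denied"]:
        counts["connected-but-unrouted"] = 1
    return dict(counts)

# Excerpt of the client logs posted in this thread (line wrapping as posted).
SAMPLE = r"""Wed Apr 27 17:22:15 2011 ROUTE: route addition failed using
CreateIpForwardEntry: Access is denied.   [status=5 if_index=12]
The requested operation requires elevation.
Wed Apr 27 17:22:15 2011 ERROR: Windows route add command failed
[adaptive]: returned error code 1
Wed Apr 27 17:22:15 2011 WARNING: potential route subnet conflict
between local LAN [192.168.0.0/255.255.255.0] and remote VPN
[192.168.0.0/255.255.255.0]
Wed Apr 27 17:22:15 2011 Initialization Sequence Completed
Mon May 02 13:27:43 2011 C:\WINDOWS\system32\net.exe stop dnscache
The DNS Client service is stopping..
The DNS Client service could not be stopped.
"""
```

The "connected-but-unrouted" finding corresponds to the situation in the first post, where the taskbar icon indicated a working connection while traffic still left via the ISP.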
