[Newbie] Help routing traffic through OpenVPN on Debian
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Aug 15, 2011 5:28 pm
[Newbie] Help routing traffic through OpenVPN on Debian
Hi!
I'm a newbie when it comes to OpenVPN and Linux but I have successfully installed OpenVPN and I have also been able to connect to my VPN service provider. I have a .ovpn and .ca.crt file.
I have done the following:
apt-get update
apt-get install openvpn
I then run the following command
sudo openvpn --client --redirect-gateway def1 --config /c/XXX.ovpn --ca /c/YYY.ca.crt
I then type in my login details and everything seems fine but when I run a traceroute it seems that the traffic isn't going through my VPN-provider. Am I missing something here?
I simply want all the traffic from my ReadyNAS (running Debian as far as I know) to go through OpenVPN.
Thank you kindly in advance!
Best regards
MK
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: [Newbie] Help routing traffic through OpenVPN on Debian
Hello.
Please post /c/XXX.ovpn content.
After connecting, is OpenVPN server pinging? Show "route -n" results when OpenVPN is connected. Show logs of OpenVPN where routes are added.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Aug 15, 2011 5:28 pm
Re: [Newbie] Help routing traffic through OpenVPN on Debian
Hi!
This is the content of the .ovpn-file
client
dev tap
proto udp
remote openvpn.anonine.net 1194
remote openvpn.anonine.net 1195
remote openvpn-2.anonine.net 1196
remote openvpn-2.anonine.net 1197
remote openvpn-3.anonine.net 1198
remote openvpn-3.anonine.net 1199
remote openvpn-4.anonine.net 1200
remote openvpn-4.anonine.net 1201
remote-random
resolv-retry infinite
auth-user-pass
nobind
persist-key
persist-tun
ca anonine.ca.crt
ns-cert-type server
comp-lzo
reneg-sec 0
verb 3
Route -n before running OpenVPN
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
Route -n after running:
sudo openvpn --client --redirect-gateway def1 --config /c/XXX.ovpn --ca /c/YYY.ca.crt
Destination Gateway Genmask Flags Metric Ref Use Iface
178.73.215.173 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
188.126.74.128 0.0.0.0 255.255.255.128 U 0 0 0 tap0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 188.126.74.129 128.0.0.0 UG 0 0 0 tap0
128.0.0.0 188.126.74.129 128.0.0.0 UG 0 0 0 tap0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
If I then run the following:
ping www.openvpn.net
I get this:
PING openvpn.net (174.36.59.154) 56(84) bytes of data.
From 74 (188.126.74.162) icmp_seq=2 Destination Host Unreachable
From 74 (188.126.74.162) icmp_seq=3 Destination Host Unreachable
From 74 (188.126.74.162) icmp_seq=4 Destination Host Unreachable
From 74 (188.126.74.162) icmp_seq=6 Destination Host Unreachable
From 74 (188.126.74.162) icmp_seq=7 Destination Host Unreachable
From 74 (188.126.74.162) icmp_seq=8 Destination Host Unreachable
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: [Newbie] Help routing traffic through OpenVPN on Debian
Routes seem OK. Run "tracert www.openvpn.net -4 -n" to view where routing is going.
You didn't show the OpenVPN log.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Aug 15, 2011 5:28 pm
Re: [Newbie] Help routing traffic through OpenVPN on Debian
Mimiko: Thank you very much for your rapid responses!
This is the OpenVPN log:
Mon Aug 15 20:18:33 2011 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Enter Auth Username:XXXXX
Enter Auth Password:YYYYY
Mon Aug 15 20:18:37 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Aug 15 20:18:37 2011 LZO compression initialized
Mon Aug 15 20:18:37 2011 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Aug 15 20:18:37 2011 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Aug 15 20:18:37 2011 Local Options hash (VER=V4): 'd79ca330'
Mon Aug 15 20:18:37 2011 Expected Remote Options hash (VER=V4): 'f7df56b8'
Mon Aug 15 20:18:37 2011 UDPv4 link local: [undef]
Mon Aug 15 20:18:37 2011 UDPv4 link remote: 178.73.215.171:1197
Mon Aug 15 20:18:37 2011 TLS: Initial packet from 178.73.215.171:1197, sid=0eb06aaf 7c02bc56
Mon Aug 15 20:18:37 2011 VERIFY OK: depth=1, /C=SE/ST=Calisota/L=Ankeborg/O=Anonine/OU=VPN/CN=Anonine_CA/emailAddress=support@anonine.com
Mon Aug 15 20:18:37 2011 VERIFY OK: nsCertType=SERVER
Mon Aug 15 20:18:37 2011 VERIFY OK: depth=0, /C=SE/ST=Calisota/L=Ankeborg/O=Anonine/CN=hati/emailAddress=support@anonine.com
Mon Aug 15 20:18:38 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 15 20:18:38 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 15 20:18:38 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 15 20:18:38 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 15 20:18:38 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Aug 15 20:18:38 2011 [hati] Peer Connection Initiated with 178.73.215.171:1197
Mon Aug 15 20:18:39 2011 SENT CONTROL [hati]: 'PUSH_REQUEST' (status=1)
Mon Aug 15 20:18:39 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 80.67.0.2,dhcp-option DNS 91.213.246.2,route-gateway 188.126.75.129,ping 10,ping-restart 30,ifconfig 188.126.75.188 255.255.255.128'
Mon Aug 15 20:18:39 2011 Options error: unknown --redirect-gateway flag: bypass-dhcp
Mon Aug 15 20:18:39 2011 OPTIONS IMPORT: timers and/or timeouts modified
Mon Aug 15 20:18:39 2011 OPTIONS IMPORT: --ifconfig/up options modified
Mon Aug 15 20:18:39 2011 OPTIONS IMPORT: route options modified
Mon Aug 15 20:18:39 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Aug 15 20:18:39 2011 TUN/TAP device tap0 opened
Mon Aug 15 20:18:39 2011 ifconfig tap0 188.126.75.188 netmask 255.255.255.128 mtu 1500 broadcast 188.126.75.255
Mon Aug 15 20:18:39 2011 route add -net 178.73.215.171 netmask 255.255.255.255 gw 192.168.1.1
Mon Aug 15 20:18:39 2011 route add -net 0.0.0.0 netmask 128.0.0.0 gw 188.126.75.129
Mon Aug 15 20:18:39 2011 route add -net 128.0.0.0 netmask 128.0.0.0 gw 188.126.75.129
Mon Aug 15 20:18:39 2011 Initialization Sequence Completed
I can't run your command "tracert www.openvpn.net -4 -n", I only get this:
# traceroute www.openvpn.net -4 -n
Version 1.4a12
Usage: traceroute [-dFIlnrvx] [-g gateway] [-i iface] [-f first_ttl]
[-m max_ttl] [ -p port] [-q nqueries] [-s src_addr] [-t tos]
[-w waittime] [-z pausemsecs] host [packetlen]
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: [Newbie] Help routing traffic through OpenVPN on Debian
Ok,
The "-4" option your Debian(?) does not know.
tracert www.openvpn.net -n
Could you update your OpenVPN client?
Mon Aug 15 20:18:33 2011 OpenVPN 2.0.9 i486-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 20 2007
Mon Aug 15 20:18:39 2011 Options error: unknown --redirect-gateway flag: bypass-dhcp
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Aug 15, 2011 5:28 pm
Re: [Newbie] Help routing traffic through OpenVPN on Debian
I could run this (if it helps)
ReadyNAS:~# traceroute openvpn.net
traceroute to openvpn.net (174.36.59.154), 30 hops max, 40 byte packets
1 75 (188.126.75.188) 3006.444 ms !H 3006.830 ms !H 3005.964 ms !H
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Aug 15, 2011 5:28 pm
Re: [Newbie] Help routing traffic through OpenVPN on Debian
Seems like I already have the latest version (?):
ReadyNAS:~# apt-get update
Get:1 http://archive.debian.org etch Release.gpg [1033B]
Hit http://archive.debian.org etch Release
Ign http://archive.debian.org etch/main Packages/DiffIndex
Ign http://archive.debian.org etch/non-free Packages/DiffIndex
Hit http://archive.debian.org etch/main Packages
Hit http://archive.debian.org etch/non-free Packages
Ign http://www.readynas.com 4.2.18/ Release.gpg
Ign http://www.readynas.com 4.2.18/ Release
Ign http://www.readynas.com 4.2.18/ Packages/DiffIndex
Hit http://www.readynas.com 4.2.18/ Packages
Fetched 1033B in 12s (81B/s)
Reading package lists... Done
ReadyNAS:~# apt-get install openvpn
Reading package lists... Done
Building dependency tree... Done
openvpn is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 40 not upgraded.
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: [Newbie] Help routing traffic through OpenVPN on Debian
It's strange. 3 seconds response is too much.
Let's see, can you get iptables configuration?
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Aug 15, 2011 5:28 pm
Re: [Newbie] Help routing traffic through OpenVPN on Debian
Iptables, can you please be more specific?
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: [Newbie] Help routing traffic through OpenVPN on Debian
Run
iptables -L
http://www.readynas.com/?p=4662
Do you have the latest firmware?
It seems that the system is a particular build based on Debian, not Debian itself. On the forum there are posts stating that OpenVPN is not working well. Some recommend to back up, reset to factory default and install OpenVPN on a fresh system.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Aug 15, 2011 5:28 pm
Re: [Newbie] Help routing traffic through OpenVPN on Debian
Mimiko: Thanks again for all your patience!
I will try the code you posted and post back.
Yes, I'm running the latest firmware, I updated it just a few weeks ago.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Aug 15, 2011 5:28 pm
Re: [Newbie] Help routing traffic through OpenVPN on Debian
# iptables -L
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: [Newbie] Help routing traffic through OpenVPN on Debian
Read this http://www.readynas.com/forum/viewtopic ... pn#p314240
After a factory reset - it starts working usually.
-
- OpenVpn Newbie
- Posts: 9
- Joined: Mon Aug 15, 2011 5:28 pm
Re: [Newbie] Help routing traffic through OpenVPN on Debian
I found that thread also, but is there really anything wrong in the logs I've posted so far?
- Mimiko
- Forum Team
- Posts: 1564
- Joined: Wed Sep 22, 2010 3:18 am
Re: [Newbie] Help routing traffic through OpenVPN on Debian
Yes. Your client OpenVPN is old relative to the server OpenVPN. There may be incompatibilities that prevent the VPN from running smoothly. Also it may be helpful to see the OpenVPN server's config file, log and iptables.