OpenVPN redirect-gateway does not work on Windows 7

[foxx]

hi! hope you guys can help me! i have set up openvpn, and it works. pinging from client to server and backwards works just fine. but now i wanted to redirect all the clients traffic through the vpn. so i did the following steps as mentioned in the docs.

on serverside:

in server.conf i put push "redirect-gateway def1"

and i enabled routing via iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

on clientside:

actually nothing, server does it all for the client, i start it on win7 with: openvpn.exe --config client.ovpn

now my routing table looks like this, Realtek is my physical network interface card and the physical gateway is 192.168.2.1. My pc's ip is 192.168.2.199:

http://pastebin.com/1XPVVeab

When using "push redirect-gateway" instead in the server.conf it looks like that:

http://pastebin.com/gPkupPSz

Both are not working, what am i doing wrong? I can't ping the gateway 10.8.0.5, but the vpn can't either ping it's gateway. I can ping vpn 10.8.0.1.

Guess there's something wrong with the routing table, but OpenVPN is creating it, not me

[Mimiko]

Read this topic: topic8685.html

[foxx]

and it still doesn't work... I set up a fresh windows 7 as client and a fresh debian as server. as I previously said pinging from client to server works just fine. I put "push redirect-gateway def1 bypass-dhcp" to the server's config and start the client.

here are the logs with verb 5:

http://pastebin.com/WyEJbxt3

here is the routing table before starting the server, after booting:

http://pastebin.com/DXg1MJ3K

routing table after starting the server:

http://pastebin.com/bGYf1cxM

routing table after changing settings in network manager and manually set ip/netmask/gw for vpn tap to 10.8.0.6/255.255.255.252/10.8.0.5, he seems to add a static route there obviously:

http://pastebin.com/8vsTi8mg

ipconfig looks like that after I started the server:

http://pastebin.com/ZZ5SKGPB

it seems it doesn't create a standard gw, think it should be 10.8.0.5, I don't have the slightest clue why..

server config:

http://pastebin.com/PDvMbYUv

client config:

http://pastebin.com/pdj81Qt0

thats just too frustrating, doing it exactly as told in the howto and it just doesn't work under win7. thought openvpn would pretty much work out of the box, but it seems to be rocket science to set it up properly argh..

Read this topic: topic8685.html

mimiko, I tried what the guy in this thread did but it did not work.

help is very much appreciated!! thx in advance!

[foxx]

ok guys of openvpn, the fact that you write great software is true, but the fact that your documentation is incomplete is also true and pretty bad. openvpn on win7 works perfect, it was the server that wasn't correctly configured, due to the fact that the documentation here http://openvpn.net/index.php/open-sourc ... l#redirect lacks a few important things, that have to be made on the serverside:

you have to enable ip forwarding and NAT on your linux vpn server, just like this:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

that took me hours, thanks for this

[Mimiko]

Do not set manualy IP on TAP adapter - you can loose connection.
On Realtek RTL8168D adapter with IP 192.168.2.101 set metric to "Auto". The 20 metric does not allow internet traffic thru the tunnel.

Also on Debian with OpenVPN server setup iptables: http://www.openvpn.net/index.php/open-s ... l#redirect

[foxx]

k thanks mimiko, but as I posted above the docs are lacking important informations. http works fine though, even with that metric.

[Bebop]

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

Congrats on solving the problem. your solution is not quite as elegant as it could be. You definitly don't need Masquerade more than once. Here's a slightly more refined example:

Code: Select all

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT    
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

There's a full walk-through for the iptables stuff here: topic7722.html

And some complete Debian+OpenVPN guides on the Internet [Example], but you are correct that some vital details are missing from the manual page.

[foxx]

Congrats on solving the problem. your solution is not quite as elegant as it could be. You definitly don't need Masquerade more than once. Here's a slightly more refined example:

Code: Select all

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT    
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward

There's a full walk-through for the iptables stuff here: topic7722.html

And some complete Debian+OpenVPN guides on the Internet [Example], but you are correct that some vital details are missing from the manual page.

Ok, thanks for the links!