[resolved] Multiple clients on OpenVPN - Routing Issue

[orientalist]

Hello and thank you for reading this post.

I am based in China and, in order to access the internet unimpeded, have set up a linux VPS in a Eurpoean country. My aim is that 3 clients can connect to the VPS server and then browse the external internet through the VPS, at the same time.

Currently, all clients can connect to the VPS, without issue. My problem is that only one client is receiving the external IP address of the VPS. The other clients are connected to the VPS through openVPN, but do not take the VPS IP.

I have generated one set of server certs / keys and 3 sets of individual client crts / keys.

I would appreciate any assistance people can give with this. Thanks.

# SERVER.conf

Code: Select all

local xx.xxx.xxx.xxx # IP of the connection provided by my VPS provider
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key 
dh dh1024.pem
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.8.1.0 255.255.255.0" 
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20

#CLIENT.conf

Code: Select all

client
dev tun
proto udp
remote xx.xxx.xxx.xxx 1194 #IP of the connection provided by my VPS provider
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client-name.crt #differs for each client
key client-name.key #differs for each client
comp-lzo
verb 3
mute 20

#Route tables

Code: Select all

myname@server:~$ route -v
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.1.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.1.0        10.8.1.2        255.255.255.0   UG    0      0        0 tun0
xx.xx.xx.xx    *               255.255.255.0   U     0      0        0 eth0
default         xx.xx.xx.xx    0.0.0.0         UG    100    0        0 eth0

#iptables status

Code: Select all

myname@server:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  10.8.0.0/24          anywhere            to:xx.xx.xx.xx 
MASQUERADE  all  --  10.8.1.0/24          anywhere            
SNAT       all  --  anywhere             anywhere            to:xx.xx.xx.xx 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

#UFW Status

Code: Select all

myname@server:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
1194                       ALLOW       Anywhere

[maikcat]

hi there,

>My problem is that only one client is receiving the external IP address of the VPS

can you explain this a little bit...(?)

can you post logs from this client?

Michael.

[orientalist]

Maikcat, many thanks for your reply. Sorry for the delay in replying but I have been figuring out how to access log files (I am both a linux command line and ovpn newbie).

My clients are:

1. Netbook running Ubuntu 32 (can access internet through VPS)
2. Laptop running Ubuntu 64 (connected to VPS but still using China ISP for internet)
3. HTC Desire HD running Cyanogenmod 7 with tun.ko installed and openvpn-settings app (connected to VPS but still using China ISP for internet)

Originally, despite me having enabled forwarding and setting up a server LAN as in my config above, clients 2 and 3 were not routing browser traffic through the VPN. For example, even though network manager on client 2 / 3 shows that I am connected to the VPS over the VPN, googling "What's my IP?" on client 2/3 returns the public IP address provided by my ISP in China, rather than that provided by my VPS provider in the UK.

Strangely, since you replied to my initial query, client 2 has suddenly started working and I am able to use both clients 1 and 2, simultaneously, with no problems.

As of now, it is just client 3, the Desire HD, that still has the problem of not being able to route packets through the VPN. I don't know how to generate a log for this and, to be honest, this is probably something for a site dedicated to openvpn-settings app.

Despite this 'problem' now being 'solved', I am posting the log outputs of clients 1 and 2 below, in case you can see anything obvious that could explain why this problem of not routing seemed to occur on client 2 for the last several days. I still do not fully understand the finer points of networking (such as IP allocation on LANs), routing and firewalls - so would appreciate any comments people may have on the below, if any.

Sorry for lack of knowledge of correct terminology to describe these problems and thanks again.

# Client 1 cat syslog (ubuntu netbook)

Code: Select all

Dec 14 19:11:32 richard-netbook NetworkManager: <info>  Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Dec 14 19:11:32 richard-netbook NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 6547
Dec 14 19:11:32 richard-netbook NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Dec 14 19:11:32 richard-netbook NetworkManager: <info>  VPN plugin state changed: 1
Dec 14 19:11:32 richard-netbook NetworkManager: <info>  VPN plugin state changed: 3
Dec 14 19:11:32 richard-netbook NetworkManager: <info>  VPN connection 'xx.xxx.xxx.xxx' (Connect) reply received.
Dec 14 19:11:32 richard-netbook nm-openvpn[6551]: OpenVPN 2.1.0 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Dec 14 19:11:32 richard-netbook nm-openvpn[6551]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec 14 19:11:32 richard-netbook nm-openvpn[6551]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 14 19:11:32 richard-netbook nm-openvpn[6551]: /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Dec 14 19:11:32 richard-netbook nm-openvpn[6551]: LZO compression initialized
Dec 14 19:11:32 richard-netbook nm-openvpn[6551]: UDPv4 link local: [undef]
Dec 14 19:11:32 richard-netbook nm-openvpn[6551]: UDPv4 link remote: [AF_INET]xx.xxx.xxx.xxx:1194
Dec 14 19:11:33 richard-netbook kernel: [ 4436.560054] wlan0: no IPv6 routers present
Dec 14 19:11:44 richard-netbook nm-openvpn[6551]: [server] Peer Connection Initiated with [AF_INET]xx.xxx.xxx.xxx:1194
Dec 14 19:11:47 richard-netbook nm-openvpn[6551]: Options error: unknown --redirect-gateway flag: bypass-dchp
Dec 14 19:11:47 richard-netbook NetworkManager:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Dec 14 19:11:47 richard-netbook NetworkManager:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Dec 14 19:11:47 richard-netbook nm-openvpn[6551]: TUN/TAP device tun0 opened
Dec 14 19:11:47 richard-netbook nm-openvpn[6551]: /sbin/ifconfig tun0 10.8.1.10 pointopoint 10.8.1.9 mtu 1500
Dec 14 19:11:47 richard-netbook nm-openvpn[6551]: /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper tun0 1500 1542 10.8.1.10 10.8.1.9 init
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  VPN connection 'xx.xxx.xxx.xxx' (IP Config Get) reply received.
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  VPN Gateway: xx.xxx.xxx.xxx
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  Internal Gateway: 10.8.1.9
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  Tunnel Device: tun0
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  Internal IP4 Address: 10.8.1.10
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  Internal IP4 Prefix: 32
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  Internal IP4 Point-to-Point Address: 10.8.1.9
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  Maximum Segment Size (MSS): 0
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  Static Route: 10.8.1.0/24   Next Hop: 10.8.1.0
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  Static Route: 10.8.1.1/32   Next Hop: 10.8.1.1
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  DNS Domain: '(none)'
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  Login Banner:
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  -----------------------------------------
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  (null)
Dec 14 19:11:47 richard-netbook NetworkManager: <info>  -----------------------------------------
Dec 14 19:11:47 richard-netbook nm-openvpn[6551]: Initialization Sequence Completed
Dec 14 19:11:48 richard-netbook NetworkManager: <info>  VPN connection 'xx.xxx.xxx.xxx' (IP Config Get) complete.
Dec 14 19:11:48 richard-netbook NetworkManager: <info>  Policy set 'xx.xxx.xxx.xxx' (tun0) as default for routing and DNS.
Dec 14 19:11:48 richard-netbook NetworkManager: <info>  VPN plugin state changed: 4

# Client 2 syslog (Ubuntu laptop)

Code: Select all

Dec 14 22:26:29 richard-laptop NetworkManager: <info>  Starting VPN service 'org.freedesktop.NetworkManager.openvpn'...
Dec 14 22:26:29 richard-laptop NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 1995
Dec 14 22:26:29 richard-laptop NetworkManager: <info>  VPN service 'org.freedesktop.NetworkManager.openvpn' just appeared, activating connections
Dec 14 22:26:29 richard-laptop NetworkManager: <info>  VPN plugin state changed: 1
Dec 14 22:26:29 richard-laptop NetworkManager: <info>  VPN plugin state changed: 3
Dec 14 22:26:29 richard-laptop NetworkManager: <info>  VPN connection 'xx.xxx.xxx.xxx' (Connect) reply received.
Dec 14 22:26:29 richard-laptop nm-openvpn[2000]: OpenVPN 2.1.0 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Jul 20 2010
Dec 14 22:26:29 richard-laptop nm-openvpn[2000]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Dec 14 22:26:29 richard-laptop nm-openvpn[2000]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Dec 14 22:26:29 richard-laptop nm-openvpn[2000]: WARNING: file '/etc/openvpn/config/richard-laptop.key' is group or others accessible
Dec 14 22:26:29 richard-laptop nm-openvpn[2000]: /usr/bin/openssl-vulnkey -q -b 1024 -m <modulus omitted>
Dec 14 22:26:30 richard-laptop nm-openvpn[2000]: LZO compression initialized
Dec 14 22:26:30 richard-laptop nm-openvpn[2000]: UDPv4 link local: [undef]
Dec 14 22:26:30 richard-laptop nm-openvpn[2000]: UDPv4 link remote: [AF_INET]xx.xxx.xxx.xxx:1194
Dec 14 22:26:41 richard-laptop nm-openvpn[2000]: [server] Peer Connection Initiated with [AF_INET]xx.xxx.xxx.xxx:1194
Dec 14 22:26:44 richard-laptop nm-openvpn[2000]: Options error: unknown --redirect-gateway flag: bypass-dchp
Dec 14 22:26:44 richard-laptop nm-openvpn[2000]: TUN/TAP device tun0 opened
Dec 14 22:26:44 richard-laptop nm-openvpn[2000]: /sbin/ifconfig tun0 10.8.1.6 pointopoint 10.8.1.5 mtu 1500
Dec 14 22:26:44 richard-laptop NetworkManager:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Dec 14 22:26:44 richard-laptop NetworkManager:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Dec 14 22:26:44 richard-laptop nm-openvpn[2000]: /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper tun0 1500 1542 10.8.1.6 10.8.1.5 init
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  VPN connection 'xx.xxx.xxx.xxx' (IP Config Get) reply received.
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  VPN Gateway: xx.xxx.xxx.xxx
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  Internal Gateway: 10.8.1.5
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  Tunnel Device: tun0
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  Internal IP4 Address: 10.8.1.6
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  Internal IP4 Prefix: 32
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  Internal IP4 Point-to-Point Address: 10.8.1.5
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  Maximum Segment Size (MSS): 0
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  Static Route: 10.8.1.0/24   Next Hop: 10.8.1.0
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  Static Route: 10.8.1.1/32   Next Hop: 10.8.1.1
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  DNS Domain: '(none)'
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  Login Banner:
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  -----------------------------------------
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  (null)
Dec 14 22:26:44 richard-laptop NetworkManager: <info>  -----------------------------------------
Dec 14 22:26:44 richard-laptop nm-openvpn[2000]: Initialization Sequence Completed
Dec 14 22:26:45 richard-laptop NetworkManager: <info>  VPN connection 'xx.xxx.xxx.xxx' (IP Config Get) complete.
Dec 14 22:26:45 richard-laptop NetworkManager: <info>  Policy set 'xx.xxx.xxx.xxx' (tun0) as default for routing and DNS.
Dec 14 22:26:45 richard-laptop NetworkManager: <info>  VPN plugin state changed: 4

[Mimiko]

First, update client's OpenVPN to latest version.
Second:

Dec 14 19:11:47 richard-netbook nm-openvpn[6551]: Options error: unknown --redirect-gateway flag: bypass-dchp

You are connecting to some other server config, than you wrote in first post.

[orientalist]

First, update client's OpenVPN to latest version.

I have tried using:

Code: Select all

apt-get install openvpn

but this just installs 2.1.0.

I have also tried to compile the latest version from the openvpn-2.2.1.tar.gz but when I then check the version it still says 2.1.0

For the time being I will leave it as 2.1.0 (I need the VPN to view this forum as it is blocked in China).

Second:
Quote:
Dec 14 19:11:47 richard-netbook nm-openvpn[6551]: Options error: unknown --redirect-gateway flag: bypass-dchp

You are connecting to some other server config, than you wrote in first post.

I only have one server config file in the /etc/openvpn/ directory on the server and it is set up as above. Could you help me further to understand:

"Options error: unknown --redirect-gateway flag: bypass-dhcp"

I appreciate your response and any further help you can offer in relation to this.

[orientalist]

I just want to confirm that updating to the latest version of OpenVPN solved this problem for me.

In my case, I added the Oneiric sources to my Ubuntu 10.04 server and ran 'apt-get update'.

Thanks Mimiko and maikcat for replies.