[Solved] Connects enrypted but ISP can still read traffic

[FUjZxe]

Hey,

I configured my own VPN Server and can sucessfully connect to it:

Client LOG:

Code: Select all

Fri Aug 31 17:30:44 2018 NOTE: --user option is not implemented on Windows
Fri Aug 31 17:30:44 2018 NOTE: --group option is not implemented on Windows
Fri Aug 31 17:30:44 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Fri Aug 31 17:30:44 2018 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Aug 31 17:30:44 2018 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Fri Aug 31 17:30:44 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Fri Aug 31 17:30:44 2018 Need hold release from management interface, waiting...
Fri Aug 31 17:30:44 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Fri Aug 31 17:30:44 2018 MANAGEMENT: CMD 'state on'
Fri Aug 31 17:30:44 2018 MANAGEMENT: CMD 'log all on'
Fri Aug 31 17:30:44 2018 MANAGEMENT: CMD 'echo all on'
Fri Aug 31 17:30:44 2018 MANAGEMENT: CMD 'bytecount 5'
Fri Aug 31 17:30:44 2018 MANAGEMENT: CMD 'hold off'
Fri Aug 31 17:30:44 2018 MANAGEMENT: CMD 'hold release'
Fri Aug 31 17:30:44 2018 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Aug 31 17:30:44 2018 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Aug 31 17:30:44 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]35.185.54.105:1194
Fri Aug 31 17:30:44 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Aug 31 17:30:44 2018 UDP link local: (not bound)
Fri Aug 31 17:30:44 2018 UDP link remote: [AF_INET]35.185.54.105:1194
Fri Aug 31 17:30:44 2018 MANAGEMENT: >STATE:1535729444,WAIT,,,,,,
Fri Aug 31 17:30:44 2018 MANAGEMENT: >STATE:1535729444,AUTH,,,,,,
Fri Aug 31 17:30:44 2018 TLS: Initial packet from [AF_INET]35.185.54.105:1194, sid=67916b4c e101bc5c
Fri Aug 31 17:30:45 2018 VERIFY OK: depth=1, C=US, ST=CA, L=Berkeley, O=TheImperium, OU=StormTroopers, CN=TheImperium CA, name=gh1server, emailAddress=nomail@here.com
Fri Aug 31 17:30:45 2018 VERIFY KU OK
Fri Aug 31 17:30:45 2018 Validating certificate extended key usage
Fri Aug 31 17:30:45 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Aug 31 17:30:45 2018 VERIFY EKU OK
Fri Aug 31 17:30:45 2018 VERIFY OK: depth=0, C=US, ST=CA, L=Berkeley, O=TheImperium, OU=StormTroopers, CN=server, name=gh1server, emailAddress=nomail@here.com
Fri Aug 31 17:30:45 2018 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Aug 31 17:30:45 2018 [server] Peer Connection Initiated with [AF_INET]35.185.54.105:1194
Fri Aug 31 17:30:46 2018 MANAGEMENT: >STATE:1535729446,GET_CONFIG,,,,,,
Fri Aug 31 17:30:46 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Aug 31 17:30:46 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9,peer-id 1,cipher AES-256-GCM'
Fri Aug 31 17:30:46 2018 OPTIONS IMPORT: timers and/or timeouts modified
Fri Aug 31 17:30:46 2018 OPTIONS IMPORT: --ifconfig/up options modified
Fri Aug 31 17:30:46 2018 OPTIONS IMPORT: route options modified
Fri Aug 31 17:30:46 2018 OPTIONS IMPORT: peer-id set
Fri Aug 31 17:30:46 2018 OPTIONS IMPORT: adjusting link_mtu to 1624
Fri Aug 31 17:30:46 2018 OPTIONS IMPORT: data channel crypto options modified
Fri Aug 31 17:30:46 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Aug 31 17:30:46 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 31 17:30:46 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 31 17:30:46 2018 interactive service msg_channel=628
Fri Aug 31 17:30:46 2018 ROUTE_GATEWAY 192.168.8.1/255.255.255.0 I=21 HWADDR=00:1f:1f:46:83:22
Fri Aug 31 17:30:46 2018 open_tun
Fri Aug 31 17:30:46 2018 TAP-WIN32 device [Ethernet 5] opened: \\.\Global\{AB0CE83A-E33C-4EF2-9A71-4F85B5597C56}.tap
Fri Aug 31 17:30:46 2018 TAP-Windows Driver Version 9.21 
Fri Aug 31 17:30:46 2018 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.10/255.255.255.252 on interface {AB0CE83A-E33C-4EF2-9A71-4F85B5597C56} [DHCP-serv: 10.8.0.9, lease-time: 31536000]
Fri Aug 31 17:30:46 2018 Successful ARP Flush on interface [17] {AB0CE83A-E33C-4EF2-9A71-4F85B5597C56}
Fri Aug 31 17:30:46 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Aug 31 17:30:46 2018 MANAGEMENT: >STATE:1535729446,ASSIGN_IP,,10.8.0.10,,,,
Fri Aug 31 17:30:51 2018 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Fri Aug 31 17:30:51 2018 C:\WINDOWS\system32\route.exe ADD 35.185.54.105 MASK 255.255.255.255 192.168.8.1
Fri Aug 31 17:30:51 2018 Route addition via service succeeded
Fri Aug 31 17:30:51 2018 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.9
Fri Aug 31 17:30:51 2018 Route addition via service succeeded
Fri Aug 31 17:30:51 2018 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.9
Fri Aug 31 17:30:51 2018 Route addition via service succeeded
Fri Aug 31 17:30:51 2018 MANAGEMENT: >STATE:1535729451,ADD_ROUTES,,,,,,
Fri Aug 31 17:30:51 2018 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.9
Fri Aug 31 17:30:51 2018 Route addition via service succeeded
Fri Aug 31 17:30:51 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Aug 31 17:30:51 2018 Initialization Sequence Completed
Fri Aug 31 17:30:51 2018 MANAGEMENT: >STATE:1535729451,CONNECTED,SUCCESS,10.8.0.10,35.185.54.105,1194,,
Fri Aug 31 17:32:38 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #6427 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Fri Aug 31 17:32:38 2018 AEAD Decrypt error: bad packet ID (may be a replay): [ #6428 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Server log:

Code: Select all

Fri Aug 31 15:30:43 2018 109.40.2.25:3011 TLS: Initial packet from [AF_INET]109.40.2.25:3011, sid=3ddf0f93 b4069bab
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 VERIFY OK: depth=1, C=US, ST=CA, L=Berkeley, O=TheImperium, OU=StormTroopers, CN=TheImperium CA, name=gh1server, emailAddress=nomail@here.com
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 VERIFY OK: depth=0, C=US, ST=CA, L=Berkeley, O=TheImperium, OU=StormTroopers, CN=client2, name=gh1server, emailAddress=nomail@here.com
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 peer info: IV_VER=2.4.6
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 peer info: IV_PLAT=win
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 peer info: IV_PROTO=2
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 peer info: IV_NCP=2
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 peer info: IV_LZ4=1
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 peer info: IV_LZ4v2=1
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 peer info: IV_LZO=1
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 peer info: IV_COMP_STUB=1
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 peer info: IV_COMP_STUBv2=1
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 peer info: IV_TCPNL=1
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 peer info: IV_GUI_VER=OpenVPN_GUI_11
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Aug 31 15:30:43 2018 109.40.2.25:3011 [client2] Peer Connection Initiated with [AF_INET]109.40.2.25:3011
Fri Aug 31 15:30:43 2018 MULTI: new connection by client 'client2' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Fri Aug 31 15:30:43 2018 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
Fri Aug 31 15:30:43 2018 MULTI: Learn: 10.8.0.10 -> client2/109.40.2.25:3011
Fri Aug 31 15:30:43 2018 MULTI: primary virtual IP for client2/109.40.2.25:3011: 10.8.0.10
Fri Aug 31 15:30:44 2018 client2/109.40.2.25:3011 PUSH: Received control message: 'PUSH_REQUEST'
Fri Aug 31 15:30:44 2018 client2/109.40.2.25:3011 SENT CONTROL [client2]: 'PUSH_REPLY,redirect-gateway def1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9,peer-id 1,cipher AES-256-GCM' (status=1)
Fri Aug 31 15:30:44 2018 client2/109.40.2.25:3011 Data Channel: using negotiated cipher 'AES-256-GCM'
Fri Aug 31 15:30:44 2018 client2/109.40.2.25:3011 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 31 15:30:44 2018 client2/109.40.2.25:3011 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Fri Aug 31 15:55:14 2018 client2/109.40.2.25:3011 [client2] Inactivity timeout (--ping-restart), restarting
Fri Aug 31 15:55:14 2018 client2/109.40.2.25:3011 SIGUSR1[soft,ping-restart] received, client-instance restarting

My ip is changed to another US-IP (I connect from Germany):


But when I try to connect to a site (for reading scientific papers) which is blocked by my ISP (for copyright reasons) I see their webblock page instead of the desired page. That is surprising because I thought that my traffic is encrypted and cannot be read by my ISP. But it seems that I did not configure it properly but I do not know what to change. The log file says that the connection is encrypted and it seems that my IP also changed?!


My server configuration is as following:

View Originalserver

1

#################################################

2

3

# Sample OpenVPN 2.0 config file for #

4

5

# multi-client server. #

6

7

# #

8

9

# This file is for the server side #

10

11

# of a many-clients <-> one-server #

12

13

# OpenVPN configuration. #

14

15

# #

16

17

# OpenVPN also supports #

18

19

# single-machine <-> single-machine #

20

21

# configurations (See the Examples page #

22

23

# on the web site for more info). #

24

25

# #

26

27

# This config should work on Windows #

28

29

# or Linux/BSD systems. Remember on #

30

31

# Windows to quote pathnames and use #

32

33

# double backslashes, e.g.: #

34

35

# "C:\\Program Files\\OpenVPN\\config\\foo.key" #

36

37

# #

38

39

# Comments are preceded with '#' or ';' #

40

41

#################################################

42

43

44

45

# Which local IP address should OpenVPN

46

47

# listen on? (optional)

48

49

;local a.b.c.d

50

51

52

53

# Which TCP/UDP port should OpenVPN listen on?

54

55

# If you want to run multiple OpenVPN instances

56

57

# on the same machine, use a different port

58

59

# number for each one. You will need to

60

61

# open up this port on your firewall.

62

63

port 1194

64

65

66

67

# TCP or UDP server?

68

69

;proto tcp

70

71

proto udp

72

73

74

75

# "dev tun" will create a routed IP tunnel,

76

77

# "dev tap" will create an ethernet tunnel.

78

79

# Use "dev tap0" if you are ethernet bridging

80

81

# and have precreated a tap0 virtual interface

82

83

# and bridged it with your ethernet interface.

84

85

# If you want to control access policies

86

87

# over the VPN, you must create firewall

88

89

# rules for the the TUN/TAP interface.

90

91

# On non-Windows systems, you can give

92

93

# an explicit unit number, such as tun0.

94

95

# On Windows, use "dev-node" for this.

96

97

# On most systems, the VPN will not function

98

99

# unless you partially or fully disable

100

101

# the firewall for the TUN/TAP interface.

102

103

;dev tap

104

105

dev tun

106

107

108

109

# Windows needs the TAP-Win32 adapter name

110

111

# from the Network Connections panel if you

112

113

# have more than one. On XP SP2 or higher,

114

115

# you may need to selectively disable the

116

117

# Windows firewall for the TAP adapter.

118

119

# Non-Windows systems usually don't need this.

120

121

;dev-node MyTap

122

123

124

125

# SSL/TLS root certificate (ca), certificate

126

127

# (cert), and private key (key). Each client

128

129

# and the server must have their own cert and

130

131

# key file. The server and all clients will

132

133

# use the same ca file.

134

135

#

136

137

# See the "easy-rsa" directory for a series

138

139

# of scripts for generating RSA certificates

140

141

# and private keys. Remember to use

142

143

# a unique Common Name for the server

144

145

# and each of the client certificates.

146

147

#

148

149

# Any X509 key management system can be used.

150

151

# OpenVPN can also use a PKCS #12 formatted key file

152

153

# (see "pkcs12" directive in man page).

154

155

ca ca.crt

156

157

cert server.crt

158

159

key server.key # This file should be kept secret

160

161

162

163

# Diffie hellman parameters.

164

165

# Generate your own with:

166

167

# openssl dhparam -out dh2048.pem 2048

168

169

dh dh2048.pem

170

171

172

173

# Network topology

174

175

# Should be subnet (addressing via IP)

176

177

# unless Windows clients v2.0.9 and lower have to

178

179

# be supported (then net30, i.e. a /30 per client)

180

181

# Defaults to net30 (not recommended)

182

183

;topology subnet

184

185

186

187

# Configure server mode and supply a VPN subnet

188

189

# for OpenVPN to draw client addresses from.

190

191

# The server will take 10.8.0.1 for itself,

192

193

# the rest will be made available to clients.

194

195

# Each client will be able to reach the server

196

197

# on 10.8.0.1. Comment this line out if you are

198

199

# ethernet bridging. See the man page for more info.

200

201

server 10.8.0.0 255.255.255.0

202

203

204

205

# Maintain a record of client <-> virtual IP address

206

207

# associations in this file. If OpenVPN goes down or

208

209

# is restarted, reconnecting clients can be assigned

210

211

# the same virtual IP address from the pool that was

212

213

# previously assigned.

214

215

ifconfig-pool-persist ipp.txt

216

217

218

219

# Configure server mode for ethernet bridging.

220

221

# You must first use your OS's bridging capability

222

223

# to bridge the TAP interface with the ethernet

224

225

# NIC interface. Then you must manually set the

226

227

# IP/netmask on the bridge interface, here we

228

229

# assume 10.8.0.4/255.255.255.0. Finally we

230

231

# must set aside an IP range in this subnet

232

233

# (start=10.8.0.50 end=10.8.0.100) to allocate

234

235

# to connecting clients. Leave this line commented

236

237

# out unless you are ethernet bridging.

238

239

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

240

241

242

243

# Configure server mode for ethernet bridging

244

245

# using a DHCP-proxy, where clients talk

246

247

# to the OpenVPN server-side DHCP server

248

249

# to receive their IP address allocation

250

251

# and DNS server addresses. You must first use

252

253

# your OS's bridging capability to bridge the TAP

254

255

# interface with the ethernet NIC interface.

256

257

# Note: this mode only works on clients (such as

258

259

# Windows), where the client-side TAP adapter is

260

261

# bound to a DHCP client.

262

263

;server-bridge

264

265

266

267

# Push routes to the client to allow it

268

269

# to reach other private subnets behind

270

271

# the server. Remember that these

272

273

# private subnets will also need

274

275

# to know to route the OpenVPN client

276

277

# address pool (10.8.0.0/255.255.255.0)

278

279

# back to the OpenVPN server.

280

281

;push "route 192.168.10.0 255.255.255.0"

282

283

;push "route 192.168.20.0 255.255.255.0"

284

285

286

287

# To assign specific IP addresses to specific

288

289

# clients or if a connecting client has a private

290

291

# subnet behind it that should also have VPN access,

292

293

# use the subdirectory "ccd" for client-specific

294

295

# configuration files (see man page for more info).

296

297

298

299

# EXAMPLE: Suppose the client

300

301

# having the certificate common name "Thelonious"

302

303

# also has a small subnet behind his connecting

304

305

# machine, such as 192.168.40.128/255.255.255.248.

306

307

# First, uncomment out these lines:

308

309

;client-config-dir ccd

310

311

;route 192.168.40.128 255.255.255.248

312

313

# Then create a file ccd/Thelonious with this line:

314

315

# iroute 192.168.40.128 255.255.255.248

316

317

# This will allow Thelonious' private subnet to

318

319

# access the VPN. This example will only work

320

321

# if you are routing, not bridging, i.e. you are

322

323

# using "dev tun" and "server" directives.

324

325

326

327

# EXAMPLE: Suppose you want to give

328

329

# Thelonious a fixed VPN IP address of 10.9.0.1.

330

331

# First uncomment out these lines:

332

333

;client-config-dir ccd

334

335

;route 10.9.0.0 255.255.255.252

336

337

# Then add this line to ccd/Thelonious:

338

339

# ifconfig-push 10.9.0.1 10.9.0.2

340

341

342

343

# Suppose that you want to enable different

344

345

# firewall access policies for different groups

346

347

# of clients. There are two methods:

348

349

# (1) Run multiple OpenVPN daemons, one for each

350

351

# group, and firewall the TUN/TAP interface

352

353

# for each group/daemon appropriately.

354

355

# (2) (Advanced) Create a script to dynamically

356

357

# modify the firewall in response to access

358

359

# from different clients. See man

360

361

# page for more info on learn-address script.

362

363

;learn-address ./script

364

365

366

367

# If enabled, this directive will configure

368

369

# all clients to redirect their default

370

371

# network gateway through the VPN, causing

372

373

# all IP traffic such as web browsing and

374

375

# and DNS lookups to go through the VPN

376

377

# (The OpenVPN server machine may need to NAT

378

379

# or bridge the TUN/TAP interface to the internet

380

381

# in order for this to work properly).

382

383

;push "redirect-gateway def1 bypass-dhcp"

384

385

push "redirect-gateway def1"

386

387

388

389

# Certain Windows-specific network settings

390

391

# can be pushed to clients, such as DNS

392

393

# or WINS server addresses. CAVEAT:

394

395

# http://openvpn.net/faq.html#dhcpcaveats

396

397

# The addresses below refer to the public

398

399

# DNS servers provided by opendns.com.

400

401

;push "dhcp-option DNS 208.67.222.222"

402

403

;push "dhcp-option DNS 208.67.220.220"

404

405

406

407

# Uncomment this directive to allow different

408

409

# clients to be able to "see" each other.

410

411

# By default, clients will only see the server.

412

413

# To force clients to only see the server, you

414

415

# will also need to appropriately firewall the

416

417

# server's TUN/TAP interface.

418

419

;client-to-client

420

421

422

423

# Uncomment this directive if multiple clients

424

425

# might connect with the same certificate/key

426

427

# files or common names. This is recommended

428

429

# only for testing purposes. For production use,

430

431

# each client should have its own certificate/key

432

433

# pair.

434

435

#

436

437

# IF YOU HAVE NOT GENERATED INDIVIDUAL

438

439

# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,

440

441

# EACH HAVING ITS OWN UNIQUE "COMMON NAME",

442

443

# UNCOMMENT THIS LINE OUT.

444

445

;duplicate-cn

446

447

448

449

# The keepalive directive causes ping-like

450

451

# messages to be sent back and forth over

452

453

# the link so that each side knows when

454

455

# the other side has gone down.

456

457

# Ping every 10 seconds, assume that remote

458

459

# peer is down if no ping received during

460

461

# a 120 second time period.

462

463

keepalive 10 120

464

465

466

467

# For extra security beyond that provided

468

469

# by SSL/TLS, create an "HMAC firewall"

470

471

# to help block DoS attacks and UDP port flooding.

472

473

#

474

475

# Generate with:

476

477

# openvpn --genkey --secret ta.key

478

479

#

480

481

# The server and each client must have

482

483

# a copy of this key.

484

485

# The second parameter should be '0'

486

487

# on the server and '1' on the clients.

488

489

tls-auth ta.key 0 # This file is secret

490

491

key-direction 0

492

493

494

495

# Select a cryptographic cipher.

496

497

# This config item must be copied to

498

499

# the client config file as well.

500

501

# Note that 2.4 client/server will automatically

502

503

# negotiate AES-256-GCM in TLS mode.

504

505

# See also the ncp-cipher option in the manpage

506

507

cipher AES-128-CBC

508

509

auth SHA256

510

511

512

513

# Enable compression on the VPN link and push the

514

515

# option to the client (2.4+ only, for earlier

516

517

# versions see below)

518

519

;compress lz4-v2

520

521

;push "compress lz4-v2"

522

523

524

525

# For compression compatible with older clients use comp-lzo

526

527

# If you enable it here, you must also

528

529

# enable it in the client config file.

530

531

;comp-lzo

532

533

534

535

# The maximum number of concurrently connected

536

537

# clients we want to allow.

538

539

;max-clients 100

540

541

542

543

# It's a good idea to reduce the OpenVPN

544

545

# daemon's privileges after initialization.

546

547

#

548

549

# You can uncomment this out on

550

551

# non-Windows systems.

552

553

user nobody

554

555

group nogroup

556

557

558

559

# The persist options will try to avoid

560

561

# accessing certain resources on restart

562

563

# that may no longer be accessible because

564

565

# of the privilege downgrade.

566

567

persist-key

568

569

persist-tun

570

571

572

573

# Output a short status file showing

574

575

# current connections, truncated

576

577

# and rewritten every minute.

578

579

status openvpn-status.log

580

581

582

583

# By default, log messages will go to the syslog (or

584

585

# on Windows, if running as a service, they will go to

586

587

# the "\Program Files\OpenVPN\log" directory).

588

589

# Use log or log-append to override this default.

590

591

# "log" will truncate the log file on OpenVPN startup,

592

593

# while "log-append" will append to it. Use one

594

595

# or the other (but not both).

596

597

;log openvpn.log

598

599

log-append openvpn.log

600

601

602

603

# Set the appropriate level of log

604

605

# file verbosity.

606

607

#

608

609

# 0 is silent, except for fatal errors

610

611

# 4 is reasonable for general usage

612

613

# 5 and 6 can help to debug connection problems

614

615

# 9 is extremely verbose

616

617

verb 3

618

619

620

621

# Silence repeating messages. At most 20

622

623

# sequential messages of the same message

624

625

# category will be output to the log.

626

627

;mute 20

628

629

630

631

# Notify the client that when the server restarts so it

632

633

# can automatically reconnect.

634

1

port 1194

2

proto udp

3

dev tun

4

ca ca.crt

5

cert server.crt

6

key server.key

7

dh dh2048.pem

8

server 10.8.0.0 255.255.255.0

9

ifconfig-pool-persist ipp.txt

10

push "redirect-gateway def1"

11

keepalive 10 120

12

tls-auth ta.key 0

13

key-direction 0

14

cipher AES-128-CBC

15

auth SHA256

16

user nobody

17

group nogroup

18

persist-key

19

persist-tun

20

status openvpn-status.log

21

log-append openvpn.log

22

verb 3

And my client configuration as following:

View Originalclient

1

2

3

##############################################

4

5

# Sample client-side OpenVPN 2.0 config file #

6

7

# for connecting to multi-client server. #

8

9

# #

10

11

# This configuration can be used by multiple #

12

13

# clients, however each client should have #

14

15

# its own cert and key files. #

16

17

# #

18

19

# On Windows, you might want to rename this #

20

21

# file so it has a .ovpn extension #

22

23

##############################################

24

25

26

27

# Specify that we are a client and that we

28

29

# will be pulling certain config file directives

30

31

# from the server.

32

33

client

34

35

36

37

# Use the same setting as you are using on

38

39

# the server.

40

41

# On most systems, the VPN will not function

42

43

# unless you partially or fully disable

44

45

# the firewall for the TUN/TAP interface.

46

47

;dev tap

48

49

dev tun

50

51

52

53

# Windows needs the TAP-Win32 adapter name

54

55

# from the Network Connections panel

56

57

# if you have more than one. On XP SP2,

58

59

# you may need to disable the firewall

60

61

# for the TAP adapter.

62

63

;dev-node MyTap

64

65

66

67

# Are we connecting to a TCP or

68

69

# UDP server? Use the same setting as

70

71

# on the server.

72

73

;proto tcp

74

75

proto udp

76

77

78

79

# The hostname/IP and port of the server.

80

81

# You can have multiple remote entries

82

83

# to load balance between the servers.

84

85

remote 35.185.54.105

86

87

;remote my-server-2 1194

88

89

90

91

# Choose a random host from the remote

92

93

# list for load-balancing. Otherwise

94

95

# try hosts in the order specified.

96

97

;remote-random

98

99

100

101

# Keep trying indefinitely to resolve the

102

103

# host name of the OpenVPN server. Very useful

104

105

# on machines which are not permanently connected

106

107

# to the internet such as laptops.

108

109

resolv-retry infinite

110

111

112

113

# Most clients don't need to bind to

114

115

# a specific local port number.

116

117

nobind

118

119

120

121

# Downgrade privileges after initialization (non-Windows only)

122

123

user nobody

124

125

group nogroup

126

127

128

129

# Try to preserve some state across restarts.

130

131

persist-key

132

133

persist-tun

134

135

136

137

# If you are connecting through an

138

139

# HTTP proxy to reach the actual OpenVPN

140

141

# server, put the proxy server/IP and

142

143

# port number here. See the man page

144

145

# if your proxy server requires

146

147

# authentication.

148

149

;http-proxy-retry # retry on connection failures

150

151

;http-proxy [proxy server] [proxy port #]

152

153

154

155

# Wireless networks often produce a lot

156

157

# of duplicate packets. Set this flag

158

159

# to silence duplicate packet warnings.

160

161

;mute-replay-warnings

162

163

164

165

# SSL/TLS parms.

166

167

# See the server config file for more

168

169

# description. It's best to use

170

171

# a separate .crt/.key file pair

172

173

# for each client. A single ca

174

175

# file can be used for all clients.

176

177

#ca ca.crt

178

179

#cert client.crt

180

181

#key client.key

182

183

184

185

# Verify server certificate by checking that the

186

187

# certicate has the correct key usage set.

188

189

# This is an important precaution to protect against

190

191

# a potential attack discussed here:

192

193

# http://openvpn.net/howto.html#mitm

194

195

#

196

197

# To use this feature, you will need to generate

198

199

# your server certificates with the keyUsage set to

200

201

# digitalSignature, keyEncipherment

202

203

# and the extendedKeyUsage to

204

205

# serverAuth

206

207

# EasyRSA can do this for you.

208

209

remote-cert-tls server

210

211

212

213

# If a tls-auth key is used on the server

214

215

# then every client must also have the key.

216

217

tls-auth ta.key 1

218

219

220

221

# Select a cryptographic cipher.

222

223

# If the cipher option is used on the server

224

225

# then you must also specify it here.

226

227

# Note that 2.4 client/server will automatically

228

229

# negotiate AES-256-GCM in TLS mode.

230

231

# See also the ncp-cipher option in the manpage

232

233

cipher AES-128-CBC

234

235

auth SHA256

236

237

key-direction 1

238

239

# Enable compression on the VPN link.

240

241

# Don't enable this unless it is also

242

243

# enabled in the server config file.

244

245

#comp-lzo

246

247

248

249

# Set log file verbosity.

250

251

verb 3

252

253

254

255

# Silence repeating messages

256

257

;mute 20

258

259

260

261

# script-security 2

262

263

# up /etc/openvpn/update-resolv-conf

264

265

# down /etc/openvpn/update-resolv-conf

266

267

<ca>

268

--STRIPPED INLINE CA CERT--

269

</ca>

270

271

<cert>

272

--STRIPPED INLINE CERT--

273

</cert>

274

275

<key>

276

--STRIPPED INLINE KEY--

277

</key>

278

279

<tls-auth>

280

--STRIPPED INLINE TLS-AUTH KEY--

1

client

2

dev tun

3

proto udp

4

remote 35.185.54.105

5

resolv-retry infinite

6

nobind

7

user nobody

8

group nogroup

9

persist-key

10

persist-tun

11

remote-cert-tls server

12

tls-auth ta.key 1

13

cipher AES-128-CBC

14

auth SHA256

15

key-direction 1

16

verb 3

17

<ca>

18

--STRIPPED INLINE CA CERT--

19

</ca>

20

<cert>

21

--STRIPPED INLINE CERT--

22

</cert>

23

<key>

24

--STRIPPED INLINE KEY--

25

</key>

26

<tls-auth>

27

--STRIPPED INLINE TLS-AUTH KEY--

When my server boots up I use the command

Code: Select all

sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens4 -j MASQUERADE

to route the traffic through the VPN according to this how to: https://openvpn.net/index.php/open-sour ... l#redirect

[TinCanTech]

Your traffic is encrypted and your gateway is redirected ..

But your DNS is still local .. push a global DNS like google's 8.8.8.8

[FUjZxe]

Thank you, this worked.

I uncommented these two lines in the server configuration:

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"