Connects no errors but no data goes through tunnel

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

mrebbert
OpenVpn Newbie
Posts: 5
Joined: Sat Feb 26, 2011 2:04 am

Connects no errors but no data goes through tunnel

Post by mrebbert » Sun Feb 27, 2011 3:48 am

So I switched from OpenVPNAS to just OpenVPN, configured server (Fedora 14) and client side (Windows Vista Ultimate) and got them to connect, and I watch it go through the motions on both sides and I get no errors (had to run OpenVPN and OpenVPN GUI as admin to get that to work), but no traffic goes through the tunnel. When I go to dslreports and do a whois/IP it shows my non-VPN connection IP address (using my Moto Droid with PDANet to connect to my home VPN). When I do a tracert it shows it does not use my tunnel. It assigns 10.8.0.6 with a subnet 255.255.255.252 and a gateway of 10.8.0.5. Not sure where that is set though. Any insight? How do I get all traffic to go through the tunnel from my client? How do I get it to access shares on my home network 192.168.1.55?

Here is my server config. I added this one line before I had it working right and just left it in; not sure if it affects it: "push redirect-gateway 10.8.0.5"

port 1194
proto udp
dev tun
ca /home/Matthew/Downloads/openvpn-2.1.4/easy-rsa/2.0/keys/ca.crt
cert /home/Matthew/Downloads/openvpn-2.1.4/easy-rsa/2.0/keys/server.crt
key /home/Matthew/Downloads/openvpn-2.1.4/easy-rsa/2.0/keys/server.key # This file should be kept secret
dh /home/Matthew/Downloads/openvpn-2.1.4/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push redirect-gateway 10.8.0.5
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Connects no errors but no data goes through tunnel

Post by Bebop » Sun Feb 27, 2011 9:26 am

You're doing OK so far, and are on the right track. Let's break it down and solve one problem at a time.
  • Problem 1: you would like client traffic to go through the VPN. Which means, you can visit a website such as whatismyip.com from your client, and see the external IP of your VPN server. Am I understanding the first part of your problem correctly?
First:

push redirect-gateway 10.8.0.5

^ won't do anything.

The correct syntax is:

push "redirect-gateway def1"

The above code will redirect every client's traffic through the VPN. Next will be a proper IPTABLES or firewall setup, because OpenVPN itself does not do forwarding.

Something like:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

--------------------------------------------------------------
With the above done. Take a break. Make sure it all works.
If not working, ask again how to get it working.
--------------------------------------------------------------
  • Problem 2: Understand the local IP addressing
mrebbert wrote:It assigns 10.8.0.6 with a subnet 255.255.255.252 and a gateway of 10.8.0.5. Not sure where that is set though. Any insight?
If you want an IP addressing scheme which is less mind boggling then add:

topology subnet
to your server.conf.

Then your default gateway will be 10.8.0.1, and your client IP's will automatically be assigned as 10.8.0.2, 10.8.0.3, 10.8.0.4, etc.
The cure for boredom is curiosity

mrebbert
OpenVpn Newbie
Posts: 5
Joined: Sat Feb 26, 2011 2:04 am

Re: Connects no errors but no data goes through tunnel

Post by mrebbert » Sun Feb 27, 2011 12:47 pm

So I did what you suggested and I am getting different results (so we are getting somewhere), however still no dice. So after removing my push statement and substituting yours, now nothing works but pings to the gateway (10.8.0.1) on the client laptop. I turned off iptables to see if that was it and it was not. Tracerts to websites fail because it cannot resolve. Tracerts to IPs in my home network (with the exception of 10.8.0.1) fail from 1 on. According to my Client.log on my laptop it is accepting 128.0.0.0 128.0.0.0 10.8.0.5 and 0.0.0.0 128.0.0.0 10.8.0.5, so I believe the route on my laptop is right. For whatever reason it is not getting directed when it gets through the tunnel (my belief). Any other ideas? Need to see any logs, configs, etc.? I know my VPN server can reach out to the internet because that's what I am using to post this.

The funny thing is when I was using OpenVPNAS all this worked. Flawlessly. The only problem is once my server would reboot OpenVPNAS would not come up because of MD5 issues I was never able to fix. I would have to uninstall and reinstall OpenVPNAS, which clearly is not a good solution.

After I gave up on OpenVPNAS I reloaded Fedora 14 and loaded OpenVPN community and I have had just as much heartache.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: Connects no errors but no data goes through tunnel

Post by janjust » Sun Feb 27, 2011 9:54 pm

If you're using OpenVPN on Fedora then make sure that SELinux is not interfering; for debugging purposes you're best off disabling SELinux altogether. A quick & dirty method for doing this is rebooting the box with the boot loader flag
selinux=0

mrebbert
OpenVpn Newbie
Posts: 5
Joined: Sat Feb 26, 2011 2:04 am

Re: Connects no errors but no data goes through tunnel

Post by mrebbert » Sun Feb 27, 2011 10:09 pm

Yeah I tried that too to no avail. I have given up and given in. I don't think OpenVPN is really designed for Fedora 14 yet. I am not sure if it is dependencies that it's not catching, or just incompatibilities. I have given up though. Over 30 hours have gone into trying to get a Linux VPN server, and while I am not a Linux SA I do perform a lot of Linux functions at work on RHEL 5.4 servers; I am a network engineer mainly. So I do think it's a bit silly that so much time has been wasted. I have ultimately given in and loaded Windows Vista on the box and will try OpenVPN all Windows (server and client). I expect that to go much smoother, plus I don't have to worry about setting up Linux to Windows file shares. Thanks for all the help though. And perhaps the Windows installs will give me headaches as well. For this thread though I am hitting the final nail in the coffin. :(

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Connects no errors but no data goes through tunnel

Post by Bebop » Mon Feb 28, 2011 4:46 am

mrebbert wrote:after removing my push statement and substituting yours now nothing works but pings to the gateway (10.8.0.1) on the client laptop
Definitely a good sign. To me that means the traffic is getting to the VPN server and getting no further ('good' means it's not bypassing the VPN completely as it did before). I would take it to suggest a firewall/forwarding problem on the VPN server.

mrebbert wrote:Need to see any logs, configs, etc...?
Server.conf and Client.conf and IPTABLES rules would be ideal. Not necessarily logs yet.

I can show you a default working setup. Compare it to your own:

Server.conf

port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log ./openvpn.log
verb 3
Client.conf

client
dev tun
proto udp
remote 333.333.333.333 #  <-- replace it with the public IP of VPN server
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key
ns-cert-type server

comp-lzo
verb 3
ping 10
ping-restart 60
firewall_setup_script.sh (chmod 755 and execute this from the command line)

#!/bin/sh
# Accept responses to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Respond to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept traceroutes
iptables -A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow all TUN
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

# Accept connections on 1194
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

# Apply forwarding
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

# Display
iptables -L -v
mrebbert wrote:I turned off iptables to see if that was it and it was not
A considerable under-estimate of the role which IPTABLES plays in achieving your goal. No IPTABLES = no forwarding. Not only do you need to enable IPTABLES, but you also need the specific FORWARD and MASQUERADE rules listed above. Unless you have the above rules in your IPTABLES already, then that is the reason for no dice.
Last edited by Bebop on Mon Feb 28, 2011 8:25 am, edited 1 time in total.
The cure for boredom is curiosity
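The two replies from Bebop above amount to a checklist: the redirect option pushed as one quoted string, forwarding enabled in the kernel, and FORWARD/MASQUERADE rules for the VPN subnet. The script below is an added example, not code from this thread or from the OpenVPN project: it audits those three points from saved copies of server.conf, /proc/sys/net/ipv4/ip_forward and iptables-save output, so it can be run against a box or against files copied off one. The function names, the mask_to_prefix helper and the file layout are my own choices; the rules it looks for are the ones Bebop lists.

```shell
#!/bin/sh
# Added example (not from the forum thread): audit the three prerequisites the
# replies above turn on. Inputs are plain files so the check runs on saved copies:
#   $1  server.conf
#   $2  file holding the contents of /proc/sys/net/ipv4/ip_forward ("0" or "1")
#   $3  file holding `iptables-save` output (assumed captured beforehand)
# Exit status is the number of failed checks (0 = everything present).

# 255.255.255.0 -> 24: count the set bits of each octet (helper, my own).
mask_to_prefix() {
    mask=$1 prefix=0
    old_ifs=$IFS; IFS=.; set -- $mask; IFS=$old_ifs
    for o in "$1" "$2" "$3" "$4"; do
        while [ "${o:-0}" -gt 0 ]; do
            prefix=$((prefix + (o & 1)))
            o=$((o >> 1))
        done
    done
    echo "$prefix"
}

audit_openvpn_forwarding() {
    conf=$1 ipfwd=$2 rules=$3
    failures=0

    # 1. The redirect option must be pushed as a single quoted string.
    if grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway[[:space:]]+def1' "$conf"; then
        echo 'ok   : push "redirect-gateway def1" found'
    else
        echo 'FAIL : no push "redirect-gateway def1" line'
        grep -Eq '^[[:space:]]*push[[:space:]]+redirect-gateway' "$conf" &&
            echo '       (an unquoted "push redirect-gateway ..." line is present; quote the option)'
        failures=$((failures + 1))
    fi

    # Informational only: without "topology subnet" OpenVPN hands out /30 pairs
    # (the 10.8.0.5 / 10.8.0.6 addressing asked about in the first post).
    grep -Eq '^[[:space:]]*topology[[:space:]]+subnet' "$conf" ||
        echo 'note : no "topology subnet"; clients get net30 /30 pairs'

    # 2. Kernel forwarding must be on, or nothing leaves the tun interface.
    if [ "$(tr -d '[:space:]' < "$ipfwd")" = 1 ]; then
        echo 'ok   : net.ipv4.ip_forward = 1'
    else
        echo 'FAIL : net.ipv4.ip_forward is not 1'
        failures=$((failures + 1))
    fi

    # Derive the VPN subnet in CIDR form from the "server <net> <mask>" line.
    set -- $(grep -E '^[[:space:]]*server[[:space:]]' "$conf" | head -n 1)
    if [ -z "$3" ]; then
        echo 'FAIL : no "server <net> <mask>" line; skipping rule checks'
        return $((failures + 1))
    fi
    cidr="$2/$(mask_to_prefix "$3")"

    # 3. NAT: replies from the internet must come back to the VPN server.
    if grep -E '^-A POSTROUTING ' "$rules" | grep -F -- "-s $cidr" | grep -Fq -- '-j MASQUERADE'; then
        echo "ok   : POSTROUTING MASQUERADE for $cidr"
    else
        echo "FAIL : no POSTROUTING MASQUERADE rule for $cidr"
        failures=$((failures + 1))
    fi

    # 4. FORWARD must accept packets sourced from the VPN subnet.
    if grep -E '^-A FORWARD ' "$rules" | grep -F -- "-s $cidr" | grep -Fq -- '-j ACCEPT'; then
        echo "ok   : FORWARD accepts traffic from $cidr"
    else
        echo "FAIL : no FORWARD ACCEPT rule for $cidr"
        failures=$((failures + 1))
    fi

    # 5. FORWARD must also let the return half of each connection through.
    if grep -E '^-A FORWARD ' "$rules" | grep -E 'RELATED,ESTABLISHED' | grep -Fq -- '-j ACCEPT'; then
        echo 'ok   : FORWARD accepts RELATED,ESTABLISHED'
    else
        echo 'FAIL : no FORWARD ACCEPT rule for RELATED,ESTABLISHED'
        failures=$((failures + 1))
    fi

    return "$failures"
}

# Usage: sh audit_vpn.sh server.conf /proc/sys/net/ipv4/ip_forward rules.txt
# (rules.txt produced beforehand with: iptables-save > rules.txt)
if [ "$#" -eq 3 ]; then
    audit_openvpn_forwarding "$1" "$2" "$3"
fi
```

Run against the first post's config and an empty rule set it reports five failures; against a config carrying `push "redirect-gateway def1"` plus the FORWARD and MASQUERADE rules from the script above, with ip_forward set to 1, it reports none. A REJECT at the end of FORWARD is deliberately not required, since the thread's problem is traffic that does not pass, not traffic that passes too freely.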

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: Connects no errors but no data goes through tunnel

Post by janjust » Mon Feb 28, 2011 8:22 am

I run OpenVPN 2.1.4 on Fedora 12, 13 and 14 without any issues, but I mostly use it in client mode; I will test it in 'server' mode today.
You're able to ping the VPN remote endpoint - that is a good start. Your routing table looks OK. Is IP forwarding enabled on the server? Is the firewall allowing inbound traffic on tun+? Forwarding traffic on tun+ ?
For debugging purposes, try

echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/iptables stop
(provided that your default firewall policy is not DROP)
