Not routing through openvpn connection

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Moderators: TinCanTech

rdrifter
OpenVpn Newbie
Posts: 8
Joined: Thu Mar 21, 2013 2:49 pm

Not routing through openvpn connection

Post by rdrifter » Thu Mar 21, 2013 2:58 pm

I set up an OpenVPN server on a Debian Squeeze system, and when I connect to it from my office LAN everything seems to be OK.

But when I connect to my domain it is not working. I did a tracert for my domain and for Google; for Google it's taking the correct path, as it's using the OpenVPN gateway.
>tracert google.com

Tracing route to google.com [173.194.70.113]
over a maximum of 30 hops:

1 25 ms 23 ms 25 ms 10.8.0.1
2 27 ms 26 ms 25 ms speedport.ip [192.168.0.1]

But when I do the same for my domain it's using the office internet.
>tracert mydomain.com

Tracing route to mydomain.com [xxx.xxx.xx.x]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms actsd01-eth6-XXXXXX [10.49.0.241]
2 1 ms 1 ms 1 ms port-static.xx.be [xx.xx.xx.xx]

Please help me to troubleshoot this.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Not routing through openvpn connection

Post by maikcat » Thu Mar 21, 2013 3:12 pm

post configs, a simple diagram of your network, what OS is used, etc.

Michael.
Amiga 500, ZX +2 owner
Long live Dino Dini (Kick Off 2 creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"


Post by rdrifter » Thu Mar 21, 2013 3:28 pm

Server OS is Debian 6 and client is Windows 7.

server.conf

Code: Select all

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
max-clients 1
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3
push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"

client.conf

Code: Select all

client
dev tun
proto tcp
remote mydomain.com 80
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
ns-cert-type server
comp-lzo
verb 3

Please note that mydomain.com is pointing to the same system where OpenVPN is installed.


Post by maikcat » Fri Mar 22, 2013 8:45 am

hi there,

first remove these from your server config:

Code: Select all

push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"

can you post the output of:

iptables -L -t nat -v

on your openvpn server and

netstat -nr

on your client after you connect.

Michael.


Post by rdrifter » Thu Mar 28, 2013 2:31 pm

The lines below are removed from server.conf, but if I remove these lines I don't get any gateway on my client.

Code: Select all

push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"

output for "iptables -L -t nat -v" command from server

Code: Select all

# iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 58344 packets, 5870K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 28488 packets, 1816K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5626  305K MASQUERADE  all  --  any    eth0    10.8.0.0/24          anywhere

Chain OUTPUT (policy ACCEPT 9035 packets, 961K bytes)
 pkts bytes target     prot opt in     out     source               destination

output of "netstat -nr" command from server

Code: Select all

# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0


Post by maikcat » Thu Mar 28, 2013 2:38 pm

hi there,

your server config has:

Code: Select all

push "redirect-gateway def1"

so your client should get new default gateway..
can you post the output of:

iptables -L -t nat -v

on your openvpn server and

netstat -nr

on your client after you connect.
output of iptables ...ok
output of netstat -nr on CLIENT...?? (after vpn is up).

please also post log from client.

regards
Michael.


Post by rdrifter » Thu Mar 28, 2013 2:53 pm

But unfortunately I am not getting a default gateway after removing those lines.

Here is the netstat -nr output from the client system. 10.8.0.0 is OpenVPN and 10.49.0.0 is the office internal IP.

The 10th line under IPv4 is the IP address of my home server, but the gateway for that is the office gateway. I am not sure if it's correct or not.

Code: Select all

===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.49.0.26       10.49.1.38    266
          0.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     30
         10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6     30
         10.8.0.4  255.255.255.252         On-link          10.8.0.6    286
         10.8.0.6  255.255.255.255         On-link          10.8.0.6    286
         10.8.0.7  255.255.255.255         On-link          10.8.0.6    286
        10.49.0.0      255.255.0.0         On-link        10.49.1.38    266
       10.49.1.38  255.255.255.255         On-link        10.49.1.38    266
    10.49.255.255  255.255.255.255         On-link        10.49.1.38    266
    78.235.123.189  255.255.255.255       10.49.0.26       10.49.1.38     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6     30
      169.254.0.0      255.255.0.0         On-link        10.49.1.38    306
      169.254.0.0      255.255.0.0         On-link          10.8.0.6    306
  169.254.255.255  255.255.255.255         On-link        10.49.1.38    266
  169.254.255.255  255.255.255.255         On-link          10.8.0.6    286
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.49.1.38    266
        224.0.0.0        240.0.0.0         On-link          10.8.0.6    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.49.1.38    266
  255.255.255.255  255.255.255.255         On-link          10.8.0.6    286
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       10.49.0.26  Default
===========================================================================


Post by maikcat » Thu Mar 28, 2013 2:58 pm

===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.49.0.26 10.49.1.38 266
0.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 30

yes you DO get default gateway...
please read about the def1 statement...;)

can you do a tracert to 8.8.8.8 and post the output here?

Michael.


Post by rdrifter » Thu Mar 28, 2013 3:05 pm

here is the client.log

Code: Select all

Thu Mar 28 15:05:11 2013 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Mar  7 2013
Enter Management Password:
Thu Mar 28 15:05:11 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Mar 28 15:05:11 2013 Need hold release from management interface, waiting...
Thu Mar 28 15:05:12 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Mar 28 15:05:12 2013 MANAGEMENT: CMD 'state on'
Thu Mar 28 15:05:12 2013 MANAGEMENT: CMD 'log all on'
Thu Mar 28 15:05:12 2013 MANAGEMENT: CMD 'hold off'
Thu Mar 28 15:05:12 2013 MANAGEMENT: CMD 'hold release'
Thu Mar 28 15:05:12 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Mar 28 15:05:12 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Mar 28 15:05:12 2013 MANAGEMENT: >STATE:1364479512,RESOLVE,,,
Thu Mar 28 15:05:12 2013 Attempting to establish TCP connection with [AF_INET]78.235.123.189:80
Thu Mar 28 15:05:12 2013 MANAGEMENT: >STATE:1364479512,TCP_CONNECT,,,
Thu Mar 28 15:05:12 2013 TCP connection established with [AF_INET]78.235.123.189:80
Thu Mar 28 15:05:12 2013 TCPv4_CLIENT link local: [undef]
Thu Mar 28 15:05:12 2013 TCPv4_CLIENT link remote: [AF_INET]78.235.123.189:80
Thu Mar 28 15:05:12 2013 MANAGEMENT: >STATE:1364479512,WAIT,,,
Thu Mar 28 15:05:13 2013 MANAGEMENT: >STATE:1364479513,AUTH,,,
Thu Mar 28 15:05:13 2013 TLS: Initial packet from [AF_INET]78.235.123.189:80, sid=a435ab18 7d983f32
Thu Mar 28 15:05:13 2013 VERIFY OK: depth=1, C=DE, ST=SH, L=Hamburg, O=XXX-XXXX, CN=XXX-XXXX CA, emailAddress=my.email.address
Thu Mar 28 15:05:13 2013 VERIFY OK: nsCertType=SERVER
Thu Mar 28 15:05:13 2013 VERIFY OK: depth=0, C=DE, ST=SH, L=Hamburg, O=XXX-XXXX, CN=xxxxxx, emailAddress=my.email.address
Thu Mar 28 15:05:14 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 28 15:05:14 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 28 15:05:14 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 28 15:05:14 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 28 15:05:14 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Mar 28 15:05:14 2013 [xxxxxx] Peer Connection Initiated with [AF_INET]78.235.123.189:80
Thu Mar 28 15:05:16 2013 MANAGEMENT: >STATE:1364479516,GET_CONFIG,,,
Thu Mar 28 15:05:17 2013 SENT CONTROL [xxxxxx]: 'PUSH_REQUEST' (status=1)
Thu Mar 28 15:05:17 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Thu Mar 28 15:05:17 2013 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar 28 15:05:17 2013 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar 28 15:05:17 2013 OPTIONS IMPORT: route options modified
Thu Mar 28 15:05:17 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Mar 28 15:05:17 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Mar 28 15:05:17 2013 MANAGEMENT: >STATE:1364479517,ASSIGN_IP,,10.8.0.6,
Thu Mar 28 15:05:17 2013 open_tun, tt->ipv6=0
Thu Mar 28 15:05:17 2013 TAP-WIN32 device [xxxxxx] opened: \\.\Global\{4A5C54D3-89FE-4172-B027-48FBBAA09BFC}.tap
Thu Mar 28 15:05:17 2013 TAP-Windows Driver Version 9.9 
Thu Mar 28 15:05:17 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {4A5C54D3-89FE-4172-B027-48FBBAA09BFC} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Thu Mar 28 15:05:17 2013 Successful ARP Flush on interface [40] {4A5C54D3-89FE-4172-B027-48FBBAA09BFC}
Thu Mar 28 15:05:22 2013 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Thu Mar 28 15:05:22 2013 Route: Waiting for TUN/TAP interface to come up...
Thu Mar 28 15:05:27 2013 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Thu Mar 28 15:05:27 2013 C:\Windows\system32\route.exe ADD 78.235.123.189 MASK 255.255.255.255 10.49.0.26
Thu Mar 28 15:05:27 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Thu Mar 28 15:05:27 2013 Route addition via IPAPI succeeded [adaptive]
Thu Mar 28 15:05:27 2013 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Thu Mar 28 15:05:27 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 28 15:05:27 2013 Route addition via IPAPI succeeded [adaptive]
Thu Mar 28 15:05:27 2013 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Thu Mar 28 15:05:27 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 28 15:05:27 2013 Route addition via IPAPI succeeded [adaptive]
Thu Mar 28 15:05:27 2013 MANAGEMENT: >STATE:1364479527,ADD_ROUTES,,,
Thu Mar 28 15:05:27 2013 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Thu Mar 28 15:05:27 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 28 15:05:27 2013 Route addition via IPAPI succeeded [adaptive]
Thu Mar 28 15:05:27 2013 Initialization Sequence Completed
Thu Mar 28 15:05:27 2013 MANAGEMENT: >STATE:1364479527,CONNECTED,SUCCESS,10.8.0.6,78.235.123.189


Post by rdrifter » Thu Mar 28, 2013 3:11 pm

Code: Select all

C:\>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1   300 ms   321 ms   183 ms  10.8.0.1
  2   178 ms   386 ms   420 ms  home.router [192.168.0.1]
  3   275 ms   385 ms   273 ms  217.0.119.35
  4   149 ms   147 ms   152 ms  217.0.65.210
  5   133 ms   269 ms   139 ms  f-ed6-i.F.DE.NET.DTAG.DE [62.156.131.250]
  6   446 ms   169 ms   337 ms  80.150.169.118
  7   136 ms   129 ms   133 ms  209.85.248.12
  8   123 ms   163 ms   158 ms  72.14.239.60
  9    96 ms    92 ms   106 ms  209.85.254.114
 10     *        *        *     Request timed out.
 11   116 ms   123 ms   137 ms  google-public-dns-a.google.com [8.8.8.8]

Trace complete.

C:\>


Post by rdrifter » Thu Mar 28, 2013 3:25 pm

This is the result of DNS test from https://www.dns-oarc.net/oarc/services/dnsentropy

DNS Resolver(s) Tested:

212.203.218.15 (dns1.office) appears to have GREAT source port randomness and GREAT transaction ID randomness.
121.242.190.173 (dns-p1.tatacommunications.com) appears to have UNKNOWN source port randomness and UNKNOWN transaction ID randomness.
214.207.150.43 (f-dns-isp.t-ipnet.de) appears to have GREAT source port randomness and GREAT transaction ID randomness.
214.207.150.45 (f-dns-isp.t-ipnet.de) appears to have GREAT source port randomness and GREAT transaction ID randomness.
212.203.218.68 (dns2.office) appears to have GREAT source port randomness and GREAT transaction ID randomness.
214.207.148.4 appears to have GREAT source port randomness and GREAT transaction ID randomness.

Test time: 2013-03-28 14:55:40 UTC

Sources that sent less than 5 queries are listed as UNKNOWN


Post by maikcat » Thu Mar 28, 2013 6:54 pm

Code: Select all

C:\>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

  1   300 ms   321 ms   183 ms  10.8.0.1
  2   178 ms   386 ms   420 ms  home.router [192.168.0.1]

1st hop is openvpn server
2nd hop is openvpn server's gateway (your client's LAN is 10.49.0.0/24 right?)

where is the problem...?

Michael.


Post by rdrifter » Thu Mar 28, 2013 10:20 pm

the problem was when I try to connect to mydomain it's using the office gateway

>tracert mydomain.com

Tracing route to mydomain.com [xxx.xxx.xx.x]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms actsd01-eth6-XXXXXX [10.49.0.241]
2 1 ms 1 ms 1 ms port-static.xx.be [xx.xx.xx.xx]

the DNS leak test shows entries of office DNS.

DNS Resolver(s) Tested:

212.203.218.15 (dns1.office) appears to have GREAT source port randomness and GREAT transaction ID randomness.
121.242.190.173 (dns-p1.tatacommunications.com) appears to have UNKNOWN source port randomness and UNKNOWN transaction ID randomness.
214.207.150.43 (f-dns-isp.t-ipnet.de) appears to have GREAT source port randomness and GREAT transaction ID randomness.
214.207.150.45 (f-dns-isp.t-ipnet.de) appears to have GREAT source port randomness and GREAT transaction ID randomness.
212.203.218.68 (dns2.office) appears to have GREAT source port randomness and GREAT transaction ID randomness.
214.207.148.4 appears to have GREAT source port randomness and GREAT transaction ID randomness.

in the "netstat -nr" output my home server IP is having the office gateway.

Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.49.0.26 10.49.1.38 266
0.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 30
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 30
10.8.0.4 255.255.255.252 On-link 10.8.0.6 286
10.8.0.6 255.255.255.255 On-link 10.8.0.6 286
10.8.0.7 255.255.255.255 On-link 10.8.0.6 286
10.49.0.0 255.255.0.0 On-link 10.49.1.38 266
10.49.1.38 255.255.255.255 On-link 10.49.1.38 266
10.49.255.255 255.255.255.255 On-link 10.49.1.38 266
78.235.123.189 255.255.255.255 10.49.0.26 10.49.1.38 10

basically I don't know if these are correct or not. Is it the way it works?


Post by maikcat » Fri Mar 29, 2013 8:12 am

if 78.235.123.189 is :
a) the ip of your openvpn server and
b) the website you are trying to access

then YES openvpn's response is correct....

think about it,
when you connect to openvpn and redirect ALL traffic through the
tunnel, then how would your system reach the openvpn server itself?
via its tunnel?..

you need a static route for the openvpn server so traffic to the server keeps
going via your local router....

Michael.
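
The routing decision described in the last reply, as an added example that is not part of the original thread: longest-prefix matching over rows taken from the client route table posted above shows why 8.8.8.8 enters the tunnel while the server's own address, 78.235.123.189, leaves via the office gateway. The function names are illustrative.

```python
import ipaddress

# Rows copied from the client's "netstat -nr" output in this thread
# (Network Destination, Netmask, Gateway, Interface, Metric).
ROUTE_TABLE = """\
0.0.0.0          0.0.0.0          10.49.0.26  10.49.1.38  266
0.0.0.0          128.0.0.0        10.8.0.5    10.8.0.6     30
10.8.0.1         255.255.255.255  10.8.0.5    10.8.0.6     30
10.49.0.0        255.255.0.0      On-link     10.49.1.38  266
78.235.123.189   255.255.255.255  10.49.0.26  10.49.1.38   10
128.0.0.0        128.0.0.0        10.8.0.5    10.8.0.6     30
"""

TUNNEL_IF = "10.8.0.6"  # client tunnel address, from "ifconfig 10.8.0.6 10.8.0.5" in the PUSH_REPLY


def parse_routes(text):
    """Turn Windows route-table rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # headers, separators, persistent-route rows, blank lines
        dest, mask, gateway, iface, metric = fields
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}")
            routes.append((network, gateway, iface, int(metric)))
        except ValueError:
            continue  # five tokens, but not a route row
    return routes


def select_route(routes, destination):
    """Longest prefix wins; the metric only breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]), default=None)


def uses_tunnel(routes, destination, tunnel_if=TUNNEL_IF):
    """True when the selected route leaves through the VPN interface."""
    return select_route(routes, destination)[2] == tunnel_if


def tunnel_bypasses(routes, tunnel_if=TUNNEL_IF):
    """Gatewayed routes more specific than the two def1 /1 halves that avoid the tunnel."""
    return [str(net) for net, gw, iface, _ in routes
            if net.prefixlen > 1 and iface != tunnel_if and gw != "On-link"]


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for dst in ("8.8.8.8", "173.194.70.113", "78.235.123.189"):
        net, gw, iface, _ = select_route(routes, dst)
        path = "tunnel" if iface == TUNNEL_IF else "office LAN"
        print(f"{dst:15} -> {net} via {gw} ({path})")
```

The original 0.0.0.0/0 route with metric 266 is still present; the two /1 routes pushed by `redirect-gateway def1` override it by being more specific, and the /32 host route for the server overrides those in turn.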
