Not routing through openvpn connection
Posted: Thu Mar 21, 2013 2:58 pm
by rdrifter
I set up an OpenVPN server on a Debian Squeeze system, and when I connect to it from my office LAN everything seems to be OK.
But when I connect to my domain it is not working. I did a tracert for my domain and for Google; for Google it's taking the correct path, as it's using the OpenVPN gateway.
>tracert google.com
Tracing route to google.com [173.194.70.113]
over a maximum of 30 hops:
1 25 ms 23 ms 25 ms 10.8.0.1
2 27 ms 26 ms 25 ms speedport.ip [192.168.0.1]
But when I do the same for my domain it's using the office internet.
>tracert mydomain.com
Tracing route to mydomain.com [xxx.xxx.xx.x]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms actsd01-eth6-XXXXXX [10.49.0.241]
2 1 ms 1 ms 1 ms port-static.xx.be [xx.xx.xx.xx]
Please help me to troubleshoot this.
Re: Not routing through openvpn connection
Posted: Thu Mar 21, 2013 3:12 pm
by maikcat
Post configs, a simple diagram of your network, what OS is used, etc.
Michael.
Re: Not routing through openvpn connection
Posted: Thu Mar 21, 2013 3:28 pm
by rdrifter
Server OS is Debian 6 and client is Windows 7.
server.conf
port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
max-clients 1
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"
client.conf
client
dev tun
proto tcp
remote mydomain.com 80
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
ns-cert-type server
comp-lzo
verb 3
Please note that mydomain.com is pointing to the same system where OpenVPN is installed.
Re: Not routing through openvpn connection
Posted: Fri Mar 22, 2013 8:45 am
by maikcat
hi there,
first remove these from your server config:
push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"
can you post the output of:
iptables -L -t nat -v
on your openvpn server and
netstat -nr
on your client after you connect.
Michael.
Re: Not routing through openvpn connection
Posted: Thu Mar 28, 2013 2:31 pm
by rdrifter
The below lines are removed from server.conf, but if I remove these lines I don't get any gateway on my client.
push "route-metric 512"
push "route 0.0.0.0 0.0.0.0"
Output of the "iptables -L -t nat -v" command from the server:
# iptables -L -t nat -v
Chain PREROUTING (policy ACCEPT 58344 packets, 5870K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 28488 packets, 1816K bytes)
pkts bytes target prot opt in out source destination
5626 305K MASQUERADE all -- any eth0 10.8.0.0/24 anywhere
Chain OUTPUT (policy ACCEPT 9035 packets, 961K bytes)
pkts bytes target prot opt in out source destination
Output of the "netstat -nr" command from the server:
# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
Re: Not routing through openvpn connection
Posted: Thu Mar 28, 2013 2:38 pm
by maikcat
hi there,
your server config has:
so your client should get new default gateway..
can you post the output of:
iptables -L -t nat -v
on your openvpn server and
netstat -nr
on your client after you connect.
output of iptables ...ok
output of netstat -nr on CLIENT...?? (after vpn is up).
please also post log from client.
regards
Michael.
Re: Not routing through openvpn connection
Posted: Thu Mar 28, 2013 2:53 pm
by rdrifter
But unfortunately I am not getting a default gateway after removing those lines.
Here is the netstat -nr output from the client system. 10.8.0.0 is OpenVPN and 10.49.0.0 is the office internal IP.
The 10th line under IPv4 is the IP address of my home server, but the gateway for that is the office gateway; I am not sure if it's correct or not.
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.49.0.26 10.49.1.38 266
0.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 30
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 30
10.8.0.4 255.255.255.252 On-link 10.8.0.6 286
10.8.0.6 255.255.255.255 On-link 10.8.0.6 286
10.8.0.7 255.255.255.255 On-link 10.8.0.6 286
10.49.0.0 255.255.0.0 On-link 10.49.1.38 266
10.49.1.38 255.255.255.255 On-link 10.49.1.38 266
10.49.255.255 255.255.255.255 On-link 10.49.1.38 266
78.235.123.189 255.255.255.255 10.49.0.26 10.49.1.38 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
128.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 30
169.254.0.0 255.255.0.0 On-link 10.49.1.38 306
169.254.0.0 255.255.0.0 On-link 10.8.0.6 306
169.254.255.255 255.255.255.255 On-link 10.49.1.38 266
169.254.255.255 255.255.255.255 On-link 10.8.0.6 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.49.1.38 266
224.0.0.0 240.0.0.0 On-link 10.8.0.6 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.49.1.38 266
255.255.255.255 255.255.255.255 On-link 10.8.0.6 286
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.49.0.26 Default
===========================================================================
Re: Not routing through openvpn connection
Posted: Thu Mar 28, 2013 2:58 pm
by maikcat
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.49.0.26 10.49.1.38 266
0.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 30
yes you DO get default gateway...
please read about the def1 statement...
can you do a tracert to 8.8.8.8 and post the output here?
Michael.
Re: Not routing through openvpn connection
Posted: Thu Mar 28, 2013 3:05 pm
by rdrifter
Here is the client.log:
Thu Mar 28 15:05:11 2013 OpenVPN 2.3.0 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Mar 7 2013
Enter Management Password:
Thu Mar 28 15:05:11 2013 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Thu Mar 28 15:05:11 2013 Need hold release from management interface, waiting...
Thu Mar 28 15:05:12 2013 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Thu Mar 28 15:05:12 2013 MANAGEMENT: CMD 'state on'
Thu Mar 28 15:05:12 2013 MANAGEMENT: CMD 'log all on'
Thu Mar 28 15:05:12 2013 MANAGEMENT: CMD 'hold off'
Thu Mar 28 15:05:12 2013 MANAGEMENT: CMD 'hold release'
Thu Mar 28 15:05:12 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu Mar 28 15:05:12 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Mar 28 15:05:12 2013 MANAGEMENT: >STATE:1364479512,RESOLVE,,,
Thu Mar 28 15:05:12 2013 Attempting to establish TCP connection with [AF_INET]78.235.123.189:80
Thu Mar 28 15:05:12 2013 MANAGEMENT: >STATE:1364479512,TCP_CONNECT,,,
Thu Mar 28 15:05:12 2013 TCP connection established with [AF_INET]78.235.123.189:80
Thu Mar 28 15:05:12 2013 TCPv4_CLIENT link local: [undef]
Thu Mar 28 15:05:12 2013 TCPv4_CLIENT link remote: [AF_INET]78.235.123.189:80
Thu Mar 28 15:05:12 2013 MANAGEMENT: >STATE:1364479512,WAIT,,,
Thu Mar 28 15:05:13 2013 MANAGEMENT: >STATE:1364479513,AUTH,,,
Thu Mar 28 15:05:13 2013 TLS: Initial packet from [AF_INET]78.235.123.189:80, sid=a435ab18 7d983f32
Thu Mar 28 15:05:13 2013 VERIFY OK: depth=1, C=DE, ST=SH, L=Hamburg, O=XXX-XXXX, CN=XXX-XXXX CA, emailAddress=my.email.address
Thu Mar 28 15:05:13 2013 VERIFY OK: nsCertType=SERVER
Thu Mar 28 15:05:13 2013 VERIFY OK: depth=0, C=DE, ST=SH, L=Hamburg, O=XXX-XXXX, CN=xxxxxx, emailAddress=my.email.address
Thu Mar 28 15:05:14 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 28 15:05:14 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 28 15:05:14 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 28 15:05:14 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 28 15:05:14 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Mar 28 15:05:14 2013 [xxxxxx] Peer Connection Initiated with [AF_INET]78.235.123.189:80
Thu Mar 28 15:05:16 2013 MANAGEMENT: >STATE:1364479516,GET_CONFIG,,,
Thu Mar 28 15:05:17 2013 SENT CONTROL [xxxxxx]: 'PUSH_REQUEST' (status=1)
Thu Mar 28 15:05:17 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Thu Mar 28 15:05:17 2013 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar 28 15:05:17 2013 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar 28 15:05:17 2013 OPTIONS IMPORT: route options modified
Thu Mar 28 15:05:17 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Mar 28 15:05:17 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Mar 28 15:05:17 2013 MANAGEMENT: >STATE:1364479517,ASSIGN_IP,,10.8.0.6,
Thu Mar 28 15:05:17 2013 open_tun, tt->ipv6=0
Thu Mar 28 15:05:17 2013 TAP-WIN32 device [xxxxxx] opened: \\.\Global\{4A5C54D3-89FE-4172-B027-48FBBAA09BFC}.tap
Thu Mar 28 15:05:17 2013 TAP-Windows Driver Version 9.9
Thu Mar 28 15:05:17 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {4A5C54D3-89FE-4172-B027-48FBBAA09BFC} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Thu Mar 28 15:05:17 2013 Successful ARP Flush on interface [40] {4A5C54D3-89FE-4172-B027-48FBBAA09BFC}
Thu Mar 28 15:05:22 2013 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Thu Mar 28 15:05:22 2013 Route: Waiting for TUN/TAP interface to come up...
Thu Mar 28 15:05:27 2013 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Thu Mar 28 15:05:27 2013 C:\Windows\system32\route.exe ADD 78.235.123.189 MASK 255.255.255.255 10.49.0.26
Thu Mar 28 15:05:27 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=10 and dwForwardType=4
Thu Mar 28 15:05:27 2013 Route addition via IPAPI succeeded [adaptive]
Thu Mar 28 15:05:27 2013 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Thu Mar 28 15:05:27 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 28 15:05:27 2013 Route addition via IPAPI succeeded [adaptive]
Thu Mar 28 15:05:27 2013 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Thu Mar 28 15:05:27 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 28 15:05:27 2013 Route addition via IPAPI succeeded [adaptive]
Thu Mar 28 15:05:27 2013 MANAGEMENT: >STATE:1364479527,ADD_ROUTES,,,
Thu Mar 28 15:05:27 2013 C:\Windows\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Thu Mar 28 15:05:27 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 28 15:05:27 2013 Route addition via IPAPI succeeded [adaptive]
Thu Mar 28 15:05:27 2013 Initialization Sequence Completed
Thu Mar 28 15:05:27 2013 MANAGEMENT: >STATE:1364479527,CONNECTED,SUCCESS,10.8.0.6,78.235.123.189
Re: Not routing through openvpn connection
Posted: Thu Mar 28, 2013 3:11 pm
by rdrifter
C:\>tracert 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 300 ms 321 ms 183 ms 10.8.0.1
2 178 ms 386 ms 420 ms home.router [192.168.0.1]
3 275 ms 385 ms 273 ms 217.0.119.35
4 149 ms 147 ms 152 ms 217.0.65.210
5 133 ms 269 ms 139 ms f-ed6-i.F.DE.NET.DTAG.DE [62.156.131.250]
6 446 ms 169 ms 337 ms 80.150.169.118
7 136 ms 129 ms 133 ms 209.85.248.12
8 123 ms 163 ms 158 ms 72.14.239.60
9 96 ms 92 ms 106 ms 209.85.254.114
10 * * * Request timed out.
11 116 ms 123 ms 137 ms google-public-dns-a.google.com [8.8.8.8]
Trace complete.
C:\>
Re: Not routing through openvpn connection
Posted: Thu Mar 28, 2013 3:25 pm
by rdrifter
This is the result of the DNS test from
https://www.dns-oarc.net/oarc/services/dnsentropy
DNS Resolver(s) Tested:
212.203.218.15 (dns1.office) appears to have GREAT source port randomness and GREAT transaction ID randomness.
121.242.190.173 (dns-p1.tatacommunications.com) appears to have UNKNOWN source port randomness and UNKNOWN transaction ID randomness.
214.207.150.43 (f-dns-isp.t-ipnet.de) appears to have GREAT source port randomness and GREAT transaction ID randomness.
214.207.150.45 (f-dns-isp.t-ipnet.de) appears to have GREAT source port randomness and GREAT transaction ID randomness.
212.203.218.68 (dns2.office) appears to have GREAT source port randomness and GREAT transaction ID randomness.
214.207.148.4 appears to have GREAT source port randomness and GREAT transaction ID randomness.
Test time: 2013-03-28 14:55:40 UTC
Sources that sent less than 5 queries are listed as UNKNOWN
Re: Not routing through openvpn connection
Posted: Thu Mar 28, 2013 6:54 pm
by maikcat
C:\>tracert 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 300 ms 321 ms 183 ms 10.8.0.1
2 178 ms 386 ms 420 ms home.router [192.168.0.1]
1st hop is the OpenVPN server.
2nd hop is the OpenVPN server's gateway (your client's LAN is 10.49.0.0/24, right?).
Where is the problem...?
Michael.
Re: Not routing through openvpn connection
Posted: Thu Mar 28, 2013 10:20 pm
by rdrifter
The problem was that when I try to connect to mydomain it's using the office gateway:
>tracert mydomain.com
Tracing route to mydomain.com [xxx.xxx.xx.x]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms actsd01-eth6-XXXXXX [10.49.0.241]
2 1 ms 1 ms 1 ms port-static.xx.be [xx.xx.xx.xx]
The DNS leak test shows entries of the office DNS:
DNS Resolver(s) Tested:
212.203.218.15 (dns1.office) appears to have GREAT source port randomness and GREAT transaction ID randomness.
121.242.190.173 (dns-p1.tatacommunications.com) appears to have UNKNOWN source port randomness and UNKNOWN transaction ID randomness.
214.207.150.43 (f-dns-isp.t-ipnet.de) appears to have GREAT source port randomness and GREAT transaction ID randomness.
214.207.150.45 (f-dns-isp.t-ipnet.de) appears to have GREAT source port randomness and GREAT transaction ID randomness.
212.203.218.68 (dns2.office) appears to have GREAT source port randomness and GREAT transaction ID randomness.
214.207.148.4 appears to have GREAT source port randomness and GREAT transaction ID randomness.
In the "netstat -nr" output my home server IP has the office gateway:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.49.0.26 10.49.1.38 266
0.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 30
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 30
10.8.0.4 255.255.255.252 On-link 10.8.0.6 286
10.8.0.6 255.255.255.255 On-link 10.8.0.6 286
10.8.0.7 255.255.255.255 On-link 10.8.0.6 286
10.49.0.0 255.255.0.0 On-link 10.49.1.38 266
10.49.1.38 255.255.255.255 On-link 10.49.1.38 266
10.49.255.255 255.255.255.255 On-link 10.49.1.38 266
78.235.123.189 255.255.255.255 10.49.0.26 10.49.1.38 10
Basically I don't know if these are correct or not. Is it the way it works?
Re: Not routing through openvpn connection
Posted: Fri Mar 29, 2013 8:12 am
by maikcat
If 78.235.123.189 is:
a) the IP of your OpenVPN server and
b) the website you are trying to access,
then YES, OpenVPN's response is correct....
Think about it:
when you connect to OpenVPN and redirect ALL traffic through the
tunnel, then how would your system reach the OpenVPN server itself?
Via its tunnel?..
You need a static route for the OpenVPN server so traffic to the server keeps
going via your local router....
Michael.
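The routing point made in the last reply (and the earlier "read about the def1 statement" hint) can be checked directly against the client route table rdrifter posted. The script below is an added example, not code from this thread or from OpenVPN: it does the longest-prefix-match lookup Windows performs (longest netmask first, lowest metric on a tie) over a table constructed from the posted netstat -nr output, and shows why 8.8.8.8 takes the tunnel via the two def1 half-routes while 78.235.123.189 (the VPN server itself) keeps the office gateway through the /32 host route OpenVPN added. It also shows what the lookup would give if that host route were missing: the server's own address would resolve to the tunnel gateway, which is the loop maikcat describes. The server address and gateways are the ones from the posted table; nothing else is assumed.

```python
"""Longest-prefix lookup over a Windows IPv4 route table (added example).

Not part of the forum thread or of OpenVPN. ROUTE_TABLE is constructed from
the client route table posted in the thread (the routes relevant to the
question), so the script runs offline.
"""
import ipaddress

# Constructed from the posted "netstat -nr" output:
# destination, netmask, gateway, interface, metric.
ROUTE_TABLE = """\
0.0.0.0 0.0.0.0 10.49.0.26 10.49.1.38 266
0.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 30
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 30
10.8.0.4 255.255.255.252 On-link 10.8.0.6 286
10.49.0.0 255.255.0.0 On-link 10.49.1.38 266
78.235.123.189 255.255.255.255 10.49.0.26 10.49.1.38 10
128.0.0.0 128.0.0.0 10.8.0.5 10.8.0.6 30
"""

VPN_SERVER = "78.235.123.189"  # from the posted client log / route table


def parse_routes(text):
    """Turn route-table lines into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers or separators
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def lookup(routes, dest):
    """Return (gateway, interface) for dest: longest prefix wins, then lowest metric."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]


def without_host_route(routes, server_ip):
    """Route table as it would look if OpenVPN had not added the /32 to the server."""
    server_net = ipaddress.IPv4Network(f"{server_ip}/32")
    return [r for r in routes if r[0] != server_net]


def explain(routes, dest):
    """Human-readable one-liner for a lookup result."""
    hit = lookup(routes, dest)
    if hit is None:
        return f"{dest}: no route"
    gateway, iface = hit
    via = "on-link" if gateway == "On-link" else f"via {gateway}"
    return f"{dest}: {via} out of {iface}"


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for target in ("8.8.8.8", "200.1.2.3", "10.8.0.1", "10.49.7.7", VPN_SERVER):
        print(explain(routes, target))
    # Without the /32 host route the server address would itself be sent
    # into the tunnel, which is why def1 needs that route to exist.
    print("without host route:", explain(without_host_route(routes, VPN_SERVER), VPN_SERVER))
```

The two /1 routes (0.0.0.0/1 and 128.0.0.0/1) are what def1 installs: they are more specific than the office 0.0.0.0/0 default, so they win without the original default having to be deleted. The /32 to the server is more specific still, which is exactly why the server's own address, and therefore a website hosted on that same IP, stays on the office gateway.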