Problem using redirect-gateway

wckong
OpenVpn Newbie
Posts: 2
Joined: Fri Aug 21, 2009 5:36 am

Problem using redirect-gateway

Post by wckong » Fri Aug 21, 2009 5:59 am

Hi,

I have successfully installed and configured OpenVPN on Debian using the configuration listed below. I am running the client on a Windows Vista x64 machine. If I do not use redirect-gateway, I can ping the server at 10.8.0.1; however, internet traffic is not routed through the VPN. When I use redirect-gateway, however, I can no longer ping the server (nor any web address), and all internet access ceases to operate. I had, by chance, managed to get it to work once, but since I was manually playing with the "route add..." command, the settings were lost when I rebooted, and since then I have not been able to replicate the solution.

The purpose of this setup is so I can connect to the VPN and use the internet via the VPN.

If it is of any help, I have tried to monitor the tunnel device (tun0 in Linux, and TAP-Win32 Adapter V9 on Windows) using tcpdump on Linux and windump on Windows. When I try to ping the server, I do see the packets on the Windows side, but they do not appear on my server side (with redirect-gateway). Without redirect-gateway, pinging the server results in the packet showing up on both the client side and Windows side.

Any help is greatly appreciated. TIA.

Code: Select all

## Server configuration
tls-server
mode server
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
crl-verify /etc/openvpn/keys/crl.pem
client-config-dir /etc/openvpn/clients-configs

Code: Select all

## Client configuration
pull
client
dev tun
dev-node OpenVPN
proto udp
remote myserver.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ./pandora.vpn-keys/ca.crt
cert ./pandora.vpn-keys/wckong.crt
key ./pandora.vpn-keys/wckong.key
ns-cert-type server
tls-auth ./pandora.vpn-keys/ta.key 1
comp-lzo
cipher DES-EDE3-CBC  # Triple-DES
verb 3
# redirect-gateway def1

Code: Select all

## IPTables startup script
iptables -F
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT
iptables -t nat -F
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 94.23.154.95

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: Problem using redirect-gateway

Post by Douglas » Fri Aug 21, 2009 11:42 am

What version of openvpn are you running and what does cat /proc/sys/net/ipv4/ip_forward return?

wckong
OpenVpn Newbie
Posts: 2
Joined: Fri Aug 21, 2009 5:36 am

Re: Problem using redirect-gateway

Post by wckong » Fri Aug 21, 2009 11:52 am

On the server side, it's OpenVPN 2.1_rc11 i486-pc-linux-gnu, and ip_forward returns 1.

On the client end, OpenVPN 2.1_rc19 i686-pc-mingw32.

ecrist
Forum Team
Posts: 237
Joined: Wed Nov 26, 2008 10:33 pm
Location: Northern Minnesota, USA

Re: Problem using redirect-gateway

Post by ecrist » Mon Aug 31, 2009 12:46 pm

Topic Moved to the Configuration Sub-Forum
OpenVPN Community Administrator
IRC: #openvpn, #openvpn-devel
Co-Author of Mastering OpenVPN
Author of Troubleshooting OpenVPN

bren
OpenVpn Newbie
Posts: 1
Joined: Mon Jan 11, 2010 12:11 am

Re: Problem using redirect-gateway

Post by bren » Mon Jan 11, 2010 12:20 am

I seem to be having the same problem as wckong.

I want to route all internet traffic through my OpenVPN server.

If I do not use redirect-gateway, I can ping the server at 10.8.0.1, however internet traffic is not routed through the VPN. However when I use redirect-gateway, I no longer can ping the server (nor any web address), and all internet access ceases to operate.

192.168.101.0 is my local network

client netstat -nr

Code: Select all

0/1                10.8.0.5           UGSc            3        0    tun0
default            192.168.101.1      UGSc            5        0     en1
10.8/24            10.8.0.1           UGSc            0        0    tun0
10.8.0.5           10.8.0.6           UH              5        0    tun0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              2    24370     lo0
128.0/1            10.8.0.5           UGSc            1        0    tun0
169.254            link#5             UCS             0        0     en1
_SERVER_IP/32  192.168.101.1      UGSc            1        0     en1
192.168.101        link#5             UCS             4        0     en1
192.168.101.1      0:3:52:7:14:1a     UHLWI           2        5     en1   1196
192.168.101.153    127.0.0.1          UHS             2      918     lo0
192.168.101.255    ff:ff:ff:ff:ff:ff  UHLWbI          1        3     en1


Server config:

Code: Select all

dev tun
proto tcp
port 1194

ca      /etc/openvpn/easy-rsa/keys/ca.crt
cert    /etc/openvpn/easy-rsa/keys/server.crt
key     /etc/openvpn/easy-rsa/keys/server.key
dh      /etc/openvpn/easy-rsa/keys/dh1024.pem

user nobody
group nogroup
server 10.8.0.0 255.255.255.0

persist-key
persist-tun

client-to-client
push "redirect-gateway def1"

log-append vpn.log
verb 5
comp-lzo

iptables -t nat

Code: Select all

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  10.8.0.0/24          anywhere            to:_STATIC_IP_

viscosity config

Code: Select all

#-- Config Auto Generated By Viscosity --#
#viscosity startonopen false
#viscosity dhcp true
#viscosity dnssupport true
#viscosity name Seattle
remote _SERVER_IP_ 1194
persist-key
tls-client
proto tcp-client
ca ca.crt
dev tun
persist-tun
cert cert.crt
comp-lzo
nobind
key key.key
pull
route 10.8.0.0 255.255.255.0 10.8.0.1 default
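
Added example (not part of the original thread or written by any poster): a Python check that expands the BSD-style destinations from the client netstat -nr output above and does a longest-prefix lookup, showing which interface each destination would use once redirect-gateway def1 is applied. 203.0.113.10 is a constructed stand-in for the redacted _SERVER_IP, and the table is reduced to destination, gateway and interface.

```python
import ipaddress

# Routes from the netstat -nr output above: destination, gateway, interface.
# 203.0.113.10 is a constructed stand-in for the redacted _SERVER_IP.
ROUTES = """\
0/1 10.8.0.5 tun0
default 192.168.101.1 en1
10.8/24 10.8.0.1 tun0
10.8.0.5 10.8.0.6 tun0
127 127.0.0.1 lo0
128.0/1 10.8.0.5 tun0
203.0.113.10/32 192.168.101.1 en1
192.168.101 link#5 en1
"""

def parse_dest(dest):
    """Expand a BSD netstat destination such as '10.8/24' or '127'."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, bits = dest.partition("/")
    octets = addr.split(".")
    if not bits:
        if len(octets) == 4:
            bits = "32"          # full address with no mask: host route
        else:                    # assumption: omitted mask means the classful mask
            first = int(octets[0])
            bits = "8" if first < 128 else "16" if first < 192 else "24"
    octets += ["0"] * (4 - len(octets))   # netstat drops trailing zero octets
    return ipaddress.ip_network(".".join(octets) + "/" + bits)

def load(text):
    rows = (line.split() for line in text.splitlines())
    return [(parse_dest(d), gw, iface) for d, gw, iface in rows]

def lookup(table, ip):
    """Longest-prefix match: return (network, gateway, interface)."""
    ip = ipaddress.ip_address(ip)
    return max((r for r in table if ip in r[0]), key=lambda r: r[0].prefixlen)

def tunnel_coverage(table, vpn_if="tun0"):
    """True when both def1 halves (0/1 and 128/1) point at the tunnel."""
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    return halves <= {net for net, _, iface in table if iface == vpn_if}

if __name__ == "__main__":
    table = load(ROUTES)
    for ip in ("8.8.8.8", "198.51.100.7", "203.0.113.10", "10.8.0.1", "192.168.101.20"):
        print(ip, "->", lookup(table, ip)[2])
    print("def1 halves on tun0:", tunnel_coverage(table))
```

The two /1 routes outrank the untouched default route by prefix length, while the /32 host route keeps the encrypted packets to the VPN server on the physical interface.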
