Internet routing


Post by jcrawfordor » Tue Aug 31, 2010 5:09 am

Hello,
I'm running OpenVPN as a server on a machine running Windows Home Server (largely equivalent to Server 2003), and clients running various levels of Windows 7 64-bit. The server is running stable OpenVPN with GUI, the clients are running 2.1 rc15 (due to the signed driver requirement in 64-bit Windows).

I want all traffic from the clients (including general internet traffic) to route through the VPN tunnel. In order to do so I have added

Code:

push "redirect-gateway def1"

to the configuration file. When a client connects, the log shows the following:

Code:

Mon Aug 30 23:05:02 2010 [RioGrande] Peer Connection Initiated with 76.105.236.118:1194
Mon Aug 30 23:05:03 2010 SENT CONTROL [RioGrande]: 'PUSH_REQUEST' (status=1)
Mon Aug 30 23:05:03 2010 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.4.4,route-gateway 192.168.1.20,ping 10,ping-restart 120,ifconfig 192.168.1.21 255.255.255.0'
Mon Aug 30 23:05:03 2010 OPTIONS IMPORT: timers and/or timeouts modified
Mon Aug 30 23:05:03 2010 OPTIONS IMPORT: --ifconfig/up options modified
Mon Aug 30 23:05:03 2010 OPTIONS IMPORT: route options modified
Mon Aug 30 23:05:03 2010 OPTIONS IMPORT: route-related options modified
Mon Aug 30 23:05:03 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Aug 30 23:05:03 2010 ROUTE default_gateway=129.138.223.254
Mon Aug 30 23:05:03 2010 TAP-WIN32 device [Client-TAP] opened: \\.\Global\{CA63FE1A-47A7-4F86-8D46-9DC2DC0529D1}.tap
Mon Aug 30 23:05:03 2010 TAP-Win32 Driver Version 9.4 
Mon Aug 30 23:05:03 2010 TAP-Win32 MTU=1500
Mon Aug 30 23:05:03 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.1.21/255.255.255.0 on interface {CA63FE1A-47A7-4F86-8D46-9DC2DC0529D1} [DHCP-serv: 192.168.1.0, lease-time: 31536000]
Mon Aug 30 23:05:03 2010 Successful ARP Flush on interface [40] {CA63FE1A-47A7-4F86-8D46-9DC2DC0529D1}
Mon Aug 30 23:05:08 2010 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Mon Aug 30 23:05:08 2010 C:\WINDOWS\system32\route.exe ADD 76.105.236.118 MASK 255.255.255.255 129.138.223.254
Mon Aug 30 23:05:08 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Mon Aug 30 23:05:08 2010 Route addition via IPAPI succeeded [adaptive]
Mon Aug 30 23:05:08 2010 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.1.20
Mon Aug 30 23:05:08 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Mon Aug 30 23:05:08 2010 Route addition via IPAPI succeeded [adaptive]
Mon Aug 30 23:05:08 2010 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.1.20
Mon Aug 30 23:05:08 2010 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Mon Aug 30 23:05:08 2010 Route addition via IPAPI succeeded [adaptive]
Mon Aug 30 23:05:08 2010 Initialization Sequence Completed

This shows the route add completing successfully.
When I examine the routing table, I see this at the top:

Code:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0          5.0.0.1     5.146.190.58   9256
          0.0.0.0          0.0.0.0   129.138.32.254    129.138.32.60     30
          0.0.0.0        128.0.0.0     192.168.1.20     192.168.1.21     30
          5.0.0.0        255.0.0.0         On-link      5.146.190.58   9256
     5.146.190.58  255.255.255.255         On-link      5.146.190.58   9256
    5.255.255.255  255.255.255.255         On-link      5.146.190.58   9256
   76.105.236.118  255.255.255.255   129.138.32.254    129.138.32.60     30

The client computers are not connecting to the internet through the VPN tunnel. They are instead using the direct connection. I think this is happening because the gateway is set to 192.168.1.20 (the server), which is not configured to behave as a gateway. Perhaps I'm simply bad at following the documentation, but I do not understand how to configure the server to function as a gateway.

It seems to me that it would work to set the gateway to 192.168.1.1, the gateway used on the remote network, but I do not know how to configure the server to do this.

Basically, it is very important for security reasons that all internet traffic go through the VPN tunnel. I would appreciate advice on the easiest way to achieve this. Sorry if I'm missing something I should have found.

Thanks!


Re: Internet routing

Post by krzee » Fri Sep 03, 2010 6:38 pm

You need to NAT the VPN subnet on the server.
http://www.windowsnetworking.com/articl ... ation.html for a guide on setting up NAT in Windows, or
http://www.nanodocumet.com/?p=14 for Windows XP

Not sure about your specific Windows, as I do not actually use Windows.

2.1.3 has a new TAP driver, and it is signed correctly for Windows :)

You probably don't want to be using 192.168.1.x for your VPN subnet.

Your server must also have IP forwarding enabled.
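
Added example, not written by either poster: a client-side check of the routing table quoted in the question, showing which gateway longest-prefix matching selects once the two def1 routes are installed, and whether anything other than the host route to the VPN server bypasses the tunnel. The table text is constructed from the rows in the post plus the 128.0.0.0/1 route that the log shows being added; the function names are hypothetical.

```python
import ipaddress

# Constructed input: the IPv4 rows quoted in the post, plus the 128.0.0.0/1
# row that the client log shows being added (it is not in the posted excerpt).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0          5.0.0.1     5.146.190.58   9256
          0.0.0.0          0.0.0.0   129.138.32.254    129.138.32.60     30
          0.0.0.0        128.0.0.0     192.168.1.20     192.168.1.21     30
          5.0.0.0        255.0.0.0         On-link      5.146.190.58   9256
   76.105.236.118  255.255.255.255   129.138.32.254    129.138.32.60     30
        128.0.0.0        128.0.0.0     192.168.1.20     192.168.1.21     30
"""

def parse_routes(text):
    """Parse `route print` IPv4 rows into (network, gateway, metric) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        try:
            dest, mask, gateway, _iface, metric = cols
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gateway, int(metric)))
        except ValueError:
            continue  # header, blank line, or a row that is not an IPv4 route
    return routes

def select_route(routes, destination):
    """Longest prefix wins; the lower metric breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]), default=None)

def audit_redirect(routes, vpn_gateway, server_ip):
    """Return findings if the def1 redirect is incomplete or bypassed."""
    findings = []
    server = ipaddress.ip_network(f"{server_ip}/32")
    for half in ("0.0.0.0/1", "128.0.0.0/1"):
        net = ipaddress.ip_network(half)
        if not any(n == net and gw == vpn_gateway for n, gw, _ in routes):
            findings.append(f"missing {half} via {vpn_gateway}")
    for net, gw, _ in routes:
        # Anything more specific than /1 that points at another gateway leaves
        # the tunnel; only the host route to the VPN server itself should.
        if net.prefixlen > 1 and gw not in (vpn_gateway, "On-link") and net != server:
            findings.append(f"{net} bypasses the tunnel via {gw}")
    return findings

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for dst in ("8.8.4.4", "198.51.100.7", "76.105.236.118"):
        print(dst, "->", select_route(table, dst)[1])
    print(audit_redirect(table, "192.168.1.20", "76.105.236.118") or "redirect complete")
```

An empty result only confirms that the client hands its traffic to 192.168.1.20; what happens to it afterwards depends on the forwarding and NAT configuration on the server that the reply above refers to.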
