Forward Traffic through VPN to Home Gateway

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
kcghost
OpenVpn Newbie
Posts: 3
Joined: Thu Sep 09, 2010 5:38 pm

Forward Traffic through VPN to Home Gateway

Post by kcghost » Thu Sep 09, 2010 7:32 pm

I have an Ubuntu OpenVPN server behind my router at home. Its configuration and the client's configuration are below. The router has port 1194 forwarded and makes use of DDNS so I don't have to keep track of the IP. The client is currently directly connecting to normal websites and for any 'local' IP it acts as if I'm on that network. I want ALL traffic forwarded through the VPN, so that when I check ipchicken it shows my home IP address. I tried the solution detailed here: http://www.openvpn.net/index.php/open-s ... l#redirect
but all traffic ceased to function - I don't think I am doing the iptables command correctly. How do I correctly forward the traffic from the VPN server to my home gateway?

Any help is greatly appreciated. I have tried several things that I cannot even keep track of and they have all led to more frustration.

Home GW: 192.168.1.1
VPN Server local ip: 192.168.1.124
Home domain name (DDNS) : kcghost.com (not actually)

client.ovpn

### Client configuration file for OpenVPN

# Specify that this is a client
client

# Bridge device setting
dev tap

# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote kcghost.com 1194

# Client does not need to bind to a specific local port
nobind


# Keep trying to resolve the host name of OpenVPN server.
## The Windows GUI seems to dislike the following rule.
## You may need to comment it out.
resolv-retry infinite

# Preserve state across restarts
persist-key
persist-tun

# SSL/TLS parameters - files created previously
ca ca.crt
cert client.crt
key client.key

# Since we specified the tls-auth for server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1

# Specify same cipher as server
cipher BF-CBC

# Use compression
comp-lzo

# Log verbosity (to help if there are problems)
verb 3

server.conf

mode server
tls-server

local 192.168.1.124
port 1194
proto udp

dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"

persist-key
persist-tun

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0

cipher BF-CBC
comp-lzo

ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.124 255.255.255.0 192.168.1.170 192.168.1.175
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN kcghost.com"
max-clients 5

user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3

up.sh

#!/bin/sh
# Called by OpenVPN as: up.sh br0 <tap dev> <tun mtu> <link mtu> ...
# $1 comes from server.conf ("br0"); the remaining args are appended by OpenVPN.

BR=$1
DEV=$2
MTU=$3
# Bring the tap device up in promiscuous mode and attach it to the bridge.
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV

down.sh

#!/bin/sh

BR=$1
DEV=$2

# Detach the tap device from the bridge and bring it down.
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down

interfaces

auto lo br0

iface lo inet loopback

iface br0 inet static
address 192.168.1.124
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports eth0

iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

NiQ
OpenVpn Newbie
Posts: 4
Joined: Thu Sep 09, 2010 8:26 pm

Re: Forward Traffic through VPN to Home Gateway

Post by NiQ » Thu Sep 09, 2010 9:34 pm

If you're gonna tunnel all Internet traffic through the VPN, make sure you exclude the VPN server's IP address, otherwise your system will attempt to send the VPN traffic through the VPN. That will (quite obviously) not work.

Since you're using a dynamic DNS service, you will need to run something like this before you modify your routing table to run all Internet traffic through the VPN (make sure it runs as root):

# Resolve the VPN server's current DDNS address and pin it to the physical
# uplink via the existing default gateway, so the tunnel's own packets are
# never sent into the tunnel.
GW=$(ip route show default | awk 'NR==1 {print $3}')
route add -host `host vpn.example.com | awk '{print $4}'` gw $GW dev eth0

Replace vpn.example.com with your VPN server's DNS name (your DDNS service) and eth0 with your normal Internet connection interface (not the VPN).

kcghost
OpenVpn Newbie
Posts: 3
Joined: Thu Sep 09, 2010 5:38 pm

Re: Forward Traffic through VPN to Home Gateway

Post by kcghost » Fri Sep 10, 2010 4:44 pm

Sorry I forgot to mention the client is a Windows XP machine running OpenVPN GUI. I'm looking for a solution that would only involve the config file on the client side and/or any routing commands/config on the linux server.

OpenVPN provides a command "redirect-gateway" which I believe makes the client treat the VPN server as a gateway to the internet. It excludes itself as you mentioned so there is no looping. However I think I discovered a bug that made this ordeal frustrating. redirect-gateway is supposed to pick up the arg from 'route-gateway', so I could specify:

route-gateway 192.168.1.1
redirect-gateway   # WITHOUT def1, important somehow

And everything should work properly. But it does not: 'route print' shows the gateway to be 192.168.1.124, the VPN server, not the gateway. An on-the-fly route command after the redirect-gateway fixes everything:

route change 0.0.0.0 MASK 0.0.0.0 192.168.1.1

There theoretically should be a way to do that command after the fact just by using the config as well - as it allows for routing and *any* shell commands after a routing delay, but it seems like redirect-gateway is always the last thing done or something, because this hasn't worked for me:

redirect-gateway
route-delay 30
route-up 'route change 0.0.0.0 MASK 0.0.0.0 192.168.1.1'

krzee
Forum Team
Posts: 728
Joined: Fri Aug 29, 2008 5:42 pm

Re: Forward Traffic through VPN to Home Gateway

Post by krzee » Mon Sep 13, 2010 5:53 am

kcghost wrote:There theoretically should be a way to do that command after the fact just by using the config as well - as it allows for routing and *any* shell commands after a routing delay, but it seems like redirect-gateway is always the last thing done or something, because this hasn't worked for me:

redirect-gateway
route-delay 30
route-up 'route change 0.0.0.0 MASK 0.0.0.0 192.168.1.1'

Script hooks such as --up normally run scripts, which then run commands.
However, in the manual it seems that --route-up can take shell commands...
Can you put the commands into a script and then:

route-up /path/to/script

See if that helps.

kcghost
OpenVpn Newbie
Posts: 3
Joined: Thu Sep 09, 2010 5:38 pm

Re: Forward Traffic through VPN to Home Gateway

Post by kcghost » Thu Sep 16, 2010 2:20 pm

You were right krzee, although it was not the only problem. It was not executing my 'route-up' command at all without 'script-security 2' set so that it allowed external programs to execute. However, for whatever reason it did not work just specifying the command there. My configuration now works great with a couple of extra parameters and a batch file; here it is for the benefit of anyone else with this problem:

end of 'client.ovpn':

script-security 2
redirect-gateway
route-up '.\route.bat'

'route.bat':

C:\WINDOWS\system32\route.exe change 0.0.0.0 MASK 0.0.0.0 192.168.1.1 IF 5

I added the "IF 5" at the end so that it would change the default gateway for the TAP interface only. When OpenVPN closes it reverts to the original gateway. The interface code list can be found by using 'route print'.
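Added example, not from any post in this thread: the same fix for a Linux client, written as an OpenVPN --route-up script. It does the two things the thread works out by hand: it pins the VPN server's address to the original uplink (NiQ's point, so tunnel packets never go into the tunnel) and then points the default route at the home LAN gateway instead of the bridge address (what kcghost's route.bat does with a hardcoded "IF 5"). It uses the environment variables OpenVPN exports to scripts ($dev, $trusted_ip, $route_net_gateway) rather than machine-specific values, and ip(8) instead of the route command. The home gateway 192.168.1.1 is the thread's; the script path, the HOME_GW override and the DRY_RUN switch are this example's own choices; 203.0.113.7 and 10.0.0.1 in the usage note are made-up test values.

```shell
#!/bin/sh
# Example route-up script for a Linux OpenVPN client (added example, not from the thread).
#
# client.ovpn would carry:
#   script-security 2
#   route-up /etc/openvpn/route-up.sh      # path is this example's choice
# and would NOT carry redirect-gateway, because this script replaces the default
# route itself.
#
# OpenVPN exports to the script:
#   $dev               the tap device (e.g. tap0)
#   $trusted_ip        the VPN server's public address, as actually connected to
#   $route_net_gateway the default gateway that existed before the tunnel came up
#
# HOME_GW is the LAN router behind the VPN server (192.168.1.1 in the thread).
# DRY_RUN=1 prints the ip(8) commands instead of executing them.

HOME_GW="${HOME_GW:-192.168.1.1}"

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Apply the routing change for one tunnel instance.  All inputs are arguments
# so the function can be exercised without OpenVPN present.
#   $1 tap device   $2 VPN server IP   $3 pre-VPN default gateway   $4 home LAN gateway
redirect_via_home_gateway() {
    dev="$1"; server="$2"; old_gw="$3"; home_gw="$4"

    # Refuse to proceed on missing input: a half-applied change would leave
    # the host with no working default route at all.
    for v in "$dev" "$server" "$old_gw" "$home_gw"; do
        [ -n "$v" ] || { echo "route-up: missing routing parameter" >&2; return 1; }
    done

    # 1. Pin the VPN server to the physical uplink via the old default gateway.
    #    Without this, step 2 would send the encrypted tunnel traffic into the tunnel.
    run ip route replace "$server/32" via "$old_gw"

    # 2. Send everything else to the home LAN router through the bridged tap device.
    #    The server-bridge address (192.168.1.124 in the thread) is deliberately not
    #    used as next hop: the bridge behaves like a switch, the home router is the gateway.
    run ip route replace default via "$home_gw" dev "$dev"
}

# When OpenVPN invokes the script, these variables are in the environment.
if [ -n "$dev" ] && [ -n "$trusted_ip" ] && [ -n "$route_net_gateway" ]; then
    redirect_via_home_gateway "$dev" "$trusted_ip" "$route_net_gateway" "$HOME_GW"
fi
```

To see exactly what would be applied without touching the routing table, source the script and call the function with dry-run set, e.g. `DRY_RUN=1; . ./route-up.sh; redirect_via_home_gateway tap0 203.0.113.7 10.0.0.1 192.168.1.1`, which prints the two ip route commands. Two caveats: OpenVPN only removes routes it added itself, so a matching --down script (restoring the default route via $route_net_gateway and deleting the /32) is needed to undo this on disconnect; and because the script replaces the whole default route rather than using def1-style halves, a tunnel that drops without the down script running leaves the host with a dead default route until it is repaired by hand.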
