Addressing and DNS problems

Posted: Tue Apr 05, 2011 8:02 am
by kiwijuice
Hi everybody,

First, sorry for my poor English, I'm French.

Server CONFIG:
I installed OpenVPN server 2.1.3-2 on a Debian Squeeze.
This machine is also a router directly connected to the WAN in 193.X.X.X.
My private network is 192.168.10.0/24.
Routing is ON.

Config file:

Code:

port 1194
proto udp
dev tun

ca /etc/openvpn/2.0/keys/ca.crt
cert /etc/openvpn/2.0/keys/server.crt
key /etc/openvpn/2.0/keys/server.key
dh /etc/openvpn/2.0/keys/dh1024.pem
tls-auth /etc/openvpn/2.0/keys/ta.key 0

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"

keepalive 10 120

cipher BF-CBC
comp-lzo
max-clients 2

user nobody
group nogroup
persist-key
persist-tun

status openvpn-status.log
verb 3
mute 20

Client CONFIG:
My client machine is connected in a private network in 172.31.33.0/24.
On the router this machine is behind, port 1194 is open.

Config file:

Code:

client
dev tun
proto udp

remote 193.XX.XX.XX 1194

resolv-retry infinite
nobind

user nobody
group nogroup
persist-key
persist-tun

mute-replay-warnings

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/***.crt
key /etc/openvpn/keys/***.key

ns-cert-type server
tls-auth /etc/openvpn/keys/ta.key 1

cipher BF-CBC
comp-lzo

verb 3
mute 20

So, my question:
When I start the server daemon and run ifconfig, I can see the tun0 interface, which has IP 10.8.0.1.
I understood that OpenVPN's DHCP makes "subnets" in /30 (255.255.255.252).
That means that for a first PPTP client connection, the network address is 10.8.0.0, the server's IP 10.8.0.1, the client's IP 10.8.0.2 and the broadcast address 10.8.0.3.
For a second connection, the network address will be 10.8.0.4, server 10.8.0.5, client 10.8.0.6 and broadcast 10.8.0.7... Is that OK?

My problem is that when I now start the client daemon, the IP which is assigned is 10.8.0.6 (so the client's IP of the second subnet) and for this reason the gateway is 10.8.0.5 (the server's IP of this subnet).
That's because I put this line in server.ovpn:

Code:

push "redirect-gateway def1 bypass-dhcp"

With this configuration, I can ping 10.8.0.1 from 10.8.0.6; everything works great, except the client gateway (so there's no internet on the VPN connection).

I tried to configure an XP client or a Debian client; I have the same problem.
On XP:

Code:

ipconfig /all

tells me that the gateway and the DHCP server are 10.8.0.5.

Could anyone help me please?

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 8:21 am
by maikcat
hi there,

to clear things up,
OpenVPN is an SSL-based VPN and has nothing to do with PPTP...

to the point now,

the subnetting stuff you mention is correct,
you don't have internet because your router (inside the VPN network) doesn't know
about your VPN subnet..

there are 2 solutions

1) you use NAT on Debian for traffic originating from the VPN tunnel
2) you add a static route for the VPN subnet on your router.

cheers,

michael.

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 8:42 am
by kiwijuice
Hi, thanks for your answer.

I talk about PPTP because that's what appears on the Linux client or server when I run ifconfig (in the tun0 description).

If the "subnetting stuff is correct", the OpenVPN server should give the IP 10.8.0.2 to my client, and then there should not be any gateway problem on the client: the server's IP corresponding to 10.8.0.2 is 10.8.0.1...

Right now, the gateway that the server gives to the client (10.8.0.5) doesn't exist; I can't ping it.
I want:

- That the server gives my client the IP 10.8.0.2 instead of 10.8.0.6
- And the gateway 10.8.0.1 instead of 10.8.0.5

> 1) you use NAT on Debian for traffic originating from the VPN tunnel

I forgot to mention that routing is ON on the client too. Is that what you mean?

And I also forgot to mention that I use OpenVPN in router mode, not bridge mode.

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 8:57 am
by janjust
> I talk about PPTP because that's what appears on the Linux client or server when I run ifconfig (in the tun0 description).

A "default" tun setup creates a Linux tunnel device, which is indeed a kernel point-to-point interface. It's easy to confuse this with PPTP (note the extra P), which is an entirely different VPN protocol.

> I want:
>
> - That the server gives my client the IP 10.8.0.2 instead of 10.8.0.6
> - And the gateway 10.8.0.1 instead of 10.8.0.5

Add

Code:

topology subnet

to your server config and restart.

The client does not need to have routing enabled, but your server-side LAN needs to know where to send replies when VPN traffic comes in. One way to do this is to use masquerading on the server:

Code:

iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

Another option is to add an extra route on the server-side GW/router to ensure that all replies to VPN traffic are sent to the VPN server.

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 9:27 am
by kiwijuice
Thanks.

> Add
> Code:
> topology subnet
> to your server config and restart.

I tried that, and now my client has the IP 10.8.0.4... This is less normal than before; this is the IP of the second subnet :D .
That's what ifconfig tells me (I tried first only on the server, then on server and client):

BEFORE changing, on client:
inet adr :10.8.0.6 P-t-P : 10.8.0.5
AFTER :
inet adr : 10.8.0.4 P-t-P : 10.8.0.4
BEFORE changing, on server:
inet adr :10.8.0.1 P-t-P : 10.8.0.2
AFTER :
inet adr : 10.8.0.1 P-t-P : 10.8.0.1
:?

> The client does not need to have routing enabled,

Doesn't Debian need that to route between eth0 and tun0?

> but your server-side LAN needs to know where to send replies when VPN traffic comes in. One way to do this is to use masquerading on the server

Thanks for the tip. (There's actually no machine on the server LAN; it's a LAN for testing. What I want for the moment is to configure the client to route internet traffic over the VPN connection.)

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 9:48 am
by janjust
remove the line

Code:

ifconfig-pool-persist ipp.txt

from the server config file; otherwise just delete the 'ipp.txt' file and restart the server.

IMHO the 'ifconfig-pool-persist' option is used far too often.

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 9:54 am
by kiwijuice
I emptied it just before; that's not the problem. But I will remove this line.
Another idea?

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 10:04 am
by janjust
what happens when the first client connects? what is shown in the server log file? the first client should be assigned the address 10.8.0.2 after a restart of the openvpn server.

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 11:37 am
by kiwijuice
So:

1° I rebooted client and server
2° Connected the client
3° Looked at /etc/openvpn/openvpn-status.log and saw that the last entry was from my tests last Friday, so I rm -Rf'd the file so it would be recreated.
4° I reconnected the client: nothing appears in openvpn-status.log
5° Looked in /var/log/daemon.log and saw these lines:

Code:

Apr  5 13:19:43 openvpn openvpn[2004]: MULTI: Learn: 10.8.0.4 -> client1/193.XX.XX.XX:44710
Apr  5 13:19:43 openvpn openvpn[2004]: MULTI: primary virtual IP for client1/193.XX.XX.XX:44710: 10.8.0.4
Apr  5 13:19:45 openvpn openvpn[2004]: client1/193.XX.XX.XX:44710 PUSH: Received control message: 'PUSH_REQUEST'
Apr  5 13:19:45 openvpn openvpn[2004]: client1/193.XX.XX.XX:44710 SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0' (status=1)

6° "route" on the client:

Code:

openvpn.local   193.50.49.1     255.255.255.255 UGH   0      0        0 eth0
193.50.49.0     *               255.255.255.0   U     1      0        0 eth0
10.8.0.0        *               255.255.255.0   U     0      0        0 tun0
default         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
default         193.50.49.1     0.0.0.0         UG    0      0        0 eth0

The "default 10.8.0.1" line is my gateway for tun0. Why does the client not have internet working through the VPN tunnel?

Pings work fine, 10.8.0.1 to 10.8.0.4 and reverse.

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 11:45 am
by janjust
did you restart the server with the 'ifconfig-pool-persist' line disabled?

if you can ping 10.8.0.1 from the client then the first part of the VPN is working.
The fact that you don't have internet access via the VPN is a routing issue; how is routing done on the server side? are you using NAT/masquerading?

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 11:54 am
by kiwijuice
Ping worked well before all those things (10.8.0.1 - 10.8.0.6), but I thought that when the IPs work as a pair (server .1, client .2) the gateway would by default be 10.8.0.1, so internet would work through the VPN.

I forgot to disable ifconfig-pool-persist, but if ipp.txt is empty it's not important?
I don't use NAT/masquerading, because I thought that it is important only for LAN clients on the server side...

I'll try masquerading and disable ifconfig-pool-persist... and give you the server's routes if it doesn't work.
Thanks a lot

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 11:56 am
by janjust
did you restart the server after emptying the ipp.txt file?
what is listed in the ipp.txt file at this moment?

as for internet access/routing: how are packets routed after they arrive at the server? are they forwarded to some router connected to the internet? does this router know that packets with source address 10.8.0.0/24 need to go back to the VPN server?

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 12:47 pm
by kiwijuice
Everything works!!! You're a god :twisted:

I made a new script for iptables, with masquerade on eth0 (which is my public interface) for the VPN like you said, and on eth1 (private) for my clients on the server side. Internet works through the VPN tunnel.
Without ifconfig-pool-persist, my client has 10.8.0.2!!!

Everything is OK, thanks a lot ;)

I will test with more than one client to see if everything's good.
Theoretically, if another client connects to the VPN, does the server mount another interface (tun1) with IP 10.8.0.5 and the client 10.8.0.6?

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 1:26 pm
by janjust
the second client will get ip 10.8.0.3; the server does not create a new tun device, it will keep using 10.8.0.1.

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 1:31 pm
by kiwijuice
But the /30 subnet mask leaves only 2 bits for hosts, and two of the four addresses are used for the network address and the broadcast address...
The address 10.8.0.3 is the broadcast address of 10.8.0.0/30...

I will test, but I don't think it's possible to connect other clients without mounting a new interface... or I don't understand something.

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 1:41 pm
by janjust
the /30 network is just a trick to be able to use a point-to-point interface; with or without 'topology subnet' it is possible to connect many clients to a single server i/f (10.8.0.1). Trust me, it works :)
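
As an added example (not code from this thread or from OpenVPN itself): the `server 10.8.0.0 255.255.255.0` directive expands, in the default net30 topology, to `ifconfig 10.8.0.1 10.8.0.2` plus a client pool starting at 10.8.0.4, which is why a first client is handed 10.8.0.6 with its peer at 10.8.0.5, while `topology subnet` starts the pool at 10.8.0.2 behind the single gateway 10.8.0.1. The script reproduces both allocations and runs a longest-prefix lookup over a constructed copy of the client route table posted earlier (198.51.100.10 stands in for the redacted server address, 8.8.8.8 is just a sample internet destination) to show why the two `def1` half-routes win over the real default.

```python
"""Added example: OpenVPN net30 vs. subnet address allocation, and how the
redirect-gateway def1 routes from the thread are matched by the client kernel."""
import ipaddress

VPN_NET = ipaddress.ip_network("10.8.0.0/24")
N = ipaddress.ip_network  # short alias for building the constructed route table


def net30_pool(n_clients, net=VPN_NET):
    """Default (net30) topology: the server owns the first /30 (10.8.0.1 local, 10.8.0.2 peer)
    and the client pool starts at the second /30, so client k gets .(4k+2) and its
    point-to-point peer (the 'gateway' it sees) is .(4k+1): first client 10.8.0.6 / 10.8.0.5."""
    blocks = list(net.subnets(new_prefix=30))
    return [{"network": str(blocks[k].network_address), "peer": str(blocks[k][1]),
             "client": str(blocks[k][2]), "broadcast": str(blocks[k][3])}
            for k in range(1, n_clients + 1)]


def subnet_pool(n_clients, net=VPN_NET):
    """topology subnet: one flat /24, server at .1, clients .2, .3, ... all via gateway .1."""
    hosts = list(net.hosts())
    return [{"client": str(hosts[k]), "gateway": str(hosts[0])} for k in range(1, n_clients + 1)]


# Constructed copy of the client's `route` output: (prefix, gateway or None, interface).
CLIENT_ROUTES = [
    (N("198.51.100.10/32"), "193.50.49.1", "eth0"),  # host route: tunnel packets stay on eth0
    (N("193.50.49.0/24"), None, "eth0"),             # client LAN
    (N("10.8.0.0/24"), None, "tun0"),                # VPN subnet
    (N("0.0.0.0/1"), "10.8.0.1", "tun0"),            # def1 half 1 ("default ... 128.0.0.0")
    (N("128.0.0.0/1"), "10.8.0.1", "tun0"),          # def1 half 2
    (N("0.0.0.0/0"), "193.50.49.1", "eth0"),         # original default, left in place by def1
]


def next_hop(dst, routes=CLIENT_ROUTES):
    """Longest-prefix match, as the kernel does it; returns (gateway or None, interface)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw, dev)
    return None if best is None else (best[1], best[2])


if __name__ == "__main__":
    print(net30_pool(2))        # first client 10.8.0.6 via 10.8.0.5, second 10.8.0.10 via 10.8.0.9
    print(subnet_pool(2))       # 10.8.0.2 and 10.8.0.3, both via 10.8.0.1
    print(next_hop("8.8.8.8"))  # ('10.8.0.1', 'tun0'): a /1 route beats the /0 default on eth0
```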

Re: Some questions about PPTP

Posted: Tue Apr 05, 2011 1:52 pm
by kiwijuice
Ok

(I trust you, but I want to understand ;) )

I'm installing the second client.

Next step is LDAP interaction. :?

Re: Some questions about PPTP

Posted: Wed Apr 06, 2011 2:41 pm
by kiwijuice
I'm still having a problem.

On my OpenVPN client, I have two networks to test:

The first, 193.XX.XX.XX, is a WAN IP, so directly connected to the internet. Everything works.
I switch the cable on the wall: the second, in 172.31.33.XX/24, is behind a router. I opened port 1194. Everything works too, except DNS. I can reach Google by IP but DNS does not work.

Normally, every packet (DNS too) is encapsulated in VPN transport packets... I don't understand what the difference is between these two tests.

Does anyone have an idea?

Re: Some questions about PPTP

Posted: Wed Apr 06, 2011 2:59 pm
by janjust
you're redirecting the gateway but you're not assigning a new DNS server - hence your client will try to reach the old DNS server via the VPN (which will fail); either add 'bypass-dns' to send DNS traffic to the original DNS servers or use new DNS servers which *are* reachable via the VPN.

Re: Some questions about PPTP

Posted: Wed Apr 06, 2011 3:02 pm
by kiwijuice
I found my problem:

My tests on the WAN use a fixed IP, and the DNS is also 193.XX.XX.XX.
But the tests in network 172.31.33.XX use DHCP. So DHCP gives the client a DNS.
I tried to put this line in server.ovpn:

push "dhcp-option DNS 193.XX.XX.XX"

But my /etc/resolv.conf also has the DNS which was given by DHCP: 172.31.21.XX.
How to tell the client to use the DNS of the tun0 interface and not eth0?

EDIT: crossed posts, I'll try your option.