OpenVPN Support Forum

Hi, I'm having an issue with the following configuration:

- router connected to internet via cable modem (LAN: 192.168.0.1, WAN: 222.X.X.X)
- mac connected to the router (LAN: 192.168.0.100)

The mac runs an openvpn client & apache webserver (apache configured to listen to 192.168.0.100:8888), and the router forwards port 8888 to 192.168.0.100 8888

With vpn turn off, the website running on the mac is available for external access (http://222.X.X.X:8888/). This is the needed behavior.

Once the openvpn is on, the website becomes only available from LAN (http://192.168.0.100:8888/)

the routes on the mac (netstat -n -r):

without VPN:

Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.0.1 UGSc 13 24 en1
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 6 94416 lo0
169.254 link#5 UCS 0 0 en1
192.168.0 link#5 UCS 8 0 en1
192.168.0.1 28:4f:54:d4a5 UHLWI 13 67 en1 1195
192.168.0.100 127.0.0.1 UHS 34 13980 lo0
192.168.0.255 ff:ff:ff:ff:ff:ff UHLWbI 1 2 en1


OPENVPN runs the following when connected
/sbin/route add -net 223.X.X.X 192.168.0.1 255.255.255.255
/sbin/route add -net 0.0.0.0 10.13.65.21 128.0.0.0
/sbin/route add -net 128.0.0.0 10.13.65.21 128.0.0.0
/sbin/route add -net 10.13.65.1 10.13.65.21 255.255.255.255

and the routing table becomes:

Internet:
Destination Gateway Flags Refs Use Netif Expire
0/1 10.13.65.21 UGSc 1 0 tun0
default 192.168.0.1 UGSc 4 24 en1
10.13.65.1/32 10.13.65.21 UGSc 0 0 tun0
10.13.65.21 10.13.65.22 UH 5 0 tun0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 3 94444 lo0
128.0/1 10.13.65.21 UGSc 1 0 tun0
169.254 link#5 UCS 0 0 en1
192.168.0 link#5 UCS 11 0 en1
192.168.0.1 28:4f:54:d4a5 UHLWI 4 37 en1 1197
192.168.0.100 127.0.0.1 UHS 34 13980 lo0
192.168.0.255 ff:ff:ff:ff:ff:ff UHLWbI 0 1 en1
223.X.X.X/32 192.168.0.1 UGSc 1 0 en1


I need the website to be available via the WAN address and the mac to surf the internet via the VPN

This works fine if I use L2TP vpn. Routing table when connecting with L2TP is:

default 10.21.0.1 UGSc 5 0 ppp0
default 192.168.0.1 UGScI 0 0 en1
10 ppp0 USc 0 0 ppp0
10.21.0.1 10.21.0.100 UH 6 0 ppp0
127 127.0.0.1 UCS 0 0 lo0
127.0.0.1 127.0.0.1 UH 3 94718 lo0
169.254 link#5 UCS 0 0 en1
223.X.X.X 192.168.0.1 UGHS 1 45 en1
192.168.0 link#5 UCS 7 0 en1
192.168.0.1 28:4f:54:d4a5 UHLWI 4 98 en1 1194
192.168.0.100 127.0.0.1 UHS 34 13980 lo0
192.168.0.255 ff:ff:ff:ff:ff:ff UHLWbI 1 3 en1

Anyone has any idea why using the open vppn things fail? How to fix it ?

your openvpn server is pushing out (or this is listed in the client configuration). This causes all traffic to be redirected via the VPN tunnel, making your web server inaccessible.

You can overrule the 'redirect-gateway' stuff using but then you're responsible for adding all routes (like is the case for L2TP setups).

janjust wrote:your openvpn server is pushing out

Code: Select all

redirect-gateway def1

(or this is listed in the client configuration). This causes all traffic to be redirected via the VPN tunnel, making your web server inaccessible.

You can overrule the 'redirect-gateway' stuff using

Code: Select all

route-nopull

but then you're responsible for adding all routes (like is the case for L2TP setups).

I guess thats why they call you an expert...
Indeed adding to the config file removed the routes. Thanks!!!!


Now I need to figure out how to add the right rules...

The previously shown L2TP rules are added by the system when connecting... Would appreciate any pointers...

the l2tp routes are the ones which go via the 'ppp' device:

default 10.21.0.1 UGSc 5 0 ppp0
10 ppp0 USc 0 0 ppp0
10.21.0.1 10.21.0.100 UH 6 0 ppp0

so it looks like the L2TP setup also adds a default route, perhaps with a lower metric then the existing default. The second entry suggest that the entire 10/8 network is routed via the VPN (which is overkill IMHO). The third entry is the VPN IP address itself.

The second entry can be duplicated using in your openvpn client config (or using "push ...." on the server side)

janjust wrote:the l2tp routes are the ones which go via the 'ppp' device:

default 10.21.0.1 UGSc 5 0 ppp0
10 ppp0 USc 0 0 ppp0
10.21.0.1 10.21.0.100 UH 6 0 ppp0

so it looks like the L2TP setup also adds a default route, perhaps with a lower metric then the existing default. The second entry suggest that the entire 10/8 network is routed via the VPN (which is overkill IMHO). The third entry is the VPN IP address itself.

The second entry can be duplicated using

Code: Select all

route 10.0.0.0 255.0.0.0

in your openvpn client config (or using "push ...." on the server side)

I gotta admit... routes are not my strongest skill...

after a few unsuccessful tests i managed to get it right. I paste the solution here, if anyone encounters similar issues.

As suggested, I added "route-nopull" in my client config and I have the following scripts:

UP script DOWN script After bringing up the VPN, my routes look like this
My traffic goes over the VPN and the apache is serving the pages over the non VPN external IP.

Seams like my problem is solved. Thanks janjust for pointing me in the right direction...

Nice to hear!
BTW, as far as I know it is not necessary to use 'sudo' inside an 'UP' script: at that time openvpn is still running as 'root' so you can add routes all you want.
For a 'down' script sudo rights (or the down-root plugin) is required.

@janjust & @moonshine

Thank you for posting this! I was wanting to "send all traffic over VPN", while still having access to Web Sharing on Mac OS X 10.6 Snow Leopard.

The route "-ifscope" option was the solution. Brillant!

BTW, i believe using "-net" in not necessary when the target/destination is "Default"

Now I need to figure out how to add the right rules...

The previously shown L2TP rules are added by the system when connecting... Would appreciate any pointers...