The goal I am trying to achieve is for the client to be able to route ALL traffic including internet traffic over the VPN.
Network Details
DLink 624 Router connected to Internet (10.11.12.254 LAN IP/a.b.c.d Internet/Public WAN IP) (This is the Gateway for LAN)
Internal LAN Subnet 10.11.12.0/24
Laptop (10.9.0.1) --- VPN Tunnel --- OpenVPN Server(10.8.0.1/10.11.12.250) --- DLINK (10.11.12.254/a.b.c.d Public WAN IP) --- INTERNET
I have successfully set up OpenVPN and am able to connect/ping from the client to all LAN clients across the VPN, map shares etc.
However I am unable to ping any internet addresses, even by IP (been testing with 8.8.8.8 to take any DNS out of the equation).
I have configured the server with the "redirect-gateway def1" option to force all traffic through the VPN tunnel, as well as enabling IP Forwarding on the OpenVPN Server host.
Traceroute from client (10.9.0.1)
Tracing route to 8.8.8.8 over a maximum of 30 hops
1 136 ms 99 ms 99 ms RAID-1 [10.8.0.1]
2 139 ms 99 ms 99 ms 10.11.12.254 <--- Reaches DLINK Router OK
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
4 18:38:35.031928 10.9.0.1 8.8.8.8 ICMP Echo (ping) request
Ethernet II, Src: 00:ff:10:d1:cd:18 (00:ff:10:d1:cd:18), Dst: 00:ff:11:d1:cd:18 (00:ff:11:d1:cd:18)
Internet Protocol, Src: 10.9.0.1 (10.9.0.1), Dst: 8.8.8.8 (8.8.8.8)
5 18:38:35.559574 10.11.12.254 10.9.0.1 ICMP Redirect (Redirect for host)
Ethernet II, Src: 00:ff:11:d1:cd:18 (00:ff:11:d1:cd:18), Dst: 00:ff:10:d1:cd:18 (00:ff:10:d1:cd:18)
Internet Protocol, Src: 10.11.12.254 (10.11.12.254), Dst: 10.9.0.1 (10.9.0.1)
Internet Control Message Protocol
Type: 5 (Redirect)
Code: 1 (Redirect for host)
Gateway address: a.b.c.d (a.b.c.d) <---- I think this is the problem,
DLINK (10.11.12.254) is telling me to use the Public Internet IP?
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 10.11.12.254
2 * * * Request timed out.
3 130 ms 115 ms 118 ms z.y.x.w.static.exetel.com.au [w.x.y.z]
4 64 ms 34 ms 29 ms as15169.sydney.pipenetworks.com [218.100.2.98]
5 34 ms 34 ms 32 ms 66.249.95.226
6 138 ms 156 ms 158 ms 66.249.95.235
7 96 ms 110 ms 120 ms 72.14.237.21
8 119 ms 101 ms 119 ms google-public-dns-a.google.com [8.8.8.8]
1 0.000000 10.9.0.1 8.8.8.8 ICMP Echo (ping) request
Ethernet II, Src: 00:ff:0a:8f:84:8b (00:ff:0a:8f:84:8b), Dst: 00:ff:09:8f:84:8b (00:ff:09:8f:84:8b)
Internet Protocol, Src: 10.9.0.1 (10.9.0.1), Dst: 8.8.8.8 (8.8.8.8)
4 0.000431 10.11.12.254 10.9.0.1 ICMP Redirect (Redirect for host)
Ethernet II, Src: 00:ff:09:8f:84:8b (00:ff:09:8f:84:8b), Dst: 00:ff:0a:8f:84:8b (00:ff:0a:8f:84:8b)
Internet Protocol, Src: 10.11.12.254 (10.11.12.254), Dst: 10.9.0.1 (10.9.0.1)
Internet Control Message Protocol
Type: 5 (Redirect)
Code: 1 (Redirect for host)
Gateway address: a.b.c.d (a.b.c.d) <---- I think this is the problem,
DLINK (10.11.12.254) is telling me to use the Public Internet IP?
Now I am no networking expert, but from the searching I have done this seems to basically be a message from a gateway saying "Hey, I found a better path for you to route these packets". The better path it is offering, however, is my external public-facing IP (a.b.c.d), which the client is not going to be able to route to. So now I am a bit confused where to go from here. I have read that ICMP Redirects can be disabled on Windows in the registry, but I am not sure what effect this will have on other network functions or whether it is advisable. Plus I can see the source is the DLINK Router (10.11.12.254), so I am not sure that will help anyway.
OpenVPN Server Details
Windows 2003 Server x64 SP2 running OpenVPN 2.2.1 , IP 10.11.12.250
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
Physical Address. . . . . . . . . : 00-FF-09-8F-84-8B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.8.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 10.11.12.254
DHCP Server . . . . . . . . . . . : 10.8.0.2
Lease Obtained. . . . . . . . . . : Monday, 12 December 2011 6:32:56 PM
Lease Expires . . . . . . . . . . : Tuesday, 11 December 2012 6:32:56 PM
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR8131 PCI-E Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 90-E6-BA-A8-66-D8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.11.12.250
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.11.12.254
DNS Servers . . . . . . . . . . . : 10.11.12.254
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.11.12.254 10.11.12.250 20
10.11.12.0 255.255.255.0 10.11.12.250 10.11.12.250 20
10.11.12.250 255.255.255.255 127.0.0.1 127.0.0.1 20
10.255.255.255 255.255.255.255 10.11.12.250 10.11.12.250 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.142.0 255.255.255.0 192.168.142.1 192.168.142.1 20
192.168.142.1 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.142.255 255.255.255.255 192.168.142.1 192.168.142.1 20
224.0.0.0 240.0.0.0 10.11.12.250 10.11.12.250 20
224.0.0.0 240.0.0.0 192.168.142.1 192.168.142.1 20
255.255.255.255 255.255.255.255 10.11.12.250 10.11.12.250 1
255.255.255.255 255.255.255.255 10.11.12.250 3 1
255.255.255.255 255.255.255.255 192.168.142.1 192.168.142.1 1
Default Gateway: 10.11.12.254
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.11.12.254 10.8.0.1 30
0.0.0.0 0.0.0.0 10.11.12.254 10.11.12.250 20
10.8.0.0 255.255.255.252 10.8.0.1 10.8.0.1 30
10.8.0.0 255.255.255.0 10.8.0.2 10.8.0.1 1
10.8.0.1 255.255.255.255 127.0.0.1 127.0.0.1 30
10.9.0.0 255.255.255.0 10.8.0.2 10.8.0.1 1
10.11.12.0 255.255.255.0 10.11.12.250 10.11.12.250 20
10.11.12.250 255.255.255.255 127.0.0.1 127.0.0.1 20
10.255.255.255 255.255.255.255 10.8.0.1 10.8.0.1 30
10.255.255.255 255.255.255.255 10.11.12.250 10.11.12.250 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.142.0 255.255.255.0 192.168.142.1 192.168.142.1 20
192.168.142.1 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.142.255 255.255.255.255 192.168.142.1 192.168.142.1 20
224.0.0.0 240.0.0.0 10.8.0.1 10.8.0.1 30
224.0.0.0 240.0.0.0 10.11.12.250 10.11.12.250 20
224.0.0.0 240.0.0.0 192.168.142.1 192.168.142.1 20
255.255.255.255 255.255.255.255 10.8.0.1 10.8.0.1 1
255.255.255.255 255.255.255.255 10.11.12.250 10.11.12.250 1
255.255.255.255 255.255.255.255 192.168.142.1 192.168.142.1 1
Default Gateway: 10.11.12.254
local 10.11.12.250
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.11.12.0 255.255.255.0"
client-config-dir ccd
route 10.9.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.11.12.254"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 4
ifconfig-push 10.9.0.1 10.9.0.2
Windows 2003 Server x64 SP2 running OpenVPN 2.2.1
PPP adapter Telstra.DataPack:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.106.8.15
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 10.106.8.15
DNS Servers . . . . . . . . . . . : 10.4.176.234
10.4.85.138
NetBIOS over Tcpip. . . . . . . . : Disabled
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.106.8.15 10.106.8.15 1
10.106.8.15 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.106.8.15 10.106.8.15 50
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.106.8.15 10.106.8.15 1
255.255.255.255 255.255.255.255 10.106.8.15 6 1
255.255.255.255 255.255.255.255 10.106.8.15 3 1
255.255.255.255 255.255.255.255 10.106.8.15 10008 1
255.255.255.255 255.255.255.255 10.106.8.15 2 1
255.255.255.255 255.255.255.255 10.106.8.15 10.106.8.15 1
Default Gateway: 10.106.8.15
Network Destination Netmask Gateway Interface Metric
0.0.0.0 128.0.0.0 10.9.0.2 10.9.0.1 1
0.0.0.0 0.0.0.0 10.106.8.15 10.106.8.15 1
10.8.0.1 255.255.255.255 10.9.0.2 10.9.0.1 1
10.9.0.0 255.255.255.252 10.9.0.1 10.9.0.1 30
10.9.0.1 255.255.255.255 127.0.0.1 127.0.0.1 30
10.11.12.0 255.255.255.0 10.9.0.2 10.9.0.1 1
10.106.8.15 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.9.0.1 10.9.0.1 30
10.255.255.255 255.255.255.255 10.106.8.15 10.106.8.15 50
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
128.0.0.0 128.0.0.0 10.9.0.2 10.9.0.1 1
a.b.c.d 255.255.255.255 10.106.8.15 10.106.8.15 1 <---- This is my Public IP (a.b.c.d)
224.0.0.0 240.0.0.0 10.9.0.1 10.9.0.1 30
224.0.0.0 240.0.0.0 10.106.8.15 10.106.8.15 1
255.255.255.255 255.255.255.255 10.9.0.1 10.9.0.1 1
255.255.255.255 255.255.255.255 10.106.8.15 10008 1
255.255.255.255 255.255.255.255 10.106.8.15 2 1
255.255.255.255 255.255.255.255 10.106.8.15 10.106.8.15 1
255.255.255.255 255.255.255.255 10.106.8.15 3 1
Default Gateway: 10.9.0.2
client
dev tun
proto tcp
remote a.b.c.d 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 4
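Added example (not part of the post above): a small Python model of Windows route selection run over the client's post-connect route table, showing why "redirect-gateway def1" works (the two /1 routes win the longest-prefix match over the 0.0.0.0/0 default, while the /32 host route keeps the tunnel's own packets off the tunnel), plus the RFC 1122 check a host applies before honouring an ICMP Redirect: the offered gateway must be on-link for the interface the packet went out on, which a public address like a.b.c.d is not from the 10.9.0.0/30 tunnel. The public IP a.b.c.d is replaced by the documentation address 203.0.113.10 as a constructed stand-in.

```python
import ipaddress

# Constructed stand-in for the post's public IP "a.b.c.d".
PUBLIC_IP = "203.0.113.10"

# Relevant rows of the client's route table after connecting, copied from the post:
# (destination, netmask, gateway, interface, metric)
CLIENT_ROUTES = [
    ("0.0.0.0", "128.0.0.0", "10.9.0.2", "10.9.0.1", 1),        # def1 half 1
    ("0.0.0.0", "0.0.0.0", "10.106.8.15", "10.106.8.15", 1),    # original default
    ("10.8.0.1", "255.255.255.255", "10.9.0.2", "10.9.0.1", 1),
    ("10.9.0.0", "255.255.255.252", "10.9.0.1", "10.9.0.1", 30),
    ("10.11.12.0", "255.255.255.0", "10.9.0.2", "10.9.0.1", 1), # pushed LAN route
    ("128.0.0.0", "128.0.0.0", "10.9.0.2", "10.9.0.1", 1),      # def1 half 2
    (PUBLIC_IP, "255.255.255.255", "10.106.8.15", "10.106.8.15", 1),  # VPN server
]


def select_route(routes, dst):
    """Pick the route Windows would use: longest prefix first, then lowest metric.
    Returns (gateway, interface) or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface, metric in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst in net:
            key = (net.prefixlen, -metric)   # longer prefix, then lower metric
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def redirect_is_acceptable(iface_ip, iface_mask, new_gateway):
    """RFC 1122 3.2.2.2: a host may only honour an ICMP Redirect whose new gateway
    lies on the directly connected network of the interface involved."""
    link = ipaddress.ip_network(f"{iface_ip}/{iface_mask}", strict=False)
    return ipaddress.ip_address(new_gateway) in link


if __name__ == "__main__":
    print("8.8.8.8 ->", select_route(CLIENT_ROUTES, "8.8.8.8"))        # via tunnel
    print(PUBLIC_IP, "->", select_route(CLIENT_ROUTES, PUBLIC_IP))     # via WAN
    print("redirect to public IP accepted from tunnel?",
          redirect_is_acceptable("10.9.0.1", "255.255.255.252", PUBLIC_IP))
```

The same selection logic applied to the server's table explains the server's own behaviour: 8.8.8.8 matches only the two 0.0.0.0/0 rows there, and the metric-20 row on 10.11.12.250 wins over the metric-30 row on the TAP adapter.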