[Problem] OpenVPN routing problems

donaldd

New user
Member since
9 Apr 2011
Posts
3
Reaction score
0
Points
0
Thanks to this forum, I got my VPN client on my Fritz up and running, but no traffic is going over the VPN. How do I change the route so that all the clients on the LAN use the VPN tunnel between the Fritz and the VPN server:

VPN Witopia.net (OpenVPN Server 10.119.0.10) <====> FritzBox ( LAN: 192.168.1.1, OpenVPN Client: 10.119.0.1) <=====> LAN (NW: 192.168.1.0, mask: 255.255.255.0 GW: 192.168.1.1)

route:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.119.0.109 * 255.255.255.255 UH 0 0 0 tun0
192.168.180.1 * 255.255.255.255 UH 2 0 0 dsl
192.168.180.2 * 255.255.255.255 UH 2 0 0 dsl
10.119.0.1 10.119.0.109 255.255.255.255 UGH 0 0 0 tun0
87.x.x.x * 255.255.255.240 U 2 0 0 dsl
192.168.1.0 * 255.255.255.0 U 0 0 0 lan
169.254.0.0 * 255.255.0.0 U 0 0 0 lan
default * 0.0.0.0 U 2 0 0 dsl


With the following routing changes:

# route del default
# route add default gw 169.254.2.1 dev dsl
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.119.0.109 * 255.255.255.255 UH 0 0 0 tun0
192.168.180.1 * 255.255.255.255 UH 2 0 0 dsl
192.168.180.2 * 255.255.255.255 UH 2 0 0 dsl
10.119.0.1 10.119.0.109 255.255.255.255 UGH 0 0 0 tun0
87.x.x.x * 255.255.255.240 U 2 0 0 dsl
192.168.1.0 * 255.255.255.0 U 0 0 0 lan
169.254.0.0 * 255.255.0.0 U 0 0 0 lan
default 169.254.2.1 0.0.0.0 UG 0 0 0 dsl

Connections from the FritzBox go over the VPN tunnel and almost reach the destination:

# traceroute www.heise.de
traceroute to www.heise.de (193.99.144.85), 30 hops max, 38 byte packets
1 lo1.virnxx18.ip.tele.dk (80.166.139.37) 12.517 ms 11.894 ms 12.538 ms
2 ge-3-1-0-50.virnxu4.dk.ip.tdc.net (83.88.7.218) 14.189 ms 11.974 ms 47.780 ms
3 xe-2-2-0.ffm2nqp1.de.ip.tdc.net (83.88.23.216) 42.550 ms 53.761 ms 42.064 ms
4 te3-1.c101.f.de.plusline.net (80.81.192.132) 43.482 ms 43.974 ms 46.261 ms
5 * * heise2.f.de.plusline.net (82.98.98.106) 44.858 ms !A
6 * * *


But when I try the same from a PC on the LAN, the VPN gets bypassed:

Tracing route to www.heise.de [193.99.144.85]
over a maximum of 30 hops:

1 1 ms 3 ms 1 ms 192.168.1.1
2 29 ms 18 ms 35 ms lo1.virnxx18.ip.tele.dk [80.166.139.37]
3 14 ms 14 ms 12 ms ge-3-1-0-50.virnxu4.dk.ip.tdc.net [83.88.7.218]

4 51 ms 43 ms 45 ms xe-2-2-0.ffm2nqp1.de.ip.tdc.net [83.88.23.216]
5 44 ms 46 ms 52 ms te3-1.c101.f.de.plusline.net [80.81.192.132]
6 47 ms 46 ms 46 ms heise2.f.de.plusline.net [82.98.98.106]
7 45 ms 46 ms 45 ms www.heise.de [193.99.144.85]

Trace complete.


Thanks in advance

Donald
 
Last edited:
From the trace above I cannot see the FB using the tunnel (the first hop should be the VPN server IP then).
Your config needs the "redirect-gateway" parameter; use "redirect-gateway def1" there (first change the default gateway to an IP as you already did, then start the OpenVPN client).

Please note that without "natting" the PCs from the local network will reach the server with their original address, so it has to have a routing entry for your LAN pointing to your OpenVPN client IP.

If it doesn't work, we might need more information, e.g. the configuration.

Joerg
 
Hi MaxMaster

Thanks for your reply. After I added "redirect-gateway def1", the traceroute from the Fritz goes directly over the VPN tunnel:

# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.180.1 * 255.255.255.255 UH 2 0 0 dsl
192.168.180.2 * 255.255.255.255 UH 2 0 0 dsl
207.7.149.31 169.254.2.1 255.255.255.255 UGH 0 0 0 dsl
10.119.1.153 * 255.255.255.255 UH 0 0 0 tun0
10.119.0.1 10.119.1.153 255.255.255.255 UGH 0 0 0 tun0
87.x.x.x * 255.255.255.240 U 2 0 0 dsl
192.168.1.0 * 255.255.255.0 U 0 0 0 lan
169.254.0.0 * 255.255.0.0 U 0 0 0 lan
default 10.119.1.153 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.119.1.153 128.0.0.0 UG 0 0 0 tun0
default 169.254.2.1 0.0.0.0 UG 0 0 0 dsl


# traceroute www.heise.de
traceroute to www.heise.de (193.99.144.85), 30 hops max, 38 byte packets
1 10.119.0.1 (10.119.0.1) 204.675 ms 208.109 ms 212.397 ms
2 207.7.138.114 (207.7.138.114) 207.142 ms 204.604 ms 202.429 ms
3 ge-1-3-0-9.br1.la1.unitedlayer.com (209.237.224.57) 202.134 ms 204.002 ms 205.131 ms
4 Vlan803.br1.sf9.unitedlayer.com (209.237.224.142) 219.196 ms 222.252 ms 220.626 ms
5 64.125.128.129 (64.125.128.129) 223.509 ms 218.669 ms 221.404 ms
6 xe-2-0-0.er1.sjc2.us.above.net (64.125.31.154) 227.634 ms 219.448 ms 220.010 ms
7 xe-0-1-0.mpr3.sjc7.us.above.net (64.125.30.174) 232.024 ms 228.947 ms 219.039 ms
8 above-level3.sjc7.us.above.net (64.125.13.242) 216.284 ms 216.632 ms 228.377 ms
9 vlan70.csw2.SanJose1.Level3.net (4.69.152.126) 220.993 ms 216.484 ms vlan80.csw3.SanJose1.Level3.net (4.69.152.190) 217.972 ms
10 ae-91-91.ebr1.SanJose1.Level3.net (4.69.153.13) 219.404 ms 216.850 ms ae-61-61.ebr1.SanJose1.Level3.net (4.69.153.1) 226.699 ms
11 ae-2-2.ebr2.NewYork1.Level3.net (4.69.135.186) 289.364 ms 288.253 ms 286.899 ms
12 ae-6-6.ebr2.NewYork2.Level3.net (4.69.141.22) 289.851 ms 289.524 ms 285.704 ms
13 ae-1-100.ebr1.NewYork2.Level3.net (4.69.135.253) 288.629 ms 287.089 ms 289.558 ms
14 ae-3-3.ebr2.Washington1.Level3.net (4.69.132.89) 279.844 ms 280.851 ms 280.132 ms
15 ae-43-43.ebr2.Frankfurt1.Level3.net (4.69.137.57) 369.636 ms 369.963 ms ae-42-42.ebr2.Frankfurt1.Level3.net (4.69.137.53) 369.830 ms
16 ae-62-62.csw1.Frankfurt1.Level3.net (4.69.140.18) 381.196 ms ae-72-72.csw2.Frankfurt1.Level3.net (4.69.140.22) 382.283 ms 371.098 ms
17 ae-3-89.edge4.Frankfurt1.Level3.net (4.68.23.140) 379.260 ms ae-1-69.edge4.Frankfurt1.Level3.net (4.68.23.12) 370.998 ms 405.447 ms
18 te2-2.c102.f.de.plusline.net (212.162.24.58) 372.509 ms 369.186 ms 370.321 ms
19 heise2.f.de.plusline.net (82.98.98.110) 371.935 ms !A 371.793 ms !A *


OpenVPN Client-config:
# Run as daemon
daemon
log logging.log
status status.log

# Device
dev tun
dev-node /var/tmp/tun
persist-tun
redirect-gateway def1

# UDP-Client, port 1194
client
proto udp
ns-cert-type server
remote vpn.lax.witopia.net 1194
resolv-retry infinite
nobind
comp-lzo
cipher bf-cbc

# Certificates
ca ca.crt
key xxxx.key
cert xxxx.crt
persist-key

# verbose level
verb 3

I have some difficulties creating the route for the LAN network (192.168.1.0/24) so that it points at the VPN gateway 10.119.1.153; maybe you could also help me out with the routing.

Thanks in advance

Donald
 
Last edited:
Where do you want this route? It would only make sense on the VPN server, if I got it right?
If you have access to the server, it should be no problem (but it is, if you don't) ;-)
The server needs a "client-config-dir" and a config file for your client certificate setting up a static IP for your client (e.g. 10.119.1.153) and then these two entries:
"route 192.168.1.0 255.255.255.0 10.119.1.153" and "iroute 192.168.1.0 255.255.255.0 10.119.1.153"

If you can't access the server, you will need to "masquerade" your LAN traffic (NAT it to the IP of the tun device).

Joerg

EDIT: If you mean that the LAN devices (192.168.1.0/24) do not use the VPN, you just have to make sure the VPN client (your FritzBox) is the default gateway in your net (or set up a route for the "interesting" networks pointing to your FB's LAN IP). In any case you will need the server to "know" and respect your LAN to access the internet through the VPN. Otherwise you will need to NAT your LAN, as I said above.
 
Last edited:
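To make the two routing points in this thread visible, here is an added example that is not from the forum posts: a small Python route-lookup simulation over the tables Donald posted, showing why the two /1 routes that "redirect-gateway def1" installs win over the dsl default, plus a constructed server-side table (the 10.119.0.0/16 tun network and the 203.0.113.1 upstream are assumptions) for Joerg's point that the server needs a route for 192.168.1.0/24 before replies to LAN hosts can come back through the tunnel.

```python
import ipaddress

def parse_route_output(text):
    """Parse net-tools/busybox 'route' output (as posted in this thread) into
    (network, gateway-or-None, iface, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # skip the header line
        dest, gw, mask, _flags, metric, _ref, _use, iface = f
        net = ipaddress.IPv4Network(("0.0.0.0" if dest == "default" else dest) + "/" + mask)
        routes.append((net, None if gw == "*" else gw, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Kernel-style selection: longest prefix wins, lower metric breaks ties."""
    dst = ipaddress.IPv4Address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: (r[0].prefixlen, -r[3]))
    return best[2], best[1]  # (iface, gateway or None)

# Constructed from the two tables posted above (masked 87.x.x.x line omitted).
BEFORE = """
Destination Gateway Genmask Flags Metric Ref Use Iface
10.119.0.109 * 255.255.255.255 UH 0 0 0 tun0
10.119.0.1 10.119.0.109 255.255.255.255 UGH 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 lan
default 169.254.2.1 0.0.0.0 UG 0 0 0 dsl
"""
AFTER = """
Destination Gateway Genmask Flags Metric Ref Use Iface
207.7.149.31 169.254.2.1 255.255.255.255 UGH 0 0 0 dsl
10.119.1.153 * 255.255.255.255 UH 0 0 0 tun0
10.119.0.1 10.119.1.153 255.255.255.255 UGH 0 0 0 tun0
192.168.1.0 * 255.255.255.0 U 0 0 0 lan
default 10.119.1.153 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.119.1.153 128.0.0.0 UG 0 0 0 tun0
default 169.254.2.1 0.0.0.0 UG 0 0 0 dsl
"""
# Assumed (constructed) server-side table: no route for the client's LAN yet,
# so a reply to 192.168.1.x leaves via the server's upstream instead of tun0.
SERVER = """
Destination Gateway Genmask Flags Metric Ref Use Iface
10.119.0.0 * 255.255.0.0 U 0 0 0 tun0
default 203.0.113.1 0.0.0.0 UG 0 0 0 eth0
"""
# Kernel route produced by the "route 192.168.1.0 255.255.255.0 ..." entry; the
# matching "iroute" is OpenVPN-internal and never shows up in 'route' output.
SERVER_FIXED = SERVER + "192.168.1.0 10.119.1.153 255.255.255.0 UG 0 0 0 tun0\n"
```

The host route to 207.7.149.31 via dsl is what keeps the tunnel's own UDP packets out of the tunnel; the 0.0.0.0/1 and 128.0.0.0/1 pair is more specific than the /0 default, so everything else goes to tun0.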
I do not have access to the VPN server; it seems that I have to flash my FB with Freetz, I just have to find a suitable time to do it.


Thanks for your advice, you have been very helpful.
 