Configuring openvpn client behind router


The problem here is evident in this log line:

Thu Mar 17 16:13:37 2016 /sbin/ip route add 192.168.1.0/24 via 10.0.254.21

OpenVPN is causing traffic for your local LAN to be routed via the tunnel interface. The following log line shows that 10.0.254.21 is the remote end of your tunnel connection:

Thu Mar 17 16:13:34 2016 /sbin/ip addr add dev tun0 local 10.0.254.22 peer 10.0.254.21

Presumably a "push route" command in your OpenVPN server configuration is causing the route for 192.168.1.0/24 to be set up. See this section of the man page:

--client A helper directive designed to simplify the configuration of OpenVPN's client mode. This directive is equivalent to:

          pull
          tls-client

--pull This option must be used on a client which is connecting to a multi-client server. It indicates to OpenVPN that it should accept options pushed by the server, provided they are part of the legal set of pushable options (note that the --pull option is implied by --client ).

          In particular, --pull allows the server to push routes to the client, so you should not use --pull or
          --client in situations where you don't trust the server to have control over the client's routing table.

The simplest solution, if practical, would be to change the IP address space for your LAN, that is, configure the DHCP server on your router to 192.168.2.0/255, for example. Perhaps this is what your modem was doing before you added the router device to the mix? This solution is the best one if there is a remote LAN in the 192.168.1.0/24 address range that you wish to connect with over the VPN tunnel.

If you don't need access to the remote 192.168.1.0/24 network and you don't wish to renumber your LAN, you have some other options. If you can control the OpenVPN server configuration on a per-client basis, you can remove the "push route" command for 192.168.1.0/24. Refer to the OpenVPN Community HOWTO, in the section mentioning the "ccd" directory.

Another possibility is to override the server in the local OpenVPN config file. As a starting point, you could add "route-nopull" to your config file and configure the routes manually, i.e., let OpenVPN connect and then type:

/sbin/ip route add 192.168.6.0/24 via 10.0.254.21
/sbin/ip route add 192.168.200.0/24 via 10.0.254.21
/sbin/ip route add 10.0.0.0/16 via 10.0.254.21
/sbin/ip route add 10.0.254.1/32 via 10.0.254.21
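
An added check to go with the route-nopull approach above (example script, not part of the original answer): a POSIX shell function that parses the PUSH_REPLY line from the question, reports any pushed route that overlaps the client's own LAN, and prints the manual `ip route add` commands for the remaining routes instead of running them. The PUSH_REPLY text, the local LAN 192.168.1.0/24 and the peer 10.0.254.21 are constructed from the log in the question.

```shell
#!/bin/sh
# Constructed example: compare the routes a server pushes against the
# client's own LAN before applying them. Routes that would swallow the
# local subnet are reported and skipped; the rest are printed as the
# manual "ip route add" commands used with route-nopull.

# dotted quad -> 32-bit integer
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# netmask -> prefix length (assumes a contiguous mask)
mask2len() {
    m=$(ip2int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# succeeds if NET1/MASK1 and NET2/MASK2 share at least one address
overlaps() {
    common=$(( $(ip2int "$2") & $(ip2int "$4") ))
    [ $(( $(ip2int "$1") & common )) -eq $(( $(ip2int "$3") & common )) ]
}

# Usage: safe_routes LOCAL_NET LOCAL_MASK VPN_PEER PUSH_REPLY_LINE
# Prints one "ip route add" per pushed route that does not overlap the
# local LAN; overlapping routes go to stderr and are skipped.
safe_routes() {
    lnet=$1; lmask=$2; peer=$3
    echo "$4" | tr ',' '\n' | while read -r kw net mask _; do
        [ "$kw" = "route" ] || continue
        mask=${mask:-255.255.255.255}   # "route 10.0.254.1" with no mask is a host route
        if overlaps "$lnet" "$lmask" "$net" "$mask"; then
            echo "skipping pushed route $net $mask: overlaps local LAN $lnet $lmask" >&2
        else
            echo "ip route add $net/$(mask2len "$mask") via $peer"
        fi
    done
}

# Constructed sample: the PUSH_REPLY from the question, client LAN 192.168.1.0/24.
PUSH='PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.6.0 255.255.255.0,route 10.0.0.0 255.255.0.0,dhcp-option DNS 192.168.1.1,route 10.0.254.1,topology net30,ifconfig 10.0.254.22 10.0.254.21'
safe_routes 192.168.1.0 255.255.255.0 10.0.254.21 "$PUSH"
```

Run it once after the tunnel is up to get the route commands for a route-nopull client; the skipped line names the pushed route that was breaking LAN connectivity.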

Author: szaman

Updated on September 18, 2022

Comments

  • szaman, over 1 year ago:

    I have a D-Link DIR-645 router which is connected to a Cisco modem. My laptop (Ubuntu 15.10) is connected to this router via Wi-Fi.

    I have a problem with the OpenVPN connection. When the laptop is connected directly to the modem, the connection works fine. When it is behind the router, a few seconds after connecting with OpenVPN the Internet stops working (I cannot ping either an IP or a DNS name). I thought it was a router config problem, but after installing the OpenVPN client for Windows I was able to establish a connection using the same OpenVPN config file as on Ubuntu.

    What am I missing?

    My OpenVPN version: 2.3.7 x86_64. I'm trying to connect using the NetworkManager plugin as well as the command line.

    Connection log:

    Thu Mar 17 16:13:18 2016 OpenVPN 2.3.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jul 8 2015
    Thu Mar 17 16:13:18 2016 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
    Thu Mar 17 16:13:18 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Thu Mar 17 16:13:18 2016 Control Channel Authentication: using '/etc/openvpn/vpn/ta.key' as a OpenVPN static key file
    Thu Mar 17 16:13:18 2016 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Thu Mar 17 16:13:18 2016 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Thu Mar 17 16:13:18 2016 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Thu Mar 17 16:13:19 2016 UDPv4 link local: [undef]
    Thu Mar 17 16:13:19 2016 UDPv4 link remote: [AF_INET]x.x.x.x:1194 <- usunięte
    Thu Mar 17 16:13:19 2016 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=18f6d2a7 029e6b8e
    Thu Mar 17 16:13:20 2016 VERIFY OK: usunięte
    Thu Mar 17 16:13:20 2016 VERIFY OK: nsCertType=SERVER
    Thu Mar 17 16:13:20 2016 VERIFY OK: usunięte
    Thu Mar 17 16:13:25 2016 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Thu Mar 17 16:13:25 2016 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Thu Mar 17 16:13:25 2016 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Thu Mar 17 16:13:25 2016 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
    Thu Mar 17 16:13:25 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
    Thu Mar 17 16:13:25 2016 [usunięte] Peer Connection Initiated with [AF_INET]x.x.x.x:1194
    Thu Mar 17 16:13:27 2016 SENT CONTROL [usunięte]: 'PUSH_REQUEST' (status=1)
    Thu Mar 17 16:13:32 2016 SENT CONTROL [usunięte]: 'PUSH_REQUEST' (status=1)
    Thu Mar 17 16:13:34 2016 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.6.0 255.255.255.0,route 192.168.200.0 255.255.255.0,route 10.0.0.0 255.255.0.0,dhcp-option DNS 192.168.1.1,dhcp-option DOMAIN usunięte,route 10.0.254.1,topology net30,ping 10,ping-restart 60,ifconfig 10.0.254.22 10.0.254.21'
    Thu Mar 17 16:13:34 2016 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Mar 17 16:13:34 2016 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Mar 17 16:13:34 2016 OPTIONS IMPORT: route options modified
    Thu Mar 17 16:13:34 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Thu Mar 17 16:13:34 2016 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlan0 HWADDR=a4:34:d9:51:f0:a9
    Thu Mar 17 16:13:34 2016 TUN/TAP device tun0 opened
    Thu Mar 17 16:13:34 2016 TUN/TAP TX queue length set to 100
    Thu Mar 17 16:13:34 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Thu Mar 17 16:13:34 2016 /sbin/ip link set dev tun0 up mtu 1500
    Thu Mar 17 16:13:34 2016 /sbin/ip addr add dev tun0 local 10.0.254.22 peer 10.0.254.21
    Thu Mar 17 16:13:34 2016 /etc/openvpn/update-resolv-conf tun0 1500 1569 10.0.254.22 10.0.254.21 init
    dhcp-option DNS 192.168.1.1
    dhcp-option DOMAIN usunięte
    Thu Mar 17 16:13:37 2016 /sbin/ip route add 192.168.1.0/24 via 10.0.254.21
    Thu Mar 17 16:13:37 2016 /sbin/ip route add 192.168.6.0/24 via 10.0.254.21
    Thu Mar 17 16:13:37 2016 /sbin/ip route add 192.168.200.0/24 via 10.0.254.21
    Thu Mar 17 16:13:37 2016 /sbin/ip route add 10.0.0.0/16 via 10.0.254.21
    Thu Mar 17 16:13:37 2016 /sbin/ip route add 10.0.254.1/32 via 10.0.254.21
    Thu Mar 17 16:13:37 2016 Initialization Sequence Completed
    Thu Mar 17 16:15:00 2016 [usunięte] Inactivity timeout (--ping-restart), restarting
    Thu Mar 17 16:15:00 2016 SIGUSR1[soft,ping-restart] received, process restarting
    Thu Mar 17 16:15:00 2016 Restart pause, 2 second(s)
    Thu Mar 17 16:15:02 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Thu Mar 17 16:15:02 2016 Socket Buffers: R=[212992->131072] S=[212992->131072]
    Thu Mar 17 16:16:23 2016 RESOLVE: Cannot resolve host address: home.absilion.com: Temporary failure in name resolution
    Thu Mar 17 16:17:38 2016 RESOLVE: signal received during DNS resolution attempt
    Thu Mar 17 16:17:38 2016 /sbin/ip route del 10.0.254.1/32
    Thu Mar 17 16:17:38 2016 /sbin/ip route del 10.0.0.0/16
    Thu Mar 17 16:17:38 2016 /sbin/ip route del 192.168.200.0/24
    Thu Mar 17 16:17:38 2016 /sbin/ip route del 192.168.6.0/24
    Thu Mar 17 16:17:38 2016 /sbin/ip route del 192.168.1.0/24
    Thu Mar 17 16:17:38 2016 Closing TUN/TAP interface
    Thu Mar 17 16:17:38 2016 /sbin/ip addr del dev tun0 local 10.0.254.22 peer 10.0.254.21
    Thu Mar 17 16:17:38 2016 /etc/openvpn/update-resolv-conf tun0 1500 1569 10.0.254.22 10.0.254.21 init
    Thu Mar 17 16:17:38 2016 SIGTERM[hard,init_instance] received, process exiting 
    

    Openvpn config file:

    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client
    
    # enable openvpn running scripts (enable to update resolv.conf)
    script-security 2
    
    # fix DNS via VPN connection
    ;up /etc/openvpn/update-resolv-conf
    ;down /etc/openvpn/update-resolv-conf
    
    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun
    
    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote HOST 1194
    
    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server.  Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite
    
    # Most clients don't need to bind to
    # a specific local port number.
    nobind
    
    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody
    
    
    # For MS Windows
    route-method exe
    route-delay 2
    
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    
    # Wireless networks often produce a lot
    # of duplicate packets.  Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings
    
    # SSL/TLS parms.
    # See the server config file for more
    # description.  It's best to use
    # a separate .crt/.key file pair
    # for each client.  A single ca
    # file can be used for all clients.
    ca cacert.pem
    cert clientcert.pem
    key clientkey.pem
    
    # avoid sha1
    auth sha256
    
    # TLS-Auth, makes portscanning and DOS-attacks harder for the bad guys.
    tls-auth ta.key 1
    
    # Decent default
    cipher AES-256-CBC
    
    # Only connect to nodes with a certificate tagged as server.
    ns-cert-type server
    
    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    ;comp-lzo
    
    # Set log file verbosity.
    verb 3
    
    # Silence repeating messages
    mute 20