# Openvpn and redirect-gateway

## brra

I want to get all my traffic to go through the VPN tunnel I have.

Like this:

my computer > internet > vpn server > internet

If you wonder why this way: it is because I am behind a firewall that I don't have access to.

The WAN port on the server is DHCP (eth0).

The issue I have is that I can't ping anything. I can't resolve any DNS. I wonder what's wrong with my config?

Do I need to add something in the system so that it knows how to route?

Server: openvpn.conf

```
# Virtual interface
dev tap0

# Network settings
port 22
proto tcp-server

# Security
tls-server
ca /etc/ssl/keys/ca.crt
cert /etc/ssl/keys/server.crt
# This file should be kept secret
key /etc/ssl/keys/server.key
dh /etc/ssl/keys/dh1024.pem

# Other
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 8
mute 20

server-bridge 192.168.34.1 255.255.255.0 192.168.34.21 192.168.34.25
push "route 192.168.34.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 192.168.34.55"

log         /var/log/openvpn.log
log-append  /var/log/openvpn.log
```

Client conf:

```
tls-client
dev tap
proto tcp-client
resolv-retry infinite
nobind
persist-key
persist-tun
remote ip
port 22
ca ca.crt
cert client1.crt
key client1.key
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull
float
ping 10
ping-restart 60
verb 5
```

----------

## Deem3n

On the server, enable IP forwarding:

```
echo "1" > /proc/sys/net/ipv4/ip_forward
```

and

```
iptables -t nat -A POSTROUTING -s 192.168.34.0/24 -o your_internet_interface -j MASQUERADE
```

Also, you might look at this tutorial.

----------

## Dagger

Why are you using bridge mode? It's good if you want to bridge two subnets. In your case I would use tunnel mode.

----------

## truc

*Dagger wrote:*

> Why are you using bridge mode? It's good if you want to bridge two subnets. In your case I would use tunnel mode.

Same question!

If all you want to do is go on the WWW, and if you can SSH to the server, then you might want to use SSH instead of OpenVPN:

```
ssh -D 9999 user@server
```

and then configure your browser to use a SOCKS proxy on localhost, port 9999.

If you can't even resolve names on your LAN, then choose SOCKSv5.

(If you're using Firefox, set network.proxy.socks_remote_dns to true in about:config.)

----------

## brra

The issue is that it's not only WWW traffic I want routed, it's all traffic.

Deem3n's idea was a bit hard to do because there is no firewall on this server, so I can't run iptables.

```
cat /proc/sys/net/ipv4/ip_forward
1
```

So I went with Dagger's idea.

I stole a config, and it works great. But push "redirect-gateway" doesn't work.

Can't ping, can't resolve. Anything I am missing?

server.conf

```
# Network settings
port 22
#proto tcp-server
proto udp
local 87.96.*.* # IP where your openvpn server will listen on. check for you IP
dev tun # we want to use tunnel mode
tls-server
ca /etc/ssl/keys/ca.crt
cert /etc/ssl/keys/server.crt
# This file should be kept secret
key /etc/ssl/keys/server.key
dh /etc/ssl/keys/dh1024.pem

# Other
status /var/log/openvpn-status.log
log         /var/log/openvpn.log
log-append  /var/log/openvpn.log
push "redirect-gateway"
ifconfig-pool-persist ipp.txt #clients will always have the same IP - very useful for setting up custom firewall rules customized for each cl$
server 192.168.1.0 255.255.255.0 # your VPN subnet
client-to-client # clients wants to see each other
push "route 192.168.5.0 255.255.255.0" # push routes to your IP's on server's network
push "route 192.168.6.0 255.255.255.0" # another random subnet begind your server
#push "dhcp-option DNS 192.168.1.1" # personally I've never seen it working
keepalive 10 120 # really useful
;tls-auth ta.key 0 # _optional_ additional security
cipher AES-256-CBC # if you are paranoid as I am you want 256bit encryption
comp-lzo # compression is always welcome
persist-key
persist-tun
status openvpn-status.log 2 # good to log connections, so you always know whos connected
verb 3
link-mtu 1456
mssfix 1412
fragment 1400 # additional mtu fixes to work fine with some random programs. Rsync over ssh didnt want to work for me over vpn without it.
mssfix
```

client.conf

```
client
dev tun
proto udp
remote *.*.*.* 22 # IP of your server
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
keepalive 10 60
ns-cert-type server
;tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
#link-mtu 1456
#mssfix 1412
fragment 1400
mssfix
explicit-exit-notify 3 # we want to inform server when you close your VPN
```

----------

## Dagger

OK, first of all go to your client and check your gateway. We need to see where the problem lies.

In Windows you can go to the command prompt and type

```
route print
```

If your client is Linux, then use

```
route -n
```

Print the results.

PS

lol, that config looks familiar :p

----------

## brra

I am behind a router (at home, router IP 192.168.1.1).

Now I can't resolve anything or ping any IPs.

```
===========================================================================
Gränssnittslista
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 f2 69 c2 03 ...... NVIDIA nForce Networking Controller - Deterministic Network Enhancer Miniport
0x10004 ...00 10 60 d1 18 cb ...... Bluetooth-enhet (Personal Area Network) #3
0x20005 ...00 ff 9f 3f e3 be ...... TAP-Win32 Adapter V8 - Deterministic Network Enhancer Miniport
0x20006 ...00 ff 80 44 14 ae ...... TAP-Win32 Adapter V8 #2 - Deterministic Network Enhancer Miniport
===========================================================================
===========================================================================
Aktiva vägar:
   Nätverksadress          Nätmask   Gateway-adress      Gränssnitt    Mått
          0.0.0.0          0.0.0.0      192.168.1.5     192.168.1.6       1
        87.96.*.*  255.255.255.255      192.168.1.1   192.168.1.101       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.101   192.168.1.101      20
      192.168.1.0    255.255.255.0      192.168.1.5     192.168.1.6       1
      192.168.1.4  255.255.255.252      192.168.1.6     192.168.1.6      30
      192.168.1.6  255.255.255.255        127.0.0.1       127.0.0.1      30
    192.168.1.101  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255      192.168.1.6     192.168.1.6      30
    192.168.1.255  255.255.255.255    192.168.1.101   192.168.1.101      20
      192.168.5.0    255.255.255.0      192.168.1.5     192.168.1.6       1
      192.168.6.0    255.255.255.0      192.168.1.5     192.168.1.6       1
        224.0.0.0        240.0.0.0      192.168.1.6     192.168.1.6      30
        224.0.0.0        240.0.0.0    192.168.1.101   192.168.1.101      20
  255.255.255.255  255.255.255.255      192.168.1.6     192.168.1.6       1
  255.255.255.255  255.255.255.255    192.168.1.101   192.168.1.101       1
  255.255.255.255  255.255.255.255    192.168.1.101           20006       1
  255.255.255.255  255.255.255.255    192.168.1.101           10004       1
Standard-gateway:       192.168.1.5
===========================================================================
Beständiga vägar:
```

----------

## Dagger

OK, seems like the default gateway IS a VPN gateway.

Now you need to do the following.

On the client machine, print the output of:

```
tracert www.google.com
```

On the server machine you need to run iptraf and check if you can see incoming packets.

If you can, that means the problem lies with the server's packet forwarding.

----------

## brra

I can't run tracert because it says it can't resolve the IP.

I have no issues pinging the server, as you see.

So there is something wrong with the config or the server box.

But what? And how do I fix it?

Client:

```
Ethernet-kort my-tap:

        Anslutningsspecifika DNS-suffix . :
        Beskrivning . . . . . . . . . . . : TAP-Win32 Adapter V8
        Fysisk adress . . . . . . . . . . : 00-FF-9F-3F-E3-BE
        DHCP aktiverat  . . . . . . . . . : Ja
        Autokonfiguration aktiverat . . . : Ja
        IP-adress . . . . . . . . . . . . : 192.168.1.6
        Nätmask . . . . . . . . . . . . . : 255.255.255.252
        Standard-gateway  . . . . . . . . : 192.168.1.5
        DHCP-server . . . . . . . . . . . : 192.168.1.5
        DNS-servrar . . . . . . . . . . . :
        Lånet erhölls . . . . . . . . . . : den 5 oktober 2007 17:36:49
        Lånet upphör  . . . . . . . . . . : den 4 oktober 2008 17:36:49
```

```
Svar från 192.168.1.1: byte=32 tid=25ms TTL=64
Svar från 192.168.1.1: byte=32 tid=126ms TTL=64
Svar från 192.168.1.1: byte=32 tid=25ms TTL=64
Svar från 192.168.1.1: byte=32 tid=14ms TTL=64
```

Server:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.20.12   0.0.0.0         255.255.255.255 UH    0      0        0 tun4
192.168.20.14   0.0.0.0         255.255.255.255 UH    0      0        0 tun5
192.168.1.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun11
192.168.20.24   0.0.0.0         255.255.255.255 UH    0      0        0 tun10
192.168.20.8    0.0.0.0         255.255.255.255 UH    0      0        0 tun2
192.168.20.10   0.0.0.0         255.255.255.255 UH    0      0        0 tun3
192.168.20.20   0.0.0.0         255.255.255.255 UH    0      0        0 tun8
192.168.20.22   0.0.0.0         255.255.255.255 UH    0      0        0 tun9
192.168.20.6    0.0.0.0         255.255.255.255 UH    0      0        0 tun1
192.168.10.1    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.20.16   0.0.0.0         255.255.255.255 UH    0      0        0 tun6
192.168.20.18   0.0.0.0         255.255.255.255 UH    0      0        0 tun7
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     192.168.1.2     255.255.255.0   UG    0      0        0 tun11
87.*.*.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         87.*.*.1        0.0.0.0         UG    0      0        0 eth0
```

```
tun11     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.1  P-t-P:192.168.1.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
          RX packets:40 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4713 (4.6 KiB)  TX bytes:3727 (3.6 KiB)
```

----------

## Dagger

OK. Try

```
tracert 64.233.183.103
```

which is www.google.com's IP.

It might happen that your DNS is not configured to listen on the VPN IP, that's why names can not be resolved. Can you please post the result of tracert as well as /etc/dhcp/dhcpd.conf and /etc/resolv.conf, and if you have a DNS server, /etc/bind/named.conf.

----------

## brra

I don't use any DNS server, is that needed for this?

I am grateful for the help.

```
tracert 64.233.183.103

Spårar route till 64.233.183.103 över ett maximalt antal av 30 hopp

  1    15 ms    15 ms    14 ms  192.168.1.1
  2     *        *        *     Begäran gjorde timeout.
  3     *        *        *     Begäran gjorde timeout.
  4     *        *        *     Begäran gjorde timeout.
```

/etc/dhcp3/dhclient.conf (this is the default and this is what I use)

```
# Configuration file for /sbin/dhclient, which is included in Debian's
#       dhcp3-client package.
#
# This is a sample configuration file for dhclient. See dhclient.conf's
#       man page for more information about the syntax of this file
#       and a more comprehensive list of the parameters understood by
#       dhclient.
#
# Normally, if the DHCP server provides reasonable information and does
#       not leave anything out (like the domain name, for example), then
#       few changes must be made to this file, if any.
#

#send host-name "andare.fugue.com";
#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
#send dhcp-lease-time 3600;
#supersede domain-name "fugue.com home.vix.com";
#prepend domain-name-servers 127.0.0.1;
request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, host-name,
        netbios-name-servers, netbios-scope, interface-mtu;
#require subnet-mask, domain-name-servers;
#timeout 60;
#retry 60;
#reboot 10;
#select-timeout 5;
#initial-interval 2;
#script "/etc/dhcp3/dhclient-script";
#media "-link0 -link1 -link2", "link0 link1";
#reject 192.33.137.209;

#alias {
#  interface "eth0";
#  fixed-address 192.5.5.213;
#  option subnet-mask 255.255.255.255;
#}

#lease {
#  interface "eth0";
#  fixed-address 192.33.137.200;
#  medium "link0 link1";
#  option host-name "andare.swiftmedia.com";
#  option subnet-mask 255.255.255.0;
#  option broadcast-address 192.33.137.255;
#  option routers 192.33.137.250;
#  option domain-name-servers 127.0.0.1;
#  renew 2 2000/1/12 00:00:01;
#  rebind 2 2000/1/12 00:00:01;
#  expire 2 2000/1/12 00:00:01;
#}
```

/etc/resolv.conf

```
nameserver 87.96.*.52
nameserver 87.96.*.67
```

----------

## Dagger

OK, we can see that packets are not forwarded on the VPN server. We can see that the default gateway is working fine, though.

Also, if you don't have a DNS server, the VPN _should_ use your default DNS (if you specified the option to push DNS). It's always a good solution to install a small DNS server (even for caching purposes).

Can you please check

```
cat /proc/sys/net/ipv4/ip_forward
```

If it's 0, then use

```
echo "1" > /proc/sys/net/ipv4/ip_forward
```

You will also need some iptables rules, so it will "remap" source and destination IP addresses.

You can use the simple rules Deem3n suggested, which will do the trick (ONLY if your INPUT/FORWARD/OUTPUT policy is set up to ACCEPT everything).

If you can print the output of

```
iptables -L -n
```

we can take a look at what policy you have, and how to make it work.

PS

Sorry I didn't reply earlier, but I had no access to my PC (thank god for such weekends :Razz:)

----------

## brra

OK!

/proc/sys/net/ipv4/ip_forward is 1.

I don't have a firewall installed on this computer, there is no need for it.

I will install a DNS server on the computer ASAP and test if that will help.

No problem. I am just glad that you are helping me. :Very Happy:

----------

## brra

I have installed a DNS server on the server and still no connection to the outside. I can only ping the computer's IP (external and VPN IP).

Is there anything else I can try?

----------

