OpenVPN problem: Can't get "redirect-gateway" to work correctly

riahc3

Senior member
Apr 4, 2014
On my client side, if I include "redirect-gateway", I can access the tunnel but I cannot access internet.
Without it, I can't access the tunnel but I can access internet.
server:

Code:
port 1194
proto udp
dev tun
ca keys/comp-ca/ca.crt
cert keys/comp-ca/comp-svr.crt
key keys/comp-ca/comp-svr.key
dh keys/comp-ca/dh2048.pem
server 10.10.10.1 255.255.255.0
crl-verify keys/comp-ca/crl.pem
ifconfig-pool-persist servers/compSVR/logs/ipp.txt
cipher AES-128-CBC
user root
group root
status servers/compSVR/logs/openvpn-status.log
log-append servers/compSVR/logs/openvpn.log
verb 2
mute 20
max-clients 200
management 127.0.0.1 7505
keepalive 10 120
client-config-dir /etc/openvpn/servers/compSVR/ccd
client-to-client
comp-lzo
persist-key
persist-tun
ccd-exclusive
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.100.0 255.255.255.0"


client:

Code:
client
proto udp
dev tun
ca ca.crt
dh dh2048.pem
cert clientlocal.crt
key clientlocal.key
remote 192.168.100.200 1194
cipher AES-128-CBC
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind

ccd:

Code:
ifconfig-push 10.10.10.177 10.10.10.178
iroute 192.168.100.100 255.255.255.0
iroute 172.16.0.0 255.255.0.0
push "route 192.168.100.0 255.255.255.0"
push "route 172.16.0.0 255.255.0.0"
I want to be able to do both.

IndyColtsFan

Lifer
Sep 22, 2007
I don't use OpenVPN but I think I might understand what is going on. If it is like a standard VPN solution (MS, Sophos, etc), I'm guessing that redirect-gateway means that you're using the default gateway of the VPN solution as your gateway and without it, you're doing split tunneling. For other VPN solutions I've used (MS, Sophos, etc), you would need to add a policy to allow VPN clients access to the internet when you have redirect-gateway enabled. If it doesn't support policies (not familiar with it), you probably need some additional routes.

riahc3

Senior member
Apr 4, 2014
I don't use OpenVPN but I think I might understand what is going on. If it is like a standard VPN solution (MS, Sophos, etc), I'm guessing that redirect-gateway means that you're using the default gateway of the VPN solution as your gateway and without it, you're doing split tunneling. For other VPN solutions I've used (MS, Sophos, etc), you would need to add a policy to allow VPN clients access to the internet when you have redirect-gateway enabled. If it doesn't support policies (not familiar with it), you probably need some additional routes.

Do you know where I could get good VPN help? No one on the OpenVPN forums hardly answers...

riahc3

Senior member
Apr 4, 2014
Posted my own but I'm getting slow replies... let's see how it goes tomorrow.

Bird222

Diamond Member
Jun 7, 2004
I'm not an expert, but it looks like your 'route' commands are incomplete. Also, I don't even see your 'redirect-gateway' command. Change your server and client to 'verb 4' and report your log output. You may have to use the 'log' command in your client config. I know you may get log output without it, but some errors didn't show until I used the log command. Read up on 'route' and 'redirect-gateway' commands (and any others) on http://linux.die.net/man/8/openvpn

CubanlB

Senior member
Oct 24, 2003
Do you have a route pointing to your OVPN network on your inet gateway?

You need a route on your regular router for 10.10.10.0/24 with a next hop of the 192.168.x.x address of the OVPN server. If you don't have this, your router is most likely forwarding traffic for the 10.10.10.0 network out the WAN interface, where it is promptly being dropped.

Red Squirrel

No Lifer
May 24, 2003
I might be confusing this with something else, but try this on the OpenVPN server:

Code:
cat /proc/sys/net/ipv4/ip_forward

Is it 0 or 1? If it's 0, try this:

Code:
echo 1 > /proc/sys/net/ipv4/ip_forward

This basically allows the machine to route traffic, from what I understand. It's needed for OpenVPN to work properly as it's essentially acting as router to the tunnel.

Though I was checking my existing vpn server and I don't have that in my startup script so not sure if it's actually needed anymore... but it is set to 1 on my system if I cat it so maybe it's actually on by default.

Worth checking though so figured I'd mention it. If it does fix the setting, stick the line (2nd one) in /etc/rc.local or other startup script.

And +1 for ensuring there is a route on the router. Another thing: I know with pfSense, it gave me a lot of trouble when trying to access my network from the VPN client. I ended up having to make a separate VLAN for the VPN server for things to work properly. Some kind of security thing where it won't allow traffic to go back through the same interface it came in on, or something like that. A basic router probably won't have this though.

CubanlB

Senior member
Oct 24, 2003
Red, in pfSense you should be able to turn on hairpin routing if needed. Sounds like you got it sorted another way.

Agree that you should make sure you have routing turned on in the OVPN server.

You can usually ping your way to the problem. Start by establishing your tunnel, ping your tunnel IP (looks like 10.10.10.177), ping the remote tunnel IP (looks like 10.10.10.178), then the OVPN network gateway (most likely 10.10.10.1), then an OVPN local subnet IP, then a local resource/local gateway, then the internet. You should find the misconfiguration pretty easily.
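The hop-by-hop ping walk from the post above, together with the ip_forward check Red Squirrel describes, as an added example that is not code from the thread or from OpenVPN. It assumes Linux ping syntax and the tunnel addresses visible in the thread; 192.168.100.1 (LAN gateway) and 1.1.1.1 (an internet host) are constructed placeholders, and the stage labels and explanations are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN. Walks the hop
# list from the client and reports the first address that stops answering,
# then offers the server-side forwarding check. Tunnel addresses are the
# ones seen in the thread; 192.168.100.1 and 1.1.1.1 are constructed placeholders.

# probe HOST: one ICMP echo, 1 second timeout (Linux ping syntax)
probe() {
    ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# first_failing_hop label=addr ...: prints the first label whose address
# does not answer, or "ok" when every hop replied. Always exits 0 so it
# is safe inside $(...) under set -e.
first_failing_hop() {
    for pair in "$@"; do
        if ! probe "${pair#*=}"; then
            echo "${pair%%=*}"
            return 0
        fi
    done
    echo ok
}

# explain LABEL: what the thread says a failure at that stage points to
explain() {
    case "$1" in
        local_tun)   echo "tun interface not up; re-read the client log at verb 4" ;;
        remote_tun)  echo "tunnel carries no traffic; check server log and ccd" ;;
        vpn_gateway) echo "server end of the tunnel not answering; check server log" ;;
        lan_gateway) echo "server not forwarding (ip_forward) or router lacks a route to 10.10.10.0/24" ;;
        internet)    echo "as lan_gateway; with redirect-gateway all client traffic takes this path" ;;
        *)           echo "unknown stage" ;;
    esac
}

# forwarding_enabled [PATH]: run on the server; true when the kernel forwards
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

main() {
    hop=$(first_failing_hop local_tun=10.10.10.177 remote_tun=10.10.10.178 \
        vpn_gateway=10.10.10.1 lan_gateway=192.168.100.1 internet=1.1.1.1)
    if [ "$hop" = ok ]; then echo "every hop answered"; else
        echo "first failure at $hop: $(explain "$hop")"; fi
}
case "${1:-}" in run) main ;; esac
```

Run it from the client as `sh walk.sh run` once the tunnel is up; copy just `forwarding_enabled` to the server to check the flag there.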