
Tomato OpenVPN - Route back to internet

Discussion in 'Tomato Firmware' started by risq, Apr 20, 2009.

  1. risq

    risq Addicted to LI Member

    Hej,

    I successfully use the newest Tomato OpenVPN firmware. From various sites I can connect to my local servers behind the router on the 192.168.2.x subnet via the TAP method.

    What I can't do is get back to the internet, so whenever I VPN from the internet to my Tomato router I'm stuck in the LAN.

    Is there a way to do this (without something like a Squid server in my environment)? Where do I have to set some "reroute" information? I'll use port 443 for the OpenVPN server on the Tomato.

    Sorry, I'm a Tomato+VPN newbie...

    risq
     
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    You shouldn't need to have any extra configuration to accomplish what you're wanting. Could you post the routing table ("route -n" on router or linux client, "route print" on windows) on the VPN client and server when they are connected?
     
  3. risq

    risq Addicted to LI Member

    Router Tomato with Openvpn:

    # route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    217.0.116.18x 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
    192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
    0.0.0.0 217.0.116.180 0.0.0.0 UG 0 0 0 ppp0
    # ping www.google.de
    PING www.google.de (209.85.135.103): 56 data bytes
    64 bytes from 209.85.135.103: seq=0 ttl=248 time=54.085 ms


    Win Client with Openvpn:

    C:\>route PRINT
    ===========================================================================
    Schnittstellenliste
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 ff e2 c0 7a a5 ...... TAP-Win32 Adapter V9
    0x10004 ...00 19 bb 4b 8a a8 ...... Broadcom NetXtreme Gigabit Ethernet
    ===========================================================================
    ===========================================================================
    Aktive Routen:
    Netzwerkziel Netzwerkmaske Gateway Schnittstelle Anzahl
    0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.130 30
    0.0.0.0 0.0.0.0 192.168.102.1 192.168.102.203 20
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    192.168.2.0 255.255.255.0 192.168.2.130 192.168.2.130 30
    192.168.2.130 255.255.255.255 127.0.0.1 127.0.0.1 30
    192.168.2.255 255.255.255.255 192.168.2.130 192.168.2.130 30
    192.168.102.0 255.255.255.0 192.168.102.203 192.168.102.203 20
    192.168.102.203 255.255.255.255 127.0.0.1 127.0.0.1 20
    192.168.102.255 255.255.255.255 192.168.102.203 192.168.102.203 20
    224.0.0.0 240.0.0.0 192.168.2.130 192.168.2.130 30
    224.0.0.0 240.0.0.0 192.168.102.203 192.168.102.203 20
    255.255.255.255 255.255.255.255 192.168.2.130 192.168.2.130 1
    255.255.255.255 255.255.255.255 192.168.102.203 192.168.102.203 1
    Standardgateway: 192.168.102.1
    ===========================================================================
    Ständige Routen:
    Keine
     
  4. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I assume you are using a "redirect-gateway" directive on the client (or pushed from the server). Do you want the internet traffic to go over the tunnel? If so, try adding "def1" to the end of the redirect-gateway directive. If not, remove it altogether.
     
  5. risq

    risq Addicted to LI Member

    I don't use "redirect-gateway", maybe that is my fault. Where do I put it in the OpenVPN Tomato GUI and what is the exact syntax so that I can push it to the client? I also wonder if DNS will work automatically or is there another directive for this?
     
  6. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I only assumed it because that is what your routes seemed to indicate, not because you "should" be using it.

    Could you provide your client OpenVPN config file, and the output of
    Code:
    cat /etc/openvpn/server1/config.ovpn
    on the router (the server will need to be running)?
     
  7. risq

    risq Addicted to LI Member

    OpenVPN Server Config on the Tomato Router:


    # cat /etc/openvpn/server1/config.ovpn
    # Automatically generated configuration
    daemon
    server-bridge
    proto tcp-server
    port 443
    dev tap21
    comp-lzo yes
    keepalive 15 60
    verb 3
    ca ca.crt
    dh dh.pem
    cert server.crt
    key server.key
    status-version 2
    status status

    # Custom Configuration




    OpenVPN Client Config:

    ##############################################
    # Sample client-side OpenVPN 2.0 config file #
    # for connecting to multi-client server. #
    # #
    # This configuration can be used by multiple #
    # clients, however each client should have #
    # its own cert and key files. #
    # #
    # On Windows, you might want to rename this #
    # file so it has a .ovpn extension #
    ##############################################

    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client

    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    dev tap
    ;dev tun

    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one. On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap

    # Are we connecting to a TCP or
    # UDP server? Use the same setting as
    # on the server.
    proto tcp
    ;proto udp

    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote xxx.homeip.net 443
    ;remote my-server-2 1194

    # Choose a random host from the remote
    # list for load-balancing. Otherwise
    # try hosts in the order specified.
    ;remote-random

    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server. Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite

    # Most clients don't need to bind to
    # a specific local port number.
    nobind

    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody

    # Try to preserve some state across restarts.
    persist-key
    persist-tun

    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here. See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]
    http-proxy proxy 8080

    # Wireless networks often produce a lot
    # of duplicate packets. Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings

    # SSL/TLS parms.
    # See the server config file for more
    # description. It's best to use
    # a separate .crt/.key file pair
    # for each client. A single ca
    # file can be used for all clients.
    ca ca.crt
    cert client1.crt
    key client1.key

    # Verify server certificate by checking
    # that the certicate has the nsCertType
    # field set to "server". This is an
    # important precaution to protect against
    # a potential attack discussed here:
    # http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to "server". The build-key-server
    # script in the easy-rsa folder will do this.
    ;ns-cert-type server

    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1

    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher x

    # Enable compression on the VPN link.
    # Don't enable this unless it is also
    # enabled in the server config file.
    comp-lzo

    # Set log file verbosity.
    verb 3

    # Silence repeating messages
    ;mute 20
     
  8. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    First, I'm assuming that "xxx.homeip.net" and "proxy" have been replaced with real values. If this isn't correct, that needs to be addressed.

    The only problem I see with that client config is that "proto tcp" should be "proto tcp-client". The fact that your client didn't complain makes me suspicious. What version of OpenVPN client are you running? If you're not already, try running 2.1rc15 (the latest).
     
  9. risq

    risq Addicted to LI Member

    Of course, "proxy" is the real name of the Squid proxy server and xxx.homeip.net is a replacement for my DynDNS server name. I only use the proxy if I have to at a specific location, but it works, so there's no real problem with it. As I said, it works perfectly to access my LAN from the internet. But I can't route back to the internet with the VPN tunnel.

    I am using 2.1rc15 and my config is totally based on the default config from the OpenVPN HOWTO: http://openvpn.net/index.php/documentation/howto.html#client
    As you see there, "proto tcp" defines connecting via TCP.

    So... any other guess why it doesn't work?!?
     
  10. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    As you can see from here the only valid values for proto are udp, tcp-server, and tcp-client. Though, since you're able to connect, I doubt that's the problem.

    For some reason, your client is establishing a second default route. Could you provide the client logs and the router syslog from the time of the connection?
     
  11. risq

    risq Addicted to LI Member

    Client Log:


    Wed Apr 22 09:16:47 2009 OpenVPN 2.1_rc15 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 19 2008
    Wed Apr 22 09:16:47 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Wed Apr 22 09:16:47 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Wed Apr 22 09:16:47 2009 LZO compression initialized
    Wed Apr 22 09:16:47 2009 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Wed Apr 22 09:16:47 2009 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
    Wed Apr 22 09:16:47 2009 Local Options hash (VER=V4): '31fdf004'
    Wed Apr 22 09:16:47 2009 Expected Remote Options hash (VER=V4): '3e6d1056'
    Wed Apr 22 09:16:47 2009 Attempting to establish TCP connection with 192.168.205.50:8080
    Wed Apr 22 09:16:47 2009 TCP connection established with 192.168.205.50:8080
    Wed Apr 22 09:16:47 2009 Send to HTTP proxy: 'CONNECT xxx.homeip.net:443 HTTP/1.0'
    Wed Apr 22 09:16:49 2009 HTTP proxy returned: 'HTTP/1.1 200 Connection Established'
    Wed Apr 22 09:16:51 2009 Socket Buffers: R=[8192->8192] S=[64512->64512]
    Wed Apr 22 09:16:51 2009 TCPv4_CLIENT link local: [undef]
    Wed Apr 22 09:16:51 2009 TCPv4_CLIENT link remote: 192.168.205.50:8080
    Wed Apr 22 09:16:51 2009 TLS: Initial packet from 192.168.205.50:8080, sid=02c85bf4 ddf7469e
    Wed Apr 22 09:16:56 2009 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=OpenVPN/CN=dl/emailAddress=mail@host.domain
    Wed Apr 22 09:16:56 2009 VERIFY OK: depth=0, /C=US/ST=CA/O=OpenVPN/CN=dl/emailAddress=mail@host.domain
    Wed Apr 22 09:17:04 2009 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Apr 22 09:17:04 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 22 09:17:04 2009 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Wed Apr 22 09:17:04 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Apr 22 09:17:04 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Wed Apr 22 09:17:04 2009 [dl] Peer Connection Initiated with 192.168.205.50:8080
    Wed Apr 22 09:17:05 2009 SENT CONTROL [dl]: 'PUSH_REQUEST' (status=1)
    Wed Apr 22 09:17:06 2009 PUSH: Received control message: 'PUSH_REPLY,route-gateway dhcp,ping 15,ping-restart 60'
    Wed Apr 22 09:17:06 2009 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Apr 22 09:17:06 2009 OPTIONS IMPORT: route-related options modified
    Wed Apr 22 09:17:06 2009 TAP-WIN32 device [LAN-Verbindung 2] opened: \\.\Global\{E2C07AA5-6CFA-4988-BB17-3E3416899422}.tap
    Wed Apr 22 09:17:06 2009 TAP-Win32 Driver Version 9.4
    Wed Apr 22 09:17:06 2009 TAP-Win32 MTU=1500
    Wed Apr 22 09:17:06 2009 Successful ARP Flush on interface [2] {E2C07AA5-6CFA-4988-BB17-3E3416899422}
    Wed Apr 22 09:17:11 2009 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
    Wed Apr 22 09:17:11 2009 Initialization Sequence Completed


    Server Log:

    Apr 22 09:16:48 t1 daemon.notice openvpn[4020]: MULTI: multi_create_instance called
    Apr 22 09:16:48 t1 daemon.notice openvpn[4020]: Re-using SSL/TLS context
    Apr 22 09:16:48 t1 daemon.notice openvpn[4020]: LZO compression initialized
    Apr 22 09:16:48 t1 daemon.notice openvpn[4020]: Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Apr 22 09:16:48 t1 daemon.notice openvpn[4020]: Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
    Apr 22 09:16:48 t1 daemon.notice openvpn[4020]: TCP connection established with 213.xxx.xxx.xxx:49298
    Apr 22 09:16:48 t1 daemon.notice openvpn[4020]: Socket Buffers: R=[65534->65534] S=[65534->65534]
    Apr 22 09:16:48 t1 daemon.notice openvpn[4020]: TCPv4_SERVER link local: [undef]
    Apr 22 09:16:48 t1 daemon.notice openvpn[4020]: TCPv4_SERVER link remote: 213.xxx.xxx.xxx:49298
    Apr 22 09:16:50 t1 daemon.notice openvpn[4020]: 213.xxx.xxx.xxx:49298 TLS: Initial packet from 213.xxx.xxx.xxx:49298, sid=a6304c22 31f6a127
    Apr 22 09:17:00 t1 daemon.notice openvpn[4020]: 213.xxx.xxx.xxx:49298 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=OpenVPN/CN=dl/Email=mail@host.domain
    Apr 22 09:17:00 t1 daemon.notice openvpn[4020]: 213.xxx.xxx.xxx:49298 VERIFY OK: depth=0, /C=US/ST=CA/O=OpenVPN/CN=dl1/Email=mail@host.domain
    Apr 22 09:17:03 t1 daemon.notice openvpn[4020]: 213.xxx.xxx.xxx:49298 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 22 09:17:03 t1 daemon.notice openvpn[4020]: 213.xxx.xxx.xxx:49298 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 22 09:17:03 t1 daemon.notice openvpn[4020]: 213.xxx.xxx.xxx:49298 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Apr 22 09:17:03 t1 daemon.notice openvpn[4020]: 213.xxx.xxx.xxx:49298 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 22 09:17:04 t1 daemon.notice openvpn[4020]: 213.xxx.xxx.xxx:49298 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA
    Apr 22 09:17:04 t1 daemon.notice openvpn[4020]: 213.xxx.xxx.xxx:49298 [dl1] Peer Connection Initiated with 213.xxx.xxx.xxx:49298
    Apr 22 09:17:04 t1 daemon.err openvpn[4020]: dl1/213.xxx.xxx.xxx:49298 MULTI: no dynamic or static remote --ifconfig address is available for dl1/213.xxx.xxx.xxx:49298
    Apr 22 09:17:05 t1 daemon.notice openvpn[4020]: dl1/213.xxx.xxx.xxx:49298 PUSH: Received control message: 'PUSH_REQUEST'
    Apr 22 09:17:05 t1 daemon.notice openvpn[4020]: dl1/213.xxx.xxx.xxx:49298 SENT CONTROL [dl1]: 'PUSH_REPLY,route-gateway dhcp,ping 15,ping-restart 60' (status=1)
    Apr 22 09:17:06 t1 daemon.notice openvpn[4020]: dl1/213.xxx.xxx.xxx:49298 MULTI: Learn: 00:ff:e2:c0:7a:a5 -> dl1/213.xxx.xxx.xxx:49298
    Apr 22 09:17:08 t1 daemon.info dnsmasq[4026]: DHCPREQUEST(br0) 192.168.2.130 00:ff:e2:c0:7a:a5
    Apr 22 09:17:08 t1 daemon.info dnsmasq[4026]: DHCPACK(br0) 192.168.2.130 00:ff:e2:c0:7a:a5 pc2931
    Apr 22 09:17:08 t1 daemon.warn dnsmasq[4026]: Ignoring domain xxx.xxx..de for DHCP host name pc2931
    Apr 22 09:17:11 t1 daemon.info dnsmasq[4026]: DHCPINFORM(br0) 192.168.2.130 00:ff:e2:c0:7a:a5
    Apr 22 09:17:11 t1 daemon.info dnsmasq[4026]: DHCPACK(br0) 192.168.2.130 00:ff:e2:c0:7a:a5
    Apr 22 09:17:22 t1 daemon.info dnsmasq[4026]: DHCPINFORM(br0) 192.168.2.130 00:ff:e2:c0:7a:a5
    Apr 22 09:17:22 t1 daemon.info dnsmasq[4026]: DHCPACK(br0) 192.168.2.130 00:ff:e2:c0:7a:a5
    Apr 22 09:17:22 t1 daemon.info dnsmasq[4026]: DHCPINFORM(br0) 192.168.2.130 00:ff:e2:c0:7a:a5
    Apr 22 09:17:22 t1 daemon.info dnsmasq[4026]: DHCPACK(br0) 192.168.2.130 00:ff:e2:c0:7a:a5
    Apr 22 09:17:23 t1 daemon.info dnsmasq[4026]: DHCPINFORM(br0) 192.168.2.130 00:ff:e2:c0:7a:a5
    Apr 22 09:17:23 t1 daemon.info dnsmasq[4026]: DHCPACK(br0) 192.168.2.130 00:ff:e2:c0:7a:a5
     
  12. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    The "0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.130 30" line in your route still has me a bit baffled, but let's narrow down what part of your internet routing isn't working. Can you run the following on the client (with the tunnel connected, of course)?
    Code:
    nslookup google.com
    ping 74.125.67.100
    ping google.com
    tracert google.com
    tracert 74.125.67.100
    
     
  13. Delta221

    Delta221 Addicted to LI Member

    I don't know why it won't work for you either... Though I got a similar configuration to work in TUN. You can access the internet, and all computers on your home VPN subnet. You can find the HOWTO here:

    http://www.linksysinfo.org/forums/showthread.php?t=61253

    The only problem with that configuration is that DNS queries are sent through the DNS server of the LAN you are connected to (if it matters at all to you), not the DNS server on your VPN server. The reason is that any DNS query sent to the VPN server gets no reply, and I don't know why yet. Try that configuration out and let me know how it goes.

    I don't have any http-proxy set up, so add it in.
     
  14. risq

    risq Addicted to LI Member

    OK, sorry for the German Windows.. here are the results:

    C:\>nslookup google.com
    Server: t1
    Address: 192.168.2.1 -> that's the router

    Nicht autorisierte Antwort:
    Name: google.com
    Addresses: 209.85.171.100, 74.125.45.100, 74.125.67.100



    C:\>ping 74.125.67.100

    Ping wird ausgeführt für 74.125.67.100 mit 32 Bytes Daten:

    Zeitüberschreitung der Anforderung.

    Ping-Statistik für 74.125.67.100:
    Pakete: Gesendet = 1, Empfangen = 0, Verloren = 1 (100% Verlust),
    STRG-C

    -> could not ping

    C:\>ping google.com

    Ping google.com [209.85.171.100] mit 32 Bytes Daten:

    Zeitüberschreitung der Anforderung.

    Ping-Statistik für 209.85.171.100:
    Pakete: Gesendet = 1, Empfangen = 0, Verloren = 1 (100% Verlust),
    STRG-C


    -> could not ping

    C:\>tracert google.com

    Routenverfolgung zu google.com [209.85.171.100] über maximal 30 Abschnitte:

    1 <1 ms <1 ms <1 ms 192.168.102.2
    2 <1 ms <1 ms <1 ms 192.168.200.17
    3 <1 ms <1 ms <1 ms r-rz-5.xxx.de [192.168.0.9]
    4 * * * Zeitüberschreitung der Anforderung.
    5 ^C

    -> all these hosts are on the client side... not in my home network

    C:\>tracert 74.125.67.100

    Routenverfolgung zu gw-in-f100.google.com [74.125.67.100] über maximal 30 Abschnitte:

    1 <1 ms <1 ms <1 ms 192.168.102.2
    2 <1 ms <1 ms <1 ms 192.168.200.17
    3 <1 ms <1 ms <1 ms r-rz-5.xxx.de [192.168.0.9]
    4 * * * Zeitüberschreitung der Anforderung.
    5 ^C

    -> all these hosts are on the client side... not in my home network


    You mentioned the redirect-gateway directive earlier.. won't that help? In which scenario is that used? Looks like DNS works over the VPN server, but no other traffic..
     
  15. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    Very, very strange. We have done nothing that should make DNS traffic go over the tunnel (but somehow it is). Also, internet traffic is trying to traverse the normal (non-VPN) route to the internet (as it should) but somehow fails part way through. It seems that once it is set on the right path there should be nothing we can do to help or hinder it.

    The only thing I can think of that would make sense of everything is that your normal path to the internet passes through a 192.168.2.0/24 subnet (I notice in your traceroute that it already passes through a couple of different subnets). Try changing the subnet of your home LAN to something very different (172.16.12.0/24, for instance). The more I think about it, the more this makes sense - it would explain all your problems.
    redirect-gateway is used when you want internet-bound traffic to go over the tunnel. I was under the impression that you wanted internet traffic to stay on the normal path, and only LAN traffic to cross the tunnel. If you want internet-bound traffic to cross the tunnel, add
    Code:
    push "redirect-gateway def1"
    to the Custom Config on the server. However, make sure to solve the above problem first. If my hypothesis is correct, adding the redirect-gateway may get your internet working, but routing will still be messed up and you may see other problems.
     
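The diagnosis in the post above rests on two routing facts: the client ends up with two default routes and resolves destinations by longest prefix (lowest metric on a tie), and a 192.168.2.0/24 network that also exists on the client's normal path to the internet collides with the same prefix learned through the TAP adapter. The following is an added example, not code from the thread or from Tomato/OpenVPN: it parses a constructed copy of the "route print" rows posted earlier, flags the duplicate default routes, resolves a destination the way the kernel would, shows which routes the "redirect-gateway def1" flag installs (0.0.0.0/1 and 128.0.0.0/1 on top of the untouched 0.0.0.0/0), and checks a VPN-side LAN prefix against the networks seen on the client side. The client-side network list is an assumption built from the traceroute hops in the thread plus a hypothetical 192.168.2.0/24 transit network standing in for the overlap SgtPepperKSU suspected.

```python
"""Added example (not from the thread): model the client's routing decisions."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    gateway: str
    iface: str
    metric: int


# Constructed sample shaped like the "route print" output posted in the thread
# (columns: destination, netmask, gateway, interface, metric). Header and
# separator lines of any locale are ignored by the parser.
ROUTE_PRINT = """\
Aktive Routen:
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Anzahl
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.130 30
0.0.0.0 0.0.0.0 192.168.102.1 192.168.102.203 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.2.0 255.255.255.0 192.168.2.130 192.168.2.130 30
192.168.102.0 255.255.255.0 192.168.102.203 192.168.102.203 20
224.0.0.0 240.0.0.0 192.168.2.130 192.168.2.130 30
255.255.255.255 255.255.255.255 192.168.102.203 192.168.102.203 1
Standardgateway: 192.168.102.1
"""

# Assumption: /24 networks for the traceroute hops seen in the thread, plus a
# hypothetical 192.168.2.0/24 transit network (the suspected overlap).
CLIENT_SIDE_NETS = ["192.168.102.0/24", "192.168.200.0/24",
                    "192.168.0.0/24", "192.168.2.0/24"]


def parse_route_print(text: str) -> List[Route]:
    """Keep only rows with five fields that parse as dest/mask/gw/if/metric."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)
            routes.append(Route(net, parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue  # non-numeric header or summary row
    return routes


def default_routes(routes: List[Route]) -> List[Route]:
    """More than one entry here is the symptom discussed in the thread."""
    return [r for r in routes if r.net.prefixlen == 0]


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.net]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.net.prefixlen, -r.metric))


def with_redirect_gateway_def1(routes: List[Route], vpn_gateway: str,
                               vpn_iface: str, metric: int = 30) -> List[Route]:
    """Return a copy with the two half-space routes that OpenVPN's def1 flag
    installs. They cover the whole address space with a longer prefix than
    0.0.0.0/0, so they win every lookup without deleting the original default."""
    added = [Route(ipaddress.IPv4Network(n), vpn_gateway, vpn_iface, metric)
             for n in ("0.0.0.0/1", "128.0.0.0/1")]
    return list(routes) + added


def overlapping_networks(vpn_lan: str, client_side_nets: List[str]) -> List[ipaddress.IPv4Network]:
    """Networks on the client's side that collide with the VPN-side LAN prefix."""
    lan = ipaddress.IPv4Network(vpn_lan)
    return [n for n in map(ipaddress.IPv4Network, client_side_nets) if lan.overlaps(n)]


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    print("default routes:", default_routes(table))
    print("74.125.67.100 via", lookup(table, "74.125.67.100"))
    redirected = with_redirect_gateway_def1(table, "192.168.2.1", "192.168.2.130")
    print("with def1, 74.125.67.100 via", lookup(redirected, "74.125.67.100"))
    print("overlap with 192.168.2.0/24:", overlapping_networks("192.168.2.0/24", CLIENT_SIDE_NETS))
    print("overlap with 10.10.1.0/24:", overlapping_networks("10.10.1.0/24", CLIENT_SIDE_NETS))
```

Run stand-alone it shows that, without def1, internet-bound traffic leaves through 192.168.102.1 (the lower-metric default, matching the traceroute in the thread), that def1 flips the same lookup to the VPN gateway while the original default route remains, and that renumbering the home LAN to an unrelated prefix such as 10.10.1.0/24 removes the collision entirely.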
  16. risq

    risq Addicted to LI Member

    You were totally right.. all problems were based on the two 192.168.2.0/24 subnets...

    After I switched my home net to 10.10.1.x addresses I can use both scenarios, running internet through the "normal" path and through the tunnel via "redirect-gateway". Works like a charm now.

    Thx a lot SgtPepper, was not an obvious error..
     
