[Clug-tech] Still Looking for OpenVPN Help

Jamie Furtner jamie at furtner.ca
Thu Nov 30 20:29:41 PST 2006


Jon wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hey Jamie,
>
> Mine is largely the same as yours and I've tried the ones that are
> missing or different on my end and get the same result. About the only
> major difference is that you're using tap and I'm using tun. I admit to
> not really understanding the difference even after reading about them,
> so perhaps therein lies the problem.
>
> Since my first post, I have discovered something. Don't know if it's
> good or bad, but I changed my 'client-config-directory ccd' to
> 'client-config-directory /etc/openvpn/ccd'. I no longer get the dropped
> packets message which leads me to believe that the client config file in
> my ccd directory wasn't being read at all prior to this.
>
> It's nice that the dropped packets message is gone, but now I get no
> messages and still no traffic. Not sure what's going on now.
>
> When connected, my client is 10.8.0.6 and my server is 10.8.0.1. I can
> ping the server from the client and vice versa with those IP addresses.
> I think that means my connect is good, there's just something weird with
> my routing.
>
> The connect looks so good, though. There's even a line that reads:
>
> Thu Nov 30 22:12:23 2006 jonzlaptop/68.145.41.64:47767 MULTI: Learn:
> 192.168.0.103 -> jonzlaptop/68.145.41.64:47767
>
> Which is exactly true...
>
> Confuzzled...
>
> J
>
> Jamie Furtner wrote:
>   
>> Jon wrote:
>> I've come to the conclusion that I've left one very important fact out
>> of the description of my problems with OpenVPN. It's entirely logical to
>> assume that I'm trying to set up the server on my home network (behind
>> my router) in order to access it from other locations. Not true.
>>
>> Because I have no desire to leave any of my home computers on all day
>> long, I use VPSes on the Internet to play with. That's where I want my
>> OpenVPN server.
>>
>> While setting this thing up, I am using my laptop as the client from
>> behind my home router and attempting to connect to the OpenVPN server.
>> It looks something like this:
>>
>> Me (192.168.0.103) -> Router (68.145.41.64) -> OpenVPN Server
>> (75.126.18.55).
>>
>> To recap, my problem is that after I connect, I get a slew of these errors:
>>
>> Thu Nov 30 21:05:16 2006 jonzlaptop/68.145.41.64:34309 MULTI: bad source
>> address from client [192.168.0.103], packet dropped
>>
>> My goal is to connect to my OpenVPN server and then have ALL my traffic
>> sent through it and out to the Internet when I am connected. My troubles
>> are most frustrating because I know there are 40 bigajillion people on
>> the planet who have this simple VPN thing working, but I can't get it to
>> happen.
>>
>> Anyone have any ideas before I throw OpenVPN in the trash and try
>> something else?
>>
>> Thanks!
>>
>> J
>>     
> _______________________________________________
> clug-tech mailing list
> clug-tech at clug.ca
> http://clug.ca/mailman/listinfo/clug-tech_clug.ca
>
>
>> Can you ping the VPN endpoints once you connect using their internal
>> private IP addresses? Start with your local IP, then try the server's
>> VPN IP address.
>>
>> Is it possible that *all* your traffic (including the VPN connection
>> itself) is attempting to be tunneled through the VPN? The
>> redirect-gateway directive shouldn't cause that to happen, but step one
>> is to verify that you can ping across the tunnel or if it's traffic
>> getting out that's the problem.
>>
>> I use OpenVPN myself and can tunnel all my traffic over it when I need
>> to (using the redirect-gateway directive). Here's my client config (note
>> it's using TCP as some of the firewalls I'm behind don't allow UDP traffic):
>>
>> dev tap
>> cipher BF-CBC
>> mssfix 1300
>> client
>> remote my.openvpn.server 1194
>> proto tcp-client
>> ns-cert-type server
>> key openvpn.key
>> cert openvpn.crt
>> ca cacert.crt
>> comp-lzo
>> persist-tun
>> nobind
>> auto-proxy
>> redirect-gateway bypass-dhcp bypass-dns
>> route-gateway a.b.c.200
>
>
> - --
> Key fingerprint: BDE0 DE52 B8C0 0CDF 7653 E5A2 D861 7877 0D3B 813E
> http://www.jonwatson.ca
> +1.403.875.6048
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFFb6wE2GF4dw07gT4RAlsPAKCathac2Wo9hbJn4QY27yiTjnTU9QCfbyMV
> UPZR9mBWCtzsLTkeqahpfaQ=
> =DmNf
> -----END PGP SIGNATURE-----
>
Ok, that's great - it sounds like the VPN itself works. OpenVPN itself 
doesn't route traffic - it just dumps it in your network stack which 
decides what to do with it. You'll need to set up iptables to NAT the 
traffic coming through your tunnel using the command I gave earlier 
(again, from memory):
iptables -t nat -A POSTROUTING -j MASQUERADE -o eth0 -s 10.8.0.0/24
which tells iptables to NAT traffic sourced from your VPN network and 
destined for your external interface. If you have ip forwarding enabled, 
then the traffic is already being sent out on your external interface, 
but its source IP address is your VPN address (10.8.0.6) - which 
nothing outside of your openvpn server knows how to get to. You could 
confirm this by using tcpdump or wireshark on the openvpn server.

Jamie
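The server-side setup Jamie describes (IP forwarding plus a MASQUERADE rule for the 10.8.0.0/24 tunnel network), written out as an added example that is not part of the thread or of OpenVPN's own documentation. It keeps the VPN subnet from the thread and assumes eth0 as the server's external interface and tun0 as the tunnel interface; both are placeholders. The rules are generated as text first so they can be reviewed before being applied, the FORWARD chain is restricted to traffic between the tunnel and the external interface (with return traffic allowed only for established connections), and a third function lists the commands that confirm the diagnosis with tcpdump.

```shell
#!/bin/sh
# Added example: NAT and forwarding for an OpenVPN server acting as the
# clients' default gateway. Not code from the list thread.
# Assumptions (adjust for your host): VPN subnet 10.8.0.0/24 as in the
# thread, external interface eth0, tunnel interface tun0.

VPN_NET="${VPN_NET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"

# Print, one per line, the commands that turn the server into a NAT gateway
# for the tunnel. Nothing is executed here, so the rule set can be inspected.
vpn_gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $TUN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# Apply the rules above. Refuses to run unless invoked as root, and stops at
# the first command that fails (exit inside the pipeline subshell makes the
# pipeline, and therefore the function, return non-zero).
apply_vpn_gateway_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_vpn_gateway_rules: must be root" >&2; return 1; }
    vpn_gateway_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
}

# Commands that verify the fix described in the thread: with forwarding on
# and MASQUERADE in place, packets leaving $WAN_IF should carry the server's
# public address; a 10.8.0.x source seen here means NAT is not happening.
vpn_gateway_check_cmds() {
    cat <<EOF
sysctl net.ipv4.ip_forward
iptables -t nat -L POSTROUTING -n -v
iptables -L FORWARD -n -v
tcpdump -ni $WAN_IF 'src net $VPN_NET'
EOF
}

# Usage: review the rules with `vpn_gateway_rules`, then run
# `apply_vpn_gateway_rules` as root; use `vpn_gateway_check_cmds` afterwards.
```

Run `vpn_gateway_rules` first and read the output; the MASQUERADE line is the same rule Jamie quotes, with the source network and outgoing interface made explicit. The FORWARD rules are an addition for least privilege: without them an ACCEPT default policy lets any forwarded traffic through the server, not just the tunnel's.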


