By: 7ecc4baa

Why does the traffic not go through the VPN connection?

April 20, 2014
I installed an OpenVPN server on an Ubuntu 14 droplet and I'm trying to connect through it on my Fedora 20 home computer. There is a connection (according to the log below), but my IP didn't change. ANY IDEA WHY?

I reinstalled the server several times (tried different distributions) from several guides I found on the internet, and I'm starting to think the problem is with the client and not with the server.

SERVER: UBUNTU 14
CLIENT: FEDORA 20
(I changed the public IP in the logs below to X.X.X.X)

SERVER.CONF CONTENT:
root@vpn2:~# grep -vE '^#|^;|^$' /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert vpn2.crt
key vpn2.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

CLIENT.CONF CONTENT:
[e@localhost ~]$ grep -vE '^#|^;|^$' /etc/openvpn/client.conf
client
dev tun
proto udp
remote X.X.X.X 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key
ns-cert-type server
comp-lzo
verb 3

CLIENT VPN CONNECTION OUTPUT:
[e@localhost ~]$ sudo openvpn --config /etc/openvpn/client.conf
Sun Apr 20 15:01:01 2014 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Sun Apr 20 15:01:01 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sun Apr 20 15:01:01 2014 UDPv4 link local: [undef]
Sun Apr 20 15:01:01 2014 UDPv4 link remote: [AF_INET]X.X.X.X:1194
Sun Apr 20 15:01:02 2014 TLS: Initial packet from [AF_INET]X.X.X.X:1194, sid=45cdb38f f3323d6e
Sun Apr 20 15:01:23 2014 VERIFY OK: depth=1, C=NL, ST=HM, L=Amsterdam, O=blabla, OU=blablabla, CN=blabla CA, name=EasyRSA, emailAddress=bla1@1bla.bla
Sun Apr 20 15:01:23 2014 VERIFY OK: nsCertType=SERVER
Sun Apr 20 15:01:23 2014 VERIFY OK: depth=0, C=NL, ST=HM, L=Amsterdam, O=blabla, OU=blablabla, CN=vpn2, name=EasyRSA, emailAddress=bla1@1bla.bla
Sun Apr 20 15:01:52 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 20 15:01:52 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 20 15:01:52 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Apr 20 15:01:52 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 20 15:01:52 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Apr 20 15:01:52 2014 [vpn2] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
Sun Apr 20 15:01:54 2014 SENT CONTROL [vpn2]: 'PUSH_REQUEST' (status=1)
Sun Apr 20 15:01:55 2014 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sun Apr 20 15:01:55 2014 OPTIONS IMPORT: timers and/or timeouts modified
Sun Apr 20 15:01:55 2014 OPTIONS IMPORT: --ifconfig/up options modified
Sun Apr 20 15:01:55 2014 OPTIONS IMPORT: route options modified
Sun Apr 20 15:01:55 2014 ROUTE_GATEWAY 10.0.0.138/255.255.255.0 IFACE=p3p1 HWADDR=d8:50:e6:ba:a3:44
Sun Apr 20 15:01:55 2014 TUN/TAP device tun0 opened
Sun Apr 20 15:01:55 2014 TUN/TAP TX queue length set to 100
Sun Apr 20 15:01:55 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Apr 20 15:01:55 2014 /usr/sbin/ip link set dev tun0 up mtu 1500
Sun Apr 20 15:01:55 2014 /usr/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Sun Apr 20 15:01:55 2014 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Sun Apr 20 15:01:55 2014 Initialization Sequence Completed

CLIENT NETSTAT OUTPUT:
[e@localhost ~]$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.0.0.138 0.0.0.0 UG 0 0 0 p3p1
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 p3p1
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0

CLIENT IFCONFIG OUTPUT:
[e@localhost ~]$ ifconfig
lo: flags=73 mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10
        loop txqueuelen 0 (Local Loopback)
        RX packets 227 bytes 18188 (17.7 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 227 bytes 18188 (17.7 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
p3p1: flags=4163 mtu 1500
        inet 10.0.0.1 netmask 255.255.255.0 broadcast 10.0.0.255
        inet6 fe80::da50:e6ff:feba:a344 prefixlen 64 scopeid 0x20
        ether d8:50:e6:ba:a3:44 txqueuelen 1000 (Ethernet)
        RX packets 4846734 bytes 5998970353 (5.5 GiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 2985059 bytes 592853394 (565.3 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305 mtu 1500
        inet 10.8.0.6 netmask 255.255.255.255 destination 10.8.0.5
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

SERVER LOG (TAIL):
Apr 20 08:01:53 localhost ovpn-server[2181]: X.X.X.X:60561 [client1] Peer Connection Initiated with [AF_INET]X.X.X.X:60561
Apr 20 08:01:53 localhost ovpn-server[2181]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Apr 20 08:01:53 localhost ovpn-server[2181]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Apr 20 08:01:53 localhost ovpn-server[2181]: MULTI: Learn: 10.8.0.6 -> client1/X.X.X.X:60561
Apr 20 08:01:53 localhost ovpn-server[2181]: MULTI: primary virtual IP for client1/X.X.X.X:60561: 10.8.0.6
Apr 20 08:01:55 localhost ovpn-server[2181]: client1/X.X.X.X:60561 PUSH: Received control message: 'PUSH_REQUEST'
Apr 20 08:01:55 localhost ovpn-server[2181]: client1/X.X.X.X:60561 send_push_reply(): safe_cap=940
Apr 20 08:01:55 localhost ovpn-server[2181]: client1/X.X.X.X:60561 SENT CONTROL [client1]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Apr 20 08:13:57 localhost ovpn-server[2181]: client1/X.X.X.X:60561 [client1] Inactivity timeout (--ping-restart), restarting
Apr 20 08:13:57 localhost ovpn-server[2181]: client1/X.X.X.X:60561 SIGUSR1[soft,ping-restart] received, client-instance restarting

SERVER NETSTAT OUTPUT:
root@vpn2:~# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 X.X.X.X.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
X.X.X.X.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0

SERVER IFCONFIG OUTPUT:
root@vpn2:~# ifconfig
eth0    Link encap:Ethernet HWaddr 04:01:16:e1:87:01
        inet addr:X.X.X.X Bcast:X.X.X.255 Mask:255.255.240.0
        inet6 addr: fe80::601:16ff:fee1:8701/64 Scope:Link
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
        RX packets:589782 errors:0 dropped:0 overruns:0 frame:0
        TX packets:39230 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes:82987986 (82.9 MB) TX bytes:6037129 (6.0 MB)
lo      Link encap:Local Loopback
        inet addr:127.0.0.1 Mask:255.0.0.0
        inet6 addr: ::1/128 Scope:Host
        UP LOOPBACK RUNNING MTU:65536 Metric:1
        RX packets:0 errors:0 dropped:0 overruns:0 frame:0
        TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:0
        RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tun0    Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
        inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
        UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
        RX packets:527 errors:0 dropped:0 overruns:0 frame:0
        TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:100
        RX bytes:36693 (36.6 KB) TX bytes:2940 (2.9 KB)

4 Answers
Edit OpenVPN's server config file and uncomment the line that says push "redirect-gateway def1 bypass-dhcp". Restart OpenVPN and reconnect. Does that fix it?

First, thank you very much for the answer!

I did what you suggested and it is interesting:
When I connect to the VPN from the client, all traffic stops (the browser, for example, just gets stuck at the beginning of the load process) and only the connection to the server (ssh) works without a problem!

Any idea what is wrong now?


THE SERVER'S SYSTEM LOG:
Apr 20 17:55:22 localhost ovpn-server[2927]: X.X.X.X:56847 TLS: Initial packet from [AF_INET]X.X.X.X:56847, sid=82614284 132dc7d7
Apr 20 17:55:24 localhost ovpn-server[2927]: X.X.X.X:56847 VERIFY OK: depth=1, C=NL, ST=HM, L=Amsterdam, O=blabla, OU=blablabla, CN=blabla CA, name=EasyRSA, emailAddress=bla1@1bla.bla
Apr 20 17:55:24 localhost ovpn-server[2927]: X.X.X.X:56847 VERIFY OK: depth=0, C=NL, ST=HM, L=Amsterdam, O=blabla, OU=blablabla, CN=client1, name=EasyRSA, emailAddress=bla1@1bla.bla
Apr 20 17:55:24 localhost ovpn-server[2927]: X.X.X.X:56847 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 20 17:55:24 localhost ovpn-server[2927]: X.X.X.X:56847 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 20 17:55:24 localhost ovpn-server[2927]: X.X.X.X:56847 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Apr 20 17:55:24 localhost ovpn-server[2927]: X.X.X.X:56847 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 20 17:55:24 localhost ovpn-server[2927]: X.X.X.X:56847 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Apr 20 17:55:24 localhost ovpn-server[2927]: X.X.X.X:56847 [client1] Peer Connection Initiated with [AF_INET]X.X.X.X:56847
Apr 20 17:55:24 localhost ovpn-server[2927]: MULTI: new connection by client 'client1' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Apr 20 17:55:24 localhost ovpn-server[2927]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Apr 20 17:55:24 localhost ovpn-server[2927]: MULTI: Learn: 10.8.0.6 -> client1/X.X.X.X:56847
Apr 20 17:55:24 localhost ovpn-server[2927]: MULTI: primary virtual IP for client1/X.X.X.X:56847: 10.8.0.6
Apr 20 17:55:27 localhost ovpn-server[2927]: client1/X.X.X.X:56847 PUSH: Received control message: 'PUSH_REQUEST'
Apr 20 17:55:27 localhost ovpn-server[2927]: client1/X.X.X.X:56847 send_push_reply(): safe_cap=940
Apr 20 17:55:27 localhost ovpn-server[2927]: client1/X.X.X.X:56847 SENT CONTROL [client1]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)


THE CLIENT'S SYSTEM LOG:
empty

SERVER netstat -rn:
root@vpn2:~# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 188.226.192.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
188.226.192.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0

CLIENT netstat -rn:
[e@localhost ~]$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 10.0.0.138 0.0.0.0 UG 0 0 0 p3p1
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 p3p1
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
X.X.X.X 10.0.0.138 255.255.255.255 UGH 0 0 0 p3p1

Thank you!
Now I understand what was wrong.
I installed OpenVPN Access Server instead and now it works perfectly!
Thank you again!
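
Added example (not part of the original thread): the two client routing tables posted above, run through a longest-prefix-match lookup, show why the public IP did not change before the push and how redirect-gateway def1 moves almost all destinations onto tun0 while the VPN server's own address stays on the LAN gateway. The address 203.0.113.10 stands in for the redacted X.X.X.X, and the function names are this example's own.

```python
import ipaddress

# Client `netstat -rn` rows from the thread, before and after the server pushed
# redirect-gateway def1. The redacted server address X.X.X.X is replaced by
# 203.0.113.10, a constructed placeholder from the documentation range.
BEFORE = """\
0.0.0.0 10.0.0.138 0.0.0.0 UG 0 0 0 p3p1
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 p3p1
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
"""
AFTER = BEFORE + """\
0.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
203.0.113.10 10.0.0.138 255.255.255.255 UGH 0 0 0 p3p1
"""

def parse_routes(text):
    """Map each route's network to its interface; non-route lines are skipped."""
    routes = {}
    for line in text.splitlines():
        f = line.split()
        try:
            routes[ipaddress.ip_network(f"{f[0]}/{f[2]}")] = f[7]
        except (IndexError, ValueError):
            continue  # banner, column header or blank line
    return routes

def egress_iface(text, dest):
    """Longest-prefix match, as the kernel does: the most specific route wins."""
    routes = parse_routes(text)
    addr = ipaddress.ip_address(dest)
    hits = [net for net in routes if addr in net]
    return routes[max(hits, key=lambda n: n.prefixlen)] if hits else None

def addresses_via(text, iface):
    """Count the IPv4 addresses whose best route leaves through iface."""
    routes = parse_routes(text)
    total = 0
    for net, dev in routes.items():
        inner = [n for n in routes if n != net and n.subnet_of(net)]
        # Subtract only the outermost nested routes, so nothing is counted twice.
        top = [n for n in inner if not any(n != m and n.subnet_of(m) for m in inner)]
        if dev == iface:
            total += net.num_addresses - sum(n.num_addresses for n in top)
    return total

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, egress_iface(table, "198.51.100.7"), addresses_via(table, "tun0"))
```

In the first table only the two tunnel endpoints are reached through tun0. In the second, the two /1 routes outrank the original default route without deleting it, and the /32 host route keeps the encrypted UDP packets to the server off the tunnel.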