No traffic through OpenVPN tunnel
-
Hi,
I set up OpenVPN to connect from my iOS devices to my home network.
My VPN connection is working but for some reason the internal traffic isn't routed through the tunnel.
I set up my internal networks and DNS and NTP servers. I assigned the OpenVPN interface and configured an IP address.
From my iOS device I can ping the OpenVPN network address. I see the routes in the logging on the iOS OpenVPN client.
However the traffic doesn't seem to be routed. I enabled the checkbox that all client generated traffic should go through the tunnel. Below is the log from the iOS device:
2016-08-09 11:54:46 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2016-08-09 11:54:46 Session is ACTIVE
2016-08-09 11:54:46 EVENT: GET_CONFIG
2016-08-09 11:54:46 Sending PUSH_REQUEST to server…
2016-08-09 11:54:46 OPTIONS:
0 [route] [172.10.15.0] [255.255.255.0]
1 [route] [192.168.20.0] [255.255.255.0]
2 [route] [192.168.150.0] [255.255.255.0]
3 [dhcp-option] [DOMAIN] [mydomain.local]
4 [dhcp-option] [DNS] [192.168.20.13]
5 [dhcp-option] [DNS] [192.168.20.15]
6 [register-dns]
7 [dhcp-option] [NTP] [192.168.20.13]
8 [redirect-gateway] [def1]
9 [route-gateway] [10.15.10.1] -> IP of OpenVPN interface
10 [topology] [subnet]
11 [ping] [10]
12 [ping-restart] [60]
13 [ifconfig] [10.15.10.2] [255.255.255.0] -> IP of connected device
2016-08-09 11:54:46 PROTOCOL OPTIONS:
cipher: AES-256-CBC
digest: SHA1
compress: NONE
peer ID: -1
2016-08-09 11:54:46 EVENT: ASSIGN_IP
2016-08-09 11:54:46 Unknown pushed DHCP option: [dhcp-option] [NTP] [192.168.20.13]
2016-08-09 11:54:46 TunPersist: saving tun context:
Session Name: vpndomain.name.com
Layer: OSI_LAYER_3
Remote Address: <<WAN IP>>
Tunnel Addresses:
10.15.10.2/24 -> 10.15.10.1
Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
Block IPv6: no
Add Routes:
Exclude Routes:
2a01:7c8:eb::xx:xx:xx:49/128 [IPv6]
DNS Servers:
192.168.20.13
192.168.20.15
Search Domains:
mydomain.local
2016-08-09 11:54:46 Connected via tun
2016-08-09 11:54:46 EVENT: CONNECTED user@vpndomain.name.com:1194 (<<WAN IP>>) via /UDPv4 on tun/10.15.10.2/
2016-08-09 11:54:46 SetStatus Connected
What am I forgetting?
Kind regards,
Mark
-
Have you got a firewall rule to allow the tunnel traffic onto your lan?
-
Hi Keylevel,
Thanks. Yes, I have several firewall rules in place. It also makes no difference if I add an 'any' rule.
I don't see traffic dropped.
Kind regards,
Mark
-
Some more logging from the OpenVPN server. At the moment I unassigned the OpenVPN interface.
It wasn't clear to me if I should or should not assign the interface and configure the IP.
It seems to work (or not work) either way.
Aug 9 15:51:53 openvpn 99469 92.69.213.93:62051 TLS: Initial packet from [AF_INET]92.69.213.93:62051, sid=9157e45b 82f155c1
Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 VERIFY SCRIPT OK: depth=1, certdata
Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 VERIFY OK: depth=1, C=NL, certdata
Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 VERIFY SCRIPT OK: depth=0, certdata
Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 VERIFY OK: depth=0, certdata
Aug 9 15:51:54 openvpn user 'ME' authenticated
Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 TLS: Username/Password authentication succeeded for username 'ME' [CN SET]
Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Aug 9 15:51:54 openvpn 99469 92.69.213.93:62051 [mark] Peer Connection Initiated with [AF_INET]92.69.213.93:62051
Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 MULTI_sva: pool returned IPv4=10.15.10.2, IPv6=(Not enabled)
Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_c22c667e5f903932f615859110b7c08c.tmp
Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 MULTI: Learn: 10.15.10.2 -> ME/92.69.213.93:62051
Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 MULTI: primary virtual IP for ME/92.69.213.93:62051: 10.15.10.2
Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 PUSH: Received control message: 'PUSH_REQUEST'
Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 send_push_reply(): safe_cap=940
Aug 9 15:51:54 openvpn 99469 mark/92.69.213.93:62051 SENT CONTROL [mark]: 'PUSH_REPLY,route 172.10.15.0 255.255.255.0,route 192.168.20.0 255.255.255.0,route 192.168.150.0 255.255.255.0,dhcp-option DOMAIN argus.local,dhcp-option DNS 192.168.20.13,dhcp-option DNS 192.168.20.15,register-dns,dhcp-option NTP 192.168.20.13,redirect-gateway def1,route-gateway 10.15.10.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.15.10.2 255.255.255.0' (status=1)
Aug 9 15:52:04 openvpn 99469 MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock
Aug 9 15:52:04 openvpn 99469 MANAGEMENT: CMD 'status 2'
Aug 9 15:52:04 openvpn 99469 MANAGEMENT: CMD 'quit'
Aug 9 15:52:04 openvpn 99469 MANAGEMENT: Client disconnected
Hope the log clears up anything. I don't have a clue what I'm missing.
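Both the client OPTIONS list in the first post and the server's SENT CONTROL line above carry the same PUSH_REPLY, and that string is the quickest place to confirm what the server is actually telling the client about routing. The script below is an added example, not code from this thread, pfSense or OpenVPN: it pulls the PUSH_REPLY out of a server log line, splits it into options, and checks that the pushed ifconfig address, route-gateway and routes are consistent with each other (gateway inside the tunnel subnet, no route overlapping the tunnel subnet, and a note for any pushed route outside private address space). The sample log line is constructed from the server log in this thread with the client's public IP replaced by a documentation address; the option syntax it assumes is the one visible in that log. Run on the thread's own PUSH_REPLY it reports the first pushed route, 172.10.15.0/24, as lying outside private address space, which is worth a second look when checking which networks the client is expected to reach.

```python
"""Parse the PUSH_REPLY an OpenVPN server sends a client and sanity-check the
routing it pushes. Added example for this thread; not pfSense or OpenVPN code."""
import ipaddress
import re

# Constructed sample: the PUSH_REPLY from the server log in this thread, with the
# client's public IP replaced by a documentation address (192.0.2.10).
SAMPLE_PUSH_REPLY = (
    "PUSH_REPLY,route 172.10.15.0 255.255.255.0,"
    "route 192.168.20.0 255.255.255.0,route 192.168.150.0 255.255.255.0,"
    "dhcp-option DOMAIN argus.local,dhcp-option DNS 192.168.20.13,"
    "dhcp-option DNS 192.168.20.15,register-dns,dhcp-option NTP 192.168.20.13,"
    "redirect-gateway def1,route-gateway 10.15.10.1,topology subnet,"
    "ping 10,ping-restart 60,ifconfig 10.15.10.2 255.255.255.0"
)
SAMPLE_LOG_LINE = (
    "Aug 9 15:51:54 openvpn 99469 mark/192.0.2.10:62051 SENT CONTROL [mark]: '"
    + SAMPLE_PUSH_REPLY + "' (status=1)"
)

# The server quotes the whole reply in single quotes on the SENT CONTROL line.
PUSH_RE = re.compile(r"'(PUSH_REPLY,[^']*)'")


def extract_push_reply(log_line):
    """Return the quoted PUSH_REPLY string from a 'SENT CONTROL' log line, or None."""
    m = PUSH_RE.search(log_line)
    return m.group(1) if m else None


def parse_push_reply(reply):
    """Split a PUSH_REPLY string into (option, [args]) tuples, in pushed order."""
    body = reply[len("PUSH_REPLY,"):] if reply.startswith("PUSH_REPLY,") else reply
    options = []
    for item in body.split(","):
        parts = item.split()
        if parts:
            options.append((parts[0], parts[1:]))
    return options


def check_routing(options):
    """Check that the pushed addressing and routes are consistent with each other.

    Returns a dict with the parsed routes, whether redirect-gateway was pushed,
    and a list of human-readable problems (empty when everything is consistent).
    """
    findings = {"routes": [], "redirect_gateway": False, "problems": []}
    tun_if = None   # client's tunnel address + mask, from 'ifconfig'
    gateway = None  # next hop for pushed routes, from 'route-gateway'
    for name, args in options:
        if name == "ifconfig" and len(args) == 2:
            tun_if = ipaddress.ip_interface(f"{args[0]}/{args[1]}")
        elif name == "route-gateway" and args:
            gateway = ipaddress.ip_address(args[0])
        elif name == "redirect-gateway":
            findings["redirect_gateway"] = True
        elif name == "route" and len(args) >= 2:
            try:
                net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=True)
            except ValueError as exc:
                findings["problems"].append(f"unparseable route {' '.join(args)}: {exc}")
                continue
            findings["routes"].append(str(net))
            # A pushed route outside private address space is either a real public
            # prefix or a typo for a private one; either way it deserves a look.
            if not net.is_private:
                findings["problems"].append(f"route {net} is not in private address space")
    if tun_if is None:
        findings["problems"].append("no ifconfig pushed: client gets no tunnel address")
    if gateway is None:
        findings["problems"].append("no route-gateway pushed")
    elif tun_if is not None and gateway not in tun_if.network:
        findings["problems"].append(
            f"route-gateway {gateway} is outside the tunnel subnet {tun_if.network}")
    if tun_if is not None:
        for r in findings["routes"]:
            if ipaddress.ip_network(r).overlaps(tun_if.network):
                findings["problems"].append(
                    f"route {r} overlaps the tunnel subnet {tun_if.network}")
    return findings


if __name__ == "__main__":
    result = check_routing(parse_push_reply(extract_push_reply(SAMPLE_LOG_LINE)))
    print("pushed routes:", result["routes"])
    print("redirect-gateway pushed:", result["redirect_gateway"])
    for problem in result["problems"] or ["no problems found"]:
        print("-", problem)
```

Feed it any SENT CONTROL line from the server log (or paste the PUSH_REPLY string directly into parse_push_reply) to see exactly which prefixes the client has been told to route into the tunnel before looking further at firewall and NAT rules.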