OpenVPN provider - redirect gateway

wanie

Hi

I am trying to route all my lan traffice through an openVPN provider like perfect-privacy.
To me it looks like, there is something blocking the traffic throug this tunnel.

If i connect with the openVPN client i can't open any website.
Anyway i can't ping any public domain or ip, but DNS works.
If i ping on google.com i see the resolved ip but got no ping answer.

I allready tried to play arround with the AON settings but no luck.

Here is the openVPN log:

Feb 5 18:55:04 	openvpn[25458]: real_hash_size = 256
Feb 5 18:55:04 	openvpn[25458]: virtual_hash_size = 256
Feb 5 18:55:04 	openvpn[25458]: client_connect_script = '[UNDEF]'
Feb 5 18:55:04 	openvpn[25458]: learn_address_script = '[UNDEF]'
Feb 5 18:55:04 	openvpn[25458]: client_disconnect_script = '[UNDEF]'
Feb 5 18:55:04 	openvpn[25458]: client_config_dir = '[UNDEF]'
Feb 5 18:55:04 	openvpn[25458]: ccd_exclusive = DISABLED
Feb 5 18:55:04 	openvpn[25458]: tmp_dir = '/tmp'
Feb 5 18:55:04 	openvpn[25458]: push_ifconfig_defined = DISABLED
Feb 5 18:55:04 	openvpn[25458]: push_ifconfig_local = 0.0.0.0
Feb 5 18:55:04 	openvpn[25458]: push_ifconfig_remote_netmask = 0.0.0.0
Feb 5 18:55:04 	openvpn[25458]: push_ifconfig_ipv6_defined = DISABLED
Feb 5 18:55:04 	openvpn[25458]: push_ifconfig_ipv6_local = ::/0
Feb 5 18:55:04 	openvpn[25458]: push_ifconfig_ipv6_remote = ::
Feb 5 18:55:04 	openvpn[25458]: enable_c2c = DISABLED
Feb 5 18:55:04 	openvpn[25458]: duplicate_cn = DISABLED
Feb 5 18:55:04 	openvpn[25458]: cf_max = 0
Feb 5 18:55:04 	openvpn[25458]: cf_per = 0
Feb 5 18:55:04 	openvpn[25458]: max_clients = 1024
Feb 5 18:55:04 	openvpn[25458]: max_routes_per_client = 256
Feb 5 18:55:04 	openvpn[25458]: auth_user_pass_verify_script = '[UNDEF]'
Feb 5 18:55:04 	openvpn[25458]: auth_user_pass_verify_script_via_file = DISABLED
Feb 5 18:55:04 	openvpn[25458]: ssl_flags = 0
Feb 5 18:55:04 	openvpn[25458]: port_share_host = '[UNDEF]'
Feb 5 18:55:04 	openvpn[25458]: port_share_port = 0
Feb 5 18:55:04 	openvpn[25458]: client = ENABLED
Feb 5 18:55:04 	openvpn[25458]: pull = ENABLED
Feb 5 18:55:04 	openvpn[25458]: auth_user_pass_file = '/conf/perfect-privacy.pas'
Feb 5 18:55:04 	openvpn[25458]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Feb 5 18:55:04 	openvpn[25458]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client3.sock
Feb 5 18:55:04 	openvpn[25458]: WARNING: file '/conf/perfect-privacy.pas' is group or others accessible
Feb 5 18:55:04 	openvpn[25458]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 5 18:55:04 	openvpn[25458]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 5 18:55:04 	openvpn[25458]: Control Channel Authentication: using '/var/etc/openvpn/client3.tls-auth' as a OpenVPN static key file
Feb 5 18:55:04 	openvpn[25458]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 5 18:55:04 	openvpn[25458]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 5 18:55:04 	openvpn[25458]: Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
Feb 5 18:55:04 	openvpn[25458]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Feb 5 18:55:04 	openvpn[25458]: RESOLVE: NOTE: moscow.perfect-privacy.com resolves to 3 addresses
Feb 5 18:55:04 	openvpn[25458]: Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Feb 5 18:55:04 	openvpn[25458]: Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Feb 5 18:55:04 	openvpn[25458]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Feb 5 18:55:04 	openvpn[25458]: Local Options hash (VER=V4): 'ed844052'
Feb 5 18:55:04 	openvpn[25458]: Expected Remote Options hash (VER=V4): '8a244582'
Feb 5 18:55:04 	openvpn[25739]: UDPv4 link local (bound): [AF_INET]192.168.178.22:50013
Feb 5 18:55:04 	openvpn[25739]: UDPv4 link remote: [AF_INET]192.162.100.209:1149
Feb 5 18:55:05 	openvpn[25739]: TLS: Initial packet from [AF_INET]192.162.100.209:1149, sid=0dffcb99 ea51437a
Feb 5 18:55:05 	openvpn[25739]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 5 18:55:06 	openvpn[25739]: VERIFY OK: depth=1, /C=NZ/ST=Glenside/L=Wellington/O=PP_Internet_Services/OU=PP_Security_Department/CN=ppca/emailAddress=admin@perfect-privacy.com
Feb 5 18:55:06 	openvpn[25739]: VERIFY OK: depth=0, /C=NZ/ST=Glenside/O=PP_Internet_Services/OU=PP_Security_Department/CN=ppserver/emailAddress=admin@perfect-privacy.com
Feb 5 18:55:18 	openvpn[25739]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1562'
Feb 5 18:55:18 	openvpn[25739]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Feb 5 18:55:18 	openvpn[25739]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Feb 5 18:55:18 	openvpn[25739]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 5 18:55:18 	openvpn[25739]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 5 18:55:18 	openvpn[25739]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 5 18:55:18 	openvpn[25739]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 5 18:55:18 	openvpn[25739]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Feb 5 18:55:18 	openvpn[25739]: [ppserver] Peer Connection Initiated with [AF_INET]192.162.100.209:1149
Feb 5 18:55:20 	openvpn[25739]: SENT CONTROL [ppserver]: 'PUSH_REQUEST' (status=1)
Feb 5 18:55:21 	openvpn[25739]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 4.2.2.4,route 10.0.16.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.16.14 10.0.16.13'
Feb 5 18:55:21 	openvpn[25739]: OPTIONS IMPORT: timers and/or timeouts modified
Feb 5 18:55:21 	openvpn[25739]: OPTIONS IMPORT: --ifconfig/up options modified
Feb 5 18:55:21 	openvpn[25739]: OPTIONS IMPORT: route options modified
Feb 5 18:55:21 	openvpn[25739]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Feb 5 18:55:21 	openvpn[25739]: ROUTE default_gateway=192.168.178.1
Feb 5 18:55:21 	openvpn[25739]: TUN/TAP device /dev/tun3 opened
Feb 5 18:55:21 	openvpn[25739]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb 5 18:55:21 	openvpn[25739]: /sbin/ifconfig ovpnc3 10.0.16.14 10.0.16.13 mtu 1500 netmask 255.255.255.255 up
Feb 5 18:55:21 	openvpn[25739]: /usr/local/sbin/ovpn-linkup ovpnc3 1500 1557 10.0.16.14 10.0.16.13 init
Feb 5 18:55:21 	openvpn[25739]: /sbin/route add -net 192.162.100.209 192.168.178.1 255.255.255.255
Feb 5 18:55:21 	openvpn[25739]: /sbin/route add -net 0.0.0.0 10.0.16.13 128.0.0.0
Feb 5 18:55:21 	openvpn[25739]: /sbin/route add -net 128.0.0.0 10.0.16.13 128.0.0.0
Feb 5 18:55:21 	openvpn[25739]: /sbin/route add -net 10.0.16.1 10.0.16.13 255.255.255.255
Feb 5 18:55:21 	openvpn[25739]: Initialization Sequence Completed

This are my routes before the openVPN connection is active:


Destination 	Gateway 	Flags 	Refs 	Use 	Mtu 	Netif 	Expire
default 	192.168.178.1 	UGS 	0 	537611 	1500 	vr1 	 
127.0.0.1 	link#5 	UH 	0 	1009 	16384 	lo0 	 
192.168.1.0/24 	link#1 	U 	0 	8769280 	1500 	vr0 	 
192.168.1.1 	link#1 	UHS 	0 	0 	16384 	lo0 	 
192.168.178.0/24 	link#2 	U 	0 	1 	1500 	vr1 	 
192.168.178.1 	00:0d:b9:23:01:1d 	UHS 	0 	88556 	1500 	vr1 	 
192.168.178.22 	link#2 	UHS 	0 	0 	16384 	lo0

Here the routes after initializing the tunnel:


Destination 	Gateway 	Flags 	Refs 	Use 	Mtu 	Netif 	Expire
0.0.0.0/1 	10.0.16.73 	UGS 	0 	177 	1500 	ovpnc3 	=>
default 	192.168.178.1 	UGS 	0 	538564 	1500 	vr1 	 
10.0.16.1/32 	10.0.16.73 	UGS 	0 	0 	1500 	ovpnc3 	 
10.0.16.73 	link#11 	UH 	0 	0 	1500 	ovpnc3 	 
10.0.16.74 	link#11 	UHS 	0 	0 	16384 	lo0 	 
95.128.242.224/32 	192.168.178.1 	UGS 	0 	59 	1500 	vr1 	 
127.0.0.1 	link#5 	UH 	0 	1027 	16384 	lo0 	 
128.0.0.0/1 	10.0.16.73 	UGS 	0 	154 	1500 	ovpnc3 	 
192.168.1.0/24 	link#1 	U 	0 	8770408 	1500 	vr0 	 
192.168.1.1 	link#1 	UHS 	0 	0 	16384 	lo0 	 
192.168.178.0/24 	link#2 	U 	0 	1 	1500 	vr1 	 
192.168.178.1 	00:0d:b9:23:01:1d 	UHS 	0 	88678 	1500 	vr1 	 
192.168.178.22 	link#2 	UHS 	0 	0 	16384 	lo0

Has anybody experience with problems like this?
I am thankful for every hint in the right way!

aon.jpg_thumb

wm408

I believe this is your problem.

http://forum.pfsense.org/index.php/topic,8773.0.html

You need to use Advanced outbound NAT. (Manual NAT).

And make an entry under the Firewall > NAT > Outbound which lists your openvpn client subnet as the source, to destinations that you specify, for example, any destination.

If its not AON, then check the OpenVPN tab under: Firewall -> Rules and make sure that the source openvpn network in question can talk to for example, anything, or ! Local Subnet (not the local subnet but anything else).

An example of a firewall rule for the OpenVPN tab:

Proto Source Port Dest. Port GW Queue

openvpn net * * * * none

@wanie:

Hi