Netgate Discussion Forum

    No traffic through OpenVPN tunnel

    mark81

      Hi,

      I set up OpenVPN to connect from my iOS devices to my home network.
      My VPN connection is working but for some reason the internal traffic isn't routed through the tunnel.
      I set up my internal networks and DNS, NTP servers. I assigned the OpenVPN interface and configured an IP address.
      From my iOS device I can ping the OpenVPN network address. I see the routes in the logging on the iOS OpenVPN client.
      However the traffic doesn't seem to be routed. I enabled the checkbox that all client generated traffic should go through the tunnel.

      Below is the log from the iOS device:

      2016-08-09 11:54:46 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
      2016-08-09 11:54:46 Session is ACTIVE
      2016-08-09 11:54:46 EVENT: GET_CONFIG
      2016-08-09 11:54:46 Sending PUSH_REQUEST to server…
      2016-08-09 11:54:46 OPTIONS:
      0 [route] [172.10.15.0] [255.255.255.0]
      1 [route] [192.168.20.0] [255.255.255.0]
      2 [route] [192.168.150.0] [255.255.255.0]
      3 [dhcp-option] [DOMAIN] [mydomain.local]
      4 [dhcp-option] [DNS] [192.168.20.13]
      5 [dhcp-option] [DNS] [192.168.20.15]
      6 [register-dns]
      7 [dhcp-option] [NTP] [192.168.20.13]
      8 [redirect-gateway] [def1]
      9 [route-gateway] [10.15.10.1] –> IP of OpenVPN interface
      10 [topology] [subnet]
      11 [ping] [10]
      12 [ping-restart] [60]
      13 [ifconfig] [10.15.10.2] [255.255.255.0] –> IP of connected device

      2016-08-09 11:54:46 PROTOCOL OPTIONS:
        cipher: AES-256-CBC
        digest: SHA1
        compress: NONE
        peer ID: -1
      2016-08-09 11:54:46 EVENT: ASSIGN_IP
      2016-08-09 11:54:46 Unknown pushed DHCP option: [dhcp-option] [NTP] [192.168.20.13]
      2016-08-09 11:54:46 TunPersist: saving tun context:
      Session Name: vpndomain.name.com
      Layer: OSI_LAYER_3
      Remote Address: <<wan ip>>
      Tunnel Addresses:
        10.15.10.2/24 -> 10.15.10.1
      Reroute Gateway: IPv4=1 IPv6=0 flags=[ ENABLE REROUTE_GW DEF1 IPv4 ]
      Block IPv6: no
      Add Routes:
      Exclude Routes:
        2a01:7c8:eb::xx:xx:xx:49/128 [IPv6]
      DNS Servers:
        192.168.20.13
        192.168.20.15
      Search Domains:
        mydomain.local

      2016-08-09 11:54:46 Connected via tun
      2016-08-09 11:54:46 EVENT: CONNECTED user@vpndomain.name.com:1194 (<<wan ip>>) via /UDPv4 on tun/10.15.10.2/
      2016-08-09 11:54:46 SetStatus Connected

      What am I forgetting?

      Kind regards,

      Mark

      keylevel

        Have you got a firewall rule to allow the tunnel traffic onto your LAN?

        Chris

        mark81

          Hi Keylevel,

          Thanks. Yes, I have several firewall rules in place. It also makes no difference if I add an 'any' rule.
          I don't see traffic dropped.

          Kind regards,

          Mark

          mark81

            Some more logging from the OpenVPN server. At the moment I unassigned the OpenVPN interface.
            It wasn't clear to me if I should or should not assign the interface and configure the IP.
            It seems to work (or not work) either way.

            Aug 9 15:51:53  openvpn  99469  92.69.213.93:62051 TLS: Initial packet from [AF_INET]92.69.213.93:62051, sid=9157e45b 82f155c1 
            Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 VERIFY SCRIPT OK: depth=1, certdata 
            Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 VERIFY OK: depth=1, C=NL, certdata
            Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 VERIFY SCRIPT OK: depth=0, certdata
            Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 VERIFY OK: depth=0, certdata
            Aug 9 15:51:54  openvpn  user 'ME' authenticated 
            Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 TLS: Username/Password authentication succeeded for username 'ME' [CN SET] 
            Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 
            Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication 
            Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key 
            Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication 
            Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA 
            Aug 9 15:51:54  openvpn  99469  92.69.213.93:62051 [mark] Peer Connection Initiated with [AF_INET]92.69.213.93:62051 
            Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 MULTI_sva: pool returned IPv4=10.15.10.2, IPv6=(Not enabled) 
            Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_c22c667e5f903932f615859110b7c08c.tmp 
            Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 MULTI: Learn: 10.15.10.2 -> ME/92.69.213.93:62051 
            Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 MULTI: primary virtual IP for ME/92.69.213.93:62051: 10.15.10.2 
            Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 PUSH: Received control message: 'PUSH_REQUEST' 
            Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 send_push_reply(): safe_cap=940 
            Aug 9 15:51:54  openvpn  99469  mark/92.69.213.93:62051 SENT CONTROL [mark]: 'PUSH_REPLY,route 172.10.15.0 255.255.255.0,route 192.168.20.0 255.255.255.0,route 192.168.150.0 255.255.255.0,dhcp-option DOMAIN argus.local,dhcp-option DNS 192.168.20.13,dhcp-option DNS 192.168.20.15,register-dns,dhcp-option NTP 192.168.20.13,redirect-gateway def1,route-gateway 10.15.10.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.15.10.2 255.255.255.0' (status=1) 
            Aug 9 15:52:04  openvpn  99469  MANAGEMENT: Client connected from /var/etc/openvpn/server1.sock 
            Aug 9 15:52:04  openvpn  99469  MANAGEMENT: CMD 'status 2' 
            Aug 9 15:52:04  openvpn  99469  MANAGEMENT: CMD 'quit' 
            Aug 9 15:52:04  openvpn  99469  MANAGEMENT: Client disconnected

            Hope the log clears up anything. I don't have a clue what I'm missing.

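An added example, not code from this thread, pfSense or OpenVPN: a small Python checker that parses the pushed OPTIONS block from the iOS client log and the server's PUSH_REPLY line quoted above, confirms the client applied exactly the routes the server sent, and flags points worth reviewing when traffic does not flow: a route-gateway outside the ifconfig subnet, a redirect-gateway push (which needs outbound NAT for the tunnel network), and pushed routes that lie outside RFC1918 space. The sample lines are constructed from the logs in the thread with the DNS/NTP options omitted.

```python
import ipaddress
import re

# Constructed excerpts of the two logs quoted in this thread: the pushed
# OPTIONS block from the iOS client and the server's SENT CONTROL line.
CLIENT_LOG = """\
0 [route] [172.10.15.0] [255.255.255.0]
1 [route] [192.168.20.0] [255.255.255.0]
2 [route] [192.168.150.0] [255.255.255.0]
8 [redirect-gateway] [def1]
9 [route-gateway] [10.15.10.1]
10 [topology] [subnet]
13 [ifconfig] [10.15.10.2] [255.255.255.0]
"""
SERVER_LINE = ("SENT CONTROL [mark]: 'PUSH_REPLY,route 172.10.15.0 255.255.255.0,"
               "route 192.168.20.0 255.255.255.0,route 192.168.150.0 255.255.255.0,"
               "redirect-gateway def1,route-gateway 10.15.10.1,topology subnet,"
               "ifconfig 10.15.10.2 255.255.255.0' (status=1)")

def parse_client_options(text):
    """'N [keyword] [arg] ...' lines -> list of (keyword, [args])."""
    opts = []
    for line in text.splitlines():
        fields = re.findall(r"\[([^\]]*)\]", line)
        if fields:
            opts.append((fields[0], fields[1:]))
    return opts

def parse_push_reply(line):
    """Server 'PUSH_REPLY,opt a b,...' string -> the same (keyword, [args]) form."""
    body = line.split("PUSH_REPLY,", 1)[1].split("'", 1)[0]
    return [(p.split()[0], p.split()[1:]) for p in body.split(",") if p.strip()]

def check_push(opts):
    """Consistency checks on a pushed option set; returns a list of findings."""
    findings = []
    kw = dict(opts)  # last value wins; the repeated 'route' entries are walked below
    if "ifconfig" in kw and "route-gateway" in kw:
        tun = ipaddress.ip_interface(f"{kw['ifconfig'][0]}/{kw['ifconfig'][1]}")
        gw = ipaddress.ip_address(kw["route-gateway"][0])
        if gw not in tun.network:
            findings.append(f"route-gateway {gw} not inside tunnel net {tun.network}")
    if "redirect-gateway" in kw:
        findings.append("redirect-gateway pushed: all client traffic enters the tunnel, "
                        "confirm outbound NAT covers the tunnel network")
    for key, args in opts:
        if key == "route":
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            if not net.is_private:
                findings.append(f"route {net} is not RFC1918 space, verify it")
    return findings

def routes_match(client_opts, server_opts):
    """True when the client applied exactly the routes the server pushed."""
    pick = lambda o: sorted(tuple(a) for k, a in o if k == "route")
    return pick(client_opts) == pick(server_opts)
```

Feed it the full OPTIONS block and PUSH_REPLY line from a failing session and compare the findings against the firewall and NAT rules on the LAN and OpenVPN interfaces.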