OpenVPN provider - redirect gateway
-
Hi
I am trying to route all my LAN traffic through an OpenVPN provider like perfect-privacy.
To me it looks like there is something blocking the traffic through this tunnel. If I connect with the OpenVPN client I can't open any website.
Anyway, I can't ping any public domain or IP, but DNS works.
If I ping google.com I see the resolved IP but get no ping answer. I already tried to play around with the AON settings but no luck.
Here is the OpenVPN log:
Feb 5 18:55:04 openvpn[25458]: real_hash_size = 256
Feb 5 18:55:04 openvpn[25458]: virtual_hash_size = 256
Feb 5 18:55:04 openvpn[25458]: client_connect_script = '[UNDEF]'
Feb 5 18:55:04 openvpn[25458]: learn_address_script = '[UNDEF]'
Feb 5 18:55:04 openvpn[25458]: client_disconnect_script = '[UNDEF]'
Feb 5 18:55:04 openvpn[25458]: client_config_dir = '[UNDEF]'
Feb 5 18:55:04 openvpn[25458]: ccd_exclusive = DISABLED
Feb 5 18:55:04 openvpn[25458]: tmp_dir = '/tmp'
Feb 5 18:55:04 openvpn[25458]: push_ifconfig_defined = DISABLED
Feb 5 18:55:04 openvpn[25458]: push_ifconfig_local = 0.0.0.0
Feb 5 18:55:04 openvpn[25458]: push_ifconfig_remote_netmask = 0.0.0.0
Feb 5 18:55:04 openvpn[25458]: push_ifconfig_ipv6_defined = DISABLED
Feb 5 18:55:04 openvpn[25458]: push_ifconfig_ipv6_local = ::/0
Feb 5 18:55:04 openvpn[25458]: push_ifconfig_ipv6_remote = ::
Feb 5 18:55:04 openvpn[25458]: enable_c2c = DISABLED
Feb 5 18:55:04 openvpn[25458]: duplicate_cn = DISABLED
Feb 5 18:55:04 openvpn[25458]: cf_max = 0
Feb 5 18:55:04 openvpn[25458]: cf_per = 0
Feb 5 18:55:04 openvpn[25458]: max_clients = 1024
Feb 5 18:55:04 openvpn[25458]: max_routes_per_client = 256
Feb 5 18:55:04 openvpn[25458]: auth_user_pass_verify_script = '[UNDEF]'
Feb 5 18:55:04 openvpn[25458]: auth_user_pass_verify_script_via_file = DISABLED
Feb 5 18:55:04 openvpn[25458]: ssl_flags = 0
Feb 5 18:55:04 openvpn[25458]: port_share_host = '[UNDEF]'
Feb 5 18:55:04 openvpn[25458]: port_share_port = 0
Feb 5 18:55:04 openvpn[25458]: client = ENABLED
Feb 5 18:55:04 openvpn[25458]: pull = ENABLED
Feb 5 18:55:04 openvpn[25458]: auth_user_pass_file = '/conf/perfect-privacy.pas'
Feb 5 18:55:04 openvpn[25458]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Feb 5 18:55:04 openvpn[25458]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client3.sock
Feb 5 18:55:04 openvpn[25458]: WARNING: file '/conf/perfect-privacy.pas' is group or others accessible
Feb 5 18:55:04 openvpn[25458]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 5 18:55:04 openvpn[25458]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Feb 5 18:55:04 openvpn[25458]: Control Channel Authentication: using '/var/etc/openvpn/client3.tls-auth' as a OpenVPN static key file
Feb 5 18:55:04 openvpn[25458]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 5 18:55:04 openvpn[25458]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 5 18:55:04 openvpn[25458]: Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
Feb 5 18:55:04 openvpn[25458]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Feb 5 18:55:04 openvpn[25458]: RESOLVE: NOTE: moscow.perfect-privacy.com resolves to 3 addresses
Feb 5 18:55:04 openvpn[25458]: Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Feb 5 18:55:04 openvpn[25458]: Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Feb 5 18:55:04 openvpn[25458]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Feb 5 18:55:04 openvpn[25458]: Local Options hash (VER=V4): 'ed844052'
Feb 5 18:55:04 openvpn[25458]: Expected Remote Options hash (VER=V4): '8a244582'
Feb 5 18:55:04 openvpn[25739]: UDPv4 link local (bound): [AF_INET]192.168.178.22:50013
Feb 5 18:55:04 openvpn[25739]: UDPv4 link remote: [AF_INET]192.162.100.209:1149
Feb 5 18:55:05 openvpn[25739]: TLS: Initial packet from [AF_INET]192.162.100.209:1149, sid=0dffcb99 ea51437a
Feb 5 18:55:05 openvpn[25739]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 5 18:55:06 openvpn[25739]: VERIFY OK: depth=1, /C=NZ/ST=Glenside/L=Wellington/O=PP_Internet_Services/OU=PP_Security_Department/CN=ppca/emailAddress=admin@perfect-privacy.com
Feb 5 18:55:06 openvpn[25739]: VERIFY OK: depth=0, /C=NZ/ST=Glenside/O=PP_Internet_Services/OU=PP_Security_Department/CN=ppserver/emailAddress=admin@perfect-privacy.com
Feb 5 18:55:18 openvpn[25739]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1562'
Feb 5 18:55:18 openvpn[25739]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Feb 5 18:55:18 openvpn[25739]: WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
Feb 5 18:55:18 openvpn[25739]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 5 18:55:18 openvpn[25739]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 5 18:55:18 openvpn[25739]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Feb 5 18:55:18 openvpn[25739]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 5 18:55:18 openvpn[25739]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Feb 5 18:55:18 openvpn[25739]: [ppserver] Peer Connection Initiated with [AF_INET]192.162.100.209:1149
Feb 5 18:55:20 openvpn[25739]: SENT CONTROL [ppserver]: 'PUSH_REQUEST' (status=1)
Feb 5 18:55:21 openvpn[25739]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 4.2.2.4,route 10.0.16.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.16.14 10.0.16.13'
Feb 5 18:55:21 openvpn[25739]: OPTIONS IMPORT: timers and/or timeouts modified
Feb 5 18:55:21 openvpn[25739]: OPTIONS IMPORT: --ifconfig/up options modified
Feb 5 18:55:21 openvpn[25739]: OPTIONS IMPORT: route options modified
Feb 5 18:55:21 openvpn[25739]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Feb 5 18:55:21 openvpn[25739]: ROUTE default_gateway=192.168.178.1
Feb 5 18:55:21 openvpn[25739]: TUN/TAP device /dev/tun3 opened
Feb 5 18:55:21 openvpn[25739]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb 5 18:55:21 openvpn[25739]: /sbin/ifconfig ovpnc3 10.0.16.14 10.0.16.13 mtu 1500 netmask 255.255.255.255 up
Feb 5 18:55:21 openvpn[25739]: /usr/local/sbin/ovpn-linkup ovpnc3 1500 1557 10.0.16.14 10.0.16.13 init
Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 192.162.100.209 192.168.178.1 255.255.255.255
Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 0.0.0.0 10.0.16.13 128.0.0.0
Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 128.0.0.0 10.0.16.13 128.0.0.0
Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 10.0.16.1 10.0.16.13 255.255.255.255
Feb 5 18:55:21 openvpn[25739]: Initialization Sequence Completed
These are my routes before the OpenVPN connection is active:
Destination        Gateway            Flags  Refs    Use      Mtu    Netif  Expire
default            192.168.178.1      UGS    0       537611   1500   vr1
127.0.0.1          link#5             UH     0       1009     16384  lo0
192.168.1.0/24     link#1             U      0       8769280  1500   vr0
192.168.1.1        link#1             UHS    0       0        16384  lo0
192.168.178.0/24   link#2             U      0       1        1500   vr1
192.168.178.1      00:0d:b9:23:01:1d  UHS    0       88556    1500   vr1
192.168.178.22     link#2             UHS    0       0        16384  lo0
Here are the routes after initializing the tunnel:
Destination        Gateway            Flags  Refs    Use      Mtu    Netif  Expire
0.0.0.0/1          10.0.16.73         UGS    0       177      1500   ovpnc3 =>
default            192.168.178.1      UGS    0       538564   1500   vr1
10.0.16.1/32       10.0.16.73         UGS    0       0        1500   ovpnc3
10.0.16.73         link#11            UH     0       0        1500   ovpnc3
10.0.16.74         link#11            UHS    0       0        16384  lo0
95.128.242.224/32  192.168.178.1      UGS    0       59       1500   vr1
127.0.0.1          link#5             UH     0       1027     16384  lo0
128.0.0.0/1        10.0.16.73         UGS    0       154      1500   ovpnc3
192.168.1.0/24     link#1             U      0       8770408  1500   vr0
192.168.1.1        link#1             UHS    0       0        16384  lo0
192.168.178.0/24   link#2             U      0       1        1500   vr1
192.168.178.1      00:0d:b9:23:01:1d  UHS    0       88678    1500   vr1
192.168.178.22     link#2             UHS    0       0        16384  lo0
Does anybody have experience with problems like this?
I am thankful for every hint in the right direction!
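As an added example (not code from the post, from pfSense or from OpenVPN), the following Python script runs the checks a reader would want over a client log like the one above: it extracts the pushed options, confirms that "redirect-gateway def1" really produced both half-space routes (0.0.0.0/1 and 128.0.0.0/1) via the tunnel peer, and maps each WARNING line to the configuration change that addresses it. The sample lines are copied from the log in the post; the WARNING-to-fix mapping is this example's own summary of standard OpenVPN options (remote-cert-tls, auth-nocache) and file permissions, not something the post states.

```python
"""Sanity and security checks over an OpenVPN client log (added example)."""
import re

# Sample input: lines copied from the log quoted in the post above.
LOG = """\
Feb 5 18:55:04 openvpn[25458]: WARNING: file '/conf/perfect-privacy.pas' is group or others accessible
Feb 5 18:55:04 openvpn[25458]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 5 18:55:05 openvpn[25739]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Feb 5 18:55:18 openvpn[25739]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Feb 5 18:55:21 openvpn[25739]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.8.8,dhcp-option DNS 4.2.2.4,route 10.0.16.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.16.14 10.0.16.13'
Feb 5 18:55:21 openvpn[25739]: ROUTE default_gateway=192.168.178.1
Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 192.162.100.209 192.168.178.1 255.255.255.255
Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 0.0.0.0 10.0.16.13 128.0.0.0
Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 128.0.0.0 10.0.16.13 128.0.0.0
Feb 5 18:55:21 openvpn[25739]: /sbin/route add -net 10.0.16.1 10.0.16.13 255.255.255.255
Feb 5 18:55:21 openvpn[25739]: Initialization Sequence Completed
"""

# This example's own mapping: substring of the WARNING text -> what to change in the client config.
WARNING_FIXES = {
    "No server certificate verification method":
        "add 'remote-cert-tls server' so the client rejects a peer whose certificate "
        "is not marked for TLS server use (the MITM case the log links to)",
    "is group or others accessible":
        "restrict the credentials file to its owner (chmod 600)",
    "may cache passwords in memory":
        "add 'auth-nocache' as the log itself suggests",
    "is present in remote config but missing in local config":
        "align the option with the server; a compression/MTU mismatch can break the "
        "data channel even though 'Initialization Sequence Completed' is logged",
}

PUSH_RE = re.compile(r"PUSH_REPLY,(.*)'")
ROUTE_RE = re.compile(r"route add -net (\S+) (\S+) (\S+)")


def push_options(log):
    """Options the server pushed, e.g. ['redirect-gateway def1', 'dhcp-option DNS 8.8.8.8', ...]."""
    for line in log.splitlines():
        m = PUSH_RE.search(line)
        if m:
            return m.group(1).split(",")
    return []


def peer_address(log):
    """The tunnel peer from the pushed 'ifconfig <local> <peer>' option (net30 topology)."""
    for opt in push_options(log):
        if opt.startswith("ifconfig "):
            return opt.split()[2]
    return None


def tunnel_routes(log):
    """(network, gateway, netmask) for every 'route add -net' command OpenVPN logged."""
    return [m.groups() for line in log.splitlines() for m in [ROUTE_RE.search(line)] if m]


def def1_gateway(log):
    """'redirect-gateway def1' does not replace the default route; it adds 0.0.0.0/1 and
    128.0.0.0/1 via the tunnel peer, which win by longest prefix. Return that gateway only
    if both halves are present and agree, otherwise None."""
    halves = {net: gw for net, gw, mask in tunnel_routes(log) if mask == "128.0.0.0"}
    if halves.get("0.0.0.0") and halves.get("0.0.0.0") == halves.get("128.0.0.0"):
        return halves["0.0.0.0"]
    return None


def security_findings(log):
    """List of (warning text, suggested fix) for every WARNING line with a known fix."""
    findings = []
    for line in log.splitlines():
        if "WARNING: " not in line:
            continue
        text = line.split("WARNING: ", 1)[1]
        for needle, fix in WARNING_FIXES.items():
            if needle in text:
                findings.append((text, fix))
                break
    return findings


if __name__ == "__main__":
    gw = def1_gateway(LOG)
    print("redirect-gateway def1 pushed:", "redirect-gateway def1" in push_options(LOG))
    print("both /1 routes via tunnel peer:", gw is not None and gw == peer_address(LOG))
    for text, fix in security_findings(LOG):
        print(f"- {text}\n    fix: {fix}")
```

Run against the full log this prints that the routing side is exactly what def1 should produce (both halves via 10.0.16.13, the pushed peer), so the routing table is not the place to look; the four warnings are the items worth fixing independently of the connectivity problem.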
-
I believe this is your problem.
http://forum.pfsense.org/index.php/topic,8773.0.html
You need to use Advanced Outbound NAT (Manual NAT),
and make an entry under Firewall > NAT > Outbound which lists your OpenVPN client subnet as the source, to destinations that you specify, for example any destination.
If it's not AON, then check the OpenVPN tab under Firewall > Rules and make sure that the source OpenVPN network in question can talk to, for example, anything, or ! Local Subnet (not the local subnet but anything else).
An example of a firewall rule for the OpenVPN tab:
Proto Source Port Dest. Port GW Queue
- openvpn net * * * * none
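To make the NAT point concrete, here is an added Python example (not the reply author's code and not how pfSense or pf implement it) that models the two decisions a LAN packet goes through once the tunnel is up: the kernel's longest-prefix route lookup over the post-tunnel routing table quoted in the post, and then whether any outbound NAT entry matches the chosen egress interface and the source address. The routing table is the one from the post; the two NAT rule sets are constructed for the example, on the assumption (this example's, not the post's) that automatic outbound NAT only translates on the WAN interface (vr1), while the manual entry the reply describes adds the LAN subnet on the OpenVPN client interface (ovpnc3).

```python
"""Route lookup + outbound NAT match for LAN traffic over a def1 VPN client (added example)."""
import ipaddress

# Post-tunnel 'netstat -rn' rows copied from the post above (header row omitted).
NETSTAT_AFTER = """\
0.0.0.0/1 10.0.16.73 UGS 0 177 1500 ovpnc3 =>
default 192.168.178.1 UGS 0 538564 1500 vr1
10.0.16.1/32 10.0.16.73 UGS 0 0 1500 ovpnc3
10.0.16.73 link#11 UH 0 0 1500 ovpnc3
10.0.16.74 link#11 UHS 0 0 16384 lo0
95.128.242.224/32 192.168.178.1 UGS 0 59 1500 vr1
127.0.0.1 link#5 UH 0 1027 16384 lo0
128.0.0.0/1 10.0.16.73 UGS 0 154 1500 ovpnc3
192.168.1.0/24 link#1 U 0 8770408 1500 vr0
192.168.1.1 link#1 UHS 0 0 16384 lo0
192.168.178.0/24 link#2 U 0 1 1500 vr1
192.168.178.1 00:0d:b9:23:01:1d UHS 0 88678 1500 vr1
192.168.178.22 link#2 UHS 0 0 16384 lo0
"""

# Constructed outbound NAT rule sets as (interface, source network).
# AUTO_NAT: what automatic outbound NAT is assumed to give here (translation on WAN only).
# MANUAL_NAT: the reply's fix, an extra AON entry for the LAN subnet on the OpenVPN client interface.
AUTO_NAT = [("vr1", "192.168.1.0/24")]
MANUAL_NAT = AUTO_NAT + [("ovpnc3", "192.168.1.0/24")]


def parse_routes(text):
    """Parse FreeBSD 'netstat -rn' rows into (network, gateway, interface) tuples."""
    routes = []
    for row in text.splitlines():
        cols = row.split()
        if not cols or cols[0] == "Destination":
            continue
        dest, gw, iface = cols[0], cols[1], cols[6]
        if dest == "default":
            dest = "0.0.0.0/0"
        # Host rows such as '127.0.0.1' have no prefix length; ip_network() treats them as /32.
        routes.append((ipaddress.ip_network(dest, strict=False), gw, iface))
    return routes


def egress(routes, dst):
    """Longest-prefix match: (interface, gateway) the kernel would use to reach dst."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[2], best[1]


def will_translate(nat_rules, routes, src, dst):
    """True if some outbound NAT entry matches both the egress interface and the source address."""
    iface, _ = egress(routes, dst)
    src = ipaddress.ip_address(src)
    return any(iface == rif and src in ipaddress.ip_network(rnet) for rif, rnet in nat_rules)


def diagnose(nat_rules, routes, src, dst):
    """One-line verdict for a LAN host talking to a public address."""
    iface, gw = egress(routes, dst)
    if will_translate(nat_rules, routes, src, dst):
        return f"{src} -> {dst}: out via {iface} (gw {gw}), source translated: OK"
    return (f"{src} -> {dst}: out via {iface} (gw {gw}) with source {src} untranslated; "
            f"the provider has no route back to a private address and drops the reply")


if __name__ == "__main__":
    routes = parse_routes(NETSTAT_AFTER)
    # The /32 towards the VPN server itself stays on WAN, so the outer UDP packets never loop into the tunnel.
    print("VPN endpoint 95.128.242.224 leaves via", egress(routes, "95.128.242.224"))
    for rules, label in ((AUTO_NAT, "automatic NAT"), (MANUAL_NAT, "manual AON entry")):
        print(f"[{label}] {diagnose(rules, routes, '192.168.1.50', '8.8.8.8')}")
```

The def1 routes send 8.8.8.8 out of ovpnc3 via 10.0.16.73 in both cases, which is why the routing table in the post looks correct and yet nothing answers: with only the WAN NAT rule the packet exits the tunnel carrying the LAN source 192.168.1.50, and only the manual Outbound entry for ovpnc3 changes that.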