[Resolved] list of Local Networks not pushed to remote acces vpn clients

Snailkhan

Hi,
I want to achieve split tunneling so that traffic destined from vpn clients to below networks is passed through tunnel.

192.168.4.0/24,192.168.11.0/24,192.168.12.0/24, 192.168.13.0/24, these are specified in openvpn configuration in "IPv4 Local Network/s" field.

However when the vpn clients connect non of above networks ( except 4.0/24 )  are reachable. traceroute and host routing table shows that  it is using locally installed default gateway and no route for those networks is pushed to clients.

EDIT after it is resolved.
Resolved by running openvpn client with admin privilidges

viragomann

Hi,
what type of client is it?

Are the subnets, which are not routed over vpn, part of the clients LAN network?

Post your server and client config.

Snailkhan

@viragomann:

Hi,
what type of client is it?

Are the subnets, which are not routed over vpn, part of the clients LAN network?

Post your server and client config.

windows 7 using openvpn client (from client export wizard)

regarding subnets .. these are client subnets on different interfaces on rotuer (one which is 192.168.4.0/24 and is accessible on vpn clients is on Lan interface.. 4 are virtual AP's broadcasted from a wifi adapter running in ap mode.


viragomann

With this configuration all routes for your subnets should be pushed correctly.
Have you check the client network? Do the subnets you are trying to push cross local subnets?
Post the routing table.

Maybe the settings are not added to the server config file properly. You can find it at /var/etc/openvpn/server1.conf for the first server, server2.conf for the second and so on.

Snailkhan

for server1 below is output (server2 it says doesn't exists)

dev ovpns1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local x.x.x.x
tls-server
server 192.168.99.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'mydnsname' 1 "
lport 1195
management /var/etc/openvpn/server1.sock unix
max-clients 100
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.11.0 255.255.255.0"
push "route 192.168.12.0 255.255.255.0"
push "route 192.168.13.0 255.255.255.0"
push "route  0.0.0.0"
push "dhcp-option DNS 192.168.4.10"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1.tls-auth 0
persist-remote-ip
float

while i do not have the output of routing table to show here but i checked vpn from two differnet systems and routes to other subnets were not pushed into routing table on both systems. i checked it multiple times.
(checked on windows 7 and 8 )

however i will post host routing table tomorrow when i get access to external network ..

viragomann

If you have only one ovpn server configured there is only the server1.conf present.

I don't understand the line

push "route  0.0.0.0"

in the server config. That is no correct push command, there is the subnet mask missing.
Have you entered "0.0.0.0" at local networks?

Snailkhan

@viragomann:

If you have only one ovpn server configured there is only the server1.conf present.

I don't understand the line

push "route  0.0.0.0"

in the server config. That is no correct push command, there is the subnet mask missing.
Have you entered "0.0.0.0" at local networks?

Here is route print result

===========================================================================
Interface List
16…00 ff e4 d0 b3 28 ......TAP-Windows Adapter V9
11...b0 83 fe 65 a8 28 ......Realtek PCIe GBE Family Controller
14...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter
  1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3

IPv4 Route Table

Active Routes:
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0      10.11.26.49      10.11.26.62    276
      10.11.26.48  255.255.255.240        On-link      10.11.26.62    276
      10.11.26.62  255.255.255.255        On-link      10.11.26.62    276
      10.11.26.63  255.255.255.255        On-link      10.11.26.62    276
        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
    192.168.56.0    255.255.255.0        On-link      192.168.56.1    266
    192.168.56.1  255.255.255.255        On-link      192.168.56.1    266
  192.168.56.255  255.255.255.255        On-link      192.168.56.1    266
    192.168.99.4  255.255.255.252        On-link      192.168.99.6    276
    192.168.99.6  255.255.255.255        On-link      192.168.99.6    276
    192.168.99.7  255.255.255.255        On-link      192.168.99.6    276
        224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0        On-link      10.11.26.62    276
        224.0.0.0        240.0.0.0        On-link      192.168.56.1    266
        224.0.0.0        240.0.0.0        On-link      192.168.99.6    276
  255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255        On-link      10.11.26.62    276
  255.255.255.255  255.255.255.255        On-link      192.168.56.1    266
  255.255.255.255  255.255.255.255        On-link      192.168.99.6    276

Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      10.11.26.49  Default

IPv6 Route Table

Active Routes:
If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
11    276 fe80::/64                On-link
14    266 fe80::/64                On-link
16    276 fe80::/64                On-link
14    266 fe80::2450:aaf9:b1fd:2c90/128
                                    On-link
16    276 fe80::a5ca:eb89:d193:2b8b/128
                                    On-link
11    276 fe80::e8bc:44bc:b736:2cd2/128
                                    On-link
  1    306 ff00::/8                On-link
11    276 ff00::/8                On-link
14    266 ff00::/8                On-link
16    276 ff00::/8                On-link

Persistent Routes:
  None

Snailkhan

@Snailkhan:

@viragomann:

If you have only one ovpn server configured there is only the server1.conf present.

I don't understand the line

push "route  0.0.0.0"

in the server config. That is no correct push command, there is the subnet mask missing.
Have you entered "0.0.0.0" at local networks?

Here is route print result

===========================================================================
Interface List
16…00 ff e4 d0 b3 28 ......TAP-Windows Adapter V9
11...b0 83 fe 65 a8 28 ......Realtek PCIe GBE Family Controller
14...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter
  1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3

IPv4 Route Table

Active Routes:
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0      10.11.26.49      10.11.26.62    276
      10.11.26.48  255.255.255.240        On-link      10.11.26.62    276
      10.11.26.62  255.255.255.255        On-link      10.11.26.62    276
      10.11.26.63  255.255.255.255        On-link      10.11.26.62    276
        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
    192.168.56.0    255.255.255.0        On-link      192.168.56.1    266
    192.168.56.1  255.255.255.255        On-link      192.168.56.1    266
  192.168.56.255  255.255.255.255        On-link      192.168.56.1    266
    192.168.99.4  255.255.255.252        On-link      192.168.99.6    276
    192.168.99.6  255.255.255.255        On-link      192.168.99.6    276
    192.168.99.7  255.255.255.255        On-link      192.168.99.6    276
        224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0        On-link      10.11.26.62    276
        224.0.0.0        240.0.0.0        On-link      192.168.56.1    266
        224.0.0.0        240.0.0.0        On-link      192.168.99.6    276
  255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255        On-link      10.11.26.62    276
  255.255.255.255  255.255.255.255        On-link      192.168.56.1    266
  255.255.255.255  255.255.255.255        On-link      192.168.99.6    276

Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      10.11.26.49  Default

IPv6 Route Table

Active Routes:
If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
11    276 fe80::/64                On-link
14    266 fe80::/64                On-link
16    276 fe80::/64                On-link
14    266 fe80::2450:aaf9:b1fd:2c90/128
                                    On-link
16    276 fe80::a5ca:eb89:d193:2b8b/128
                                    On-link
11    276 fe80::e8bc:44bc:b736:2cd2/128
                                    On-link
  1    306 ff00::/8                On-link
11    276 ff00::/8                On-link
14    266 ff00::/8                On-link
16    276 ff00::/8                On-link

Persistent Routes:
  None

regarding 0.0.0.0 route i have not entered it anywhere.

in "IPv4 Local Network/s" below is entered.
192.168.4.0/24,192.168.11.0/24,192.168.12.0/24, 192.168.13.0/24,

as shown in above snaps as well.

viragomann

So there isn't any route pushed to the client.

@Snailkhan:

in "IPv4 Local Network/s" below is entered.
192.168.4.0/24,192.168.11.0/24,192.168.12.0/24, 192.168.13.0/24,

as shown in above snaps as well.

Do you have a comma there at the end of the line? Try to delete it.

Snailkhan

@viragomann:

So there isn't any route pushed to the client.

@Snailkhan:

in "IPv4 Local Network/s" below is entered.
192.168.4.0/24,192.168.11.0/24,192.168.12.0/24, 192.168.13.0/24,

as shown in above snaps as well.

Do you have a comma there at the end of the line? Try to delete it.

yes no route is pused to the clients. i had a comma at the end removed it.. still same issue.
attached are ip settings.
i cannnot ping the dhcp server ip shown above when on vpn since no route to it is installed and default route to takes it via local network.


Danixu86

Maybe is a stupid question but, have you executed the openvpn client as administrator? (right click -> run as administrator). The routes cannot be added as normal user.

I've a similar configuracion on my server and using this config file is working:

remote serverIP port
client
resolv-retry infinite

;dev tap
dev tun

;proto tcp
proto udp

nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# Verifica que el servidor tiene certificado del tipo Server
ns-cert-type server

# Clave TLS del servidor
tls-auth tls-file.key 1

# Configuración del cliente
#tls-client

ca ServerCA.crt
cert User.crt
key User.key

# Opciones de conexión con el servidor
cipher AES-256-CBC
link-mtu 1558
keysize 256
comp-lzo

# Set log file verbosity.
verb 3

Running as admin on a Windows client the routes are pushed from server without problem.

Greetings!!

Snailkhan

@Danixu86:

Maybe is a stupid question but, have you executed the openvpn client as administrator? (right click -> run as administrator). The routes cannot be added as normal user.

I've a similar configuracion on my server and using this config file is working:

remote serverIP port
client
resolv-retry infinite

;dev tap
dev tun

;proto tcp
proto udp

nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# Verifica que el servidor tiene certificado del tipo Server
ns-cert-type server

# Clave TLS del servidor
tls-auth tls-file.key 1

# Configuración del cliente
#tls-client

ca ServerCA.crt
cert User.crt
key User.key

# Opciones de conexión con el servidor
cipher AES-256-CBC
link-mtu 1558
keysize 256
comp-lzo

# Set log file verbosity.
verb 3

Running as admin on a Windows client the routes are pushed from server without problem.

Greetings!!

Awesome as soon as i ran it OpenVPN utility with admin privileges routes were pushed properly

thanks a lot.

Danixu86

You're welcome  ;)

The best for final users is to configure the app to run as administrator always (Right click -> properties -> Compatibility -> Run as admin), or just enable the service on services manager to connect at windows startup.

Greetings!!