[Resolved] List of Local Networks not pushed to remote access VPN clients



  • Hi,
    I want to achieve split tunneling so that traffic from VPN clients destined for the networks below is passed through the tunnel.

    192.168.4.0/24, 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24; these are specified in the OpenVPN configuration in the "IPv4 Local Network/s" field.

    However, when the VPN clients connect, none of the above networks (except 4.0/24) are reachable. traceroute and the host routing table show that it is using the locally installed default gateway and no route for those networks is pushed to the clients.

    EDIT after it was resolved:
    Resolved by running the OpenVPN client with admin privileges.



  • Hi,
    What type of client is it?

    Are the subnets that are not routed over the VPN part of the client's LAN network?

    Post your server and client config.



  • @viragomann:

    Hi,
    What type of client is it?

    Are the subnets that are not routed over the VPN part of the client's LAN network?

    Post your server and client config.

    Windows 7 using the OpenVPN client (from the client export wizard).

    Regarding the subnets: these are client subnets on different interfaces on the router (the one which is 192.168.4.0/24 and is accessible to VPN clients is on the LAN interface; the other 4 are virtual APs broadcast from a wifi adapter running in AP mode).

    ![1- open vpn confis.PNG](/public/imported_attachments/1/1- open vpn confis.PNG)
    ![2- open vpn confis.PNG](/public/imported_attachments/1/2- open vpn confis.PNG)
    ![3- open vpn confis.PNG](/public/imported_attachments/1/3- open vpn confis.PNG)
    ![4 interfaces.PNG](/public/imported_attachments/1/4 interfaces.PNG)



  • With this configuration all routes for your subnets should be pushed correctly.
    Have you checked the client network? Do the subnets you are trying to push cross local subnets?
    Post the routing table.

    Maybe the settings are not added to the server config file properly. You can find it at /var/etc/openvpn/server1.conf for the first server, server2.conf for the second, and so on.



  • For server1 the output is below (for server2 it says it doesn't exist):

    dev ovpns1
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local x.x.x.x
    tls-server
    server 192.168.99.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'Local Database' false server1" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'mydnsname' 1 "
    lport 1195
    management /var/etc/openvpn/server1.sock unix
    max-clients 100
    push "route 192.168.4.0 255.255.255.0"
    push "route 192.168.11.0 255.255.255.0"
    push "route 192.168.12.0 255.255.255.0"
    push "route 192.168.13.0 255.255.255.0"
    push "route  0.0.0.0"
    push "dhcp-option DNS 192.168.4.10"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.2048
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    persist-remote-ip
    float

    While I do not have the output of the routing table to show here, I checked the VPN from two different systems and routes to the other subnets were not pushed into the routing table on either system. I checked it multiple times.
    (Checked on Windows 7 and 8.)

    However, I will post the host routing table tomorrow when I get access to an external network.
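The push lines in the server config above are generated from the "IPv4 Local Network/s" field, and the odd `push "route  0.0.0.0"` entry is the kind of thing a linter catches before anyone has to debug it on a client. The following is an added example, not code from this thread or from pfSense: it converts a comma-separated CIDR list into `push "route ..."` directives and checks the push lines of a config for arguments OpenVPN would misinterpret. It assumes that an empty list element (such as the one a trailing comma leaves behind) is what produced the malformed line; the excerpt constant is a constructed copy of the push lines posted above.

```python
import ipaddress
import re

# Matches an OpenVPN push "route ..." directive and captures its arguments.
PUSH_ROUTE_RE = re.compile(r'^\s*push\s+"route\s+(.*?)"\s*$')

# Constructed excerpt of the server config posted above (push lines only),
# including the malformed line that a trailing comma is assumed to produce.
SERVER_PUSH_EXCERPT = """\
push "route 192.168.4.0 255.255.255.0"
push "route 192.168.11.0 255.255.255.0"
push "route 192.168.12.0 255.255.255.0"
push "route 192.168.13.0 255.255.255.0"
push "route  0.0.0.0"
push "dhcp-option DNS 192.168.4.10"
"""


def local_networks_to_push(field: str) -> list:
    """Turn a comma-separated CIDR list, as typed into the pfSense
    "IPv4 Local Network/s" field, into push "route" directives.

    Empty elements (a trailing or doubled comma) are skipped instead of
    being emitted as a route with an empty address; an entry with host
    bits set (e.g. 192.168.4.10/24) is rejected so the typo is caught on
    the server rather than silently pushing the wrong network."""
    pushes = []
    for raw in field.split(","):
        item = raw.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=True)
        if net.version != 4:
            raise ValueError(f"expected an IPv4 network, got {item!r}")
        pushes.append(f'push "route {net.network_address} {net.netmask}"')
    return pushes


def lint_push_routes(config_text: str) -> list:
    """Return (line_number, line, problem) for each push "route" directive
    that would not push what the administrator intended."""
    problems = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = PUSH_ROUTE_RE.match(line)
        if m is None:
            continue
        args = m.group(1).split()
        if not args:
            problems.append((lineno, line.strip(), "no network given"))
            continue
        network = args[0]
        if len(args) < 2:
            # OpenVPN's --route defaults a missing netmask to 255.255.255.255,
            # i.e. a single-host route, which is rarely what was meant.
            problems.append((lineno, line.strip(),
                             "netmask missing (defaults to a /32 host route)"))
            netmask = "255.255.255.255"
        else:
            netmask = args[1]
        try:
            net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
        except ValueError as exc:
            problems.append((lineno, line.strip(), f"invalid route: {exc}"))
            continue
        if net.network_address == ipaddress.IPv4Address("0.0.0.0") and net.prefixlen != 0:
            problems.append((lineno, line.strip(),
                             "route to the unspecified address 0.0.0.0"))
    return problems


if __name__ == "__main__":
    field = "192.168.4.0/24,192.168.11.0/24,192.168.12.0/24, 192.168.13.0/24,"
    for directive in local_networks_to_push(field):
        print(directive)
    for lineno, line, problem in lint_push_routes(SERVER_PUSH_EXCERPT):
        print(f"line {lineno}: {line}: {problem}")
```

Run it against `/var/etc/openvpn/server1.conf` after saving the OpenVPN server settings: the trailing-comma field yields exactly four directives, and the linter reports line 5 of the excerpt twice (netmask missing, and a route to 0.0.0.0 that is not a default route). The `strict=True` network parsing is deliberate: `192.168.4.10/24` is rejected rather than being rewritten to `192.168.4.0/24`, so a mistyped entry is visible on the server instead of surfacing as an unexplained missing route on a client.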



  • If you have only one OpenVPN server configured, only server1.conf is present.

    I don't understand the line

    push "route  0.0.0.0"
    

    in the server config. That is not a correct push command; the subnet mask is missing.
    Have you entered "0.0.0.0" in local networks?



  • @viragomann:

    If you have only one OpenVPN server configured, only server1.conf is present.

    I don't understand the line

    push "route  0.0.0.0"
    

    in the server config. That is not a correct push command; the subnet mask is missing.
    Have you entered "0.0.0.0" in local networks?

    Here is the route print result:

    ===========================================================================
    Interface List
    16...00 ff e4 d0 b3 28 ......TAP-Windows Adapter V9
    11...b0 83 fe 65 a8 28 ......Realtek PCIe GBE Family Controller
    14...0a 00 27 00 00 00 ......VirtualBox Host-Only Ethernet Adapter
      1...........................Software Loopback Interface 1
    12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
    13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
    15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
    17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3

    IPv4 Route Table

    Active Routes:
    Network Destination        Netmask          Gateway      Interface  Metric
              0.0.0.0          0.0.0.0      10.11.26.49      10.11.26.62    276
          10.11.26.48  255.255.255.240        On-link      10.11.26.62    276
          10.11.26.62  255.255.255.255        On-link      10.11.26.62    276
          10.11.26.63  255.255.255.255        On-link      10.11.26.62    276
            127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
            127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
      127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
        192.168.56.0    255.255.255.0        On-link      192.168.56.1    266
        192.168.56.1  255.255.255.255        On-link      192.168.56.1    266
      192.168.56.255  255.255.255.255        On-link      192.168.56.1    266
        192.168.99.4  255.255.255.252        On-link      192.168.99.6    276
        192.168.99.6  255.255.255.255        On-link      192.168.99.6    276
        192.168.99.7  255.255.255.255        On-link      192.168.99.6    276

            224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
            224.0.0.0        240.0.0.0        On-link      10.11.26.62    276
            224.0.0.0        240.0.0.0        On-link      192.168.56.1    266
            224.0.0.0        240.0.0.0        On-link      192.168.99.6    276
      255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      255.255.255.255  255.255.255.255        On-link      10.11.26.62    276
      255.255.255.255  255.255.255.255        On-link      192.168.56.1    266
      255.255.255.255  255.255.255.255        On-link      192.168.99.6    276

    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0      10.11.26.49  Default

    IPv6 Route Table

    Active Routes:
    If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
    11    276 fe80::/64                On-link
    14    266 fe80::/64                On-link
    16    276 fe80::/64                On-link
    14    266 fe80::2450:aaf9:b1fd:2c90/128
                                        On-link
    16    276 fe80::a5ca:eb89:d193:2b8b/128
                                        On-link
    11    276 fe80::e8bc:44bc:b736:2cd2/128
                                        On-link
      1    306 ff00::/8                On-link
    11    276 ff00::/8                On-link
    14    266 ff00::/8                On-link
    16    276 ff00::/8                On-link

    Persistent Routes:
      None



  • @Snailkhan:

    @viragomann:

    If you have only one OpenVPN server configured, only server1.conf is present.

    I don't understand the line

    push "route  0.0.0.0"
    

    in the server config. That is not a correct push command; the subnet mask is missing.
    Have you entered "0.0.0.0" in local networks?

    Regarding the 0.0.0.0 route, I have not entered it anywhere.

    In "IPv4 Local Network/s" the following is entered:
    192.168.4.0/24,192.168.11.0/24,192.168.12.0/24, 192.168.13.0/24,

    as shown in the snaps above as well.
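The `route print` output above is the definitive check on the client side: a pushed route shows up as an Active Routes row whose Interface column is the TAP adapter's tunnel address (192.168.99.6 here), and none of the four local networks has one. The following is an added example, not code from this thread: it parses the IPv4 section of `route print` and reports which expected networks have no route (exact or covering) through the tunnel interface. The sample table is an abbreviated copy of the one posted above; the "after push" variant and its gateway 192.168.99.5 (the net30 peer of 192.168.99.6) are constructed to show the check passing.

```python
import ipaddress
import re

# One "Active Routes" row of Windows `route print`: destination, netmask,
# gateway (an address or "On-link"), interface address, metric.
ROUTE_LINE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

# What the server config above pushes, and the tunnel network it uses.
EXPECTED_LOCAL_NETWORKS = ["192.168.4.0/24", "192.168.11.0/24",
                           "192.168.12.0/24", "192.168.13.0/24"]
TUNNEL_NETWORK = "192.168.99.0/24"

# Abbreviated copy of the IPv4 table posted above (same values, fewer rows).
ROUTE_PRINT_SAMPLE = """\
IPv4 Route Table

Active Routes:
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0      10.11.26.49      10.11.26.62    276
      10.11.26.48  255.255.255.240        On-link      10.11.26.62    276
        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
     192.168.56.0    255.255.255.0        On-link      192.168.56.1    266
     192.168.99.4  255.255.255.252        On-link      192.168.99.6    276
     192.168.99.6  255.255.255.255        On-link      192.168.99.6    276
        224.0.0.0        240.0.0.0        On-link      192.168.99.6    276

Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      10.11.26.49  Default
"""

# Constructed: the same table after the client has installed one pushed
# route (net30 topology, so the peer 192.168.99.5 is the gateway).
ROUTE_PRINT_WITH_PUSHED_ROUTE = ROUTE_PRINT_SAMPLE + (
    "     192.168.11.0    255.255.255.0     192.168.99.5     192.168.99.6     20\n"
)


def parse_ipv4_routes(route_print: str) -> list:
    """Parse the Active Routes rows of `route print` into dicts."""
    routes = []
    for line in route_print.splitlines():
        m = ROUTE_LINE_RE.match(line)
        if m is None:
            continue  # headers, interface list, IPv6 section, persistent routes
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,
            "interface": ipaddress.ip_address(iface),
            "metric": int(metric),
        })
    return routes


def tunnel_interface_address(routes: list, tunnel_net: str):
    """Address the client was given inside the VPN tunnel network, or None
    if no row uses a tunnel address (the adapter is down or not connected)."""
    tunnel = ipaddress.ip_network(tunnel_net)
    for r in routes:
        if r["interface"] in tunnel:
            return r["interface"]
    return None


def missing_vpn_routes(route_print: str, expected_cidrs: list, tunnel_net: str) -> list:
    """Return the expected networks with no route (exact or covering) that
    leaves through the tunnel interface. A default route pushed by
    redirect-gateway via the tunnel would cover all of them."""
    tunnel = ipaddress.ip_network(tunnel_net)
    routes = parse_ipv4_routes(route_print)
    missing = []
    for cidr in expected_cidrs:
        want = ipaddress.ip_network(cidr)
        if not any(r["interface"] in tunnel and want.subnet_of(r["network"])
                   for r in routes):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    routes = parse_ipv4_routes(ROUTE_PRINT_SAMPLE)
    print("tunnel address:", tunnel_interface_address(routes, TUNNEL_NETWORK))
    print("missing:", missing_vpn_routes(ROUTE_PRINT_SAMPLE, EXPECTED_LOCAL_NETWORKS, TUNNEL_NETWORK))
    print("after push:", missing_vpn_routes(ROUTE_PRINT_WITH_PUSHED_ROUTE,
                                            EXPECTED_LOCAL_NETWORKS, TUNNEL_NETWORK))
```

On the table posted above this reports all four networks as missing while still finding the tunnel address 192.168.99.6, which is the signature of this thread's problem: the adapter is up and addressed, but the client process could not install the pushed routes. If the tunnel address itself were None, the problem would be the connection rather than route installation.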



  • So there isn't any route pushed to the client.

    @Snailkhan:

    In "IPv4 Local Network/s" the following is entered:
    192.168.4.0/24,192.168.11.0/24,192.168.12.0/24, 192.168.13.0/24,

    as shown in the snaps above as well.

    Do you have a comma there at the end of the line? Try to delete it.



  • @viragomann:

    So there isn't any route pushed to the client.

    @Snailkhan:

    In "IPv4 Local Network/s" the following is entered:
    192.168.4.0/24,192.168.11.0/24,192.168.12.0/24, 192.168.13.0/24,

    as shown in the snaps above as well.

    Do you have a comma there at the end of the line? Try to delete it.

    Yes, no route is pushed to the clients. I had a comma at the end; removed it, still the same issue.
    Attached are the IP settings.
    I cannot ping the DHCP server IP shown above when on the VPN, since no route to it is installed and the default route takes it via the local network.

    ![vpn network ip settings.PNG](/public/imported_attachments/1/vpn network ip settings.PNG)



  • Maybe it's a stupid question, but have you executed the OpenVPN client as administrator? (right click -> Run as administrator). The routes cannot be added as a normal user.

    I have a similar configuration on my server, and using this config file it is working:

    remote serverIP port
    client
    resolv-retry infinite
    
    ;dev tap
    dev tun
    
    ;proto tcp
    proto udp
    
    nobind
    
    # Try to preserve some state across restarts.
    persist-key
    persist-tun
    
    # Verify that the server has a Server-type certificate
    ns-cert-type server
    
    # Server TLS key
    tls-auth tls-file.key 1
    
    # Client configuration
    #tls-client
    
    ca ServerCA.crt
    cert User.crt
    key User.key
    
    # Server connection options
    cipher AES-256-CBC
    link-mtu 1558
    keysize 256
    comp-lzo
    
    # Set log file verbosity.
    verb 3
    

    Running as admin on a Windows client, the routes are pushed from the server without problem.

    Greetings!!



  • @Danixu86:

    Maybe it's a stupid question, but have you executed the OpenVPN client as administrator? (right click -> Run as administrator). The routes cannot be added as a normal user.


    Awesome, as soon as I ran the OpenVPN utility with admin privileges the routes were pushed properly.

    Thanks a lot.



  • You're welcome ;)

    The best for end users is to configure the app to always run as administrator (Right click -> Properties -> Compatibility -> Run as administrator), or just enable the service in the services manager to connect at Windows startup.

    Greetings!!

