networking - OpenVPN - Linux client could not access internet, routing issue - Ask Ubuntu
I installed an OpenVPN server quite a while ago with the gateway option, so that all internet traffic is routed through it.
It works fine with a Windows client machine and an Android phone, but the same OpenVPN client config on an Ubuntu notebook does not seem to work. The client connects, but internet traffic does not seem to be routed.
Pinging the server works: ping 10.8.0.1
So I am not sure what is missing. I have tried the following options so far:
- added to the client route config: route 10.8.0.0/24
- added via the console: sudo route add -net 10.8.0.0/24 gw 10.8.0.1 dev tun0
- turned off the firewall on the client
Any hints are appreciated. Thanks.
Server config:
port 443
proto tcp
dev tun
ca ...
cert ...
key ...
dh ...
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status ...
log ...
verb 3
Client config:
client
dev tun
proto tcp
remote www.serverdomain.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
remote-cert-tls server
# route 10.8.0.0/24 --> adding such a route made no difference
Client ifconfig:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.10  P-t-P:10.8.0.9  Mask:255.255.255.255
          inet6 addr: fe80::b393:268c:61db:72d4/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:47 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4394 (4.3 KB)  TX bytes:7012 (7.0 KB)

wlp1s0    Link encap:Ethernet  HWaddr a4:34:d9:5c:9d:06
          inet addr:192.168.0.130  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::5e97:3a8f:9596:8c30/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24879 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17473 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:14983497 (14.9 MB)  TX bytes:2721828 (2.7 MB)
Client log output:
Thu Nov 3 21:03:25 2016 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
Thu Nov 3 21:03:25 2016 library versions: OpenSSL 1.0.2g-fips 1 Mar 2016, LZO 2.08
Thu Nov 3 21:03:25 2016 Socket Buffers: R=[87380->87380] S=[16384->16384]
Thu Nov 3 21:03:25 2016 Attempting to establish TCP connection with [AF_INET]188.62.xx.xx:443 [nonblock]
Thu Nov 3 21:03:26 2016 TCP connection established with [AF_INET]188.62.xx.xx:443
Thu Nov 3 21:03:26 2016 TCPv4_CLIENT link local: [undef]
Thu Nov 3 21:03:26 2016 TCPv4_CLIENT link remote: [AF_INET]188.62.xx.xx:443
Thu Nov 3 21:03:26 2016 TLS: Initial packet from [AF_INET]188.62.xx.xx:443, sid=ff1258e5 f87eeaf5
Thu Nov 3 21:03:26 2016 VERIFY OK: depth=1, C=CH, ST=ZH, L=Hinwil, O=xxx, OU=IT, CN=xxxx, name=xxxx, emailAddress=xxxx.ch
Thu Nov 3 21:03:26 2016 Validating certificate key usage
Thu Nov 3 21:03:26 2016 ++ Certificate has key usage 00a0, expects 00a0
Thu Nov 3 21:03:26 2016 VERIFY KU OK
Thu Nov 3 21:03:26 2016 Validating certificate extended key usage
Thu Nov 3 21:03:26 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Nov 3 21:03:26 2016 VERIFY EKU OK
Thu Nov 3 21:03:26 2016 VERIFY OK: depth=0, C=CH, ST=ZH, L=Hinwil, O=xxxx, OU=IT, CN=xxxx, name=xxxxx, emailAddress=xxxx.ch
Thu Nov 3 21:03:26 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Nov 3 21:03:26 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 3 21:03:26 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Nov 3 21:03:26 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Nov 3 21:03:26 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Nov 3 21:03:26 2016 [xxxx] Peer Connection Initiated with [AF_INET]188.62.xx.xx:443
Thu Nov 3 21:03:28 2016 SENT CONTROL [diabolo]: 'PUSH_REQUEST' (status=1)
Thu Nov 3 21:03:29 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Thu Nov 3 21:03:29 2016 OPTIONS IMPORT: timers and/or timeouts modified
Thu Nov 3 21:03:29 2016 OPTIONS IMPORT: --ifconfig/up options modified
Thu Nov 3 21:03:29 2016 OPTIONS IMPORT: route options modified
Thu Nov 3 21:03:29 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Nov 3 21:03:29 2016 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlp1s0 HWADDR=a4:34:d9:5c:9d:06
Thu Nov 3 21:03:29 2016 TUN/TAP device tun0 opened
Thu Nov 3 21:03:29 2016 TUN/TAP TX queue length set to 100
Thu Nov 3 21:03:29 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Nov 3 21:03:29 2016 /sbin/ip link set dev tun0 up mtu 1500
Thu Nov 3 21:03:29 2016 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Thu Nov 3 21:03:29 2016 /sbin/ip route add 188.62.79.43/32 via 192.168.0.1
Thu Nov 3 21:03:29 2016 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Thu Nov 3 21:03:29 2016 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Thu Nov 3 21:03:29 2016 /sbin/ip route add 10.8.0.0/24 via 10.8.0.5
Thu Nov 3 21:03:29 2016 Initialization Sequence Completed
Client netstat -rn:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.9        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 wlp1s0
10.8.0.0        10.8.0.9        255.255.255.0   UG        0 0          0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
128.0.0.0       10.8.0.9        128.0.0.0       UG        0 0          0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlp1s0
188.62.xx.xx    192.168.0.1     255.255.255.255 UGH       0 0          0 wlp1s0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp1s0
I solved the issue by lowering the "metric" of the ethernet/wifi card. You can lower the metric (priority) of the routing entries of a network card via the "route" command or by using the additional tool "ifmetric" (sudo apt-get install ifmetric), i.e. ifmetric eth0 100 (0 = highest priority).
Afterwards I recognized that the DNS entries of the OpenVPN server had not been taken over when the VPN connection was set up. I googled around and found the answer: you need to add the following lines to the config file on the Ubuntu client:
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
This updates the DNS entries in /etc/resolv.conf when the VPN connection is established, using the entries pushed by the server.
So it works like a charm.
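An added example, not from the question or the answer above, showing how the Linux kernel chooses between the routes in a table like the one in the question: the longest matching prefix wins, and the metric only breaks ties between routes of equal prefix length. It parses `route -n` style output (a constructed table modelled on the question's, with the VPN server replaced by the documentation address 203.0.113.10 and made-up metrics, both assumptions) and runs the checks a `redirect-gateway def1` client should pass: internet destinations via tun0, the VPN server itself via the LAN interface through its /32 host route. On a live client, `ip route get 8.8.8.8` performs the same lookup against the real table.

```python
import ipaddress

# Constructed sample in `route -n` format, modelled on the table in the question.
# The VPN server is replaced by the documentation address 203.0.113.10 and the
# metrics are made up (both assumptions, not the asker's real values).
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.9        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG    600    0        0 wlp1s0
10.8.0.0        10.8.0.9        255.255.255.0   UG    0      0        0 tun0
10.8.0.9        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.8.0.9        128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlp1s0
203.0.113.10    192.168.0.1     255.255.255.255 UGH   0      0        0 wlp1s0
192.168.0.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp1s0
"""

# Constructed: two default routes of equal prefix length, so only the metric
# decides. This is the case that `ifmetric` / `route ... metric N` influences.
ROUTE_N_EQUAL_PREFIX = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.9        0.0.0.0         UG    50     0        0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG    600    0        0 wlp1s0
"""


def parse_route_table(text):
    """Parse `route -n` output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue  # header lines
        dest, gw, mask, flags, metric, _ref, _use, iface = parts[:8]
        routes.append({
            "net": ipaddress.IPv4Network((dest, mask), strict=False),
            "gateway": gw if "G" in flags else None,  # None = directly on link
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Pick the route the kernel would use for dst: longest prefix wins,
    lower metric only breaks ties between equal-length prefixes."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def describe(route):
    if route is None:
        return "no route"
    via = route["gateway"] or "link"
    return f"{route['net']} via {via} dev {route['iface']} metric {route['metric']}"


def check_redirect_gateway(routes, server_ip, vpn_iface, lan_iface,
                           probes=("8.8.8.8", "1.1.1.1", "200.1.2.3")):
    """Checks a `redirect-gateway def1` client should pass. Returns a list of
    problems; empty means internet traffic goes through the tunnel while the
    tunnel itself still reaches the server over the LAN (no routing loop)."""
    problems = []
    for dst in probes:
        r = lookup(routes, dst)
        if r is None or r["iface"] != vpn_iface:
            problems.append(f"{dst}: {describe(r)} (expected dev {vpn_iface})")
    srv = lookup(routes, server_ip)
    if srv is None or srv["iface"] != lan_iface or srv["net"].prefixlen != 32:
        problems.append(f"VPN server {server_ip}: {describe(srv)} "
                        f"(expected a /32 host route via {lan_iface})")
    return problems


ROUTES = parse_route_table(ROUTE_N)
# Same table without the two /1 routes that `redirect-gateway def1` installs.
ROUTES_NO_DEF1 = [r for r in ROUTES if r["net"].prefixlen != 1]
ROUTES_EQUAL_PREFIX = parse_route_table(ROUTE_N_EQUAL_PREFIX)

if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.10", "192.168.0.50", "10.8.0.1"):
        print(f"{dst:>14} -> {describe(lookup(ROUTES, dst))}")
    print("with def1 routes:   ",
          check_redirect_gateway(ROUTES, "203.0.113.10", "tun0", "wlp1s0") or "OK")
    print("without def1 routes:",
          check_redirect_gateway(ROUTES_NO_DEF1, "203.0.113.10", "tun0", "wlp1s0"))
    print("equal prefix, metric decides:",
          describe(lookup(ROUTES_EQUAL_PREFIX, "8.8.8.8")))
```

The two /1 routes cover the whole address space with a prefix longer than the LAN's 0.0.0.0/0 default, which is why `def1` wins without touching the original default route; the /32 host route for the server is what keeps the tunnel's own TCP connection on the LAN. Run `check_redirect_gateway` against `route -n` output from a client that is not routing to see which of the two conditions is missing.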