I have just finished setting up a basic VPN using OpenVPN. I'm able to connect on all the clients (2 clients currently), and everyone can see each other (server + clients). I can access services on each machine over the VPN, share files, ping, etc. I would like to tunnel all of the clients' traffic through the VPN, not just file sharing and things like that.

I'm running OpenSUSE 11.1 for the server, and my two clients are Windows XP machines. Searching around I found a bit about changing the routing on the client, but this is something I do not know anything about. I was able to install Wireshark on the clients and the server and do a bit of testing. On client1, I decided to play with the routing table a bit. Here is the line I changed, in its original form:

Code:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.111     10

Code:
PS C:\Documents and Settings\Administrator> route add 0.0.0.0 mask 0.0.0.0 10.1.0.1 IF 3

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.0.1         10.1.0.2      1
Also, just for fun, I tried adding a route to a specific website and then pinging it from the client. Here's what I did, and the result:

Code:
PS C:\Documents and Settings\Administrator> route add 207.97.211.30 mask 255.255.255.255 10.1.0.1 IF 3
PS C:\Documents and Settings\Administrator> ping clusty.com

Pinging clusty.com [207.97.211.30] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

I have the feeling that I need to do something on the server so that it knows what to do with these outgoing packets it receives on the VPN, but I do not know how to set this up. Here are the details on the setup:

Server:
OpenSUSE 11.1
LAN IP: 192.168.10.108
VPN IP: 10.1.0.1
openvpn version: 2.0.9 x86_64
server.conf:

Code:
port 1194                                      # or any other port you want to use
dev tap
tls-server
cd /etc/openvpn/easy-rsa/2.0/keys
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem                                  # 1024-bit DH parameters; 2048-bit or larger is the current recommendation
tls-auth ta.key 0                              # HMAC on the control channel; server uses direction 0, clients 1
mode server
duplicate-cn                                   # allow several clients to connect with the same certificate CN
ifconfig 10.1.0.1 255.255.255.0                # openvpn gateway
ifconfig-pool 10.1.0.2 10.1.0.11 255.255.255.0 # ip range for openvpn client
push "dhcp-option DNS 10.1.0.1"                # push DNS entries to openvpn client
push "dhcp-option DNS 10.1.0.2"
push "route-gateway 10.1.0.1"                  # gateway used for the pushed routes below; does not by itself redirect the client's default route
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ping 10
ping-restart 120
push "ping 10"
push "ping-restart 60"
push "route 10.1.0.0 255.255.255.0 10.1.0.1"
comp-lzo                                       # LZO compression on the tunnel
status openvpn-status.log
verb 4

Client 1:
LAN IP: 192.168.10.111
VPN IP: 10.1.0.2
openvpn version: OpenVPN 2.1_rc18
client.conf:

Code:
port 1194
dev tap
remote 192.168.10.108                          # the server's LAN address
tls-client
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1                              # must match the server's ta.key, opposite direction
mtu-test
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
pull                                           # accept routes/DNS options pushed by the server
comp-lzo
verb 4

Client 2:
LAN IP: 192.168.10.110
VPN IP: 10.1.0.3
openvpn version: OpenVPN 2.1_rc18
client.conf: (same as Client 1)

So as it stands right now, all 3 machines can see each other and talk to each other just fine over the VPN. I want the clients to be able to push all of their network traffic through the VPN though - eventually I want to be able to use an open WiFi hotspot and connect to the VPN at my home, and tunnel all of my internet traffic through my home (I'm currently using SSH tunnels, and I wanted to give VPN a try). Any ideas/suggestions? Need more info? Thank you for taking the time to read all of this, every help/comment/suggestion is appreciated!
I've been digging around in YaST2 and made a few changes.
The firewall was previously disabled, so I enabled it. On the OpenSUSE box (VPN server) eth1 is the LAN, and tap1 is the VPN. I set eth1 in the external zone and tap1 in the internal zone, and opened up port 1194 in the external zone. I also enabled masquerading via YaST. After doing this everything still works the same - I can connect to the VPN server from the clients just fine, and normal VPN traffic is okay, but I am still not able to tunnel all network traffic from the clients through the VPN server.
If the OpenVPN gateway is not also the normal gateway, and if you are not able to change the routing on the client, then you will have to resort to masquerading (NAT) on the OpenVPN gateway so that the reply packets will go through OpenVPN. Remember, routing is stateless.
Thanks for the reply ken_yap. The OpenVPN server is not the normal gateway, these machines are on a LAN behind a normal router.
As far as I am aware I should be able to change the routing on the client - it's just something I do not know my way around very well. If possible, I would love to find a solution where I can change the routing on the client and not have to mess around with NAT on the OpenVPN server. I thought I was changing the routing on the clients before, when I deleted the entry from the routing table and added a new one using the OpenVPN server as a gateway (route add 0.0.0.0 mask 0.0.0.0 10.1.0.1 IF 3). After doing this the pings reached the OpenVPN server, but then died there. I take it this is because I do not have NAT set up on the OpenVPN server?
If you change the routing on the client, you also have to take care of what happens to the Internet bound packets when they reach your end and also the reply to those packets. If you work this through, I think that you'll end up with the conclusion that on the near end you will have to masquerade the packets coming from the remote end so that the replies will go back through the VPN and not the normal connection (if any) of the remote end.
Thanks for the reply ken_yap.

I was pointed towards the HOWTO on OpenVPN's website (whoops...), which is exactly what I was looking to do. To fix it I just followed the HOWTO - added the push "redirect-gateway def1" line to the config, and the iptables command after. Everything is working perfectly now! Thank you
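The server-side half of that fix, written out as an added example that is not part of the thread and not the OpenVPN project's own HOWTO text. It also answers ken_yap's two posts above: routing is stateless, so the server has to forward the clients' packets and masquerade them, or the replies from the Internet never find their way back into the tunnel. The interface names eth1 and tap1 and the subnet 10.1.0.0/24 are taken from the posts above; the script name, the `apply` argument and the `DRY_RUN` switch are my own assumptions. With `DRY_RUN=1` the commands are printed rather than executed, so the logic can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenVPN's HOWTO): make a tap/tun
# OpenVPN server a full-tunnel gateway for its clients.
# Assumptions: Internet-facing interface eth1, VPN interface tap1,
# VPN subnet 10.1.0.0/24 (all as named in the thread). DRY_RUN=1 prints
# each command instead of running it.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Directive to append to server.conf. "def1" makes the client add
# 0.0.0.0/1 and 128.0.0.0/1 via the VPN gateway instead of replacing its
# default route, so the original default route survives for the host route
# OpenVPN adds to the server's real address (the tunnel must not be routed
# over itself, which matters once the client sits behind a hotspot).
server_conf_lines() {
    printf '%s\n' 'push "redirect-gateway def1"'
}

# Step 1: the kernel must forward between tap1 and eth1. Without this,
# client packets arrive on tap1 and are dropped, which is exactly the
# "pings reach the server and die there" symptom from the thread.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Step 2: the Internet (and the home router) knows nothing about
# 10.1.0.0/24, so replies would never come back. MASQUERADE rewrites the
# source to eth1's address on the way out and conntrack maps the replies
# back to the client. The FORWARD rules restrict forwarding to flows that
# originate from the VPN plus their established replies.
add_masquerade() {
    wan_if=$1; vpn_if=$2; vpn_net=$3
    run iptables -t nat -A POSTROUTING -s "$vpn_net" -o "$wan_if" -j MASQUERADE
    run iptables -A FORWARD -i "$vpn_if" -o "$wan_if" -s "$vpn_net" -j ACCEPT
    run iptables -A FORWARD -i "$wan_if" -o "$vpn_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage:  DRY_RUN=1 sh full-tunnel.sh apply   (print what would run)
#         sudo sh full-tunnel.sh apply         (run it on the server)
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    add_masquerade eth1 tap1 10.1.0.0/24
    echo 'Append to server.conf and restart openvpn:'
    server_conf_lines
fi
```

Two checks are worth doing before blaming the client. On the server, `sysctl net.ipv4.ip_forward` must print 1 and `iptables -t nat -S POSTROUTING` must show the MASQUERADE rule; on a client, `tracert` to an Internet host should show 10.1.0.1 as the first hop. Two caveats: on OpenSUSE, SuSEfirewall2 rewrites the iptables rules whenever it restarts, so a rule added by hand disappears unless the equivalent is put into its configuration (its FW_MASQ_NETS setting covers this case), and the server.conf above pushes 10.1.0.1 as the DNS server, so once all traffic is tunnelled from a hotspot, name resolution only works if something on 10.1.0.1 is actually answering DNS.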