LinuxQuestions.org
Old 04-16-2013, 06:27 PM   #1
jewing
LQ Newbie
 
Registered: Apr 2013
Posts: 5

Rep: Reputation: Disabled
Noob OpenVPN question


Trying to connect to OpenVPN using a .conf. This works, and the tun0 device is activated, presenting me with:

Code:
eth2      Link encap:Ethernet  HWaddr 08:00:27:9b:48:a4  
          inet addr:10.50.51.78  Bcast:10.50.51.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe9b:48a4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3558 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1804 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1050746 (1.0 MB)  TX bytes:464317 (464.3 KB)
          Interrupt:19 Base address:0xd020 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:421 errors:0 dropped:0 overruns:0 frame:0
          TX packets:421 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:98673 (98.6 KB)  TX bytes:98673 (98.6 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:5.254.140.55  P-t-P:5.254.140.55  Mask:255.255.255.224
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:7 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:450 (450.0 B)  TX bytes:0 (0.0 B)

The following is the output of connecting to my VPN:

Code:
Enter Auth Username:blahblah
Enter Auth Password:
Tue Apr 16 16:07:46 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Apr 16 16:07:46 2013 LZO compression initialized
Tue Apr 16 16:07:46 2013 RESOLVE: NOTE: jenny.vpntunnel.se resolves to 5 addresses, choosing one by random
Tue Apr 16 16:07:46 2013 UDPv4 link local: [undef]
Tue Apr 16 16:07:46 2013 UDPv4 link remote: [AF_INET]178.73.212.244:7002
Tue Apr 16 16:07:47 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr 16 16:07:49 2013 [server] Peer Connection Initiated with [AF_INET]178.73.212.244:7002
Tue Apr 16 16:07:51 2013 TUN/TAP device tun0 opened
Tue Apr 16 16:07:51 2013 /sbin/ifconfig tun0 5.254.140.55 netmask 255.255.255.224 mtu 1500 broadcast 5.254.140.63
Tue Apr 16 16:07:51 2013 Initialization Sequence Completed

Now, once I am (I think) connected to the VPN, I lose internet connection from eth2. After digging through the forums for answers I am getting more and more confused about what my next steps should be. Since this is the first time I have used OpenVPN, a part of me feels all my traffic should be routed by default through tun0. Any input would be appreciated.
 
Old 04-17-2013, 02:25 PM   #2
yogo1212
LQ Newbie
 
Registered: Mar 2013
Posts: 12

Rep: Reputation: Disabled
Having experienced that problem myself, I would guess that your assumption is right and indeed all traffic is directed through the VPN.

The routes for any tunnel are sent via the freshly established connection. I don't know if there is a way to suppress certain routes.
(You can allow only a maximum number of routes to apply or choose to not use any routes by supplying --iproute /bin/true or so)

It is a common thing that an inexperienced admin pushes the default route over the tunnel during connection.
(It's a server-side thing; you can't filter it.)

First of all: could you verify by checking your routes?
E.g. use ip:

Code:
ip route
The interesting line is usually first. It should begin with "default".

Is it a work VPN? Can you contact the admin?

The next thing you can do is add/modify the line controlling verbosity in your config:

Code:
verb 3
Or add --verb 3 to the command line.

Then you should be seeing lines like this in your openvpn output:

Code:
/sbin/route add -net blabla netmask blabla gw blah

I have not yet found a way to reject those routes being pushed or remove them automatically.
My solution was to simply remove the routes by hand, after they have been added. (You can't remove them before ;-) )
Or more precisely: I spawn openvpn in screen, wait for the route, detach and run a script that removes them for me.

Wait for the connection to be established and then run:

Code:
ip route del to 192.168.102.2/24 dev tun0
or

Code:
ip route del default
Make sure to add the right default route after deleting the bad one.

You can check how it looks by using ip route before starting openvpn
and then add it again with
Code:
ip route add default dev eth2 # substitute for your active network device
Try the man page of the ip tool (man ip route).


Above all of these the ultimate solution is to have your admin reconfigure the VPN provider not to push any nonsense-routes.

Good luck :-)

Last edited by yogo1212; 04-17-2013 at 02:41 PM.
 
Old 04-17-2013, 04:18 PM   #3
jewing
LQ Newbie
 
Registered: Apr 2013
Posts: 5

Original Poster
Rep: Reputation: Disabled
Thanks for your quick reply. Indeed, when I turned the verbosity up, on connecting I saw:

Code:
Wed Apr 17 14:02:04 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Apr 17 14:02:04 2013 LZO compression initialized
Wed Apr 17 14:02:04 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Apr 17 14:02:04 2013 RESOLVE: NOTE: jenny.vpntunnel.se resolves to 5 addresses, choosing one by random
Wed Apr 17 14:02:04 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Apr 17 14:02:04 2013 Local Options hash (VER=V4): '41690919'
Wed Apr 17 14:02:04 2013 Expected Remote Options hash (VER=V4): '530fdded'
Wed Apr 17 14:02:04 2013 Socket Buffers: R=[163840->131072] S=[163840->131072]
Wed Apr 17 14:02:04 2013 UDPv4 link local: [undef]
Wed Apr 17 14:02:04 2013 UDPv4 link remote: [AF_INET]178.73.212.242:7001
Wed Apr 17 14:02:04 2013 TLS: Initial packet from [AF_INET]178.73.212.242:7001, sid=fbec6db2 b4459b8d
Wed Apr 17 14:02:04 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Apr 17 14:02:05 2013 VERIFY OK: depth=1, /C=SE/ST=Stockholm/L=Stockholm/O=Vpntunnel.se/OU=changeme/CN=changeme/name=changeme/emailAddress=info@vpntunnel.se
Wed Apr 17 14:02:05 2013 VERIFY OK: nsCertType=SERVER
Wed Apr 17 14:02:05 2013 VERIFY OK: depth=0, /C=SE/ST=Stockholm/L=Stockholm/O=vpntunnel.se/OU=changeme/CN=server/name=changeme/emailAddress=info@vpntunnel.se
Wed Apr 17 14:02:06 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Apr 17 14:02:06 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 17 14:02:06 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Apr 17 14:02:06 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 17 14:02:06 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Apr 17 14:02:06 2013 [server] Peer Connection Initiated with [AF_INET]178.73.212.242:7001
Wed Apr 17 14:02:08 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Apr 17 14:02:08 2013 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 80.67.0.2,dhcp-option DNS 91.213.246.2,redirect-gateway def1,route-gateway 5.254.138.1,topology subnet,ping 10,ping-restart 160,ifconfig 5.254.138.10 255.255.255.224'
Wed Apr 17 14:02:08 2013 OPTIONS IMPORT: timers and/or timeouts modified
Wed Apr 17 14:02:08 2013 OPTIONS IMPORT: --ifconfig/up options modified
Wed Apr 17 14:02:08 2013 OPTIONS IMPORT: route options modified
Wed Apr 17 14:02:08 2013 OPTIONS IMPORT: route-related options modified
Wed Apr 17 14:02:08 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Apr 17 14:02:08 2013 ROUTE default_gateway=10.50.51.1
Wed Apr 17 14:02:08 2013 TUN/TAP device tun0 opened
Wed Apr 17 14:02:08 2013 TUN/TAP TX queue length set to 100
Wed Apr 17 14:02:08 2013 /sbin/ifconfig tun0 5.254.138.10 netmask 255.255.255.224 mtu 1500 broadcast 5.254.138.31
Wed Apr 17 14:02:08 2013 /sbin/route add -net 178.73.212.242 netmask 255.255.255.255 gw 10.50.51.1
Wed Apr 17 14:02:08 2013 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 5.254.138.1
Wed Apr 17 14:02:08 2013 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 5.254.138.1
Wed Apr 17 14:02:08 2013 Initialization Sequence Completed

ip route:
Code:
ip route
0.0.0.0/1 via 5.254.138.1 dev tun0 
default via 10.50.51.1 dev eth2  metric 100 
5.254.138.0/27 dev tun0  proto kernel  scope link  src 5.254.138.10 
10.50.51.0/24 dev eth2  proto kernel  scope link  src 10.50.51.78 
128.0.0.0/1 via 5.254.138.1 dev tun0 
178.73.212.242 via 10.50.51.1 dev eth2
Sorry for being such a novice here. But from what I am gathering I should remove the first two of these routes, then add a new default route?
0.0.0.0/1 via 5.254.138.1 dev tun0
default via 10.50.51.1 dev eth2 metric 100
 
Old 04-17-2013, 05:17 PM   #4
yogo1212
LQ Newbie
 
Registered: Mar 2013
Posts: 12

Rep: Reputation: Disabled
Huh, to me this looks like a huge mess....

Tell your admin he must update this.

Neither of these are default routes:

Code:
Wed Apr 17 14:02:08 2013 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 5.254.138.1
Wed Apr 17 14:02:08 2013 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 5.254.138.1
But they match any address imaginable. 128.0.0.0 is a huge mask:

In binary that is: 10000000.00000000.00000000.00000000
It matches any address whose first bit is the same as the "network" part of the route. That is half the range of all existing IP addresses.
And of the two networks 0.0.0.0 and 128.0.0.0, one happens to have a "0" and the other a "1" as first bit. Both halves of the IP address range are covered.

To me this looks like some kind of prank...


With these masks I don't even know how to use ip route by heart, which I ought to be telling you about since it will replace plain old route.

Just take the two lines and change "add" for "del", like this:

Code:
route del -net 0.0.0.0 netmask 128.0.0.0 gw 5.254.138.1
route del -net 128.0.0.0 netmask 128.0.0.0 gw 5.254.138.1
Run as superuser. Don't delete the default route as it is still intact and untouched by VPN.
The 0.0.0.0 route looks like a default route but it isn't because of its funny mask.
(in fact this looks so weird, perhaps it's going to a masked ball)

Good luck.

remember that if you lose your connection and vpn is still running somewhere, the connection is re-established and the routes will be applied again.
So if at some point your wireless breaks or something like that, you'll have to be able to delete those routes again.

Edit:

I believe this is how you do it with ip:
Code:
ip route del 0.0.0.0/1
ip route del 128.0.0.0/1

Last edited by yogo1212; 04-17-2013 at 05:45 PM.
 
Old 04-17-2013, 05:56 PM   #5
jewing
LQ Newbie
 
Registered: Apr 2013
Posts: 5

Original Poster
Rep: Reputation: Disabled
Progress...

So after deleting the bad routes I am able to receive internet access again with VPN running. However, it doesn't appear that I am utilizing the VPN.

My routes after removing the bogus ones:

Code:
default via 10.50.51.1 dev eth2  proto static 
default via 10.50.51.1 dev eth2  metric 100 
5.254.141.96/27 dev tun0  proto kernel  scope link  src 5.254.141.107 
10.50.51.0/24 dev eth2  proto kernel  scope link  src 10.50.51.78  metric 1 
178.73.212.245 via 10.50.51.1 dev eth2
Thanks again for your help!
 
Old 04-18-2013, 08:05 AM   #6
yogo1212
LQ Newbie
 
Registered: Mar 2013
Posts: 12

Rep: Reputation: Disabled
You are using VPN for addresses matching this:
5.254.141.96/27

Or written like this:
Code:
network 00000101.11111110.10001101.01100000 <- 5.254.141.96
range   11111111.11111111.11111111.11100000 <- 255.255.255.224, 27 leading "1"s that is
btw: you only count to the first zero from the beginning; anything after that will be assumed zero by common practice.

So any IP-address with the form of "00000101.11111110.10001101.011*****" will match the route.
Or back in decimals that is: 5.254.141.[96-127]

Right now I'm confused by the inconsistency between the values for subnets and your IP throughout your posts.

Does the routing table in the last post belong to the log of the same post?
The ifconfig command with 5.254.138.10 netmask 255.255.255.224 doesn't match the autogenerated route from the output of ip route.
In the first post you had an IP from yet another network: 5.254.140.55.


Is this VPN supposed to be for a whole network subset or just a single host?
Are you the only one using this connection?
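Added example (not code from the thread or from OpenVPN): a small Python script that parses the routing table jewing posted in #3 and does kernel-style longest-prefix matching. It shows why the two /1 routes installed by "redirect-gateway def1" beat the untouched default route (post #4), what the table decides after the two "ip route del" commands, and the leading-bit comparison against 5.254.141.96/27 from post #6. The route lines are constructed from post #3; only the destination and dev fields are used.

```python
import ipaddress

# Constructed from the "ip route" output in post #3.
ROUTES_WITH_VPN = """\
0.0.0.0/1 via 5.254.138.1 dev tun0
default via 10.50.51.1 dev eth2  metric 100
5.254.138.0/27 dev tun0  proto kernel  scope link  src 5.254.138.10
10.50.51.0/24 dev eth2  proto kernel  scope link  src 10.50.51.78
128.0.0.0/1 via 5.254.138.1 dev tun0
178.73.212.242 via 10.50.51.1 dev eth2
"""


def parse_routes(text):
    """Return a list of (network, dev) from 'ip route' lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        # A bare host address such as 178.73.212.242 is a /32.
        net = ipaddress.ip_network(dst, strict=False)
        dev = fields[fields.index("dev") + 1]
        routes.append((net, dev))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the most specific matching route wins, as in the kernel.
    A /1 is more specific than the /0 default, so the two /1 routes capture everything."""
    ip = ipaddress.ip_address(addr)
    best = max((r for r in routes if ip in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (str(best[0]), best[1])


def drop(routes, *prefixes):
    """Table after 'ip route del 0.0.0.0/1' and 'ip route del 128.0.0.0/1'."""
    gone = {ipaddress.ip_network(p) for p in prefixes}
    return [r for r in routes if r[0] not in gone]


def in_prefix(addr, prefix):
    """Bit-level check from post #6: compare only the leading prefixlen bits."""
    net = ipaddress.ip_network(prefix, strict=False)
    shift = 32 - net.prefixlen
    return (int(ipaddress.ip_address(addr)) >> shift) == (int(net.network_address) >> shift)


if __name__ == "__main__":
    table = parse_routes(ROUTES_WITH_VPN)
    for dst in ("8.8.8.8", "200.1.2.3", "178.73.212.242", "10.50.51.5"):
        print(dst, "->", lookup(table, dst), "| after del:",
              lookup(drop(table, "0.0.0.0/1", "128.0.0.0/1"), dst))
```

Note that the VPN server's own address 178.73.212.242 still resolves to eth2 even with the /1 routes present: the /32 host route OpenVPN adds is what keeps the tunnel's outer UDP packets from being routed into the tunnel itself.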
 