LinuxQuestions.org
Old 03-08-2012, 08:32 AM   #1
matters
Member
 
Registered: May 2007
Distribution: Slackware
Posts: 281

Rep: Reputation: Disabled
routing all traffic from ppp0 to openvpn then masquerading it to LAN problem


Here's the scenario: I have a Linux server which connects to the internet via pppoe-start, meaning that the router is in bridge mode. All other machines inside the LAN get their internet connection through the Linux server.

Here are the interfaces on the Linux server:

ppp0 -internet
eth0
tun0 - vpn

Right now the ppp0 interface is masquerading, so all machines on the LAN have access to the internet.

To do that I have only this rule:

Code:
# Interface to Internet (must be set before the rule that uses it)
EXTIF=ppp0

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
Now what I would like to accomplish is this:
Since I'm connecting to the VPN provider directly through the config file of the specific VPN server I'm connecting to, I haven't edited any OpenVPN conf file on my end. I would like all ppp0 traffic (internet traffic) to be routed through the VPN, in this case tun0, and then all tun0 traffic masqueraded for the LAN, so that all machines inside the LAN get the IP address from the VPN while connected to the internet. How can I do that?

Thanks!

Last edited by matters; 03-08-2012 at 02:00 PM.
 
Old 03-12-2012, 12:30 PM   #2
Celyr
Member
 
Registered: Mar 2012
Location: Italy
Distribution: Slackware+Debian
Posts: 321

Rep: Reputation: 81
Hi,

You can just change EXTIF to tun0 (if you have a static IP I suggest you change it to SNAT)
AND change the default route of your server to be on the VPN.
Code:
route del default
route add default gw vpn-gateway
You can also do some finer routing if you feel like it; just read the route documentation (man route).
It won't be that hard.
 
Old 03-12-2012, 03:00 PM   #3
+Alan Hicks+
Member
 
Registered: Feb 2005
Distribution: Slackware
Posts: 72

Rep: Reputation: 55
You haven't given us enough information to accurately answer the question.

In particular, the following information would be of great value:
- openvpn config file (you can remove the authentication information if you like)
- the output of netstat -rn
- who your vpn provider is (i.e. is this just a work connection allowing you access to your employer's LAN or is it a general-purpose encrypted connection?)
- if your VPN should always be up or if you bring it down on occasion
- does your server run any particular services available to the net?
- do you have a second NIC connected to your LAN or are you doing something crazy like having your PPPoE and your plain LAN ethernet connection on the same NIC?

Also, do you only want to tunnel LAN traffic over the VPN or do you want to tunnel traffic from the server as well?
 
Old 03-12-2012, 04:46 PM   #4
matters
Member
 
Registered: May 2007
Distribution: Slackware
Posts: 281

Original Poster
Rep: Reputation: Disabled
Hi, all! Thanks for your contribution to help.

@Celyr that actually doesn't help.

Let me explain. The real router from the ISP is in bridge mode because I want my Slackware machine to act as a router and give other machines in the LAN access to the internet. The IP from the internet is obtained by pppoe-start, meaning I get a ppp0 interface.

Now I currently don't have an OpenVPN server set up, nor do I want to have one.

I connect to the OpenVPN server, which is in Hong Kong, through the net via

Code:
openvpn --config server.ovpn
It connects and I get a tun0 interface.

Now I'll post my routing table and then explain further.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.10.0.0       0.0.0.0         255.255.255.0   U     0      0        0 tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
172.29.252.59   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
And here's my iptables script.

Code:
#!/bin/bash
#
# firewall-masq         This script sets up firewall rules for a machine
#                       acting as a masquerading gateway
#
# Copyright (C) 2000 Roaring Penguin Software Inc.  This software may
# be distributed under the terms of the GNU General Public License, version
# 2 or any later version.
# LIC: GPL

# Interface to Internet
EXTIF=tun0

# NAT-Tables are different, so we can use ACCEPT everywhere (?)
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Flush the NAT-Table
iptables -t nat -F

iptables -t filter -P INPUT ACCEPT
iptables -t filter -F

# Allow NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

# Allow incoming SSH
#iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 5050 -j ACCEPT

#Allow HTTP/HTTPS
#iptables -t filter -A INPUT -i $EXTIF -m state --state NEW -p tcp --dport 80 -j ACCEPT

#Allow PING
# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Log & Deny the rest of the privileged ports
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 0:1023 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 0:52  -j DROP
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 54:1023 -j DROP
iptables -t filter -A INPUT -p tcp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp -s 127.0.0.1 --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp -s 127.0.0.1 --dport 53 -j ACCEPT
# Log & Deny NFS
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p udp --dport 2049 -j DROP
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 2049 -j DROP

# Log & Deny X11
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 6000:6063 -j DROP

# Log & Deny XFS
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --dport 7100 -j DROP

# Deny TCP connection attempts
iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j LOG
iptables -t filter -A INPUT -i $EXTIF -p tcp --syn -j DROP

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# no IP spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
   for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $i
   done
fi

# Disable Source Routed Packets
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
   echo 0 > $i
done
Now here's the funny part: if I do

Code:
route del default dev ppp0; route add default dev tun0
I immediately (of course) lose the internet connection, and because the OpenVPN server is not in my area but I connect to it through the internet, I lose the connection to the VPN server.

If I however have the default route on ppp0 and in iptables
Code:
# Interface to Internet (must be set before the rule that uses it)
EXTIF=ppp0

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
then the LAN computers don't have access to the internet, but can ping the VPN subnet.

If I have the default route on ppp0 and in iptables:
Code:
# Interface to Internet (must be set before the rule that uses it)
EXTIF=ppp0

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
then the LAN computers do have access to the internet and the VPN subnet, but the IP address visible to the internet is the one from the ISP and not the one from the VPN server.

And all I want is that all computers in the LAN, including the Linux server, have the OpenVPN IP instead of the IP assigned by the ISP while the Linux server is connected to the OpenVPN server, and that all traffic is encrypted.

My question is: how can I do that? I really want my Slackware box to act as the router instead of the ISP router.

I hope that my goal is much clearer now.

Thanks a lot!

EDIT: @Alan Hicks

When connecting to the VPN server via the config file I get this error:

Code:
NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Here's the info requested:

1. openvpn config file:

Code:
cat HongKong.ovpn

route-delay 3
fast-io
client
dev tun
nobind
remote switchhk-1.switchkonnect.com 1195 udp
pull
resolv-retry infinite
persist-key
persist-tun
mute-replay-warnings
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
;mute 10
explicit-exit-notify 2
<ca>
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
</ca>


key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
REMOVED
-----END OpenVPN Static key V1-----
</tls-auth>
2. Routing table: I provided it above (I was typing and didn't read your post until I submitted mine).

3. VPN provider: Switchvpn.com. I want to use it especially for encrypted connections and anonymity.

4. I would like to make a script to bring the VPN connection up on boot as soon as the internet connection is established, so I can disable it later if I want to.

5. No particular services are available to the world from my Slackware server (only services that are available to the LAN).

6. All computers inside the LAN have a single NIC installed, and all computers, including the ISP router, are connected directly to the switch.

7. I want all computers in the LAN, including the Linux server, to have the OpenVPN IP instead of the IP assigned by the ISP while the Linux server is connected to the OpenVPN server, and all traffic to be encrypted.

Meaning that I want to tunnel all LAN traffic over the VPN, including my Linux server.

I don't plan a VPN-to-VPN connection as of right now, if that's what you mean.

If you need any more info, feel free to ask.

Again, thanks to everyone for their contribution. I've been struggling with this for a few days now.

Last edited by matters; 03-12-2012 at 05:30 PM.
 
Old 03-13-2012, 05:17 AM   #5
Celyr
Member
 
Registered: Mar 2012
Location: Italy
Distribution: Slackware+Debian
Posts: 321

Rep: Reputation: 81
Can you please post an
Code:
ifconfig
and the result of
Code:
route
after this:
Code:
route del default dev ppp0; route add default dev tun0
What you did should work IMO.

I've noticed I was wrong after reading this:
http://openvpn.net/index.php/open-so....html#redirect

Last edited by Celyr; 03-13-2012 at 05:46 AM.
 
Old 03-13-2012, 09:20 AM   #6
matters
Member
 
Registered: May 2007
Distribution: Slackware
Posts: 281

Original Poster
Rep: Reputation: Disabled
@Celyr it's no problem being wrong, at least you wanted to help.

For the others, let me post ifconfig

Code:
eth0      Link encap:Ethernet  HWaddr 00:0B:6A:3C:8B:84
          inet addr:192.168.0.3  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20b:6aff:fe3c:8b84/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:204680 errors:0 dropped:0 overruns:0 frame:0
          TX packets:203620 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28902378 (27.5 Mb)  TX bytes:28070835 (26.7 Mb)
          Interrupt:19 Base address:0xc000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:489 errors:0 dropped:0 overruns:0 frame:0
          TX packets:489 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:55856 (54.5 Kb)  TX bytes:55856 (54.5 Kb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:x.x.x.x  P-t-P:172.29.252.64  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:93667 errors:0 dropped:0 overruns:0 frame:0
          TX packets:92269 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:11145577 (10.6 Mb)  TX bytes:5515458 (5.2 Mb)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.10.0.40  P-t-P:10.10.0.40  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1210 (1.1 Kb)  TX bytes:1454 (1.4 Kb)
Please note that for ppp0 I removed my IP on purpose, because it's the public IP assigned by the ISP.

NOTE: the gateway of tun0 is 10.10.0.1, if it's needed.

The routing table is posted in my previous post, as well as the whole explanation and the answers to the questions.

Hopefully someone will have an idea how to solve this problem.

Thanks guys!
 
Old 03-14-2012, 07:06 AM   #7
Celyr
Member
 
Registered: Mar 2012
Location: Italy
Distribution: Slackware+Debian
Posts: 321

Rep: Reputation: 81
Have a look at the link that I've posted; I think it is the solution to your issue.
 
Old 03-14-2012, 09:31 AM   #8
matters
Member
 
Registered: May 2007
Distribution: Slackware
Posts: 281

Original Poster
Rep: Reputation: Disabled
@Celyr actually it is not. I thank you very much for trying to help me, I really appreciate it. I don't have access to the VPN server directly, therefore I cannot edit the server config. As I said in my previous post, I connect to a VPN provider called SwitchVPN and use their config files for the VPN server that I want to connect to.

The iptables rule
Code:
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o ppp0 -j MASQUERADE
as it suggests, doesn't give access to the VPN from the LAN machines, except from the Slackware server of course.

However,

If I have the default route on ppp0 and in iptables:
Code:
# Interface to Internet (must be set before the rule that uses it)
EXTIF=ppp0

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
then the LAN computers do have access to the internet and the VPN subnet, but the IP address visible to the internet is the one from the ISP and not the one from the VPN server, as I stated in one of my previous posts.

Hopefully someone will have an idea how to solve this problem sooner or later. I don't want to use a WRT320N for this purpose but instead my own Slackware box, if that's at all possible.

Thanks guys!

Last edited by matters; 03-14-2012 at 09:32 AM.
 
Old 03-14-2012, 11:46 AM   #9
+Alan Hicks+
Member
 
Registered: Feb 2005
Distribution: Slackware
Posts: 72

Rep: Reputation: 55
OK, based on your openvpn config file, this may not be possible.

Typically if your VPN provider wants or allows you to tunnel all outbound traffic through them, they'll include some route rules in the config file they give you to use. Unless they have a router setup on their end, there's really nothing you can do to route all general-purpose Internet traffic through them. With that said, there are some things you can try. The first thing to do is to forget all about netfilter/iptables and focus just on your linux box and ignore all the clients on your LAN.

In your above statements, we see that frames destined to 10.10.0.0/24 will go out your tun0 interface. If there is a router on that subnet which will take and route your general-purpose net traffic, then it is probably 10.10.0.1 or 10.10.0.254. Assuming either of those pings, you can attempt to set up your routing table with statements like the following.

Code:
route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.10.0.1
Code:
route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.10.0.1
The above two rules set up routes for 0.0.0.0/1 and 128.0.0.0/1 and send them both through the 10.10.0.1 gateway (assuming it exists). Since these routes are more specific than the general 0.0.0.0/0 which is your default gateway, they'll always be preferred. This allows you to set up a new "default gateway" without removing your old route. (This is actually something openvpn can do on its own with the proper options.) You will also need to create the following rule.

Code:
route add -host 123.254.107.125 dev ppp0
Since this rule is the most specific one, it will ensure that the UDP-encapsulated packets get delivered out your ppp0 interface. (123.254.107.125 is the IP for switchhk-1.switchkonnect.com.)

Once that's done, you should test things with your linux box. Using tcpdump, you can determine if packets leaving your linux box and destined to say, google, take a route out ppp0 or out tun0.

Code:
tcpdump -i ppp0 tcp port 80
Then hit google.com with lynx on a separate terminal and see if any HTTP traffic travels out your ppp0 interface. Assuming everything works, then you can focus on making these changes permanent and getting your LAN clients to use the tun0 interface with netfilter rules.
 
Old 03-15-2012, 03:21 AM   #10
matters
Member
 
Registered: May 2007
Distribution: Slackware
Posts: 281

Original Poster
Rep: Reputation: Disabled
@alan hicks I solved the problem last night before I read your post. I fixed it by:

Code:
 route add -net ip IP (of the vpn gateway) netmask 255.255.255.255 dev ppp0; route del default dev ppp0; route add default tun0
then in iptables
Code:
# Interface to Internet (must be set before the rule that uses it)
EXTIF=tun0

# Do masquerading
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
Thanks a lot to all you guys!

Last edited by matters; 03-15-2012 at 03:23 AM.
 
Old 03-15-2012, 01:49 PM   #11
+Alan Hicks+
Member
 
Registered: Feb 2005
Distribution: Slackware
Posts: 72

Rep: Reputation: 55
Quote:
Originally Posted by matters View Post
Code:
 route add -net ip IP (of the vpn gateway) netmask 255.255.255.255 dev ppp0; route del default dev ppp0; route add default tun0
I really don't recommend you do that.

If the VPN tunnel drops for whatever reason (and that can happen somewhat often), then you won't be able to re-establish the tunnel because your default route is down. It's far better to add the 0.0.0.0/1 and 128.0.0.0/1 routes. This way if the tunnel drops you can still re-establish the connection. Again, openvpn can do this for you if you set up your config file correctly.
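To make the routing argument of posts #9 and #11 concrete, here is an added example (my own code, not from the thread or from OpenVPN) that simulates the kernel's longest-prefix match over the routing table posted in #4. It compares the 0.0.0.0/1 + 128.0.0.0/1 approach with the "replace the default route" approach from post #10, including what is left routable once the tunnel drops. The public host and resolver addresses are constructed placeholders; the VPN endpoint and tun0 gateway are the values quoted in the thread.

```python
import ipaddress

# Routing table copied from the `netstat -rn` output in post #4.
# A gateway of 0.0.0.0 means "directly on the link of that device".
BASE_TABLE = [
    ("0.0.0.0/0",        "0.0.0.0", "ppp0"),
    ("10.10.0.0/24",     "0.0.0.0", "tun0"),
    ("127.0.0.0/8",      "0.0.0.0", "lo"),
    ("172.29.252.59/32", "0.0.0.0", "ppp0"),
    ("192.168.0.0/24",   "0.0.0.0", "eth0"),
]

VPN_SERVER = "123.254.107.125"  # switchhk-1.switchkonnect.com, as given in post #9
TUN_GW = "10.10.0.1"            # tun0 gateway, as given in post #6
PUBLIC_HOST = "203.0.113.10"    # constructed stand-in for "some web server"
DNS_SERVER = "198.51.100.53"    # constructed stand-in for the ISP's resolver


def lookup(table, dst):
    """Longest-prefix match over (prefix, gateway, device) rows, which is
    what the kernel does for a single routing table. Returns (gateway,
    device) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


def egress_device(table, dst):
    """Device a packet for `dst` leaves on, or None if it is unroutable."""
    hit = lookup(table, dst)
    return None if hit is None else hit[1]


def with_def1_routes(table, vpn_server=VPN_SERVER, tun_gw=TUN_GW):
    """Post #9 (what `redirect-gateway def1` automates): keep the old default,
    add 0.0.0.0/1 and 128.0.0.0/1 via the tunnel gateway, and a /32 to the
    VPN endpoint so the UDP-encapsulated packets keep leaving via ppp0."""
    # `route add ... gw 10.10.0.1` needs no `dev`: the kernel resolves the
    # device from the gateway's own route (10.10.0.0/24 is on tun0).
    gw_dev = lookup(table, tun_gw)[1]
    return table + [
        (f"{vpn_server}/32", "0.0.0.0", "ppp0"),
        ("0.0.0.0/1",        tun_gw,    gw_dev),
        ("128.0.0.0/1",      tun_gw,    gw_dev),
    ]


def with_replaced_default(table, vpn_server=VPN_SERVER):
    """Post #10: host route to the VPN endpoint, delete the ppp0 default,
    make tun0 the default."""
    kept = [r for r in table if r[0] != "0.0.0.0/0"]
    return kept + [
        (f"{vpn_server}/32", "0.0.0.0", "ppp0"),
        ("0.0.0.0/0",        "0.0.0.0", "tun0"),
    ]


def tunnel_dropped(table):
    """When openvpn loses the tunnel, every route through tun0 goes with it."""
    return [r for r in table if r[2] != "tun0"]


if __name__ == "__main__":
    for name, tbl in (("def1", with_def1_routes(BASE_TABLE)),
                      ("replaced", with_replaced_default(BASE_TABLE))):
        print(f"[{name}] web -> {egress_device(tbl, PUBLIC_HOST)}, "
              f"vpn endpoint -> {egress_device(tbl, VPN_SERVER)}")
        down = tunnel_dropped(tbl)
        print(f"[{name}, tunnel down] resolver -> {egress_device(down, DNS_SERVER)}")
```

With the default route replaced, the resolver becomes unroutable as soon as tun0 disappears, which is exactly why a reconnect to a hostname fails; with the two /1 routes the ppp0 default quietly takes over.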
 
Old 03-18-2012, 01:19 AM   #12
matters
Member
 
Registered: May 2007
Distribution: Slackware
Posts: 281

Original Poster
Rep: Reputation: Disabled
@alan hicks you were absolutely right about the VPN dropping connections. It actually happens very often.

You didn't tell me, when you said

Code:
route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.10.0.1 is it dev tun0 or ppp0

route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.10.0.1 is it dev tun0 or ppp0
Btw the VPN drops connections very often, at different intervals from 5 mins to 2 hours;
I didn't have a single connection up for more than 2 hours.

Here's what I get when the connection drops:

Code:
Sat Mar 17 15:24:17 2012 [SwitchVPN_NL] Inactivity timeout
(--ping-restart), restarting
Sat Mar 17 15:24:17 2012 TCP/UDP: Closing socket
Sat Mar 17 15:24:17 2012 SIGUSR1[soft,ping-restart] received, process
restarting
Sat Mar 17 15:24:17 2012 Restart pause, 2 second(s)
Sat Mar 17 15:24:19 2012 WARNING: No server certificate verification
method has been enabled.  See http://openvpn.net/howto.html#mitm for more
info.
Sat Mar 17 15:24:19 2012 NOTE: the current --script-security setting may
allow this configuration to call user-defined scripts
Sat Mar 17 15:24:19 2012 Re-using SSL/TLS context
Sat Mar 17 15:24:19 2012 LZO compression initialized
Sat Mar 17 15:24:19 2012 Control Channel MTU parms [ L:1542 D:166 EF:66
EB:0 ET:0 EL:0 ]
Sat Mar 17 15:24:19 2012 Socket Buffers: R=[163840->131072]
S=[163840->131072]
Sat Mar 17 15:24:59 2012 RESOLVE: Cannot resolve host address:
switchnl-1.switchkonnect.com: [TRY_AGAIN] A temporary error occurred on an
authoritative name server.
Sat Mar 17 15:24:59 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42
EB:135 ET:0 EL:0 AF:3/1 ]
Sat Mar 17 15:24:59 2012 Local Options hash (VER=V4): '504e774e'
Sat Mar 17 15:24:59 2012 Expected Remote Options hash (VER=V4): '14168603'
^CSat Mar 17 15:25:39 2012 RESOLVE: signal received during DNS resolution
attempt
Sat Mar 17 15:25:39 2012 TCP/UDP: Closing socket
Sat Mar 17 15:25:39 2012 Closing TUN/TAP interface
Sat Mar 17 15:25:39 2012 /sbin/ip addr del dev tun0 10.10.0.17/24
Sat Mar 17 15:25:39 2012 SIGINT[hard,init_instance] received, process
exiting
You can ignore this:

Code:
 NOTE: the current --script-security setting may
allow this configuration to call user-defined scripts
since I forgot to add the directive when connecting manually.

Where the problem might be:

I'm using a different config now, because Hong Kong is slow for me:

Code:
route-delay 3
fast-io
client
dev tun
remote switchnl-1.switchkonnect.com 1195 udp
pull
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
auth-user-pass
comp-lzo
reneg-sec 0
log-append /var/log/openvpn/openvpn.log
verb 7
;mute 10
explicit-exit-notify 2

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
I tried to reduce the MTU of tun0 to 1400 (the default is 1500) because the ppp0 MTU is 1492, as you can see; I thought it would help but it didn't.

I'm wondering what else I can try so the VPN connection won't get dropped, so I don't have to reconnect every time it drops. On reconnection, as you can assume, the VPN connection is established and tunnelling works!

Thanks Alan!

EDIT: if I change UDP to TCP mode, there are no more connection drops, but TCP mode is much slower compared to UDP from what I can see. So I would like to solve the VPN connection drops in UDP mode.

thanks again!

Last edited by matters; 03-18-2012 at 11:41 AM.
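The log posted above is worth parsing rather than eyeballing. As an added example (my own code, not from the thread or from OpenVPN), here is a small Python triage script run over lines constructed from the log in the post above (the wrapped lines re-joined). It counts the ping-restarts and DNS failures behind the drops, and flags the one line in that log that matters for security: "No server certificate verification method has been enabled", which the log's own howto link explains. The `remote-cert-tls server` directive named in the finding is the standard OpenVPN client option for that check, not something the thread itself discusses.

```python
import re
from datetime import datetime

# Constructed sample, re-joined from the wrapped lines of the openvpn log in
# the post above (hostnames and timestamps as posted there).
SAMPLE_LOG = """\
Sat Mar 17 15:24:17 2012 [SwitchVPN_NL] Inactivity timeout (--ping-restart), restarting
Sat Mar 17 15:24:17 2012 TCP/UDP: Closing socket
Sat Mar 17 15:24:17 2012 SIGUSR1[soft,ping-restart] received, process restarting
Sat Mar 17 15:24:17 2012 Restart pause, 2 second(s)
Sat Mar 17 15:24:19 2012 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Mar 17 15:24:19 2012 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Mar 17 15:24:19 2012 Re-using SSL/TLS context
Sat Mar 17 15:24:59 2012 RESOLVE: Cannot resolve host address: switchnl-1.switchkonnect.com: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
Sat Mar 17 15:25:39 2012 TCP/UDP: Closing socket
Sat Mar 17 15:25:39 2012 Closing TUN/TAP interface
Sat Mar 17 15:25:39 2012 SIGINT[hard,init_instance] received, process exiting
"""

# "Sat Mar 17 15:24:17 2012 <message>"; single-digit days are space padded.
TS_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (.*)$")


def parse_line(line):
    """Split one openvpn log line into (datetime, message); None if the line
    carries no timestamp (for example a wrapped continuation line)."""
    m = TS_RE.match(line.rstrip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)


def triage(log_text):
    """Count the events behind the drops discussed in the thread and flag the
    security one: without a server-certificate check the client accepts any
    server that presents a certificate issued by the same CA."""
    report = {
        "ping_restarts": 0,
        "dns_failures": 0,
        "tun_closed": 0,
        "script_security_notes": 0,
        "server_cert_unverified": False,
        "restart_to_resolve_seconds": None,
    }
    last_restart = None
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        if "Inactivity timeout (--ping-restart)" in msg:
            report["ping_restarts"] += 1
            last_restart = ts
        elif msg.startswith("RESOLVE: Cannot resolve host address"):
            report["dns_failures"] += 1
            if last_restart is not None and report["restart_to_resolve_seconds"] is None:
                report["restart_to_resolve_seconds"] = int((ts - last_restart).total_seconds())
        elif msg.startswith("WARNING: No server certificate verification"):
            report["server_cert_unverified"] = True
        elif msg.startswith("Closing TUN/TAP interface"):
            report["tun_closed"] += 1
        elif "--script-security setting" in msg:
            report["script_security_notes"] += 1
    return report


def findings(report):
    """Human-readable findings, the security item first."""
    out = []
    if report["server_cert_unverified"]:
        out.append("server certificate is not verified: add `remote-cert-tls server` "
                   "to the client config so a rogue server with a CA-issued cert is rejected")
    if report["ping_restarts"]:
        out.append(f"{report['ping_restarts']} ping-restart(s): no UDP traffic seen for the "
                   "ping-restart interval (path MTU/fragmentation or an idle NAT timeout)")
    if report["dns_failures"]:
        out.append(f"{report['dns_failures']} DNS failure(s) while reconnecting: the resolver "
                   "must stay reachable while the tunnel is down")
    return out
```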
 
Old 03-18-2012, 07:08 PM   #13
+Alan Hicks+
Member
 
Registered: Feb 2005
Distribution: Slackware
Posts: 72

Rep: Reputation: 55
Quote:
Originally Posted by matters View Post
@alan hicks you were absolutely right about the VPN dropping connections. It actually happens very often.
Told you so.

Quote:
Originally Posted by matters View Post
I tried to reduce the MTU of tun0 to 1400 (the default is 1500) because the ppp0 MTU is 1492, as you can see; I thought it would help but it didn't.
That may be a touch low, but I still recommend a setting like that to reduce the amount of frame fragmentation.

Quote:
Originally Posted by matters View Post
I'm wondering what else I can try so the VPN connection won't get dropped, so I don't have to reconnect every time it drops. On reconnection, as you can assume, the VPN connection is established and tunnelling works!

Thanks Alan!

EDIT: if I change UDP to TCP mode, there are no more connection drops, but TCP mode is much slower compared to UDP from what I can see. So I would like to solve the VPN connection drops in UDP mode.

Thanks again!

Yeah you definitely do not want to use TCP mode. All packet encapsulation should be done with a connectionless protocol like UDP.

Now for your biggest questions, look at adding "redirect-gateway" to your openvpn config file. That will automatically add the 0.0.0.0/1 and 128.0.0.0/1 routes for you as well as ensuring that you have a static route to the other vpn endpoint. See openvpn(8) for details.

As for your disconnect problems, those are likely caused by a router or firewall dropping the connection after a period of time without any UDP packets being sent. If you want to prevent and/or mitigate this problem, look at the "ping-restart" option. Even if the connection drops, it will restart it automatically as long as the openvpn client process is running on your box.
 
Old 03-19-2012, 08:39 AM   #14
matters
Member
 
Registered: May 2007
Distribution: Slackware
Posts: 281

Original Poster
Rep: Reputation: Disabled
@Alan Hicks thanks a lot for the advice, you were right about everything as usual. The funny thing is that I always do that without reading your post. And reducing frame fragmentation actually fixes the problem, so I didn't have to use ping-restart.

Also thank you for suggesting that I read the man page about redirect-gateway; it explains everything.

Also on some servers I used just mssfix and that also fixes the problem with dropping connections.

Thanks again!
 
Old 03-20-2012, 08:26 AM   #15
matters
Member
 
Registered: May 2007
Distribution: Slackware
Posts: 281

Original Poster
Rep: Reputation: Disabled
@Alan Hicks actually mssfix alone didn't fix the problem of dropping connections, while fragment does. I'm just wondering if there's some OpenVPN directive that is somehow identical to --fragment? Because now, since only one server has fragment enabled in server.conf, it means I can connect only to this server without connection drops. mssfix on some occasions can leave the VPN connection open for max 2 hours, then it drops. I was happy that I was online with mssfix for more than an hour, but after 2 hours the connection dropped, whereas with --fragment there are no connection drops, just like you said.

What do you suggest?
 