Posted: Tue Nov 02, 2010 21:29 Post subject: OpenVPN connectivity
All,
I managed to setup OpenVPN on a WRT54Gv4 running dd-wrt v24sp2 vpn-small build 15200.
I can establish connectivity to my home network from the 'outside' and can see the devices on the internal network. Major progress (thanks to a forum member) from 24 hrs ago when I was literally pulling my hair out.
Had a question though...
When I first establish connection, I get a 'local and internet' connection to the VPN server while the 'external' connection goes into a 'local only' mode. This is what I would expect.
A visit to whatsmyip.org shows the internet IP of the VPN server ... Great.
What is stumping me is that after 5-10 minutes, the 'external' and 'VPN' connections BOTH start showing 'Local and Internet' connectivity. A visit to whatsmyip.org now starts showing the internet IP address of the 'external' connection.
Any clues as to what could be going wrong and how I could correct it?
Internet Gateway - ISP Provided
External IP=DynDns.org Hostname
Internal IP=10.100.1.200/24
DHCP Range =10.100.1.101-150
VPN Server - Linksys WRT54Gv4 Router Running DD-WRT sp2 vpn-small build 15200
LAN IP=10.100.1.203 (Static)
Gateway=10.100.1.200 (IP Address of the Internet Gateway)
DHCP Server=Enabled
Local IP =10.100.2.200/24
Gateway =10.100.1.200 (IP Address of the Internet Gateway)
Local DNS =10.100.1.200 (IP Address of the Internet Gateway)
What I am trying to do: Create a secure channel to connect from the internet to my network at home. Use the home devices (NAS, Printer etc) and connect to the internet too, using the ISP provided gateway. I am trying to create the 10.100.2.* address area for clients coming over the VPN. All the devices (NAS, printer etc) are in the 10.100.1.* address space.
OpenVPN Server Config
Code:
mode server
tls-server
proto udp
port 1194
dev tap0
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
dh /tmp/openvpn/dh.pem
Posted: Sun Nov 07, 2010 4:57 Post subject: split tunnelling here
I think what is going on is classic split tunnelling: your OpenVPN client on your Vista system is probably creating 2 default routes under Vista, one pointing to the "real" ethernet interface under Vista and the other pointing to the VPN to your home network. When it first creates the "new" default route on connection, that takes priority for the "internal local" traffic, and then after a while that default route expires and the "real" default route takes over. Run the route command a few times over the 10-25 minutes in a command window in Vista and I suspect you will see the route table change.
In summary, what you're trying to do is rather ugly networking. You're sending Internet-destined traffic to a remote that is then u-turning it and doubling the amount of traffic on the remote's pipe. I'm sure you probably have your reasons for doing this, such as the Internet connection that your remote is using is crapped up, maybe filtered, whatever. Maybe you're trying to subvert the Great Firewall of China or some such. Whatever it is, Microsoft had to do some special coding in their Vista/Windows 7 ppp client (that isn't in Win XP) to properly support this. There's a checkbox in their client to enable and disable this that most people don't know about or understand what it does. The OpenVPN client you're running under Vista has to have a similar type of thing for this to even work - and it has to be working if it is there.
I don't know enough about the OpenVPN implementation under Vista to know, but I'm sure the OpenVPN mailing list can help you out a lot better. I can tell you though that this problem almost certainly has nothing to do with the OpenVPN server under dd-wrt. You could, just for testing sake, duplicate the OpenVPN server on a PC running Debian or some such, and I am sure you would see the exact same problem happening.
Yup.. I figured that it was something on the client end and not on the router running DD-WRT. The only thing I was wondering was if there is a command that can be 'pushed' from the server side to persist the internet tunnel for the life of the VPN connection from the client.
Yes, you are correct, it appears that the tunnel reverts back to the default after a little while. It has been hard for me to pinpoint the time interval since nothing abnormal shows up in the logs (client or server).
Interestingly though, when I run a DOS window and try to ping/tracert internet sites or VPN (internal) devices, Vista will randomly use the external route or the tunnel/VPN route. Can't see a pattern, unfortunately.
Now .. Why would I be doing this .. Need to establish a 'secure' VPN connection to access resources on the home network. Having the tunnel split does not assure any security, it actually may enhance the opportunity for compromise by cross-site scripting. With a split tunnel, it becomes harder to identify the culprit. I did take your Great Wall of China comment in good spirit, but jokes apart, if one cannot maintain a dedicated connection over the tunnel, it defeats the purpose of the VPN.
An alternative, and this would eliminate the over burdening of the tunnel, would be to maintain a 'local only' VPN connection and not allow the VPN to have a connection to the internet. Probably easier said than done.
Ideally, I would prefer to have a local connection to the 'immediate network' and the tunneled VPN connection provide internet services for a couple reasons (even if there is a price to pay).
1) Some financial sites (my credit union for sure) keep track of the various IP's that I connect from. So when I am travelling, I would prefer to appear as if I am connecting from 'home'. With the current setup, I have to request adding the 'new ip' and have to remember to clean up when done.
2) When travelling overseas, certain sites block access from IP's that are not US based.
Possible next steps/questions.
1. Is it possible to force the VPN channel to handle ALL internet and VPN traffic ? This would force the 'external' network to be a 'local' network.
2. Could this be accomplished by
- a push from the VPN server to the client when a connection is successfully established.
- a batch file on the client to set/reset the default path.
Thoughts/suggestions/alternatives ?
The OpenVPN forum is not very helpful .. they couldn't even help me establish a connection. Waiting for a 4 day turnaround, just to be asked to publish logs and then not hear for another 4-5 days, was not a very rewarding experience. Not sure if others have had a better experience.
Instead of making one new default gateway with a /0 mask, ovpn makes two of them: 0.0.0.0/1 and 128.0.0.0/1.
As higher numbered masks take precedence over lower numbered masks, these two together act as your default gateway.
Make sure you have at least a 2.1 client to make this work.
_________________
now running tomato by shibby
E4200v1 cfe 2010.09.20.0
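To make the "two half-default routes" point concrete, here is an added example (not code from the thread or from OpenVPN itself) that simulates longest-prefix-match routing on a client's route table. It uses addresses from the thread (10.100.2.200 as the tunnel hop, 10.100.1.0/24 as the home LAN, 99.16.101.28 as the home network's public address); the physical-LAN gateway 192.168.0.1 is a constructed placeholder. In OpenVPN the two /1 routes are what the `redirect-gateway def1` option installs, which can be pushed from the server; that directive is stated from general knowledge, not from the thread.

```python
from ipaddress import ip_address, ip_network

PHYS_GW = "192.168.0.1"      # constructed: gateway of the 'external' (public LAN) network
VPN_GW = "10.100.2.200"      # from the thread: first hop seen in both tracerts
VPN_SERVER = "99.16.101.28"  # from the thread: public IP the tunnel itself talks to

# Client route table before any redirection: (prefix, gateway) pairs.
BASE_ROUTES = [
    ("0.0.0.0/0", PHYS_GW),         # original default route of the physical NIC
    ("10.100.2.0/24", VPN_GW),      # tap subnet handed out to VPN clients
    ("10.100.1.0/24", VPN_GW),      # home LAN, reached through the tunnel
    (VPN_SERVER + "/32", PHYS_GW),  # host route: the tunnel's own packets must bypass it
]

# The two half-internet routes the post describes. Together they cover every
# address, but each is more specific than /0, so they win without touching
# the original default route (which stays in place for when the tunnel drops).
DEF1_ROUTES = [
    ("0.0.0.0/1", VPN_GW),
    ("128.0.0.0/1", VPN_GW),
]


def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst decides the gateway."""
    best = None
    addr = ip_address(dst)
    for prefix, gw in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def next_hop(dst, redirected):
    """Gateway chosen for dst, with or without the two /1 routes installed."""
    routes = BASE_ROUTES + (DEF1_ROUTES if redirected else [])
    return lookup(routes, dst)


if __name__ == "__main__":
    # 72.30.2.43 is the yahoo address traced later in the thread.
    for dst in ("72.30.2.43", "10.100.1.100", VPN_SERVER):
        print(dst, "split:", next_hop(dst, False), "redirected:", next_hop(dst, True))
```

With the /1 routes present, internet destinations leave via the tunnel while the /32 host route keeps the encapsulated packets to the VPN server on the physical gateway, which is what prevents a routing loop.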
Looks like I am now using the 'external' network in the 'local' mode and using the VPN channel for internet access and devices in the home network.
Code:
Tracing route to any-fp.wa1.b.yahoo.com [72.30.2.43]
over a maximum of 30 hops:
1 48 ms 51 ms 48 ms 10.100.2.200
2 66 ms 50 ms 60 ms 10.100.1.200
3 67 ms 66 ms 65 ms 99-16-100-3.lightspeed.snrsca.sbcglobal.net [99.16.100.3]
4 * * 74 ms 71.145.12.214
and
Code:
C:\Users\Naveen>tracert 10.100.1.100
Tracing route to 10.100.1.100 over a maximum of 30 hops
1 47 ms 49 ms 47 ms 10.100.2.200
2 47 ms 47 ms 49 ms 10.100.1.100
Trace complete.
A visit to whatsmyip.org shows the internet facing IP of the home network.
So looks like I have a config that is working. Yes, I may have a degraded performance, but I have achieved the original objective.
Interestingly, when I look up the 'Network and Sharing Center' I see the attached screen.
Oakwood-A is the public network. I would have expected this to be 'Local' only. 'OpenVPN to LAN @ Home' is the OpenVPN channel to the home network. I would have expected this to show 'Local and Internet'.
If you look at the main graphic at the top, it shows that I do not have an internet connection. I am using the connection to type this note.
Any thoughts on this anomaly? Is this just one of those Windows things?
Let me know what you think.
For reference, here is the route table. The 192 addresses are the public LAN, 10 addresses are the Home network and 99.16.101.28 is the internet facing address of the Home network