Posted: Fri Aug 17, 2012 17:01 Post subject: Unable to redirect gateway with OpenVPN GUI
Hello, I've been wrestling with this for a while now, and after doing some searching on the boards, I haven't been able to find a solution for my problem, so I'm hoping the gurus here can help.
I'm trying to set up a site-to-site server/client OpenVPN setup where the client gets DHCP and tunnels all traffic through the server side.
Both the server and the client are Cisco/Linksys E3200 routers running dd-wrt.v24-17201_NEWD-2_K2.6_openvpn-nv60k.bin.
The Server is using the OpenVPN Server GUI configuration and the Client is using the OpenVPN Client GUI configuration.
Currently the client connects to the server successfully, and I'm able to ping/access all the machines connected on the server LAN, but the client side remains on its own IP range and subnet instead of getting DHCP from the server, and traffic is not routed through the server. I configured it through the GUI, and here are the .conf files DD-WRT created:
These are the log outputs I receive, with personal info edited out.
Server:
Quote:
20120817 09:19:24 CLIENT/"client wan IP":32770 TLS: new session incoming connection from "client wan IP":32770
20120817 09:19:25 CLIENT/"client wan IP":32770 VERIFY OK: depth=1 /C=XX/ST=XX/L=XXXX/O=x/OU=xx/CN=xxxx/name=XxXx/emailAddress=xxx@gmail.com
20120817 09:19:25 CLIENT/"client wan IP":32770 VERIFY OK: depth=0 /C=XX/ST=XX/L=XXXX/O=x/OU=xx/CN=xxxx/name=XxXx/emailAddress=xxx@gmail.com
20120817 09:19:25 CLIENT/"client wan IP":32770 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
20120817 09:19:25 CLIENT/"client wan IP":32770 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20120817 09:19:25 CLIENT/"client wan IP":32770 NOTE: --mute triggered...
20120817 09:19:28 CLIENT/"client wan IP":32770 5 variation(s) on previous 5 message(s) suppressed by --mute
20120817 09:19:28 CLIENT/"client wan IP":32770 PUSH: Received control message: 'PUSH_REQUEST'
20120817 09:19:28 CLIENT/"client wan IP":32770 SENT CONTROL [CLIENT]: 'PUSH_REPLY redirect-gateway def1 route-gateway dhcp ping 10 ping-restart 120' (status=1)
20120817 09:19:28 CLIENT/"client wan IP":32770 MULTI: Learn: 00:ff:80:8c:b2:65 -> CLIENT/"client wan IP":32770
Client:
Quote:
20120817 09:19:23 Socket Buffers: R=[114688->131072] S=[114688->131072]
20120817 09:19:23 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
20120817 09:19:23 Local Options String: 'V4 dev-type tap link-mtu 1574 tun-mtu 1532 proto UDPv4 comp-lzo cipher BF-CBC auth SHA1 keysize 128 key-method 2 tls-client'
20120817 09:19:23 Expected Remote Options String: 'V4 dev-type tap link-mtu 1574 tun-mtu 1532 proto UDPv4 comp-lzo cipher BF-CBC auth SHA1 keysize 128 key-method 2 tls-server'
20120817 09:19:23 Local Options hash (VER=V4): 'd79ca330'
20120817 09:19:23 Expected Remote Options hash (VER=V4): 'f7df56b8'
20120817 09:19:23 I UDPv4 link local: [undef]
20120817 09:19:23 I UDPv4 link remote: "Server WAN IP":1194
20120817 09:19:23 TLS: Initial packet from "Server WAN IP":1194 sid=e7da6984 5d1f0ba4
20120817 09:19:23 N TLS Error: local/remote TLS keys are out of sync: "Server WAN IP":1194 [0]
20120817 09:19:23 N TLS Error: local/remote TLS keys are out of sync: "Server WAN IP":1194 [0]
20120817 09:19:23 N TLS Error: local/remote TLS keys are out of sync: "Server WAN IP":1194 [0]
20120817 09:19:23 N TLS Error: local/remote TLS keys are out of sync: "Server WAN IP":1194 [0]
20120817 09:19:23 N TLS Error: local/remote TLS keys are out of sync: "Server WAN IP":1194 [0]
20120817 09:19:23 NOTE: --mute triggered...
20120817 09:19:23 1 variation(s) on previous 5 message(s) suppressed by --mute
20120817 09:19:23 VERIFY OK: depth=1 /C=XX/ST=XX/L=XXXX/O=x/OU=xx/CN=xxxx/name=XxXx/emailAddress=xxx@gmail.com
20120817 09:19:23 VERIFY OK: depth=0 /C=US/ST=XX/L=XXXX/O=x/OU=xx/CN=xxxx/name=XxXx/emailAddress=xxx@gmail.com
20120817 09:19:24 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
20120817 09:19:24 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
20120817 09:19:24 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
20120817 09:19:24 NOTE: --mute triggered...
20120817 09:19:24 2 variation(s) on previous 5 message(s) suppressed by --mute
20120817 09:19:24 I [CLIENT] Peer Connection Initiated with "Server WAN IP":1194
20120817 09:19:26 SENT CONTROL [CLIENT]: 'PUSH_REQUEST' (status=1)
20120817 09:19:26 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 route-gateway dhcp ping 10 ping-restart 120'
20120817 09:19:26 OPTIONS IMPORT: timers and/or timeouts modified
20120817 09:19:26 OPTIONS IMPORT: route options modified
20120817 09:19:26 OPTIONS IMPORT: route-related options modified
20120817 09:19:26 I TUN/TAP device tap1 opened
20120817 09:19:26 TUN/TAP TX queue length set to 100
20120817 09:19:26 W NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
20120817 09:19:26 I Initialization Sequence Completed
I see the "unable to redirect default gateway" error in the client log, but I can't seem to resolve it.
The TLS error "20120817 09:19:23 N TLS Error: local/remote TLS keys are out of sync: "Server WAN IP":1194 [0]" is usually not there.
Back to square one with build 18740. Both routers (server/client, using GUI mode) are on the same build. I'm able to see the network on the server side, but I'm still getting the "unable to redirect gateway" error, just like with build 17201.
You need to push a dhcp command. In the server config you would have something like:
push "dhcp-option DNS <VPN ip address of the server>"
You will also need to route the traffic that comes through the VPN:
iptables -t nat -A POSTROUTING -s <VPN subnet>/24 -o eth0 -j MASQUERADE
I managed to get things set up so that a desktop client connects to the server fully routed; however, I did not manage to get this setup to work for the DD-WRT OpenVPN client -- the gateway-redirect command causes the client router to become inaccessible to the LAN sitting behind it.
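Added example, not from the thread or from DD-WRT: a small audit script that reads a client log in the shape quoted above, pulls apart the PUSH_REPLY, and explains the "unable to redirect default gateway" warning by checking whether the server pushed a usable VPN gateway (an IP in route-gateway, or an ifconfig) and whether the DNS push the reply suggests is present. The sample log is constructed from the lines in the post; the option-name list is an assumption covering common pushed options.

```python
import re

# Constructed sample, shaped like the client log quoted in the thread
# (WAN addresses replaced by placeholders, as in the post).
CLIENT_LOG = """\
20120817 09:19:23 N TLS Error: local/remote TLS keys are out of sync: "Server WAN IP":1194 [0]
20120817 09:19:26 PUSH: Received control message: 'PUSH_REPLY redirect-gateway def1 route-gateway dhcp ping 10 ping-restart 120'
20120817 09:19:26 I TUN/TAP device tap1 opened
20120817 09:19:26 W NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
20120817 09:19:26 I Initialization Sequence Completed
"""

# Option names that may start an entry inside a PUSH_REPLY (assumed list); other tokens are arguments.
PUSH_OPTIONS = {"redirect-gateway", "route-gateway", "route", "ifconfig", "dhcp-option",
                "ping", "ping-restart", "topology", "comp-lzo", "cipher", "auth", "dev"}
PUSH_RE = re.compile(r"PUSH_REPLY[, ](.+?)'")

def parse_push_reply(line):
    """Return {option: [args]} from a PUSH_REPLY log line (comma- or space-separated)."""
    m = PUSH_RE.search(line)
    if not m:
        return None
    pushed, current = {}, None
    for tok in m.group(1).replace(",", " ").split():
        if tok in PUSH_OPTIONS:
            current = tok
            pushed.setdefault(current, [])
        elif current is not None:
            pushed[current].append(tok)
    return pushed

def audit_client_log(text):
    """Decide whether the pushed redirect-gateway could actually be applied by this client."""
    pushed, redirect_failed, tls_sync_errors = {}, False, 0
    for line in text.splitlines():
        if "PUSH_REPLY" in line:
            pushed = parse_push_reply(line) or {}
        elif "unable to redirect default gateway" in line:
            redirect_failed = True
        elif "TLS keys are out of sync" in line:
            tls_sync_errors += 1
    gw = (pushed.get("route-gateway") or [None])[0]      # None, "dhcp", or an IP address
    report = {"redirect_requested": "redirect-gateway" in pushed, "gateway_param": gw,
              "ifconfig_pushed": "ifconfig" in pushed, "dns_pushed": "dhcp-option" in pushed,
              "redirect_failed": redirect_failed, "tls_sync_errors": tls_sync_errors}
    if report["redirect_requested"] and not report["ifconfig_pushed"] and gw in (None, "dhcp"):
        report["finding"] = ("redirect-gateway pushed, but route-gateway is %s and no ifconfig "
                             "was pushed, so the client has no VPN gateway address to route to" % (gw or "absent"))
    else:
        report["finding"] = "ok"
    return report

if __name__ == "__main__":
    for key, value in audit_client_log(CLIENT_LOG).items():
        print("%-19s %s" % (key, value))
```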