Posted: Sat Mar 01, 2014 8:45 Post subject: OpenVPN: Connection ok, no internet access
Hey guys. Since January I've been trying to create a VPN setup which allows me to access my home network from outside (especially my NAS) and also be able to browse the internet while connected.
Here's what is working so far:
I can connect with my cellphone over 3G, or with my Windows 7 machine from university, to my home network and access all my NAS stuff (FreeNAS, ownCloud, Plex media server). But accessing anything outside my LAN just results in a timeout. I've googled a lot and it seems like many people have this problem. I'm sure the routing is wrong or something like this, but I can't figure out what I need to do. Hopefully someone can help me; it's really depressing now (after 3 months' worth of weekends).
Check the attached picture for my network topology.
Server config (DD-WRT): see attached file, plus the additional config:
Code:
push "route 192.168.2.1 255.255.255.255 net_gateway"
push "dhcp-option DNS 192.168.1.0"
push "dhcp-option DNS 192.168.2.0"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
(Yes, I tried desperately; that's why there are so many options. It's a random collection of what I've tried.)
Client config:
Code:
setenv IV_GUI_VER "de.blinkt.openvpn 0.6.9a"
machine-readable-output
client
verb 4
connect-retry-max 5
connect-retry 5
resolv-retry 60
dev tun
remote #myip 1194 udp
comp-lzo
route-ipv6 ::/0
route 0.0.0.0 0.0.0.0 vpn_gateway
# Use system proxy setting
management-query-proxy
# Custom configuration options
# You are on your own here :)
ns-cert-type server
And here's the log on dd-wrt from when I connect with my cellphone and try to browse the web:
Code:
20140301 09:36:16 I andro_client1/#cell_ip#:18257 [andro_client1] Inactivity timeout (--ping-restart) restarting
20140301 09:36:16 andro_client1/#cell_ip#:18257 SIGUSR1[soft ping-restart] received client-instance restarting
20140301 09:37:33 #cell_ip#:18257 TLS: Initial packet from [AF_INET]#cell_ip#:18257 sid=e311d3cb 1ab176f6
20140301 09:37:37 #cell_ip#:18257 VERIFY OK: depth=1 C=## ST=## L=###### O=####### CN=####### emailAddress=#######
20140301 09:37:37 #cell_ip#:18257 VERIFY OK: depth=0 C=## ST=## L=###### O=####### CN=####### emailAddress=#######
20140301 09:37:38 #cell_ip#:18257 NOTE: --mute triggered...
20140301 09:37:38 #cell_ip#:18257 5 variation(s) on previous 3 message(s) suppressed by --mute
20140301 09:37:38 I #cell_ip#:18257 [andro_client1] Peer Connection Initiated with [AF_INET]#cell_ip#:18257
20140301 09:37:38 I andro_client1/#cell_ip#:18257 MULTI_sva: pool returned IPv4=192.168.2.2 IPv6=(Not enabled)
20140301 09:37:38 andro_client1/#cell_ip#:18257 MULTI: Learn: 192.168.2.2 -> andro_client1/#cell_ip#:18257
20140301 09:37:38 andro_client1/#cell_ip#:18257 MULTI: primary virtual IP for andro_client1/#cell_ip#:18257: 192.168.2.2
20140301 09:37:40 andro_client1/#cell_ip#:18257 PUSH: Received control message: 'PUSH_REQUEST'
20140301 09:37:40 I andro_client1/#cell_ip#:18257 send_push_reply(): safe_cap=940
20140301 09:37:40 andro_client1/#cell_ip#:18257 SENT CONTROL [andro_client1]: 'PUSH_REPLY redirect-gateway def1 route 102.168.2.100 255.255.255.255 net_gateway dhcp-option DNS 192.168.1.0 dhcp-option DNS 192.168.2.0 dhcp-option DNS 208.67.222.222 dhcp-option DNS 208.67.220.220 route-gateway 192.168.2.1 topology subnet ping 10 ping-restart 120 ifconfig 192.168.2.2 255.255.255.0' (status=1)
20140301 09:37:50 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20140301 09:37:50 D MANAGEMENT: CMD 'state'
20140301 09:37:50 MANAGEMENT: Client disconnected
20140301 09:37:50 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20140301 09:37:50 D MANAGEMENT: CMD 'state'
20140301 09:37:50 MANAGEMENT: Client disconnected
20140301 09:37:51 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20140301 09:37:51 D MANAGEMENT: CMD 'state'
20140301 09:37:51 MANAGEMENT: Client disconnected
20140301 09:37:51 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20140301 09:37:51 D MANAGEMENT: CMD 'status 2'
20140301 09:37:51 MANAGEMENT: Client disconnected
20140301 09:37:51 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:14
20140301 09:37:51 D MANAGEMENT: CMD 'log 500'
19700101 00:00:00
Clientlog
The "client disconnected" / "client connected from" messages are very weird. They pop up whenever I refresh the log page on my DD-WRT router; I can tell that by the timestamp. As long as I don't refresh the page, no such logs are created.
Thanks for any help in advance!
Last edited by crazydude on Sat Mar 01, 2014 17:36; edited 1 time in total
push "dhcp-option DNS 192.168.1.0"
push "dhcp-option DNS 192.168.2.0"
The above can't possibly be correct. .0 addresses are reserved for special purposes. If you don't have a local DNS server on your home network, just specify a public DNS for now (e.g., Google):
push "dhcp-option DNS 8.8.8.8"
Even that is optional if you're willing to use the DNS server of the client's local ISP. Some would consider this a "DNS leak", but whether anyone cares is obviously subjective.
The purpose of this directive is to route that one host out the WAN rather than the VPN. It almost looks like it was supposed to be 192.168.2.1 rather than 102.168.2.1 as well. It’s impossible to know if this was your intent or perhaps a misunderstanding of its purpose.
That’s why it’s best to eliminate such things and thus simplify your configuration whenever you have basic problems w/ connectivity.
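As an added example (my own script, not part of this thread or of DD-WRT), here is the check eibgrad does by hand, as a POSIX sh linter for the push directives in an OpenVPN server config. It assumes the LAN and DNS servers live in /24 networks, so a DNS address whose last octet is 0 or 255 is a network or broadcast address rather than a host, and it also flags a "route X ... net_gateway" entry whose target X is a private (RFC 1918) address, since that directive sends the host around the tunnel rather than through it; whether that is intended is for the reader to judge.

```shell
#!/bin/sh
# Added example, not from the thread: lint the push "..." directives of an
# OpenVPN server config. Assumptions: /24 LANs (so a DNS address ending in .0
# or .255 cannot be a host) and that routing a private address via net_gateway
# is usually a mistake rather than a deliberate exclusion from the tunnel.

# Succeed if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            '' | *[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print one line per problem found in the push directives of config file $1.
lint_push() {
    # Pull the quoted payload out of every  push "..."  line.
    sed -n 's/^[[:space:]]*push[[:space:]]*"\(.*\)".*/\1/p' "$1" |
    while read -r kind a b c rest; do
        case $kind in
        dhcp-option)
            [ "$a" = DNS ] || continue
            if ! is_ipv4 "$b"; then
                echo "DNS: '$b' is not an IPv4 address"
            else
                case ${b##*.} in
                0 | 255) echo "DNS: $b ends in .${b##*.}; in a /24 that is the network or broadcast address, not a server" ;;
                esac
            fi
            ;;
        route)
            is_ipv4 "$a" || echo "route: '$a' is not an IPv4 address"
            # OpenVPN defaults the netmask to 255.255.255.255 when it is omitted.
            [ -z "$b" ] || is_ipv4 "$b" || echo "route: '$b' is not a netmask"
            if [ "$c" = net_gateway ]; then
                case $a in
                10.* | 192.168.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[01].*)
                    echo "route: $a via net_gateway sends that private host around the tunnel, not through it; check that this is intended" ;;
                esac
            fi
            ;;
        esac
    done
}

# Stand-alone usage: lint_push.sh /path/to/openvpn-server.conf
if [ "$#" -gt 0 ]; then
    lint_push "$1"
fi
```

Run against the five push lines from the first post (with the 102 typo already corrected to 192.168.2.1), it reports the two .0 DNS addresses and the net_gateway route; the two OpenDNS entries pass.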
Hey eibgrad, thanks for your effort.
"102.168.2.1" is a typo; I thought I had edited it, sorry. Of course it's meant to be "192.168.2.1".
Well, basically the "Additional Configs" field was empty initially. Since I had no internet on the client side, I started adding options from what I'd read on different forums. I now tried this simple config:
Code:
push "route 192.168.2.1 255.255.255.255"
push "dhcp-option DNS 8.8.8.8"
Well, the SPI firewall is on and iptables is in use, I guess (I never changed anything there). I also tried it with the SPI firewall disabled and it did not help. On the client side my Windows machine has the Windows firewall, and the Android cellphone, which I'm currently using for testing, has nothing but basic iptables as far as I know.
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
and tried it with my Windows client (didn't have it over the weekend). I could connect as usual and I was also able to view web pages which I'd already visited before. This sounds pretty much as if the DNS resolution doesn't work. Windows can probably access the pages I've visited earlier with information from its DNS cache.
Then I tried to ping the DNS server 8.8.8.8, for instance, or the OpenDNS servers, and I got no response. This is really weird since web traffic does pass through. For example, I can google any word or sentence, but I can't open any of the results unless I already did so earlier.
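An added check, not from the thread and not a claim about what is wrong in this particular setup: the PUSH_REPLY in the log already carries `redirect-gateway def1`, so the client is being told to send all traffic into the tunnel, and the next thing a practitioner would verify is the router side, namely whether packets arriving on the tun device are allowed through the FORWARD chain to the WAN and are NATed on the way out. The POSIX sh script below (my own example) parses `iptables-save` output and answers both questions. The two rule sets are constructed samples; the device name tun0, the subnet 192.168.2.0/24 (the pool the log hands out) and the WAN name ppp0 are assumptions, and on a DD-WRT router the real WAN interface name comes from `nvram get wan_iface`.

```shell
#!/bin/sh
# Added example, not from the thread: decide from iptables-save output whether a
# router forwards VPN client traffic to the internet and NATs it on the way out.
# Assumptions: tun device tun0, tunnel subnet 192.168.2.0/24, WAN interface ppp0
# in the samples; `nvram get wan_iface` gives the WAN name on DD-WRT.

# Succeed if the nat table in $1 has a POSTROUTING MASQUERADE/SNAT rule leaving
# interface $3 that applies to subnet $2, either via an explicit "-s $2" or
# because the rule has no -s match at all.
nat_covers() {
    subnet=$2
    wan=$3
    printf '%s\n' "$1" | while read -r line; do
        case $line in
        "-A POSTROUTING "*"-o $wan "*"-j MASQUERADE"* | "-A POSTROUTING "*"-o $wan "*"-j SNAT"*)
            case $line in
            *"-s "*) case $line in *"-s $subnet "*) echo match ;; esac ;;
            *) echo match ;;
            esac
            ;;
        esac
    done | grep -q match
}

# Succeed if the filter table in $1 lets packets entering on $2 be forwarded out
# of $3: FORWARD policy ACCEPT, or an ACCEPT rule matching -i $2 that names
# either -o $3 or no output interface.
forward_allowed() {
    tun=$2
    wan=$3
    printf '%s\n' "$1" | while read -r line; do
        case $line in
        ":FORWARD ACCEPT"*) echo match ;;
        "-A FORWARD "*"-i $tun "*"-j ACCEPT"*)
            case $line in
            *"-o "*) case $line in *"-o $wan "*) echo match ;; esac ;;
            *) echo match ;;
            esac
            ;;
        esac
    done | grep -q match
}

# Constructed sample: a rule set under which VPN clients reach the internet.
SAMPLE_OK='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o ppp0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -o br0 -j ACCEPT
-A FORWARD -i tun0 -o ppp0 -j ACCEPT
COMMIT'

# Constructed sample with the symptom described in the thread: tun0 may reach
# the LAN bridge br0, but nothing forwards it to the WAN or NATs the tunnel subnet.
SAMPLE_LAN_ONLY='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i tun0 -o br0 -j ACCEPT
COMMIT'

# Print findings for one rule set; return 0 only when both checks pass.
report() {
    rules=$1; tun=$2; subnet=$3; wan=$4
    ok=0
    if forward_allowed "$rules" "$tun" "$wan"; then
        echo "FORWARD $tun -> $wan: allowed"
    else
        echo "FORWARD $tun -> $wan: BLOCKED"; ok=1
    fi
    if nat_covers "$rules" "$subnet" "$wan"; then
        echo "NAT for $subnet via $wan: present"
    else
        echo "NAT for $subnet via $wan: MISSING"; ok=1
    fi
    return $ok
}

# With --live, inspect the DD-WRT router this runs on; otherwise show both samples.
if [ "${1:-}" = --live ]; then
    echo "ip_forward: $(cat /proc/sys/net/ipv4/ip_forward)"
    report "$(iptables-save)" tun0 "${2:-192.168.2.0/24}" "$(nvram get wan_iface)" || :
else
    echo "== sample: working =="; report "$SAMPLE_OK" tun0 192.168.2.0/24 ppp0 || :
    echo "== sample: LAN only =="; report "$SAMPLE_LAN_ONLY" tun0 192.168.2.0/24 ppp0 || :
fi
```

If the live run on the router prints BLOCKED or MISSING while the client's pushed routes look right, the problem is on the router rather than in the client config; if both pass and ip_forward is 1, the tunnel side of the router is fine and the search moves elsewhere (DNS reachability from the client, or the path between the tun device and the WAN).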