I have just finished setting up my VPN, and Google shows my IP to be that of my VPN, so this works fine. However, when I log in through SSH to the VPN server, it shows my last login to be that of my (non VPN'd) IP (even after multiple logins/outs). This makes me believe that not all data is passing through the VPN.
In my server.conf I have the following directives:
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
And iptables is set up with the following:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Is there a way to fix this? It
Best Answer
This is 100% expected behaviour. In order to route all traffic through your VPN connection, a default route is added with the virtual interface as a target. But this presents a problem - the network packets used to carry the VPN connection itself would also get routed to the VPN interface, creating a kind of routing loop. To resolve this a static host route to the VPN server is added using your normal Internet gateway as target. This way the packets created by OpenVPN could travel to the OpenVPN server over the Internet while everything else gets directed over the VPN link.
Because of the host route, if you try to SSH to the Internet address of your VPN server, the connection will go over your regular Internet connection and you will see your IP in the output from who or last. On the other hand, if you SSH to the other end of the VPN tunnel, your connection will appear to originate from the IP address assigned to the client's end of the tunnel.
For example, this is how a typical OpenVPN virtual interface is configured:
The remote end of the VPN tunnel in this case is 10.10.11.10. This is a BSD-style ifconfig output (actually OS X). The output on Linux is a bit different. And this is the corresponding host route (again in BSD format):
The first route directs all traffic (except the one directed to the local network 10.0.1/24) to the tun0 interface, i.e. to OpenVPN. The static route to the OpenVPN server is the one on the last line. 10.0.1.1 in this case is the Internet gateway.
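The route selection described in the answer can be reproduced with a longest-prefix-match lookup over a small routing table. This is an added example, not part of the original answer: tun0, 10.10.11.10, the 10.0.1/24 network and the 10.0.1.1 gateway are taken from the answer, while the en0 interface name, the 203.0.113.10 server address and the table itself are constructed for illustration.

```python
import ipaddress

# Constructed client routing table. VPN_SERVER_PUBLIC and "en0" are assumed
# values; the two /1 routes are what OpenVPN's "redirect-gateway def1" installs
# in place of overwriting the existing default route.
VPN_SERVER_PUBLIC = "203.0.113.10"
TUNNEL_REMOTE = "10.10.11.10"
ROUTES = [
    # (destination, gateway, interface)
    ("0.0.0.0/0", "10.0.1.1", "en0"),                # original default route
    ("0.0.0.0/1", TUNNEL_REMOTE, "tun0"),            # def1: lower half of IPv4
    ("128.0.0.0/1", TUNNEL_REMOTE, "tun0"),          # def1: upper half of IPv4
    ("10.0.1.0/24", "link", "en0"),                  # local network
    (TUNNEL_REMOTE + "/32", "link", "tun0"),         # far end of the tunnel
    (VPN_SERVER_PUBLIC + "/32", "10.0.1.1", "en0"),  # host route to VPN server
]


def lookup(dst, routes=ROUTES):
    """Return (network, gateway, interface) chosen by longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifc in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, ifc)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1], best[2]


def egress_interface(dst, routes=ROUTES):
    """Interface a packet to dst leaves through."""
    return lookup(dst, routes)[2]


def bypasses_tunnel(dst, routes=ROUTES, tun="tun0"):
    """True when traffic to dst does not enter the VPN interface."""
    return egress_interface(dst, routes) != tun


if __name__ == "__main__":
    for dst in ("8.8.8.8", "198.51.100.7", VPN_SERVER_PUBLIC, TUNNEL_REMOTE, "10.0.1.20"):
        net, gw, ifc = lookup(dst)
        print(f"{dst:15} -> {ifc:5} via {gw:12} (matched {net})")
```

On a real client the same lookup against the live table is `ip route get <address>` on Linux or `route -n get <address>` on OS X.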