Openvpn – No internet access when toggling `redirect-gateway` in OpenVPN client config

gatewayopenvpnrouterroutingsubnet

I have a router with IP 192.168.1.1 subnetting 192.168.1.0/24.

On that subnet, a Synology NAS has an IP of 192.168.1.181 and is running a VPN server using subnet 192.168.2.0/24.

When I connect a client to that server from outside both networks, I get assigned 192.168.2.6. From that client I can ping machines on 192.168.1.0/24 (192.168.1.17 & 192.168.1.181 for example) and 192.168.1.1 & 192.168.2.1.

From machines already on 192.168.1.0/24, I can ping the VPN client (192.168.2.6) after adding a static route of route add 192.168.2.0 mask 255.255.255.0 192.168.1.181 (windows).

Before adding the redirect-gateway line to the client config, I would be able to access the internet while on the VPN but was unable to access local web services like a router service or the Synology NAS web service (running within 192.168.1.0/24). I thought this was maybe because the external IP (whatmyip.org) from a VPN client showed the same external address as if I was not connected to the VPN.

After adding the redirect-gateway line to the client config, I verified I had the correct external IP (matches the 192.168.1.0/24 clients external IP) when connected but could not access external sites (google.com) but could access internal web services (192.168.1.1's & 192.168.1.181's).

What am I missing?

Weird observation, not sure why but the client (192.168.2.6) gets a DHCP & gateway server of 192.168.2.5 which as far as I know, isn't anything that exists. I can't ping it. 192.168.2.1 is definitely the VPN server and I can access it's web service (192.168.1.181 on 192.168.1.0/24).

Connected client ipconfig /all:

Description . . . . . . . . . . . : TAP-Windows Adapter V9
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.2.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Lease Obtained. . . . . . . . . . : Thursday, August 13, 2015 11:55:43 AM
Lease Expires . . . . . . . . . . : Friday, August 12, 2016 11:55:42 AM
Default Gateway . . . . . . . . . : 192.168.2.5
DHCP Server . . . . . . . . . . . : 192.168.2.5
DNS Servers . . . . . . . . . . . : 192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Best Answer

You must make sure your router has an outbound NAT entry for the VPN 192.168.2.0/24 network and that DNS has been set.

See this: https://openvpn.net/index.php/open-source/documentation/howto.html

You must redirect the gateway: push "redirect-gateway def1"

Make sure the client has DNS set or push it with openVPN using push "dhcp-option DNS x.x.x.x"

The final step as mentioned above is that your router must have outbound NAT configured for your VPN network, otherwise you won't get out onto the internet.

Related Solutions

Windows – Can’t access the internet when connected to OpenVPN server

It looks to me like the server is pushing the "redirect-gateway" option down to the client. This causes the client to use the VPN as its default gateway. Comment out the line in the server config 'push "redirect-gateway def1"'.

Woah there-- just saw your edit. You client can't be using the same IP addresses as the LAN it's connecting to. That's not going to work. One end or the other needs to use different IP addresses.

Edit:

Assuming routing is configured properly on your Windows Server 2003 machine (per the www.itsatechworld.com page you referenced), you should be able to PING the Windows Server 2003 machine and Windows Vista machine by their LAN IPs via the VPN. If you can, then you've got routing right on the Windows Server 2003 and DD-WRT machines and you can proceed. If not, then you need to start tracking down why either (1) PING traffic coming off the OpenVPN tunnel isn't getting to the destination, or (b) why PING replies from the destination host aren't coming back. You may end up putting something like Wireshark on your Windows Vista machine to see if the PING requests are even getting there (since PING can't tell you if your request is being received and the reply is just being lost).

Once you've got IP connectivity across the VPN working fine. I'd recommend installing the DNS and WINS services on your Windows Server 2003 VPN server computer and configuring the server computer and the Windows Vista home computer to use that machine for WINS and DNS. You can either add your ISP's DNS as a "forwarded" on the Windows Server 2003 machine, or leave the stock "root hints" configured to allow it to resolve Internet names. In your OpenVPN server configuration, add the following line right after the 'push "dhcp-option DNS 192.168.1.1" line:

push "dhcp-option WINS 192.168.1.1"

This is going to get the remote clients taking to the WINS and DNS servers on your Windows Server 2003 machine, and should get you both DNS and NetBIOS name resolution.

If you're not using an Active Directory domain at home, you'll probably want to setup a standard forward lookup zone on the Windows Server 2003 DNS server for your Windows Server 2003 and Windows Vista machines to register into. You'll want to grant clients permission to dynamically update records (albeit insecurely) when you create this zone. You should add the option "DNS domain name" (option 15) to your DHCP scope at home so that your client computers there pick up the right DNS domain name suffix. (If you're using DD-WRT for DNS then I can't tell you how to do that. I'm an OpenWRT guy, and I manage my WRT54G from the command line. I'd recommend running DHCP from the Windows Server 2003 machine anyway, but I just like that DHCP server more.)

If you are using an Active Directory domain you'll already have a forward lookup zone created in DNS. Since your remote VPN clients aren't members of your domain, though, they won't be able to register in DNS under the stock security settings that Windows Server sets on the DNS zone (at least, if you let it create the zone during DCPROMO). It's insecure, but if you want to allow them to register you could either (a - less secure) chang the permission on the zone to allow insecure registrations, or (b - more secure but still insecure) create A and PTR records for them and modify the permission on each of those records to allow anyone to update them.

It sounds like this is a home networking thing, and it's really a good learning opportunity for a lot of things-- IP routing, VPNs, name resolution. Perhaps you're looking for it to "just work" and not as a learning opportunity, in which case I can only offer my apologies and say that these things just aren't "turnkey" yet.

Problem linking two Cisco routers with a static route

Because the external interface on R2 is on the same LAN as the clients on 192.168.1.0/24, you'd need a route on each client on 192.168.1.0/24 to route to 192.168.2.0/24 via 192.168.1.2. That should do the trick (assuming R2 is routing, not NAT, and has no firewall.)

If I were you, I'd throw the link between the two routers into its own administrative VLAN and then you could route through this VLAN.

Best Answer

Related Solutions

Windows – Can’t access the internet when connected to OpenVPN server

Problem linking two Cisco routers with a static route

Related Topic