I'm having trouble reaching the machines in a VPN. The server has a TAP configuration and I can successfully connect from a Windows 7 client. I've been following mainly this guide to get everything set up: http://www.howtogeek.com/60774/connect-to-your-home-network-from-anywhere-with-openvpn-and-tomato/
The strange part is that I can connect to the VPN, the server shows the connection, but I can't reach the other computers from the network when I'm doing this from Ubuntu. Do I need to manually fix some kind of bridging on the client or should Ubuntu automatically find the routes? I read somewhere that it might be blocked by the firewall but I'm positive that the firewall has been turned off on the client and on the server the firewall is obviously configured correctly or else I wouldn't be able to connect from a Windows 7 client.
The guide instructed me to go with OpenVPN 2.1.4 on Windows and that's what I've done, on Ubuntu I've used the version in the repositories and this may have caused some issue but I don't see why it would. Here below is my client.conf:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
dev tap
#dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
#proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote removed.for-sake-of.security 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca "/etc/openvpn/ca.crt"
cert "/etc/openvpn/client.crt"
key "/etc/openvpn/client.key"
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
cipher AES-128-CBC
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
Is there anything else I must configure to get my Ubuntu client to be a part of the network/have access to other machines?
UPDATE:
This is the output from the client, as you can see it seems to be stuck in a loop, restarting the connection over and over again. I copied the output from the start until the second time it says Initialization Sequence Completed. Does it help provide an answer?
Thu Jan 9 18:52:37 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jul 12 2013
Thu Jan 9 18:52:37 2014 WARNING: file '/etc/openvpn/krs-niklas.key' is group or others accessible
Thu Jan 9 18:52:37 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Jan 9 18:52:37 2014 Attempting to establish TCP connection with [AF_INET]85.225.217.161:1194 [nonblock]
Thu Jan 9 18:52:38 2014 TCP connection established with [AF_INET]85.225.217.161:1194
Thu Jan 9 18:52:38 2014 TCPv4_CLIENT link local: [undef]
Thu Jan 9 18:52:38 2014 TCPv4_CLIENT link remote: [AF_INET]85.225.217.161:1194
Thu Jan 9 18:52:38 2014 TLS: Initial packet from [AF_INET]85.225.217.161:1194, sid=444e38d7 ac8fcbca
Thu Jan 9 18:52:39 2014 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, CN=KRS, [email protected]
Thu Jan 9 18:52:39 2014 VERIFY OK: nsCertType=SERVER
Thu Jan 9 18:52:39 2014 VERIFY OK: depth=0, C=US, ST=CA, O=OpenVPN, CN=KRS, [email protected]
Thu Jan 9 18:52:41 2014 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan 9 18:52:41 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 9 18:52:41 2014 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan 9 18:52:41 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 9 18:52:41 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan 9 18:52:41 2014 [KRS] Peer Connection Initiated with [AF_INET]85.225.217.161:1194
Thu Jan 9 18:52:43 2014 SENT CONTROL [KRS]: 'PUSH_REQUEST' (status=1)
Thu Jan 9 18:52:43 2014 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway dhcp,ping 15,ping-restart 60'
Thu Jan 9 18:52:43 2014 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 9 18:52:43 2014 OPTIONS IMPORT: route-related options modified
Thu Jan 9 18:52:43 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan 9 18:52:43 2014 TUN/TAP device tap1 opened
Thu Jan 9 18:52:43 2014 TUN/TAP TX queue length set to 100
Thu Jan 9 18:52:43 2014 Initialization Sequence Completed
Thu Jan 9 18:52:49 2014 Connection reset, restarting [0]
Thu Jan 9 18:52:49 2014 SIGUSR1[soft,connection-reset] received, process restarting
Thu Jan 9 18:52:49 2014 Restart pause, 5 second(s)
Thu Jan 9 18:52:54 2014 Socket Buffers: R=[87380->131072] S=[16384->131072]
Thu Jan 9 18:52:54 2014 Attempting to establish TCP connection with [AF_INET]85.225.217.161:1194 [nonblock]
Thu Jan 9 18:52:55 2014 TCP connection established with [AF_INET]85.225.217.161:1194
Thu Jan 9 18:52:55 2014 TCPv4_CLIENT link local: [undef]
Thu Jan 9 18:52:55 2014 TCPv4_CLIENT link remote: [AF_INET]85.225.217.161:1194
Thu Jan 9 18:52:55 2014 TLS: Initial packet from [AF_INET]85.225.217.161:1194, sid=ff99a93f 04c54987
Thu Jan 9 18:52:56 2014 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=OpenVPN, CN=KRS, [email protected]
Thu Jan 9 18:52:56 2014 VERIFY OK: nsCertType=SERVER
Thu Jan 9 18:52:56 2014 VERIFY OK: depth=0, C=US, ST=CA, O=OpenVPN, CN=KRS, [email protected]
Thu Jan 9 18:52:58 2014 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan 9 18:52:58 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 9 18:52:58 2014 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan 9 18:52:58 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 9 18:52:58 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan 9 18:52:58 2014 [KRS] Peer Connection Initiated with [AF_INET]85.225.217.161:1194
Thu Jan 9 18:53:00 2014 SENT CONTROL [KRS]: 'PUSH_REQUEST' (status=1)
Thu Jan 9 18:53:00 2014 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway dhcp,ping 15,ping-restart 60'
Thu Jan 9 18:53:00 2014 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 9 18:53:00 2014 OPTIONS IMPORT: route-related options modified
Thu Jan 9 18:53:00 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan 9 18:53:00 2014 Preserving previous TUN/TAP instance: tap1
Thu Jan 9 18:53:00 2014 Initialization Sequence Completed
From the log, the client machine doesn't get a valid DHCP IP, which should usually be pushed by the server with a 'push' statement. So the client couldn't communicate with the peer (the server), and then a restart was triggered.
As you may note, 'ping 15, ping-restart 60' was pushed too; that is why "SIGUSR1" is there. Please refer to 'man openvpn' for more details.
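The restart loop and the pushed options can be picked out of the client log mechanically. The script below is an added example, not part of the question or the answer above: it triages an OpenVPN client log for the "Initialization Sequence Completed, connection reset, restart" pattern, extracts what the server pushed, flags the group/other-readable key warning that appears at the top of the log, and notes that a pushed `route-gateway dhcp` means a Linux TAP client has to obtain its address with its own DHCP client (the Windows TAP driver does this itself). The sample log is constructed to mirror the lines in the question; the key path in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): triage an OpenVPN client log.
# Every function takes the log file path as $1.

# Constructed sample log mirroring the question's output (placeholder key path).
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Thu Jan 9 18:52:37 2014 WARNING: file '/etc/openvpn/client.key' is group or others accessible
Thu Jan 9 18:52:43 2014 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 192.168.1.1,route-gateway dhcp,ping 15,ping-restart 60'
Thu Jan 9 18:52:43 2014 Initialization Sequence Completed
Thu Jan 9 18:52:49 2014 Connection reset, restarting [0]
Thu Jan 9 18:52:49 2014 SIGUSR1[soft,connection-reset] received, process restarting
Thu Jan 9 18:53:00 2014 Initialization Sequence Completed
EOF
    echo "$f"
}

# How many times the client finished initialization ("|| true" keeps grep's
# "no match" exit status from aborting a set -e caller).
count_init_complete() {
    grep -c 'Initialization Sequence Completed' "$1" || true
}

# How many soft restarts were triggered by a connection reset.
count_resets() {
    grep -c 'SIGUSR1\[soft,connection-reset\]' "$1" || true
}

# The option list the server pushed (text between PUSH_REPLY, and the closing quote).
pushed_options() {
    sed -n "s/.*PUSH_REPLY,\(.*\)'.*/\1/p" "$1" | head -n 1
}

# True when the server expects the client address to come from LAN DHCP.
# On Linux the TAP device does not request a lease on its own.
needs_dhcp_on_tap() {
    pushed_options "$1" | grep -q 'route-gateway dhcp'
}

# True when OpenVPN warned that a key file is readable by group/others.
key_permissions_weak() {
    grep -q "WARNING: file '.*' is group or others accessible" "$1"
}

# Print findings; return 1 when a connect/reset/restart loop is present.
triage() {
    log=$1
    inits=$(count_init_complete "$log")
    resets=$(count_resets "$log")
    echo "initialization completed: $inits time(s), connection resets: $resets"
    echo "pushed options: $(pushed_options "$log")"
    if key_permissions_weak "$log"; then
        echo "private key is group/other readable: restrict it to the owner (chmod 600)"
    fi
    if needs_dhcp_on_tap "$log"; then
        echo "server pushed 'route-gateway dhcp': run a DHCP client on the tap interface"
    fi
    if [ "$resets" -gt 0 ] && [ "$inits" -gt 1 ]; then
        echo "restart loop detected: completed init, then reset, then re-initialized"
        return 1
    fi
    return 0
}

# Usage: triage /path/to/openvpn-client.log
```

Run it against a real client log with `triage /var/log/openvpn.log` (path assumed); a non-zero exit means the loop from the question is present and the pushed options line tells you whether the address was supposed to arrive via DHCP.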
You can access the single node on the LAN when you connect, but not the others. Here's what's happening. Your router doesn't know how to route traffic for OpenVPN, because it's a 'foreign network'. Example:
Client A connects to OpenVPN server B.
A's assigned OpenVPN address is 172.19.0.2. The server's OpenVPN address is 172.19.0.1, but its LAN address is 192.168.0.101.
A is attempting to connect to another box on the LAN, 192.168.0.33 (C). In order for this to happen, traffic has to originate from A, transmit to B, transmit to the gateway for B (the router) and finally transmit to C.
Now, moving forward. NONE OF THIS WILL WORK IF YOU DON'T HAVE ADMIN ACCESS TO YOUR LAN ROUTER:
So first you need to turn on routing on the OpenVPN server so it can route packets to the gateway. This will vary with your OS, but you should be able to google "enable routing on _" (your OS name). Do that.
Then you need to add a static route on your router so it knows that openvpn traffic must be returned from the LAN via your openvpn server. Find the static routes section on your router configuration, and add a route. The route must match the address specification in your server config file. So if your server config file will use virtual network 10.20.0.0 with netmask 255.255.0.0, you'd add
That should do it.
Ubuntu Server 14.04.1 How To setup OpenVPN server on a separate machine than the LAN gateway (with access to other machines on server LAN)
Make sure your openvpn LAN is not the usual 192.168.1.1 or 10.0.0.1. If it is, log in to your router and change the third number, i.e. 192.168.(this number).1
Make sure to forward port 1194 on your router to the OpenVPN server IP
Example Network:
OpenVPN Config:
Edit /etc/network/interfaces:
Make sure to comment out ipv6 setting
Edit /etc/sysctl.conf:
Change:
to:
Assuming your keys and client configs are all squared away, reboot your server and you should be good to go!
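The two answers above come down to three checks: the VPN subnet must not collide with the LAN subnet, the OpenVPN server must forward packets, and the LAN router needs a static route for the VPN subnet pointing back at the server. The script below is an added example, not code from either answer: it does the subnet arithmetic in plain POSIX sh (dotted-quad to integer, netmask to prefix length, membership and overlap tests) and, if the inputs are consistent, prints the server-side `sysctl` and a Linux-syntax `ip route add` that shows what the router's static-route entry (destination, netmask, gateway) must contain. The addresses used are the ones from the example in the routing answer plus a constructed LAN subnet.

```shell
#!/bin/sh
# Added example (not from the original answers): sanity-check a routed OpenVPN
# layout and emit the forwarding/static-route commands it needs.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Dotted netmask -> prefix length (counts set bits).
mask_to_prefix() {
    m=$(ip_to_int "$1")
    n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) ))
        m=$(( m >> 1 ))
    done
    echo "$n"
}

# True when $1 lies inside network $2 with netmask $3.
in_subnet() {
    a=$(ip_to_int "$1"); n=$(ip_to_int "$2"); m=$(ip_to_int "$3")
    [ $(( a & m )) -eq $(( n & m )) ]
}

# True when net1/mask1 and net2/mask2 overlap: they agree on every bit that
# both masks cover, i.e. under the shorter of the two prefixes.
subnets_overlap() {
    n1=$(ip_to_int "$1"); m1=$(ip_to_int "$2")
    n2=$(ip_to_int "$3"); m2=$(ip_to_int "$4")
    m=$(( m1 & m2 ))
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# route_plan VPN_NET VPN_MASK LAN_NET LAN_MASK SERVER_LAN_IP
# Refuses a colliding VPN subnet or a server address outside the LAN, otherwise
# prints the commands for the server and the route the LAN router needs.
route_plan() {
    if subnets_overlap "$1" "$2" "$3" "$4"; then
        echo "refusing: VPN subnet $1/$(mask_to_prefix "$2") overlaps LAN $3/$(mask_to_prefix "$4")" >&2
        return 1
    fi
    if ! in_subnet "$5" "$3" "$4"; then
        echo "refusing: server LAN address $5 is not inside $3/$(mask_to_prefix "$4")" >&2
        return 1
    fi
    p=$(mask_to_prefix "$2")
    echo "# on the OpenVPN server (Linux): forward between the VPN interface and the LAN"
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "# on the LAN router: send return traffic for the VPN subnet via the server"
    echo "ip route add $1/$p via $5"
}

# Usage with the routing answer's addresses and a constructed 192.168.0.0/24 LAN:
#   route_plan 172.19.0.0 255.255.0.0 192.168.0.0 255.255.255.0 192.168.0.101
```

The overlap check is the programmatic form of the third answer's advice to move the LAN away from 192.168.1.0/24 if the VPN uses it; the membership test is the same one the router applies when it decides whether a packet destined for a VPN client address matches the static route.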
In the general situation, when you connect to a VPN you can access the remote LAN, but your access to the local LAN will be blocked.