I am trying to setup openvpn with an external vpn provider.
I received an id, password, keys, and certificates, and set up openvpn according to the wiki instructions.
However, once openvpn starts (I am just starting it from the command line now), I am off the network and cannot even ping other machines on my local network.
Obviously, I am doing something wrong. Where can I start to debug this issue? I know next to nothing about networking issues, I am afraid.
My setup is very simple: I have a small local network, connected to a router running tomato firmware. Openvpn seems to start successfully:
Sat Apr 28 10:16:54 2012 TUN/TAP device tun0 opened
Sat Apr 28 10:16:54 2012 /usr/sbin/ip link set dev tun0 up mtu 1500
Sat Apr 28 10:16:54 2012 /usr/sbin/ip addr add dev tun0 local 10.9.0.138 peer 10.9.0.137
Sat Apr 28 10:16:54 2012 Initialization Sequence Completed
Help is appreciated.
S.
Please post the following info:
- Output of "ip addr" and "ip route" prior to establishing the vpn connection.
- Output of "ip addr" and "ip route" after establishing the vpn connection.
- Your client-side openvpn config.
Burninate!
Here they are:
before starting openvpn:
[stefano@polus ~]$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:1d:60:ca:dc:48 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.4/24 brd 192.168.0.255 scope global eth0
inet6 fe80::21d:60ff:feca:dc48/64 scope link
valid_lft forever preferred_lft forever
[stefano@polus ~]$ ip route
default via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.4
afterwards:
Sat Apr 28 11:24:55 2012 Initialization Sequence Completed
[stefano@polus ~]$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:1d:60:ca:dc:48 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.4/24 brd 192.168.0.255 scope global eth0
inet6 fe80::21d:60ff:feca:dc48/64 scope link
valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
link/none
inet 10.9.0.138 peer 10.9.0.137/32 scope global tun0
and the conf file I am using to connect:
float
client
dev tun
proto udp
nobind
; Cert
ca /etc/openvpn/keys/ca-us.crt
ns-cert-type server
cipher BF-CBC #Blowfish
;Vpn server
remote-random
;US-server
remote us-vpn.vpntunnel.se 30001
remote us-vpn.vpntunnel.se 30002
remote us-vpn.vpntunnel.se 30003
remote us-vpn.vpntunnel.se 30004
;Auth
auth-user-pass /etc/openvpn/p.txt
persist-key
persist-tun
; Logging
comp-lzo
verb 1
That looks about right (tunnel is getting established correctly). I'm missing the output of "ip route" after you've connected the vpn though.
Burninate!
Sorry, here it is:
[stefano@polus ~]$ ip route
0.0.0.0/1 via 10.8.0.201 dev tun0
default via 192.168.0.1 dev eth0
10.8.0.1 via 10.8.0.201 dev tun0
10.8.0.201 dev tun0 proto kernel scope link src 10.8.0.202
108.59.10.145 via 192.168.0.1 dev eth0
128.0.0.0/1 via 10.8.0.201 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.4
What you describe is pretty much the way it is designed. Conceptually, you are no longer part of your local network, you are now part of the network to which you have tunneled. For all intents and purposes, you are now behind the other firewall. Internet requests come out through the remote firewall, not through your firewall. This protects the network to which you are attaching.
There are ways to configure around this, but I never have. Mostly because the networks to which I attach are my place of work and their security is important to me.
Edit: Oh, and when you are on a VPN connection, be sure to honor the use restrictions of that network. Third party sites you visit see you as being from the VPN. Likewise, if it is a work VPN, don't do things you would not do at work.
Last edited by ewaller (2012-04-28 16:51:33)
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
That all looks pretty decent to me. It should still be perfectly possible for you to make connections to other boxes on your local LAN (given that they're also in the 192.168.0.0/24 subnet). All your other connectivity will be routed over the tun0 vpn tunnel, obviously.
If I understand your initial post correctly, no connectivity is working at all? Can you post the output of the following:
- ping 192.168.0.1
- ping 8.8.8.8
- ping www.google.com
Burninate!
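The reason the LAN stays reachable while everything else goes through the tunnel is longest-prefix matching: 192.168.0.0/24 is more specific than the two /1 routes OpenVPN adds, and those /1 routes are each more specific than the original default. The following Python, added here as an illustration and not part of the thread, replays the posted route table through such a lookup; the destination addresses it tests are constructed.

```python
import ipaddress

# Copy of the "ip route" table posted above after the tunnel came up.
# Entries are (prefix, gateway or None for on-link, device).
ROUTES = [
    ("0.0.0.0/1", "10.8.0.201", "tun0"),          # added by OpenVPN: lower half
    ("0.0.0.0/0", "192.168.0.1", "eth0"),         # the original "default via"
    ("10.8.0.1/32", "10.8.0.201", "tun0"),
    ("10.8.0.201/32", None, "tun0"),
    ("108.59.10.145/32", "192.168.0.1", "eth0"),  # the VPN server itself stays on eth0
    ("128.0.0.0/1", "10.8.0.201", "tun0"),        # added by OpenVPN: upper half
    ("192.168.0.0/24", None, "eth0"),             # the LAN, on-link
]


def lookup(dst, routes=ROUTES):
    """Return (device, gateway) the kernel would pick for dst: among all
    routes whose prefix contains dst, the longest prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[2], best[1]


if __name__ == "__main__":
    for dst in ("192.168.0.1", "8.8.8.8", "108.59.10.145", "10.8.0.1"):
        dev, gw = lookup(dst)
        print(f"{dst:>16} -> {dev}" + (f" via {gw}" if gw else " (on-link)"))
```

The two /1 routes together cover the whole address space, so the provider's "redirect-gateway" style setup never has to delete the default route; the VPN server's own /32 via the LAN router is what keeps the tunnel's outer UDP packets from being routed into the tunnel.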
Ok, it may be a DNS problem. I can ping my local router (192.168.0.1) as well as Google's DNS server (I guess that's what it is: 8.8.8.8), but I get no output from pinging www.google.com
Ok, that's what I was expecting.
Everyone runs into that issue when working with openvpn the first time. Have a look at this wiki section for instructions on how to fix it.
Burninate!
Thanks, great guess. I had skipped the "Deprecated content" part of the wiki, because, well, it said it was deprecated...
But I am not there yet. I installed openresolv and restarted network services (with /etc/rc.d/network restart), but resolv.conf does NOT say that "resolv.conf states that it was generated by "resolvconf"" as the wiki page states. So I guess I may have other issues. My resolv.conf was manually modified (by me) some time ago, with the addresses of my two ISP-given DNS servers. Is that a problem?
That's no problem. What will happen (short and simplified version) is that openresolv will switch to the dns servers pushed to you from the openvpn server (store them in /etc/resolv.conf) and then rotate back to your own config when you disconnect the tunnel.
Make sure you've added the following to your openvpn config file (as documented on the wiki), otherwise nothing will happen.
script-security 2
up /usr/share/openvpn/update-resolv-conf
down /usr/share/openvpn/update-resolv-conf
Burninate!
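What the up/down script does, reconstructed in Python as an added illustration (this is not the wiki's script): OpenVPN exports each option pushed by the server as a foreign_option_N environment variable, the up script turns the DNS and DOMAIN ones into resolvconf input for a record named tun0.inet, and the down script just deletes that record. The environment below is constructed; foreign_option_N, script_type and dev are the variable names OpenVPN really sets.

```python
import ipaddress
import re

# Constructed sample of the environment OpenVPN hands to its --up script after
# the server pushed two DNS servers and a search domain (values are made up).
SAMPLE_UP_ENV = {
    "script_type": "up",
    "dev": "tun0",
    "foreign_option_1": "dhcp-option DNS 10.8.0.1",
    "foreign_option_2": "dhcp-option DNS 10.8.0.2",
    "foreign_option_3": "dhcp-option DOMAIN vpn.example",
    "foreign_option_4": "dhcp-option NBT 1",   # unrelated option, must be ignored
}


def pushed_dns(env):
    """Return (servers, domains) taken from foreign_option_N, in push order.
    Values come from the remote server, so only well-formed ones are kept."""
    numbered = []
    for key, value in env.items():
        m = re.fullmatch(r"foreign_option_(\d+)", key)
        if m:
            numbered.append((int(m.group(1)), value))   # numeric sort: _10 after _9
    servers, domains = [], []
    for _, value in sorted(numbered):
        parts = value.split()
        if len(parts) != 3 or parts[0] != "dhcp-option":
            continue
        if parts[1] == "DNS":
            try:
                servers.append(str(ipaddress.ip_address(parts[2])))
            except ValueError:
                pass                                    # not an address: drop it
        elif parts[1] == "DOMAIN" and re.fullmatch(r"[A-Za-z0-9.-]+", parts[2]):
            domains.append(parts[2])
    return servers, domains


def resolvconf_input(env):
    """The text the up script pipes into `resolvconf -a <dev>.inet`."""
    servers, domains = pushed_dns(env)
    lines = ["search " + " ".join(domains)] if domains else []
    lines += [f"nameserver {s}" for s in servers]
    return "\n".join(lines) + ("\n" if lines else "")


def resolvconf_argv(env):
    """resolvconf invocation for this script_type; -d removes the record again."""
    record = f"{env['dev']}.inet"
    if env["script_type"] == "up":
        return ["resolvconf", "-a", record]
    if env["script_type"] == "down":
        return ["resolvconf", "-d", record]
    raise ValueError(f"unexpected script_type {env['script_type']!r}")
```

Nothing in this flow copies the old /etc/resolv.conf anywhere: once the tun0.inet record is deleted, openresolv regenerates the file from its remaining interface records plus whatever /etc/resolvconf.conf declares, so a hand-edited /etc/resolv.conf is simply overwritten. Static servers that must survive the tunnel going down belong in /etc/resolvconf.conf (name_servers=), where openresolv merges them into every generated file.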
Ok, I'm halfway there. I did everything the wiki suggests, and I have these two problems:
1. Big one: openresolv does not restore my original resolv.conf setting when exiting openvpn. All I get is a resolv.conf file with the simple line "# Generated by resolvconf"
2. Slightly less annoying: I can connect to some of my VPN servers but not all of them (not at the same time, of course).
How can I solve problem (1)? From what I can see, the script in the wiki deletes the newly generated resolv.conf file with the last line:
/usr/sbin/resolvconf -d "${dev}.inet"
But where does it restore it to the previous version?
Last edited by stefano (2012-04-28 18:06:53)
It should save your existing resolv.conf file to /var/run/resolvconf and restore that one when the script is called again.
Burninate!
It does not. I have openvpn running now, and the only thing in var/run/resolv.conf is a copy of the current resolv.conf (the one with the DNSs from the VPN server).
I am very poor at shell scripting, but it does not seem to me that the script on the wiki is even meant to save *manually modified* resolv.conf files. All it seems to do is to work with DHCP information. Or am I wrong?