
I have a CentOS 6 (64-bit) machine that I installed OpenVPN on.

I want to set up OpenVPN internally as a VPN to replace QuickVPN (it's horrible and fragile, only randomly works on Windows 8.x, and isn't even supported by Cisco any more).

I can't access the internet when on the OpenVPN connection. I have the following iptables rule in place:

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

I am connecting as 192.168.2.6.

Also, is there a way to set OpenVPN to use my DHCP/DNS server on 192.168.2.10?

SERVER.CONF:

$ cat /etc/openvpn/server.conf
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 192.168.2.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.2.10"
push "dhcp-option DNS 8.8.8.8"
push "route 0.0.0.0 255.255.255.255 192.168.2.254"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
Comment: You need to set up a bridge. (Commented Jan 20, 2014 at 15:38)

2 Answers


Networking

It looks like you're assigning your clients to the same subnet as your main network. When you use tun as your device, your server gives each client a /30 block.

I think some of your numbering choices come from the way you would set up an OpenVPN server with a tap device (bridge) instead of tun. I've had better performance using tun devices than tap (bridge) devices for the home network, though I don't have any numbers to back up that feeling.

If you were to change your server directive to server 192.168.3.0 255.255.255.0, then your server would have an IP of 192.168.3.1/24 in addition to its normal 192.168.2.x address. I'm not sure why it insists on the .1. It hasn't done me any harm, so I haven't pursued changing it. When your client machine connects, it would then be given an address like 192.168.3.6.

You don't need to specify the gateway for the route you're pushing. Saying push "route 192.168.1.0 255.255.255.0" should do it. If you're always going to be redirecting a client's traffic through the server, this will be redundant.

Make sure that routing is enabled on your machine:

echo 1 > /proc/sys/net/ipv4/ip_forward 

To make this change persistent after a restart, open /etc/sysctl.conf for editing and set the value of net.ipv4.ip_forward to 1.

When client machines attempt to speak to the internet and beyond, they will need to go through the FORWARD chain in iptables. You can use this to tweak exactly how much access you want VPN clients to have to your network or the internet.

DNS

As far as DNS goes, I would only push the one DNS server to remote clients once you've made sure that they can connect. This should be read by Windows clients right off the bat, but for Linux it needs an adjustment to the configuration file plus a few supporting scripts.

Grabbing my response to another similar topic on OpenVPN and DNS on Linux (NetworkManager is not changing /etc/resolv.conf after openvpn dns push):

For connecting to my home network (using Fedora 18 at the time), I used a script by gronke on GitHub (https://github.com/gronke/OpenVPN-linux-push) to automate the updating process.

To use these scripts, I added the following to my OpenVPN client file:

up /home/gadgeteering/tools/vpn/up.sh
down /home/gadgeteering/tools/vpn/down.sh

Make sure that the client has permission to run these scripts using chmod.

up.sh:

#!/bin/bash
# Called by OpenVPN with the tun device name as the first argument.
DEV=$1
if [ ! -d /tmp/openvpn ]; then
    mkdir /tmp/openvpn
fi
# Per-device cache of the nameservers we added, so down.sh can remove them again.
CACHE_NAMESERVER="/tmp/openvpn/$DEV.nameserver"
echo -n "" > "$CACHE_NAMESERVER"
dns=dns
# OpenVPN exports each pushed option as foreign_option_1, foreign_option_2, ...
for opt in ${!foreign_option_*}
do
    eval "dns=\${$opt#dhcp-option DNS }"
    # Only act on options that looked like "dhcp-option DNS a.b.c.d"
    if [[ $dns =~ [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} ]]; then
        if [ ! -f /etc/resolv.conf.default ]; then
            cp /etc/resolv.conf /etc/resolv.conf.default
        fi
        # Keep the non-nameserver lines, put the pushed server first, then the old ones.
        grep -v ^# /etc/resolv.conf | grep -v ^nameserver > /tmp/resolv.conf
        echo "nameserver $dns" >> /tmp/resolv.conf
        echo "$dns" >> "$CACHE_NAMESERVER"
        grep -v ^# /etc/resolv.conf | grep -v "nameserver $dns" | grep nameserver >> /tmp/resolv.conf
        mv /tmp/resolv.conf /etc/resolv.conf
    fi
done

down.sh:

#!/bin/bash
DEV=$1
CACHE_NAMESERVER="/tmp/openvpn/$DEV.nameserver"
echo "$CACHE_NAMESERVER"
if [ -f "$CACHE_NAMESERVER" ]; then
    # Remove every nameserver that up.sh recorded for this device.
    for ns in $(cat "$CACHE_NAMESERVER"); do
        echo "Removing $ns from /etc/resolv.conf"
        grep -v "nameserver $ns" /etc/resolv.conf > /tmp/resolv.conf
        mv /tmp/resolv.conf /etc/resolv.conf
    done
fi

You don't need a bridge, plus with a bridge you would need tap support.

Try setting this to match your network instead of 0.0.0.0

e.g. push "route 192.168.0.0 255.255.255.0"

and check your iptables rules; I use this (192.168.150.0 is my VPN subnet):

iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT

iptables -I FORWARD 1 --source 192.168.150.0/24 -j ACCEPT
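Both answers boil down to the same two checks: with dev tun the server directive must not hand out addresses from the LAN's own subnet, and the pushed route should name the LAN rather than 0.0.0.0. The script below is an added example, not code from either answer or the OpenVPN project: it parses the routing-related directives of a server.conf, flags those two problems against a LAN you name (the question's LAN, 192.168.2.0/24, is assumed), and emits the iptables lines from the two answers plus the question's NAT rule as strings, with a lan_only variant (my addition, not on the page) that forwards VPN clients to the LAN only. The sample configuration is constructed from the question's directives; nothing here touches the live firewall.

```python
import ipaddress

# Constructed sample: the directives from the question's server.conf that decide
# routing and DNS behaviour (certificate, plugin and tuning lines are omitted).
SAMPLE_SERVER_CONF = """\
port 1194 #- port
proto udp #- protocol
dev tun
server 192.168.2.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.2.10"
push "dhcp-option DNS 8.8.8.8"
push "route 0.0.0.0 255.255.255.255 192.168.2.254"
"""


def parse_server_conf(text):
    """Parse the few server.conf directives this check needs.

    Returns {"dev": str|None, "server": IPv4Network|None, "push": [str, ...]}.
    Comments ('#' or ';' to end of line) and blank lines are ignored.
    """
    cfg = {"dev": None, "server": None, "push": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, _, arg = line.partition(" ")
        arg = arg.strip()
        if key == "dev":
            cfg["dev"] = arg
        elif key == "server":
            net, mask = arg.split()
            cfg["server"] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        elif key == "push":
            cfg["push"].append(arg.strip('"'))
    return cfg


def check_config(cfg, lan):
    """Return the problems the two answers point at, as readable strings.

    lan is the LAN behind the server in CIDR form, e.g. '192.168.2.0/24'.
    An empty list means the routing-related directives look consistent.
    """
    lan = ipaddress.ip_network(lan)
    problems = []
    srv = cfg["server"]
    # Answer 1: a tun server needs its own subnet, not a slice of the LAN.
    if cfg["dev"] and cfg["dev"].startswith("tun") and srv is not None and srv.overlaps(lan):
        problems.append(
            f"server subnet {srv} overlaps the LAN {lan}; with dev tun the VPN "
            f"needs its own subnet (answer 1 suggests 192.168.3.0/24)"
        )
    for opt in cfg["push"]:
        fields = opt.split()
        # Answer 2: the pushed route should name the LAN, not 0.0.0.0.
        if fields[:1] == ["route"] and fields[1:2] == ["0.0.0.0"]:
            problems.append(
                f'push "{opt}" names 0.0.0.0 instead of the LAN; use '
                f'push "route {lan.network_address} {lan.netmask}"'
            )
        # Answer 1: the gateway argument on a pushed route is not needed.
        elif fields[:1] == ["route"] and len(fields) == 4:
            problems.append(f'push "{opt}" carries a gateway; the gateway is not needed')
    return problems


def firewall_rules(vpn_net, lan, wan_if="eth0", port=1194, proto="udp", lan_only=False):
    """Build the iptables commands from the two answers and the question's NAT rule.

    lan_only=True (hypothetical variant, not from the page) admits VPN clients to
    the LAN only and omits MASQUERADE, i.e. the least-privilege reading of
    'tweak exactly how much access you want VPN clients to have'.
    """
    vpn_net = ipaddress.ip_network(vpn_net)
    lan = ipaddress.ip_network(lan)
    rules = [f"iptables -I INPUT 1 -p {proto} --dport {port} -j ACCEPT"]
    if lan_only:
        rules.append(f"iptables -I FORWARD 1 -s {vpn_net} -d {lan} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -s {vpn_net} -j DROP")
    else:
        rules.append(f"iptables -I FORWARD 1 -s {vpn_net} -j ACCEPT")
        rules.append(f"iptables -t nat -A POSTROUTING -s {vpn_net} -o {wan_if} -j MASQUERADE")
    return rules


if __name__ == "__main__":
    cfg = parse_server_conf(SAMPLE_SERVER_CONF)
    for p in check_config(cfg, "192.168.2.0/24"):
        print("PROBLEM:", p)
    for r in firewall_rules("192.168.3.0/24", "192.168.2.0/24"):
        print(r)
```

Run against the question's directives it reports the subnet overlap and the 0.0.0.0 route; change the server line to 192.168.3.0 255.255.255.0 and the route to 192.168.2.0 255.255.255.0 and it reports nothing. The generated rules still need ip_forward set to 1, as answer 1 notes, and the DROP in the lan_only variant only matters if your FORWARD policy is ACCEPT.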
