DaemonForums
OpenBSD Security

#1
10th September 2015
Peter_APIIT

OpenVPN No Route To Host

Dear All,

I have tried to configure my gateway using an OpenVPN connection, but there is no route to host when pinging the DNS server.

Quote:
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
0/1 10.9.1.121 UGS 0 64 - 8 tun1
default 60.53.43.254 UGS 5 128650 - 8 pppoe0
10.9.0.1/32 10.9.1.121 UGS 0 0 - 8 tun1
10.9.1.121 10.9.1.122 UH 3 0 - 4 tun1
10.9.1.122 10.9.1.122 UHl 0 0 - 1 lo0
60.53.42.149 60.53.42.149 UHl 0 0 - 1 lo0
60.53.43.254 60.53.42.149 UH 1 0 - 4 pppoe0
loopback localhost UGRS 0 0 32768 8 lo0
localhost localhost UHl 3 7035 32768 1 lo0
128/1 10.9.1.121 UGS 0 200 - 8 tun1
172.16.1/24 link#1 C 0 0 - 4 vr0
172.16.1.1 00:0d:88:17:bf:49 HLl 2 47384 - 1 lo0
172.16.1.255 link#1 HLb 0 0 - 1 vr0
178.162.193.233/32 60.53.43.254 UGS 0 0 - 8 pppoe0
BASE-ADDRESS.MCAST localhost URS 0 0 32768 8 lo0

May I know what is wrong with it?
Should I edit the packet filter firewall?

By the way, this is my current pf configuration.
Quote:
###################################################################################
match on pppoe0 scrub (reassemble tcp,random-id,no-df,max-mss 1440,min-ttl 64)
match out on pppoe0 inet from !(egress:network) to any nat-to (pppoe:0)

antispoof log for {$ext_if,$int_if}

block drop log

pass out on {pppoe0,$ext_if,$int_if} inet proto tcp modulate state
pass out on {pppoe0,$ext_if,$int_if} inet proto udp keep state
pass out on {pppoe0,$ext_if,$int_if} inet proto icmp all icmp-type echoreq keep state

# No Proxy #############

#Allow internal lan enter gateway
pass in log on $int_if inet proto tcp from any to any port $tcp modulate state (max 40,source-track rule,max-src-nodes 40,max-src-states 40,max-src-conn 30,max-src-conn-rate 20/20)

pass in log on $int_if proto udp from any to any port $udp keep state (max 40,source-track rule,max-src-nodes 40,max-src-states 40,max-src-conn 30,max-src-conn-rate 20/20)

Please enlighten me on this.
#2
10th September 2015
Oko

I noticed that you have a block drop log line in pf.conf. The client has to be able to pass out traffic on the tun interface as well as being able to pass out UDP port 1194. The server has to accept connections on 1194. The server also has to allow traffic on its tun interface. You can treat the tun interface as a regular interface and tie up more restrictive rules.

Last edited by Oko; 14th September 2015 at 02:56 AM.
#3
13th September 2015
Peter_APIIT

I have pass out for tun0 and am doing NAT for the tun0 interface as well. What is pass out dup port1194?
I have configured the OpenVPN server and client on the same OpenBSD router.

Does this configuration make sense?
The purpose of setting up my own OpenVPN server is to avoid the slow OpenVPN speed of free VPN providers and to avoid subscribing to an expensive OpenVPN plan.

Please enlighten me on this.
#4
14th September 2015
Oko

Quote:
Originally Posted by Peter_APIIT
I have pass out for tun0 and am doing NAT for the tun0 interface as well. What is pass out dup port1194?
I have configured the OpenVPN server and client on the same OpenBSD router.

Does this configuration make sense?
The purpose of setting up my own OpenVPN server is to avoid the slow OpenVPN speed of free VPN providers and to avoid subscribing to an expensive OpenVPN plan.

Please enlighten me on this.
I meant to say udp 1194. What do you mean by doing NAT for tun0? You should have only one line in pf before you debug, which reads

Code:
pass on tun0
Also
Code:
# more /etc/hostname.tun0
up link0
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/server-apollo.conf
Finally, here is the server-apollo.conf configuration file

Code:
local xxx.xxx.xxx.xxx # replace xxx with the IP address on which you are listening
proto udp
dev tun

ca /etc/openvpn/ca.crt
cert /etc/openvpn/apollo.crt
key /etc/openvpn/private/apollo.key  # This file should be kept secret

dh dh2048.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.6.0 255.255.255.0" # This is very important line 192.168.6.0/24 is my LAN network
client-to-client # My clients can talk to each other
keepalive 10 120
tls-auth /etc/openvpn/private/ta.key 0
cipher AES-256-CBC
comp-lzo
max-clients 20
user _openvpn
group _openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3
There is one extra line if you want Windows as a client. By the way, the above runs on OpenBSD 5.7 amd64.

Last edited by Oko; 14th September 2015 at 03:11 AM.
#5
14th September 2015
Peter_APIIT

Thanks for the brief explanation. By the way, you still have not answered my question.

Questions:
I want to set up an OpenVPN server on my OpenBSD router. I don't want to use the free service because it is very slow, and I don't have much budget to subscribe to a VPN plan.

Can the OpenVPN server and client run on the same machine (gateway) on OpenBSD? Meaning all outgoing internet connections would use the VPN tunnel.

None of my internal LAN machines would need to install OpenVPN. Thanks.
#6
14th September 2015
jggimi

Quote:
Originally Posted by Peter_APIIT
Can the OpenVPN server and client run on the same machine (gateway) on OpenBSD? Meaning all outgoing internet connections would use the VPN tunnel.
This indicates you do not understand what a VPN is, nor how one functions.

A VPN is established between two or more endpoints.

The graphic in https://en.wikipedia.org/wiki/Virtual_private_network will help, even if the text is beyond your comprehension.
#7
14th September 2015
Oko

Quote:
Originally Posted by jggimi
This indicates you do not understand what a VPN is, nor how one functions.
+1
#8
16th September 2015
Peter_APIIT

Quote:
Originally Posted by jggimi
A VPN is established between two or more endpoints.
First, thanks jggimi for pointing to the reference material.

Questions:
1. Can the OpenVPN server run on the gateway with the client connecting from the internal LAN, or must it be on the WAN (endpoints)?

2. I need to understand how the connection is sent after the VPN connection has been established to the VPN server.

Client ------------> VPN Server (Packet Authentication HMAC finished)

Does all the internet traffic need to go through the VPN server, or does the client interact with the internet directly?

Client -------> VPN Server --------> Internet

Thanks.

Last edited by Peter_APIIT; 16th September 2015 at 05:28 AM.
#9
16th September 2015
jggimi

I'll try to keep this simple.

Imagine you are standing in a room that has a dozen computers in it. Imagine you are holding a single networking cable in your hands. That cable has two ends:

Let us imagine that you connect each end of this cable into two of the computers. The two computers are able to send signals back and forth, over this single cable. None of the other ten computers in the room has access to the signals travelling over the cable. The two computers are able to use this cable to communicate privately. They use this cable as a private network.

Imagine now, that you unplug the cable from those two computers, and carry it to a third computer. Now, imagine that you plug both ends of that cable into Ethernet ports on that single, third computer. Note that the third computer can't really use that cable for anything but talking to itself. It can't talk to any other computers in the room with it.

---

That imaginary room is the Internet. That imaginary cable is a VPN.

---

You keep asking how to plug both ends of a single cable into one computer, or into two computers in your home, then use that to communicate with other computers privately on the Internet. You don't. You can't.

-------------------------
Edited to add:

If you hire a third party VPN service, it's the same as hiring a local ISP from a security/privacy standpoint. Your communications exiting and entering the remote endpoint can still be monitored. And, depending on how encryption keys for the VPN are managed, the privacy of communication "tunnelled" within the VPN -- the virtual cable -- may be exposed. Lastly, the cable is only virtual. Encrypted traffic is still traffic. Metadata such as ip addresses, protocol, and port may disclose the VPN and its endpoints, and "side channel" metadata such as packet length and timing may disclose the type of communications being conducted.

Third party VPN service provider security/privacy was discussed with you previously, beginning here.

Last edited by jggimi; 16th September 2015 at 07:25 PM. Reason: clarity, security discussion added.
16th September 2015
jggimi

I revised the post above, in case you missed it.
18th September 2015
Peter_APIIT

The concept of Internet and intranet using a room as the boundary is well explained. Moreover, connection information leaks such as the IP address, and metadata such as packet length and timing.

Moreover, a reliable/trustworthy ISP provider and .... is what to depend on.

Problem solved. Thread closed.