Sending all traffic through the VPN?

Got a problem with Viscosity or need help? Ask here!

jmj75

Posts: 1
Joined: Wed Nov 05, 2008 3:11 am

Post by jmj75 » Wed Nov 05, 2008 4:38 am
Routing all traffic through OpenVPN (including DNS) has always been easy for Linux and Win XP clients (along with the push directives in the server side config). However, I've not gotten this to work on OS X 10.5. I've read lots of assorted posts, some very old, with up/down scripts that need to be run, etc. I liked Viscosity because it had some routing options; however, I've not been able to get all my network traffic to be sent via the VPN link.

Is there a concise and updated way to accomplish this in OS X with Viscosity? Reading all the old and conflicting posts that are out there seems to obfuscate things quite a bit.

jmj

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Nov 05, 2008 3:27 pm
Hi jmj,

Redirecting all traffic through the VPN connection is simply a matter of editing your connection in Viscosity, clicking on the Networking tab, and ticking "Send all traffic over VPN connection". In most cases you should leave the "Default Gateway" field blank. If your server side config is already pushing out the "redirect-gateway def1" command, then it is usually not necessary to tick this box.

A lot of people get stuck at the server side config - if your OpenVPN server doesn't know how to handle the traffic then the "Send all traffic over VPN connection" option will essentially not work. For example, to get all traffic through an OpenVPN connection where your OpenVPN server is running pfSense, you'll need to not only tick the box under Viscosity, but also add several firewall/NAT rules to pfSense to allow the OpenVPN traffic to access the world.

Cheers
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

super_kev

Posts: 18
Joined: Fri Nov 14, 2008 3:05 am

Post by super_kev » Mon Nov 17, 2008 7:28 am
Hey James,
I'm trying to set up a bridged VPN, as I need to be able to access a few data servers behind a VPN server, and the routed connection is not allowing me to do that. My connection is as follows:

192.168.1.1 is the VPN router (DD-WRT) that is running OpenVPN. It has a DHCP server that hands out IPs of 192.168.1.101-149. This is the OpenVPN server config file:
mode server
push "redirect-gateway def1"
client-to-client
tls-server
dev tap0
proto udp
server-bridge 192.168.1.6 255.255.255.0 192.168.1.160 192.168.1.169
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
Even though I was successfully connecting, nothing seemed to be going through the VPN. For example, I'm running 10.5, and the servers show up in my Finder window (screen sharing is activated on the servers), but I can't successfully connect and get to the screen sharing login/authentication box. Checking "Send all traffic through VPN connection" doesn't seem to make any difference.

My details window shows that I'm connected, and I have an IP address of 192.168.1.160, and that the server is the WAN ip of the router (not a 192.168.1.x address). I'm still unclear as to why I need an address (192.168.1.6) to be set as the VPN server if it won't show up as the server IP anyways?

Any ideas as to why I'm not able to connect to any servers on the same network, even though I see them? I also can't browse the internet (or do any network functions) while connected to the VPN. The OpenVPN docs that I followed for redirecting all traffic through the VPN (http://openvpn.net/index.php/documentat ... l#redirect) said to add "push "redirect-gateway def1"" to the server config. What am I missing to make it all work?
Last edited by super_kev on Mon Dec 08, 2008 2:57 am, edited 2 times in total.

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Nov 18, 2008 1:10 am
Hi super_kev,

It sounds like it might be a routing issue - if you type "netstat -r" into the Terminal, do you see any routes for the VPN connection?

As you are using a TAP interface you'll probably want to add a route-delay to your connection (otherwise OpenVPN might try and add the routes before the interface is ready). You can do this like so:

1. Open the Preferences window and Edit your connection
2. Click on the Advanced tab
3. On a new line in the commands box enter "route-delay 20" (without the quotes)
4. Click Save and try reconnecting

Cheers
James

super_kev

Posts: 18
Joined: Fri Nov 14, 2008 3:05 am

Post by super_kev » Tue Nov 18, 2008 3:17 am
Ok, here's what I get. I'm not sure what you need so I commented out what I thought were the important parts (account name, MAC addresses). I forgot to say that I had "Use alternate DNS" as an option in Viscosity. I turned it off and it made no difference.
Pro:~ ****** netstat -r
Routing tables
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
0/1                192.168.1.6        UGSc        0        0    en0
default            DD-WRT             UGSc        7      159    en0
99.181.178.68/32   DD-WRT             UGSc        1        0    en0
127                localhost          UCS         0        0    lo0
localhost          localhost          UH          2    18031    lo0
128.0/1            192.168.1.6        UGSc        0        0    en0
169.254            link#4             UCS         0        0    en0
172.16.16/24       link#8             UC          1        0 vmnet8
172.16.16.255      **:**:**:**:**:**  UHLWb       0       30 vmnet8
172.16.122/24      link#9             UC          1        0 vmnet1
172.16.122.255     **:**:**:**:**:**  UHLWb       0       30 vmnet1
192.168.1          link#4             UCS         6        0    en0
DD-WRT             *:**:**:**:**:**   UHLW        4     7576    en0   1197
Pro                localhost          UHS         0        0    lo0
Macbook            *:**:**:**:**:**   UHLW        0        0    en0    645
192.168.1.6        link#4             UHLW        2        0    en0
192.168.1.55       *:**:**:**:**:**   UHLW        0      995    en0     70
192.168.1.255      **:**:**:**:**:**  UHLWb       0       48    en0

Internet6:
Destination        Gateway            Flags      Netif Expire
localhost          link#1             UHL        lo0
fe80::%lo0         localhost          Uc         lo0
localhost          link#1             UHL        lo0
fe80::%en0         link#4             UC         en0
Pro.local          *:**:**:**:**:**   UHL        lo0
ff01::             localhost          U          lo0
ff02::             localhost          UC         lo0
ff02::             link#4             UC         en0
Adding "route-delay 20" does not change the routing tables.
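The routing table above is the thing to check when "send all traffic" seems to have no effect: "redirect-gateway def1" installs two half-routes (0/1 and 128.0/1), and they only redirect anything if they leave via the tap/tun interface. The following Python check is an added example, not code from the thread or from Viscosity; it parses netstat -r output and reports when the def1 routes (or the VPN gateway itself) are bound to the physical NIC. The embedded sample is constructed from the masked table posted above.

```python
# Constructed sample (IPv4 section only, as posted in the thread, MAC addresses masked).
SAMPLE_NETSTAT = """\
Routing tables
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
0/1                192.168.1.6        UGSc        0        0    en0
default            DD-WRT             UGSc        7      159    en0
128.0/1            192.168.1.6        UGSc        0        0    en0
192.168.1          link#4             UCS         6        0    en0
192.168.1.6        link#4             UHLW        2        0    en0
"""

DEF1_ROUTES = ("0/1", "128.0/1")     # the two half-routes redirect-gateway def1 installs
VPN_IFACES = ("tap", "tun", "utun")  # interface name prefixes that count as the VPN link

def parse_routes(text):
    """Map destination -> (gateway, netif) for the IPv4 section of netstat -r."""
    routes, in_v4 = {}, False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        cols = line.split()
        if not in_v4 or len(cols) < 6 or cols[0] == "Destination":
            continue
        routes[cols[0]] = (cols[1], cols[5])  # Expire is optional, Netif is always 6th
    return routes

def check_redirect(routes):
    """Return findings; an empty list means both def1 routes leave via a VPN interface."""
    findings = []
    for dest in DEF1_ROUTES:
        if dest not in routes:
            findings.append(f"{dest}: missing, redirect-gateway def1 was not applied")
            continue
        gw, netif = routes[dest]
        if netif.startswith(VPN_IFACES):
            continue
        findings.append(f"{dest} via {gw} leaves on {netif}, not the VPN interface")
        # If the gateway's own host route sits on the physical NIC, it was ARP-resolved on
        # the local LAN: the VPN subnet overlaps the LAN, so packets never reach the tap.
        gw_route = routes.get(gw)
        if gw_route and not gw_route[1].startswith(VPN_IFACES):
            findings.append(f"gateway {gw} is on-link via {gw_route[1]}: VPN and LAN subnets overlap")
    return findings
```

Feed it the real output with check_redirect(parse_routes(subprocess.check_output(["netstat", "-r"], text=True))); an empty result means the redirect is in place.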

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Sat Nov 22, 2008 4:02 pm
Would you be able to post (or PM me) your OpenVPN log from the Details window?
Adding "route-delay 20" does not change the routing tables.
Does increasing the route-delay to 30 or higher make any difference? It appears OpenVPN is trying to add the routes, however the tap interface isn't ready at the time.

Cheers
James

super_kev

Posts: 18
Joined: Fri Nov 14, 2008 3:05 am

Post by super_kev » Sun Nov 23, 2008 1:03 pm
Sure, here's the log with the delay-20
Sat Nov 22 17:16:01 2008: IMPORTANT: OpenVPN's default port number is now 1194
Sat Nov 22 17:16:01 2008: UDPv4 link local: [undef]
Sat Nov 22 17:16:01 2008: UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Sat Nov 22 17:16:07 2008: [DRVPN-Server] Peer Connection Initiated with xxx.xxx.xxx.xxx:1194
Sat Nov 22 17:16:08 2008: gw 192.168.1.1
Sat Nov 22 17:16:08 2008: TUN/TAP device /dev/tap0 opened
Sat Nov 22 17:16:08 2008: /sbin/ifconfig tap0 delete
Sat Nov 22 17:16:08 2008: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Sat Nov 22 17:16:08 2008: /sbin/ifconfig tap0 192.168.1.160 netmask 255.255.255.0 mtu 1500 up
Sat Nov 22 17:16:08 2008: /Applications/Viscosity.app/Contents/Resources/dnsup.py tap0 1500 1573 192.168.1.160 255.255.255.0 init
Sat Nov 22 17:16:29 2008: Initialization Sequence Completed
And with delay set to 40, nothing changed. Once logged into the VPN I can access the VPN router just fine, but can't access the outside world or the network. I can see the shared computers on the VPN network, but can't connect to them.

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Nov 28, 2008 5:03 am
Hi Kev,

I'm afraid I'm running out of ideas for this one. A few troubleshooting techniques you can try:

1. Try connecting with DNS support turned off. Under the General tab untick "Enable DNS/Nameserver support". It's possible that Viscosity's DNS scripts may be interfering with your connection.

2. Try using OpenVPN directly from the command line to see if the issue is related to Viscosity or is an OpenVPN/machine issue. Assuming Viscosity is installed in your Applications folder, and your connection has an ID of "1" (you can check the connection ID at Your Home Folder->Library->Application Support->Viscosity->OpenVPN), try typing the following commands into the Terminal:

cd ~/Library/Application\ Support/Viscosity/OpenVPN/1
/Applications/Viscosity.app/Contents/Resources/openvpn config.conf

If the same issue is occurring when directly using OpenVPN, you may like to try the OpenVPN forums:
http://sourceforge.net/mailarchive/foru ... nvpn-users

3. You could also try using a different version of OpenVPN (under Preferences->Advanced).

Cheers
James

super_kev

Posts: 18
Joined: Fri Nov 14, 2008 3:05 am

Post by super_kev » Sat Nov 29, 2008 8:22 am
Hey James,
I'm checking out the openvpn mailing list, but in the meantime, do you mind posting a server & client config that you have used to get a working bridged VPN with Viscosity and an OpenVPN server?

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Dec 03, 2008 2:18 am
Hi Kev,

Here are working config files for a bridged tap configuration (a DHCP server is handing out IPs in this case). These are used in house for testing - I would recommend changing them for a production environment.

Server:
tls-server
mode server

port 1194
proto udp
dev tap0

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

client-to-client
keepalive 10 120
comp-lzo
max-clients 5

user nobody
group nogroup
persist-key
persist-tun
Client:
#viscosity startonopen false
#viscosity dnssupport true
#viscosity name Test
route-gateway x.x.x.x
persist-key
tls-client
remote myserver.com 1194
proto udp
ca ca.crt
ping 10
redirect-gateway def1
ping-restart 120
persist-tun
cert cert.crt
comp-lzo
dev tap
key key.key
nobind
pull
dhcp-option DNS x.x.x.x
route-delay 20
Cheers
James