Sending all traffic through the VPN?
Routing all traffic through OpenVPN (including DNS) has always been easy for Linux and Win XP clients (along with the push directives in the Server side config). However, I've not gotten this to work on OS X 10.5. I've read lots of assorted posts, some very old, with up/down scripts that need to be run etc... I liked Viscosity because it had some routing options...however I've not been able to get all my network traffic to be sent via the VPN link.
Is there a concise and updated way to accomplish this in OS X with Viscosity? Reading all the old and conflicting posts that are out there seems to obfuscate things quite a bit.
jmj
Hi jmj,
Redirecting all traffic through the VPN connection is simply a matter of editing your connection in Viscosity, clicking on the Networking tab, and ticking "Send all traffic over VPN connection". In most cases you should leave the "Default Gateway" field blank. If your server side config is already pushing out the "redirect-gateway def1" command, then it is usually not necessary to tick this box.
A lot of people get stuck at the server side config - if your OpenVPN server doesn't know how to handle the traffic then the "Send all traffic over VPN connection" option will essentially not work. For example, to get all traffic through an OpenVPN connection where your OpenVPN server is running pfSense, you'll need to not only tick the box under Viscosity, but also add several firewall/NAT rules to pfSense to allow the OpenVPN traffic to access the world.
Cheers
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Hey James,
I'm trying to set up a bridged VPN, as I need to be able to access a few data servers behind a VPN server, and the routed connection is not allowing me to do that. My connection is as follows:
192.168.1.1 is the VPN router (DD-WRT) that is running OpenVPN. It has a DHCP server that hands out IPs of 192.168.1.101-149. This is the OpenVPN server config file:
mode server
push "redirect-gateway def1"
client-to-client
tls-server
dev tap0
proto udp
server-bridge 192.168.1.6 255.255.255.0 192.168.1.160 192.168.1.169
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
Even though I was successfully connecting, nothing seemed to be going through the VPN. For example, I'm running 10.5, and the servers show up in my Finder window (screen sharing is activated on the servers), but I can't successfully connect and get to the screen sharing login/authentication box. Checking "Send all traffic through VPN connection" doesn't seem to make any difference.
My details window shows that I'm connected, and I have an IP address of 192.168.1.160, and that the server is the WAN IP of the router (not a 192.168.1.x address). I'm still unclear as to why I need an address (192.168.1.6) to be set as the VPN server if it won't show up as the server IP anyways?
Any ideas as to why I'm not able to connect to any servers on the same network, even though I see them? I also can't browse the internet (or do any network functions) while connected to the VPN. The OpenVPN docs that I followed for redirecting all traffic through the VPN (http://openvpn.net/index.php/documentat ... l#redirect) said to add "push "redirect-gateway def1"" to the server config. What am I missing to make it all work?
Last edited by super_kev on Mon Dec 08, 2008 2:57 am, edited 2 times in total.
Hi super_kev,
It sounds like it might be a routing issue - if you type "netstat -r" into the Terminal, do you see any routes for the VPN connection?
As you are using a TAP interface you'll probably want to add a route-delay to your connection (otherwise OpenVPN might try and add the routes before the interface is ready). You can do this like so:
1. Open the Preferences window and Edit your connection
2. Click on the Advanced tab
3. On a new line in the commands box enter "route-delay 20" (without the quotes)
4. Click Save and try reconnecting
Cheers
James
Ok, here's what I get. I'm not sure what you need so I commented out what I thought were the important parts (account name, MAC addresses). I forgot to say that I had "Use alternate DNS" as an option in Viscosity. I turned it off and it made no difference.
Pro:~ ****** netstat -r
Routing tables

Internet:
Destination        Gateway            Flags  Refs  Use    Netif  Expire
0/1                192.168.1.6        UGSc   0     0      en0
default            DD-WRT             UGSc   7     159    en0
99.181.178.68/32   DD-WRT             UGSc   1     0      en0
127                localhost          UCS    0     0      lo0
localhost          localhost          UH     2     18031  lo0
128.0/1            192.168.1.6        UGSc   0     0      en0
169.254            link#4             UCS    0     0      en0
172.16.16/24       link#8             UC     1     0      vmnet8
172.16.16.255      **:**:**:**:**:**  UHLWb  0     30     vmnet8
172.16.122/24      link#9             UC     1     0      vmnet1
172.16.122.255     **:**:**:**:**:**  UHLWb  0     30     vmnet1
192.168.1          link#4             UCS    6     0      en0
DD-WRT             *:**:**:**:**:**   UHLW   4     7576   en0    1197
Pro                localhost          UHS    0     0      lo0
Macbook            *:**:**:**:**:**   UHLW   0     0      en0    645
192.168.1.6        link#4             UHLW   2     0      en0
192.168.1.55       *:**:**:**:**:**   UHLW   0     995    en0    70
192.168.1.255      **:**:**:**:**:**  UHLWb  0     48     en0

Internet6:
Destination        Gateway            Flags  Netif  Expire
localhost          link#1             UHL    lo0
fe80::%lo0         localhost          Uc     lo0
localhost          link#1             UHL    lo0
fe80::%en0         link#4             UC     en0
Pro.local          *:**:**:**:**:**   UHL    lo0
ff01::             localhost          U      lo0
ff02::             localhost          UC     lo0
ff02::             link#4             UC     en0
Adding "route-delay 20" does not change the routing tables.
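As an added check (example code, not from the thread or from Viscosity): this Python script parses `netstat -r` output of the kind posted above and reports which interface carries the two half-default routes, 0/1 and 128.0/1, that `redirect-gateway def1` installs, and through which interface their gateway is itself reached. On the posted table both halves point at 192.168.1.6 but have en0 as their Netif, and 192.168.1.6 is reached via en0 as well, so the kernel is sending that traffic out the LAN interface rather than tap0. The second table, with tun0 as the VPN interface, is constructed to show what a working redirect looks like; the interface names passed in are assumptions.

```python
"""Check whether "redirect-gateway def1" actually took effect on a macOS client.

Added example (not from the thread or from Viscosity). It parses `netstat -r`
output and reports which interface carries the two half-default routes (0/1 and
128.0/1) that redirect-gateway def1 installs; if they do not exit via the VPN
interface, traffic is still leaving over the LAN.
"""
import ipaddress

# Sample 1: the IPv4 part of the routing table posted in the thread (MAC
# addresses were masked by the poster; the Internet6 section is cut short
# because the check only concerns IPv4).
LEAKING_TABLE = """\
Routing tables

Internet:
Destination        Gateway            Flags  Refs  Use    Netif  Expire
0/1                192.168.1.6        UGSc   0     0      en0
default            DD-WRT             UGSc   7     159    en0
99.181.178.68/32   DD-WRT             UGSc   1     0      en0
127                localhost          UCS    0     0      lo0
localhost          localhost          UH     2     18031  lo0
128.0/1            192.168.1.6        UGSc   0     0      en0
169.254            link#4             UCS    0     0      en0
192.168.1          link#4             UCS    6     0      en0
DD-WRT             *:**:**:**:**:**   UHLW   4     7576   en0    1197
192.168.1.6        link#4             UHLW   2     0      en0
192.168.1.255      **:**:**:**:**:**  UHLWb  0     48     en0

Internet6:
Destination        Gateway            Flags  Netif  Expire
localhost          link#1             UHL    lo0
"""

# Sample 2 (constructed): what a working routed (tun) connection looks like,
# with both halves of the default route leaving via tun0.
HEALTHY_TABLE = """\
Internet:
Destination        Gateway            Flags  Refs  Use    Netif  Expire
0/1                10.8.0.5           UGSc   0     0      tun0
default            DD-WRT             UGSc   7     159    en0
10.8.0.1/32        10.8.0.5           UGSc   0     0      tun0
10.8.0.5           10.8.0.6           UH     3     0      tun0
128.0/1            10.8.0.5           UGSc   0     0      tun0
192.168.1          link#4             UCS    6     0      en0
"""

REDIRECT_HALVES = ("0/1", "128.0/1")   # the routes redirect-gateway def1 adds


def parse_ipv4_routes(text):
    """Return [(destination, gateway, flags, netif)] from the Internet: section."""
    routes, in_v4 = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        cols = line.split()
        if in_v4 and len(cols) >= 6 and cols[0] != "Destination":
            routes.append((cols[0], cols[1], cols[2], cols[5]))
    return routes


def bsd_dest_to_network(dest):
    """Expand netstat shorthand ("127", "192.168.1", "128.0/1") to an ip_network.

    Returns None for names such as "default", "localhost" or "DD-WRT"."""
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not all(o.isdigit() for o in octets):
        return None
    if not plen:                      # no mask: host if 4 octets, else classful
        plen = 32 if len(octets) == 4 else 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False)


def interface_for(routes, ip):
    """Longest-prefix match: the interface the kernel would use to reach `ip`."""
    target, best = ipaddress.ip_address(ip), None
    for dest, _gw, _flags, netif in routes:
        net = bsd_dest_to_network(dest)
        if net and target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, netif)
    return best[1] if best else None


def redirect_status(text, vpn_if):
    """Where the redirect halves go, how their gateway is reached, and a verdict."""
    routes = parse_ipv4_routes(text)
    by_dest = {dest: (gw, netif) for dest, gw, _flags, netif in routes}
    report = {}
    for half in REDIRECT_HALVES:
        gw, netif = by_dest.get(half, (None, None))
        via = interface_for(routes, gw) if gw and bsd_dest_to_network(gw) else None
        report[half] = {"gateway": gw, "netif": netif, "gateway_reached_via": via}
    report["all_traffic_via_vpn"] = all(report[h]["netif"] == vpn_if for h in REDIRECT_HALVES)
    return report


if __name__ == "__main__":
    print("posted table (tap0):", redirect_status(LEAKING_TABLE, "tap0"))
    print("constructed table (tun0):", redirect_status(HEALTHY_TABLE, "tun0"))
```

To use it against a live machine, paste the output of `netstat -r` into a string and call `redirect_status(text, "tap0")` (or whatever interface OpenVPN opened, as shown in the connection log). A result of `all_traffic_via_vpn: False` means the redirect routes exist but the LAN still carries the traffic; no 0/1 or 128.0/1 entries at all means the redirect was never installed.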
Would you be able to post (or PM me) your OpenVPN log from the Details window?
Cheers
James
super_kev wrote: Adding "route-delay 20" does not change the routing tables.
Does increasing the route-delay to 30 or higher make any difference? It appears OpenVPN is trying to add the routes, however the tap interface isn't ready at the time.
Cheers
James
Sure, here's the log with the delay-20
Sat Nov 22 17:16:01 2008: IMPORTANT: OpenVPN's default port number is now 1194
Sat Nov 22 17:16:01 2008: UDPv4 link local: [undef]
Sat Nov 22 17:16:01 2008: UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Sat Nov 22 17:16:07 2008: [DRVPN-Server] Peer Connection Initiated with xxx.xxx.xxx.xxx:1194
Sat Nov 22 17:16:08 2008: gw 192.168.1.1
Sat Nov 22 17:16:08 2008: TUN/TAP device /dev/tap0 opened
Sat Nov 22 17:16:08 2008: /sbin/ifconfig tap0 delete
Sat Nov 22 17:16:08 2008: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Sat Nov 22 17:16:08 2008: /sbin/ifconfig tap0 192.168.1.160 netmask 255.255.255.0 mtu 1500 up
Sat Nov 22 17:16:08 2008: /Applications/Viscosity.app/Contents/Resources/dnsup.py tap0 1500 1573 192.168.1.160 255.255.255.0 init
Sat Nov 22 17:16:29 2008: Initialization Sequence Completed
And with delay set to 40, nothing changed. Once logged into the VPN I can access the VPN router just fine, but can't access the outside world or the network. I can see the shared computers on the VPN network, but can't connect to them.
Hi Kev,
I'm afraid I'm running out of ideas for this one. A few troubleshooting techniques you can try:
1. Try connecting with DNS support turned off. Under the General tab untick "Enable DNS/Nameserver support". It's possible that Viscosity's DNS scripts may be interfering with your connection.
2. Try using OpenVPN directly from the command line to see if the issue is related to Viscosity, or is an OpenVPN/machine issue. Assuming Viscosity is installed in your Applications folder, and your connection has an ID of "1" (you can check the connection ID at Your Home Folder->Library->Application Support->Viscosity->OpenVPN), try typing the following commands into the Terminal:
cd ~/Library/Application\ Support/Viscosity/OpenVPN/1
/Applications/Viscosity.app/Contents/Resources/openvpn config.conf
If the same issue is occurring when directly using OpenVPN, you may like to try the OpenVPN forums:
http://sourceforge.net/mailarchive/foru ... nvpn-users
3. You could also try using a different version of OpenVPN (under Preferences->Advanced).
Cheers
James
Hi Kev,
Here are working config files for a bridged tap configuration (a DHCP server is handing out IPs in this case). These are used in house for testing - I would recommend changing them for a production environment.
Server:
tls-server
mode server
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
client-to-client
keepalive 10 120
comp-lzo
max-clients 5
user nobody
group nogroup
persist-key
persist-tun
Client:
#viscosity startonopen false
#viscosity dnssupport true
#viscosity name Test
route-gateway x.x.x.x
persist-key
tls-client
remote myserver.com 1194
proto udp
ca ca.crt
ping 10
redirect-gateway def1
ping-restart 120
persist-tun
cert cert.crt
comp-lzo
dev tap
key key.key
nobind
pull
dhcp-option DNS x.x.x.x
route-delay 20
Cheers
James
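Added example, not from the thread or from Viscosity: a small Python linter that applies two points James makes above, that a client only has `redirect-gateway` in effect if it is set locally or pushed by a server the client pulls from, and that a TAP client should carry `route-delay` so the routes are not added before the interface is up, plus the DNS point from the opening question (with all traffic redirected, name lookups still go to the LAN resolver unless a `dhcp-option DNS` is set or pushed). The inputs are the server config super_kev posted and James's working client config; the minimal TAP client config and the hostname vpn.example.invalid are constructed for illustration.

```python
"""Lint an OpenVPN client config for the "all traffic over the VPN" prerequisites.

Added example (not from the thread or from Viscosity): what a client ends up
with is its own directives plus whatever the server pushes, if it pulls."""
import shlex

# The server config posted earlier in the thread.
SERVER_POSTED = """\
mode server
push "redirect-gateway def1"
client-to-client
tls-server
dev tap0
proto udp
server-bridge 192.168.1.6 255.255.255.0 192.168.1.160 192.168.1.169
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
"""

# The working client config posted above (x.x.x.x placeholders kept as posted).
CLIENT_POSTED = """\
#viscosity startonopen false
#viscosity dnssupport true
#viscosity name Test
route-gateway x.x.x.x
persist-key
tls-client
remote myserver.com 1194
proto udp
ca ca.crt
ping 10
redirect-gateway def1
ping-restart 120
persist-tun
cert cert.crt
comp-lzo
dev tap
key key.key
nobind
pull
dhcp-option DNS x.x.x.x
route-delay 20
"""

# Constructed minimal TAP client that relies on whatever the server pushes.
MINIMAL_TAP_CLIENT = "client\ndev tap\nproto udp\nremote vpn.example.invalid 1194\nca ca.crt\n"

FINDINGS = {
    "no-redirect-gateway": "no redirect-gateway set or pushed: non-VPN traffic stays on the LAN",
    "no-vpn-dns": "traffic is redirected but no dhcp-option DNS: lookups still go to the LAN resolver",
    "tap-without-route-delay": "dev tap without route-delay: routes may be added before TAP is up",
}


def parse_config(text):
    """Split an OpenVPN config into (directive, args); '#' and ';' lines are comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)          # handles push "quoted body"
            out.append((parts[0], parts[1:]))
    return out


def effective_directives(client, server=None):
    """Client lines plus what the server pushes, if the client pulls ('client' implies 'pull')."""
    eff = list(client)
    if server is not None and any(name in ("pull", "client") for name, _ in client):
        for name, args in server:
            if name == "push" and args:
                pushed = shlex.split(args[0])  # the quoted body of push "..."
                eff.append((pushed[0], pushed[1:]))
    return eff


def lint(client, server=None):
    """Return the finding codes (keys of FINDINGS) that apply to this client."""
    eff = effective_directives(client, server)
    names = {name for name, _ in eff}
    dev = next((args[0] for name, args in eff if name == "dev" and args), "")
    has_dns = any(name == "dhcp-option" and args[:1] == ["DNS"] for name, args in eff)
    codes = []
    if "redirect-gateway" not in names:
        codes.append("no-redirect-gateway")
    elif not has_dns:
        codes.append("no-vpn-dns")
    if dev.startswith("tap") and "route-delay" not in names:
        codes.append("tap-without-route-delay")
    return codes


if __name__ == "__main__":
    for code in lint(parse_config(MINIMAL_TAP_CLIENT), parse_config(SERVER_POSTED)):
        print(code, "-", FINDINGS[code])
```

Run against the posted working client config, `lint` returns nothing: it carries `redirect-gateway def1`, `dhcp-option DNS` and `route-delay 20` itself. The constructed minimal TAP client paired with super_kev's server gets `redirect-gateway` pushed, so only the missing `route-delay` and the missing DNS option are reported; on its own, with no server pushing anything, it is also flagged for having no redirect at all, which is the case where ticking "Send all traffic over VPN connection" in Viscosity is what supplies it.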