  1. I create a server on AWS with OpenVPN.
  2. Set it up, through the Admin page, I choose fully routing option and download the .ovpn
  3. I add three extra lines to the client .ovpn (I have to use them because of the ssh freeze problem):

    redirect-gateway def1
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    

This is the client file;

setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote SERVER IP 1194 udp
remote SERVER IP 1194 udp
remote SERVER IP 443 tcp
remote SERVER IP 1194 udp
remote SERVER IP 1194 udp
remote SERVER IP 1194 udp
remote SERVER IP 1194 udp
remote SERVER IP 1194 udp
dev tun
redirect-gateway def1
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 0
rcvbuf 0
auth-user-pass auth.txt
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO

I try the client .ovpn with Tunnelblick, enable the full routing and connect without any problem. Things start to get funny when I try to use this VPN on my Ubuntu server (terminal only).

When I try to use the VPN on my Ubuntu server, first I do;

sudo ip rule add from $(ip route get 1 | grep -Po '(?<=src )(\S+)') table 128
sudo ip route add table 128 to $(ip route get 1 | grep -Po '(?<=src )(\S+)')/32 dev $(ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)')
sudo ip route add table 128 default via $(ip -4 route ls | grep default | grep -Po '(?<=via )(\S+)')

And then I start running the VPN;

screen -dmS openvpn
screen -S openvpn -X stuff 'sudo openvpn --config client.ovpn --script-security 2'$(echo -ne '\015')

The funny thing is that when I curl ifconfig.co or try to do anything that requires internet, I can't, because something is wrong with the routing.

This used to work but it does not anymore for some reason. I'm open to any suggestions.


Update

Problem is somewhere around the routing table. This is my normal routing table without connecting to VPN;

[screenshot: pre-VPN routing table]

and this is after I connect to VPN;

[screenshot: after VPN routing table]

aaand this is if I don't fully route, where the routing tables are in order and the internet works fine;

[screenshot: after VPN, no full routing, routing table]

J. Doe

1 Answer

What if you don't complicate things with the extra routing table 128 and simply put the routes to the main table? That redirect-gateway def1 should do the trick.

Couple of things to check:

  • Do you have iptables NAT properly set up on the OpenVPN gateway?
  • Do you have IP forwarding enabled on the OpenVPN gateway?
  • Can you run tcpdump on the gateway both to see what's coming in through the tun0 interface and what, if anything, is going out from the eth0?
  • Do you have Src/Dest Check disabled in the EC2 instance settings?

Check out these detailed steps for how to set up an OpenVPN gateway.

Hope that helps :)

MLu
  • I can't stop adding the extra routing table 128 because of the ssh freeze problem. If I don't add it, my ssh session freezes and I have to reboot. With or without redirect-gateway def1 it doesn't change anything. As I said, it works fine on my Mac or any other PC, but linux distros can't set the routes correctly for some reason. It is so strange, the whole thing used to work, now it doesn't. – J. Doe Jan 24 '19 at 23:06
  • @J.Doe so you SSH from your laptop to the Ubuntu server and once on the Ubuntu you run `openvpn` and your SSH freezes? To prevent that add a more specific route for your laptop's IP on the Ubuntu server. E.g. if your laptop is at 10.20.30.40 then on the Ubuntu do `ip route add 10.20.30.40 via {ubuntu's-default-gw}`. That will make sure the route back to your laptop is still valid. Then you can get away without the extra routing table. – MLu Jan 24 '19 at 23:14
  • Interesting, didn't know that, thank you. Freeze issue aside, this thing was actually working like a month ago. Either the Ubuntu or the OpenVPN version change must have changed something. I still can't find a way to make openvpn set the routes so that it works. – J. Doe Jan 24 '19 at 23:55
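The route pinning MLu suggests in the comments, next to the question's own table-128 commands for comparison, as an added example (this is not code from the question, the answer, or OpenVPN). It reads the SSH client's address from `SSH_CONNECTION`, which sshd sets in the session, parses `ip -4 route` for the default gateway and device, and prints the host route that keeps the return path to the client valid once `redirect-gateway def1` moves the default route into the tunnel. The function names and the sample `ip route` output are my own constructions (the addresses are documentation ranges, not real captures); `APPLY=1` is a hypothetical switch that makes the script apply the route instead of only printing it.

```shell
#!/usr/bin/env bash
# Added example: pin a /32 route to the SSH peer before starting OpenVPN
# with redirect-gateway def1. Parsing takes text arguments so it can be
# exercised offline on the constructed samples below.

# First word after "via" or "dev" on the "default" line of `ip -4 route`.
default_field() {   # $1 = ip route text, $2 = "via" or "dev"
    printf '%s\n' "$1" | awk -v key="$2" \
        '$1=="default"{for(i=1;i<NF;i++) if($i==key){print $(i+1); exit}}'
}

# Address after "src" in `ip -4 route get 1` output (what the question greps).
route_src() {
    printf '%s\n' "$1" | awk '{for(i=1;i<NF;i++) if($i=="src"){print $(i+1); exit}}'
}

# The client address is the first field of sshd's SSH_CONNECTION variable.
ssh_peer_ip() { set -- $1; printf '%s\n' "$1"; }

# Host route back to the SSH client. A /32 is more specific than the two /1
# routes that redirect-gateway def1 installs, so it wins regardless of metric.
plan_ssh_pin_route() {   # $1 peer, $2 gateway, $3 device
    if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo "cannot pin route: peer='$1' via='$2' dev='$3'" >&2
        return 1    # e.g. a default route without "via" on a point-to-point link
    fi
    printf 'ip route add %s/32 via %s dev %s\n' "$1" "$2" "$3"
}

# The question's source-based policy-routing approach (table 128), for comparison.
plan_policy_table() {   # $1 src, $2 gateway, $3 device
    printf 'ip rule add from %s table 128\n' "$1"
    printf 'ip route add table 128 to %s/32 dev %s\n' "$1" "$3"
    printf 'ip route add table 128 default via %s\n' "$2"
}

# One item from the answer's checklist: is IP forwarding on (reads a sysctl file)?
ip_forward_enabled() {   # $1 = path, defaults to the real sysctl file
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Constructed sample outputs resembling an EC2 instance (not real captures).
SAMPLE_ROUTES='default via 172.31.16.1 dev eth0 proto dhcp src 172.31.20.5 metric 100
172.31.16.0/20 dev eth0 proto kernel scope link src 172.31.20.5'
SAMPLE_GET='1.0.0.0 via 172.31.16.1 dev eth0 src 172.31.20.5 uid 1000
    cache'
SAMPLE_SSH_CONNECTION='203.0.113.9 51234 172.31.20.5 22'

# Without APPLY=1 the script only plans against the samples; with APPLY=1,
# run inside the SSH session on the Ubuntu box, it pins the route for real.
main() {
    local routes peer cmd
    if [ "${APPLY:-0}" = 1 ]; then
        routes=$(ip -4 route); peer=$(ssh_peer_ip "$SSH_CONNECTION")
    else
        routes=$SAMPLE_ROUTES; peer=$(ssh_peer_ip "$SAMPLE_SSH_CONNECTION")
    fi
    cmd=$(plan_ssh_pin_route "$peer" "$(default_field "$routes" via)" \
                             "$(default_field "$routes" dev)") || return 1
    echo "planned: $cmd"
    if [ "${APPLY:-0}" = 1 ]; then eval "sudo $cmd"; fi
    if ! ip_forward_enabled; then
        echo "note: IP forwarding is off on this host (only matters on the gateway)" >&2
    fi
}
main "$@"
```

Apply the pinned route first, then start `openvpn` as the question does; the SSH session survives because the /32 to the client is consulted before the tunnel's /1 routes, so the extra rule and table are no longer needed.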