Cannot Change Default Route After Successful VPN Connection


nikiski

Posts: 2
Joined: Thu Sep 03, 2009 12:18 pm

Post by nikiski » Thu Sep 03, 2009 12:30 pm
Hello,

I am having some troubles with trying to change the default route of the client computer after a successful VPN connection. I have looked up some suggestions including "route-delay 20" and that doesn't work either. "Send all traffic over VPN connection" is checked. The same configuration works on Windows computers. Any help would be greatly appreciated. I am running Snow Leopard.

Server configuration:
mode server 
tls-server
local 192.168.0.1
port 443
proto tcp-server
dev tap0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
push "redirect-gateway bypass-dhcp"
Client configuration:
client
dev tap
proto tcp-client
remote <hostname> 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
Log file when connecting:
Thu Sep  3 10:27:36 2009: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Sep  3 10:27:36 2009: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Sep  3 10:27:36 2009: LZO compression initialized
Thu Sep  3 10:27:37 2009: Attempting to establish TCP connection with <hostname>:443 [nonblock]
Thu Sep  3 10:27:38 2009: TCP connection established with <hostname>:443
Thu Sep  3 10:27:38 2009: TCPv4_CLIENT link local: [undef]
Thu Sep  3 10:27:38 2009: TCPv4_CLIENT link remote: <hostname>:443
Thu Sep  3 10:27:39 2009: [<hostname>] Peer Connection Initiated with <hostname>:443
Thu Sep  3 10:27:40 2009: TUN/TAP device /dev/tap0 opened
Thu Sep  3 10:27:40 2009: /Applications/Viscosity.app/Contents/Resources/dnsup.py tap0 1500 1576   init
Thu Sep  3 10:27:40 2009: NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
Thu Sep  3 10:27:40 2009: Initialization Sequence Completed
Thu Sep  3 10:27:41 2009: write to TUN/TAP : Input/output error (code=5)

jay

Posts: 3
Joined: Fri Sep 04, 2009 8:55 am

Post by jay » Fri Sep 04, 2009 9:15 am
Hello,

I am also having the same problem under Snow Leopard. Both server and client are configured to redirect all traffic through the VPN, but I can only communicate with hosts on my remote network. Hosts on the Internet are not available. However, when I run the same client configuration in a Windows XP host, everything works as intended (remote network, Internet, DNS forwarding, traffic forwarding through VPN). Because everything works in XP, I believe the problem must be related to Snow Leopard. Thank you for your assistance.

I am running Viscosity 1.0.6b5.

Here is the output of "ping www.yahoo.com":
PING www-real.wa1.b.yahoo.com (209.131.36.158): 56 data bytes
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable
Request timeout for icmp_seq 0
ping: sendto: Network is unreachable
Request timeout for icmp_seq 1
^C
--- www-real.wa1.b.yahoo.com ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
Here is my connection configuration:
#-- Config Auto Generated By Viscosity --#

#viscosity startonopen false
#viscosity dhcp true
#viscosity dnssupport true
#viscosity name Home
remote <host>
persist-key
tls-client
tls-auth ta.key 1
proto tcp-client
ca ca.crt
ping 10
redirect-gateway def1
dev tap
persist-tun
cert cert.crt
comp-lzo
ping-restart 40
key key.key
nobind
pull
float
ns-cert-type server
Here is my server configuration:
daemon
server-bridge
proto tcp-server
port 443
dev tap21
comp-lzo yes
keepalive 15 60
verb 3
push "dhcp-option DOMAIN localdomain"
push "dhcp-option DNS 10.10.0.1"
push "route-gateway 10.10.0.1"
push "redirect-gateway def1"
tls-auth static.key 0
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status
My Viscosity details window for this connection is practically identical to nikiski's:
Thu Sep  3 15:59:35 2009: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Sep  3 15:59:35 2009: WARNING: file 'key.key' is group or others accessible
Thu Sep  3 15:59:35 2009: Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Sep  3 15:59:35 2009: LZO compression initialized
Thu Sep  3 15:59:35 2009: Attempting to establish TCP connection with <hostname>:443 [nonblock]
Thu Sep  3 15:59:36 2009: TCP connection established with <hostname>:443
Thu Sep  3 15:59:36 2009: TCPv4_CLIENT link local: [undef]
Thu Sep  3 15:59:36 2009: TCPv4_CLIENT link remote: <hostname>:443
Thu Sep  3 15:59:47 2009: [server] Peer Connection Initiated with <hostname>:443
Thu Sep  3 15:59:48 2009: TUN/TAP device /dev/tap0 opened
Thu Sep  3 15:59:48 2009: /Applications/Viscosity.app/Contents/Resources/dnsup.py tap0 1500 1576   init
Thu Sep  3 15:59:48 2009: Initialization Sequence Completed
Thu Sep  3 15:59:48 2009: write to TUN/TAP : Input/output error (code=5)

James

Posts: 1898
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Sep 09, 2009 4:49 pm
Hi nikiski,

Pushing the "redirect-gateway bypass-dhcp" command will only work if the client knows what the default route should be. This isn't an issue for TUN connections, however in the case of TAP connections, where the IP is assigned by a DHCP server, OpenVPN has no idea what the default route should be.

You'll need to help it by specifying the IP address of the default gateway to use. In Viscosity this can be set under the Networking tab when editing your connection. Or you can push out the "route-gateway" command from the server.

Cheers,
James
James Bekkema
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
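To make the distinction James draws concrete, here is a small model of how an OpenVPN client decides what to do with a pushed "redirect-gateway". This is an added example written for this thread, not Viscosity or OpenVPN code; the function and type names (ClientState, vpn_gateway, plan_redirect) and the addresses 203.0.113.10 and 192.168.1.1 are constructed for illustration. It reproduces the two cases in the thread: a TAP client with no route-gateway (nikiski's log line "unable to redirect default gateway ...") and a TAP client that receives "route-gateway 10.10.0.1" plus "redirect-gateway def1" (jay's server), and also shows the TUN case where the gateway comes from ifconfig.

```python
"""Model of how an OpenVPN client derives the routes for a pushed
redirect-gateway. Added example for this thread; not Viscosity or
OpenVPN code. The bypass-dhcp flag is not modelled."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A route as (destination, gateway); destination is CIDR or "default".
Route = Tuple[str, str]


@dataclass
class ClientState:
    dev: str                    # "tun" or "tap"
    server_ip: str              # address the client connected to
    local_gateway: str          # default gateway before the VPN came up
    # effective config lines, local ones plus those pushed by the server
    options: List[str] = field(default_factory=list)


def _option(state: ClientState, name: str) -> Optional[List[str]]:
    """Arguments of the last occurrence of an option, or None if absent."""
    found = None
    for line in state.options:
        parts = line.split()
        if parts and parts[0] == name:
            found = parts[1:]
    return found


def vpn_gateway(state: ClientState) -> Optional[str]:
    """Gateway that redirected traffic will be sent to, if derivable.

    route-gateway is explicit. For tun, ifconfig's second argument is the
    peer address and doubles as the gateway. For tap, ifconfig's second
    argument is a netmask, so without route-gateway (or "route-gateway
    dhcp", learned later and not modelled here) nothing can be derived.
    """
    rg = _option(state, "route-gateway")
    if rg and rg[0] != "dhcp":
        return rg[0]
    ifc = _option(state, "ifconfig")
    if state.dev == "tun" and ifc and len(ifc) >= 2:
        return ifc[1]
    return None


def plan_redirect(state: ClientState) -> Tuple[List[Route], Optional[str]]:
    """Return (routes_to_add, error). error mirrors OpenVPN's NOTE text.

    Without flags the default route is replaced; with def1 two half-Internet
    routes (0.0.0.0/1 and 128.0.0.0/1) override the existing default instead.
    In both cases a host route to the VPN server keeps the tunnel itself
    going out via the original gateway.
    """
    flags = _option(state, "redirect-gateway")
    if flags is None:
        return [], None
    gw = vpn_gateway(state)
    if gw is None:
        return [], ("unable to redirect default gateway -- VPN gateway "
                    "parameter (--route-gateway or --ifconfig) is missing")
    routes: List[Route] = [(f"{state.server_ip}/32", state.local_gateway)]
    if "def1" in flags:
        routes += [("0.0.0.0/1", gw), ("128.0.0.0/1", gw)]
    else:
        routes.append(("default", gw))
    return routes, None


if __name__ == "__main__":
    # nikiski's situation: TAP, redirect pushed, no gateway to route to
    tap_no_gw = ClientState("tap", "203.0.113.10", "192.168.1.1",
                            ["redirect-gateway bypass-dhcp"])
    print(plan_redirect(tap_no_gw))
    # jay's server: route-gateway pushed alongside redirect-gateway def1
    tap_with_gw = ClientState("tap", "203.0.113.10", "192.168.1.1",
                              ["route-gateway 10.10.0.1",
                               "redirect-gateway def1"])
    print(plan_redirect(tap_with_gw))
```

The first case yields no routes and the same NOTE that appears in nikiski's log; the second yields the host route to the server via the LAN gateway and the two def1 routes via 10.10.0.1, which is what a "netstat -rn" on the client should show once the connection is up.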

James

Posts: 1898
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Sep 09, 2009 4:52 pm
Hi jay,

Does following the same advice as above resolve your issue as well?

Cheers,
James

jay

Posts: 3
Joined: Fri Sep 04, 2009 8:55 am

Post by jay » Thu Sep 10, 2009 3:50 am
Hi James,

Unfortunately, it does not. I am not pushing "redirect-gateway bypass-dhcp" to my clients, and when I try setting the gateway manually in the Viscosity connection settings, this does not fix the issue.

I think something strange is happening with the way routes are being set or interpreted on the client. When I have successfully connected to the VPN, I can ping the VPN gateway (10.10.0.1) with no problems. However, when connected to the VPN, I cannot ping my local ISP's gateway. When I disconnect from the VPN, I can ping the gateway again. But I should be able to ping the local ISP gateway when I am connected to the VPN.

If it would be helpful, I can send you the routing table as displayed by "netstat -r".

Thanks,
jay

James

Posts: 1898
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Sep 10, 2009 5:10 pm
Hi jay,

What happens if you increase the delay before adding the routes (in case Snow Leopard is taking a while to communicate with the DHCP server)? You should be able to do this by editing your connection in Viscosity, clicking on the Advanced tab, and adding the command "route-delay 30" (no quotes) on a new line. This should cause Viscosity/OpenVPN to wait 30 seconds after connection before attempting to add the routes.

Regards,
James

jay

Posts: 3
Joined: Fri Sep 04, 2009 8:55 am

Post by jay » Fri Sep 11, 2009 4:39 am
Hi James,

It works! I tested some smaller values and found that "route-delay 10" also works while "route-delay 5" does not. Thank you very much!

I wonder why this is happening in Snow Leopard but not Leopard. Perhaps it is related to the "write to TUN/TAP: Input/output error (code=5)" messages I see in the Details log (I did not see these messages in Leopard).

Thanks,
jay

nikiski

Posts: 2
Joined: Thu Sep 03, 2009 12:18 pm

Post by nikiski » Sun Sep 13, 2009 3:23 am
Hi James,

Setting the IP address and delaying does work. Thanks! :)
