
I set up an OpenVPN server on a personal AWS EC2 instance, and am trying to connect to it from an Ubuntu 14.04 client. (I had to change the server's minimum TLS version to 1.0 to get the handshake to work.)

Now, when I type sudo openvpn --config client.ovpn it seems to connect, ending the log messages with "Initialization Sequence Completed".

However, in my web browser, my IP address remains the same as my home IP.

What's needed to complete the vpn connection?

EDIT: I am including log output from "ip route" and the openvpn command

"ip route" output BEFORE connecting to openvpn

default via 192.168.1.1 dev eth0  proto static 
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.12  metric 1 

NOTE: in all output below, I have replaced the public ip of my openvpn server with 111.222.333.444 to retain anonymity

output of openvpn command

sudo openvpn --config client.ovpn  --redirect-gateway def1  --auth-user-pass pass.txt 
Tue Apr 12 07:04:20 2022 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Jun 22 2017
Tue Apr 12 07:04:20 2022 WARNING: file 'pass.txt' is group or others accessible
Tue Apr 12 07:04:20 2022 Control Channel Authentication: tls-auth using INLINE static key file
Tue Apr 12 07:04:20 2022 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 07:04:20 2022 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 07:04:20 2022 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Apr 12 07:04:20 2022 UDPv4 link local: [undef]
Tue Apr 12 07:04:20 2022 UDPv4 link remote: [AF_INET]111.222.333.444:1194
Tue Apr 12 07:04:20 2022 TLS: Initial packet from [AF_INET]111.222.333.444:1194, sid=2847d960 bd54dabd
Tue Apr 12 07:04:20 2022 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr 12 07:04:20 2022 VERIFY OK: depth=1, CN=OpenVPN CA
Tue Apr 12 07:04:20 2022 VERIFY OK: nsCertType=SERVER
Tue Apr 12 07:04:20 2022 VERIFY OK: depth=0, CN=OpenVPN Server
Tue Apr 12 07:04:21 2022 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Apr 12 07:04:21 2022 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 07:04:21 2022 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Apr 12 07:04:21 2022 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 12 07:04:21 2022 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Tue Apr 12 07:04:21 2022 [OpenVPN Server] Peer Connection Initiated with [AF_INET]111.222.333.444:1194
Tue Apr 12 07:04:23 2022 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Tue Apr 12 07:04:23 2022 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,comp-lzo no,redirect-private def1,redirect-private bypass-dhcp,redirect-private autolocal,redirect-private bypass-dns,route-gateway 172.27.232.1,route 172.27.224.0 255.255.240.0,route 172.31.0.0 255.255.0.0,block-ipv6,ifconfig 172.27.232.15 255.255.248.0,auth-token SESS_ID'
Tue Apr 12 07:04:23 2022 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.2)
Tue Apr 12 07:04:23 2022 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.3.2)
Tue Apr 12 07:04:23 2022 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.3.2)
Tue Apr 12 07:04:23 2022 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:18: block-ipv6 (2.3.2)
Tue Apr 12 07:04:23 2022 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 12 07:04:23 2022 OPTIONS IMPORT: explicit notify parm(s) modified
Tue Apr 12 07:04:23 2022 OPTIONS IMPORT: LZO parms modified
Tue Apr 12 07:04:23 2022 OPTIONS IMPORT: --ifconfig/up options modified
Tue Apr 12 07:04:23 2022 OPTIONS IMPORT: route options modified
Tue Apr 12 07:04:23 2022 OPTIONS IMPORT: route-related options modified
Tue Apr 12 07:04:23 2022 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=ec:f4:bb:57:57:1a
Tue Apr 12 07:04:23 2022 TUN/TAP device tun0 opened
Tue Apr 12 07:04:23 2022 TUN/TAP TX queue length set to 100
Tue Apr 12 07:04:23 2022 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Apr 12 07:04:23 2022 /sbin/ip link set dev tun0 up mtu 1500
Tue Apr 12 07:04:23 2022 /sbin/ip addr add dev tun0 172.27.232.15/21 broadcast 172.27.239.255
Tue Apr 12 07:04:28 2022 ROUTE remote_host is NOT LOCAL
Tue Apr 12 07:04:28 2022 /sbin/ip route add 111.222.333.444/32 via 192.168.1.1
Tue Apr 12 07:04:28 2022 /sbin/ip route add 0.0.0.0/1 via 172.27.232.1
Tue Apr 12 07:04:28 2022 /sbin/ip route add 128.0.0.0/1 via 172.27.232.1
Tue Apr 12 07:04:28 2022 /sbin/ip route add 172.27.224.0/20 via 172.27.232.1 metric 101
Tue Apr 12 07:04:28 2022 /sbin/ip route add 172.31.0.0/16 via 172.27.232.1 metric 101
Tue Apr 12 07:04:28 2022 Initialization Sequence Completed

"ip route" output AFTER connecting to openvpn

0.0.0.0/1 via 172.27.232.1 dev tun0
default via 192.168.1.1 dev eth0  proto static
111.222.333.444 via 192.168.1.1 dev eth0            
128.0.0.0/1 via 172.27.232.1 dev tun0
172.27.224.0/20 via 172.27.232.1 dev tun0  metric 101
172.27.232.0/21 dev tun0  proto kernel  scope link  src 172.27.232.15
172.31.0.0/16 via 172.27.232.1 dev tun0  metric 101
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.12  metric 1
    Please do traceroute 8.8.8.8 and provide the output. You’ll be able to see whether traffic leaves over the VPN tunnel. – Daniel B Apr 12 '22 at 14:24
  • Solved by reinstalling the OpenVPN server software; during the prompts it asked "Should client traffic be routed by default through the VPN?" with a default value of no, which I selected yes this time. Why would anybody want to set up a VPN without enabling that? And I don't know where the menu option to change that is in the OpenVPN web UI – draca Apr 13 '22 at 10:38


According to the documentation, in order to route all traffic through the server (and not just traffic destined for the VPN's network), the server needs to set a directive push "redirect-gateway def1" and the server needs to route the traffic appropriately:

Add the following directive to the server configuration file:

push "redirect-gateway def1"

If your VPN setup is over a wireless network, where all clients and the server are on the same wireless subnet, add the local flag:

push "redirect-gateway local def1"

Pushing the redirect-gateway option to clients will cause all IP network traffic originating on client machines to pass through the OpenVPN server. The server will need to be configured to deal with this traffic somehow, such as by NATing it to the internet, or routing it through the server site's HTTP proxy.

On Linux, you could use a command such as this to NAT the VPN client traffic to the internet:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This command assumes that the VPN subnet is 10.8.0.0/24 (taken from the server directive in the OpenVPN server configuration) and that the local ethernet interface is eth0.


Edit:

I trust Daniel's comments. The routing table while the VPN is active should be pushing you over the VPN given the 0.0.0.0/1 via 172.27.232.1 dev tun0 and 128.0.0.0/1 via 172.27.232.1 dev tun0 lines. Output of a traceroute to 8.8.8.8 can confirm.

  • I tried all this, to no avail. Still no change in my IP address – draca Apr 11 '22 at 10:01
  • Hmm. On your Ubuntu client machine, could you edit your question to include the output of ip route both without the VPN connection active, and with it active? Including the full output from your sudo openvpn --config client.ovpn command would be helpful too. – Preston Maness Apr 11 '22 at 17:14
  • I have edited question to include output of those commands as requested, with the public IP of my openvpn EC2 server replaced with 111.222.333.444 – draca Apr 12 '22 at 12:54
    The option doesn’t have to be pushed. It can also be directly in the client config. It is active, as evident from the resulting routing table. – Daniel B Apr 12 '22 at 14:25
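The answer and the comments above split the problem into two halves: the client's routing table must send the default route over the tunnel (which the def1 split routes in the question already do), and the server must forward and NAT what arrives. The following is an added example, not code from the question, the answer, or the OpenVPN project. It classifies `ip route` output the way Daniel's comment reads it, and derives the server-side pieces the answer lists (push directive, ip_forward, MASQUERADE rule) from the `server` line of a server.conf. The routing tables are the ones quoted in the question; SERVER_CONF is a constructed, hypothetical minimal config using the answer's 10.8.0.0/24 subnet, and `wan_iface="eth0"` is an assumption.

```python
"""Checks for an OpenVPN "route all client traffic through the tunnel" setup.
Added example; not code from the question, the answer, or OpenVPN itself."""
import ipaddress
import re

# Constructed sample: client routing table AFTER connecting, copied from the
# question (the server's public IP is the same placeholder, 111.222.333.444).
ROUTES_AFTER = """\
0.0.0.0/1 via 172.27.232.1 dev tun0
default via 192.168.1.1 dev eth0  proto static
111.222.333.444 via 192.168.1.1 dev eth0
128.0.0.0/1 via 172.27.232.1 dev tun0
172.27.224.0/20 via 172.27.232.1 dev tun0  metric 101
172.27.232.0/21 dev tun0  proto kernel  scope link  src 172.27.232.15
172.31.0.0/16 via 172.27.232.1 dev tun0  metric 101
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.12  metric 1
"""

# Constructed sample: routing table BEFORE connecting, from the question.
ROUTES_BEFORE = """\
default via 192.168.1.1 dev eth0  proto static
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.12  metric 1
"""

# Constructed, hypothetical server.conf using the subnet from the answer.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
"""


def parse_routes(text):
    """Return {destination: device} from `ip route` output."""
    routes = {}
    for line in text.splitlines():
        fields = line.split()
        if "dev" in fields:
            routes[fields[0]] = fields[fields.index("dev") + 1]
    return routes


def client_redirect_state(text):
    """Classify how the client's default route relates to the tunnel.

    'def1': 0.0.0.0/1 and 128.0.0.0/1 point at a tun device. They are more
            specific than 'default', so everything without a narrower route
            goes over the VPN even though 'default' still names eth0.
    'full': 'default' itself points at a tun device.
    'none': no route sends default traffic over the tunnel.
    """
    routes = parse_routes(text)

    def via_tun(dst):
        return routes.get(dst, "").startswith("tun")

    if via_tun("0.0.0.0/1") and via_tun("128.0.0.0/1"):
        return "def1"
    if via_tun("default"):
        return "full"
    return "none"


def diagnose(text):
    """Say which side to look at next, given the client's routing table."""
    if client_redirect_state(text) == "none":
        return "client: redirect-gateway def1 is not in effect (set it in the client config or push it)"
    return ("client routes already send default traffic via the tunnel; "
            "if the public IP does not change, check the server: ip_forward and the NAT rule")


def server_directives(conf_text, wan_iface="eth0"):
    """Derive the server-side pieces from the `server <net> <mask>` directive."""
    m = re.search(r"^server\s+(\S+)\s+(\S+)", conf_text, re.M)
    if not m:
        raise ValueError("no 'server <network> <netmask>' directive found")
    subnet = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    pushed = re.search(r'^push\s+"redirect-gateway[^"]*"', conf_text, re.M) is not None
    return {
        "subnet": str(subnet),
        "push_present": pushed,
        "sysctl": "net.ipv4.ip_forward=1",
        "nat_rule": f"iptables -t nat -A POSTROUTING -s {subnet} -o {wan_iface} -j MASQUERADE",
    }


if __name__ == "__main__":
    print("before:", client_redirect_state(ROUTES_BEFORE))
    print("after: ", client_redirect_state(ROUTES_AFTER))
    print(diagnose(ROUTES_AFTER))
    for key, value in server_directives(SERVER_CONF).items():
        print(f"{key}: {value}")
```

Run against the question's tables this reports 'none' before and 'def1' after, which is why the answer's edit and Daniel's comment point at the server rather than the client. Two caveats a practitioner would add: with def1 the original default route is left in place, so if the tunnel fails the client silently falls back to eth0; and the question's 2.3.2 client logs block-ipv6 as an unrecognized option, so if the client has IPv6 connectivity, IPv6 traffic is not redirected and a website may still show the home address.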