Author Topic: VPN Internet Traffic Redirect?  (Read 1386 times)

renss78

VPN Internet Traffic Redirect?
« on: October 23, 2015, 10:52:29 am »
Hello,

I'm setting up a network with the VPN option in Zentyal.

Configuration:

eth0(WAN) -->178.xx.xxx.x(external ip)
eth1(LAN) --> 172.80.0.1 (internal lan)
VPN --> 192.168.160.1/24 (vpn lan)

Problem:

When I connect via my Windows 8 workstation, I can connect fine, but all my traffic goes through the VPN server (internet). We don't want that; I want to keep using my local (office) WAN connection.

So in the VPN server configuration (VPN-->Servers-->Config) I unchecked the Redirect gateway option and checked the Network Address Translation and Allow client-to-client connections options. Now I do indeed use my own local (office) WAN connection, BUT I cannot reach the VPN network (I can't ping 192.168.160.1, while my own IP is 160.2) and I cannot reach the 172.80.0.x network. All of this works when I check the Redirect gateway option, but then all the internet goes through the VPN connection.

So I think the solution is: add static routes... but I have no clue what values I must add.....

Best regards,

Rens
« Last Edit: October 23, 2015, 11:20:02 am by renss78 »

ATT1

Re: VPN Internet Traffic Redirect?
« Reply #1 on: October 23, 2015, 01:21:51 pm »
I ran into a similar problem - you may have several networks called "192.168.x.y".
If your own IP at home is "192.168.x.y" and you connect to VPN _and_ the VPN network on the other side is also "192.168.x.y", your computer at home does not know what to do when trying to reach "192.168.x.y" - reach the one at home or reach the one at the other end of the VPN?
I see no other solution but to switch to another network, either at home or at the other endpoint.
Other networks likely include "10.x.y.z" (24 bit network, large!), etc:

10.0.0.0 to 10.255.255.255   10.0.0.0/8   10/8   2^24 = 16,777,216   Class A: 1 private net with 16,777,216 IPs
10.0.0.0/8

172.16.0.0 to 172.31.255.255   172.16.0.0/12   172.16/12   2^20 = 1,048,576   Class B: 16 private networks, each containing 65,536 IP addresses;
172.16.0.0/16 to 172.31.0.0/16        -> several of these seem to be a wise choice

192.168.0.0 to 192.168.255.255   192.168.0.0/16   192.168/16   2^16 = 65,536   Class C: 256 private subnets with 256 addresses each;
192.168.0.0/24 to 192.168.255.0/24


renss78

Re: VPN Internet Traffic Redirect?
« Reply #2 on: October 23, 2015, 02:00:03 pm »
Hi,

In the first place, thanks for your quick response :)

You were certainly right about one thing:

Quote
your computer at home does not know what to do when trying to reach "192.168.x.y" - reach the one at home or reach the one at the other end of the VPN?

And the solution you proposed would probably work, but both networks are /24... completely different subnets since they are /24. But what you said made me think of the following:

When I ping, for example, the LAN (which is behind the Zentyal) 172.80.0.1, how does Windows know which connection to use to send the ping...... the normal local internet connection or the VPN connection... well, it does not!!

My solution:

Manually add the following routes to my local ovpn file which is in the config folder:

Code:
route-nopull
route 192.168.160.0 255.255.255.0
route 172.80.0.0 255.255.255.0

Now the OpenVPN client knows that it must ONLY use the VPN connection for these subnets.

BUT I don't want to manually add these routes for all those clients I'm going to use... The next step is that I'm going to find a way to PUSH the routes to the clients (which can be achieved by editing the openvpn.conf). But I have no idea where to find it in Zentyal.

Maybe a tip for a new feature in Zentyal: make it possible to push routes via the GUI.

Best regards,

Rens




renss78

Re: VPN Internet Traffic Redirect?
« Reply #3 on: October 23, 2015, 05:02:30 pm »
Hello,

Here is an update:

I found out that Zentyal DOES try to push the Advertised Networks to the client through OpenVPN, only that fails...

I solved that with my last post by manually adding the route.

By default the advertised network should be pushed correctly, so this problem would NOT occur. At the moment I do not have a solution for this problem, only a workaround ;)

The error which you see in the VPN State Log:

Code:
Fri Oct 23 15:59:21 2015 PUSH: Received control message: 'PUSH_REPLY,route 178.20.252.0 255.255.255.0,route x.x.x.0 255.255.254.0,route 192.168.170.0 255.255.255.0,route 172.80.0.0 255.255.255.0,route 192.168.160.0 255.255.255.0,route-gateway 192.168.160.1,ping 10,ping-restart 120,ifconfig 192.168.160.2 255.255.255.0'
Fri Oct 23 15:59:21 2015 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct 23 15:59:21 2015 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct 23 15:59:21 2015 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct 23 15:59:21 2015 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
Fri Oct 23 15:59:21 2015 Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS])
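
Added example (not part of the thread or of Zentyal's code): a Python check over the log posted in Reply #3 that lists the routes in the PUSH_REPLY, counts the client-side rejections, and compares each route with the RFC 1918 ranges from Reply #1. OpenVPN logs this Options error once per pushed route when the client config contains route-nopull, as the workaround in Reply #2 does; the client LAN 192.168.1.0/24 is an assumed value.

```python
import ipaddress
import re

# RFC 1918 private ranges, as listed in Reply #1.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REJECT = "option 'route' cannot be used in this context ([PUSH-OPTIONS])"

# The log from Reply #3: one PUSH_REPLY followed by five identical errors.
SAMPLE_LOG = (
    "Fri Oct 23 15:59:21 2015 PUSH: Received control message: 'PUSH_REPLY,"
    "route 178.20.252.0 255.255.255.0,route x.x.x.0 255.255.254.0,"
    "route 192.168.170.0 255.255.255.0,route 172.80.0.0 255.255.255.0,"
    "route 192.168.160.0 255.255.255.0,route-gateway 192.168.160.1,"
    "ping 10,ping-restart 120,ifconfig 192.168.160.2 255.255.255.0'\n"
    + ("Fri Oct 23 15:59:21 2015 Options error: " + REJECT + "\n") * 5
)

def pushed_routes(log):
    """Return (network, netmask) for each 'route' option in a PUSH_REPLY."""
    routes = []
    for msg in re.findall(r"'PUSH_REPLY,([^']*)'", log):
        for opt in msg.split(","):
            parts = opt.split()
            if len(parts) >= 3 and parts[0] == "route":
                routes.append((parts[1], parts[2]))
    return routes

def classify(net, mask, local_lan):
    """Label a route: unparsable, overlaps-local, private or public."""
    try:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
    except ValueError:
        return "unparsable"      # e.g. the redacted x.x.x.0 entry
    if network.overlaps(ipaddress.ip_network(local_lan)):
        return "overlaps-local"  # the ambiguity described in Reply #1
    if any(network.subnet_of(r) for r in RFC1918):
        return "private"
    return "public"              # outside RFC 1918

def audit(log, local_lan):
    """Return ({route: label}, number of rejected pushed routes)."""
    report = {f"{n} {m}": classify(n, m, local_lan)
              for n, m in pushed_routes(log)}
    return report, log.count(REJECT)

if __name__ == "__main__":
    # 192.168.1.0/24 is an assumed client LAN, not a value from the thread.
    print(audit(SAMPLE_LOG, "192.168.1.0/24"))
```

On this log the five rejections match the five pushed routes, and 172.80.0.0/24 is labelled public because it lies outside 172.16.0.0/12, so a client holding that route sends traffic for those Internet addresses into the tunnel.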

ATT1

Re: VPN Internet Traffic Redirect?
« Reply #4 on: October 27, 2015, 10:08:18 pm »
I think you can't do it in Zentyal itself; but you can edit the config-file.
My solution was to have a config-file for each user, a "client-config-dir" for OpenVPN:

/etc/openvpn/ccd

In this directory, I keep a textfile for each openvpn-user, the name of the textfile is the name of the user:

/etc/openvpn/ccd/user1
/etc/openvpn/ccd/user2
/etc/openvpn/ccd/user3  etc.

Each user contains a specific route-push-option:

In the textfile "user1":

ifconfig-push 10.8.0.200 255.255.255.0

In the textfile "user2":
ifconfig-push 10.8.0.30 255.255.255.0

so the user is always getting the same static ip. For example.

See the "iroute" and "ifconfig-push" parameters in the client-config-dir.


renss78

Re: VPN Internet Traffic Redirect?
« Reply #5 on: November 13, 2015, 09:17:40 am »
Thnx!