Cannot access internet over vpn

[pstanbra]

Hi, I need a little help with VPN.
I've followed the VPN install video which went fine and can connect to VPN no problem.
I give out addresses using 192.168.250.x and advertise my internal network 192.168.1.x

The video does not mention anything about the fact that you have to make code changes in order for this to work which in the Microsoft SBS vs Zentyal scenario - SBS is always going to win hands down.

Anyway - after code changes, all traffic is now routed through the VPN and I can ping my lan machines.

So - now one problem.
I cannot access the internet and i've no idea how to fix this.
Even changing the ethernet adaptor with static dns servers does nothing.



My system:
Running on VMWare esxi4 with 1 network interface as 192.168.1.3
DNS 127.0.0.1, and then my DSL router 192.168.1.254
Gateway Broadband   192.168.1.254   eth0   1

So any help would be appreciated.
I'm still miffed though why VPN traffic is not routed to the server as default without changing files.
I mean - SBS doesnt require such changes and this is the real aim of zentyal.


Please help in any way you can...
 

[FutureTechSys]

What are your gateways and DNS servers that are being assigned to VPN clients?

[pstanbra]

Ethernet adapter OpenVPN Adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   Physical Address. . . . . . . . . : 00-FF-D9-91-A9-4C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.250.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 17 October 2010 19:45:07
   Lease Expires . . . . . . . . . . : 17 October 2011 19:45:07
   Default Gateway . . . . . . . . . : 192.168.250.1
   DHCP Server . . . . . . . . . . . : 192.168.250.0
   DNS Servers . . . . . . . . . . . : 192.168.1.254 (my DSL router)
   NetBIOS over Tcpip. . . . . . . . : Enabled


When I ping OpenDNS server ip
Pinging 208.67.222.222 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 208.67.222.222:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The DNS entry shown was added to a file (i forgot which - something to do with pushing a dns server via vpn)

[FutureTechSys]

There's your problem... your DNS server is on a different subnet from your VPN clients.

Try pinging 192.168.1.254 - bet it times out or is unreachable.

I don't know the exact fix for this, but I'm betting it's either going to be a static route, or something to do with adding something to the OpenVPN config.  Wish I could help more, but the problem is definitely the DNS server entry.

[pstanbra]

I don't think this is correct as the network is added to my list of accessible networks under vpn settings and yes I can ping all of my 192.168.1.x network including the router.

I cannot however ping an external internet address not resolve a DNS name such as yahoo.com
I can change the adapter DNS to opendns server IPS but then the fact I cannot ping an external internet IP means this is irrelevant anyway.

[FutureTechSys]

So you can't perform DNS lookups, or ping your DNS machine, but your DNS is set up fine and isn't the issue?  Just to recap.

I'm not sure what else to check, if someone else knows what it could be feel free to chime in

[pstanbra]

Not quite..
The DNS machine you refer to is my ADSL router.
192.168.1.254 which I can ping and connect to.
remember - this is part fo my allowed 192.168.1.x network

I cannot resolve DNS names such as yahoo.co.uk
OR ping an EXTERNAL IP address.

I can access all my internal network over VPN.

Thanks

[FutureTechSys]

Got it.

If its a windows machine, try this (not sure on the command line version for linux)

nslookup yahoo.com

It should say "Server (IP Address)" and then some info


Also tracert yahoo.com

Post back results

[pstanbra]

C:\Users\P>nslookup yahoo.co.uk
Server:  UnKnown
Address:  10.203.129.68

*** UnKnown can't find yahoo.co.uk: No response from server


C:\Users\P>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Blue
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : config

PPP adapter Vodafone Mobile Connect:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Vodafone Mobile Connect
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.93.117.103(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.203.129.68
   Primary WINS Server . . . . . . . : 10.11.12.13
   Secondary WINS Server . . . . . . : 10.11.12.14
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter OpenVPN Adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   Physical Address. . . . . . . . . : 00-FF-D9-91-A9-4C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.250.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 18 October 2010 11:58:06
   Lease Expires . . . . . . . . . . : 18 October 2011 11:58:06
   Default Gateway . . . . . . . . . : 192.168.250.1
   DHCP Server . . . . . . . . . . . : 192.168.250.0
   DNS Servers . . . . . . . . . . . : 192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled


C:\Users\P>tracert yahoo.co.uk
Unable to resolve target system name yahoo.co.uk.

[FutureTechSys]

Here are your problems:

C:\Users\P>nslookup yahoo.co.uk
Server:  UnKnown
Address:  10.203.129.68

1.) It can't see the name of your DNS server
2.) It can't trace past your DNS server or gateway
3.) On your OpenVPN IP details, everything is on the same subnet except for your DNS server.  With this configuration, specifically the 255.255.255.0 netmask, you will be unable to reach that DNS server from the OpenVPN adapter as its on a different subnet.

You need to find out how to assign a DNS server in the same subnet... maybe create a virtual interface for that address?  I'm not sure what exactly the fix is, but as I've said from the beginning, it's definitely something with the DNS setup.

Basically, this is what is happening when you try and go on the net:

Your computer is saying "My IP address is 192.168.250.2, and I want to go to yahoo.com.  Let me get the IP address for that".  Then it says "My DNS server is 192.168.1.254, let me try and connect to that..." and it sees that it can't reach that subnet, and says "Can't get there" and shrugs its shoulders.


Your DNS server needs to either be a 192.168.250.* address, or something on the VPN server needs to give VPN clients a way to reach that other subnet.

[pstanbra]

thanks for the information,

but I cannot ping an external IP address.. which bypasses the whole DNS issue..

[FutureTechSys]

not being able to ping by IP means there is a gateway issue as well - doesn't mean DNS is fine.  Tracert shows the gateway is wrong, nslookup shows DNS is wrong.  You have two problems there.

Double check your ethernet adapter on your clients to be sure you dont have DNS/Gateway hard set in there, could be overriding your VPN settings.

[pstanbra]

Here are your problems:

C:\Users\P>nslookup yahoo.co.uk
Server:  UnKnown
Address:  10.203.129.68

1.) It can't see the name of your DNS server
2.) It can't trace past your DNS server or gateway
3.) On your OpenVPN IP details, everything is on the same subnet except for your DNS server.  With this configuration, specifically the 255.255.255.0 netmask, you will be unable to reach that DNS server from the OpenVPN adapter as its on a different subnet.
  This is incorrect. I can ping 192.168.1.254 fine. This is my ADSL router.


You need to find out how to assign a DNS server in the same subnet... maybe create a virtual interface for that address?  I'm not sure what exactly the fix is, but as I've said from the beginning, it's definitely something with the DNS setup.

Basically, this is what is happening when you try and go on the net:

Your computer is saying "My IP address is 192.168.250.2, and I want to go to yahoo.com.  Let me get the IP address for that".  Then it says "My DNS server is 192.168.1.254, let me try and connect to that..." and it sees that it can't reach that subnet, and says "Can't get there" and shrugs its shoulders.

     again, I can get to 192.168.1.254 just fine.


Your DNS server needs to either be a 192.168.250.* address, or something on the VPN server needs to give VPN clients a way to reach that other subnet.

does anyone else have any idea whats going on.

Additional Information.
If on my windows pc, I run these commands

route delete 0.0.0.0
route add 0.0.0.0 mask 0.0.0.0 192.168.1.3    (this is my ebox)
and then try to trace route on yahoo.co.uk
then this works fine

C:\Windows\system32>tracert www.yahoo.com

Tracing route to eu-fp.wa1.b.yahoo.com [87.248.122.122]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  Zentyal-SBS-Server.config [192.168.1.3]
  2    22 ms    99 ms    99 ms  BeBox.config [192.168.1.254]
  3    18 ms    20 ms    27 ms  10.1.2.161


so ebox can see my router
and can access the internet...

but when on VPN, I can not
Yet I can ping my router

So when I connect to VPN, the IP that is assigned is 192.168.250.2
and the default gateway becomes 192.168.250.1

If I use the same principle above without vpn and deltet and add my default gateway to 192.168.250.1, I again cannot access the internet

So Im guessing the problem, lies with the 192.168.250.x subnet not knowing how to access the internet.....



HELP

[pstanbra]

anyone else have any idea???

[alexz]

This is my problem too, please help!!