This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Route problems with OpenVPN through a local Astaro firewall

I started a question on superuser.com but I thought I would also post here too.

routing - Route problems with OpenVPN through a local Astaro firewall - Super User

I am trying to connect to a OpenVPN server on my Windows 7 desktop though my Astaro (ASG) Firewall. I got it setup and can connect just fine but I can't surf the web. I can ping websites like google.com so DNS and some routing is working. I am trying to figure out if the problem is a setting in my firewall.

This is what I allowed in the firewall:

Computer (10.10.1.71) --> 1:65000 to 1194 (UDP/TCP) --> VPN DNS Group

So after I connect I look at the routing table and I'm just confused. Can someone post a link to a good website that explains how the Windows 7 routing table is read. Also can someone explain how mine is read?

Is there any reason why Astaro might block the traffic? Nothing shows in Live Firewall log and IPS is currently disabled.

//local ip      10.10.1.71   
//local network 10.10.1.0/24
//local Subnet  255.255.255.0

// vpn ip     10.109.84.6
// vpn subnet 255.255.255.252

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.1.1       10.10.1.71      5
          0.0.0.0        128.0.0.0      10.109.84.5      10.109.84.6     30
        10.10.1.0    255.255.255.0         On-link        10.10.1.71    261
       10.10.1.71  255.255.255.255         On-link        10.10.1.71    261
      10.10.1.255  255.255.255.255         On-link        10.10.1.71    261
      10.109.84.1  255.255.255.255      10.109.84.5      10.109.84.6     30
      10.109.84.4  255.255.255.252         On-link       10.109.84.6    286
      10.109.84.6  255.255.255.255         On-link       10.109.84.6    286
      10.109.84.7  255.255.255.255         On-link       10.109.84.6    286
    50.23.113.234  255.255.255.255        10.10.1.1       10.10.1.71      5
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0      10.109.84.5      10.109.84.6     30
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        10.10.1.71    261
        224.0.0.0        240.0.0.0         On-link       10.109.84.6    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link        10.10.1.71    261
  255.255.255.255  255.255.255.255         On-link       10.109.84.6    286
===========================================================================

EDIT:

I was able to get the OpenVPN connection working when connecting using 443/tcp. Which makes me believe that something in my Astaro ASG is blocking the connection for some reason. I'm still determined to figure out why 1194/udp is not working (for everything) even though I added the rule into my firewall to allow the traffic.

Any help is appreciated, Thanks!

This thread was automatically locked due to age.

0 BAlfson over 12 years ago

Hi Brandon,

I am trying to connect to a OpenVPN server on my Windows 7 desktop though my Astaro (ASG) Firewall.

It's not clear whether your Win7 machine is the client or the server or if the ASG is the server or just the firewall.

IPS is currently disabled.

Please check that log as Anti-DoS Flooding also is logged there.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 bradonm over 12 years ago in reply to BAlfson

The Windows 7 computer is the client (inside the network) connecting to a OpenVPN server outside the network.

Nothing is being logged to the IPS log.  I have Anti-DoS/Flood all uncheck and Anti-Portscan disabled.  I also added the client computer to the exception list with all Skipping: Intrusion Protection / Anti-Portscan / Anti-DoS/Flooding TCP / Anti-DoS/Flooding UDP / Anti-DoS/Flooding ICMP.

When connected I ran "telnet google.com 80" from command line which connected just fine and received response.  I even connected to ftp server just fine "ftp://ftp.us.debian.org"

Chrome and IE still not working. There is no proxy configuration setup in the browsers.
Cancel
Vote Up 0 Vote Down

Cancel

0 BAlfson over 12 years ago

I guess that your problem is not in the Astaro...

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.1.1       10.10.1.71      5
          0.0.0.0        128.0.0.0      10.109.84.5      10.109.84.6     30
[...]
        128.0.0.0        128.0.0.0      10.109.84.5      10.109.84.6     30

That's strange. Why would you have 0.0.0.0/1 and 128.0.0.0/1 routes? Your OpenVPN config can't be right - or it's a version that needs to be updated.

Cheers - Bob

0 bradonm over 12 years ago in reply to BAlfson

This is just weird but I don't think the routing is the problem because when I change same configuration to use tcp/443 everything works just fine. It has has the same routing table as the port 1194/upd config.

I am using latest OpenVPN 2.3 rc1 now but also had same results from OpenVPN 2.2.2. Both downloaded from openvpn.net. Nothing running on the system that would be filtering the connection besides the windows fw.


IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0        10.10.1.1       10.10.1.71      5

          0.0.0.0        128.0.0.0      10.30.85.21      10.30.85.22     30

        10.10.1.0    255.255.255.0         On-link        10.10.1.71    261

       10.10.1.71  255.255.255.255         On-link        10.10.1.71    261

      10.10.1.255  255.255.255.255         On-link        10.10.1.71    261

       10.30.85.1  255.255.255.255      10.30.85.21      10.30.85.22     30

      10.30.85.20  255.255.255.252         On-link       10.30.85.22    286

      10.30.85.22  255.255.255.255         On-link       10.30.85.22    286

      10.30.85.23  255.255.255.255         On-link       10.30.85.22    286

      50.23.65.53  255.255.255.255        10.10.1.1       10.10.1.71      5

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

        128.0.0.0        128.0.0.0      10.30.85.21      10.30.85.22     30

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link        10.10.1.71    261

        224.0.0.0        240.0.0.0         On-link       10.30.85.22    286

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link        10.10.1.71    261

  255.255.255.255  255.255.255.255         On-link       10.30.85.22    286

===========================================================================

0 bradonm over 12 years ago in reply to bradonm

Oh I guess I kind of forgot an important thing. The Windows 7 machine is a guest on VirtualBox VM. The Host is Mac OS X. The guest is using a bridged network so it has it own IP address from the Astaro.
Cancel
Vote Up 0 Vote Down

Cancel
0 matthias.schmidt over 12 years ago in reply to BAlfson
I guess that your problem is not in the Astaro...

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.1.1       10.10.1.71      5
          0.0.0.0        128.0.0.0      10.109.84.5      10.109.84.6     30
[...]
        128.0.0.0        128.0.0.0      10.109.84.5      10.109.84.6     30

That's strange.  Why would you have 0.0.0.0/1 and 128.0.0.0/1 routes?  Your OpenVPN config can't be right - or it's a version that needs to be updated.

Cheers - Bob

Open-VPN Client does that in order to implement a "route all through tunnel" scenario. (I think Sophos SSL client does the same thing, when you set "Any" in "Local networks" of SSL-VPN-Config. Which is not surprising, because its an openVPN implementation at the end of the day)

It sets a /32 route for the VPN Server to your former default GW.
And it sets two routes 0.0.0.0/1 and 128.0.0.0/1 into the tunnel.
That way it avoids trouble with the original default route by messing with metric settings.
Because /32 route is always preferred before /1 route which is preffered before /0 route.

Kind regards,
Matthias

Btw. Is "preferred before" actual english? Sounds a little awkward to me. Please let me know.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 12 years ago

Thanks, I never noticed that, Matthias. In fact, At one point in time in one of the betas, we had to use two "half-Any" definitions like that instead of "Any" in the SSL configuration. So, my original guess about Brandon's problem wasn't even close!

Brandon, it seems like you've eliminated everything but VM and any firewalling done in OS X.

Cheers - Bob
PS Matthias, that would be understood as perfectly good English, although maybe a bit contrived. I think you'd more likely hear something like: Because a /32 route is always used/chosen before a /1 route which is used/chosen before a /0 route.
Cancel
Vote Up 0 Vote Down

Cancel