openvpn
Oleg, 2018-06-11 12:46:28

How to configure an OpenVPN client so that its local network does not break?

There is a remote OpenVPN server that acts as a gateway to the Internet.
There is a local network with a Linux router running Dnsmasq and Samba. Subnet 172.16.0.0/24.
After connecting to the OpenVPN server, computers on the local network stop pinging by name.
A file named after the client was created in the CCD folder on the server, and it says that packets to the client subnet do not go through the server:
iroute 172.16.0.0 255.255.255.0
and pings on the local network continue to work by IP (with an active OpenVPN connection).
On Linux I configured the connection in Network Manager (KDE), with some problems.

/etc/resolv.conf
# Generated by NetworkManager
search homenet # the name of my workgroup, configured in dnsmasq and samba on the LAN router
nameserver 1.1.1.1 # DNS server pushed by the OpenVPN server
nameserver 208.67.220.220 # DNS server pushed by the OpenVPN server
nameserver 172.16.0.1 # LAN router
ip r
default via 10.25.0.1 dev tun0 proto static metric 50 
default via 172.16.0.1 dev eno1 proto dhcp metric 100 
10.25.0.0/24 dev tun0 proto kernel scope link src 10.25.0.6 metric 50 
172.16.0.0/24 dev eno1 proto kernel scope link src 172.16.0.2 metric 100 
172.16.0.1 dev eno1 proto static scope link metric 100 
300.300.300.300 via 172.16.0.1 dev eno1 proto static metric 100 # external IP of the OpenVPN server
server.conf
server 10.25.0.0 255.255.255.0
port 1194
proto udp4
dev tun
topology subnet

cd /etc/openvpn/server/
ca ca.crt
cert server.crt
key server.key
dh dh.pem
crl-verify crl.pem

# Server - '0', client - '1'.
tls-auth ta.key 0 # This file is secret

user nobody
group nobody
persist-key
persist-tun

tls-server
tls-timeout 120

ifconfig-pool-persist ipp.txt
client-config-dir ccd

# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
compress lz4-v2
push "compress lz4-v2"

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 1.1.1.1" # CloudFlare public server
push "dhcp-option DNS 208.67.220.220" # OpenDNS.com server

keepalive 10 120

cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 20

status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
#verb 3
verb 4

mute 20

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1

# 16 tips on OpenVPN security: https://blog.g3rt.nl/openvpn-security-tips.html

# 2. Check the Extended Key Usage on the certificates
remote-cert-eku "TLS Web Client Authentication" # On clients change to 'Server'

If I connect from the console using a pre-created *.ovpn config:
sudo openvpn --config home_pc.ovpn
then the first time no traffic went through OpenVPN at all; now it does, but the DNS from the OpenVPN server was not registered and my provider's DNS servers are used.
home_pc.ovpn
client
dev tun
proto udp4
remote 300.300.300.300 1194  # external IP of the OpenVPN server

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
setenv opt user nobody
setenv opt group nobody

# Block DNS servers on other network adapters to prevent DNS leaks. Windows 7 (or higher) only.
setenv opt block-outside-dns

# Try to preserve some state across restarts.
persist-key
persist-tun

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
mute-replay-warnings

remote-cert-tls server
cipher AES-256-GCM
auth SHA256

# WARNING: this configuration may cache passwords in memory -- use the auth-nocache
auth-nocache

# Take this measure to prevent a client using his certificate to impersonate a server.
remote-cert-eku "TLS Web Server Authentication"

# Set log file verbosity.
verb 3

# Silence repeating messages
mute 20

<ca>...</ca>
<cert>...</cert>
<key>...</key>
<tls-auth>...</tls-auth>
key-direction 1
/etc/resolv.conf
# Generated by NetworkManager
search homenet
nameserver 172.16.0.1
ip r
0.0.0.0/1 via 10.25.0.1 dev tun0 
default via 172.16.0.1 dev eno1 proto dhcp metric 100 
10.25.0.0/24 dev tun0 proto kernel scope link src 10.25.0.6 
128.0.0.0/1 via 10.25.0.1 dev tun0 
172.16.0.0/24 dev eno1 proto kernel scope link src 172.16.0.2 metric 100 
300.300.300.300 via 172.16.0.1 dev eno1


The routes are significantly different compared to connecting through Network Manager.
But local network pings by name work.
In the case of Windows 7 (the same home_pc.ovpn is used), pings by name work to computers that have already been accessed, but with a long delay at the beginning; the Network Neighborhood is also very slow. But previously connected network drives open.
Is it correct that the word "default" is not written for the route "0.0.0.0/1 via 10.25.0.1 dev tun0" when connecting from the console on Linux? When connecting via Network Manager, the local DNS server is in /etc/resolv.conf, so why doesn't it work?

How to properly configure the configs for Windows and Linux OpenVPN clients so that they continue to work normally with the local network, while using the DNS server passed by the OpenVPN server for all external resources?
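The behaviour described in the question (a flat /etc/resolv.conf where the pushed VPN resolvers and the LAN router are simply listed one after another, so the first resolver that answers wins and "homenet" names fail) is what happens when the client has no per-interface DNS. As an added illustration, not part of the question or of OpenVPN's own scripts, the following `--up`/`--down` script binds the server-pushed DNS servers to the tunnel interface only, so the LAN interface keeps 172.16.0.1 and the "homenet" search domain. It assumes systemd-resolved (`resolvectl`) manages the stub resolver; the `foreign_option_N` variables are what the OpenVPN client exports to scripts for every pushed `dhcp-option` it does not handle itself. The install path /etc/openvpn/split-dns.sh and the `script-security 2` / `up` / `down` lines mentioned in the header are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the question): OpenVPN client --up/--down script
# that applies server-pushed DNS to the tunnel link only, leaving the LAN
# link (172.16.0.1, search domain "homenet") untouched.
# Assumes systemd-resolved; the client config lines that would use it are
# (assumption):
#   script-security 2
#   up   /etc/openvpn/split-dns.sh
#   down /etc/openvpn/split-dns.sh

# Read foreign_option_1, foreign_option_2, ... from the environment (OpenVPN
# sets them from pushed "dhcp-option ..." lines) and fill DNS_SERVERS /
# DNS_DOMAINS as space-separated lists.
parse_foreign_options() {
    DNS_SERVERS=""
    DNS_DOMAINS=""
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        # word splitting of $opt is intended: "dhcp-option DNS 1.1.1.1"
        set -- $opt
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    DNS_SERVERS="${DNS_SERVERS}${DNS_SERVERS:+ }$3" ;;
                DOMAIN) DNS_DOMAINS="${DNS_DOMAINS}${DNS_DOMAINS:+ }$3" ;;
            esac
        fi
        i=$((i + 1))
    done
}

# Print the resolvectl commands for link $1 (one per line), nothing is run.
# With no pushed DOMAIN the link gets the routing domain "~.": it becomes the
# default for every query that does not match a more specific per-link domain,
# so "pc1.homenet" (eno1's search domain) still goes to 172.16.0.1 while all
# other names go to the VPN resolvers. Returns 1 if the server pushed no DNS.
build_resolvectl_cmds() {
    link="$1"
    [ -n "$DNS_SERVERS" ] || return 1
    printf 'resolvectl dns %s %s\n' "$link" "$DNS_SERVERS"
    printf 'resolvectl domain %s %s\n' "$link" "${DNS_DOMAINS:-~.}"
}

# Apply the settings for the tunnel link, or only show them when DRY_RUN=1.
apply_vpn_dns() {
    parse_foreign_options
    build_resolvectl_cmds "$1" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would run: $cmd"
        else
            $cmd
        fi
    done
}

# OpenVPN sets script_type=up|down and dev=tun0 when it invokes the script.
case "${script_type:-}" in
    up)   apply_vpn_dns "$dev" ;;
    down) [ "${DRY_RUN:-0}" = "1" ] || resolvectl revert "$dev" ;;
    *)
        # Stand-alone dry run with a constructed environment matching the
        # server.conf in the question: two pushed DNS servers, no DOMAIN.
        foreign_option_1="dhcp-option DNS 1.1.1.1"
        foreign_option_2="dhcp-option DNS 208.67.220.220"
        DRY_RUN=1
        apply_vpn_dns tun0
        ;;
esac
```

Run without arguments it prints the two `resolvectl` commands it would issue for tun0; invoked by OpenVPN with `script_type=up` it runs them, and on `down` it reverts tun0 to no DNS. A quick check after connecting is `resolvectl status`, which should list 1.1.1.1 and 208.67.220.220 under tun0 with the `~.` domain, and 172.16.0.1 with `homenet` under eno1.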
