Has anyone ever gotten OpenVPN to run as a client successfully with a VPN subscription? OpenBSD seems to be the only OS I can't get OpenVPN up successfully on for some reason, and I'd like to make it work. So I've confirmed it's not a server-side issue as I've tested it on other operating systems as well as other people who are currently using the VPN service without a problem (except none of them are on OpenBSD).
The issue is that when I connect with OpenVPN, it's apparently "connected", but I can't seem to ping the gateway, any websites such as Google, nor use any internet-relying services such as browsing to a website or going on IRC.

I am running OpenBSD 4.8 release, with almost a default install. I've just got openvpn, scrotwm, firefox, and p7zip pkg_added on top of the barebones/fresh install.

Here are some logs/configs:

/etc/hostname.tun0

$ cat /etc/hostname.tun0
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.ovpn

/* I'd like to mention here that even after rebooting, the tun0 interface does NOT come up. An ifconfig shows that it is still down, and OpenVPN is not started up at boottime. I have no idea why /etc/hostname.tun0 isn't being read. */

OpenVPN client config:

$ cat /etc/client.ovpn
# VPN config
ns-cert-type server
tls-client
pull
verb 3
tls-timeout 6
cipher BF-CBC
keysize 256
pkcs12 cert.dat
keepalive 30 120
hand-window 120
route-delay 2
persist-tun
persist-key
redirect-gateway def1
remote-random
route-metric 2
route-method exe
dev tun0
topology subnet
<connection>
proto tcp-client
remote [vpn url] 11000
remote [vpn ip] 11000
connect-retry 10
</connection>
<connection>
proto udp
remote [vpn url] 11000
remote [vpn ip] 11000
</connection>

/* The square brackets contain the URL and IP address of the VPN service I connect to. I filtered them out as to not spam/advertise their service. */

OpenVPN connection log:

$ sudo openvpn --config /etc/openvpn/client.ovpn
Wed Feb 2 10:19:53 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2] built on Aug 10 2010
Wed Feb 2 10:19:53 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Feb 2 10:19:53 2011 WARNING: file 'cert.dat' is group or others accessible
Wed Feb 2 10:19:53 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Feb 2 10:19:53 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Wed Feb 2 10:19:53 2011 Local Options hash (VER=V4): '91138c76'
Wed Feb 2 10:19:53 2011 Expected Remote Options hash (VER=V4): 'f5a300ca'
Wed Feb 2 10:19:53 2011 Socket Buffers: R=[41600->65536] S=[9216->65536]
Wed Feb 2 10:19:53 2011 UDPv4 link local (bound): [undef]:1194
Wed Feb 2 10:19:53 2011 UDPv4 link remote: [vpn ip]:11000
Wed Feb 2 10:19:53 2011 TLS: Initial packet from [vpn ip]:11000, sid=a16fdfdd b22d9c39
Wed Feb 2 10:19:54 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O= example.com/CN=example.com_CA/emailAddress=ad...@example.com
Wed Feb 2 10:19:54 2011 VERIFY OK: nsCertType=SERVER
Wed Feb 2 10:19:54 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O= example.com/CN=server/emailAddress=ad...@example.com
Wed Feb 2 10:20:02 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 256 bit key
Wed Feb 2 10:20:02 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 2 10:20:02 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 256 bit key
Wed Feb 2 10:20:02 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Feb 2 10:20:02 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Feb 2 10:20:02 2011 [server] Peer Connection Initiated with [vpn ip]:11000
Wed Feb 2 10:20:04 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb 2 10:20:04 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.100.2.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.100.2.1,route-gateway 10.100.2.1,topology subnet,ping 30,ping-restart 120,ifconfig 10.100.2.106 255.255.255.0'
Wed Feb 2 10:20:04 2011 OPTIONS IMPORT: timers and/or timeouts modified
Wed Feb 2 10:20:04 2011 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb 2 10:20:04 2011 OPTIONS IMPORT: route options modified
Wed Feb 2 10:20:04 2011 OPTIONS IMPORT: route-related options modified
Wed Feb 2 10:20:04 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Feb 2 10:20:04 2011 ROUTE default_gateway=192.168.1.1
Wed Feb 2 10:20:04 2011 /sbin/ifconfig tun0 destroy
Wed Feb 2 10:20:04 2011 /sbin/ifconfig tun0 create
Wed Feb 2 10:20:04 2011 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Wed Feb 2 10:20:04 2011 /sbin/ifconfig tun0 10.100.2.106 netmask 255.255.255.0 mtu 1500 broadcast 10.100.2.255 link0
Wed Feb 2 10:20:04 2011 TUN/TAP device /dev/tun0 opened
Wed Feb 2 10:20:07 2011 /sbin/route add -net [vpn ip] 192.168.1.1 -netmask 255.255.255.255
add net [vpn ip]: gateway 192.168.1.1
Wed Feb 2 10:20:07 2011 /sbin/route add -net 0.0.0.0 10.100.2.1 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.100.2.1
Wed Feb 2 10:20:07 2011 /sbin/route add -net 128.0.0.0 10.100.2.1 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.100.2.1
Wed Feb 2 10:20:07 2011 /sbin/route add -net 10.100.2.0 10.100.2.1 -netmask 255.255.255.0
add net 10.100.2.0: gateway 10.100.2.1
Wed Feb 2 10:20:07 2011 Initialization Sequence Completed

Now while OpenVPN is still running, here is the ifconfig:

$ sudo ifconfig -A
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:26:b0:da:a3:86
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::226:b0ff:feda:a386%nfe0 prefixlen 64 scopeid 0x1
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr fe:e1:ba:d4:20:7e
        priority: 0
        groups: tun
        status: active
        inet 10.100.1.112 netmask 0xffffff00 broadcast 10.100.1.255
        inet6 fe80::fce1:baff:fed4:207e%tun0 prefixlen 64 scopeid 0x6

And the routing table while the OpenVPN is still running:

$ route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
0/1                10.100.1.1         UGS        0        0     -     8 tun0
default            192.168.1.1        UGS        3     1313     -     8 nfe0
10.100.1/24        link#6             UC         1        0     -     4 tun0
10.100.1/24        10.100.1.1         UGS        0        0     -     8 tun0
10.100.1.1         link#6             UHLc       3        0     -     4 tun0
[vpn ip]/32        192.168.1.1        UGS        0        0     -     8 nfe0
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
127.0.0.1          127.0.0.1          UH         2        0 33200     4 lo0
128/1              10.100.1.1         UGS        0        1     -     8 tun0
192.168.1/24       link#1             UC         1        0     -     4 nfe0
192.168.1.1        00:1f:90:0f:88:8c  UHLc       2       38     -     4 nfe0
192.168.1.4        127.0.0.1          UGHS       0        0 33200     8 lo0
224/4              127.0.0.1          URS        0        0 33200     8 lo0

/* Left out IPv6 */

Just to avoid any misunderstanding, I'd like to add that everything (the internet) works fine without OpenVPN running, I just run into this issue with OpenVPN.

Is this some sort of routing issue? I'm not sure what the networking of other operating systems do with a VPN that makes them just work out of the box. I cannot ping 10.100.1.1, 10.100.2.1 and 8.8.8.8 while on the VPN, so isn't it like I'm almost not even on the VPN at all even though I am supposedly "connected" as the OpenVPN log shows?

I just get this when I try to ping any website while the OpenVPN is running:

$ ping google.com
PING google.com (74.125.226.145): 56 data bytes
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote google.com 64 chars, ret=-1
--- google.com ping statistics ---
9 packets transmitted, 0 packets received, 100.0% packet loss

Here I am trying to ping the gateway whilst OpenVPN is running:

$ ping 10.100.1.1
PING 10.100.1.1 (10.100.1.1): 56 data bytes
ping: sendto: No route to host
ping: wrote 10.100.1.1 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 10.100.1.1 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 10.100.1.1 64 chars, ret=-1
ping: sendto: No route to host

$ ping 10.100.2.1
PING 10.100.2.1 (10.100.2.1): 56 data bytes
ping: sendto: Host is down
ping: wrote 10.100.2.1 64 chars, ret=-1
ping: sendto: Host is down
ping: wrote 10.100.2.1 64 chars, ret=-1
ping: sendto: Host is down

$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No route to host
ping: wrote 8.8.8.8 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote 8.8.8.8 64 chars, ret=-1
ping: sendto: No route to host

Does anyone know how to successfully run OpenVPN on OpenBSD as a client with a VPN subscription? Or run into similar problems?