Hi,
Remove the following line from your OpenVPN config:
redirect-gateway def1

It redirects your default gateway to the tunnel you have just opened.
Btw, you have copied /etc/hostname.tun0 from the install suggestion, but this
is not the only right way to start it. I found that it is better to
set up the tunnel device, assign IP, routes and PF settings the usual way as
for any other interface, then start OpenVPN in /etc/rc.local. Of course then
no IP or route settings in the OpenVPN config. Start/stop of OpenVPN then
behaves the same way as plugging/unplugging a cable to a net device. Best
setup for permanent VPNs; LAN bridges over VPN also work well this way.
For 'roadwarrior' VPNs it is better to write your own simple up/down scripts
to create the tun device and set up IPs/routes, than mixing it with the
OpenBSD netstart script and the semi-universal ifconfig abilities of OpenVPN.

I.
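
An added example, not from this thread, of the up/down script approach the reply describes for roadwarrior setups: OpenVPN hands the device name, addresses and pushed routes to the script as environment variables, and the script runs ifconfig/route itself. It assumes the client config carries 'script-security 2', 'ifconfig-noexec', 'route-noexec' and 'up'/'down' pointing at this script; the VPN_DRY_RUN and VPN_FULL_TUNNEL knobs are constructed for this example and are not OpenVPN variables.

```shell
#!/bin/sh
# OpenVPN --up/--down script for OpenBSD (added example, not from the thread).
# Assumes the client config has: script-security 2, ifconfig-noexec,
# route-noexec, up /etc/openvpn/tun.sh, down /etc/openvpn/tun.sh
# OpenVPN exports dev, tun_mtu, ifconfig_local, route_vpn_gateway,
# route_net_gateway, trusted_ip, script_type and route_network_N /
# route_netmask_N / route_gateway_N for every pushed route.
# VPN_DRY_RUN and VPN_FULL_TUNNEL are constructed knobs for this example.

run() {
    if [ "${VPN_DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Layer-3 point-to-point link to the VPN gateway, then the pushed routes.
vpn_up() {
    run /sbin/ifconfig "${dev:?}" "${ifconfig_local:?}" "${route_vpn_gateway:?}" \
        netmask 255.255.255.255 mtu "${tun_mtu:-1500}" up
    i=1
    while eval "[ -n \"\${route_network_$i:-}\" ]"; do
        eval "net=\$route_network_$i; mask=\$route_netmask_$i; gw=\${route_gateway_$i:-$route_vpn_gateway}"
        run /sbin/route add -net "$net" "$gw" -netmask "$mask"
        i=$((i + 1))
    done
    # Full tunnel only on request: pin the VPN server to the old default
    # gateway, then override the default with two /1 routes (def1 style).
    if [ "${VPN_FULL_TUNNEL:-0}" = "1" ]; then
        run /sbin/route add -host "${trusted_ip:?}" "${route_net_gateway:?}"
        run /sbin/route add -net 0.0.0.0 "$route_vpn_gateway" -netmask 128.0.0.0
        run /sbin/route add -net 128.0.0.0 "$route_vpn_gateway" -netmask 128.0.0.0
    fi
}

# Reverse order; destroying the tun device drops its routes with it.
vpn_down() {
    if [ "${VPN_FULL_TUNNEL:-0}" = "1" ]; then
        run /sbin/route delete -host "${trusted_ip:?}"
    fi
    run /sbin/ifconfig "${dev:?}" destroy || true   # OpenVPN may have done it
}

case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Without VPN_FULL_TUNNEL the script installs only the routes the server pushed, so a pushed 'redirect-gateway' cannot silently take over the default route.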

On Wed, 2011-02-02 at 11:17 -0500, Emile Sanders wrote:
> Has anyone ever gotten OpenVPN to run as a client successfully with a VPN
> subscription? OpenBSD seems to be the only OS I can't get OpenVPN up
> successfully on for some reason, and I'd like to make it work. So I've
> confirmed it's not a server-side issue as I've tested it on other operating
> systems as well as other people who are currently using the VPN service
> without a problem (except none of them are on OpenBSD).
> 
> The issue is that when I connect with OpenVPN, it's apparently "connected",
> but I can't seem to ping the gateway, any websites such as Google, nor use
> any internet-relying services such as browsing to a website or going on IRC.
> 
> I am running OpenBSD 4.8 release, with almost a default install. I've just
> got openvpn, scrotwm, firefox, and p7zip pkg_added on top of the
> barebones/fresh install.
> 
> Here are some logs/configs:
> 
> /etc/hostname.tun0
> $ cat /etc/hostname.tun0
> up
> !/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.ovpn
> 
> /* I'd like to mention here that even after rebooting, the tun0 interface
> does NOT come up. An ifconfig shows that it is still down, and OpenVPN is
> not started up at boottime. I have no idea why /etc/hostname.tun0 isn't
> being read. */
> 
> OpenVPN client config:
> $ cat /etc/client.ovpn
> # VPN config
> ns-cert-type server
> tls-client
> pull
> verb 3
> tls-timeout 6
> cipher BF-CBC
> keysize 256
> pkcs12 cert.dat
> keepalive 30 120
> hand-window 120
> route-delay 2
> persist-tun
> persist-key
> redirect-gateway def1
> remote-random
> route-metric 2
> route-method exe
> dev tun0
> topology subnet
> <connection>
> proto tcp-client
> remote [vpn url] 11000
> remote [vpn ip] 11000
> connect-retry 10
> </connection>
> <connection>
> proto udp
> remote [vpn url] 11000
> remote [vpn ip] 11000
> </connection>
> 
> /* The square brackets contain the URL and IP address of the VPN service I
> connect to. I filtered them out so as not to spam/advertise their service. */
> 
> OpenVPN connection log:
> 
> $ sudo openvpn --config /etc/openvpn/client.ovpn
> Wed Feb  2 10:19:53 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2]
> built on Aug 10 2010
> Wed Feb  2 10:19:53 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or
> higher to call user-defined scripts or executables
> Wed Feb  2 10:19:53 2011 WARNING: file 'cert.dat' is group or others
> accessible
> Wed Feb  2 10:19:53 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0
> ET:0 EL:0 ]
> Wed Feb  2 10:19:53 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4
> ET:0 EL:0 ]
> Wed Feb  2 10:19:53 2011 Local Options hash (VER=V4): '91138c76'
> Wed Feb  2 10:19:53 2011 Expected Remote Options hash (VER=V4): 'f5a300ca'
> Wed Feb  2 10:19:53 2011 Socket Buffers: R=[41600->65536] S=[9216->65536]
> Wed Feb  2 10:19:53 2011 UDPv4 link local (bound): [undef]:1194
> Wed Feb  2 10:19:53 2011 UDPv4 link remote: [vpn ip]:11000
> Wed Feb  2 10:19:53 2011 TLS: Initial packet from [vpn ip]:11000,
> sid=a16fdfdd b22d9c39
> Wed Feb  2 10:19:54 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=
> example.com/CN=example.com_CA/emailAddress=ad...@example.com
> Wed Feb  2 10:19:54 2011 VERIFY OK: nsCertType=SERVER
> Wed Feb  2 10:19:54 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=
> example.com/CN=server/emailAddress=ad...@example.com
> Wed Feb  2 10:20:02 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized
> with 256 bit key
> Wed Feb  2 10:20:02 2011 Data Channel Encrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Wed Feb  2 10:20:02 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized
> with 256 bit key
> Wed Feb  2 10:20:02 2011 Data Channel Decrypt: Using 160 bit message hash
> 'SHA1' for HMAC authentication
> Wed Feb  2 10:20:02 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3
> DHE-RSA-AES256-SHA, 2048 bit RSA
> Wed Feb  2 10:20:02 2011 [server] Peer Connection Initiated with [vpn
> ip]:11000
> Wed Feb  2 10:20:04 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
> Wed Feb  2 10:20:04 2011 PUSH: Received control message: 'PUSH_REPLY,route
> 10.100.2.0 255.255.255.0,redirect-gateway,dhcp-option DNS
> 10.100.2.1,route-gateway 10.100.2.1,topology subnet,ping 30,ping-restart
> 120,ifconfig 10.100.2.106 255.255.255.0'
> Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: timers and/or timeouts modified
> Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: --ifconfig/up options modified
> Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: route options modified
> Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: route-related options modified
> Wed Feb  2 10:20:04 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option
> options modified
> Wed Feb  2 10:20:04 2011 ROUTE default_gateway=192.168.1.1
> Wed Feb  2 10:20:04 2011 /sbin/ifconfig tun0 destroy
> Wed Feb  2 10:20:04 2011 /sbin/ifconfig tun0 create
> Wed Feb  2 10:20:04 2011 NOTE: Tried to delete pre-existing tun/tap instance
> -- No Problem if failure
> Wed Feb  2 10:20:04 2011 /sbin/ifconfig tun0 10.100.2.106 netmask
> 255.255.255.0 mtu 1500 broadcast 10.100.2.255 link0
> Wed Feb  2 10:20:04 2011 TUN/TAP device /dev/tun0 opened
> Wed Feb  2 10:20:07 2011 /sbin/route add -net [vpn ip] 192.168.1.1 -netmask
> 255.255.255.255
> add net [vpn ip]: gateway 192.168.1.1
> Wed Feb  2 10:20:07 2011 /sbin/route add -net 0.0.0.0 10.100.2.1 -netmask
> 128.0.0.0
> add net 0.0.0.0: gateway 10.100.2.1
> Wed Feb  2 10:20:07 2011 /sbin/route add -net 128.0.0.0 10.100.2.1 -netmask
> 128.0.0.0
> add net 128.0.0.0: gateway 10.100.2.1
> Wed Feb  2 10:20:07 2011 /sbin/route add -net 10.100.2.0 10.100.2.1 -netmask
> 255.255.255.0
> add net 10.100.2.0: gateway 10.100.2.1
> Wed Feb  2 10:20:07 2011 Initialization Sequence Completed
> 
> Now while OpenVPN is still running, here is the ifconfig:
> 
> $ sudo ifconfig -A
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
>         priority: 0
>         groups: lo
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
> nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:26:b0:da:a3:86
>         priority: 0
>         groups: egress
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::226:b0ff:feda:a386%nfe0 prefixlen 64 scopeid 0x1
>         inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
> enc0: flags=0<>
>         priority: 0
>         groups: enc
>         status: active
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
>         priority: 0
>         groups: pflog
> tun0: flags=9843<UP,BROADCAST,RUNNING,SIMPLEX,LINK0,MULTICAST> mtu 1500
>         lladdr fe:e1:ba:d4:20:7e
>         priority: 0
>         groups: tun
>         status: active
>         inet 10.100.1.112 netmask 0xffffff00 broadcast 10.100.1.255
>         inet6 fe80::fce1:baff:fed4:207e%tun0 prefixlen 64 scopeid 0x6
> 
> And the routing table while the OpenVPN is still running:
> 
> $ route -n show
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio
> Iface
> 0/1                10.100.1.1         UGS        0        0     -     8 tun0
> 
> default            192.168.1.1        UGS        3     1313     -     8 nfe0
> 
> 10.100.1/24        link#6             UC         1        0     -     4 tun0
> 
> 10.100.1/24        10.100.1.1         UGS        0        0     -     8 tun0
> 
> 10.100.1.1         link#6             UHLc       3        0     -     4 tun0
> 
> [vpn ip]/32   192.168.1.1        UGS        0        0     -     8 nfe0
> 127/8              127.0.0.1          UGRS       0        0 33200     8 lo0
> 
> 127.0.0.1          127.0.0.1          UH         2        0 33200     4 lo0
> 
> 128/1              10.100.1.1         UGS        0        1     -     8 tun0
> 
> 192.168.1/24       link#1             UC         1        0     -     4 nfe0
> 
> 192.168.1.1        00:1f:90:0f:88:8c  UHLc       2       38     -     4 nfe0
> 
> 192.168.1.4        127.0.0.1          UGHS       0        0 33200     8 lo0
> 
> 224/4              127.0.0.1          URS        0        0 33200     8 lo0
> 
> 
> /* Left out IPv6 */
> 
> Just to avoid any misunderstanding, I'd like to add that everything (the
> internet) works fine without OpenVPN running, I just run into this issue
> with OpenVPN.
> 
> Is this some sort of routing issue? I'm not sure what the networking of
> other operating systems do with a VPN that makes them just work out of the
> box.
> I cannot ping 10.100.1.1, 10.100.2.1 and 8.8.8.8 while on the VPN, so isn't
> it like I'm almost not even on the VPN at all even though I am supposedly
> "connected" as the OpenVPN log shows?
> 
> I just get this when I try to ping any website while the OpenVPN is running:
> 
> $ ping google.com
> PING google.com (74.125.226.145): 56 data bytes
> ping: sendto: No route to host
> ping: wrote google.com 64 chars, ret=-1
> ping: sendto: No route to host
> ping: wrote google.com 64 chars, ret=-1
> ping: sendto: No route to host
> ping: wrote google.com 64 chars, ret=-1
> --- google.com ping statistics ---
> 9 packets transmitted, 0 packets received, 100.0% packet loss
> 
> Here I am trying to ping the gateway whilst OpenVPN is running:
> 
> $ ping 10.100.1.1
> PING 10.100.1.1 (10.100.1.1): 56 data bytes
> ping: sendto: No route to host
> ping: wrote 10.100.1.1 64 chars, ret=-1
> ping: sendto: No route to host
> ping: wrote 10.100.1.1 64 chars, ret=-1
> ping: sendto: No route to host
> ping: wrote 10.100.1.1 64 chars, ret=-1
> ping: sendto: No route to host
> 
> $ ping 10.100.2.1
> PING 10.100.2.1 (10.100.2.1): 56 data bytes
> ping: sendto: Host is down
> ping: wrote 10.100.2.1 64 chars, ret=-1
> ping: sendto: Host is down
> ping: wrote 10.100.2.1 64 chars, ret=-1
> ping: sendto: Host is down
> 
> $ ping 8.8.8.8
> PING 8.8.8.8 (8.8.8.8): 56 data bytes
> ping: sendto: No route to host
> ping: wrote 8.8.8.8 64 chars, ret=-1
> ping: sendto: No route to host
> ping: wrote 8.8.8.8 64 chars, ret=-1
> ping: sendto: No route to host
> 
> Does anyone know how to successfully run OpenVPN on OpenBSD as a client with
> a VPN subscription? Or run into similar problems?
