RT-AC68U (Merlin Beta) and OpenVPN Server

nurv2600
So I'm having a hell of a time getting my client machine(s) to route all traffic through the OVPN server. I've attached a screenshot of my server settings, and attached a copy of my config.ovpn file that I'm using on the client. I've gotten PPTP to route the traffic just fine, and have been using that, but like the idea of the better security OVPN offers (and, in TAP mode, zeroconf/Bonjour works! Makes administrating the office network much easier.)

So, the problem is as follows: OpenVPN server is working, and I can see via Bonjour all devices, and connect to any of them via any method I'd like, just as if I was at the office. When "direct clients to redirect internet traffic" is disabled, everything works as expected; Bonjour and connecting to machines at the office is functional, all other traffic exits my house and goes straight to the destination. When I enable "redirect internet traffic", connecting to the internal office network still works fine, but I cannot access the internet through the tunnel. I'm familiar with SSH/Linux/etc., so while I am new to OpenVPN, I'm ready to get down into those syslogs and figure out what's going on. I've tried adding "push redirect-gateway def1" and "push dhcp-option dns 8.8.8.8" to the custom config area to no avail. I've also tried manually setting the default gateway to 192.168.0.1 in Viscosity (the OVPN client app on Mac), as well as manually setting the DNS on the client, also to no avail. I've tried Tunnelblick, no change there either. It seems like a routing problem, but I've got nothing funky as far as routing goes on the office router; no static routes, NAT is all set to defaults, and it's nothing more than a network routed at 192.168.0.1, subnet of 255.255.255.0; quite bland indeed!

Any help is greatly appreciated!

Network topography:

Client(192.168.2.10)-->Router(192.168.2.1)-->Internet-->RT-AC68U(public:70.90.xxx.xxx, private:192.168.0.1)-->office network(192.168.0.0/24)

config.ovpn:
client
dev tap                 # layer-2 tunnel, which is what lets Bonjour/zeroconf work across the VPN
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server     # checks the server cert's nsCertType field (the other config in this thread uses remote-cert-tls server instead)
cipher aes-256-cbc
comp-lzo                # must match the compression setting on the server
verb 3

Attachments: Screen Shot.png (server settings screenshot)
What is your client OS?
 
OS X 10.8. (I've tried on iOS 7, but the app seems bugged.)

Hm-m-m, I asked this question because sometimes Windows 7 has problems routing all traffic through the tunnel if the user has no administrative privilege. On Windows XP this problem does not happen. But I never heard about such a problem on Mac OS.

Let's compare with my WORKING client configuration (the Server config is exactly the same as yours except port number, LZO compression and tls-auth):

client
proto tcp
dev tap
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
ping 10
;comp-lzo - LZO compression is disabled for some reason
verb 4
mute 10

Almost the same, excluding the following, which is present in your client config:
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
comp-lzo
 
Thanks for the reply, I'll make those changes and see if it helps; I'd be surprised if compression is the issue, but then again, I have no idea what "LZO" compression is, so there might be something there I'm missing. I'll report back either way, thanks for the help!
 
> Thanks for the reply, I'll make those changes and see if it helps; I'd be surprised if compression is the issue, but then again, I have no idea what "LZO" compression is, so there might be something there I'm missing. I'll report back either way, thanks for the help!

It's important that the configuration matches at both ends. You have compression enabled on the server, therefore it must also be enabled in the client.
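As an added example (not from the thread or from Asuswrt-Merlin), here is a small shell check for the point above: the directives that describe the link itself have to agree on both ends, and a client that has comp-lzo while the server does not (or the reverse) will connect and then fail in confusing ways. Both configs below are constructed; the client one mirrors the config.ovpn posted in this thread (minus the remote line), the server one is an assumed export of the router's settings, not the real one.

```shell
#!/bin/sh
# Added example, not from the thread: compare the directives that must agree on
# both ends of an OpenVPN link. Both configs are constructed for this example.

# Constructed client config, modelled on the thread's config.ovpn (no remote line).
CLIENT_CONF='client
dev tap
proto tcp
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
cipher aes-256-cbc
comp-lzo
verb 3'

# Constructed server config (assumed Asuswrt-Merlin export, not the router's real one).
SERVER_CONF='dev tap
proto tcp
port 1194
cipher AES-256-CBC
comp-lzo
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
verb 3'

# value_of CONF DIRECTIVE: print the directive's first argument, "(set)" for a
# bare flag such as comp-lzo, or "-" when the directive is absent.
value_of() {
    printf '%s\n' "$1" | awk -v d="$2" '
        $1 == d { print ($2 == "" ? "(set)" : $2); found = 1; exit }
        END     { if (!found) print "-" }'
}

# check_endpoints CLIENT SERVER: report each directive that has to match and
# return the number of mismatches (0 means the two ends agree).
# Cipher names are compared case-insensitively; OpenVPN accepts either spelling,
# which is why the two configs in this thread can spell it differently.
check_endpoints() {
    mismatches=0
    for directive in dev proto cipher comp-lzo; do
        c=$(value_of "$1" "$directive" | tr 'A-Z' 'a-z')
        s=$(value_of "$2" "$directive" | tr 'A-Z' 'a-z')
        if [ "$c" = "$s" ]; then
            printf 'ok        %-9s %s\n' "$directive" "$c"
        else
            printf 'MISMATCH  %-9s client=%s server=%s\n' "$directive" "$c" "$s"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Usage: the thread's client config against the assumed server config, then the
# same client against a server that has compression switched off.
check_endpoints "$CLIENT_CONF" "$SERVER_CONF" || echo "$? mismatch(es)"
echo "--- server without comp-lzo:"
check_endpoints "$CLIENT_CONF" "$(printf '%s\n' "$SERVER_CONF" | grep -v '^comp-lzo')" || echo "$? mismatch(es)"
```

On a real router you would feed the script the contents of the exported server config and the client's .ovpn file instead of the embedded strings; the directive list is deliberately short and can be extended with tls-auth or any other option that both sides must share.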
 
> It's important that the configuration matches at both ends. You have compression enabled on the server, therefore it must also be enabled in the client.

So, tried everything suggested here, and still no change. The connection is working great, since I can connect to all my office machines and browse the network, it's just the internet that's fouled. Merlin, I tried disabling the "firewall" setting on the OVPN Server page by setting it to "custom", although after applying no additional options appeared.

It's worth mentioning that for all the equipment in this test, there is no firewall; I have it disabled for the duration (no hardware FW, FW is disabled on the AC68U, no software FW on the clients).

It's so frustrating, because I know the OVPN client/server setup is correct; all traffic NOT bound for the internet is encrypted (verified via tcpdump) and routed properly (all connections to office machines are solid and reliable). I'm going to load up Win 7 on my Mac and see if there's any change there...
 
So, looks like it IS setup correctly...the same certs and config.ovpn file works perfectly under Windows 7. Now I have to figure out what the hell is managing to stump both Tunnelblick AND Viscosity under OS X. What a nightmare, but thank you guys nonetheless for helping me figure this one out!
 
This is why double-posting the same issue is never a good idea. In the other thread I suggested you enable firewall logging so you can determine if packets are being dropped because of the firewall.
 
Another suggestion just in case that something similar to some Windows 7 installations happens - try with administrative privileges. If the problem is with changing routing tables at the client machine, this should solve it.
 
Why don't you have "redirect-gateway def1" in your client config? It is my understanding that this is a must to redirect all traffic. Also as mentioned above openvpn needs to run with admin privileges to change the necessary routing tables.
 
> Why don't you have "redirect-gateway def1" in your client config? It is my understanding that this is a must to redirect all traffic. Also as mentioned above openvpn needs to run with admin privileges to change the necessary routing tables.

Admin privileges are needed only in some weird occasions. I am using Windows XP and don't need administrative privileges. Even on Windows 7 it happens not in every configuration and it is still a mystery to me when it happens and when not.

Concerning "redirect-gateway def1" I do believe it is not needed if the server is properly configured to push the settings. Personally I don't have it in my client config and everything works fine.
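The disagreement above about "redirect-gateway def1" (and the original poster's attempt to push it from the server) comes down to what the client's routing table looks like after the connection is up, so here is an added example, not from the thread, that reads it back. The def1 form does not replace the default route: it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which win over the /0 default on prefix length, plus a host route to the VPN server via the original gateway so the encrypted packets do not get sent into the tunnel themselves. The script parses the column layout of macOS `netstat -rn` (Destination, Gateway, Flags, Refs, Use, Netif); both tables are constructed, and the interface name tap0 and the server address 203.0.113.10 are placeholders rather than the thread's values.

```shell
#!/bin/sh
# Added example, not from the thread: check whether "redirect-gateway def1" took
# effect by reading the client's routing table. Parses macOS netstat -rn columns;
# both tables below are constructed, tap0 and 203.0.113.10 are placeholders.

# Constructed table resembling what the original poster describes: the office
# subnet goes through the tunnel, but the default route still leaves via en0.
ROUTES_SPLIT='Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.2.1        UGSc           12        0     en0
127                127.0.0.1          UCS             0        0     lo0
192.168.0/24       link#5             UCS             0        0    tap0
192.168.2/24       link#4             UCS             0        0     en0'

# Constructed table after a successful def1 redirect: two /1 routes via the
# tunnel, and a host route to the server via the physical gateway.
ROUTES_REDIRECTED='Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.2.1        UGSc           12        0     en0
0/1                192.168.0.1        UGSc            0        0    tap0
127                127.0.0.1          UCS             0        0     lo0
128.0/1            192.168.0.1        UGSc            0        0    tap0
192.168.0/24       link#5             UCS             0        0    tap0
192.168.2/24       link#4             UCS             0        0     en0
203.0.113.10       192.168.2.1        UGHS            0        0     en0'

# redirect_state TABLE TUNIF: "full" when both 0/1 and 128.0/1 go via TUNIF,
# "none" when neither does, "partial" otherwise.
redirect_state() {
    n=$(printf '%s\n' "$1" | awk -v ifc="$2" '
        ($1 == "0/1" || $1 == "128.0/1") && $6 == ifc { n++ }
        END { print n + 0 }')
    case "$n" in
        2) echo full ;;
        0) echo none ;;
        *) echo partial ;;
    esac
}

# server_host_route TABLE SERVER_IP: interface of the host route to the VPN
# server, or "-" if there is none (then tunnel packets would chase the tunnel).
server_host_route() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == ip || $1 == (ip "/32") { print $6; found = 1; exit }
        END { if (!found) print "-" }'
}

# diagnose TABLE TUNIF SERVER_IP: one-line verdict for a routing table.
diagnose() {
    state=$(redirect_state "$1" "$2")
    host=$(server_host_route "$1" "$3")
    case "$state/$host" in
        full/-)  echo "full redirect via $2 but no host route to $3: risk of a routing loop" ;;
        full/*)  echo "full redirect via $2, server $3 reached via $host" ;;
        none/*)  echo "no redirect: only the office subnet goes via $2, internet still via the local gateway" ;;
        *)       echo "partial redirect: only one of 0/1 and 128.0/1 goes via $2" ;;
    esac
}

# Usage: on a real Mac, pass "$(netstat -rn)" instead of the constructed tables.
diagnose "$ROUTES_SPLIT" tap0 203.0.113.10
diagnose "$ROUTES_REDIRECTED" tap0 203.0.113.10
```

If the table looks like ROUTES_SPLIT while the client log claims the redirect was applied, the route additions are being refused, which is where the privilege question raised in this thread comes in; if it looks like ROUTES_REDIRECTED and the internet is still unreachable, the routes are fine and the problem is on the server side (NAT or firewall for traffic leaving the tunnel), which firewall logging on the router would show.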
 
> Admin privileges are needed only in some weird occasions. I am using Windows XP and don't need administrative privileges. Even on Windows 7 it happens not in every configuration and it is still a mystery to me when it happens and when not.

Admin privileges are required whenever your client needs to define a new route.
 
Definitely using an admin account, and admin privs when running the app. Does anybody here use a Mac that is tunneling all traffic successfully? The PC side is working exactly as it should, so the router is definitely set up correctly. I've got both Viscosity and Tunnelblick, but only access to the local network is working.
 
> Admin privileges are required whenever your client needs to define a new route.

Sorry, but it is not true. I am using the OpenVPN client on Windows XP as a non-admin user and, yes, all traffic is routed through the tunnel. My daughter uses Windows 7 and also as non-admin. But her boyfriend uses Windows 7 also and fails to route through the tunnel if he is not admin. This is very strange and I have never found the answer yet. The client configuration files are identical, except the keys; the server is the same - my home Asuswrt-Merlin RT-N66U.

P.S. Just checked - on Windows XP my everyday username is a member of the Network Configuration Operators group. Maybe this is the key... :) I have never checked yet with my daughter concerning the Windows 7 case.
 
> Sorry, but it is not true. I am using the OpenVPN client on Windows XP as a non-admin user and, yes, all traffic is routed through the tunnel. My daughter uses Windows 7 and also as non-admin. But her boyfriend uses Windows 7 also and fails to route through the tunnel if he is not admin. This is very strange and I have never found the answer yet. The client configuration files are identical, except the keys; the server is the same - my home Asuswrt-Merlin RT-N66U.
>
> P.S. Just checked - on Windows XP my everyday username is a member of the Network Configuration Operators group. Maybe this is the key... :) I have never checked yet with my daughter concerning the Windows 7 case.

I am talking about Windows 7 here, not WinXP. Privilege elevation was only introduced with Windows Vista, before that the security model was completely different.
 