[Solved] OpenVPN: Don't redirect everything through tunnel


Post by XXXBold »

Hello there

I own a server (Debian 10) which runs an OpenVPN server. I mainly installed the VPN for accessing the Samba shares (hosted on the same machine) from my client (Linux Mint 19.1 Cinnamon) over the internet.

I added the VPN client details using the Network Manager GUI: [screenshot]

I can connect to the VPN & also connect to the samba share, but I have a problem.

When connected to the VPN, I can't connect to the internet any more (I think I didn't set up any redirections on the server), but I don't want my whole traffic to go through the tunnel anyway; I only need it to connect to the Samba shares on 192.168.x.x (BTW the subnet differs from what I have locally, so it doesn't get confused). Any other traffic from my machine should go the direct way (use the normal route + DNS etc.). I know I could probably do it by changing some routes (on the client) after connecting to the VPN.
If possible, I would like to configure this on the server side, so I could potentially add more clients for using the Samba shares without routing further traffic over the VPN, without configuring individual routes for each client.

Is that possible, and if so, how?

Regards,

XXXBold

Post by Kendoori »

I think you have to do this on the client side...

[screenshot]

Post by XXXBold »

Thanks for your response.

I tried that option, but it didn't solve my problem. When enabled, I could still access the internet, but was not able to connect to the local network over the VPN any more.

Maybe this is interesting: what "route" prints (on the client) when connected or not.

If not connected to the VPN, it looks like this:

default         RT-N56U         0.0.0.0         UG    100    0        0 enp1s0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp1s0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp1s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

If connected normally (without the "use connection only for resources" option checked):

default         _gateway        0.0.0.0         UG    50     0        0 tun0
default         RT-N56U         0.0.0.0         UG    100    0        0 enp1s0
10.8.0.1        _gateway        255.255.255.255 UGH   50     0        0 tun0
_gateway        0.0.0.0         255.255.255.255 UH    50     0        0 tun0
xx-xx-xx-xx.dy RT-N56U         255.255.255.255 UGH   100    0        0 enp1s0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp1s0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp1s0
RT-N56U         0.0.0.0         255.255.255.255 UH    100    0        0 enp1s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

If connected with "use connection only for resources" enabled:

default         RT-N56U         0.0.0.0         UG    100    0        0 enp1s0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   50     0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    50     0        0 tun0
xx-xx-xx-xx.dy RT-N56U         255.255.255.255 UGH   100    0        0 enp1s0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp1s0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp1s0
RT-N56U         0.0.0.0         255.255.255.255 UH    100    0        0 enp1s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
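The three tables above show the whole problem in the client's routing table: with redirect-gateway the tunnel gets a default route with a lower metric (50) than the NIC (100), and with the "only for resources" option the default route stays on enp1s0 but the only thing reachable through tun0 is 10.8.0.1, because nothing tells the client how to reach the server's LAN. The script below is an added example for this page, not code from the thread: it classifies a `route -n` table as full-tunnel, split-tunnel or not connected, and checks whether a given LAN prefix has an explicit route through the tunnel device. The four tables it runs on are constructed to mirror the states in the post (hostnames replaced by addresses, 10.8.0.5 as the client's net30 peer, 192.168.10.1 as the home router), plus the state after the server pushes the 192.168.1.0/24 route; those addresses are assumptions for the example.

```bash
#!/bin/sh
# Added example: classify a client's routing table and check whether a LAN
# prefix is reachable through the tunnel. Input is the numeric "route -n" /
# "netstat -rn" layout: Destination Gateway Genmask Flags Metric Ref Use Iface.
# Header lines never match the filters below, so raw command output is fine.

# Interfaces that carry a default route, lowest metric first.
default_ifaces() {
    awk '($1 == "0.0.0.0" || $1 == "default") && $3 == "0.0.0.0" { print $5, $8 }' "$1" \
        | sort -n -k1,1 | awk '{ print $2 }'
}

# full  : the preferred (lowest-metric) default route goes through tun/tap,
#         i.e. the server pushed redirect-gateway and the client accepted it
# split : tunnel routes exist, but the default route stays on the physical NIC
# none  : no tun/tap routes at all (VPN not connected)
tunnel_mode() {
    first=$(default_ifaces "$1" | head -n 1)
    case "$first" in
        tun*|tap*) echo full; return 0 ;;
    esac
    if awk '$8 ~ /^(tun|tap)/ { found = 1 } END { exit (found ? 0 : 1) }' "$1"; then
        echo split
    else
        echo none
    fi
}

# Succeeds if network $2 with netmask $3 has an explicit route via interface $4.
# (In full-tunnel mode the LAN is reachable via the default route instead.)
has_route_via() {
    awk -v dst="$2" -v mask="$3" -v dev="$4" \
        '$1 == dst && $3 == mask && $8 == dev { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# Constructed sample tables (not real captures), one file per state.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
write_table() { cat > "$workdir/$1.txt"; }

write_table off <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.10.1    0.0.0.0         UG    100    0        0 enp1s0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp1s0
EOF
write_table full <<'EOF'
0.0.0.0         10.8.0.5        0.0.0.0         UG    50     0        0 tun0
0.0.0.0         192.168.10.1    0.0.0.0         UG    100    0        0 enp1s0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   50     0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    50     0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp1s0
EOF
write_table split <<'EOF'
0.0.0.0         192.168.10.1    0.0.0.0         UG    100    0        0 enp1s0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   50     0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    50     0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp1s0
EOF
# After the server sets "topology subnet" and pushes the LAN route.
write_table fixed <<'EOF'
0.0.0.0         192.168.10.1    0.0.0.0         UG    100    0        0 enp1s0
10.8.0.0        0.0.0.0         255.255.255.0   U     50     0        0 tun0
192.168.1.0     10.8.0.1        255.255.255.0   UG    50     0        0 tun0
192.168.10.0    0.0.0.0         255.255.255.0   U     100    0        0 enp1s0
EOF

# Expected: off none/no, full full/no, split split/no, fixed split/yes
for t in off full split fixed; do
    printf '%-5s mode=%-5s explicit-LAN-route-via-tun0=%s\n' "$t" \
        "$(tunnel_mode "$workdir/$t.txt")" \
        "$(has_route_via "$workdir/$t.txt" 192.168.1.0 255.255.255.0 tun0 && echo yes || echo no)"
done
```

On a live client, save `route -n` to a file and pass it to `tunnel_mode` / `has_route_via`. The "split" table is the state reached with the GUI checkbox alone: NetworkManager's "Use this connection only for resources on its network" (`ipv4.never-default=yes` in the connection file) only suppresses the default route over tun0; it does not create a route to 192.168.1.0/24, which is why the Samba host stayed unreachable until the server pushed that route. The equivalent for a plain OpenVPN client config is `pull-filter ignore "redirect-gateway"` (OpenVPN 2.4+), which likewise keeps the pushed LAN routes while refusing the default-route change.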

Post by Pippin »

You are redirecting gateway.
Can you post your server and client config?

Post by XXXBold »

server.conf:

#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port xxx

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert simonprivatevpn.crt
key simonprivatevpn.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
dh dh.pem

# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
;topology subnet

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /var/log/openvpn/ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         /var/log/openvpn/openvpn.log
;log-append  /var/log/openvpn/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1

auth SHA256

client (/etc/NetworkManager/system-connections/VPN-simonServer):

[connection]
id=VPN-simonServer
uuid=xxx
type=vpn
autoconnect=false
permissions=user:simon:;
timestamp=1567711309

[vpn]
auth=SHA256
ca=xxx
cert=xxx
cert-pass-flags=1
cipher=AES-256-CBC
connect-timeout=30
connection-type=tls
key=xxx
port=xxx
remote=xxx
remote-cert-tls=server
ta=xxx
ta-dir=1
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto

Post by Pippin »

Ok, step by step.

In server config file change

;topology subnet
to

topology subnet

The LAN where the server resides, is it 192.168.10.0 or 192.168.122.0?
Also post a drawing of your network topology.

Post by XXXBold »

192.168.10.0/24: My Home network's (of my openvpn client) LAN
192.168.1.0/24 : My server's(where the openvpn server is running) LAN.
192.168.122.0: this is just for a local Samba share (client side) used with QEMU/KVM, so it doesn't apply here; ignore it.

Hmm, drawing, hope this will explain it:

Client(192.168.10.140)<-->Router(192.168.10.0/24)<--->Internet<--->Router(192.168.1.0/24)<-->Server(192.168.1.100)

Is this fine, or you need additional information?

Post by Pippin »

Let's first check the server:
Add to its config

log /var/log/openvpn.log
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

and change

verb 3
to

verb 4

Do a full restart of the OpenVPN server and post the /var/log/openvpn.log

1. Is ip_forward enabled?

cat /proc/sys/net/ipv4/ip_forward

Should return 1.

2. Did you add any firewall rule?

iptables -S
iptables -t nat -S
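The checklist above (topology subnet, `route` + `push "route ..."` for the server's LAN, ip_forward, and a look at the iptables rules) is what makes the split tunnel work, and it is also the point where a practitioner should decide how much of the LAN VPN clients may touch. The script below is an added example for this page, not code from the thread: it audits a server.conf for those directives, checks the ip_forward sysctl, and prints least-privilege iptables rules for the situation described in the first post, where the Samba shares live on the VPN server itself. File paths are parameters so the checks run here against a constructed config; the tun0 interface name, the SMB ports 445/139 and the sample config contents are assumptions for the example. Note that reaching a service on the VPN server's own LAN address (192.168.1.100 in the OP's drawing) needs no forwarding at all, since those packets are delivered locally; ip_forward only matters for other hosts on 192.168.1.0/24.

```bash
#!/bin/sh
# Added example: audit OpenVPN split-tunnel settings and print a minimal
# firewall for "VPN clients may only talk to Samba on this server".

# Effective directives: strip "#"/";" comments, surrounding whitespace, blank lines.
conf_directives() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# True if the server forces every client's default route into the tunnel.
pushes_redirect_gateway() {
    conf_directives "$1" | grep -qE '^push[[:space:]]+"?redirect-gateway'
}

# True if "topology subnet" is set (one /24 for all clients instead of a /30 each).
uses_topology_subnet() {
    conf_directives "$1" | grep -qE '^topology[[:space:]]+subnet$'
}

# One "network netmask" line per route the server pushes to clients.
pushed_routes() {
    conf_directives "$1" \
        | sed -nE 's/^push[[:space:]]+"?route[[:space:]]+([0-9.]+)[[:space:]]+([0-9.]+).*/\1 \2/p'
}

# True if the kernel forwards between interfaces; pass /proc/sys/net/ipv4/ip_forward
# on a real server. Only needed for LAN hosts other than the VPN server itself.
ip_forward_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = 1 ]
}

# Rules that let VPN clients reach only SMB on the server and nothing behind it.
# Printed for review, not applied; run as root once you agree with them.
smb_only_rules() {
    tun=${1:-tun0}
    cat <<EOF
iptables -A INPUT -i $tun -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $tun -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -i $tun -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -i $tun -j DROP
iptables -A FORWARD -i $tun -j DROP
EOF
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed: the relevant lines of the server.conf after the changes suggested
# above (redirect-gateway still commented out, LAN route pushed). Not the OP's file.
cat > "$workdir/split.conf" <<'EOF'
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
;push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
EOF
# Constructed: the same file with redirect-gateway enabled (full tunnel).
sed 's/^;push "redirect-gateway/push "redirect-gateway/' "$workdir/split.conf" > "$workdir/full.conf"
# Constructed stand-ins for /proc/sys/net/ipv4/ip_forward.
printf '1\n' > "$workdir/ip_forward_on"
printf '0\n' > "$workdir/ip_forward_off"

# Expected: split.conf redirect-gateway=no, full.conf redirect-gateway=yes,
# both topology-subnet=yes with pushed route 192.168.1.0 255.255.255.0.
for c in split full; do
    f="$workdir/$c.conf"
    printf '%s.conf: redirect-gateway=%s topology-subnet=%s pushed-routes=[%s]\n' "$c" \
        "$(pushes_redirect_gateway "$f" && echo yes || echo no)" \
        "$(uses_topology_subnet "$f" && echo yes || echo no)" \
        "$(pushed_routes "$f" | tr '\n' ';')"
done
smb_only_rules tun0
```

If clients do need other hosts on 192.168.1.0/24, replace the FORWARD drop with explicit accept rules for those destinations, make `net.ipv4.ip_forward=1` persistent in `/etc/sysctl.d/` rather than with a one-off `sysctl -w`, and remember the return path the sample config comment already mentions: either the LAN router gets a route for 10.8.0.0/24 via the VPN server, or the server masquerades the client pool on its LAN interface (`iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o <lan-if> -j MASQUERADE`). "Being behind a router" protects the server from the internet, not from what connected VPN clients can reach once they are on tun0.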

Post by XXXBold »

Seems it's working now as intended (when I set the "Use this connection only for resources in its network" option on the client side as well).

I've added/uncommented/changed the following options in server.conf:

topology subnet
log /var/log/openvpn.log
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
verb 4

IP forwarding wasn't enabled; I enabled it now ("sysctl -w net.ipv4.ip_forward=1" enabled it temporarily, for testing; I guess I will make it persistent now).

I didn't set up any rules via iptables (Well, previously did, but deleted them all for troubleshooting) because I don't think it's really needed anyway, cause the server is behind a Router.

There are a few more questions I have:
1: I'm not sure if this is a "clean" log because there are some errors in it (on start and a "hard" SIGTERM when exiting),

Here's the openvpn.log (start + stop the server, without making connections on it from the client):

Sun Sep  8 13:23:44 2019 us=606175 Current Parameter Settings:
Sun Sep  8 13:23:44 2019 us=606208   config = '/etc/openvpn/server.conf'
Sun Sep  8 13:23:44 2019 us=606227   mode = 1
Sun Sep  8 13:23:44 2019 us=606230   persist_config = DISABLED
Sun Sep  8 13:23:44 2019 us=606234   persist_mode = 1
Sun Sep  8 13:23:44 2019 us=606237   show_ciphers = DISABLED
Sun Sep  8 13:23:44 2019 us=606240   show_digests = DISABLED
Sun Sep  8 13:23:44 2019 us=606243   show_engines = DISABLED
Sun Sep  8 13:23:44 2019 us=606246   genkey = DISABLED
Sun Sep  8 13:23:44 2019 us=606249   key_pass_file = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606252   show_tls_ciphers = DISABLED
Sun Sep  8 13:23:44 2019 us=606256   connect_retry_max = 0
Sun Sep  8 13:23:44 2019 us=606259 Connection profiles [0]:
Sun Sep  8 13:23:44 2019 us=606262   proto = udp
Sun Sep  8 13:23:44 2019 us=606265   local = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606268   local_port = 'xxx'
Sun Sep  8 13:23:44 2019 us=606271   remote = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606274   remote_port = 'xxx'
Sun Sep  8 13:23:44 2019 us=606277   remote_float = DISABLED
Sun Sep  8 13:23:44 2019 us=606280   bind_defined = DISABLED
Sun Sep  8 13:23:44 2019 us=606283   bind_local = ENABLED
Sun Sep  8 13:23:44 2019 us=606286   bind_ipv6_only = DISABLED
Sun Sep  8 13:23:44 2019 us=606290   connect_retry_seconds = 5
Sun Sep  8 13:23:44 2019 us=606293   connect_timeout = 120
Sun Sep  8 13:23:44 2019 us=606296   socks_proxy_server = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606299   socks_proxy_port = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606302   tun_mtu = 1500
Sun Sep  8 13:23:44 2019 us=606305   tun_mtu_defined = ENABLED
Sun Sep  8 13:23:44 2019 us=606308   link_mtu = 1500
Sun Sep  8 13:23:44 2019 us=606311   link_mtu_defined = DISABLED
Sun Sep  8 13:23:44 2019 us=606314   tun_mtu_extra = 0
Sun Sep  8 13:23:44 2019 us=606317   tun_mtu_extra_defined = DISABLED
Sun Sep  8 13:23:44 2019 us=606320   mtu_discover_type = -1
Sun Sep  8 13:23:44 2019 us=606323   fragment = 0
Sun Sep  8 13:23:44 2019 us=606327   mssfix = 1450
Sun Sep  8 13:23:44 2019 us=606330   explicit_exit_notification = 1
Sun Sep  8 13:23:44 2019 us=606333 Connection profiles END
Sun Sep  8 13:23:44 2019 us=606336   remote_random = DISABLED
Sun Sep  8 13:23:44 2019 us=606339   ipchange = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606342   dev = 'tun'
Sun Sep  8 13:23:44 2019 us=606345   dev_type = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606348   dev_node = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606351   lladdr = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606354   topology = 3
Sun Sep  8 13:23:44 2019 us=606357   ifconfig_local = '10.8.0.1'
Sun Sep  8 13:23:44 2019 us=606360   ifconfig_remote_netmask = '255.255.255.0'
Sun Sep  8 13:23:44 2019 us=606363   ifconfig_noexec = DISABLED
Sun Sep  8 13:23:44 2019 us=606366   ifconfig_nowarn = DISABLED
Sun Sep  8 13:23:44 2019 us=606369   ifconfig_ipv6_local = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606372   ifconfig_ipv6_netbits = 0
Sun Sep  8 13:23:44 2019 us=606375   ifconfig_ipv6_remote = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606378   shaper = 0
Sun Sep  8 13:23:44 2019 us=606381   mtu_test = 0
Sun Sep  8 13:23:44 2019 us=606384   mlock = DISABLED
Sun Sep  8 13:23:44 2019 us=606387   keepalive_ping = 10
Sun Sep  8 13:23:44 2019 us=606390   keepalive_timeout = 120
Sun Sep  8 13:23:44 2019 us=606393   inactivity_timeout = 0
Sun Sep  8 13:23:44 2019 us=606396   ping_send_timeout = 10
Sun Sep  8 13:23:44 2019 us=606399   ping_rec_timeout = 240
Sun Sep  8 13:23:44 2019 us=606404   ping_rec_timeout_action = 2
Sun Sep  8 13:23:44 2019 us=606407   ping_timer_remote = DISABLED
Sun Sep  8 13:23:44 2019 us=606410   remap_sigusr1 = 0
Sun Sep  8 13:23:44 2019 us=606413   persist_tun = ENABLED
Sun Sep  8 13:23:44 2019 us=606416   persist_local_ip = DISABLED
Sun Sep  8 13:23:44 2019 us=606419   persist_remote_ip = DISABLED
Sun Sep  8 13:23:44 2019 us=606422   persist_key = ENABLED
Sun Sep  8 13:23:44 2019 us=606425   passtos = DISABLED
Sun Sep  8 13:23:44 2019 us=606428   resolve_retry_seconds = 1000000000
Sun Sep  8 13:23:44 2019 us=606431   resolve_in_advance = DISABLED
Sun Sep  8 13:23:44 2019 us=606444   username = 'nobody'
Sun Sep  8 13:23:44 2019 us=606448   groupname = 'nogroup'
Sun Sep  8 13:23:44 2019 us=606451   chroot_dir = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606454   cd_dir = '/etc/openvpn'
Sun Sep  8 13:23:44 2019 us=606457   writepid = '/run/openvpn/server.pid'
Sun Sep  8 13:23:44 2019 us=606460   up_script = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606463   down_script = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606466   down_pre = DISABLED
Sun Sep  8 13:23:44 2019 us=606469   up_restart = DISABLED
Sun Sep  8 13:23:44 2019 us=606472   up_delay = DISABLED
Sun Sep  8 13:23:44 2019 us=606475   daemon = ENABLED
Sun Sep  8 13:23:44 2019 us=606478   inetd = 0
Sun Sep  8 13:23:44 2019 us=606481   log = ENABLED
Sun Sep  8 13:23:44 2019 us=606484   suppress_timestamps = DISABLED
Sun Sep  8 13:23:44 2019 us=606487   machine_readable_output = DISABLED
Sun Sep  8 13:23:44 2019 us=606490   nice = 0
Sun Sep  8 13:23:44 2019 us=606493   verbosity = 4
Sun Sep  8 13:23:44 2019 us=606496   mute = 0
Sun Sep  8 13:23:44 2019 us=606499   gremlin = 0
Sun Sep  8 13:23:44 2019 us=606503   status_file = '/var/log/openvpn-status.log'
Sun Sep  8 13:23:44 2019 us=606506   status_file_version = 1
Sun Sep  8 13:23:44 2019 us=606509   status_file_update_freq = 10
Sun Sep  8 13:23:44 2019 us=606512   occ = ENABLED
Sun Sep  8 13:23:44 2019 us=606515   rcvbuf = 0
Sun Sep  8 13:23:44 2019 us=606518   sndbuf = 0
Sun Sep  8 13:23:44 2019 us=606521   mark = 0
Sun Sep  8 13:23:44 2019 us=606524   sockflags = 0
Sun Sep  8 13:23:44 2019 us=606527   fast_io = DISABLED
Sun Sep  8 13:23:44 2019 us=606530   comp.alg = 0
Sun Sep  8 13:23:44 2019 us=606533   comp.flags = 0
Sun Sep  8 13:23:44 2019 us=606536   route_script = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606539   route_default_gateway = '10.8.0.2'
Sun Sep  8 13:23:44 2019 us=606542   route_default_metric = 0
Sun Sep  8 13:23:44 2019 us=606545   route_noexec = DISABLED
Sun Sep  8 13:23:44 2019 us=606548   route_delay = 0
Sun Sep  8 13:23:44 2019 us=606551   route_delay_window = 30
Sun Sep  8 13:23:44 2019 us=606554   route_delay_defined = DISABLED
Sun Sep  8 13:23:44 2019 us=606557   route_nopull = DISABLED
Sun Sep  8 13:23:44 2019 us=606560   route_gateway_via_dhcp = DISABLED
Sun Sep  8 13:23:44 2019 us=606563   allow_pull_fqdn = DISABLED
Sun Sep  8 13:23:44 2019 us=606567   route 192.168.1.0/255.255.255.0/default (not set)/default (not set)
Sun Sep  8 13:23:44 2019 us=606571   management_addr = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606574   management_port = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606577   management_user_pass = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606580   management_log_history_cache = 250
Sun Sep  8 13:23:44 2019 us=606583   management_echo_buffer_size = 100
Sun Sep  8 13:23:44 2019 us=606586   management_write_peer_info_file = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606590   management_client_user = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606593   management_client_group = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606596   management_flags = 0
Sun Sep  8 13:23:44 2019 us=606599   shared_secret_file = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606602   key_direction = 0
Sun Sep  8 13:23:44 2019 us=606606   ciphername = 'AES-256-CBC'
Sun Sep  8 13:23:44 2019 us=606609   ncp_enabled = ENABLED
Sun Sep  8 13:23:44 2019 us=606612   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sun Sep  8 13:23:44 2019 us=606615   authname = 'SHA256'
Sun Sep  8 13:23:44 2019 us=606618   prng_hash = 'SHA1'
Sun Sep  8 13:23:44 2019 us=606622   prng_nonce_secret_len = 16
Sun Sep  8 13:23:44 2019 us=606625   keysize = 0
Sun Sep  8 13:23:44 2019 us=606628   engine = DISABLED
Sun Sep  8 13:23:44 2019 us=606631   replay = ENABLED
Sun Sep  8 13:23:44 2019 us=606635   mute_replay_warnings = DISABLED
Sun Sep  8 13:23:44 2019 us=606638   replay_window = 64
Sun Sep  8 13:23:44 2019 us=606641   replay_time = 15
Sun Sep  8 13:23:44 2019 us=606644   packet_id_file = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606647   use_iv = ENABLED
Sun Sep  8 13:23:44 2019 us=606650   test_crypto = DISABLED
Sun Sep  8 13:23:44 2019 us=606656   tls_server = ENABLED
Sun Sep  8 13:23:44 2019 us=606659   tls_client = DISABLED
Sun Sep  8 13:23:44 2019 us=606662   key_method = 2
Sun Sep  8 13:23:44 2019 us=606666   ca_file = 'ca.crt'
Sun Sep  8 13:23:44 2019 us=606669   ca_path = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606672   dh_file = 'dh.pem'
Sun Sep  8 13:23:44 2019 us=606675   cert_file = 'simonprivatevpn.crt'
Sun Sep  8 13:23:44 2019 us=606678   extra_certs_file = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606682   priv_key_file = 'simonprivatevpn.key'
Sun Sep  8 13:23:44 2019 us=606685   pkcs12_file = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606688   cipher_list = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606691   cipher_list_tls13 = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606694   tls_cert_profile = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606697   tls_verify = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606700   tls_export_cert = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606703   verify_x509_type = 0
Sun Sep  8 13:23:44 2019 us=606706   verify_x509_name = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606709   crl_file = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606712   ns_cert_type = 0
Sun Sep  8 13:23:44 2019 us=606716   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606719   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606722   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606725   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606728   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606731   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606734   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606737   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606740   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606743   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606746   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606749   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606752   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606755   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606758   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606761   remote_cert_ku[i] = 0
Sun Sep  8 13:23:44 2019 us=606765   remote_cert_eku = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606768   ssl_flags = 0
Sun Sep  8 13:23:44 2019 us=606771   tls_timeout = 2
Sun Sep  8 13:23:44 2019 us=606774   renegotiate_bytes = -1
Sun Sep  8 13:23:44 2019 us=606777   renegotiate_packets = 0
Sun Sep  8 13:23:44 2019 us=606780   renegotiate_seconds = 3600
Sun Sep  8 13:23:44 2019 us=606784   handshake_window = 60
Sun Sep  8 13:23:44 2019 us=606787   transition_window = 3600
Sun Sep  8 13:23:44 2019 us=606790   single_session = DISABLED
Sun Sep  8 13:23:44 2019 us=606793   push_peer_info = DISABLED
Sun Sep  8 13:23:44 2019 us=606796   tls_exit = DISABLED
Sun Sep  8 13:23:44 2019 us=606799   tls_auth_file = 'ta.key'
Sun Sep  8 13:23:44 2019 us=606802   tls_crypt_file = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606805   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606808   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606812   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606815   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606818   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606821   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606824   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606827   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606830   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606833   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606836   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606839   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606842   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606845   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606848   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606853   pkcs11_protected_authentication = DISABLED
Sun Sep  8 13:23:44 2019 us=606856   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606859   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606863   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606866   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606869   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606872   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606875   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606878   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606881   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606884   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606887   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606890   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606893   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606896   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606899   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606902   pkcs11_private_mode = 00000000
Sun Sep  8 13:23:44 2019 us=606905   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606908   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606912   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606915   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606918   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606921   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606924   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606927   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606930   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606933   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606936   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606939   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606942   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606945   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606948   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606951   pkcs11_cert_private = DISABLED
Sun Sep  8 13:23:44 2019 us=606954   pkcs11_pin_cache_period = -1
Sun Sep  8 13:23:44 2019 us=606957   pkcs11_id = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=606961   pkcs11_id_management = DISABLED
Sun Sep  8 13:23:44 2019 us=606964   server_network = 10.8.0.0
Sun Sep  8 13:23:44 2019 us=606968   server_netmask = 255.255.255.0
Sun Sep  8 13:23:44 2019 us=606971   server_network_ipv6 = ::
Sun Sep  8 13:23:44 2019 us=606975   server_netbits_ipv6 = 0
Sun Sep  8 13:23:44 2019 us=606978   server_bridge_ip = 0.0.0.0
Sun Sep  8 13:23:44 2019 us=606982   server_bridge_netmask = 0.0.0.0
Sun Sep  8 13:23:44 2019 us=606985   server_bridge_pool_start = 0.0.0.0
Sun Sep  8 13:23:44 2019 us=606988   server_bridge_pool_end = 0.0.0.0
Sun Sep  8 13:23:44 2019 us=606992   push_entry = 'route 192.168.1.0 255.255.255.0'
Sun Sep  8 13:23:44 2019 us=606995   push_entry = 'route-gateway 10.8.0.1'
Sun Sep  8 13:23:44 2019 us=606998   push_entry = 'topology subnet'
Sun Sep  8 13:23:44 2019 us=607001   push_entry = 'ping 10'
Sun Sep  8 13:23:44 2019 us=607004   push_entry = 'ping-restart 120'
Sun Sep  8 13:23:44 2019 us=607007   ifconfig_pool_defined = ENABLED
Sun Sep  8 13:23:44 2019 us=607010   ifconfig_pool_start = 10.8.0.2
Sun Sep  8 13:23:44 2019 us=607014   ifconfig_pool_end = 10.8.0.253
Sun Sep  8 13:23:44 2019 us=607019   ifconfig_pool_netmask = 255.255.255.0
Sun Sep  8 13:23:44 2019 us=607022   ifconfig_pool_persist_filename = '/var/log/openvpn/ipp.txt'
Sun Sep  8 13:23:44 2019 us=607026   ifconfig_pool_persist_refresh_freq = 600
Sun Sep  8 13:23:44 2019 us=607029   ifconfig_ipv6_pool_defined = DISABLED
Sun Sep  8 13:23:44 2019 us=607032   ifconfig_ipv6_pool_base = ::
Sun Sep  8 13:23:44 2019 us=607036   ifconfig_ipv6_pool_netbits = 0
Sun Sep  8 13:23:44 2019 us=607039   n_bcast_buf = 256
Sun Sep  8 13:23:44 2019 us=607042   tcp_queue_limit = 64
Sun Sep  8 13:23:44 2019 us=607047   real_hash_size = 256
Sun Sep  8 13:23:44 2019 us=607051   virtual_hash_size = 256
Sun Sep  8 13:23:44 2019 us=607054   client_connect_script = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=607057   learn_address_script = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=607060   client_disconnect_script = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=607063   client_config_dir = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=607066   ccd_exclusive = DISABLED
Sun Sep  8 13:23:44 2019 us=607070   tmp_dir = '/tmp'
Sun Sep  8 13:23:44 2019 us=607073   push_ifconfig_defined = DISABLED
Sun Sep  8 13:23:44 2019 us=607076   push_ifconfig_local = 0.0.0.0
Sun Sep  8 13:23:44 2019 us=607080   push_ifconfig_remote_netmask = 0.0.0.0
Sun Sep  8 13:23:44 2019 us=607083   push_ifconfig_ipv6_defined = DISABLED
Sun Sep  8 13:23:44 2019 us=607087   push_ifconfig_ipv6_local = ::/0
Sun Sep  8 13:23:44 2019 us=607090   push_ifconfig_ipv6_remote = ::
Sun Sep  8 13:23:44 2019 us=607093   enable_c2c = DISABLED
Sun Sep  8 13:23:44 2019 us=607097   duplicate_cn = DISABLED
Sun Sep  8 13:23:44 2019 us=607100   cf_max = 0
Sun Sep  8 13:23:44 2019 us=607103   cf_per = 0
Sun Sep  8 13:23:44 2019 us=607106   max_clients = 1024
Sun Sep  8 13:23:44 2019 us=607110   max_routes_per_client = 256
Sun Sep  8 13:23:44 2019 us=607113   auth_user_pass_verify_script = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=607116   auth_user_pass_verify_script_via_file = DISABLED
Sun Sep  8 13:23:44 2019 us=607119   auth_token_generate = DISABLED
Sun Sep  8 13:23:44 2019 us=607122   auth_token_lifetime = 0
Sun Sep  8 13:23:44 2019 us=607125   port_share_host = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=607128   port_share_port = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=607131   client = DISABLED
Sun Sep  8 13:23:44 2019 us=607134   pull = DISABLED
Sun Sep  8 13:23:44 2019 us=607138   auth_user_pass_file = '[UNDEF]'
Sun Sep  8 13:23:44 2019 us=607142 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sun Sep  8 13:23:44 2019 us=607148 library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.10
Sun Sep  8 13:23:44 2019 us=607301 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sun Sep  8 13:23:44 2019 us=607468 Diffie-Hellman initialized with 2048 bit key
Sun Sep  8 13:23:44 2019 us=607708 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Sep  8 13:23:44 2019 us=607718 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Sep  8 13:23:44 2019 us=607724 TLS-Auth MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sun Sep  8 13:23:44 2019 us=607825 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp0s31f6 HWADDR=18:31:bf:0b:31:79
Sun Sep  8 13:23:44 2019 us=607939 TUN/TAP device tun0 opened
Sun Sep  8 13:23:44 2019 us=607954 TUN/TAP TX queue length set to 100
Sun Sep  8 13:23:44 2019 us=607962 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Sep  8 13:23:44 2019 us=607970 /sbin/ip link set dev tun0 up mtu 1500
Sun Sep  8 13:23:44 2019 us=609094 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Sun Sep  8 13:23:44 2019 us=610000 /sbin/ip route add 192.168.1.0/24 via 10.8.0.2
RTNETLINK answers: File exists
Sun Sep  8 13:23:44 2019 us=610795 ERROR: Linux route add command failed: external program exited with error status: 2
Sun Sep  8 13:23:44 2019 us=610820 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Sun Sep  8 13:23:44 2019 us=610988 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Sep  8 13:23:44 2019 us=611000 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Sep  8 13:23:44 2019 us=611008 UDPv4 link local (bound): [AF_INET][undef]:1195
Sun Sep  8 13:23:44 2019 us=611012 UDPv4 link remote: [AF_UNSPEC]
Sun Sep  8 13:23:44 2019 us=611018 GID set to nogroup
Sun Sep  8 13:23:44 2019 us=611033 UID set to nobody
Sun Sep  8 13:23:44 2019 us=611041 MULTI: multi_init called, r=256 v=256
Sun Sep  8 13:23:44 2019 us=611059 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Sun Sep  8 13:23:44 2019 us=611067 ifconfig_pool_read(), in='simondesktop,10.8.0.4', TODO: IPv6
Sun Sep  8 13:23:44 2019 us=611072 succeeded -> ifconfig_pool_set()
Sun Sep  8 13:23:44 2019 us=611077 IFCONFIG POOL LIST
Sun Sep  8 13:23:44 2019 us=611081 simondesktop,10.8.0.4
Sun Sep  8 13:23:44 2019 us=611113 Initialization Sequence Completed
Sun Sep  8 13:27:41 2019 us=723100 event_wait : Interrupted system call (code=4)
Sun Sep  8 13:27:43 2019 us=725506 TCP/UDP: Closing socket
Sun Sep  8 13:27:43 2019 us=725590 Closing TUN/TAP interface
Sun Sep  8 13:27:43 2019 us=725628 /sbin/ip addr del dev tun0 10.8.0.1/24
RTNETLINK answers: Operation not permitted
Sun Sep  8 13:27:43 2019 us=728895 Linux ip addr del failed: external program exited with error status: 2
Sun Sep  8 13:27:43 2019 us=754254 SIGTERM[hard,] received, process exiting
When I connect, the log looks good.

2: If I close the openvpn server while still connected from the client, I don't get any notification on the client side. It still shows the "connected" status in the GUI. Is it possible to enable something like that?

That's how it looks if the server gets closed (obviously the same as if still connected):
Image

Thanks a lot for your effort so far, I appreciate that very much!
Pippin
Level 4
Level 4
Posts: 441
Joined: Wed Dec 13, 2017 11:14 am
Location: The Shire

Re: OpenVPN: Don't redirect everything through tunnel

Post by Pippin »

Hi,
XXXBold wrote: IP forwarding wasn't enabled, I enabled it now. ("sysctl -w net.ipv4.ip_forward=1" enabled it temporarily, for testing, will make it persistent now I guess)
Any time you need traffic to flow between different interfaces, in this case between enp1s0 and tun0, you need ip_forward enabled.
XXXBold wrote: I didn't set up any rules via iptables (Well, previously did, but deleted them all for troubleshooting) because I don't think it's really needed anyway, cause the server is behind a Router.
Don't want to start a discussion about "hosts are safe/unsafe behind NAT/Router" ;)
It can be useful, especially if you plan to add more VPN users, to configure firewall rules to restrict access to resources on your network.
You would place those rules in the FORWARD chain on the tun interface using the client tunnel IP address.
If you need such setup, just ask for help...
This picture can be helpful to understand the packet flow:
Image

1:

Code:
NOTE: your local LAN uses the extremely common subnet address
To avoid routing conflicts you should avoid common subnets.
This list contains addresses to avoid on the networks that you control:

Code:
10.0.0
10.0.1
10.1.1
10.1.10
10.2.0
10.8.0
10.10.1
10.90.90
10.100.1
10.255.255

169.254 # APIPA #

172.16.0
172.16.16
172.16.42
172.16.68

172.19.3

172.20.10 # IPhone built-in hotspot #

192.168.0
192.168.1
192.168.2
192.168.3
192.168.4
192.168.5
192.168.6
192.168.7
192.168.8
192.168.9
192.168.10
192.168.11
192.168.13
192.168.15
192.168.16
192.168.18
192.168.20
192.168.29
192.168.30
192.168.31
192.168.33
192.168.39
192.168.40
192.168.42 # Android USB tethering #
192.168.43 # Android built-in hotspot #
192.168.50
192.168.55
192.168.61
192.168.62
192.168.65
192.168.77
192.168.80
192.168.85
192.168.88
192.168.98
192.168.99
192.168.100
192.168.101
192.168.102
192.168.111
192.168.123
192.168.126
192.168.129
192.168.137 # Windows Phone built-in hotspot #
192.168.168
192.168.178
192.168.190
192.168.199
192.168.200
192.168.220
192.168.223
192.168.229
192.168.240
192.168.245
192.168.251
192.168.252
192.168.254

200.200.200

Code:
/sbin/ip route add 192.168.1.0/24 via 10.8.0.2
RTNETLINK answers: File exists
ERROR: Linux route add command failed: external program exited with error status: 2
The above error is probably because the previous instance was not shut down properly or is still active.
This could also be due to

Code:
user nobody
group nogroup
So first check with

Code:
netstat -atunp
before starting the server. After killing any "leftover" openvpn process, test to see if the error still pops up.
If it does then change the above to

Code:
#user nobody
#group nogroup
2:
The server has --keepalive 10 120 in its config; basically this means that the server will wait max. 240 seconds before assuming/becoming aware that the client has disconnected. You can for example change that to 10 60, which will shorten that to 120 seconds. It also depends on the client side setting of --keepalive. See the OpenVPN manual: https://community.openvpn.net/openvpn/w ... n24ManPage to understand the logic.
But the server should notify the client because it has --explicit-exit-notify 1 in its config, unless you changed it since last time. You can set this client side as well.
How do you stop the server?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
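Pippin's suggestion above is to filter VPN users in the FORWARD chain on the tun interface, keyed on each client's tunnel address. The following is an added example (not code from this thread or from the OpenVPN project) that turns a small allow-list policy into such iptables rules with a default drop and conntrack for return traffic. The interface names, the LAN hosts in the policy table and the second client address are assumptions; 10.8.0.4 and the 10.8.0.0/24 tunnel network are taken from the server log above. Note that in this thread the Samba shares live on the VPN server itself, so that particular traffic never traverses FORWARD; it would be filtered in INPUT instead. FORWARD rules like these matter once clients are given routes to other hosts on the LAN.

```python
"""Added example: generate iptables FORWARD rules that let each VPN client reach
only named LAN hosts/ports. Interface names, LAN hosts and the policy are assumed."""
import ipaddress

TUN_IF = "tun0"                                 # tunnel interface seen in the server log
LAN_IF = "enp1s0"                               # LAN interface named in the thread
TUN_NET = ipaddress.ip_network("10.8.0.0/24")   # server_network from the server log

# Constructed policy: (client tunnel IP, LAN host, protocol, port).
# 10.8.0.4 is the pool address of 'simondesktop' in the log; the LAN hosts are made up.
POLICY = [
    ("10.8.0.4", "192.168.1.10", "tcp", 445),   # SMB on a LAN file server
    ("10.8.0.4", "192.168.1.10", "tcp", 139),
    ("10.8.0.5", "192.168.1.20", "tcp", 22),    # a second client, SSH to one host only
]


def validate_policy(policy, tun_net=TUN_NET):
    """Return a list of problems; an empty list means the policy can become rules."""
    problems = []
    for client, host, proto, port in policy:
        try:
            if ipaddress.ip_address(client) not in tun_net:
                problems.append(f"{client} is outside the tunnel network {tun_net}")
            ipaddress.ip_address(host)
        except ValueError as exc:
            problems.append(str(exc))
        if proto not in ("tcp", "udp"):
            problems.append(f"unsupported protocol {proto!r}")
        if not isinstance(port, int) or not 0 < port < 65536:
            problems.append(f"bad port {port!r}")
    return problems


def forward_rules(policy, tun_if=TUN_IF, lan_if=LAN_IF, tun_net=TUN_NET):
    """Build the FORWARD-chain rules: default drop, return traffic via conntrack,
    one accept per (client, host, port) tuple, and a log line for anything else."""
    problems = validate_policy(policy, tun_net)
    if problems:
        raise ValueError("; ".join(problems))
    rules = [
        "-P FORWARD DROP",
        f"-A FORWARD -i {lan_if} -o {tun_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for client, host, proto, port in policy:
        rules.append(
            f"-A FORWARD -i {tun_if} -o {lan_if} -s {client} -d {host} "
            f"-p {proto} --dport {port} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
        )
    # anything else arriving from the tunnel is logged and falls through to the DROP policy
    rules.append(f'-A FORWARD -i {tun_if} -j LOG --log-prefix "vpn-fwd-drop: "')
    return rules


def ip_forward_enabled(sysctl_value):
    """Interpret the contents of /proc/sys/net/ipv4/ip_forward ('1' means forwarding is on)."""
    return sysctl_value.strip() == "1"


if __name__ == "__main__":
    # printed as commands to review first; apply them with iptables once read through
    for rule in forward_rules(POLICY):
        print("iptables " + rule)
    try:
        with open("/proc/sys/net/ipv4/ip_forward") as fh:
            print("ip_forward enabled:", ip_forward_enabled(fh.read()))
    except OSError:
        print("ip_forward state not readable on this host")
```

The rules are emitted as text rather than applied, so they can be reviewed and kept in whatever persistence mechanism the distribution uses; a client address outside the tunnel network is rejected before any rule is produced.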
XXXBold
Level 1
Level 1
Posts: 29
Joined: Sat Feb 09, 2019 5:50 pm

Re: OpenVPN: Don't redirect everything through tunnel

Post by XXXBold »

Pippin wrote: Sun Sep 08, 2019 8:51 am Don't want to start a discussion about "hosts are safe/unsafe behind NAT/Router" ;)
It can be useful, especially if you plan to add more VPN users, to configure firewall rules to restrict access to resources on your network.
You would place those rules in the FORWARD chain on the tun interface using the client tunnel IP address.
If you need such setup, just ask for help...
Agreed, I'll probably add them back later, but for now while testing it just complicates every step.

I know the subnet is very common, but that's okay so far and not an issue.

After stopping the server, "netstat -atunp" doesn't show any listening process on the port I'm using anymore, so this should be fine. I also don't find any "openvpn" processes anymore after stopping using

Code:
sudo ps -lA | grep open
(Assuming there's no leftover/previous process any more then)

I use systemd

Code:
systemctl start|stop openvpn@server.service
to stop/start the server.

I tried both commenting and uncommenting the

Code:
user nobody
group nogroup
but I get the same errors both times. BTW when commenting it out, the server is started as root, which isn't the best idea I guess? Should I create a dedicated user for that?

Is it also possible to push the keepalive directive? like adding

Code:
push "keepalive 10 120"
to server.conf? BTW I already have a client timeout set in the GUI configuration: Image
Pippin
Level 4
Level 4
Posts: 441
Joined: Wed Dec 13, 2017 11:14 am
Location: The Shire

Re: OpenVPN: Don't redirect everything through tunnel

Post by Pippin »

Hi,

To be honest, I have little experience using systemd, I do it like described here:
https://github.com/OpenVPN/openvpn/blob ... ME.systemd
Same for clients.
That way I have full control over the config, so I do not use Network Manager.
I also use .bash_aliases to stop/start tunnels.
XXXBold wrote: I get the same errors both times.
Made a mistake, my bad.
192.168.1.0/24 : My server's LAN (where the openvpn server is running).
The server already knows its default gateway ^^^ so remove

Code:
route 192.168.1.0 255.255.255.0
from the server config, that route caused the File exists error.
But do not remove

Code:
push "route 192.168.1.0 255.255.255.0"
XXXBold wrote: the server is started as root, which isn't the best idea I guess?
Keep it as it was for now.
The keepalive setting is automatically pushed by the server, from the manual ;) :
This option can be used on both client and server side, but it is enough to add this on the server side as it will push appropriate --ping and --ping-restart options to the client.
You can see this happening in the client log (and server); logs can be very useful. My log:

Code:
SENT CONTROL [serveraddress]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.8.38 255.255.255.0,peer-id 35,cipher AES-256-GCM'
These are the directives received from the server, see the ping/ping-restart w.r.t. keepalive.
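The two posts above by Pippin lean on reading the logs: the PUSH_REPLY tells you whether the server pushed a full tunnel (redirect-gateway) or only routes, what ping/ping-restart the client ended up with, and whether compression is on; the server log shows the "File exists" route error and the common-subnet warning. The following is an added example (not code from this thread or from the OpenVPN project) that pulls those facts out of log text. The client PUSH_REPLY sample is modelled on Pippin's log line above, the split-tunnel sample is constructed from the push_entry lines in XXXBold's server log (its ifconfig and peer-id values are made up), and the server-log excerpt is taken from the log posted earlier in the thread. The keepalive_expansion helper encodes the rule Pippin quotes from the 2.4 manual: on the server side the timeout is doubled so the client times out first.

```python
"""Added example: inspect OpenVPN log lines for split vs. full tunnel, pushed routes,
keepalive timing, compression and the 'File exists' route error. All sample log
text below is constructed from lines quoted in this thread."""
import re

# Constructed sample, modelled on Pippin's client log (a full-tunnel server).
SAMPLE_CLIENT_LOG = """\
SENT CONTROL [serveraddress]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.8.38 255.255.255.0,peer-id 35,cipher AES-256-GCM'
"""

# Constructed sample of what a split-tunnel server with the thread's push_entry
# lines would send; the ifconfig and peer-id values are invented.
SAMPLE_SPLIT_LOG = """\
PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.4 255.255.255.0,peer-id 0,cipher AES-256-GCM'
"""

# Excerpt of the server log posted in the thread.
SAMPLE_SERVER_LOG = """\
Sun Sep  8 13:23:44 2019 us=607301 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.
Sun Sep  8 13:23:44 2019 us=610000 /sbin/ip route add 192.168.1.0/24 via 10.8.0.2
RTNETLINK answers: File exists
Sun Sep  8 13:23:44 2019 us=610795 ERROR: Linux route add command failed: external program exited with error status: 2
"""

PUSH_REPLY_RE = re.compile(r"PUSH_REPLY,(.*?)'")


def parse_push_reply(log_text):
    """Return the directives the server pushed, e.g. ['redirect-gateway def1', ...]."""
    m = PUSH_REPLY_RE.search(log_text)
    if not m:
        return []
    return [d.strip() for d in m.group(1).split(",") if d.strip()]


def tunnel_mode(directives):
    """'full' if redirect-gateway was pushed (all traffic via the VPN), else 'split'."""
    return "full" if any(d.startswith("redirect-gateway") for d in directives) else "split"


def pushed_routes(directives):
    """Networks the client is told to reach through the tunnel ('route ...' only)."""
    return [d[len("route "):] for d in directives if d.startswith("route ")]


def client_dead_peer_seconds(directives):
    """Seconds of silence before the client restarts: the pushed ping-restart value."""
    for d in directives:
        if d.startswith("ping-restart "):
            return int(d.split()[1])
    return None


def keepalive_expansion(interval, timeout):
    """Expand a server-side 'keepalive interval timeout' as the 2.4 manual describes:
    the server uses twice the timeout so that the client times out first."""
    return {
        "server_ping": interval,
        "server_ping_restart": 2 * timeout,
        "client_ping": interval,
        "client_ping_restart": timeout,
    }


def compression_enabled(directives):
    """True when the pushed directives turn on data compression."""
    for d in directives:
        parts = d.split()
        if parts[0] == "comp-lzo":
            # 'comp-lzo no' disables it; bare 'comp-lzo', 'yes' or 'adaptive' enable it
            return len(parts) == 1 or parts[1] != "no"
        if parts[0] == "compress":
            # bare 'compress' or a stub algorithm only adds framing, no compression
            return len(parts) > 1 and parts[1] not in ("stub", "stub-v2")
    return False


def server_log_findings(log_text):
    """Flag the two server-side conditions discussed in the thread."""
    findings = []
    prev = ""
    for line in log_text.splitlines():
        if "extremely common subnet" in line:
            findings.append("common-subnet")
        if "route add command failed" in line and "File exists" in prev:
            # a 'route' line in server.conf for the server's own LAN produces this
            findings.append("route-exists")
        prev = line
    return findings


if __name__ == "__main__":
    for name, log in (("full-tunnel", SAMPLE_CLIENT_LOG), ("split-tunnel", SAMPLE_SPLIT_LOG)):
        d = parse_push_reply(log)
        print(name, tunnel_mode(d), pushed_routes(d), "dead-peer after",
              client_dead_peer_seconds(d), "s, compression", compression_enabled(d))
    print("keepalive 10 120 ->", keepalive_expansion(10, 120))
    print("server log:", server_log_findings(SAMPLE_SERVER_LOG))
```

Run against a real client log, the same functions answer the question that started this thread (was redirect-gateway pushed, or only a route?) without guessing from the GUI's "connected" indicator.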
XXXBold
Level 1
Level 1
Posts: 29
Joined: Sat Feb 09, 2019 5:50 pm

Re: OpenVPN: Don't redirect everything through tunnel

Post by XXXBold »

Ah, indeed, after removing it the warning is gone now, thanks a lot :)

Just two more (hopefully) final questions about this:

1. Do you know a proper solution for connecting the VPN on startup + mounting the samba shares from there? Because I think if I just add it to fstab it will try to mount too early, before the VPN connection can be established, and therefore it fails.

2. Is there a good way to increase OpenVPN's performance (By performance I mean the transfer speed in both directions)? Do you think enabling data compression is a good idea for that?

I'll check about the ping/keepalive options later. Hopefully that's all so far and I don't have to bother you anymore after this ;D
Pippin
Level 4
Level 4
Posts: 441
Joined: Wed Dec 13, 2017 11:14 am
Location: The Shire

Re: OpenVPN: Don't redirect everything through tunnel

Post by Pippin »

Hi,

1.
I think it would be best to search specifically on Debian resources/howto/wiki/forum for autostart.
With regards to mounting samba shares, you can use an --up and --down script for that,
see --up cmd, --down cmd, --script-security level and Order of Execution in manual:
https://community.openvpn.net/openvpn/w ... n24ManPage
Keep in mind that automatic mounting can pose a greater risk with regards to ransomware.
As long as the VPN is up, ransomware can encrypt your remote shares...

2.
On Linux-like hosts you can add:

Code:
fast-io
sndbuf 524288 # can try different values
rcvbuf 524288 # can try different values
txqueuelen 500 # can try different values, default 100
The following can also be pushed to the client side:

Code:
push "sndbuf 524288" # can try different values
push "rcvbuf 524288" # can try different values

Compression is not advised because of Voracle:
https://community.openvpn.net/openvpn/wiki/VORACLE
Most traffic nowadays is already compressed, so one can ask oneself about its usefulness.
XXXBold
Level 1
Level 1
Posts: 29
Joined: Sat Feb 09, 2019 5:50 pm

Re: OpenVPN: Don't redirect everything through tunnel

Post by XXXBold »

I guess I'll find a way to get the autostart to work then, considering your security advice.

I've also added your performance tweaks to my server configuration, and it seems quite a bit faster (more responsive) now compared to before.

Guess I'll consider this topic solved then, hopefully it will help other people as well if they struggle on it like I did.

Thanks again so much for your help, have a nice day!
Pippin
Level 4
Level 4
Posts: 441
Joined: Wed Dec 13, 2017 11:14 am
Location: The Shire

Re: [Solved] OpenVPN: Don't redirect everything through tunnel

Post by Pippin »

Welcome and nice day to you too.