
    OpenVPN routing problem on N900

    gregc2009 | # 1 | 2009-12-21, 19:17 | Report

    I have OpenVPN installed and working on tomato flashed router using a static key and tap. I'm using a win xp laptop successfully with this setup.

    I wanted to try and get the N900 to work with it as well. It installed OpenVPN and the applet fine. When I run the test, it all looks good. When I connect, it looks good too except the routing through the vpn doesn't work. I am not familiar enough with this stuff to understand why though.

    Here is the config:
    Code:
       remote MY.STATIC.SERVER.IP
       port 1194
       dev tap
       secret static.key
       proto udp
       comp-lzo
       route-gateway 192.168.0.100
       redirect-gateway
    Here is the test output:

    Code:
    Mon Dec 21 11:09:52 2009 OpenVPN 2.1_rc20 arm-unknown-linux-gnueabi [SSL] [LZO2] [EPOLL] [MH] [PF_INET6] built on Nov 29 2009
    Mon Dec 21 11:09:52 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Dec 21 11:09:52 2009 /usr/sbin/openvpn-vulnkey -q static.key
    Mon Dec 21 11:09:52 2009 ******* WARNING *******: 'static.key' cannot be verified as a non-vulnerable key. See 'man openvpn-vulnkey' for details.
    Mon Dec 21 11:09:52 2009 Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Dec 21 11:09:52 2009 Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Dec 21 11:09:52 2009 Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Dec 21 11:09:52 2009 Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Dec 21 11:09:52 2009 LZO compression initialized
    Mon Dec 21 11:09:52 2009 ROUTE: default_gateway=UNDEF
    Mon Dec 21 11:09:52 2009 TUN/TAP device tap0 opened
    Mon Dec 21 11:09:52 2009 TUN/TAP TX queue length set to 100
    Mon Dec 21 11:09:52 2009 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
    Mon Dec 21 11:09:52 2009 Data Channel MTU parms [ L:1577 D:1450 EF:45 EB:135 ET:32 EL:0 AF:3/1 ]
    Mon Dec 21 11:09:52 2009 Local Options hash (VER=V4): '83c3b015'
    Mon Dec 21 11:09:52 2009 Expected Remote Options hash (VER=V4): '83c3b015'
    Mon Dec 21 11:09:52 2009 Socket Buffers: R=[65536->131072] S=[16384->131072]
    Mon Dec 21 11:09:52 2009 UDPv4 link local (bound): [undef]
    Mon Dec 21 11:09:52 2009 UDPv4 link remote: [AF_INET]MY.STATIC.SERVER.IP
    Any help is greatly appreciated.

    - Greg


     
    mikkov | # 2 | 2009-12-21, 19:25 | Report

    >Mon Dec 21 11:09:52 2009 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system

    redirect-gateway doesn't work when a cellular (3G/GPRS) connection is used. The reason is stated in the above error message.


     
    gregc2009 | # 3 | 2009-12-21, 21:08 | Report

    Is this a software limitation? Any way around it? I'm posting this on my computer that is using the N900 as a modem on GSM through a VPN to our work without any issues.


     
    mikkov | # 4 | 2009-12-21, 21:20 | Report

    It is because of how network interfaces are set up on the N900, so you could say it's a software limitation.

    There may be a workaround for it, see http://talk.maemo.org/showthread.php...hlight=openvpn (actually these threads should be merged)


     
    alphazo | # 5 | 2010-02-10, 17:14 | Report

    Workaround (script) found here works just fine:
    https://bugs.maemo.org/show_bug.cgi?id=7596#c9

    - Copied the script to /etc/openvpn
    - Added
    Code:
    script-security 2
    ipchange /etc/openvpn/add_default_route.sh
    to my openvpn config file and all traffic was tunneled (tested with Wireshark). BTW, there is one last thing I had to do in order to get DNS resolution, I had to add
    Code:
    nameserver 192.168.0.254
    to either /var/run/resolv.conf.gprs or /var/run/resolv.conf.wlan0, depending on the connection, where 192.168.0.254 is the address of my router at home.

    To automate that process I simply added the following to the workaround script found up there:
    Code:
    if [ -f /var/run/resolv.conf.gprs ];
    then
      echo "nameserver 192.168.0.254" >> /var/run/resolv.conf.gprs
    fi
    if [ -f /var/run/resolv.conf.wlan0 ];
    then
      echo "nameserver 192.168.0.254" >> /var/run/resolv.conf.wlan0
    fi
    As a side note here are the special options I have enabled in my openvpn config:
    Code:
    push "route 192.168.0.0 255.255.255.0"
    push "redirect-gateway def1"
    push "dhcp-option DNS 192.168.0.254"

    I now have OpenVPN working on both Wifi and Gprs with full internet traffic routed through the tunnel... cool!

    The Following 4 Users Say Thank You to alphazo For This Useful Post:
    cpm, davall, reinob, totalizator

     
    lbt | # 6 | 2010-02-22, 15:51 | Report

    Just checking that you guys know what the "redirect-gateway" option does?

    It replaces the default gateway on the client/device and makes *all* your network traffic from the client/device go via the (slow) VPN.

    So if you are just using a VPN to allow access to machines on a private LAN then you probably don't want it.


     
    alphazo | # 7 | 2010-02-22, 16:52 | Report

    Yep.. that was the intended purpose especially when browsing the web from untrusted locations such as public WiFi hot spots.

    As a side note, if you use password protected certificates you will have to add
    Code:
    askpass
    to the OpenVPN config file in order to get prompted for your password by OpenVPN-gui applet (very convenient).

    Alphazo


     
    mr.zoom | # 8 | 2010-05-07, 12:17 | Report

    I added to the openvpn client config file the following 3 lines:
    script-security 2
    up /etc/openvpn/maemo-update-resolvconf
    down /etc/openvpn/maemo-update-resolvconf
    The script maemo-update-resolvconf existed already.
    This works for me very fine with wlan and gprs/umts.

    Cheers

    mr.zoom

    The Following 3 Users Say Thank You to mr.zoom For This Useful Post:
    handaxe, mveplus, stlpaul

     
    Davey101 | # 9 | 2010-05-18, 11:53 | Report

    Originally Posted by mr.zoom:
    > I added to the openvpn client config file the following 3 lines:
    > script-security 2
    > up /etc/openvpn/maemo-update-resolvconf
    > down /etc/openvpn/maemo-update-resolvconf
    > The script maemo-update-resolvconf existed already.
    > This works for me very fine with wlan and gprs/umts.
    >
    > Cheers
    >
    > mr.zoom

    What does this addition do?

    Thanks


     
    mr.zoom | # 10 | 2010-05-27, 14:14 | Report

    Hi Dave
    • script-security 2 # sets the security settings so that you can run external scripts
    • up /etc/openvpn/maemo-update-resolvconf # runs the script maemo-update-resolvconf if your vpn connection is up
    • down /etc/openvpn/maemo-update-resolvconf # runs the script maemo-update-resolvconf if your vpn connection is down

    The maemo-update-resolvconf script existed on my phone already after the installation of openvpn on my phone. The script takes the DNS settings from your openvpn environment and writes them to your /etc/resolv.conf if the connection is up. If you disconnect, it writes the original settings back to /etc/resolv.conf.

    Cheers

    mr.zoom

    The Following 2 Users Say Thank You to mr.zoom For This Useful Post:
    Davey101, kwurk
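
    The two resolver fixes discussed in this thread (appending a nameserver line to /var/run/resolv.conf.gprs or /var/run/resolv.conf.wlan0, and the up/down behaviour described for maemo-update-resolvconf) can be combined in one script. The sketch below is an added example, not code from the thread or from the Maemo package. The function names, the RESOLV path and the backup file are assumptions; `foreign_option_N` and `script_type` are the environment variables OpenVPN passes to up/down scripts.

```shell
#!/bin/sh
# Added sketch, not the maemo-update-resolvconf shipped with the N900 package.
# RESOLV is an assumed path; it defaults to a scratch file so a trial run is harmless.
RESOLV="${RESOLV:-/tmp/resolv.conf.example}"
BACKUP="${RESOLV}.ovpn-backup"

# Accept only dotted-quad text, so a pushed value can never smuggle spaces,
# newlines or extra resolv.conf directives into a file written as root.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print each pushed DNS server, read from OpenVPN's foreign_option_N variables.
pushed_dns() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                ip=${opt#dhcp-option DNS }
                if valid_ipv4 "$ip"; then printf '%s\n' "$ip"; fi ;;
        esac
        i=$((i + 1))
    done
}

# up: keep one backup, then rebuild from it so repeated runs never duplicate lines.
resolv_up() {
    [ -f "$RESOLV" ] || : > "$RESOLV"
    [ -f "$BACKUP" ] || cp "$RESOLV" "$BACKUP"
    { pushed_dns | sed 's/^/nameserver /'; cat "$BACKUP"; } > "$RESOLV.new"
    mv "$RESOLV.new" "$RESOLV"
}

# down: restore the resolver file exactly as it was before the tunnel came up.
resolv_down() {
    if [ -f "$BACKUP" ]; then mv "$BACKUP" "$RESOLV"; fi
}

# OpenVPN sets script_type to "up" or "down" when it calls the script.
case "${script_type:-}" in
    up)   resolv_up ;;
    down) resolv_down ;;
esac
```

    Because `script-security 2` lets OpenVPN run this as root, the script file itself should be owned by root and not writable by other users.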

     