New Member

OpenVPN Client (StrongVPN)

Traffic not going via VPN and I want it to. This is what I have done.

set interfaces openvpn vtun0 config-file /config/vpn-dcxx_ovpnxxx_account.ovpn

edge# show interfaces openvpn
 openvpn vtun0 {
     config-file /config/vpn-dcxx_ovpnxxx_account.ovpn
 }

 

Eventually I will want only some traffic (based on a destination address) to go via the VPN but currently I am trying to get all traffic to go via the VPN with NAT rules.

edge# show service nat 
 rule 5000 {
     log disable
     outbound-interface vtun0
     type masquerade
 }
 rule 5001 {
     outbound-interface pppoe0
     type masquerade
 }
[edit]

 

where vpn-dcxx_ovpnxxx_account.ovpn is

remote <SNIP IP Address> 443 tcp
remote <SNIP IP Address> 3690 tcp
remote <SNIP IP Address> 2401 tcp
remote <SNIP IP Address> 8443 tcp
key-direction 1
cipher none
auth none
no-iv
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
;http-proxy-retry
;http-proxy <SNIP IP Address> 80
verb 4
reneg-sec 86400
echo vpn-dcxx ovpn160
tun-mtu 1500
route-method exe
route-delay 2
redirect-gateway def1
comp-lzo no
hand-window 30
<ca>
-----BEGIN CERTIFICATE-----
<SNIP CERT>
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
<SNIP KEY>
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
<SNIP CERT>
-----END CERTIFICATE-----
</cert>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
<SNIP CERT>
-----END OpenVPN Static key V1-----
</tls-auth>

 

My Error log looks like:

Nov 15 01:24:41	edge openvpn[1247]: NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Nov 15 01:24:41	edge openvpn[1247]: /sbin/route add -net 10.8.5.1 netmask 255.255.255.255 gw 10.8.5.5 metric 1
Nov 15 01:24:41	edge openvpn[1247]: Initialization Sequence Completed
Nov 15 01:24:39	edge openvpn[1247]: TUN/TAP device tun0 opened
Nov 15 01:24:39	edge openvpn[1247]: TUN/TAP TX queue length set to 100
Nov 15 01:24:39	edge openvpn[1247]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Nov 15 01:24:39	edge openvpn[1247]: /sbin/ifconfig tun0 10.8.5.6 pointopoint 10.8.5.5 mtu 1500

 

I've tried adding the following to vpn-dcxx_ovpnxxx_account.ovpn but no luck

route-nopull    

route-noexec

 

I have unsuccessfully followed http://community.ubnt.com/t5/EdgeMAX/OPENVPN-client/td-p/437733

Any ideas?

The web dashboard shows vtun0 openvpn connected.

 



All Replies
Ubiquiti Employee

Re: OpenVPN Client (StrongVPN)

What are the "show ip route" and "ip route" outputs?

New Member

Re: OpenVPN Client (StrongVPN)

Thanks Arthur for responding.

@edge:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

K>* 0.0.0.0/0 is directly connected, pppoe0K>* 0.0.0.0/0 is directly connected, pppoe0
K>* 10.8.5.1/32 via 10.8.5.5, tun0
C>* 10.8.5.5/32 is directly connected, tun0
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.2.0/24 is directly connected, switch0
S 216.131.84.126/32 [1/0] is directly connected, vtun0 inactive
C>* <snip IP address>/32 is directly connected, pppoe0
@edge:~$ ip route
default dev pppoe0 scope link
10.8.5.1 via 10.8.5.5 dev tun0 metric 1
10.8.5.5 dev tun0 proto kernel scope link src 10.8.5.6
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1
192.168.2.0/24 dev switch0 proto kernel scope link src 192.168.2.1
<snip IP address> dev pppoe0 proto kernel scope link src <snip IP address>

The 216.131.84.126/32 is in there as a test so I can surf to that IP (strongvpn.com) and it will tell me my ip and general location. This is where I plan to put the netblocks I want routed via the VPN.
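
The routing state in this post can be checked mechanically. The following Python is an added example, not part of the original post: it does a longest-prefix match over the `ip route` lines to show which device the 216.131.84.126 test destination would leave by. It models only the main table (no metrics or policy routing); the function names and the `ACTIVE_TEST_ROUTE` line are assumptions.

```python
import ipaddress

# Constructed from the `ip route` output in the post above; the snipped WAN
# address line is left out.
KERNEL_TABLE = """\
default dev pppoe0 scope link
10.8.5.1 via 10.8.5.5 dev tun0 metric 1
10.8.5.5 dev tun0 proto kernel scope link src 10.8.5.6
127.0.0.0/8 dev lo proto kernel scope link src 127.0.0.1
192.168.2.0/24 dev switch0 proto kernel scope link src 192.168.2.1
"""

# Assumption: the line the kernel would hold if the vtun0 static route were active.
ACTIVE_TEST_ROUTE = "216.131.84.126 dev vtun0 scope link\n"


def parse_routes(text):
    """Turn `ip route` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if "dev" not in tok:
            continue
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        routes.append((ipaddress.ip_network(prefix), tok[tok.index("dev") + 1]))
    return routes


def egress_dev(routes, dest):
    """Longest-prefix match: the device the kernel would send `dest` out of."""
    addr = ipaddress.ip_address(dest)
    hits = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(hits)[1] if hits else None


def bypassing_vpn(routes, dests, vpn_dev="vtun0"):
    """Destinations meant for the tunnel that would leave by another device."""
    return [d for d in dests if egress_dev(routes, d) != vpn_dev]


if __name__ == "__main__":
    test = ["216.131.84.126"]
    print("as posted:", bypassing_vpn(parse_routes(KERNEL_TABLE), test))
    print("route active:", bypassing_vpn(parse_routes(KERNEL_TABLE + ACTIVE_TEST_ROUTE), test))
```

With the table as posted, the test address falls through to the pppoe0 default because the vtun0 route is inactive and never reaches the kernel table.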

 

Ubiquiti Employee

Re: OpenVPN Client (StrongVPN)


@noseat wrote:
...

K>* 0.0.0.0/0 is directly connected, pppoe0K>* 0.0.0.0/0 is directly connected, pppoe0
K>* 10.8.5.1/32 via 10.8.5.5, tun0
C>* 10.8.5.5/32 is directly connected, tun0
...
S 216.131.84.126/32 [1/0] is directly connected, vtun0 inactive
C>* 217.32.140.70/32 is directly connected, pppoe0
...

 


If you want all traffic to go through vtun0, then the default route should go through vtun0 instead of pppoe0. So the first thing to do is to delete "default-route auto" from under pppoe0, then set "protocols static interface-route 0.0.0.0/0 next-hop-interface tun0" (even though openvpn is configured under vtun0, the actual interface is tun0).

Previous Employee

Re: OpenVPN Client (StrongVPN)

One thing I noticed is that in your .ovpn file there is the following line:

dev tun

 You should change that line to this:

dev-type tun

so that it will create the "vtun0" interface instead of the default "tun0" as it is doing now.

New Member

Re: OpenVPN Client (StrongVPN)

Thank you!  Changing "dev tun" to "dev-type tun" was the magic I needed to get the strongVPN default .ovpn working well with EdgeRouter.  With this change the EdgeRouter GUI seems to be happy... and I am happy as well. 

With the GUI I added 3 static routes to get Hulu and Pandora traffic via the VPN.

Hulu.com CIDR - 23.32.0.0/11 and 23.64.0.0/14

Pandora.com CIDR = 208.85.40.0/21
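
As an added example (not code from the thread, StrongVPN or Ubiquiti), this Python check reads a profile like the one posted and reports the `dev` directive behind the tun0/vtun0 mismatch, along with the `cipher none`, `auth none` and `no-iv` lines, which leave the tunnel's data channel without encryption or packet authentication. The sample profile, the 192.0.2.10 address and the function names are constructed for illustration.

```python
import re

# Constructed sample: non-secret directives from the posted profile, with a
# documentation address and a placeholder instead of the snipped values.
SAMPLE_PROFILE = """\
remote 192.0.2.10 443 tcp
cipher none
auth none
no-iv
dev tun
;http-proxy-retry
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""


def parse_directives(text):
    """Map directive -> list of argument lists, skipping comments and <inline> blocks."""
    found, block = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if block:
            block = None if line == "</%s>" % block else block
        elif re.fullmatch(r"<[\w-]+>", line):
            block = line[1:-1]
        elif line and line[0] not in "#;":
            name, *args = line.split()
            found.setdefault(name, []).append(args)
    return found


def audit(text, edgeos_if="vtun0"):
    """Return findings for an OpenVPN client profile used on an EdgeOS vtun interface."""
    d, out = parse_directives(text), []
    if ["none"] in d.get("cipher", []):
        out.append("cipher none: tunnel payload is sent unencrypted")
    if ["none"] in d.get("auth", []):
        out.append("auth none: data channel packets are not HMAC-authenticated")
    if "no-iv" in d:
        out.append("no-iv: per-packet IV disabled")
    for args in d.get("dev", []):
        if args[:1] != [edgeos_if]:
            out.append("dev %s: not %s, use 'dev-type tun'" % (" ".join(args), edgeos_if))
    if "redirect-gateway" in d:
        out.append("redirect-gateway: profile tries to replace the default route")
    return out


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PROFILE)))
```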
