Posts Tagged ‘OpenVPN’
Connecting to a host using an alternative gateway with OpenVPN
I’ve just finished installing a pfSense firewall as a second gateway for a network that required a dedicated internet connection for some services. Some of the hosts on the network use the main office internet connection as their default gateway. As a result, I was unable to connect to these hosts remotely via the VPN, because the return path for the packets goes via the primary internet connection rather than back via the VPN.
I had a quick glance at the pfSense/OpenVPN docs to see whether there was anything I could specify in pfSense, and they stated that the machines needed to use the pfSense as their default gateway – this was unacceptable for our purposes here (one of the devices in question is the Asterisk VoIP server on the network, which needs to use the other Internet connection for its external traffic). There is an easy solution, however: simply add a static route on each host back to the IP range issued to the VPN clients, via the pfSense’s internal IP.
This looks something like this:
Effectively any internal machines that need to be visible over the VPN need to have an appropriate return path configured. The DHCP scope I have used for VPN clients is 10.0.200.0/24.
For Linux machines on the network, the route can be added on a temporary basis (i.e. until reboot) by entering the following command on the host:
route add -net 10.0.200.0/24 gw 10.204.6.1
or permanently by adding an entry to /etc/sysconfig/static-routes (on CentOS, as per http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-networkscripts-static-routes.html).
On Windows hosts this can be achieved by adding a persistent route:
route add -p 10.0.200.0 mask 255.255.255.0 10.204.6.1
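The reason the static route is needed is longest-prefix matching: without it, a reply to a 10.0.200.x VPN client only matches the host's default route and leaves through the office router. The following Python script (an added example, not part of the original post) simulates a host's routing table before and after the static route and also derives the Linux and Windows route commands from the CIDR. The 10.0.200.0/24 scope and the 10.204.6.1 pfSense address come from the post; the LAN prefix 10.204.6.0/24, the office router address 10.204.6.254 and the sample client 10.0.200.5 are assumptions.

```python
import ipaddress

# Values from the post
VPN_CLIENTS = "10.0.200.0/24"    # DHCP scope handed to OpenVPN clients
PFSENSE_LAN_IP = "10.204.6.1"    # pfSense internal IP (next hop back into the VPN)
# Constructed/assumed values for the simulation
LAN = "10.204.6.0/24"            # assumed office LAN prefix
OFFICE_GATEWAY = "10.204.6.254"  # assumed primary office router (default gateway)


def next_hop(routes, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else best[1]


def host_routes(with_static_route):
    """Routing table of an internal host whose default gateway is the office router."""
    routes = [
        (LAN, "direct"),               # connected network, no gateway
        ("0.0.0.0/0", OFFICE_GATEWAY), # default route via the primary internet connection
    ]
    if with_static_route:
        # The fix from the post: send VPN client traffic back via the pfSense
        routes.append((VPN_CLIENTS, PFSENSE_LAN_IP))
    return routes


def return_path(with_static_route, vpn_client_ip="10.0.200.5"):
    """Where does the host send its reply to a VPN client?"""
    return next_hop(host_routes(with_static_route), vpn_client_ip)


def route_command(os_name, prefix=VPN_CLIENTS, gw=PFSENSE_LAN_IP):
    """Build the static-route command for the given OS (route.exe needs a dotted netmask)."""
    net = ipaddress.ip_network(prefix)
    if os_name == "linux":
        return f"route add -net {net.with_prefixlen} gw {gw}"
    if os_name == "windows":
        return f"route add -p {net.network_address} mask {net.netmask} {gw}"
    raise ValueError(f"unsupported OS: {os_name}")


if __name__ == "__main__":
    print("reply without static route goes via:", return_path(False))  # office router
    print("reply with static route goes via:   ", return_path(True))   # pfSense
    for os_name in ("linux", "windows"):
        print(os_name, "->", route_command(os_name))
```

Run it and the first line shows the reply to 10.0.200.5 leaving via the office router (asymmetric routing, so the VPN client never sees it); the second shows it going via the pfSense once the /24 is added, which wins over the /0 default route.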
Using the OpenVPN Client in Vista
This morning I had a client who was having difficulties connecting to our SSL VPN using the OpenVPN client. The error they were getting was:
Tue Apr 08 17:31:45 2008 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=25]
Tue Apr 08 17:31:45 2008 Route addition via IPAPI failed [adaptive]
Tue Apr 08 17:31:45 2008 Route addition fallback to route.exe
The requested operation requires elevation.
Tue Apr 08 17:31:45 2008 ERROR: Windows route add command failed [adaptive]: system() returned error code 1
Looking at the error, it obviously points to a permissions escalation issue in Vista – the workaround:
Edit the config file of the SSL vpn (the .ovpn file) in C:\Program Files\OpenVpn\config and add the following lines:
#Force the use of route.exe
route-method exe
This will force OpenVPN to add the route using Route.exe
Then create a batch file to run the OpenVPN executable with the config file specified:
"C:\program files\OpenVPN\bin\openVPN.exe" "C:\program files\openvpn\config\yourconfigname.ovpn"
Right click the batch file and run as administrator, and it should work!
