Nick Howitt wrote:
Hmm. The normal way is to go into IP settings and, for your WAN, uncheck the Automatic DNS Servers. Go back to the previous screen and the Temporary Override will have changed to Edit and you can enter your settings there. If this does not work, what is the contents of /etc/resolv.conf?
The problem was I have 2 WAN connections and I have to change both for the EDIT field to appear.
I cannot find a way to set the global DNS IP.
I don't want to use my ISP's DNS; if I uncheck "Automatic DNS Servers", even though there is 126.96.36.199 in DNS Server, DNS does not work.
Each time the internet disconnects I need to manually edit the DNS Servers in "Temporary Override" in /app/network.
How can I turn off "Automatic DNS Servers" and set the global DNS server IP? (from webconfig or CLI)
(I am using multiwan)
Nick Howitt wrote:
So is it a setting in Network Manager OpenVPN Gnome? I don't use Ubuntu so I can't really guide you much.
I tried in Debian and the OpenVPN app on Android; both seem to redirect the gateway (including configuring DNS for it, which Ubuntu fails to do).
The question is, is it something misconfigured on the server side, or are all clients supposed to work this way?
Nick Howitt wrote:
So there is no need to specify them.
I am not sure if all clients use 2.4. I am on Ubuntu 16.04 and the default is 2.3 (on my PC I added the repo and updated to 2.4).
Nick Howitt wrote:
What is your client and how is it configured? I suspect it is setting the default route. I think I used kvpnc in the past and it used to automatically set the default route unless told otherwise.
I use mainly Ubuntu 16.04 and 18.04; the OpenVPN clients vary between 2.3 and 2.4. I use network-manager-openvpn 1.1.93-1ubuntu1.1 and network-manager-openvpn-gnome 1.1.93-1ubuntu1.1 for the front-end client.
I cannot really use kvpnc as I need it to work for many users; most (if not all) use network-manager-openvpn.
Nick Howitt wrote:
With the default configs, OpenVPN only routes LAN traffic through the VPN. If you create your own client configuration then anything may happen. I used to use a configurator in another distro and this may have set OpenVPN as the default route, but this is not the norm.
I posted a new issue relating to this; I would appreciate it if you can take a look and see if you can give me some pointers: https://www.clearos.com/clearfoundation/social/community/vpn-always-redirecting-gateway
(I think I can close this issue)
I have an issue with my OpenVPN: although I only push a local LAN route, when I connect it seems to push all my traffic. The only way I get around it is to add "never-default = true" in my local connection file (without this setting I only have access to the LAN on the VPN side, no WAN at all).
My server-side config is:
When connecting it seems to be pushing the VPN as default gateway:
Output of route on the client when connected:
Output of route on the client when connected using "never-default = true" in my local connection file:
In the OpenVPN server log, in response to "PUSH_REQUEST" I only see:
How can I configure it from the server side so that it does not redirect the gateway?
You may do best to go to the OpenVPN forums for this set up.
I will, thanks.
Can I ask if these users also connect directly to your LAN? If they do then at that point they have full access to your LAN and then there may be little point in restricting access when connecting by VPN.
They connect using VPN; my rules are:
# Drop all traffic from VPN2 range
$IPTABLES -I FORWARD -o p4p6 -s 10.9.0.0/24 -d 192.168.5.12 -j ACCEPT  # access machine 12 from VPN2
$IPTABLES -I FORWARD -o p4p6 -s 10.9.0.0/24 -d 192.168.5.17 -j ACCEPT  # access machine 17 from VPN2
This works fine; I just need to sort out the certs for VPN2.
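The per-instance FORWARD rules above, written as a small script (an added example, not the poster's own firewall.d/custom file): it generates the two ACCEPT rules for the 10.9.0.0/24 instance plus the catch-all DROP that the poster's comment describes but does not show, which is an assumption here.

```shell
#!/bin/sh
# Added example, not from the thread. Restricts one OpenVPN instance's
# address range to a few LAN hosts, as the poster's FORWARD rules do, and
# adds the catch-all DROP their comment describes (the DROP is assumed).
# IPTABLES defaults to a dry run that only prints the commands; set
# IPTABLES=iptables to apply them, e.g. from a ClearOS firewall.d/custom script.
IPTABLES="${IPTABLES:-echo iptables}"

# vpn_access_rules NET LAN_IF HOST...
# Appends a DROP for everything from NET leaving via LAN_IF, then inserts one
# ACCEPT per allowed host at the top of FORWARD, so the accepts are always
# evaluated before the drop whatever order the script is run in.
vpn_access_rules() {
    net=$1
    lan_if=$2
    shift 2
    # Catch-all: nothing else from this VPN range reaches the LAN.
    $IPTABLES -A FORWARD -o "$lan_if" -s "$net" -j DROP
    for host in "$@"; do
        # Allow this VPN range to reach exactly one LAN host.
        $IPTABLES -I FORWARD -o "$lan_if" -s "$net" -d "$host" -j ACCEPT
    done
}

# Count the ACCEPT rules a rule set would produce (always a dry run); handy
# for checking the generated set before applying it.
count_accepts() {
    ( IPTABLES="echo iptables"; vpn_access_rules "$@" ) | grep -c -- '-j ACCEPT'
}

# Second VPN instance (10.9.0.0/24) may reach machines 12 and 17 only.
vpn_access_rules 10.9.0.0/24 p4p6 192.168.5.12 192.168.5.17
```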
If you don't have multiple IP's then that rules out 1-to-1 NAT.
I do have multiple IPs, but I wanted to start on a less complex one. However, it seems like a bit more than I can chew on this one, so I am just going to remove the port-forwarding and use local IPs over the VPN.
What I do want to do is allow different VPN users access to different machines. The way I want to achieve it is by creating multiple VPN instances, each with a different IP range, and sorting the access out in custom iptables rules.
It's pretty straightforward to set this up, but there is nothing to stop a VPN user changing the port they connect to and ending up on a different IP range. The only way around this I can see is to create a different cert and key for each VPN instance. The question is, would the ClearOS web portal be able to manage this (add a user to a specific VPN instance and generate user certs for that instance)? If not, how would I create them manually (the VPN cert/key for the VPN instance and the user certs)?
I don't understand where the VPN comes into this. You are bypassing OpenVPN by going directly via the WAN.
You are right, I don't know what I was thinking.
If you are using 1-to-1 NAT, I presume you use a different IP to access the LAN machines from the one that OpenVPN connects with.
I was running before walking here; let's drop NAT and talk about regular port-forwarding. Is there a way to make it so that I can access through the WAN IP only when connected via tun+?
Can you add more routes to the clients.conf covering the WAN IP that you use to connect to your machines? You can probably use the "EXTRALANS" parameter in /etc/clearos/network.conf. This would force the WAN IP through the tunnel.
I am not sure what to put in EXTRALANS and what exactly it does.
You may then be able to use a POSTROUTING rule to DNAT any WAN_IP:port combination to each machine, which you can restrict to the incoming tun adaptor with a "-i tun+".
What would this rule look like? (example?)
I also don't see what you are doing with OpenVPN and "ignore-auto-routes=true"/"never-default=true" unless you've told OpenVPN to push all traffic through the VPN manually as it does not normally do that.
I am at a loss on this. My clients.conf file pushed "dhcp-option DNS x.x.x.x", "dhcp-option DOMAIN example.tld" and all the VLANs. Disabling both dhcp-options still routed all traffic through the VPN (local DNS would not resolve). I tried "never-default=true" in my local conf file (removed "ignore-auto-routes=true") and I can access all the LANs, and the rest of the traffic is not routed through the VPN.
Have you considered a DNS solution at all, where you give each machine a name in your external DNS provider and do the same in the internal DNS? Then you connect to the machine by name. When connected to OpenVPN, if it uses your internal resolver, you'll connect through OpenVPN, and, if not connected to OpenVPN, it will use the external resolver. Windows 10 is a bit dodgy with this but it can be got round.
I haven't considered this as it seems too much to manage; I add and remove machines constantly (I only use Linux so I'm not worried about config for Windows).
MANY MANY THANKS for taking the time to reply.
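The DNAT rule asked about above ("what would this rule look like?"), as an added example that is not from the thread or from ClearOS: it rewrites the WAN IP:port to a LAN host only for packets arriving on a tun interface. The DNAT is placed in the nat PREROUTING chain, where "-i tun+" can be matched; the WAN address, port 9999, eth4 and the LAN host are assumed values taken from or in the spirit of the thread.

```shell
#!/bin/sh
# Added example, not from the thread: the DNAT rule asked about above, for
# reaching a LAN host by WAN IP:port only while connected through the VPN.
# The DNAT lives in the nat PREROUTING chain, where "-i tun+" is valid.
# Addresses, ports and interface names are assumed values for illustration.
# IPTABLES defaults to a dry run that prints the commands; set IPTABLES=iptables
# to apply them.
IPTABLES="${IPTABLES:-echo iptables}"
WAN_IP=203.0.113.10   # assumed public address the clients use for the host
LAN_IF=eth4           # assumed LAN-side interface in front of the host

# vpn_only_forward DPORT HOST HPORT
# Rewrites WAN_IP:DPORT to HOST:HPORT for packets that arrive on a tun
# interface and allows that forwarded connection. Packets to WAN_IP:DPORT from
# the real WAN never match, so they fall through to the normal firewall policy.
vpn_only_forward() {
    dport=$1; host=$2; hport=$3
    $IPTABLES -t nat -A PREROUTING -i tun+ -d "$WAN_IP" -p tcp --dport "$dport" \
        -j DNAT --to-destination "$host:$hport"
    $IPTABLES -A FORWARD -i tun+ -o "$LAN_IF" -d "$host" -p tcp --dport "$hport" \
        -j ACCEPT
}

# Replies from the LAN host back into the tunnel.
$IPTABLES -I FORWARD -i "$LAN_IF" -o tun+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Port 9999 on the WAN address reaches 192.168.5.12:22, but only from tun+.
# The VPN clients also need a route to WAN_IP through the tunnel, e.g. by
# pushing 'route 203.0.113.10 255.255.255.255' from the server config.
vpn_only_forward 9999 192.168.5.12 22
```

Run it unchanged to see the rules it would apply; with IPTABLES=iptables it applies them on the ClearOS box, after which 203.0.113.10:9999 only answers to VPN clients.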
What rules would I need to add (not sure if in firewall.d/custom or elsewhere) to open certain ports only from internal or tun+?
For example, I want to connect to port 9999 on eth4 from the WAN, but only when connected through the VPN.
I need to access multiple machines on different VLANs on the network and do not remember all the local IPs. I need to log in frequently, and do so with WAN IP:port (they are all configured in 1:1 NAT).
I want to change this so that I can only connect to them when connected to the ClearOS VPN (tun0/1). However, I don't want all my local traffic to route through the VPN, so in the OpenVPN client config I set "ignore-auto-routes=true" and "never-default=true". Now I want to connect using WAN IP:port without the port configured in 1:1 NAT (or with it configured but blocked at some other level for ppp+).
Any help appreciated.