# [NAS4Free] Cannot establish internet connection over VPN



## nicks88 (Apr 20, 2013)

Hello all,

First let me start by saying that I am running NAS4Free - I am aware of the forum rules and have already posted on their forums a number of days ago, but have not had a response. I actually think my problem is not OS related, but more that the routing tables I have setup are incorrect.

For background, I want to route all my traffic to/from the NAS4Free server to my VPN provider - to do so I have successfully installed OpenVPN. With the configuration files and certificates provided by the VPN provider, I am able to connect successfully:


```
Apr 20 10:08:10	nas4free	openvpn[4148]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Apr 20 10:08:10	nas4free	openvpn[4148]: LZO compression initialized
Apr 20 10:08:10	nas4free	openvpn[4148]: RESOLVE: NOTE: us-florida.privateinternetaccess.com resolves to 5 addresses
Apr 20 10:08:10	nas4free	openvpn[4149]: UDPv4 link local: [undef]
Apr 20 10:08:10	nas4free	openvpn[4149]: UDPv4 link remote: 68.233.247.240:1194
Apr 20 10:08:10	nas4free	openvpn[4149]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 20 10:08:11	nas4free	openvpn[4149]: [server] Peer Connection Initiated with 68.233.247.240:1194
Apr 20 10:08:14	nas4free	openvpn[4149]: TUN/TAP device /dev/tun0 opened
Apr 20 10:08:14	nas4free	kernel: tun0: link state changed to UP
Apr 20 10:08:14	nas4free	openvpn[4149]: /sbin/ifconfig tun0 10.153.1.10 10.153.1.9 mtu 1500 netmask 255.255.255.255 up
Apr 20 10:08:14	nas4free	openvpn[4149]: Initialization Sequence Completed
```

The problem is that after the VPN is up and running, the server cannot access the internet (for instance ping does not work). I think this has something to do with the routing tables, but it is very confusing to me - here is the result of `netstat -rn` with the VPN running:

```
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
0.0.0.0/1          10.153.1.9         UGS         0        0   tun0 =>
default            192.168.0.1        UGS         0    41728    em0
10.153.1.1/32      10.153.1.9         UGS         0        0   tun0
10.153.1.9         link#12            UH          0        0   tun0
10.153.1.10        link#12            UHS         0        0    lo0
68.233.247.240/32  192.168.0.1        UGS         0       13    em0
127.0.0.1          link#10            UH          0       40    lo0
128.0.0.0/1        10.153.1.9         UGS         0        8   tun0
192.168.0.0/24     link#7             U           0    71431    em0
192.168.0.3        link#7             UHS         0    14868    lo0
```

Here is `ifconfig`:

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:07:e9:0a:2b:b2
        inet 192.168.0.3 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun2: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::207:e9ff:fe0a:2bb2%tun0 prefixlen 64 scopeid 0xc
        inet 10.153.1.10 --> 10.153.1.9 netmask 0xffffffff
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 4149
```

Here is `netstat -rn` without the VPN connection (I can access the Internet OK):

```
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS         0    41730    em0
127.0.0.1          link#10            UH          0       40    lo0
192.168.0.0/24     link#7             U           0    72025    em0
192.168.0.3        link#7             UHS         0    14870    lo0
```

and `ifconfig`:

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 00:07:e9:0a:2b:b2
        inet 192.168.0.3 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun2: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```

Any help on this would be very much appreciated - I am sure it is something very simple missing.

Many thanks


----------



## kpa (Apr 20, 2013)

Can you post the full openvpn.conf?

It looks like you're redirecting all traffic over the VPN connection, is that intended? If that is intended, the other side of the tunnel must allow the traffic from your end and also NAT it to its own public IP address, otherwise no traffic will return from internet hosts with public IP addresses.

Edit: sorry yes I just spotted that you in fact want to redirect all traffic over the VPN.


----------



## nicks88 (Apr 20, 2013)

Thank you for the reply kpa. Below is my openvpn.conf:

```
client
dev tun
proto udp
remote us-florida.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
```

In actual fact, you make a very valid point about the traffic I want to go over the VPN; it might be an oversight on my part. For clarification, I want all external traffic (i.e. Internet) to go over the VPN - I would still however like to access the server from local network PCs/devices. I hope this makes sense.

Thank you.


----------



## kpa (Apr 20, 2013)

Well, it should just work. The default route does get changed to point over the VPN tunnel, however local traffic will follow the more specific routes in the routing table. Are you setting the default route yourself and how? Or does it get pushed from the VPN server to you? Show the full log of one connection.


----------



## nicks88 (Apr 20, 2013)

I am not setting the default route - I believe it is getting pushed from the VPN provider. 

Digging a little further, it seems that it may be due to hostname resolution. Below is a ping test:


```
64 bytes from 74.125.132.106: icmp_seq=31 ttl=46 time=37.294 ms
64 bytes from 74.125.132.106: icmp_seq=32 ttl=46 time=27.439 ms
64 bytes from 74.125.132.106: icmp_seq=33 ttl=47 time=228.860 ms
64 bytes from 74.125.132.106: icmp_seq=34 ttl=47 time=236.300 ms
64 bytes from 74.125.132.106: icmp_seq=35 ttl=47 time=229.820 ms
64 bytes from 74.125.132.106: icmp_seq=36 ttl=47 time=228.089 ms
64 bytes from 74.125.132.106: icmp_seq=37 ttl=47 time=230.473 ms
64 bytes from 74.125.132.106: icmp_seq=38 ttl=47 time=230.367 ms
64 bytes from 74.125.132.106: icmp_seq=39 ttl=47 time=228.378 ms
^C
--- www.google.com ping statistics ---
40 packets transmitted, 40 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 18.205/57.956/236.300/79.461 ms

nas4free:~# ping www.google.com
ping: cannot resolve www.google.com: Host name lookup failure

nas4free:~# ping 74.125.132.106
PING 74.125.132.106 (74.125.132.106): 56 data bytes
64 bytes from 74.125.132.106: icmp_seq=0 ttl=47 time=232.769 ms
64 bytes from 74.125.132.106: icmp_seq=1 ttl=47 time=229.083 ms
64 bytes from 74.125.132.106: icmp_seq=2 ttl=47 time=228.455 ms
64 bytes from 74.125.132.106: icmp_seq=3 ttl=47 time=229.092 ms
64 bytes from 74.125.132.106: icmp_seq=4 ttl=47 time=228.868 ms
64 bytes from 74.125.132.106: icmp_seq=5 ttl=47 time=228.249 ms
```

The first two <200ms ping times are from when the VPN is off. When it is switched on, this jumps to >200ms.

As you can see, after switching on the VPN, it is unable to resolve the hostname http://www.google.com. But the ping test works when directly hitting the IP address.

Checking in /var/log/system.log I can see the following:


```
Apr 20 11:53:05 nas4free openvpn[4238]: /sbin/ifconfig tun0 10.118.120.18 10.118.120.17 mtu 1500 netmask 255.255.255.255 up
Apr 20 11:53:05 nas4free openvpn[4238]: Initialization Sequence Completed
Apr 20 11:54:37 nas4free INADYN[2615]: Sat Apr 20 11:54:37 2013: W:IP: Error 0x0 resolving host name 'google.com'
Apr 20 11:54:37 nas4free INADYN[2615]: Sat Apr 20 11:54:37 2013: W:'RC_ERROR' (0x1) updating the IPs. (it 1459)
```

Any ideas what would cause this?

Thanks.


----------



## kpa (Apr 20, 2013)

What is in your /etc/resolv.conf? What does traceroute(8) show for the nameserver address when the tunnel is up?


----------



## nicks88 (Apr 21, 2013)

Thanks for the advice @kpa - from which I located the problem. Previously, my resolv.conf file was:


```
nameserver 192.168.4.100
nameserver 192.168.8.100
```

This was the gateway of the router connected to the server. I have since changed this to:


```
nameserver 208.67.220.220
nameserver 208.67.222.222
```

I am now successfully able to resolve hostnames with and without the VPN connection.

Many thanks.
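
The following Python script is an added example and not code from this thread or from NAS4Free/OpenVPN. It re-implements the kernel's longest-prefix-match lookup over the two routing tables nicks88 posted (transcribed from the `netstat -rn` output above; `default` written as `0.0.0.0/0`, host routes as `/32`), so you can see in one place what kpa's reply about "more specific routes" and the later resolv.conf fix actually come down to: the `0.0.0.0/1` + `128.0.0.0/1` pair pushed by the provider (OpenVPN's `redirect-gateway def1` behaviour) beats the `/0` default for every Internet address, the `/24` keeps the LAN on `em0`, and the `/32` to the VPN endpoint keeps the tunnel from routing its own packets into itself. The old resolvers `192.168.4.100` and `192.168.8.100` are not inside `192.168.0.0/24`, so once the tunnel is up they match `128.0.0.0/1` and are sent down `tun0`, where a private address is unreachable; that is why name lookups failed while pinging a raw IP worked. The function names and the "private resolver routed into the tunnel" check are my own.

```python
import ipaddress

# Routing table transcribed from the thread with the tunnel UP (netstat -rn).
# Tuples are (destination prefix, gateway, interface).
ROUTES_VPN_UP = [
    ("0.0.0.0/1",         "10.153.1.9",  "tun0"),  # pushed by provider (redirect-gateway def1)
    ("0.0.0.0/0",         "192.168.0.1", "em0"),   # the original default, left in place
    ("10.153.1.1/32",     "10.153.1.9",  "tun0"),
    ("10.153.1.9/32",     "link#12",     "tun0"),
    ("10.153.1.10/32",    "link#12",     "lo0"),
    ("68.233.247.240/32", "192.168.0.1", "em0"),   # VPN endpoint: must NOT go through tun0
    ("127.0.0.1/32",      "link#10",     "lo0"),
    ("128.0.0.0/1",       "10.153.1.9",  "tun0"),  # pushed by provider (redirect-gateway def1)
    ("192.168.0.0/24",    "link#7",      "em0"),   # LAN stays local: more specific than /1
    ("192.168.0.3/32",    "link#7",      "lo0"),
]

# Same host with the tunnel DOWN.
ROUTES_VPN_DOWN = [
    ("0.0.0.0/0",      "192.168.0.1", "em0"),
    ("127.0.0.1/32",   "link#10",     "lo0"),
    ("192.168.0.0/24", "link#7",      "em0"),
    ("192.168.0.3/32", "link#7",      "lo0"),
]


def lookup(table, dst):
    """Longest-prefix match, as the kernel does it.

    Returns (prefix, gateway, netif) of the most specific route covering dst.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, netif in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1], best[2]


def egress_interface(table, dst):
    """Interface a packet to dst leaves on under this routing table."""
    return lookup(table, dst)[2]


def dns_reachability(table, resolvers):
    """Map each resolv.conf nameserver to the interface its queries exit on."""
    return {r: egress_interface(table, r) for r in resolvers}


def private_resolvers_routed_into_tunnel(table, resolvers, tunnel_if="tun0"):
    """The actual check: RFC 1918 resolvers that the table sends down the tunnel.

    A private address on the far side of a commercial VPN is not reachable, so
    any resolver listed here will cause 'Host name lookup failure' once the
    tunnel is up, exactly as seen in the thread.
    """
    return [
        r for r in resolvers
        if ipaddress.ip_address(r).is_private
        and egress_interface(table, r) == tunnel_if
    ]


if __name__ == "__main__":
    old_resolvers = ["192.168.4.100", "192.168.8.100"]  # from the original resolv.conf
    new_resolvers = ["208.67.220.220", "208.67.222.222"]  # OpenDNS, from the fix

    for dst in ["74.125.132.106", "192.168.0.1", "68.233.247.240", "192.168.4.100"]:
        print(f"{dst:>16} -> VPN up: {lookup(ROUTES_VPN_UP, dst)}")
        print(f"{'':>16}    VPN down: {lookup(ROUTES_VPN_DOWN, dst)}")

    print("old resolvers, VPN up:", dns_reachability(ROUTES_VPN_UP, old_resolvers))
    print("new resolvers, VPN up:", dns_reachability(ROUTES_VPN_UP, new_resolvers))
    print("broken by the tunnel :", private_resolvers_routed_into_tunnel(ROUTES_VPN_UP, old_resolvers))
```

Two things worth noting from the output. With the OpenDNS addresses, DNS queries take `tun0` whenever the tunnel is up, so name resolution no longer leaks to the LAN resolver while "everything" is supposed to go via the VPN; but with the tunnel down those same queries go out `em0` to `192.168.0.1` in the clear, so a setup that must never leak still needs a firewall rule that blocks non-LAN traffic on `em0` while `tun0` is absent. And the `/32` to `68.233.247.240` via `em0` is the one route the whole arrangement depends on: if it were missing, the `0.0.0.0/1` route would send the encrypted UDP packets into the tunnel they are carrying.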


----------

