OpenVPN - How to access remote router and DNS leaks?

jkroeder

Member
Dec 7, 2009
165
0
71
I've been using a fairly basic PPTP setup on my home router. I know it's not secure but it's the easiest to use.

Now I want to switch to OpenVPN but I can't quite get it to work the same.


My Setup:
Asus N66U with Shibby Tomato firmware with OpenVPN support
OSX laptop with Viscosity or Tunnelblick clients

Screenshots of Tomato OpenVPN config

https://i.imgur.com/62fwPG0.png
https://i.imgur.com/uxQ4KSU.png

OVPN File Contents

client
dev tun
proto udp
remote serverIPaddress 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
I've got it up and running. I can connect to it just fine. If I go to a site like ipleak.net and check my IP address, I get the IP of my home router. So far, so good.

Now I have two issues.

1) If I'm connecting from a friend's wifi and his router has the same gateway (192.168.1.1) and I try to access my home router's gateway, it goes to his router instead.

2) When I check ipleak.net, it is saying my DNS requests are leaking. It shows this by showing my friend's ISP's DNS servers instead of the ISP I use at home.



I'm thinking these two issues are client based. I tried using the "OpenVPN for Android" app on my Nexus 6P and imported my config. Neither of the above two issues are present.

In the Viscosity OpenVPN client, I have the option "Send all traffic through VPN connection" enabled.

Would appreciate any ideas. Hopefully these are pretty basic questions. Thanks.
 

jkroeder

Thanks.


I'll try changing the range when I get the chance. At the same time though, if I connect with my phone, I don't experience this issue at all. It goes straight to my home router. I can't pinpoint the difference. And yes, I'm connecting through wifi of course and not my mobile data.

I can't connect to or start the OpenVPN server at all with "block-outside-dns" entered but that must be because it's running a version older than 2.3.9. I'll try that later too when I can upgrade.
 

freeskier93

Senior member
Apr 17, 2015
487
19
81
Unless there's something weird about OpenVPN, you should still be able to connect, even if the subnets are the same. The issue usually arises when you try to access another device. For example, I run L2TP on my router; when I VPN from my parents' house to RDP into my desktop, it won't work because we have the same 192.168.1.0/24 subnet. I can still establish the VPN connection though.

On your phone are you connected to wifi or cellular when you connect to the VPN?
 

jkroeder

Unless there's something weird about OpenVPN, you should still be able to connect, even if the subnets are the same. The issue usually arises when you try to access another device. For example, I run L2TP on my router; when I VPN from my parents' house to RDP into my desktop, it won't work because we have the same 192.168.1.0/24 subnet. I can still establish the VPN connection though.

On your phone are you connected to wifi or cellular when you connect to the VPN?

Yeah, mxnerd suggested I could change my subnet to get around this.

On my phone, I am connecting through wifi when I am testing OpenVPN.

That's why I think it's a client side configuration issue. I am leaving all clients I am testing with on their default settings. The router/server settings are shown in the screenshots in the first post.

PPTP doesn't seem to be bothered with these things and is so much simpler to set up. Too bad that means the security sucks too.
 

jkroeder

Welp. I just tested it with a Windows 10 laptop with the latest OpenVPN GUI. And just like my phone, everything works as I was hoping.

Instead of going to my friend's router @ 192.168.1.1, it went to my home router. That's without having to change the subnet range.

Going to ipleak.net, there's no DNS leak.

So, I'm not sure what it is yet. But it seems like there's an issue here either with OSX or the clients, i.e. Tunnelblick and Viscosity.

But I can't pinpoint what the issue is yet.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
According to OpenVPN Howto:

https://openvpn.net/index.php/open-source/documentation/howto.html

Numbering private subnets

Setting up a VPN often entails linking together private subnets from different locations.

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (codified in RFC 1918):

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

While addresses from these netblocks should normally be used in VPN configurations, it's important to select addresses that minimize the probability of IP address or subnet conflicts. The types of conflicts that need to be avoided are:

conflicts from different sites on the VPN using the same LAN subnet numbering, or
remote access connections from sites which are using private subnets which conflict with your VPN subnets.

For example, suppose you use the popular 192.168.0.0/24 subnet as your private LAN subnet. Now you are trying to connect to the VPN from an internet cafe which is using the same subnet for its WiFi LAN. You will have a routing conflict because your machine won't know if 192.168.0.1 refers to the local WiFi gateway or to the same address on the VPN.

As another example, suppose you want to link together multiple sites by VPN, but each site is using 192.168.0.0/24 as its LAN subnet. This won't work without adding a complexifying layer of NAT translation, because the VPN won't know how to route packets between multiple sites if those sites don't use a subnet which uniquely identifies them.

The best solution is to avoid using 10.0.0.0/24 or 192.168.0.0/24 as private LAN network addresses. Instead, use something that has a lower probability of being used in a WiFi cafe, airport, or hotel where you might expect to connect from remotely. The best candidates are subnets in the middle of the vast 10.0.0.0/8 netblock (for example 10.66.77.0/24).

And to avoid cross-site IP numbering conflicts, always use unique numbering for your LAN subnets.

===

Don't know how yours really works. If you are testing your phone with your laptop, I guess you did not disable mobile data on your phone. You probably think you are using smartphone WiFi, but actually you are using mobile data link.
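To make the routing conflict in the HOWTO text concrete, here is an added example (not code from the thread or from OpenVPN) that models the client's route table after "Send all traffic through VPN" and runs a longest-prefix lookup against it. The interface names, the metrics and the rule that a directly connected wifi route beats a tun route of equal prefix length are assumptions for the model; real operating systems differ in how they break that tie, which is consistent with the different results the thread reports per client.

```python
import ipaddress

# Constructed route table modelled on the thread's scenario: the laptop is on a
# friend's wifi while the OpenVPN client (redirect-gateway, i.e. "Send all
# traffic through VPN") has added the home LAN route plus the two /1 routes
# through the tun interface. Metrics are an assumption of this model.
def build_routes(local_lan, home_lan, local_metric=0, vpn_metric=1):
    """Return (network, interface, metric) entries for the client's route table."""
    return [
        (ipaddress.ip_network(local_lan), "wifi", local_metric),
        (ipaddress.ip_network(home_lan), "tun0", vpn_metric),
        (ipaddress.ip_network("0.0.0.0/1"), "tun0", vpn_metric),    # redirect-gateway
        (ipaddress.ip_network("128.0.0.0/1"), "tun0", vpn_metric),  # redirect-gateway
    ]

def route_lookup(routes, dst):
    """Longest-prefix match, ties broken by the lowest metric; returns the interface."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, metric in routes:
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None

def subnet_conflict(local_lan, home_lan):
    """True when the visited LAN and the home LAN overlap (RFC 1918 reuse)."""
    return ipaddress.ip_network(local_lan).overlaps(ipaddress.ip_network(home_lan))

def pick_home_subnet(known_lans, candidate="10.66.77.0/24"):
    """Start from the HOWTO's suggested subnet and step through 10/8 until no overlap."""
    net = ipaddress.ip_network(candidate)
    known = [ipaddress.ip_network(n) for n in known_lans]
    while any(net.overlaps(k) for k in known):
        nxt = ipaddress.ip_address(int(net.network_address) + net.num_addresses)
        net = ipaddress.ip_network(f"{nxt}/{net.prefixlen}")
    return str(net)

if __name__ == "__main__":
    same = build_routes("192.168.1.0/24", "192.168.1.0/24")
    fixed = build_routes("192.168.1.0/24", "10.66.77.0/24")
    print("192.168.1.1 with clashing LANs ->", route_lookup(same, "192.168.1.1"))
    print("10.66.77.1 after renumbering  ->", route_lookup(fixed, "10.66.77.1"))
    print("suggested home subnet:", pick_home_subnet(["192.168.1.0/24"]))
```

With identical /24s the directly connected wifi route wins the tie, so 192.168.1.1 never enters the tunnel; once the home LAN is renumbered the tun route is the only match.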
 

jkroeder

I understand the logic of what you're describing mxnerd and I agree with you. I'm just not sure why I'm experiencing two different results.

Same OpenVPN server.
Same remote secondary network
Same .ovpn configuration client files on all systems I've tried it with

Works on Android phone with OpenVPN on Android app
Works on Surface Pro 3 w/ OpenVPN GUI latest release

Doesn't work on MBP w/ either Viscosity or Tunnelblick

And yeah, I am definitely not going through the mobile data. Also, in the post above yours, I experienced the same result as the phone using a Surface Pro 3.
 

jkroeder

Anyway, thought I'd provide an update.

mxnerd, you were right all along. All I had to do was change the IP range and both problems are gone.

I understood the logic behind changing the range and why it would help me resolve the conflict between the two routers. I don't quite understand why it also helps with the DNS leak issue but I'm not complaining.

I also don't understand why my Android phone and a Surface Pro 3 worked fine without having to change the IP range and my MBP didn't. But all is well now.

Thanks mxnerd and freeskier93
 