#1 2015-04-30 12:01:18

konradsa
Member
Registered: 2015-04-30
Posts: 7

[SOLVED] Need help, OpenVPN not routing

Hi,

I need help with my OpenVPN setup. I am running the latest ArchLinux on a Pogoplug E02. The issue I have is that it used to work, but then I installed sshguard and I noticed I need iptables running in order for sshguard to work. I brought up iptables, but since then I am not able to receive any data anymore on the client. The connection comes up fine, and also I see DNS requests in the server logs (I am running dnsmasq as well on the pogo), but there is no data flowing back to the client. Since this started with me bringing up iptables, I think it must be a firewall issue, but I have not been able to get it working again, no matter what I tried.

Here is my setup:
- Pogo plug at 192.168.1.201
- Router at 192.168.1.1
- Router forwards dns requests to dnsmasq on 192.168.1.201

local 192.168.1.201 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
proto udp #Some people prefer to use tcp. Don't change it if you don't know.
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/pogo.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/pogo.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.0 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 192.168.1.1" # This should already match your router address and not need to be changed.
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

client
dev tun
proto udp
remote xxxx.ddns.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20

[root@pogo ~]# iptables -nvL
Chain INPUT (policy ACCEPT 211 packets, 27415 bytes)
 pkts bytes target     prot opt in     out     source               destination 
   52  5577 sshguard   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 181 packets, 20149 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain sshguard (1 references)
 pkts bytes target     prot opt in     out     source               destination

[root@pogo ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24          anywhere             to:192.168.1.201

Last edited by konradsa (2015-05-01 13:38:53)


#2 2015-04-30 12:05:12

konradsa
Member
Registered: 2015-04-30
Posts: 7

Re: [SOLVED] Need help, OpenVPN not routing

Here is the log of the client when connecting:

Try to start OpenVPN connection xxxx
Thu Apr 30 08:01:38 2015 OpenVPN 2.3.3 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Apr  9 2014
Thu Apr 30 08:01:38 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Apr 30 08:01:38 2015 Control Channel Authentication: tls-auth using INLINE static key file
Thu Apr 30 08:01:38 2015 UDPv4 link local: [undef]
Thu Apr 30 08:01:38 2015 UDPv4 link remote: [AF_INET]192.168.1.201:1194

Thu Apr 30 08:01:39 2015 [pogo] Peer Connection Initiated with [AF_INET]192.168.1.201:1194
Thu Apr 30 08:01:41 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Apr 30 08:01:41 2015 open_tun, tt->ipv6=0
Thu Apr 30 08:01:41 2015 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{3A73971A-6390-449F-B275-BF7374A030EB}.tap
Thu Apr 30 08:01:41 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {3A73971A-6390-449F-B275-BF7374A030EB} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Thu Apr 30 08:01:41 2015 Successful ARP Flush on interface [28] {3A73971A-6390-449F-B275-BF7374A030EB}
Thu Apr 30 08:01:46 2015 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists.   [status=5010 if_index=28]
Thu Apr 30 08:01:46 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Apr 30 08:01:46 2015 Initialization Sequence Completed
Thu Apr 30 08:01:41 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Apr 30 08:01:41 2015 open_tun, tt->ipv6=0
Thu Apr 30 08:01:41 2015 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{3A73971A-6390-449F-B275-BF7374A030EB}.tap
Thu Apr 30 08:01:41 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {3A73971A-6390-449F-B275-BF7374A030EB} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Thu Apr 30 08:01:41 2015 Successful ARP Flush on interface [28] {3A73971A-6390-449F-B275-BF7374A030EB}

Last edited by konradsa (2015-04-30 12:05:34)


#3 2015-04-30 14:19:30

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: [SOLVED] Need help, OpenVPN not routing

Show your iptables config properly:

iptables-save


#4 2015-04-30 14:24:15

konradsa
Member
Registered: 2015-04-30
Posts: 7

Re: [SOLVED] Need help, OpenVPN not routing

brebs wrote:

Show your iptables config properly:

iptables-save

Here you go:

[root@pogo ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Apr 30 10:22:23 2015
*nat
:PREROUTING ACCEPT [4166:473901]
:INPUT ACCEPT [2175:372944]
:OUTPUT ACCEPT [7266:783526]
:POSTROUTING ACCEPT [7266:783526]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.201
COMMIT
# Completed on Thu Apr 30 10:22:23 2015
# Generated by iptables-save v1.4.21 on Thu Apr 30 10:22:23 2015
*filter
:INPUT ACCEPT [27327:5962852]
:FORWARD ACCEPT [167:10344]
:OUTPUT ACCEPT [23017:2696399]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
COMMIT
# Completed on Thu Apr 30 10:22:23 2015


#5 2015-04-30 23:29:44

konradsa
Member
Registered: 2015-04-30
Posts: 7

Re: [SOLVED] Need help, OpenVPN not routing

Also, ip_forwarding is turned on, forgot to mention that.

[root@pogo ~]# sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.tun0.forwarding = 0
net.ipv6.conf.tun0.mc_forwarding = 0


#6 2015-05-01 11:23:39

konradsa
Member
Registered: 2015-04-30
Posts: 7

Re: [SOLVED] Need help, OpenVPN not routing

Ok, got it to work, had to add some forwarding rules between eth0 and tun0. Does this look correct now?

[root@pogo openvpn]# iptables-save
# Generated by iptables-save v1.4.21 on Fri May  1 07:20:55 2015
*nat
:PREROUTING ACCEPT [161:17402]
:INPUT ACCEPT [63:12242]
:OUTPUT ACCEPT [200:23878]
:POSTROUTING ACCEPT [200:23878]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri May  1 07:20:55 2015
# Generated by iptables-save v1.4.21 on Fri May  1 07:20:55 2015
*filter
:INPUT ACCEPT [7231:1167206]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [9158:9349872]
:sshguard - [0:0]
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A sshguard -s 221.229.166.30/32 -j DROP
-A sshguard -s 221.229.166.98/32 -j DROP
-A sshguard -s 221.229.166.29/32 -j DROP
COMMIT
# Completed on Fri May  1 07:20:55 2015

Last edited by konradsa (2015-05-01 11:24:20)


#7 2015-05-02 13:46:00

konradsa
Member
Registered: 2015-04-30
Posts: 7

Re: [SOLVED] Need help, OpenVPN not routing

Ok, it broke again this morning after a reboot, and I finally figured out the reason for it. It's just the stuff that pisses people off and makes them give up on Linux. I had a working setup for a while, and a recent change in systemd broke it. I can't imagine I am the only one that is affected by this. It will happen to you too if you do a pacman -Syu and then reboot.

So disregard my post about the forwarding rules, that's not the reason why it broke. Note my sysctl output above:

net.ipv4.conf.eth0.forwarding = 0  <--- THIS IS BAD!!!
...
net.ipv4.ip_forward=1

It used to be enough to set net.ipv4.ip_forward to 1 and that would affect all interfaces, but that's not the case anymore: thanks to https://bugs.freedesktop.org/show_bug.cgi?id=89509, this behavior has changed. In order to have the desired effect now, you need to go to /etc/systemd/network and add

IPForward=yes

to all interfaces that you need it for.

Now I don't need the iptables forwarding rules anymore, just the single masquerade rule is required for OpenVPN to work.

Last edited by konradsa (2015-05-02 13:47:16)

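
Added example, not from the thread or from systemd: a POSIX shell script that reads sysctl-style output (a constructed sample modelled on the one posted above) and lists the interfaces where net.ipv4.conf.<if>.forwarding is 0 even though net.ipv4.ip_forward is 1, then prints the systemd-networkd stanza that turns forwarding on for that interface. The kernel consults the per-interface value for packets arriving on that interface, so eth0 showing 0 is exactly the gap this post describes; the [Match] Name= and the .network file name are assumptions to adapt to the host.

```shell
#!/bin/sh
# Added example (not from the thread): find interfaces where IPv4 forwarding
# is off although the global net.ipv4.ip_forward knob is on, and emit the
# systemd-networkd stanza that fixes it. Input mirrors `sysctl -a | grep forward`.

# Constructed sample, modelled on the sysctl output posted in the thread.
SAMPLE_SYSCTL='net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.eth0.forwarding = 0'

# Print one interface name per line for every net.ipv4.conf.<if>.forwarding = 0
# seen while net.ipv4.ip_forward = 1. Prints nothing when the global knob is 0,
# because then nothing forwards anyway and the per-interface values are moot.
forwarding_gaps() {
    printf '%s\n' "$1" | awk '
        /^net\.ipv4\.ip_forward = / { global = $3 }
        /^net\.ipv4\.conf\.[^.]+\.forwarding = 0$/ {
            split($1, f, "."); ifc = f[4]
            if (ifc != "all" && ifc != "default") gaps = gaps ifc "\n"
        }
        END { if (global == 1) printf "%s", gaps }'
}

# Emit a systemd.network fragment enabling forwarding for one interface.
# The Name= match is an assumption; match on MAC or driver if that suits better.
networkd_forward_stanza() {
    printf '[Match]\nName=%s\n\n[Network]\nIPForward=yes\n' "$1"
}

# Stand-alone run: report each gap and print the fix for it.
for ifc in $(forwarding_gaps "$SAMPLE_SYSCTL"); do
    echo "forwarding disabled on $ifc; add to /etc/systemd/network/<name>.network:"
    networkd_forward_stanza "$ifc"
done
```

Run it against the live host with `forwarding_gaps "$(sysctl -a 2>/dev/null | grep forward)"` after a reboot to confirm the .network change actually took effect.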

#8 2015-06-07 13:20:45

klausenbusk
Member
Registered: 2012-08-04
Posts: 16

Re: [SOLVED] Need help, OpenVPN not routing

konradsa wrote:

[...] I can't image I am the only one that is affected by this.[...]

[...]
Now I don't need the iptables forwarding rules anymore, just the single masquerade rule is required for OpenVPN to work.

I was also affected :) I do not use my VPN server much anymore, so I have not spent much time investigating it. Just saw your thread, so thanks!
They also added an IPMasquerade= option, so you don't even need to apply any iptables rules. Though it seems like UFW "overwrites" it. Dunno.

IPMasquerade=
           Configures IP masquerading for the network interface. If enabled
           packets forwarded from the network interface will appear as
           coming from the local host. Takes a boolean argument. Implies
           IPForward=yes.

