
#1 2016-04-25 19:33:19

lisinge
Member
Registered: 2016-01-11
Posts: 5

Possible routing issues with OpenVPN

I'm trying to use OpenVPN on my arch box to be able to route some traffic through an OpenVPN connection, but not all traffic.
But I'm having trouble trying to use my OpenVPN tunnel when using for example

curl --interface tun0 --ipv4 ifconfig.co

Curl will just stand there and chew. I've tried to use tcpdump to look, and this is what I can see:

sudo tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
21:26:47.157506 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86206754 ecr 0,nop,wscale 7], length 0
21:26:47.175936 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89410613 ecr 86206754,nop,wscale 7], length 0
21:26:48.159089 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86207055 ecr 0,nop,wscale 7], length 0
21:26:48.177388 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89410863 ecr 86206754,nop,wscale 7], length 0
21:26:49.350452 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89411157 ecr 86206754,nop,wscale 7], length 0
21:26:50.162463 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86207656 ecr 0,nop,wscale 7], length 0
21:26:50.180780 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89411364 ecr 86206754,nop,wscale 7], length 0
21:26:54.175887 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86208860 ecr 0,nop,wscale 7], length 0
21:26:54.194130 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89412367 ecr 86206754,nop,wscale 7], length 0
21:26:58.350110 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89413407 ecr 86206754,nop,wscale 7], length 0
21:27:02.189071 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86211264 ecr 0,nop,wscale 7], length 0
21:27:02.207028 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89414371 ecr 86206754,nop,wscale 7], length 0

My OpenVPN config looks like this

client
user nobody
group nobody
auth-retry nointeract
dev tun
proto udp
remote pool.prd.se.ovpn.se 1194
remote pool.prd.se.ovpn.se 1195
dhcp-option DNS 46.227.67.134
dhcp-option DNS 46.227.67.135
remote-random
remote-cert-tls server
cipher AES-256-CBC
pull
nobind
auth-user-pass /etc/openvpn/ovpn.se.cred
reneg-sec 432000
resolv-retry infinite
comp-lzo
verb 4
mute-replay-warnings
replay-window 256
persist-key
persist-tun
ca /etc/openvpn/ovpn-ca.crt
tls-auth /etc/openvpn/ovpn-tls.key 1
script-security 2
route-nopull

My iptables looks like this

# Generated by iptables-save v1.6.0 on Mon Apr 25 00:27:51 2016
*nat
:PREROUTING ACCEPT [3262:437462]
:INPUT ACCEPT [171:18235]
:OUTPUT ACCEPT [1901:151707]
:POSTROUTING ACCEPT [1734:132967]
-A POSTROUTING -s 10.128.0.0/16 -o enp3s0 -j MASQUERADE
-A POSTROUTING -s 10.128.0.0/24 -o enp3s0 -j MASQUERADE
-A POSTROUTING -o enp3s0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 25 00:27:51 2016
# Generated by iptables-save v1.6.0 on Mon Apr 25 00:27:51 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [38410:467842615]
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun+ -o enp3s0 -j ACCEPT
-A FORWARD -i enp3s0 -o tun+ -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Apr 25 00:27:51 2016

ip addr gives

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether d0:50:99:52:b3:6d brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.10/24 brd 10.0.0.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::febb:c610:7e4c:e134/64 scope link
       valid_lft forever preferred_lft forever
32: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
    link/none
    inet 10.128.0.37/16 brd 10.128.255.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2a03:8600:1003:101:96c0:ee8d:9162:4fd0/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::48f2:b482:4ab6:fb52/64 scope link flags 800
       valid_lft forever preferred_lft forever

ip route gives

default via 10.0.0.1 dev enp3s0  src 10.0.0.10  metric 202
10.0.0.0/24 dev enp3s0  proto kernel  scope link  src 10.0.0.10  metric 202
10.128.0.0/16 dev tun0  proto kernel  scope link  src 10.128.0.37
~ $ sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.enp3s0.forwarding = 1
net.ipv4.conf.enp3s0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.enp3s0.stable_secret"
net.ipv6.conf.enp3s0.forwarding = 1
net.ipv6.conf.enp3s0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.tun0.forwarding = 1
net.ipv6.conf.tun0.mc_forwarding = 0

I'm not a network guy, so it's quite possible that I've missed something silly.

Last edited by lisinge (2016-04-25 20:41:35)
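Added example, not from the thread: a small Python parser that reads tcpdump lines like the ones quoted in the post and classifies each TCP flow by its handshake state. The capture above shows the pattern the script labels "stalled": the SYN leaves on tun0, the SYN-ACK arrives on tun0, yet the client keeps retransmitting the SYN. Since tcpdump sees the SYN-ACK, that pattern is consistent with the reply being discarded on the host after capture (routing or filtering) rather than being lost in the tunnel; the hostname and addresses are the post's own, and the SAMPLE is a trimmed copy of its output.

```python
import re
from dataclasses import dataclass
# Constructed sample: a trimmed copy of the tcpdump lines quoted in the post.
SAMPLE = """\
21:26:47.157506 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86206754 ecr 0,nop,wscale 7], length 0
21:26:47.175936 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89410613 ecr 86206754,nop,wscale 7], length 0
21:26:48.159089 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86207055 ecr 0,nop,wscale 7], length 0
21:26:48.177388 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89410863 ecr 86206754,nop,wscale 7], length 0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]")

def split_endpoint(ep):
    # "188.113.88.193.http" -> ("188.113.88.193", "http"): the last dot separates host and port
    host, _, port = ep.rpartition(".")
    return host, port

@dataclass
class Flow:
    syn: int = 0            # SYNs sent by the initiator
    synack: int = 0         # SYN-ACKs seen coming back from the responder
    initiator_ack: int = 0  # any non-SYN segment with ACK from the initiator (handshake done)

def parse(text):
    flows = {}  # (initiator, responder) -> Flow, keyed from the side that sent the SYN
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, flags = split_endpoint(m["src"]), split_endpoint(m["dst"]), m["flags"]
        if "S" in flags and "." not in flags:       # pure SYN: src is the initiator
            flows.setdefault((src, dst), Flow()).syn += 1
        elif "S" in flags:                           # SYN-ACK: dst is the initiator
            if (dst, src) in flows:
                flows[(dst, src)].synack += 1
        elif "." in flags and (src, dst) in flows:   # initiator's ACK (or a later segment)
            flows[(src, dst)].initiator_ack += 1
    return flows
def classify(flow):
    if flow.initiator_ack:
        return "completed"
    if flow.synack and flow.syn > 1:
        return "stalled: SYN-ACK reached the interface but the client kept resending SYN"
    if not flow.synack:
        return "unanswered: no SYN-ACK seen"
    return "in progress"

def report(text):
    return {f"{i[0]}:{i[1]} -> {r[0]}:{r[1]}": classify(fl) for (i, r), fl in parse(text).items()}
```

Run it on a full `tcpdump -n -i tun0` capture to separate flows that never get a reply (a tunnel or upstream problem) from flows whose reply arrives but is never acknowledged (a host-side problem).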


#2 2016-04-25 20:40:20

brebs
Member
Registered: 2007-04-03
Posts: 3,742

Re: Possible routing issues with OpenVPN

Did you mean ifconfig.co? Check your spelling.

Also, your iptables rules are a mess.


#3 2016-04-25 20:43:33

lisinge
Member
Registered: 2016-01-11
Posts: 5

Re: Possible routing issues with OpenVPN

brebs wrote:

Did you mean ifconfig.co? Check your spelling.

Yes, it was only misspelled in my post; I fixed it.

brebs wrote:

Also, your iptables rules are a mess.

Care to elaborate? How can I improve them, and could that be the source of my issue?

