When I try to connect to the server, everything gets completed successfully. The server's tun0 gets the ip address 10.8.0.1 & client's tun0 gets the ip address 10.8.0.6. From either of the systems, I can ping the other. My ISP's connection gets the address something like 123.*. What is it that I need to route all my traffic through VPN?
I also tried doing
curl --interface tun0 checkip.dyndns.org
but it was being timed out.
This is the log when the client connects to the server: (partial)
Fri Jun 8 10:16:06 2012 [aws_ec2] Peer Connection Initiated with 1.2.3.4:1194
Fri Jun 8 10:16:08 2012 SENT CONTROL [aws_ec2]: 'PUSH_REQUEST' (status=1)
Fri Jun 8 10:16:08 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Fri Jun 8 10:16:08 2012 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jun 8 10:16:08 2012 OPTIONS IMPORT: --ifconfig/up options modified
Fri Jun 8 10:16:08 2012 OPTIONS IMPORT: route options modified
Fri Jun 8 10:16:08 2012 ROUTE default_gateway=123.237.128.1
Fri Jun 8 10:16:08 2012 TUN/TAP device tun0 opened
Fri Jun 8 10:16:08 2012 TUN/TAP TX queue length set to 100
Fri Jun 8 10:16:08 2012 /usr/sbin/ip link set dev tun0 up mtu 1500
Fri Jun 8 10:16:08 2012 /usr/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Fri Jun 8 10:16:08 2012 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Fri Jun 8 10:16:08 2012 Initialization Sequence Completed
Server says something like:
Fri Jun 8 04:48:24 2012 123.237.129.201:58931 [macbookpro] Peer Connection Initiated with 123.237.129.201:58931
Fri Jun 8 04:48:24 2012 macbookpro/123.237.129.201:58931 MULTI: Learn: 10.8.0.6 -> macbookpro/123.237.129.201:58931
Fri Jun 8 04:48:24 2012 macbookpro/123.237.129.201:58931 MULTI: primary virtual IP for macbookpro/123.237.129.201:58931: 10.8.0.6
Fri Jun 8 04:48:26 2012 macbookpro/123.237.129.201:58931 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jun 8 04:48:26 2012 macbookpro/123.237.129.201:58931 SENT CONTROL [macbookpro]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Routing table at the client side is:
shadyabhi@MBP-archlinux ~ $ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 123.237.128.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
123.237.128.0 0.0.0.0 255.255.248.0 U 0 0 0 eth0
shadyabhi@MBP-archlinux ~
Server.conf:
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/aws_ec2.crt
key /etc/openvpn/aws_ec2.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Client.conf:
client
dev tun
proto udp
remote ec2-server.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/macbookpro.crt
key /etc/openvpn/macbookpro.key
ns-cert-type server
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 3
Last edited by shadyabhi (2012-06-08 10:58:30)
My blog:-
http://blog.abhijeetr.com
Did you activate masquerading on your server? This is required if you want your VPN network to be able to reach internet IPs.
Did you activate masquerading on your server? This is required if you want your VPN network to be able to reach internet IPs.
Can you please tell me, according to my setup, what command should I write? I only did what was told till section 5 of the arch wiki. https://wiki.archlinux.org/index.php/Op … figuration
Last edited by shadyabhi (2012-06-08 05:39:42)
My blog:-
http://blog.abhijeetr.com
Okay, that's not really indicated on the wiki. Basically, when the connection arrives on your openvpn server, it doesn't know what to do because it's not the destination IP.
What you need is a firewall such as shorewall to configure routing. It's not a problem concerning your VPN, you just need to set up masquerading between your VPN interface (tun0) and internet interface (eth0 ?).
Plain old iptables will do just fine. See this section of the wiki article for instructions.
Burninate!
Plain old iptables will do just fine. See this section of the wiki article for instructions.
I executed the required commands and now my iptables look like [on the server]
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
[root@ip-10-160-86-230 shadyabhi]# iptables -L -t nat -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.8.0.0/24 0.0.0.0/0
[root@ip-10-160-86-230 shadyabhi]#
My routing table, before & after connecting looks like: [on the client]
[root@MBP-archlinux shadyabhi]# ip route
default via 123.237.128.1 dev eth0 proto static
123.237.128.0/21 dev eth0 proto kernel scope link src 123.237.128.173
[root@MBP-archlinux shadyabhi]# ip route
default via 123.237.128.1 dev eth0 proto static
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
123.237.128.0/21 dev eth0 proto kernel scope link src 123.237.128.173
[root@MBP-archlinux shadyabhi]#
I am still getting timeout when I do $curl --interface tun0 checkip.dyndns.org on the client. On the server, doing $curl --interface tun0 checkip.dyndns.org works just fine.
I have NOT done this in the server.conf of openvpn
push "dhcp-option DNS 192.168.1.1"
push "redirect-gateway def1"
because doing that also it didn't work.
Also, I tried looking at this post https://bbs.archlinux.org/viewtopic.php?id=91071 and tried running the two commands:
route add -net <public-openvpn-ip> netmask 255.255.255.255 gw 192.168.0.1 dev eth0
route add default gw 10.8.0.1 dev tap0
The first command results in error.
shadyabhi@MBP-archlinux ~ $ sudo route add -net 1.2.3.4 netmask 255.255.255.255 gw 192.168.0.1 dev eth0
SIOCADDRT: No such process
shadyabhi@MBP-archlinux ~ $
To solve this, I looked at this post http://www.symantec.com/business/suppor … TECH142841 and as soon as I ran $sudo route add -host 1.2.3.4 dev eth0 , my VPN connection started saying host unreachable. How do I solve this?
Last edited by shadyabhi (2012-06-08 09:28:51)
My blog:-
http://blog.abhijeetr.com
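As an added check (not from the thread), this script audits the two server-side pieces the replies above settled on, IPv4 forwarding and a POSTROUTING MASQUERADE or SNAT for 10.8.0.0/24, from captured state; the sample rule text in its comments is constructed to match the iptables output shown in this post.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two server-side pieces that
# the replies above settled on, IPv4 forwarding and a POSTROUTING source NAT
# for the VPN subnet. State is passed in as strings so the check can run
# against captured output; on the live server call it as
#   vpn_nat_audit "$(cat /proc/sys/net/ipv4/ip_forward)" \
#                 "$(iptables -t nat -S POSTROUTING)" 10.8.0.0/24 eth0
# Constructed sample of the rule text it expects (as "iptables -S" prints it):
#   -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# Returns 0 when both pieces are present, 1 otherwise, printing what is missing.

vpn_nat_audit() {
    forward="$1"; rules="$2"; subnet="$3"; wan="$4"; rc=0
    if [ "$forward" != "1" ]; then
        echo "MISSING: ip_forward is '$forward', need 1 (echo 1 > /proc/sys/net/ipv4/ip_forward)"
        rc=1
    fi
    # Either MASQUERADE or an explicit SNAT for the subnet will do.
    if ! printf '%s\n' "$rules" | grep -Eq -- "^-A POSTROUTING -s $subnet .*-j (MASQUERADE|SNAT)"; then
        echo "MISSING: POSTROUTING MASQUERADE/SNAT rule for $subnet"
        rc=1
    elif ! printf '%s\n' "$rules" | grep -Eq -- "^-A POSTROUTING -s $subnet -o $wan "; then
        # Still works, but without -o the rule also rewrites VPN-to-VPN traffic.
        echo "WARN: NAT rule for $subnet is not restricted to -o $wan"
    fi
    return $rc
}
```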
Enabling the following (serverside) is needed for starters, because it'll basically tell your client to route all traffic through the vpn tunnel (changing the default route which is not being done now).
push "redirect-gateway def1"
Burninate!
Enabling the following (serverside) is needed for starters, because it'll basically tell your client to route all traffic through the vpn tunnel (changing the default route which is not being done now).
push "redirect-gateway def1"
Doing that changed the routing table to
shadyabhi@MBP-archlinux ~ $ ip route
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 123.237.128.1 dev eth0
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
123.237.128.0/21 dev eth0 proto kernel scope link src 123.237.128.173
128.0.0.0/1 via 10.8.0.5 dev tun0
1.2.3.4 via 123.237.128.1 dev eth0
shadyabhi@MBP-archlinux ~ $
or if you like route -n :
shadyabhi@MBP-archlinux ~ $ sudo route -n
Password:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 123.237.128.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 0 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
123.237.128.0 0.0.0.0 255.255.248.0 U 0 0 0 eth0
128.0.0.0 10.8.0.5 128.0.0.0 UG 0 0 0 tun0
1.2.3.4 123.237.128.1 255.255.255.255 UGH 0 0 0 eth0
shadyabhi@MBP-archlinux ~ $
But I still can't do $curl --interface tun0 checkip.dyndns.org. It's really frustrating. What else can be wrong? It seems like there are two rules for 0.0.0.0? Are they messing with each other?
The only improvement now is that the VPN connection from the client is not broken due to the "1.2.3.4 123.237.128.1 255.255.255.255 UGH 0 0 0 eth0" rule.
Last edited by shadyabhi (2012-06-08 09:20:52)
My blog:-
http://blog.abhijeetr.com
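To see what def1 actually did to the table above, here is an added check script (not from the thread) that tests a client's ip route output for the three pieces redirect-gateway def1 installs; the sample table and the server address 1.2.3.4 in its test come from this post.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a client's "ip route"
# output shows the layout "push redirect-gateway def1" is meant to produce.
# def1 does not replace the default route. It adds 0.0.0.0/1 and 128.0.0.0/1
# via the tunnel; both are more specific than 0.0.0.0/0, so they win, which is
# why "route -n" lists two 0.0.0.0 rows with different Genmask (128.0.0.0 vs
# 0.0.0.0). The old default stays because a host route to the VPN server via
# the old gateway keeps the tunnel's own UDP packets on the physical link.
# Usage on a live client: vpn_route_check "$(ip route)" tun0 <vpn-server-ip>
# Returns 0 if all pieces are present, 1 otherwise (missing pieces printed).

vpn_route_check() {
    table="$1"; tun="$2"; server="$3"; rc=0
    for net in 0.0.0.0/1 128.0.0.0/1; do
        if ! printf '%s\n' "$table" | grep -Eq "^$net via [0-9.]+ dev $tun( |$)"; then
            echo "MISSING: $net via $tun (redirect-gateway def1 not applied)"
            rc=1
        fi
    done
    # The original default route must survive: the server host route uses its gateway.
    gw=$(printf '%s\n' "$table" | awk '$1=="default" && $2=="via" {print $3; exit}')
    if [ -z "$gw" ]; then
        echo "MISSING: original default route"
        rc=1
    elif ! printf '%s\n' "$table" | grep -Eq "^$server via $gw dev "; then
        echo "MISSING: host route for VPN server $server via $gw (tunnel would route itself)"
        rc=1
    fi
    return $rc
}
```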
Do you have the possibility to do a packet capture on the external interface of the server to check if there are any related packets leaving (verify if they're getting source natted correctly etc)?
Normally the MASQUERADE should do the job just fine in this case; but just for the sake of it try using a specific source NAT statement:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <serverpublicip>
Burninate!
Do you have the possibility to do a packet capture on the external interface of the server to check if there are any related packets leaving (verify if they're getting source natted correctly etc)?
Normally the MASQUERADE should do the job just fine in this case; but just for the sake of it try using a specific source NAT statement:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to <serverpublicip>
Please guide me as to how I do that?
My blog:-
http://blog.abhijeetr.com
For capturing, you can use tcpdump. The SNAT statement is literally as I posted it (fill in the server ip obviously).
Burninate!
For capturing, you can use tcpdump. The SNAT statement is literally as I posted it (fill in the server ip obviously).
So, the actual reason for not being able to open a website on the client was that the DNS was not set properly. I debugged this after I pinged 8.8.8.8 and I was able to ping it successfully. After that I opened /etc/resolv.conf and saw that the nameserver IPs were not updated accordingly. These IPs were the ones which are configured through DHCP by the ISP & they can't be accessed from the outside internet.
So, the real issue that still lasts is, how do I push the DNS setting to the client. I have already set
push "dhcp-option DNS 8.8.8.8"
but this isn't helping. If it is of any help, I use networkmanager to get the DHCP addresses from the ISP. So, it seems like openvpn is not doing the job of updating the resolv.conf.
For the time being, I have set networkmanager to set the DNS addresses manually and set the first one to be 8.8.8.8. But I am really hoping for a better solution where openvpn writes to resolv.conf and also resets resolv.conf after I stop the openvpn process.
Last edited by shadyabhi (2012-06-08 10:45:45)
My blog:-
http://blog.abhijeetr.com
Good to hear you're making some progress.
Setting up a sensible dns configuration consists of 2 phases:
1) Tell openvpn to push a dns config towards the client, which you've already done (push "dhcp-option DNS 8.8.8.8").
2) Set up your client to be able to rotate between resolv.conf configs when on and off the VPN. A decent way of doing this is by using openresolv. The setup instructions are documented here.
Burninate!
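An added example of phase 2, not Gcool's instructions and not openresolv's own update-resolv-conf script: an OpenVPN up/down hook that hands the pushed "dhcp-option DNS" servers to openresolv while the tunnel is up and removes them again when it goes down. It assumes openresolv's resolvconf is installed; the hook path /etc/openvpn/vpn-dns.sh is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or from openresolv): an OpenVPN --up/--down
# hook that feeds pushed DNS options to openresolv so /etc/resolv.conf is
# rewritten for the tunnel and restored when it closes. Client config needs
# (path is a placeholder):
#   script-security 2
#   up   /etc/openvpn/vpn-dns.sh
#   down /etc/openvpn/vpn-dns.sh
# OpenVPN exports pushed options it cannot apply itself as foreign_option_1,
# foreign_option_2, ..., the tunnel device as $dev and "up"/"down" as
# $script_type.

# Print a resolvconf-style config built from the foreign_option_N variables.
pushed_resolv_conf() {
    i=1
    while eval "opt=\${foreign_option_$i}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*)    echo "nameserver ${opt#"dhcp-option DNS "}" ;;
            "dhcp-option DOMAIN "*) echo "search ${opt#"dhcp-option DOMAIN "}" ;;
        esac
        i=$((i + 1))
    done
}

# Act as a hook only when OpenVPN invoked us (script_type set); otherwise the
# file can be sourced to inspect or test pushed_resolv_conf on its own.
case "${script_type:-}" in
    up)   pushed_resolv_conf | resolvconf -a "$dev" ;;
    down) resolvconf -d "$dev" ;;
esac
```

With "push dhcp-option DNS 8.8.8.8" on the server, the up branch writes "nameserver 8.8.8.8" into the resolv.conf that openresolv generates, and the down branch drops that entry so the ISP's DHCP servers come back.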
Set up your client to be able to rotate between resolv.conf configs when on and off the VPN. A decent way of doing this is by using openresolv. The setup instructions are documented here.
Awesome Gcool. You are a man of great talent. Thanks for the help.
My blog:-
http://blog.abhijeetr.com