Hello Arch forum!
I'm trying to set up an OpenVPN server for myself to secure my internet traffic on public networks. I can connect to it, but I cannot access the internet. I have tried both text URLs and IP addresses. Your help is appreciated. Here are my configs and such.
server.conf:
local 10.0.1.3
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/openvpn.crt
key /etc/openvpn/openvpn.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "route 10.0.1.3 255.255.254.0"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
client-to-client
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
client.ovpn:
client
dev tun
proto udp
remote <my public IP> 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert welmac.crt
key welmac.key
ns-cert-type server
tls-auth ta.key 1
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
#ca certificate
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
#certificate
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
#private key
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
#tls key
-----END OpenVPN Static key V1-----
</tls-auth>
Output of iptables -L -t nat -n:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 0.0.0.0/0 to:<my public IP>
MASQUERADE all -- 10.8.0.0/24 0.0.0.0/0
MASQUERADE all -- 10.8.0.0/24 0.0.0.0/0
MASQUERADE all -- 10.8.0.0/24 0.0.0.0/0
I do have port forwarding configured on my router for UDP 1194.
Last edited by cjohnson (2014-06-23 18:23:11)
After you connect, post the output of the following commands from the client
ip a s
ip r s
cat /etc/resolv.conf
mtr google.com
You'll need to install mtr if it's not already installed; it is in [extra]
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
My clients are a Mac and an iPhone. What would equivalent commands be for OS X?
Here's ifconfig (on the Mac):
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=1<PERFORMNUD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 5c:f9:38:9f:51:2c
inet6 fe80::5ef9:38ff:fe9f:512c%en0 prefixlen 64 scopeid 0x4
inet 10.0.1.11 netmask 0xffffff00 broadcast 10.0.1.255
nd6 options=1<PERFORMNUD>
media: autoselect
status: active
en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=60<TSO4,TSO6>
ether 32:00:1f:45:60:00
media: autoselect <full-duplex>
status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=63<RXCSUM,TXCSUM,TSO4,TSO6>
ether 5e:f9:38:f9:39:00
Configuration:
id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
ipfilter disabled flags 0x2
member: en3 flags=3<LEARNING,DISCOVER>
ifmaxaddr 0 port 5 priority 0 path cost 0
nd6 options=1<PERFORMNUD>
media: <unknown type>
status: inactive
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
ether 0e:f9:38:9f:51:2c
media: autoselect
status: inactive
tun0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
open (pid 2881)
Should I find the logs?
My clients are a Mac and an iPhone. What would equivalent commands be for OS X?
I have no idea.
On the Arch box, run this command: tcpdump -lnn -i tun0 host 8.8.8.8
And then run a ping to 8.8.8.8 on the client.
The server printed this:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
13:10:49.297967 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 48132, seq 0, length 64
13:10:50.298532 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 48132, seq 1, length 64
13:10:51.300423 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 48132, seq 2, length 64
13:10:52.301540 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 48132, seq 3, length 64
13:10:53.302736 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 48132, seq 4, length 64
13:10:54.303425 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 48132, seq 5, length 64
13:10:55.304963 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 48132, seq 6, length 64
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel
The client printed:
PING 8.8.8.8 (8.8.8.8): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
^C
--- 8.8.8.8 ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss
Last edited by cjohnson (2014-06-22 17:21:55)
The results of that test made me suspect that this is a problem with my outgoing port settings. Here is the port configuration on my Time Capsule for the VPN:
The server printed this:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
13:10:49.297967 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 48132, seq 0, length 64
13:10:50.298532 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 48132, seq 1, length 64
OK, so the traffic is getting from the client to the server; there's obviously no return traffic.
Run the same command on the "other" side of your server (ie, the interface that goes to the internet) and run the ping again. For example, eth0: tcpdump -lnn -i eth0 host 8.8.8.8
Here are the results:
Client:
PING 8.8.8.8 (8.8.8.8): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
Server:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp4s0, link-type EN10MB (Ethernet), capture size 65535 bytes
19:02:31.608370 IP ***my public IP*** > 8.8.8.8: ICMP echo request, id 65103, seq 0, length 64
19:02:32.611766 IP ***my public IP*** > 8.8.8.8: ICMP echo request, id 65103, seq 1, length 64
19:02:33.610707 IP ***my public IP*** > 8.8.8.8: ICMP echo request, id 65103, seq 2, length 64
19:02:34.612023 IP ***my public IP*** > 8.8.8.8: ICMP echo request, id 65103, seq 3, length 64
19:02:35.612858 IP ***my public IP*** > 8.8.8.8: ICMP echo request, id 65103, seq 4, length 64
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
Well that is indeed interesting. I did expect to see your internal address in that dump, not your public IP (ie, SNAT rules were missing in iptables).
I just re-read your initial post:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.8.0.0/24 0.0.0.0/0 to:<my public IP>
MASQUERADE all -- 10.8.0.0/24 0.0.0.0/0
MASQUERADE all -- 10.8.0.0/24 0.0.0.0/0
MASQUERADE all -- 10.8.0.0/24 0.0.0.0/0
I do have port forwarding configured on my router for UDP 1194.
If you had to configure port forwarding on your router, that suggests that your public IP is *not* actually configured on your server? In that case, you cannot SNAT to your public IP; the router will get all sorts of confused when it sees packets coming in from its own address.
Just use the MASQUERADE rule in POSTROUTING (and you don't need 3); let the kernel work out what address to SNAT to, and let the router handle SNAT'ing to your public IP address.
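The diagnosis in the reply above (a fixed SNAT to the public address on a server that sits behind a NAT router, plus three identical MASQUERADE rules) can be checked mechanically against an `iptables -L -t nat -n` listing. The script below is an added example and not code from the thread: it parses the POSTROUTING chain of a constructed listing shaped like the one the original poster pasted, reports the two findings, and prints the replacement rule set with a single MASQUERADE rule. The address 203.0.113.10 is a documentation placeholder standing in for the poster's public IP, and `enp4s0` is taken from the tcpdump output earlier in the thread as the internet-facing interface; the `ip_forward` sysctl is included because the server must route for the tunnel clients at all, which the thread assumes but never states.

```shell
#!/bin/sh
# Added example, not from the thread: audit the POSTROUTING chain of an
# `iptables -L -t nat -n` listing for SNAT to a fixed public address and for
# duplicated MASQUERADE rules, then emit the commands that replace them with
# one MASQUERADE rule on the internet-facing interface.

# Constructed listing shaped like the one the original poster pasted.
# 203.0.113.10 is a documentation placeholder, not a real public IP.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24          0.0.0.0/0            to:203.0.113.10
MASQUERADE all  --  10.8.0.0/24          0.0.0.0/0
MASQUERADE all  --  10.8.0.0/24          0.0.0.0/0
MASQUERADE all  --  10.8.0.0/24          0.0.0.0/0'

# Constructed listing of the corrected state: one MASQUERADE rule, no SNAT.
CLEAN_NAT='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  10.8.0.0/24          0.0.0.0/0'

# postrouting_rules LISTING: print only the rule lines of the POSTROUTING
# chain; chain headers and the column-title line are dropped.
postrouting_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /         { in_post = ($2 == "POSTROUTING"); next }
        /^target /        { next }
        in_post && NF > 0 { print }'
}

# audit_nat LISTING: print one finding per line, nothing when the chain is clean.
#   SNAT_TO_STATIC <addr>               a fixed --to-source address is in use
#   DUPLICATE_MASQUERADE <src> <dst> xN the same MASQUERADE rule appears N times
audit_nat() {
    postrouting_rules "$1" | awk '
        $1 == "SNAT" {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^to:/) print "SNAT_TO_STATIC " substr($i, 4)
        }
        $1 == "MASQUERADE" { masq[$4 " " $5]++ }
        END {
            for (k in masq)
                if (masq[k] > 1) print "DUPLICATE_MASQUERADE " k " x" masq[k]
        }'
}

# nat_fix_commands LISTING WAN_IF: print the commands that replace the audited
# rules. The chain is flushed because the listing contains nothing but the VPN
# rules; on a host with other POSTROUTING rules, delete the VPN ones by rule
# number instead. Each source network seen in the chain gets exactly one
# MASQUERADE rule bound to the internet-facing interface.
nat_fix_commands() {
    listing=$1
    wan_if=$2
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -F POSTROUTING"
    postrouting_rules "$listing" | awk -v wan="$wan_if" '
        $1 == "SNAT" || $1 == "MASQUERADE" { nets[$4] = 1 }
        END {
            for (n in nets)
                printf "iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n", n, wan
        }'
}

# Usage: audit the constructed listing, then print the fix for enp4s0, the
# internet-facing interface name seen in the tcpdump output in this thread.
audit_nat "$SAMPLE_NAT"
nat_fix_commands "$SAMPLE_NAT" enp4s0
```

On a real server, feed it `"$(iptables -L -t nat -n)"` instead of the constructed string and review the printed commands before running them; the flush is the right move only when, as here, the chain holds nothing but the VPN rules.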
Yes! That has solved it. Thank you for your help. The VPN is connected properly and all HTTP traffic is being correctly routed through it. I'm glad this wasn't a stupid thing that I overlooked.