
#1 Yesterday 03:34:44

tupadown228
Member
Registered: 2022-10-25
Posts: 25

VPN issue...[Open]

Hi, I have installed and configured OpenVPN on my remote machine. This is what I used: https://github.com/Nyr/openvpn-install . The OpenVPN server is running.

I can connect to it, but when that happens all my app connections drop.

I know it is a WIDE topic to search, but I think the problem is on my machine, in the client configuration... Sorry for my stupidity.


This is the log from an OpenVPN client connection attempt:

2024-10-17 06:02:28 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-10-17 06:02:28 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2024-10-17 06:02:28 OpenVPN 2.6.12 [git:makepkg/038a94bae57a446c+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Jul 18 2024
2024-10-17 06:02:28 library versions: OpenSSL 3.2.0 23 Nov 2023, LZO 2.10
2024-10-17 06:02:28 DCO version: N/A
2024-10-17 06:02:28 TCP/UDP: Preserving recently used remote address: [AF_INET]REMOTE_MACHINE_IP:1194
2024-10-17 06:02:28 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-10-17 06:02:28 UDPv4 link local: (not bound)
2024-10-17 06:02:28 UDPv4 link remote: [AF_INET]REMOTE_MACHINE_IP:1194
2024-10-17 06:02:28 TLS: Initial packet from [AF_INET]REMOTE_MACHINE_IP:1194, sid=afb4708b 0b35f6fd
2024-10-17 06:02:28 VERIFY OK: depth=1, CN=Easy-RSA CA
2024-10-17 06:02:28 VERIFY KU OK
2024-10-17 06:02:28 Validating certificate extended key usage
2024-10-17 06:02:28 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-10-17 06:02:28 VERIFY EKU OK
2024-10-17 06:02:28 VERIFY OK: depth=0, CN=server
2024-10-17 06:02:28 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2024-10-17 06:02:28 [server] Peer Connection Initiated with [AF_INET]REMOTE_MACHINE_IP:1194
2024-10-17 06:02:28 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-10-17 06:02:28 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-10-17 06:02:28 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 ipv6 bypass-dhcp,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,block-outside-dns,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fddd:1194:1194:1194::1000/64 fddd:1194:1194:1194::1,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2024-10-17 06:02:28 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.6.12)
2024-10-17 06:02:28 OPTIONS IMPORT: --ifconfig/up options modified
2024-10-17 06:02:28 OPTIONS IMPORT: route options modified
2024-10-17 06:02:28 OPTIONS IMPORT: route-related options modified
2024-10-17 06:02:28 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-10-17 06:02:28 net_route_v4_best_gw query: dst 0.0.0.0
2024-10-17 06:02:28 net_route_v4_best_gw result: via 192.168.0.2 dev wlan0
2024-10-17 06:02:28 ROUTE_GATEWAY 192.168.0.2/255.255.255.0 IFACE=wlan0 HWADDR=84:7b:57:67:69:0c
2024-10-17 06:02:28 GDG6: remote_host_ipv6=n/a
2024-10-17 06:02:28 net_route_v6_best_gw query: dst ::
2024-10-17 06:02:28 sitnl_send: rtnl: generic error (-101): Network is unreachable
2024-10-17 06:02:28 ROUTE6: default_gateway=UNDEF
2024-10-17 06:02:28 TUN/TAP device tun0 opened
2024-10-17 06:02:28 net_iface_mtu_set: mtu 1500 for tun0
2024-10-17 06:02:28 net_iface_up: set tun0 up
2024-10-17 06:02:28 net_addr_v4_add: 10.8.0.2/24 dev tun0
2024-10-17 06:02:28 net_iface_mtu_set: mtu 1500 for tun0
2024-10-17 06:02:28 net_iface_up: set tun0 up
2024-10-17 06:02:28 net_addr_v6_add: fddd:1194:1194:1194::1000/64 dev tun0
2024-10-17 06:02:28 net_route_v4_add: REMOTE_MACHINE_IP/32 via 192.168.0.2 dev [NULL] table 0 metric -1
2024-10-17 06:02:28 net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2024-10-17 06:02:28 net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2024-10-17 06:02:28 add_route_ipv6(::/3 -> fddd:1194:1194:1194::1 metric -1) dev tun0
2024-10-17 06:02:28 net_route_v6_add: ::/3 via :: dev tun0 table 0 metric -1
2024-10-17 06:02:28 add_route_ipv6(2000::/4 -> fddd:1194:1194:1194::1 metric -1) dev tun0
2024-10-17 06:02:28 net_route_v6_add: 2000::/4 via :: dev tun0 table 0 metric -1
2024-10-17 06:02:28 add_route_ipv6(3000::/4 -> fddd:1194:1194:1194::1 metric -1) dev tun0
2024-10-17 06:02:28 net_route_v6_add: 3000::/4 via :: dev tun0 table 0 metric -1
2024-10-17 06:02:28 add_route_ipv6(fc00::/7 -> fddd:1194:1194:1194::1 metric -1) dev tun0
2024-10-17 06:02:28 net_route_v6_add: fc00::/7 via :: dev tun0 table 0 metric -1
2024-10-17 06:02:28 Initialization Sequence Completed
2024-10-17 06:02:28 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2024-10-17 06:02:28 Timers: ping 10, ping-restart 120
^C2024-10-17 06:03:56 event_wait : Interrupted system call (fd=-1,code=4)
2024-10-17 06:03:56 net_route_v4_del: REMOTE_MACHINE_IP/32 via 192.168.0.2 dev [NULL] table 0 metric -1
2024-10-17 06:03:56 net_route_v4_del: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2024-10-17 06:03:56 net_route_v4_del: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2024-10-17 06:03:56 delete_route_ipv6(::/3)
2024-10-17 06:03:56 net_route_v6_del: ::/3 via :: dev tun0 table 0 metric -1
2024-10-17 06:03:56 delete_route_ipv6(2000::/4)
2024-10-17 06:03:56 net_route_v6_del: 2000::/4 via :: dev tun0 table 0 metric -1
2024-10-17 06:03:56 delete_route_ipv6(3000::/4)
2024-10-17 06:03:56 net_route_v6_del: 3000::/4 via :: dev tun0 table 0 metric -1
2024-10-17 06:03:56 delete_route_ipv6(fc00::/7)
2024-10-17 06:03:56 net_route_v6_del: fc00::/7 via :: dev tun0 table 0 metric -1
2024-10-17 06:03:56 Closing TUN/TAP interface
2024-10-17 06:03:56 net_addr_v4_del: 10.8.0.2 dev tun0
2024-10-17 06:03:56 net_addr_v6_del: fddd:1194:1194:1194::1000/64 dev tun0
2024-10-17 06:03:56 SIGINT[hard,] received, process exiting

This is the user.ovpn config:

client
dev tun
proto udp
remote REMOTE_MACHINE_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
ignore-unknown-option block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIUUkh1/b5EZrYL1dod45sN3xg0SxcwDQYJKoZIhvcNAQEL
.....
certificates and keys

By googling

sitnl_send: rtnl: generic error (-101): Network is unreachable

I found something close to a solution,

alamahant wrote:

push-remove ifconfig-ipv6
push-remove route-ipv6

but it is not, because I disabled the IPv6 flag in the GUI settings. https://forums.gentoo.org/viewtopic-t-1 … 75752ffc22

I use the networkmanager-openvpn plugin as the client.


So, where should I dig?

Last edited by tupadown228 (Today 01:06:08)


#2 Yesterday 04:55:34

tupadown228
Member
Registered: 2022-10-25
Posts: 25

Re: VPN issue...[Open]

Oh, and I haven't updated almost all packages for a year on my machine.

Last edited by tupadown228 (Yesterday 04:57:15)


#3 Yesterday 05:27:17

-thc
Member
Registered: 2017-03-15
Posts: 615

Re: VPN issue...[Open]

The script sets up an OpenVPN server that works like a commercial "full tunnel" VPN - it redirects everything through the VPN tunnel.

This line from the connection log

tupadown228 wrote:
[...]
2024-10-17 06:02:28 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 ipv6 bypass-dhcp,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,block-outside-dns,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fddd:1194:1194:1194::1000/64 fddd:1194:1194:1194::1,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
[...]

expresses what the OpenVPN server would like the OpenVPN client to do: redirect all future traffic (routing/gateway and DNS) through the VPN.

tupadown228 wrote:

I can connect to it, but when that happen all my app connections drop down.

Because the routing/gateway and the DNS setup changed, this is exactly what is supposed to happen.

What did you expect? What did you intend with your own OpenVPN?

tupadown228 wrote:

Oh, and I haven't updated almost all packages for a year on my machine.

Then maybe Arch is not the distro for you?

Last edited by -thc (Yesterday 05:29:08)

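The pushed options and the route additions in the log from post #1 show the mechanism -thc describes. As an added example, not code from the thread or from the Nyr script, this Python checker parses a constructed excerpt of that log and reports what the push changed on the client: the def1 half-routes, the host route to the server, the pushed DNS servers, the rejected block-outside-dns option, and the IPv6 routes installed although the host had no IPv6 uplink.

```python
import re

# Constructed excerpt of the OpenVPN 2.6 client log quoted in post #1
# (REMOTE_MACHINE_IP is the poster's own placeholder for the server address).
CLIENT_LOG = """\
2024-10-17 06:02:28 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 ipv6 bypass-dhcp,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,block-outside-dns,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ifconfig 10.8.0.2 255.255.255.0'
2024-10-17 06:02:28 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.6.12)
2024-10-17 06:02:28 net_route_v4_best_gw result: via 192.168.0.2 dev wlan0
2024-10-17 06:02:28 ROUTE6: default_gateway=UNDEF
2024-10-17 06:02:28 net_route_v4_add: REMOTE_MACHINE_IP/32 via 192.168.0.2 dev [NULL] table 0 metric -1
2024-10-17 06:02:28 net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2024-10-17 06:02:28 net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2024-10-17 06:02:28 net_route_v6_add: 2000::/4 via :: dev tun0 table 0 metric -1
2024-10-17 06:02:28 Initialization Sequence Completed
"""

def parse_push_reply(log):
    """Return the comma-separated options the server sent in PUSH_REPLY."""
    m = re.search(r"'PUSH_REPLY,(.*?)'", log)
    return m.group(1).split(",") if m else []

def analyze_full_tunnel(log):
    """Summarise what the push did to the client's routing and DNS.

    redirect-gateway def1 does not replace the LAN default route; it adds
    0.0.0.0/1 and 128.0.0.0/1 via the VPN gateway, which are more specific
    than 0.0.0.0/0 and therefore win for every destination. That is why
    every existing application path moves into the tunnel once it is up."""
    pushed = parse_push_reply(log)
    v4 = re.findall(r"net_route_v4_add: (\S+) via (\S+)", log)
    v6 = re.findall(r"net_route_v6_add: (\S+) via \S+ dev (\S+)", log)
    gw = dict(v4)
    return {
        "redirect_gateway_pushed": any(o.startswith("redirect-gateway") for o in pushed),
        "def1_routes_installed": gw.get("0.0.0.0/1") == gw.get("128.0.0.0/1") == "10.8.0.1",
        # the VPN server itself keeps a /32 host route via the LAN gateway
        "server_host_route": any(d.endswith("/32") and g != "10.8.0.1" for d, g in v4),
        "pushed_dns": [o.split()[-1] for o in pushed if o.startswith("dhcp-option DNS")],
        # options this client build rejects (block-outside-dns is Windows-only)
        "unknown_options": re.findall(r"\[PUSH-OPTIONS\]:\d+: (\S+)", log),
        # IPv6 destinations are now sent into tun0 although the host had no
        # IPv6 default gateway of its own before connecting
        "ipv6_into_tunnel_without_uplink": "default_gateway=UNDEF" in log
        and any(dev == "tun0" for _, dev in v6),
        "tunnel_up": "Initialization Sequence Completed" in log,
    }
```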

#4 Yesterday 05:42:21

tupadown228
Member
Registered: 2022-10-25
Posts: 25

Re: VPN issue...[Open]

What did you expect?

Fast solution)))

I did not want to dive in depth at all, I just wanted everything in one click. T_T

Thank you and sorry.


#5 Today 00:56:23

tupadown228
Member
Registered: 2022-10-25
Posts: 25

Re: VPN issue...[Open]

Okay... So...

-thc wrote:

Because the routing/gateway and the DNS setup changed this is exactly what is supposed to happen.

Do you mean that everything is OK on my client, and I have made mistakes on the OpenVPN server? I guess the problem is in iptables & nftables (but CentOS dropped it)... because semanage and firewall-cmd have got their rules.

# SELinux: allow openvpn to bind the custom port
semanage port -a -t openvpn_port_t -p tcp 11994;
semanage port -a -t openvpn_port_t -p udp 11994
# firewalld: open the port and the openvpn service in the public zone
firewall-cmd --zone=public --add-port=11994/tcp --permanent;
firewall-cmd --zone=public --add-port=11994/udp --permanent;
firewall-cmd --zone=public --add-service openvpn;
firewall-cmd --zone=public --add-service openvpn --permanent;
firewall-cmd --reload;
# enable masquerading for the zone
firewall-cmd --add-masquerade;
firewall-cmd --add-masquerade --permanent;
firewall-cmd --query-masquerade;
# pick the interface that carries the route to the internet: the token after
# "dev" in `ip route get` (a fixed field index such as $(NF-2) picks the wrong
# token on iproute2 versions that append "uid N" to that line)
VAR=$(ip route get 1.1.1.1 | awk 'NR==1 {for (i=1; i<NF; i++) if ($i=="dev") print $(i+1)}')
# NAT the VPN subnet out of that interface
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$VAR" -j MASQUERADE;
firewall-cmd --reload;

OpenVPN server logs, and I do not see any criminal info...

7:48 openvpn[55133]: user/MY_MACHINE_IP:54417 SIGUSR1[soft,ping-restart] received, client-instance restarting
7:48 openvpn[55133]: user/MY_MACHINE_IP:54417 [user] Inactivity timeout (--ping-restart), restarting
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 SENT CONTROL [user]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1 bypass-dhcp,tun-ipv6,rout>
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI: primary virtual IPv6 for user/MY_MACHINE_IP:54417: fd42:42:42:42::2
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI: Learn: fd42:42:42:42::2 -> user/MY_MACHINE_IP:54417
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI: primary virtual IP for user/MY_MACHINE_IP:54417: 10.8.0.2
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI: Learn: 10.8.0.2 -> user/MY_MACHINE_IP:54417
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=fd42:42:42:42::2
3:48 openvpn[55133]: MY_MACHINE_IP:54417 [user] Peer Connection Initiated with [AF_INET6]::ffff:MY_MACHINE_IP:54417
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_COMP_STUBv2=1
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_COMP_STUB=1
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_LZO_STUB=1
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_PROTO=990
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_NCP=2
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_MTU=1600
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_TCPNL=1
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_PLAT=linux
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_VER=2.6.12
3:48 openvpn[55133]: MY_MACHINE_IP:54417 VERIFY OK: depth=0, CN=user
3:48 openvpn[55133]: MY_MACHINE_IP:54417 VERIFY OK: depth=1, CN=cn_qHIl2i2Rlyyfw4WD
3:48 openvpn[55133]: MY_MACHINE_IP:54417 TLS: Initial packet from [AF_INET6]::ffff:MY_MACHINE_IP:54417, sid=b652188d 79e81fe0
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2:59 openvpn[55133]: Initialization Sequence Completed
2:59 openvpn[55133]: IFCONFIG POOL LIST
2:59 openvpn[55133]: NOTE: IPv4 pool size is 253, IPv6 pool size is 65534. IPv4 pool size limits the number of clients that can be served from the pool
2:59 openvpn[55133]: IFCONFIG POOL IPv6: base=fd42:42:42:42::2 size=65534 netbits=112
2:59 openvpn[55133]: IFCONFIG POOL IPv4: base=10.8.0.2 size=253
2:59 openvpn[55133]: MULTI: multi_init called, r=256 v=256
2:59 openvpn[55133]: UID set to nobody
2:59 openvpn[55133]: GID set to nobody
2:59 openvpn[55133]: UDPv6 link remote: [AF_UNSPEC]
2:59 openvpn[55133]: UDPv6 link local (bound): [AF_INET6][undef]:11994
2:59 openvpn[55133]: setsockopt(IPV6_V6ONLY=0)
2:59 openvpn[55133]: Socket Buffers: R=[212992->212992] S=[212992->212992]
2:59 openvpn[55133]: net_addr_v6_add: fd42:42:42:42::1/112 dev tun0
2:59 openvpn[55133]: net_iface_up: set tun0 up
2:59 openvpn[55133]: net_iface_mtu_set: mtu 1500 for tun0
2:59 openvpn[55133]: net_addr_v4_add: 10.8.0.1/24 dev tun0
2:59 openvpn[55133]: net_iface_up: set tun0 up
2:59 openvpn[55133]: net_iface_mtu_set: mtu 1500 for tun0
2:59 openvpn[55133]: TUN/TAP device tun0 opened
2:59 openvpn[55133]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2:59 openvpn[55133]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2:59 openvpn[55133]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2:59 openvpn[55133]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2:59 openvpn[55133]: ECDH curve prime256v1 added
2:59 openvpn[55133]: CRL: loaded 1 CRLs from file crl.pem
2:59 systemd[1]: Started OpenVPN service for server.
-thc wrote:

What did you expect? What did you intend with your own OpenVPN?

I expect to have redirection of all traffic through the VPN after enabling it on the client (load the user.ovpn config downloaded from the remote server, add it and run). But I can't even connect to any IP address via curl.
And I have tested the user.ovpn on another laptop; the result is the same.


-thc wrote:

tupadown228 wrote:

    Oh, and I haven't updated almost all packages for a year on my machine.

Then maybe Arch is not the distro for you?

This is for security reasons, because of my country. I am really scared to lose my data for nothing; I'm just sitting at home watching anime and working sometimes. But I agree, I don't have enough knowledge.

Last edited by tupadown228 (Today 02:26:11)


#6 Today 03:14:09

tupadown228
Member
Registered: 2022-10-25
Posts: 25

Re: VPN issue...[Open]

These are the iptables rules... nothing changes T_T

sudo iptables -L -v -n | more
Chain INPUT (policy ACCEPT 33934 packets, 9787K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   43 12364 ACCEPT     17   --  ens192 *       0.0.0.0/0            0.0.0.0/0            udp dpt:11994
    0     0 ACCEPT     0    --  tun0   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   17  1088 ACCEPT     0    --  tun0   ens192  0.0.0.0/0            0.0.0.0/0           
   17  1847 ACCEPT     0    --  ens192 tun0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination  

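The listing above comes from the filter table only (iptables -L without -t nat), so the MASQUERADE rule added through firewall-cmd cannot be seen in it. As an added example, not from the thread, this Python parser reads a constructed copy of that listing and reports whether FORWARD accepts traffic from tun0 to ens192 and back, how many packets each direction has counted, and whether a nat POSTROUTING chain is present in the output at all.

```python
import re

# Constructed copy of the `iptables -L -v -n` listing from post #6;
# without `-t nat` this is the filter table only.
IPTABLES_FILTER = """\
Chain INPUT (policy ACCEPT 33934 packets, 9787K bytes)
 pkts bytes target     prot opt in     out     source               destination
   43 12364 ACCEPT     17   --  ens192 *       0.0.0.0/0            0.0.0.0/0            udp dpt:11994
    0     0 ACCEPT     0    --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   17  1088 ACCEPT     0    --  tun0   ens192  0.0.0.0/0            0.0.0.0/0
   17  1847 ACCEPT     0    --  ens192 tun0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

def parse_chains(listing):
    """Map chain name -> {'policy': ..., 'rules': [...]} from `iptables -L -v -n`."""
    chains, cur = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)", line)
        if m:
            cur = m.group(1)
            chains[cur] = {"policy": m.group(2), "rules": []}
            continue
        f = line.split()
        # rule rows: pkts bytes target prot opt in out source destination [match...]
        if cur and len(f) >= 9 and f[0].isdigit():
            chains[cur]["rules"].append({"pkts": int(f[0]), "target": f[2],
                                         "in": f[5], "out": f[6], "extra": " ".join(f[9:])})
    return chains

def check_forwarding(listing, tun="tun0", wan="ens192"):
    """Packet counts of the ACCEPT rules tun->wan and wan->tun (None = no rule)."""
    chains = parse_chains(listing)
    fwd = chains.get("FORWARD", {"rules": []})["rules"]
    def accept(i, o):
        r = next((r for r in fwd if r["in"] == i and r["out"] == o
                  and r["target"] == "ACCEPT"), None)
        return r["pkts"] if r else None
    return {
        "out_via_wan": accept(tun, wan), "back_via_tun": accept(wan, tun),
        # a POSTROUTING chain only appears when the nat table is listed,
        # so the MASQUERADE rule cannot be verified from this output
        "nat_table_shown": "POSTROUTING" in chains,
    }
```

Feed it the output of iptables -t nat -L -v -n as well to see the counters of the POSTROUTING MASQUERADE rule for 10.8.0.0/24.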
