
#1 2024-10-17 03:34:44

tupadown228
Member
Registered: 2022-10-25
Posts: 45

VPN issue...[Closed] T_T ru guys, welcome.

Hi, I have installed and configured OpenVPN on my remote machine. This is what was used: https://github.com/Nyr/openvpn-install . The OpenVPN server is running.

I can connect to it, but when that happens all my app connections drop.

I know it is a WIDE topic to search, but I think the problem is on my machine, in the client configuration... Sorry for my stupidity.


This is the log from an OpenVPN client connection attempt:

2024-10-17 06:02:28 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-10-17 06:02:28 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2024-10-17 06:02:28 OpenVPN 2.6.12 [git:makepkg/038a94bae57a446c+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Jul 18 2024
2024-10-17 06:02:28 library versions: OpenSSL 3.2.0 23 Nov 2023, LZO 2.10
2024-10-17 06:02:28 DCO version: N/A
2024-10-17 06:02:28 TCP/UDP: Preserving recently used remote address: [AF_INET]REMOTE_MACHINE_IP:1194
2024-10-17 06:02:28 Socket Buffers: R=[212992->212992] S=[212992->212992]
2024-10-17 06:02:28 UDPv4 link local: (not bound)
2024-10-17 06:02:28 UDPv4 link remote: [AF_INET]REMOTE_MACHINE_IP:1194
2024-10-17 06:02:28 TLS: Initial packet from [AF_INET]REMOTE_MACHINE_IP:1194, sid=afb4708b 0b35f6fd
2024-10-17 06:02:28 VERIFY OK: depth=1, CN=Easy-RSA CA
2024-10-17 06:02:28 VERIFY KU OK
2024-10-17 06:02:28 Validating certificate extended key usage
2024-10-17 06:02:28 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-10-17 06:02:28 VERIFY EKU OK
2024-10-17 06:02:28 VERIFY OK: depth=0, CN=server
2024-10-17 06:02:28 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
2024-10-17 06:02:28 [server] Peer Connection Initiated with [AF_INET]REMOTE_MACHINE_IP:1194
2024-10-17 06:02:28 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-10-17 06:02:28 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-10-17 06:02:28 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 ipv6 bypass-dhcp,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,block-outside-dns,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fddd:1194:1194:1194::1000/64 fddd:1194:1194:1194::1,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2024-10-17 06:02:28 Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: block-outside-dns (2.6.12)
2024-10-17 06:02:28 OPTIONS IMPORT: --ifconfig/up options modified
2024-10-17 06:02:28 OPTIONS IMPORT: route options modified
2024-10-17 06:02:28 OPTIONS IMPORT: route-related options modified
2024-10-17 06:02:28 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-10-17 06:02:28 net_route_v4_best_gw query: dst 0.0.0.0
2024-10-17 06:02:28 net_route_v4_best_gw result: via 192.168.0.2 dev wlan0
2024-10-17 06:02:28 ROUTE_GATEWAY 192.168.0.2/255.255.255.0 IFACE=wlan0 HWADDR=84:7b:57:67:69:0c
2024-10-17 06:02:28 GDG6: remote_host_ipv6=n/a
2024-10-17 06:02:28 net_route_v6_best_gw query: dst ::
2024-10-17 06:02:28 sitnl_send: rtnl: generic error (-101): Network is unreachable
2024-10-17 06:02:28 ROUTE6: default_gateway=UNDEF
2024-10-17 06:02:28 TUN/TAP device tun0 opened
2024-10-17 06:02:28 net_iface_mtu_set: mtu 1500 for tun0
2024-10-17 06:02:28 net_iface_up: set tun0 up
2024-10-17 06:02:28 net_addr_v4_add: 10.8.0.2/24 dev tun0
2024-10-17 06:02:28 net_iface_mtu_set: mtu 1500 for tun0
2024-10-17 06:02:28 net_iface_up: set tun0 up
2024-10-17 06:02:28 net_addr_v6_add: fddd:1194:1194:1194::1000/64 dev tun0
2024-10-17 06:02:28 net_route_v4_add: REMOTE_MACHINE_IP/32 via 192.168.0.2 dev [NULL] table 0 metric -1
2024-10-17 06:02:28 net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2024-10-17 06:02:28 net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2024-10-17 06:02:28 add_route_ipv6(::/3 -> fddd:1194:1194:1194::1 metric -1) dev tun0
2024-10-17 06:02:28 net_route_v6_add: ::/3 via :: dev tun0 table 0 metric -1
2024-10-17 06:02:28 add_route_ipv6(2000::/4 -> fddd:1194:1194:1194::1 metric -1) dev tun0
2024-10-17 06:02:28 net_route_v6_add: 2000::/4 via :: dev tun0 table 0 metric -1
2024-10-17 06:02:28 add_route_ipv6(3000::/4 -> fddd:1194:1194:1194::1 metric -1) dev tun0
2024-10-17 06:02:28 net_route_v6_add: 3000::/4 via :: dev tun0 table 0 metric -1
2024-10-17 06:02:28 add_route_ipv6(fc00::/7 -> fddd:1194:1194:1194::1 metric -1) dev tun0
2024-10-17 06:02:28 net_route_v6_add: fc00::/7 via :: dev tun0 table 0 metric -1
2024-10-17 06:02:28 Initialization Sequence Completed
2024-10-17 06:02:28 Data Channel: cipher 'AES-256-GCM', peer-id: 0
2024-10-17 06:02:28 Timers: ping 10, ping-restart 120
^C2024-10-17 06:03:56 event_wait : Interrupted system call (fd=-1,code=4)
2024-10-17 06:03:56 net_route_v4_del: REMOTE_MACHINE_IP/32 via 192.168.0.2 dev [NULL] table 0 metric -1
2024-10-17 06:03:56 net_route_v4_del: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2024-10-17 06:03:56 net_route_v4_del: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1
2024-10-17 06:03:56 delete_route_ipv6(::/3)
2024-10-17 06:03:56 net_route_v6_del: ::/3 via :: dev tun0 table 0 metric -1
2024-10-17 06:03:56 delete_route_ipv6(2000::/4)
2024-10-17 06:03:56 net_route_v6_del: 2000::/4 via :: dev tun0 table 0 metric -1
2024-10-17 06:03:56 delete_route_ipv6(3000::/4)
2024-10-17 06:03:56 net_route_v6_del: 3000::/4 via :: dev tun0 table 0 metric -1
2024-10-17 06:03:56 delete_route_ipv6(fc00::/7)
2024-10-17 06:03:56 net_route_v6_del: fc00::/7 via :: dev tun0 table 0 metric -1
2024-10-17 06:03:56 Closing TUN/TAP interface
2024-10-17 06:03:56 net_addr_v4_del: 10.8.0.2 dev tun0
2024-10-17 06:03:56 net_addr_v6_del: fddd:1194:1194:1194::1000/64 dev tun0
2024-10-17 06:03:56 SIGINT[hard,] received, process exiting

This is the user.ovpn config:

client
dev tun
proto udp
remote REMOTE_MACHINE_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
ignore-unknown-option block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDSzCCAjOgAwIBAgIUUkh1/b5EZrYL1dod45sN3xg0SxcwDQYJKoZIhvcNAQEL
.....
certificates and keys

By googling

sitnl_send: rtnl: generic error (-101): Network is unreachable

I found something close to a solution:

alamahant wrote:

 
push-remove ifconfig-ipv6
push-remove route-ipv6 

but it is not, because I disabled the IPv6 flag in the GUI settings. https://forums.gentoo.org/viewtopic-t-1 … 75752ffc22

I use the networkmanager-openvpn plugin as the client.


So, where should I dig?

Last edited by tupadown228 (2024-10-22 08:36:49)


#2 2024-10-17 04:55:34

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

Oh, and I haven't updated almost all packages for a year on my machine.

Last edited by tupadown228 (2024-10-17 04:57:15)


#3 2024-10-17 05:27:17

-thc
Member
Registered: 2017-03-15
Posts: 739

Re: VPN issue...[Closed] T_T ru guys, welcome.

The script sets up an OpenVPN server that works like a commercial "full tunnel" VPN - it redirects everything through the VPN tunnel.

This line from the connection log

tupadown228 wrote:
[...]
2024-10-17 06:02:28 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 ipv6 bypass-dhcp,dhcp-option DNS 1.1.1.1,dhcp-option DNS 1.0.0.1,block-outside-dns,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fddd:1194:1194:1194::1000/64 fddd:1194:1194:1194::1,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
[...]

expresses what the OpenVPN server would like the OpenVPN client to do: redirect all future traffic (routing/gateway and DNS) through the VPN.

tupadown228 wrote:

I can connect to it, but when that happens all my app connections drop.

Because the routing/gateway and the DNS setup changed, this is exactly what is supposed to happen.

What did you expect? What did you intend with your own OpenVPN?

tupadown228 wrote:

Oh, and I haven't updated almost all packages for a year on my machine.

Then maybe Arch is not the distro for you?

Last edited by -thc (2024-10-17 05:29:08)


#4 2024-10-17 05:42:21

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

What did you expect?

Fast solution)))

I did not want to dive in depth at all, I just wanted everything in one click. T_T

Thank you and sorry.


#5 2024-10-18 00:56:23

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

Okay... So...

-thc wrote:

Because the routing/gateway and the DNS setup changed this is exactly what is supposed to happen.

Do you mean that everything is OK on my client, and I have made mistakes on the OVPN server? I guess the problem is in iptables & nftables (but CentOS dropped it)... because semanage and firewall-cmd have got their rules.

semanage port -a -t openvpn_port_t -p tcp 11994;
semanage port -a -t openvpn_port_t -p udp 11994
firewall-cmd --zone=public --add-port=11994/tcp --permanent;
firewall-cmd --zone=public --add-port=11994/udp --permanent;
firewall-cmd --zone=public --add-service openvpn;
firewall-cmd --zone=public --add-service openvpn --permanent;
firewall-cmd --reload;
firewall-cmd --add-masquerade;
firewall-cmd --add-masquerade --permanent;
firewall-cmd --query-masquerade;
VAR=$(ip route get 1.1.1.1 | awk 'NR==1 {print $(NF-2)}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $VAR -j MASQUERADE;
firewall-cmd --reload;

OpenVPN server logs, and I do not see anything criminal in them...

7:48 openvpn[55133]: user/MY_MACHINE_IP:54417 SIGUSR1[soft,ping-restart] received, client-instance restarting
7:48 openvpn[55133]: user/MY_MACHINE_IP:54417 [user] Inactivity timeout (--ping-restart), restarting
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 SENT CONTROL [user]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1 bypass-dhcp,tun-ipv6,rout>
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI: primary virtual IPv6 for user/MY_MACHINE_IP:54417: fd42:42:42:42::2
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI: Learn: fd42:42:42:42::2 -> user/MY_MACHINE_IP:54417
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI: primary virtual IP for user/MY_MACHINE_IP:54417: 10.8.0.2
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI: Learn: 10.8.0.2 -> user/MY_MACHINE_IP:54417
3:48 openvpn[55133]: user/MY_MACHINE_IP:54417 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=fd42:42:42:42::2
3:48 openvpn[55133]: MY_MACHINE_IP:54417 [user] Peer Connection Initiated with [AF_INET6]::ffff:MY_MACHINE_IP:54417
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_COMP_STUBv2=1
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_COMP_STUB=1
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_LZO_STUB=1
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_PROTO=990
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_NCP=2
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_MTU=1600
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_TCPNL=1
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_PLAT=linux
3:48 openvpn[55133]: MY_MACHINE_IP:54417 peer info: IV_VER=2.6.12
3:48 openvpn[55133]: MY_MACHINE_IP:54417 VERIFY OK: depth=0, CN=user
3:48 openvpn[55133]: MY_MACHINE_IP:54417 VERIFY OK: depth=1, CN=cn_qHIl2i2Rlyyfw4WD
3:48 openvpn[55133]: MY_MACHINE_IP:54417 TLS: Initial packet from [AF_INET6]::ffff:MY_MACHINE_IP:54417, sid=b652188d 79e81fe0
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
3:48 openvpn[55133]: MY_MACHINE_IP:54417 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2:59 openvpn[55133]: Initialization Sequence Completed
2:59 openvpn[55133]: IFCONFIG POOL LIST
2:59 openvpn[55133]: NOTE: IPv4 pool size is 253, IPv6 pool size is 65534. IPv4 pool size limits the number of clients that can be served from the pool
2:59 openvpn[55133]: IFCONFIG POOL IPv6: base=fd42:42:42:42::2 size=65534 netbits=112
2:59 openvpn[55133]: IFCONFIG POOL IPv4: base=10.8.0.2 size=253
2:59 openvpn[55133]: MULTI: multi_init called, r=256 v=256
2:59 openvpn[55133]: UID set to nobody
2:59 openvpn[55133]: GID set to nobody
2:59 openvpn[55133]: UDPv6 link remote: [AF_UNSPEC]
2:59 openvpn[55133]: UDPv6 link local (bound): [AF_INET6][undef]:11994
2:59 openvpn[55133]: setsockopt(IPV6_V6ONLY=0)
2:59 openvpn[55133]: Socket Buffers: R=[212992->212992] S=[212992->212992]
2:59 openvpn[55133]: net_addr_v6_add: fd42:42:42:42::1/112 dev tun0
2:59 openvpn[55133]: net_iface_up: set tun0 up
2:59 openvpn[55133]: net_iface_mtu_set: mtu 1500 for tun0
2:59 openvpn[55133]: net_addr_v4_add: 10.8.0.1/24 dev tun0
2:59 openvpn[55133]: net_iface_up: set tun0 up
2:59 openvpn[55133]: net_iface_mtu_set: mtu 1500 for tun0
2:59 openvpn[55133]: TUN/TAP device tun0 opened
2:59 openvpn[55133]: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2:59 openvpn[55133]: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2:59 openvpn[55133]: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2:59 openvpn[55133]: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2:59 openvpn[55133]: ECDH curve prime256v1 added
2:59 openvpn[55133]: CRL: loaded 1 CRLs from file crl.pem
2:59 systemd[1]: Started OpenVPN service for server.
-thc wrote:

What did you expect? What did you intend with your own OpenVPN?

I expect all traffic to be redirected through the VPN after enabling it on the client (load the user.ovpn config downloaded from the remote server, add it and run). But I can't even connect to any IP address via curl.
And I have tested the user.ovpn on another laptop; the result is the same.


-thc wrote:

tupadown228 wrote:

    Oh, and I haven't updated almost all packages for a year on my machine.

Then maybe Arch is not the distro for you?

This is for security reasons, because of my country. I am really scared to lose my data for nothing; I'm just sitting at home watching anime and working sometimes. But I agree, I don't have enough knowledge.

Last edited by tupadown228 (2024-10-18 02:26:11)


#6 2024-10-18 03:14:09

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

These are the iptables rules... nothing changes T_T

sudo iptables -L -v -n | more
Chain INPUT (policy ACCEPT 33934 packets, 9787K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   43 12364 ACCEPT     17   --  ens192 *       0.0.0.0/0            0.0.0.0/0            udp dpt:11994
    0     0 ACCEPT     0    --  tun0   *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   17  1088 ACCEPT     0    --  tun0   ens192  0.0.0.0/0            0.0.0.0/0           
   17  1847 ACCEPT     0    --  ens192 tun0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination  

This is the generated server.conf:

port 11994
proto udp6
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_A7vEzNqMWKlJHLcR.crt
key server_A7vEzNqMWKlJHLcR.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-....
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

Last edited by tupadown228 (2024-10-18 03:54:42)


#7 2024-10-18 05:28:56

-thc
Member
Registered: 2017-03-15
Posts: 739

Re: VPN issue...[Closed] T_T ru guys, welcome.

O.K. - back to square one.

Here's what you wrote:

tupadown228 wrote:

I can connect to it, but when that happens all my app connections drop.

Here's what I understood: As soon as you enable the VPN all your running/current connections (streams etc.) drop.

Here's what you meant: I can connect to my VPN but then I'm cut off from the internet.

[...]

Since all of your configs and logs look O.K. the most common error on the server side is: You forgot to enable IP forwarding.


#8 2024-10-18 05:56:46

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

-thc wrote:

Here's what you meant: I can connect to my VPN but then I'm cut off from the internet.

Yup, exactly.

-thc wrote:

Since all of your configs and logs look O.K. the most common error on the server side is: You forgot to enable IP forwarding.

Unfortunately, they are enabled.

net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 1

net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.ens192.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.ens192.bc_forwarding = 0
net.ipv4.conf.ens192.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.bc_forwarding = 0
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.ens192.forwarding = 1
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.tun0.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.ens192.mc_forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.tun0.mc_forwarding = 0


#9 2024-10-18 06:19:11

-thc
Member
Registered: 2017-03-15
Posts: 739

Re: VPN issue...[Closed] T_T ru guys, welcome.

The second most common error on the server side is: You forgot to enable masquerading.


#10 2024-10-18 06:20:39

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

Enabling NAT with firewalld and disabling iptables-openvpn.service did not help.


Hm... I'm trying to find out more about it. Wait.

Last edited by tupadown228 (2024-10-18 06:23:07)


#11 2024-10-18 06:25:19

-thc
Member
Registered: 2017-03-15
Posts: 739

Re: VPN issue...[Closed] T_T ru guys, welcome.

When you are connected to the VPN

- make sure your client routing table looks O.K.

ip r
ip -6 r

- ping the VPN endpoint

ping 10.8.0.1

- ping dns.google

ping 8.8.8.8

- check the DNS

drill dns.google

Last edited by -thc (2024-10-18 06:25:52)


#12 2024-10-18 06:58:22

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

ip r

default via 10.8.0.1 dev tun0 proto static metric 50 
default via 192.168.0.2 dev wlan0 proto dhcp src 192.168.0.114 metric 600 
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2 metric 50 
REMOTE_MACHINE_IP via 192.168.0.2 dev wlan0 proto static metric 50 
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.114 metric 600 
192.168.0.2 dev wlan0 proto static scope link metric 50

ip -6 r

::/3 via fd42:42:42:42::1 dev tun0 proto static metric 50 pref medium
2000::/4 via fd42:42:42:42::1 dev tun0 proto static metric 50 pref medium
3000::/4 via fd42:42:42:42::1 dev tun0 proto static metric 50 pref medium
2000::/3 via fd42:42:42:42::1 dev tun0 proto static metric 50 pref medium
fd42:42:42:42::/112 dev tun0 proto kernel metric 50 pref medium
fc00::/7 via fd42:42:42:42::1 dev tun0 proto static metric 50 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default dev tun0 proto static metric 50 pref medium

ping 10.8.0.1

PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
^C
--- 10.8.0.1 ping statistics ---
26 packets transmitted, 0 received, 100% packet loss, time 25343ms

ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
42 packets transmitted, 0 received, 100% packet loss, time 41559ms

drill dns.google

Error: error sending query: Could not send or receive, because of network error

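As an added example (not code from the thread), the "make sure your client routing table looks O.K." step from post #11 written as a POSIX shell check: it takes `ip r` output and verifies the three things a working full tunnel needs (a host route for the server via the physical gateway, a default route or def1 pair over tun0, and a VPN default metric that beats the physical one). The gateway 10.8.0.1 on tun0 is taken from the log above; 203.0.113.10 is a constructed placeholder for REMOTE_MACHINE_IP, and the sample tables are constructed from the one posted in #12.

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check a client "ip r" dump for a
# full-tunnel OpenVPN session. Assumptions: VPN gateway 10.8.0.1 on tun0 (as
# in the log), 203.0.113.10 as a placeholder for the server's public address.

VPN_DEV=tun0
VPN_GW=10.8.0.1
SERVER_IP=203.0.113.10   # constructed placeholder for REMOTE_MACHINE_IP

# Constructed sample modelled on the table in post #12. The NetworkManager
# plugin installs a lower-metric default route instead of the 0.0.0.0/1 and
# 128.0.0.0/1 pair that a bare openvpn client adds for "redirect-gateway def1".
SAMPLE_OK='default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.0.2 dev wlan0 proto dhcp src 192.168.0.114 metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2 metric 50
203.0.113.10 via 192.168.0.2 dev wlan0 proto static metric 50
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.114 metric 600
192.168.0.2 dev wlan0 proto static scope link metric 50'

# Broken variant 1: no host route for the server, so the encrypted packets
# would themselves be routed into the tunnel and never reach the server.
SAMPLE_NO_HOST_ROUTE=$(printf '%s\n' "$SAMPLE_OK" | grep -v "^$SERVER_IP ")

# Broken variant 2: the tun0 default route loses to the wlan0 one.
SAMPLE_WRONG_METRIC=$(printf '%s\n' "$SAMPLE_OK" |
    sed 's/dev tun0 proto static metric 50/dev tun0 proto static metric 700/')

# default_metric DEV WANT_ON_DEV ROUTES: metric of the first "default" route
# that is on DEV (WANT_ON_DEV=1) or not on DEV (WANT_ON_DEV=0). A route
# without a metric field counts as 0, as the kernel treats it; prints nothing
# when no matching default route exists.
default_metric() {
    printf '%s\n' "$3" | awk -v dev="$1" -v want="$2" '
        $1 == "default" {
            m = 0; on = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dev" && $(i+1) == dev) on = 1
                if ($i == "metric") m = $(i+1)
            }
            if (on == want) { print m; exit }
        }'
}

# check_client_routes ROUTES: returns 0 if the table is shaped the way a
# working full tunnel needs, 1 otherwise; findings are printed to stdout.
check_client_routes() {
    routes=$1
    rc=0

    # 1. The VPN server itself must stay reachable via the physical gateway.
    if ! printf '%s\n' "$routes" | grep -q "^$SERVER_IP via "; then
        echo "FAIL: no host route for $SERVER_IP via the physical gateway"
        rc=1
    fi

    # 2. Everything else must be steered into the tunnel: either a default
    #    route over tun0 or the def1 pair (0.0.0.0/1 + 128.0.0.0/1).
    vpn_metric=$(default_metric "$VPN_DEV" 1 "$routes")
    has_def1=0
    if printf '%s\n' "$routes" | grep -q "^0.0.0.0/1 via $VPN_GW " &&
       printf '%s\n' "$routes" | grep -q "^128.0.0.0/1 via $VPN_GW "; then
        has_def1=1
    fi
    if [ -z "$vpn_metric" ] && [ "$has_def1" -eq 0 ]; then
        echo "FAIL: no default route over $VPN_DEV and no def1 pair"
        rc=1
    fi

    # 3. With two default routes, the VPN one must carry the lower metric.
    if [ -n "$vpn_metric" ]; then
        phys_metric=$(default_metric "$VPN_DEV" 0 "$routes")
        if [ -n "$phys_metric" ] && [ "$vpn_metric" -ge "$phys_metric" ]; then
            echo "FAIL: $VPN_DEV default metric $vpn_metric does not beat $phys_metric"
            rc=1
        fi
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: routing table is consistent with a full tunnel"
    fi
    return "$rc"
}

# Demo: the good table, then the two broken variants.
for t in "$SAMPLE_OK" "$SAMPLE_NO_HOST_ROUTE" "$SAMPLE_WRONG_METRIC"; do
    if check_client_routes "$t"; then echo "-> usable"; else echo "-> broken"; fi
done
```

On a live client, run it as `check_client_routes "$(ip r)"` while the VPN is up; a FAIL on check 1 or 3 explains the "connected but cut off" symptom before any server-side firewall work is needed.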

#13 2024-10-18 07:27:22

-thc
Member
Registered: 2017-03-15
Posts: 739

Re: VPN issue...[Closed] T_T ru guys, welcome.

In the first postings the port seems to be the default (1194) - in later posts it's 11994 - is that a typo?


#14 2024-10-18 15:44:37

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

Yes, it is. I set port to 11994 everywhere.

Sorry, I had to sleep.

Last edited by tupadown228 (2024-10-18 16:13:25)


#15 2024-10-18 16:19:38

-thc
Member
Registered: 2017-03-15
Posts: 739

Re: VPN issue...[Closed] T_T ru guys, welcome.

NP - since you're unable to ping the VPN endpoint - make sure that neither your client nor the OpenVPN server blocks traffic on the tun devices. If you're unsure - temporarily disable the firewalls and test the ping again.


#16 2024-10-18 21:53:09

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

So... I set the same rules for firewalld as in the generated iptables file.

from generated /etc/iptables/add-openvpn-rules.sh

iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o ens192 -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i ens192 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o ens192 -j ACCEPT
iptables -I INPUT 1 -i ens192 -p udp --dport 11994 -j ACCEPT
ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o ens192 -j MASQUERADE
ip6tables -I INPUT 1 -i tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i ens192 -o tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i tun0 -o ens192 -j ACCEPT
ip6tables -I INPUT 1 -i ens192 -p udp --dport 11994 -j ACCEPT


Rules made for firewalld:

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens192 -j MASQUERADE;
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -i tun0 -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -o tun0 -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i tun0 -o ens192 -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -i ens192 -p udp --dport 11994 -j ACCEPT;
firewall-cmd --permanent --direct --passthrough ipv6 -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o ens192 -j MASQUERADE;
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 1 -i tun0 -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 1 -i ens192 -o tun0 -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 1 -i tun0 -o ens192 -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 1 -i ens192 -p udp --dport 11994 -j ACCEPT;

firewall-cmd --reload;

Nothing changes (ip r; ip -6 r; ping 1.1.1.1; ping 10.8.0.1; drill dns.google)...


If you're unsure - temporarily disable the firewalls and test the ping again.

Now I will try that. If nothing changes again, the problem is inside my laptop.

Last edited by tupadown228 (2024-10-18 21:55:15)


#17 2024-10-19 01:02:01

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

So... If it is the firewall, then I disabled it.

systemctl stop firewalld.service; 
systemctl stop iptables-openvpn.service ;

Nothing changes (ip r; ip -6 r; ping 1.1.1.1; ping 10.8.0.1; drill dns.google)...
And I tested it on my Arch laptop and on an Ubuntu laptop (the distro was freshly installed without any additional actions).

Then I restarted them. The journal logs are clean (the firewall daemons have no errors, and the OpenVPN server logs have no errors either).

Then I added this and tested with the firewall running and without it; nothing changes again.

firewall-cmd --permanent --add-service openvpn;
firewall-cmd --permanent --zone=trusted --add-service openvpn;
firewall-cmd --reload;

Journal logs clean.

this is not funny at all... T_T

Last edited by tupadown228 (2024-10-19 01:07:51)


#18 2024-10-19 01:30:37

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

Okay, I will try to change the OVPN server.conf using the info from the Arch wiki.

If I use the Arch wiki "OpenVPN#Routing_client_traffic_through_the_server" guide as a battle-tested example, then I do not see the line "route some_ip 255.255.255.0" in /etc/openvpn/server.conf .

port 11994
proto udp6
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet

server 10.8.0.0 255.255.255.0  is it similar? upd. nope

ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_A7vEzNqMWKlJHLcR.crt
key server_A7vEzNqMWKlJHLcR.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

lol, I have ping on 10.8.0.2 on the client when the VPN is enabled.

PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=0.065 ms
64 bytes from 10.8.0.2: icmp_seq=2 ttl=64 time=0.076 ms
64 bytes from 10.8.0.2: icmp_seq=3 ttl=64 time=0.073 ms
64 bytes from 10.8.0.2: icmp_seq=4 ttl=64 time=0.091 ms
64 bytes from 10.8.0.2: icmp_seq=5 ttl=64 time=0.076 ms
^C
--- 10.8.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4052ms

Last edited by tupadown228 (2024-10-19 01:43:02)


#19 2024-10-19 01:42:16

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

Hm... https://github.com/OpenVPN/openvpn/blob … .conf#L155

Should I add some of them? Goddamn, not having knowledge sucks.

push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"


#20 2024-10-19 02:16:34

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

This source recommends this:

So, lets look at the iptables rules required for this to work.

    # Allow traffic initiated from VPN to access LAN           <=== this is not for me i guess
    iptables -I FORWARD -i tun0 -o eth0 \                              <=== 
         -s 10.8.0.0/24 -d 192.168.0.0/24 \                                <=== 
         -m conntrack --ctstate NEW -j ACCEPT                        <=== 

    # Allow traffic initiated from VPN to access "the world"
    iptables -I FORWARD -i tun0 -o eth1 \
         -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT             <=== i don't have that in my rules

    # Allow traffic initiated from LAN to access "the world"
    iptables -I FORWARD -i eth0 -o eth1 \
         -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT

    # Allow established traffic to pass back and forth
    iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED \    <=== i don't have that in my rules
         -j ACCEPT                                                                                          <=== 

    # Notice that -I is used, so when listing it (iptables -vxnL) it
    # will be reversed.  This is intentional in this demonstration.

    # Masquerade traffic from VPN to "the world" -- done in the nat table
    iptables -t nat -I POSTROUTING -o eth1 \                                   <=== that i have i guess
          -s 10.8.0.0/24 -j MASQUERADE                                               <=== that i have i guess

    # Masquerade traffic from LAN to "the world"                 <=== this is not for me i guess
    iptables -t nat -I POSTROUTING -o eth1 \                           <=== 
          -s 192.168.0.0/24 -j MASQUERADE

All the rules I have applied on my CentOS VPS (sorry, off the main topic...):

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens192 -j MASQUERADE;
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -i tun0 -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -o tun0 -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i tun0 -o ens192 -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -i ens192 -p udp --dport 11994 -j ACCEPT;
firewall-cmd --permanent --direct --passthrough ipv6 -t nat -A POSTROUTING -s fd42:42:42:42::/112 -o ens192 -j MASQUERADE;
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 1 -i tun0 -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 1 -i ens192 -o tun0 -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 1 -i tun0 -o ens192 -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 1 -i ens192 -p udp --dport 11994 -j ACCEPT;

firewall-cmd --reload;


firewall-cmd --permanent --add-service openvpn;
firewall-cmd --permanent --zone=trusted --add-service openvpn;

firewall-cmd --reload;

semanage port -a -t openvpn_port_t -p tcp 11994;
semanage port -a -t openvpn_port_t -p udp 11994
firewall-cmd --zone=public --add-port=11994/tcp --permanent;
firewall-cmd --zone=public --add-port=11994/udp --permanent;
firewall-cmd --zone=public --add-service openvpn;
firewall-cmd --zone=public --add-service openvpn --permanent;
firewall-cmd --zone=external --add-port=11994/tcp --permanent;
firewall-cmd --zone=external --add-port=11994/udp --permanent;
firewall-cmd --zone=external --add-service openvpn;
firewall-cmd --zone=external --add-service openvpn --permanent;
firewall-cmd --zone=internal --add-port=11994/tcp --permanent;
firewall-cmd --zone=internal --add-port=11994/udp --permanent;
firewall-cmd --zone=internal --add-service openvpn;
firewall-cmd --zone=internal --add-service openvpn --permanent;
firewall-cmd --reload;
firewall-cmd --zone=internal --add-masquerade;
firewall-cmd --zone=internal --add-masquerade --permanent;
firewall-cmd --zone=internal --query-masquerade;
firewall-cmd --zone=external --add-masquerade;
firewall-cmd --zone=external --add-masquerade --permanent;
firewall-cmd --zone=external --query-masquerade;
firewall-cmd --reload;

Last edited by tupadown228 (2024-10-19 02:19:24)


#21 2024-10-19 06:37:37

-thc
Member
Registered: 2017-03-15
Posts: 739

Re: VPN issue...[Closed] T_T ru guys, welcome.

tupadown228 wrote:
from generated /etc/iptables/add-openvpn-rules.sh

iptables -t nat -I POSTROUTING 1 -s 10.8.0.0/24 -o ens192 -j MASQUERADE
iptables -I INPUT 1 -i tun0 -j ACCEPT
iptables -I FORWARD 1 -i ens192 -o tun0 -j ACCEPT
iptables -I FORWARD 1 -i tun0 -o ens192 -j ACCEPT
iptables -I INPUT 1 -i ens192 -p udp --dport 11994 -j ACCEPT
ip6tables -t nat -I POSTROUTING 1 -s fd42:42:42:42::/112 -o ens192 -j MASQUERADE
ip6tables -I INPUT 1 -i tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i ens192 -o tun0 -j ACCEPT
ip6tables -I FORWARD 1 -i tun0 -o ens192 -j ACCEPT
ip6tables -I INPUT 1 -i ens192 -p udp --dport 11994 -j ACCEPT

Those server rules look O.K. to me.

tupadown228 wrote:

Should I add some of them? Goddamn, not having knowledge sucks.

We'll get there - be patient.

The most likely culprit now is a mismatched OpenVPN option.
Please use this server configuration:

port 11994
proto udp6
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
push "redirect-gateway def1 bypass-dhcp"
server-ipv6 fd42:42:42:42::/112
tun-ipv6
push tun-ipv6
push "route-ipv6 2000::/3"
push "redirect-gateway ipv6"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
ca ca.crt
cert server_A7vEzNqMWKlJHLcR.crt
key server_A7vEzNqMWKlJHLcR.key
tls-server
tls-version-min 1.3
status /var/log/openvpn/status.log
verb 3

and this client configuration:

client
dev tun
proto udp
remote REMOTE_MACHINE_IP 11994
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ignore-unknown-option block-outside-dns
verb 3
[...] inline keys and certs

Make sure the keys and CA cert match (same tls-crypt key).

Try the ping again.

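Besides the posted iptables rules, a server that should route VPN clients to the internet needs kernel forwarding switched on, a MASQUERADE rule for the VPN subnet, FORWARD rules in both directions and the listening port open. The thread never shows the sysctl side. The script below is an added example, not code from the thread or from Nyr/openvpn-install: it checks captured text offline (output of `sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding` and of `iptables -S; iptables -t nat -S`), using the thread's interface names, subnet and port. The sample captures in it are constructed, not real output.

```shell
#!/bin/sh
# Added example (not from the thread or the Nyr script): offline check of the
# server-side prerequisites for "clients connect but get no internet".
# Inputs are text captured on the server, e.g.
#   sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding
#   iptables -S; iptables -t nat -S
# The sample captures at the bottom are constructed for a stand-alone run.

# check_forwarding SYSCTL_TEXT ipv4|ipv6 -> prints "ok" or "missing"
check_forwarding() {
  key=
  case $2 in
    ipv4) key='net.ipv4.ip_forward' ;;
    ipv6) key='net.ipv6.conf.all.forwarding' ;;
    *) echo "usage: check_forwarding TEXT ipv4|ipv6" >&2; return 2 ;;
  esac
  # sysctl prints "key = 1"; anything else (0 or absent) means packets from
  # tun0 are never forwarded to the WAN interface, NAT rules or not.
  if printf '%s\n' "$1" | grep -qxF "$key = 1"; then echo ok; else echo missing; fi
}

# rule_present RULES_TEXT PATTERN -> exit 0 if some rule matches PATTERN (ERE)
# Matching only the part after the chain name keeps this working whether the
# rule sits in FORWARD (plain iptables) or FORWARD_direct (firewalld --direct).
rule_present() {
  printf '%s\n' "$1" | grep -qE -- "$2"
}

# check_rules RULES_TEXT SUBNET WAN_IF TUN_IF PORT
# -> prints the names of missing rules, space separated (empty = all present).
# The ".*" before "-j ACCEPT" also accepts the stateful "-m state" variants.
check_rules() {
  rules=$1 subnet=$2 wan=$3 tun=$4 port=$5
  missing=
  rule_present "$rules" "-s $subnet -o $wan -j MASQUERADE" || missing="$missing masquerade"
  rule_present "$rules" "-i $tun -o $wan.* -j ACCEPT"      || missing="$missing forward-out"
  rule_present "$rules" "-i $wan -o $tun.* -j ACCEPT"      || missing="$missing forward-in"
  rule_present "$rules" "--dport $port -j ACCEPT"          || missing="$missing port"
  printf '%s\n' "${missing# }"
}

# Constructed sample captures (hypothetical values, not real server output).
GOOD_SYSCTL='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1'
BAD_SYSCTL='net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0'
GOOD_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -i ens192 -p udp -m udp --dport 11994 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o ens192 -j ACCEPT
-A FORWARD -i ens192 -o tun0 -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o ens192 -j MASQUERADE'
# Same host with the nat table empty and the return-path FORWARD rule gone.
BAD_RULES='-A INPUT -i ens192 -p udp -m udp --dport 11994 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o ens192 -j ACCEPT'

# Demo run against the constructed captures.
for fam in ipv4 ipv6; do
  echo "forwarding $fam: $(check_forwarding "$BAD_SYSCTL" $fam)"
done
echo "missing rules: [$(check_rules "$BAD_RULES" 10.8.0.0/24 ens192 tun0 11994)]"
```

On the real server, replace the constructed strings with `"$(sysctl ...)"` and `"$(iptables -S; iptables -t nat -S)"`; with firewalld, the direct rules show up in the `*_direct` chains and the port rule may come from the zone instead of a direct rule, which is why the patterns avoid chain names.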

#22 2024-10-19 20:04:50

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

So... nothing changes. (
ip r;
ip -6 r;
ping 1.1.1.1; does not work
ping 10.8.0.1; does not work
ping 10.8.0.2; works
drill dns.google; does not work
)

I edited server.conf on the remote machine.
I restarted the ovpn server service on the remote machine.
I edited the client.ovpn file and added it on the laptop.
I enabled the VPN and ran the tests.
Then I restarted the NetworkManager service on my laptop and repeated the previous actions.
UPD2: I checked that on an Ubuntu laptop; the result is the same. T_T

P.S.
Sorry, I had to sleep and do some tasks at home...

UPD: I see changes in the ovpn server logs

2:58 openvpn[61139]: user/MY_MACHINE_IP:59272 SENT CONTROL [user]: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1 bypass-dhcp,tun-ipv6,rout>
2:58 openvpn[61139]: user/MY_MACHINE_IP:59272 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2:58 openvpn[61139]: user/MY_MACHINE_IP:59272 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2:58 openvpn[61139]: user/MY_MACHINE_IP:59272 MULTI: primary virtual IPv6 for user/MY_MACHINE_IP:59272: fd42:42:42:42::2
2:58 openvpn[61139]: user/MY_MACHINE_IP:59272 MULTI: Learn: fd42:42:42:42::2 -> user/MY_MACHINE_IP:59272
2:58 openvpn[61139]: user/MY_MACHINE_IP:59272 MULTI: primary virtual IP for user/MY_MACHINE_IP:59272: 10.8.0.2
2:58 openvpn[61139]: user/MY_MACHINE_IP:59272 MULTI: Learn: 10.8.0.2 -> user/MY_MACHINE_IP:59272
2:58 openvpn[61139]: user/MY_MACHINE_IP:59272 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=fd42:42:42:42::2
2:58 openvpn[61139]: MY_MACHINE_IP:59272 [user] Peer Connection Initiated with [AF_INET6]::ffff:MY_MACHINE_IP:59272
2:58 openvpn[61139]: MY_MACHINE_IP:59272 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bit EC, curve prime256v1, signature: ecdsa-with-SHA256
2:58 openvpn[61139]: MY_MACHINE_IP:59272 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128' <----
2:58 openvpn[61139]: MY_MACHINE_IP:59272 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1' <----
2:58 openvpn[61139]: MY_MACHINE_IP:59272 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1541' <----
2:58 openvpn[61139]: MY_MACHINE_IP:59272 peer info: IV_COMP_STUBv2=1
2:58 openvpn[61139]: MY_MACHINE_IP:59272 peer info: IV_COMP_STUB=1
2:58 openvpn[61139]: MY_MACHINE_IP:59272 peer info: IV_LZO_STUB=1
2:58 openvpn[61139]: MY_MACHINE_IP:59272 peer info: IV_PROTO=990
2:58 openvpn[61139]: MY_MACHINE_IP:59272 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
2:58 openvpn[61139]: MY_MACHINE_IP:59272 peer info: IV_NCP=2
2:58 openvpn[61139]: MY_MACHINE_IP:59272 peer info: IV_MTU=1600
2:58 openvpn[61139]: MY_MACHINE_IP:59272 peer info: IV_TCPNL=1
2:58 openvpn[61139]: MY_MACHINE_IP:59272 peer info: IV_PLAT=linux
2:58 openvpn[61139]: MY_MACHINE_IP:59272 peer info: IV_VER=2.6.12
2:58 openvpn[61139]: MY_MACHINE_IP:59272 VERIFY OK: depth=0, CN=user
2:58 openvpn[61139]: MY_MACHINE_IP:59272 VERIFY OK: depth=1, CN=cn_qHIl2i2Rlyyfw4WD
2:58 openvpn[61139]: MY_MACHINE_IP:59272 TLS: Initial packet from [AF_INET6]::ffff:MY_MACHINE_IP:59272, sid=ec9fcb7f ea1056d0
2:58 openvpn[61139]: MY_MACHINE_IP:59272 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2:58 openvpn[61139]: MY_MACHINE_IP:59272 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2:58 openvpn[61139]: MY_MACHINE_IP:59272 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2:58 openvpn[61139]: MY_MACHINE_IP:59272 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key

These are the connection logs from the ovpn client on my Arch laptop

2:26 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2:26 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2:26 OpenVPN 2.6.12 [git:makepkg/038a94bae57a446c+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Jul 18 2024
2:26 library versions: OpenSSL 3.2.0 23 Nov 2023, LZO 2.10
2:26 DCO version: N/A
2:26 TCP/UDP: Preserving recently used remote address: [AF_INET]REMOTE_MACHINE_IP:11994
2:26 Socket Buffers: R=[212992->212992] S=[212992->212992]
2:26 UDPv4 link local: (not bound)
2:26 UDPv4 link remote: [AF_INET]REMOTE_MACHINE_IP:11994
2:26 TLS: Initial packet from [AF_INET]REMOTE_MACHINE_IP:11994, sid=7f138284 74845018
2:28 VERIFY OK: depth=1, CN=cn_qHIl2i2Rlyyfw4WD
2:28 VERIFY KU OK
2:28 Validating certificate extended key usage
2:28 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2:28 VERIFY EKU OK
2:28 VERIFY OK: depth=0, CN=server_A7vEzNqMWKlJHLcR
2:28 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ECprime256v1, signature: ecdsa-with-SHA256, peer temporary key: 256 bits ECprime256v1
2:28 [server_A7vEzNqMWKlJHLcR] Peer Connection Initiated with [AF_INET]REMOTE_MACHINE_IP:11994
2:28 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2:28 TLS: tls_multi_process: initial untrusted session promoted to trusted
2:28 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1 bypass-dhcp,tun-ipv6,route-ipv6 2000::/3,redirect-gateway ipv6,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fd42:42:42:42::2/112 fd42:42:42:42::1,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
2:28 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2:28 OPTIONS IMPORT: --ifconfig/up options modified
2:28 OPTIONS IMPORT: route options modified
2:28 OPTIONS IMPORT: route-related options modified
2:28 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2:28 net_route_v4_best_gw query: dst 0.0.0.0
2:28 net_route_v4_best_gw result: via 192.168.0.2 dev wlan0
2:28 ROUTE_GATEWAY 192.168.0.2/255.255.255.0 IFACE=wlan0 HWADDR=84:7b:57:67:69:0c
2:28 GDG6: remote_host_ipv6=n/a
2:28 net_route_v6_best_gw query: dst ::
2:28 sitnl_send: rtnl: generic error (-101): Network is unreachable
2:28 ROUTE6: default_gateway=UNDEF
2:28 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
2:28 Exiting due to fatal error

Last edited by tupadown228 (2024-10-19 21:00:47)


#23 2024-10-20 15:04:40

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

I added this. Nothing changes.

firewall-cmd --permanent --direct --passthrough ipv4 -A FORWARD -i ens192 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT;
firewall-cmd --permanent --direct --passthrough ipv4 -A FORWARD -i tun0 -o ens192 -m state --state ESTABLISHED,RELATED -j ACCEPT;
firewall-cmd --permanent --direct --passthrough ipv6 -A FORWARD -i ens192 -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT;
firewall-cmd --permanent --direct --passthrough ipv6 -A FORWARD -i tun0 -o ens192 -m state --state ESTABLISHED,RELATED -j ACCEPT;
firewall-cmd --reload;

These are the connection logs from the ovpn client on my laptop after adding this line to server.conf (these logs are different from the previous ovpn client connection logs):

push "route 10.8.0.1 255.255.255.0"
4:17 Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
4:17 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
4:17 OpenVPN 2.6.12 [git:makepkg/038a94bae57a446c+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Jul 18 2024
4:17 library versions: OpenSSL 3.2.0 23 Nov 2023, LZO 2.10
4:17 DCO version: N/A
4:17 TCP/UDP: Preserving recently used remote address: [AF_INET]REMOTE_MACHINE_IP:11994
4:17 Socket Buffers: R=[212992->212992] S=[212992->212992]
4:17 UDPv4 link local: (not bound)
4:17 UDPv4 link remote: [AF_INET]REMOTE_MACHINE_IP:11994
4:17 TLS: Initial packet from [AF_INET]REMOTE_MACHINE_IP:11994, sid=5b992d28 7043be20
4:17 VERIFY OK: depth=1, CN=cn_qHIl2i2Rlyyfw4WD
4:17 VERIFY KU OK
4:17 Validating certificate extended key usage
4:17 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
4:17 VERIFY EKU OK
4:17 VERIFY OK: depth=0, CN=server_A7vEzNqMWKlJHLcR
4:17 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 256 bits ECprime256v1, signature: ecdsa-with-SHA256, peer temporary key: 256 bits ECprime256v1
4:17 [server_A7vEzNqMWKlJHLcR] Peer Connection Initiated with [AF_INET]REMOTE_MACHINE_IP:11994
4:17 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
4:17 TLS: tls_multi_process: initial untrusted session promoted to trusted
4:17 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1 255.255.255.0,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,redirect-gateway def1 bypass-dhcp,tun-ipv6,route-ipv6 2000::/3,redirect-gateway ipv6,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fd42:42:42:42::2/112 fd42:42:42:42::1,ifconfig 10.8.0.2 255.255.255.0,peer-id 1,cipher AES-256-GCM'
4:17 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
4:17 OPTIONS IMPORT: --ifconfig/up options modified
4:17 OPTIONS IMPORT: route options modified
4:17 OPTIONS IMPORT: route-related options modified
4:17 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
4:17 net_route_v4_best_gw query: dst 0.0.0.0
4:17 net_route_v4_best_gw result: via 10.8.0.1 dev tun0 <====
4:17 ROUTE_GATEWAY 10.8.0.1/255.255.255.0 IFACE=tun0 HWADDR=00:00:00:00:00:00 <====
4:17 GDG6: remote_host_ipv6=n/a
4:17 net_route_v6_best_gw query: dst :: <====
4:17 net_route_v6_best_gw result: via fd42:42:42:42::1 dev tun0 <====
4:17 ROUTE6_GATEWAY fd42:42:42:42::1 IFACE=tun0 <====
4:17 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
4:17 Exiting due to fatal error


#24 2024-10-20 15:25:11

-thc
Member
Registered: 2017-03-15
Posts: 739

Re: VPN issue...[Closed] T_T ru guys, welcome.

So it's getting a little weird now. Please stop making random changes that someone mentioned somewhere.

I can only help you if I understand the situation.

How did you manage not to apply updates to your system for a year? The OpenSSL is from November 2023, but the OpenVPN is the latest (2.6.12) from July 2024.

You mentioned that your client is networkmanager-openvpn, but that's not very likely. A typical networkmanager-openvpn connect log looks like this:

Oct 20 10:30:32 hal NetworkManager[673]: <info>  [1729413032.0346] vpn[0x57736bacd230,637f75a3-fdc6-4eb2-80b9-bdd5f756d9d7,"xxxxxxx"]: starting openvpn
Oct 20 10:30:35 box nm-openvpn[4934]: Note: --cipher is not set. OpenVPN versions before 2.5 defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
Oct 20 10:30:35 box nm-openvpn[4934]: OpenVPN 2.6.12 [git:makepkg/038a94bae57a446c+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Jul 18 2024
Oct 20 10:30:35 box nm-openvpn[4934]: library versions: OpenSSL 3.3.2 3 Sep 2024, LZO 2.10
Oct 20 10:30:35 box nm-openvpn[4934]: DCO version: N/A
Oct 20 10:30:35 box nm-openvpn[4934]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Oct 20 10:30:35 box nm-openvpn[4934]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 20 10:30:35 box nm-openvpn[4934]: TCP/UDP: Preserving recently used remote address: [AF_INET]xx.xxx.171.129:1194
Oct 20 10:30:35 box nm-openvpn[4934]: UDPv4 link local: (not bound)
Oct 20 10:30:35 box nm-openvpn[4934]: UDPv4 link remote: [AF_INET]xx.xxx.171.129:1194
Oct 20 10:30:35 box nm-openvpn[4934]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Oct 20 10:30:36 box nm-openvpn[4934]: [synology] Peer Connection Initiated with [AF_INET]xx.xxx.171.129:1194
Oct 20 10:30:36 box nm-openvpn[4934]: TUN/TAP device tun0 opened
Oct 20 10:30:36 box nm-openvpn[4934]: /usr/lib/nm-openvpn-service-openvpn-helper --debug 0 4919 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_5 --tun -- tun0 1500 0 10.8.0.10 10.8.0.9 init
Oct 20 10:30:36 box nm-openvpn[4934]: UID set to nm-openvpn
Oct 20 10:30:36 box nm-openvpn[4934]: GID set to nm-openvpn
Oct 20 10:30:36 box nm-openvpn[4934]: Capabilities retained: CAP_NET_ADMIN
Oct 20 10:30:36 box nm-openvpn[4934]: Initialization Sequence Completed

Since you are providing the ovpn file (which is not actively used by networkmanager-openvpn) and verbose log files, you seem to start OpenVPN on your own?

Why do you post server logs from 2:58 and client logs from 2:28? Is there a reason?

Your first OpenVPN client log looks different (date/long time/message) from the last two (short time/message) - what does that mean?

This line

4:17 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)

indicates that the openvpn process has no root privileges. Why was this no problem in your first post?

Last edited by -thc (2024-10-20 15:41:46)

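The diagnosis above comes straight from the log text: `TUNSETIFF ... Operation not permitted` means the process could not create the tun device, which needs root or CAP_NET_ADMIN, and everything after that point (routes, DNS, the pings in post #22) never had a chance. The script below is an added example, not code from the thread: it triages an OpenVPN log (client or server side, the message format is the same) for the three problems visible in this thread and prints a verdict. The sample logs in it are constructed from the thread's log lines. Note that the thread's own server log shows the data channel initialised with AES-256-GCM right after the `'auth'`/`'keysize'` warnings, so those are reported but are not what stopped this connection; the TUNSETIFF error is.

```shell
#!/bin/sh
# Added example (not from the thread): triage an OpenVPN log for the problems
# seen in this thread. Prints one finding per line, then a verdict line:
#   no-tun-privilege  TUNSETIFF failed with EPERM: openvpn runs without root
#                     or CAP_NET_ADMIN, so no tun device and no VPN at all
#   option-mismatch   "'X' is used inconsistently": server and client disagree
#                     on an option such as auth, keysize or link-mtu
#   duplicate-push    redirect-gateway pushed more than once (the posted
#                     server config pushes it for IPv4 and again for IPv6)
#   verdict           connected / failed / incomplete (log ends before either)
# Sample logs below are constructed from the thread's output, not real captures.

triage_openvpn_log() {
  log=$1
  printf '%s\n' "$log" | grep -q 'Cannot ioctl TUNSETIFF.*Operation not permitted' \
    && echo 'no-tun-privilege: run openvpn as root or grant CAP_NET_ADMIN'
  # Pull the option name and both sides' values out of every inconsistency warning.
  printf '%s\n' "$log" | sed -n \
    "s/.*WARNING: '\([^']*\)' is used inconsistently, local='\([^']*\)', remote='\([^']*\)'.*/option-mismatch: \1 (local \"\2\", remote \"\3\")/p"
  printf '%s\n' "$log" | grep -q 'redirect-gateway and redirect-private at the same time' \
    && echo 'duplicate-push: redirect-gateway appears more than once in PUSH_REPLY'
  if printf '%s\n' "$log" | grep -q 'Initialization Sequence Completed'; then
    echo 'verdict: connected'
  elif printf '%s\n' "$log" | grep -q 'Exiting due to fatal error'; then
    echo 'verdict: failed'
  else
    echo 'verdict: incomplete'
  fi
}

# Constructed from the thread's client log (post #22): push received, then EPERM.
SAMPLE_CLIENT_LOG="2:28 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,redirect-gateway ipv6,ifconfig 10.8.0.2 255.255.255.0'
2:28 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2:28 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
2:28 Exiting due to fatal error"

# Constructed from the thread's server log (post #22): option warnings only.
SAMPLE_SERVER_LOG="2:58 openvpn[61139]: MY_MACHINE_IP:59272 WARNING: 'auth' is used inconsistently, local='auth [null-digest]', remote='auth SHA1'
2:58 openvpn[61139]: MY_MACHINE_IP:59272 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1549', remote='link-mtu 1541'
2:58 openvpn[61139]: MY_MACHINE_IP:59272 peer info: IV_VER=2.6.12"

# Constructed from -thc's networkmanager-openvpn log (post #24): a working connect.
SAMPLE_OK_LOG="Oct 20 10:30:36 box nm-openvpn[4934]: TUN/TAP device tun0 opened
Oct 20 10:30:36 box nm-openvpn[4934]: Capabilities retained: CAP_NET_ADMIN
Oct 20 10:30:36 box nm-openvpn[4934]: Initialization Sequence Completed"

# Demo run; on a real client use: triage_openvpn_log "$(journalctl -u openvpn-client@NAME)"
for sample in "$SAMPLE_CLIENT_LOG" "$SAMPLE_SERVER_LOG" "$SAMPLE_OK_LOG"; do
  triage_openvpn_log "$sample"
  echo '---'
done
```

The verdict is deliberately based on `Initialization Sequence Completed` rather than on the absence of errors: a log that stops before either marker (such as the server excerpt) is reported as incomplete instead of healthy.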

#25 2024-10-20 16:09:10

tupadown228
Member
Registered: 2022-10-25
Posts: 45

Re: VPN issue...[Closed] T_T ru guys, welcome.

This line

4:17 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)

indicates that the openvpn process has no root privileges. Why was this no problem in your first post?

*facepalm* Sorry. I posted it because I forgot about root privileges and did not read it properly (twice... (*facepalm x100_000_000*)). I am degrading.

Your first OpenVPN client log looks different (date/long time/message) from the last two (short time/message) - what does that mean?

I think (lol) that logs without the long timestamp are cleaner...

Since you are providing the ovpn file (which is not used actively by networkmanager-openvpn) and verbose log files you seem to start OpenVPN on your own?

Yes, I run networkmanager-openvpn and then openvpn, but I posted the logs from openvpn, because it should be under the hood of networkmanager-openvpn, so it has more credibility...

How did you manage to not apply updates to your system for a year, the OpenSSL is from November 2023 but the OpenVPN is the latest (2.6.12) from July 2024?

I don't know what to say...

So it's getting a little weird now. Please stop making random changes that someone mentioned somewhere.

Okay. But I write down the entered commands/steps separately so as not to get confused.
How can you win without a fight...



Powered by FluxBB