Linode Forum
https://forum.linode.com/

Setup OpenVPN server
https://forum.linode.com/viewtopic.php?f=19&t=11779
Page 2 of 3

Author:  Webkungen [ Tue Apr 28, 2015 8:02 am ]
Post subject:  Re: Setup OpenVPN server

Now I tried to copy/paste your server config exactly, but I added the values for:

Code:
dh
ca
cert
key


I'm connected, but still with gateway 192.168.255.5 and DHCP 192.168.255.5 instead of 192.168.255.1

Can't figure out what's going on, or how I can fix this. Have googled for hours reading threads from people with different issues, but it doesn't matter what I try, the problem persists.

Author:  obs [ Tue Apr 28, 2015 11:14 am ]
Post subject:  Re: Setup OpenVPN server

192.168.255.5 is the correct gateway; that's how openvpn works. You'll see 192.168.255.6 as your IP. You should get your server's IP if you connect to an external site.

Author:  sweh [ Tue Apr 28, 2015 11:20 am ]
Post subject:  Re: Setup OpenVPN server

obs wrote:
You should get your server's IP if you connect to an external site.

Don't you need to set up IP Masquerading for that to work?

Author:  Webkungen [ Tue Apr 28, 2015 6:16 pm ]
Post subject:  Re: Setup OpenVPN server

I have set up "dnsmasq" or what it was called, and nope, sorry, still not working. Do I have to bridge the ethernet adapters or something like that? Was thinking, could it possibly be a limitation in my modem/ISP? I've got a pocket Wifi (3g) LTE Modem.

I still don't understand why I cannot ping the DNS or Gateway (192.168.255.5) I'm getting, what is the reason for that?

Author:  obs [ Wed Apr 29, 2015 4:57 am ]
Post subject:  Re: Setup OpenVPN server

sweh wrote:
obs wrote:
You should get your server's IP if you connect to an external site.

Don't you need to set up IP Masquerading for that to work?


Possibly, I don't on my server, but it could be the OP's firewall killing it or something else specific to their server or even their ISP. I run openvpn from docker so all I have is IP forwarding enabled in the kernel, and iptables forwarding ovpn requests to the docker instance; it just works out of the box for me.

Author:  Webkungen [ Wed Apr 29, 2015 5:20 am ]
Post subject:  Re: Setup OpenVPN server

So how do I look at my iptables settings for these OpenVPN clients' traffic?

Author:  kangaby [ Wed Apr 29, 2015 11:06 pm ]
Post subject:  Re: Setup OpenVPN server

Webkungen wrote:
Good morning
Note that in the image above, I also enabled push "redirect-gateway" in the config (which is different from your config) but when I comment it out, the only difference is that "Default gateway" is blank when connected to the server.


I read in one of the online guides, you need to put the redirect-gateway in the client config file, as putting it in the server config file didn't work properly.
This may or may not help: http://marguspala.com/simple-way-to-rou ... h-openvpn/

"redirect-gateway def1" changes client routing table so that all traffic is directed via server. Without it only traffic sent to server's IP 10.66.77.1 will be sent there. Most materials in web recommend to add to server config push "redirect-gateway def1" but this is not working in some cases so better add this config directly to client

Author:  Webkungen [ Thu Apr 30, 2015 3:32 am ]
Post subject:  Re: Setup OpenVPN server

Still not getting gateway correct, have the push directive in server config, and redirect-gateway in the client config. But I can telnet the smtp server with the local IP, which is good.

Code:
#:/etc/openvpn# ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.255.1  P-t-P:192.168.255.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1542 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:113781 (111.1 KiB)  TX bytes:724 (724.0 B)


My server is configured with local IP as well, is there a way to use those ip addresses for the VPN as well, i.e. so I will be able to reach the other debian boxes in the local network?
Code:
eth0:0    Link encap:Ethernet  HWaddr f2:3c:91:df:58:af
          inet addr:192.168.192.172  Bcast:192.168.255.255  Mask:255.255.128.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

Author:  Webkungen [ Thu Apr 30, 2015 8:57 pm ]
Post subject:  Re: Setup OpenVPN server

The OpenVPN log for the client looks like this when connecting:
Code:
Fri May 01 08:45:44 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.4.4,dhcp-option DNS 8.8.8.8,route 192.168.255.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5'
Fri May 01 08:45:44 2015 OPTIONS IMPORT: timers and/or timeouts modified
Fri May 01 08:45:44 2015 OPTIONS IMPORT: --ifconfig/up options modified
Fri May 01 08:45:44 2015 OPTIONS IMPORT: route options modified
Fri May 01 08:45:44 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri May 01 08:45:44 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri May 01 08:45:44 2015 MANAGEMENT: >STATE:1430441144,ASSIGN_IP,,192.168.255.6,
Fri May 01 08:45:44 2015 open_tun, tt->ipv6=0
Fri May 01 08:45:44 2015 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{BB81A1BE-F61B-4431-A315-F44EA2AA0E91}.tap
Fri May 01 08:45:44 2015 TAP-Windows Driver Version 9.21
Fri May 01 08:45:44 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.255.6/255.255.255.252 on interface {BB81A1BE-F61B-4431-A315-F44EA2AA0E91} [DHCP-serv: 192.168.255.5, lease-time: 31536000]
Fri May 01 08:45:44 2015 Successful ARP Flush on interface [48] {BB81A1BE-F61B-4431-A315-F44EA2AA0E91}
Fri May 01 08:45:49 2015 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 178.79.135.11 MASK 255.255.255.255 192.168.0.1
Fri May 01 08:45:49 2015 Warning: route gateway is ambiguous: 192.168.0.1 (2 matches)
Fri May 01 08:45:49 2015 Route addition via IPAPI failed [adaptive]
Fri May 01 08:45:49 2015 Route addition fallback to route.exe
Fri May 01 08:45:49 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.255.5
Fri May 01 08:45:49 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Fri May 01 08:45:49 2015 Route addition via IPAPI succeeded [adaptive]
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.255.5
Fri May 01 08:45:49 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Fri May 01 08:45:49 2015 Route addition via IPAPI succeeded [adaptive]
Fri May 01 08:45:49 2015 MANAGEMENT: >STATE:1430441149,ADD_ROUTES,,,
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 192.168.255.1 MASK 255.255.255.255 192.168.255.5
Fri May 01 08:45:49 2015 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Fri May 01 08:45:49 2015 Route addition via IPAPI succeeded [adaptive]
Fri May 01 08:45:49 2015 Initialization Sequence Completed
Fri May 01 08:45:49 2015 MANAGEMENT: >STATE:1430441149,CONNECTED,SUCCESS,192.168.255.6,178.79.135.11


This looks like an error, but what does it mean?
Code:
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 178.79.135.11 MASK 255.255.255.255 192.168.0.1
Fri May 01 08:45:49 2015 Warning: route gateway is ambiguous: 192.168.0.1 (2 matches)
Fri May 01 08:45:49 2015 Route addition via IPAPI failed [adaptive]
Fri May 01 08:45:49 2015 Route addition fallback to route.exe


Can the problem have to do with my local IPs?

From my modem I'm getting 192.168.0.x in my local network, and on the vpn server there is also a local ip setup, using 192.168.192.x
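
Added example, not part of any poster's message: a short Python parser run over lines taken from the client log in the post above. It shows the net30 pairing (client .6 and gateway .5 are the two hosts of one /30) and the two /1 routes that `redirect-gateway def1` installs; the function name and result keys are made up for this illustration.

```python
import ipaddress
import re

# Sample input: lines taken from the client log posted above.
SAMPLE_LOG = r"""
Fri May 01 08:45:44 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 8.8.4.4,dhcp-option DNS 8.8.8.8,route 192.168.255.1,topology net30,ping 10,ping-restart 60,ifconfig 192.168.255.6 192.168.255.5'
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 178.79.135.11 MASK 255.255.255.255 192.168.0.1
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.255.5
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.255.5
Fri May 01 08:45:49 2015 C:\WINDOWS\system32\route.exe ADD 192.168.255.1 MASK 255.255.255.255 192.168.255.5
"""

PUSH_RE = re.compile(r"PUSH_REPLY,([^']*)'")
ROUTE_RE = re.compile(r"route\.exe ADD (\S+) MASK (\S+) (\S+)")
HALVES = [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]


def analyze_client_log(log_text):
    """Summarise what the pushed options and route.exe calls do to the client."""
    push = PUSH_RE.search(log_text)
    options = push.group(1).split(",") if push else []
    local = peer = None
    for opt in options:
        parts = opt.split()
        if len(parts) == 3 and parts[0] == "ifconfig":
            local, peer = (ipaddress.ip_address(p) for p in parts[1:])
    routes = {}  # destination network -> gateway used for it
    for dest, mask, gw in ROUTE_RE.findall(log_text):
        routes[ipaddress.ip_network(f"{dest}/{mask}")] = ipaddress.ip_address(gw)
    tunnel_net = ipaddress.ip_network(f"{local}/30", strict=False) if local else None
    return {
        "topology": next((o.split()[1] for o in options if o.startswith("topology ")), None),
        "client_ip": str(local) if local else None,
        "tunnel_gateway": str(peer) if peer else None,
        # net30: the client and its gateway are the two usable hosts of one /30
        "peer_in_same_slash30": tunnel_net is not None and peer in tunnel_net.hosts(),
        # def1: two /1 routes via the tunnel override the default route without deleting it
        "all_traffic_via_tunnel": peer is not None
        and all(routes.get(h) == peer for h in HALVES),
        # /32 routes that stay outside the tunnel (here: the VPN server's public IP)
        "bypass_hosts": sorted(str(n.network_address) for n, g in routes.items()
                               if n.prefixlen == 32 and g != peer),
    }
```

For this log the client side is set up as intended: all traffic is routed into the tunnel, so the missing piece has to be on the server.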

Author:  kangaby [ Thu Apr 30, 2015 10:41 pm ]
Post subject:  Re: Setup OpenVPN server

This might be unrelated. On my Linode I had Debian 7, with openvpn, and I could send traffic up the VPN and out to the world. Checking whatsmyip, my traffic was originating from my Linode.
I upgraded to Debian 8 this week, to get openvpn with IP6, but with my original configs, I can't get to the outside world anymore, and yes, I have set IP forwarding in the kernel.

So are you by chance running Debian 8? If so I don't have an answer. Also you need to have redirect-gateway without the def1 to get the default gateway to be set for the vpn. Well at least I did, and it was also mentioned at one other tutorial site. Problem is so much has changed, and most of the tutorials appear out of date, compared to how you had to do things, and how you now have to do things.

In the log above, you have:
Code:
Warning: route gateway is ambiguous: 192.168.0.1 (2 matches)
this could be bad, maybe.

Author:  Webkungen [ Fri May 01, 2015 1:14 am ]
Post subject:  Re: Setup OpenVPN server

I removed "def1" now from both server and client config.

When I connect to the VPN, I'm unable to browse any website at all. However, I can ping and telnet services on the local network (VPN server).

Trying to trace Google.com:
Code:
# tracert google.com

Tracing route to google.com [216.58.221.46]
over a maximum of 30 hops:

  1   464 ms   448 ms   399 ms  192.168.255.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
...
 30     *        *        *     Request timed out.


As you see I never come outside the network on the server. Same result with firewall (csf) disabled. My guess is that there MUST BE some kind of server config between the network interfaces (bridging or similar?) I'm missing?

Author:  kangaby [ Fri May 01, 2015 6:09 am ]
Post subject:  Re: Setup OpenVPN server

Well I've got my problem sorted out - I hadn't done the iptables bit at the bottom.
Also you can have def1 in the client side, and existing connections (ssh) will be maintained when the VPN comes up.

On the Server:
Code:
# Set your server IP address here
local xx.xx.xx.xx
port 1194
proto udp
dev tun
# Default topology is net30 - change to use normal subnet
topology subnet
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
server 172.16.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 1800 4000
tls-auth ta.key 0 # This file is secret
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 4


On the client:
Code:
client
dev tun
dev-node "Windows TAP Adapter"
proto udp
# Put your server IP address or Domain name here
remote example.com 1194
redirect-gateway def1
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\PC.crt"
key "C:\\Program Files\\OpenVPN\\config\\PC.key"
remote-cert-tls server
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 1
comp-lzo
verb 3


Turn on IP forwarding on the server:
Code:
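# Enable IPv4 forwarding in the running kernel (not persistent across reboots)
echo 1 > /proc/sys/net/ipv4/ip_forward
# NAT traffic from the VPN subnet (the "server" line above) leaving via eth0
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE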


Now, back to that pesky IP6 part.
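
Added example, not part of the post above: a Python check that the two server-side prerequisites from this post (kernel forwarding and a MASQUERADE rule matching the `server` subnet) are actually in place. The function names and sample inputs are constructed for illustration; it only understands plain `-s`/`-o` rules in `iptables -S` format.

```python
import ipaddress
import re

# Constructed sample inputs, modelled on the server config and iptables command above.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE
"""
SAMPLE_SERVER_CONF = "dev tun\ntopology subnet\nserver 172.16.1.0 255.255.255.0\n"


def vpn_subnet(server_conf):
    """Return the network from the `server <net> <mask>` directive, or None."""
    m = re.search(r"^server\s+(\S+)\s+(\S+)", server_conf, re.MULTILINE)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}") if m else None


def check_nat(server_conf, ip_forward, nat_rules, wan_iface="eth0"):
    """List reasons why VPN clients would not reach the internet (empty = OK)."""
    subnet = vpn_subnet(server_conf)
    if subnet is None:
        return ["no 'server' directive found in OpenVPN config"]
    problems = []
    if ip_forward.strip() != "1":
        problems.append("net.ipv4.ip_forward is not 1")
    covered = False
    for line in nat_rules.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "POSTROUTING"] or tokens[-2:] != ["-j", "MASQUERADE"]:
            continue
        if "!" in tokens:  # negated matches are outside this simple parser
            continue
        opts = dict(zip(tokens[2:-2:2], tokens[3:-2:2]))
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        if subnet.subnet_of(src) and opts.get("-o", wan_iface) == wan_iface:
            covered = True
            if src.prefixlen < subnet.prefixlen:
                # NAT wider than the tunnel subnet also hides other sources
                problems.append(f"MASQUERADE source {src} is wider than VPN subnet {subnet}")
    if not covered:
        problems.append(f"no MASQUERADE rule for {subnet} out of {wan_iface}")
    return problems
```

On a real server, pass it the OpenVPN server config, the contents of /proc/sys/net/ipv4/ip_forward and the output of `iptables -t nat -S POSTROUTING`.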

Author:  kangaby [ Fri May 01, 2015 6:17 am ]
Post subject:  Re: Setup OpenVPN server

With the VPN up - here is the server ip addr:
Code:
18: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.16.1.1/24 brd 172.16.1.255 scope global tun0
       valid_lft forever preferred_lft forever


and the client ipconfig /all (trimmed)
Code:
Ethernet adapter Windows TAP Adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-C6-B6-B4-D3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.1.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, 1 May 2015 7:26:56 PM
   Lease Expires . . . . . . . . . . : Saturday, 30 April 2016 7:26:56 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 172.16.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled


Note there is no default gateway, but whatismyip returns my server's IP address, not my ISP's.
Removing the def1 from the client config sets this.
Code:
Ethernet adapter Windows TAP Adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-C6-B6-B4-D3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.1.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, 1 May 2015 8:23:03 PM
   Lease Expires . . . . . . . . . . : Saturday, 30 April 2016 8:23:02 PM
   Default Gateway . . . . . . . . . : 172.16.1.1
   DHCP Server . . . . . . . . . . . : 172.16.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

Author:  Webkungen [ Fri May 01, 2015 11:09 pm ]
Post subject:  Re: Setup OpenVPN server

Not getting this... I tried to copy your config exactly except the ca, cert and key (and changed local as well). Still same issue.. I can connect, I can ping the vpn server etc. but cannot browse internet at all. No matter what I do, I'm getting ERR_CONNECTION_TIMED_OUT.

Tried to disable both csf and my anti-virus/firewall software (ESET).

Author:  kangaby [ Sat May 02, 2015 12:09 am ]
Post subject:  Re: Setup OpenVPN server

Is eth0 on a public IP address and not a private IP address?
If it's on a private 192, 172, 10 it will be dropped by your server's upstream routers.

Also if you are trying to connect other servers / computers on the private IP address subnet of the VPN, you need to look into the client-to-client server config option and associated magic with ccd files that is required to make this work. I can't help you with that as I don't use it or need it.

All times are UTC-04:00