[Solved] Connection between AWS EC2 server and home client
Posted: Sun Jun 04, 2017 9:51 pm
Hi everyone,
So I've followed this guide to set up my own OpenVPN server from scratch on a Ubuntu box, only that I've used an AWS EC2 instance of Digital Ocean. I've got the OpenVPN server up and running as well as the client (my home desktop) duly configured. I can establish a VPN connection between the two, as I can see the "Initialization Sequence Completed" message on the client, but that's as far as it gets. After that, I can't access the Internet from the client nor ping anything at all, not even the OpenVPN server itself.
Here are a few details about my setup:
AWS
Ubuntu 16.04.2 running on an EC2 nano (1 core, 512MB RAM) instance on its own VPC and security group. Route table of the VPC below
It has its own Internet gateway (not an NAT gateway)
route -n of the server
The server has also an Elastic IP (static IP) allocated to it so I can SSH into it (when I'm not VPN'd, mind you) without a problem. As for the security group, my outbound traffic settings basically allow any kind of traffic to any kind of host and my inbound settings allow any UDP traffic on port 1194 from any source whatsoever (I will narrow this range down considerably but for the time being I just want to get it to work).
Server
iptable settings (basically none)
iptables -L
ifconfig -a
server.conf
OpenVPN Version
OpenVPN syslog snippet on startup and when the client connects
Client
client.ovpn
OpenVPN Version
Client's routing table when connected to the VPN server
As I said, judging by the stdout logs printed by both ends, VPN connection seems to be established OK but then the client has no network/Internet access at all.
I've spent a good amount of time troubleshooting this, looking into possible AWS security group issues, config file issues (e.g. mismatched settings between the client and server conf files), firewall issues on both ends, I have even run tcpdump on the server and could see incoming packets from the client although I'm not an expert at analysing network packet dumps so I couldn't really draw any solid conclusions by looking at it... Could anyone offer some help with this? I'd appreciate it immensely!
So I've followed this guide to set up my own OpenVPN server from scratch on a Ubuntu box, only that I've used an AWS EC2 instance of Digital Ocean. I've got the OpenVPN server up and running as well as the client (my home desktop) duly configured. I can establish a VPN connection between the two, as I can see the "Initialization Sequence Completed" message on the client, but that's as far as it gets. After that, I can't access the Internet from the client nor ping anything at all, not even the OpenVPN server itself.
Here are a few details about my setup:
AWS
Ubuntu 16.04.2 running on an EC2 nano (1 core, 512MB RAM) instance on its own VPC and security group. Route table of the VPC below
It has its own Internet gateway (not an NAT gateway)
route -n of the server
Code: Select all
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.1.1 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.31.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Server
iptable settings (basically none)
iptables -L
Code: Select all
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Code: Select all
eth0 Link encap:Ethernet HWaddr 02:2e:e3:58:d0:26
inet addr:172.31.1.187 Bcast:172.31.1.255 Mask:255.255.255.0
inet6 addr: fe80::2e:e3ff:fe58:d026/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:18447 errors:0 dropped:0 overruns:0 frame:0
TX packets:15656 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2083132 (2.0 MB) TX bytes:2408726 (2.4 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:160 errors:0 dropped:0 overruns:0 frame:0
TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:11840 (11.8 KB) TX bytes:11840 (11.8 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:320 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:96332 (96.3 KB) TX bytes:0 (0.0 B)
Code: Select all
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
# Use Google's DNS servers to resolve external addresses
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-128-CBC
auth SHA1
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
Code: Select all
OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
OpenVPN syslog snippet on startup and when the client connects
Code: Select all
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2525]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2525]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Jun 4 21:12:53 ip-172-31-1-187 systemd[1]: openvpn@server.service: PID file /run/openvpn/server.pid not readable (yet?) after start: No such file or directory
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: Diffie-Hellman initialized with 2048 bit key
Jun 4 21:12:53 ip-172-31-1-187 systemd[1]: Started OpenVPN connection to server.
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: TUN/TAP device tun0 opened
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: TUN/TAP TX queue length set to 100
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: /sbin/ip link set dev tun0 up mtu 1500
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: UDPv4 link local (bound): [undef]
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: UDPv4 link remote: [undef]
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: MULTI: multi_init called, r=256 v=256
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: ifconfig_pool_read(), in='client-with-pass,10.8.0.4', TODO: IPv6
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: succeeded -> ifconfig_pool_set()
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: ifconfig_pool_read(), in='client-pass,10.8.0.8', TODO: IPv6
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: succeeded -> ifconfig_pool_set()
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: IFCONFIG POOL LIST
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: client-with-pass,10.8.0.4
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: client-pass,10.8.0.8
Jun 4 21:12:53 ip-172-31-1-187 ovpn-server[2528]: Initialization Sequence Completed
Jun 4 21:13:06 ip-172-31-1-187 ovpn-server[2528]: <ip>:31969 TLS: Initial packet from [AF_INET]<ip>:31969, sid=f42796e8 a043209b
Jun 4 21:13:06 ip-172-31-1-187 ovpn-server[2528]: <ip>:31969 VERIFY OK: depth=1, C=GB, ST=CA, L=Cambridge, O=Anonymous, OU=Anonymous, CN=Anonymous CA, name=EasyRSA, emailAddress=anon@anon.com
Jun 4 21:13:06 ip-172-31-1-187 ovpn-server[2528]: <ip>:31969 VERIFY OK: depth=0, C=GB, ST=CA, L=Cambridge, O=Anonymous, OU=Anonymous, CN=client-pass, name=EasyRSA, emailAddress=anon@anon.com
Jun 4 21:13:06 ip-172-31-1-187 ovpn-server[2528]: <ip>:31969 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jun 4 21:13:06 ip-172-31-1-187 ovpn-server[2528]: <ip>:31969 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 4 21:13:06 ip-172-31-1-187 ovpn-server[2528]: <ip>:31969 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Jun 4 21:13:06 ip-172-31-1-187 ovpn-server[2528]: <ip>:31969 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun 4 21:13:06 ip-172-31-1-187 ovpn-server[2528]: <ip>:31969 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jun 4 21:13:06 ip-172-31-1-187 ovpn-server[2528]: <ip>:31969 [client-pass] Peer Connection Initiated with [AF_INET]<ip>:31969
Jun 4 21:13:06 ip-172-31-1-187 ovpn-server[2528]: client-pass/<ip>:31969 MULTI_sva: pool returned IPv4=10.8.0.8, IPv6=(Not enabled)
Jun 4 21:13:06 ip-172-31-1-187 ovpn-server[2528]: client-pass/<ip>:31969 MULTI: Learn: 10.8.0.8 -> client-pass/<ip>:31969
Jun 4 21:13:06 ip-172-31-1-187 ovpn-server[2528]: client-pass/<ip>:31969 MULTI: primary virtual IP for client-pass/<ip>:31969: 10.8.0.8
Jun 4 21:13:07 ip-172-31-1-187 ovpn-server[2528]: client-pass/<ip>:31969 PUSH: Received control message: 'PUSH_REQUEST'
Jun 4 21:13:07 ip-172-31-1-187 ovpn-server[2528]: client-pass/<ip>:31969 send_push_reply(): safe_cap=940
Jun 4 21:13:07 ip-172-31-1-187 ovpn-server[2528]: client-pass/<ip>:31969 SENT CONTROL [client-pass]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.8 255.255.255.0' (status=1)
client.ovpn
Code: Select all
ca ca.crt
cert client-pass.crt
key client-pass.key
remote <server_public_ip> 1194
comp-lzo
client
dev tun
redirect-gateway def1
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
proto udp
resolv-retry infinite
nobind
topology subnet
pull
persist-key
persist-tun
verb 3
mute 20
Code: Select all
OpenVPN 2.4.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 11 2017
library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.08
Code: Select all
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 100 0 0 enp3s0
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
<vpn_server_public_ip> 192.168.1.1 255.255.255.255 UGH 0 0 0 enp3s0
128.0.0.0 10.8.0.1 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 100 0 0 enp3s0
I've spent a good amount of time troubleshooting this, looking into possible AWS security group issues, config file issues (e.g. mismatched settings between the client and server conf files), firewall issues on both ends, I have even run tcpdump on the server and could see incoming packets from the client although I'm not an expert at analysing network packet dumps so I couldn't really draw any solid conclusions by looking at it... Could anyone offer some help with this? I'd appreciate it immensely!