OPENVPEN and an openvz container

schnibitz
OpenVpn Newbie
Posts: 12
Joined: Sun Feb 27, 2011 3:18 pm

OPENVPEN and an openvz container

Post by schnibitz » Thu Mar 03, 2011 11:10 pm

Hi everyone,
Been pulling my hair out. I have been renting an OpenVZ container, and asked them to enable everything I'd need for OpenVPN. The hosting co said they have, but try as I might, I can't get NAT to work, and I'm not sure if even IP forwarding is working.

There's a TON of documentation on the OPENVZ site, but so much of it deals with configuring the host which doesn't help me at all. Been trying to get this:

iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -j SNAT --to {my IP}

to work, but no go. I changed the default private network in OPENVPN btw to the 10.9.x.x subnet. Just hoping some kind soul out there has been through all of this before and would be able to point me in the right direction here. I'm no IPTables guru either.

Thank you,
-S

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: OPENVPEN and an openvz container

Post by Bebop » Fri Mar 04, 2011 12:35 am

I can help you with this.

First read: topic7722.html

It's a guide I specifically created for circumstances such as yours. In the guide, the 2nd batch of code is specific to OpenVZ.

To break it down for you though, these lines are essential:

#Accept connections on 1194 for vpn access from clients
#Take note that the rule says "UDP", and ensure that your OpenVPN server.conf says UDP too
#
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
  
#
#Apply forwarding for OpenVPN Tunneling
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT     #10.8.0.0 ? Check your OpenVPN server.conf to be sure
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 100.200.255.256   #Use your OpenVPN server's real external IP here

#
#Enable forwarding
# 
echo 1 > /proc/sys/net/ipv4/ip_forward

Your code says

SNAT --to

whilst mine says

SNAT --to-source

Whether or not that is a fatal difference, I don't know, but I do recommend you change yours to --to-source, at least until you get it all working as you please.

Also in your code you have completely omitted

-o venet0

I would suggest you also add it to yours (unless you don't have a venet0 interface, but I would bet that you do).
The cure for boredom is curiosity
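An added example, not Bebop's script and not anything from the OpenVPN project: a POSIX sh helper that builds the rule set above from three parameters (VPN subnet, outbound interface, external address; all of them placeholders you set for your own container) and validates the address first, so a slip such as an octet of 256 is rejected before iptables ever sees it. It prints the commands instead of running them, and it adds "-s" to the SNAT rule so that only tunnel traffic is rewritten, which is tighter than the version in the thread. The forwarding check reads the same /proc file the thread echoes into; in an OpenVZ container that file is only writable if the host allows it.

```sh
#!/bin/sh
# Added example, not from the thread: generate and sanity-check the OpenVPN
# NAT rules for an OpenVZ container. Nothing here runs iptables; review the
# printed commands, then pipe them to sh as root.
# The subnet, interface and address are placeholders you must set yourself.

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address,
# i.e. exactly four decimal octets, each in the range 0-255.
valid_ipv4() {
    _ip=$1
    case "$_ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$_ip" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1   # rejects e.g. 100.200.255.256
    done
    return 0
}

# Print the rule set, one iptables command per line.
#   $1 VPN subnet (the "server" line in server.conf), e.g. 10.9.0.0/24
#   $2 interface carrying the container's public traffic, venet0 on OpenVZ
#   $3 the container's real external IPv4 address
# The SNAT rule is limited to the VPN subnet with -s so that only tunnel
# traffic is rewritten; FORWARD allows replies and tunnel traffic and
# rejects everything else.
nat_rules() {
    _net=$1; _if=$2; _ext=$3
    if ! valid_ipv4 "$_ext"; then
        echo "nat_rules: '$_ext' is not a valid IPv4 address" >&2
        return 1
    fi
    cat <<EOF
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $_net -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s $_net -o $_if -j SNAT --to-source $_ext
EOF
}

# Return 0 when IPv4 forwarding is on. Inside an OpenVZ container this
# file is only writable if the host allows it; if it still reads 0 after
# "echo 1 > /proc/sys/net/ipv4/ip_forward", the provider has to enable
# forwarding from the host side.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Stand-alone use: sh nat-rules.sh 10.9.0.0/24 venet0 <external IP>
if [ "$#" -eq 3 ]; then
    nat_rules "$1" "$2" "$3"
    forwarding_enabled || echo "warning: ip_forward is not 1" >&2
fi
```

Run it with the three values, read the printed rules, and only then feed them to a root shell; if `forwarding_enabled` keeps failing after the echo, the problem is on the host side and no iptables rule will fix it.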

schnibitz
OpenVpn Newbie
Posts: 12
Joined: Sun Feb 27, 2011 3:18 pm

Re: OPENVPEN and an openvz container

Post by schnibitz » Fri Mar 04, 2011 2:25 am

Bebop, that tutorial was excellent. I just wish it resolved the problem. I turned the code into a shell script, and executed it. Below is what shows with iptables -L

___________________________________

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:openvpn

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.9.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
___________________________________

From my openvpn client
___________________________________
Thu Mar 03 18:14:48 2011 OpenVPN 2.2-beta5 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 30 2010
Thu Mar 03 18:14:56 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Mar 03 18:14:56 2011 LZO compression initialized
Thu Mar 03 18:14:56 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Mar 03 18:14:56 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Mar 03 18:14:56 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Mar 03 18:14:56 2011 Local Options hash (VER=V4): '41690919'
Thu Mar 03 18:14:56 2011 Expected Remote Options hash (VER=V4): '530fdded'
Thu Mar 03 18:14:56 2011 UDPv4 link local: [undef]
Thu Mar 03 18:14:56 2011 UDPv4 link remote: {vps ip address}:1194
Thu Mar 03 18:14:56 2011 TLS: Initial packet from {vps ip address}:1194, sid=6a82dccb 0fea6eda
Thu Mar 03 18:14:57 2011 VERIFY OK: depth=1, /C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/emailAddress=me@myhost.mydomain
Thu Mar 03 18:14:57 2011 VERIFY OK: nsCertType=SERVER
Thu Mar 03 18:14:57 2011 VERIFY OK: depth=0, /C=KG/ST=NA/O=OpenVPN-TEST/CN=Test-Server/emailAddress=me@myhost.mydomain
Thu Mar 03 18:14:57 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 03 18:14:57 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 03 18:14:57 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Mar 03 18:14:57 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Mar 03 18:14:57 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Mar 03 18:14:57 2011 [Test-Server] Peer Connection Initiated with {vps ip address}:1194
Thu Mar 03 18:15:00 2011 SENT CONTROL [Test-Server]: 'PUSH_REQUEST' (status=1)
Thu Mar 03 18:15:00 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway local def1 bypass-dhcp,route 10.9.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.9.0.6 10.9.0.5'
Thu Mar 03 18:15:00 2011 OPTIONS IMPORT: timers and/or timeouts modified
Thu Mar 03 18:15:00 2011 OPTIONS IMPORT: --ifconfig/up options modified
Thu Mar 03 18:15:00 2011 OPTIONS IMPORT: route options modified
Thu Mar 03 18:15:00 2011 ROUTE default_gateway=192.168.0.1
Thu Mar 03 18:15:00 2011 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{7A91B7B4-7D17-45A4-934F-8AEC114E39E4}.tap
Thu Mar 03 18:15:00 2011 TAP-Win32 Driver Version 9.7
Thu Mar 03 18:15:00 2011 TAP-Win32 MTU=1500
Thu Mar 03 18:15:00 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.9.0.6/255.255.255.252 on interface {7A91B7B4-7D17-45A4-934F-8AEC114E39E4} [DHCP-serv: 10.9.0.5, lease-time: 31536000]
Thu Mar 03 18:15:00 2011 Successful ARP Flush on interface [19] {7A91B7B4-7D17-45A4-934F-8AEC114E39E4}
Thu Mar 03 18:15:06 2011 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Thu Mar 03 18:15:06 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.9.0.5
Thu Mar 03 18:15:06 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 03 18:15:06 2011 Route addition via IPAPI succeeded [adaptive]
Thu Mar 03 18:15:06 2011 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.9.0.5
Thu Mar 03 18:15:06 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 03 18:15:06 2011 Route addition via IPAPI succeeded [adaptive]
Thu Mar 03 18:15:06 2011 C:\WINDOWS\system32\route.exe ADD 10.9.0.1 MASK 255.255.255.255 10.9.0.5
Thu Mar 03 18:15:06 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Thu Mar 03 18:15:06 2011 Route addition via IPAPI succeeded [adaptive]
Thu Mar 03 18:15:06 2011 Initialization Sequence Completed
____________________________________

So to me it looks like openvpn is behaving both on the server end, and on the client end. Any further ideas you can contribute I'd very much appreciate.

-S

schnibitz
OpenVpn Newbie
Posts: 12
Joined: Sun Feb 27, 2011 3:18 pm

Re: OPENVPEN and an openvz container

Post by schnibitz » Fri Mar 04, 2011 2:41 am

BTW, to be clear, the way I'm testing whether it works is I pinged a popular website, and made note of its IP, then tried to open the IP in a web browser. This is with a machine that is not VPN'd into anything, to make sure it opens the site. Then I copied that IP into the web browser of the machine that is VPN'd in so that the address field of the browser looks like this: http://{ipaddress}, and tried opening while connected. No-go. Also, pings to live IPs (that respond when not connected to the VPN) do not respond.

-S

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: OPENVPEN and an openvz container

Post by Bebop » Fri Mar 04, 2011 4:20 am

More help on its way.
schnibitz wrote: I pinged a popular website, and made note of its IP, then tried to open the IP in a web browser. This is with a machine that is not VPN'd into anything, to make sure it opens the site. Then I copied that IP into the web browser of the machine that is VPN'd in so that the address field of the browser looks like this: http://{ipaddress}, and tried opening while connected

Just to be clear: Do you want a NAT'd tunnel that you can use for things such as web-browsing, email, everything else -- through the VPN? (so the client Internet is routed through VPN).

If yes, that's what I've been trying to help you achieve, based on your 1st post. Do let me know if I am trying to help you achieve the wrong goal.

Your testing method might not be reliable (although if you put an IP address in the browser and nothing loads, then you're right -- the VPN is not working properly). Visit: http://87.230.55.47 or http://www.whatismyip.org

and see if your VPN server IP is displayed on screen. If yes, everything is working.

Your log looks fine to me. Next step would be to post server.conf

Also, did you make the suggested changes by adding "--to-source" and "-o venet0"?

schnibitz
OpenVpn Newbie
Posts: 12
Joined: Sun Feb 27, 2011 3:18 pm

Re: OPENVPEN and an openvz container

Post by schnibitz » Fri Mar 04, 2011 5:11 am

Your original take was correct. I want a NATed tunnel that will allow me to access the internet using the VPN. The reason I mentioned my testing procedure was because I think I kept saying "it isn't working" or something to that effect which was vague. I tend to be vague sometimes (-:

Browser loading of "http://87.230.55.47" when connected to the VPN is not working BTW.

Oh, I also made sure that the "--to-source" and "-o venet0" items were in the script I executed. I basically copied it verbatim as you posted, then modified things like the subnet and the external IP. That kind of thing.

Here comes the server.conf:
-------------------------------------------------
local {VPS ip address}
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
keepalive 10 120
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
verb 3
--script-security 2
auth-user-pass-verify ./auth-pam.pl via-file
client-cert-not-required
username-as-common-name
-----------------------------------------

Two points of note:
1. The certs I'm using are sample certs that come with the install. I don't intend to use them in production, but just to test for now. I have a virtual machine at home that I did this with, and it worked.
2. I have it ask for my username and password. I set up an account on the VPS for this. That seems to be working fine.

Thank you again for your continued help.

-S

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: OPENVPEN and an openvz container

Post by Bebop » Fri Mar 04, 2011 5:24 am

I have to be elsewhere now, so I do hope a VPN expert will be here to assist you.

I can only say that you have done everything as I would have done myself. My working setup seems to be exactly as you have described yours to be.

Were there any errors when you ran the iptables script?

It still seems to me that it's a forwarding problem.

I can only suggest delving into the log files. Also set up a tcpdump:

tcpdump -i tun0 -X

to see if you can turn up any interesting clues.

Best of luck! (you will get it)

schnibitz
OpenVpn Newbie
Posts: 12
Joined: Sun Feb 27, 2011 3:18 pm

Re: OPENVPEN and an openvz container

Post by schnibitz » Fri Mar 04, 2011 5:46 am

I understand, God bless you for your help!

-S

schnibitz
OpenVpn Newbie
Posts: 12
Joined: Sun Feb 27, 2011 3:18 pm

Re: OPENVPEN and an openvz container

Post by schnibitz » Fri Mar 04, 2011 5:55 am

Update. I restarted openvpn, and it's now working. I'm very thankful for all of your help.

-S
