I need help with my OpenVPN setup. I am running the latest ArchLinux on a Pogoplug E02. The issue I have is that it used to work, but then I installed sshguard and I noticed I need iptables running in order for sshguard to work. I brought up iptables, but since then I am not able to receive any data anymore on the client. The connection comes up fine, and also I see DNS requests in the server logs (I am running dnsmasq as well on the pogo), but there is no data flowing back to the client. Since this started with me bringing up iptables, I think it must be a firewall issue, but I have not been able to get it working again, no matter what I tried.
Here is my setup:
- Pogo plug at 192.168.1.201
- Router at 192.168.1.1
- Router forwards dns requests to dnsmasq on 192.168.1.201
local 192.168.1.201 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
proto udp #Some people prefer to use tcp. Don't change it if you don't know.
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/pogo.crt # SWAP WITH YOUR CRT NAME
key /etc/openvpn/easy-rsa/keys/pogo.key # SWAP WITH YOUR KEY NAME
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # If you changed to 2048, change that here!
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 192.168.1.0 255.255.255.0" # SWAP THE IP NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 192.168.1.1" # This should already match your router address and not need to be changed.
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
client
dev tun
proto udp
remote xxxx.ddns.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
[root@pogo ~]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Apr 30 10:22:23 2015
*nat
:PREROUTING ACCEPT [4166:473901]
:INPUT ACCEPT [2175:372944]
:OUTPUT ACCEPT [7266:783526]
:POSTROUTING ACCEPT [7266:783526]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.201
COMMIT
# Completed on Thu Apr 30 10:22:23 2015
# Generated by iptables-save v1.4.21 on Thu Apr 30 10:22:23 2015
*filter
:INPUT ACCEPT [27327:5962852]
:FORWARD ACCEPT [167:10344]
:OUTPUT ACCEPT [23017:2696399]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
COMMIT
# Completed on Thu Apr 30 10:22:23 2015
Try to start OpenVPN connection xxxx
Thu Apr 30 08:01:38 2015 OpenVPN 2.3.3 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Apr 9 2014
Thu Apr 30 08:01:38 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Apr 30 08:01:38 2015 Control Channel Authentication: tls-auth using INLINE static key file
Thu Apr 30 08:01:38 2015 UDPv4 link local: [undef]
Thu Apr 30 08:01:38 2015 UDPv4 link remote: [AF_INET]192.168.1.201:1194
Thu Apr 30 08:01:39 2015 [pogo] Peer Connection Initiated with [AF_INET]192.168.1.201:1194
Thu Apr 30 08:01:41 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Apr 30 08:01:41 2015 open_tun, tt->ipv6=0
Thu Apr 30 08:01:41 2015 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{3A73971A-6390-449F-B275-BF7374A030EB}.tap
Thu Apr 30 08:01:41 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {3A73971A-6390-449F-B275-BF7374A030EB} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Thu Apr 30 08:01:41 2015 Successful ARP Flush on interface [28] {3A73971A-6390-449F-B275-BF7374A030EB}
Thu Apr 30 08:01:46 2015 ROUTE: route addition failed using CreateIpForwardEntry: The object already exists. [status=5010 if_index=28]
Thu Apr 30 08:01:46 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Thu Apr 30 08:01:46 2015 Initialization Sequence Completed
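As an added example (not the poster's code and not part of OpenVPN), here is a small Python audit that parses iptables-save output like the dump above and checks the three things a routed (dev tun) OpenVPN server's ruleset has to provide: source NAT for the 10.8.0.0/24 client subnet on the way out, a FORWARD verdict that lets traffic from the tunnel interface reach the LAN interface, and an INPUT verdict that lets UDP 1194 in. It also flags a FORWARD chain whose only content is an ACCEPT policy, since that routes any traffic the host sees, not just the VPN's; a constructed default-deny ruleset is included for comparison. Assumptions: the tunnel interface is called tun0 (the config only says `dev tun`), the LAN interface is eth0 as in the dump, and first-match evaluation is modelled only for the match keys the audit cares about. One thing a dump cannot show is net.ipv4.ip_forward, which is a sysctl, not a rule, and has to be checked separately.

```python
"""Audit an iptables-save dump for the rules a routed OpenVPN server needs.
Added example; the posted dump is reused as sample input, tun0 is assumed."""
import shlex

# Constructed sample: the iptables-save output from the post (comments dropped).
POSTED_DUMP = """\
*nat
:PREROUTING ACCEPT [4166:473901]
:INPUT ACCEPT [2175:372944]
:OUTPUT ACCEPT [7266:783526]
:POSTROUTING ACCEPT [7266:783526]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.201
COMMIT
*filter
:INPUT ACCEPT [27327:5962852]
:FORWARD ACCEPT [167:10344]
:OUTPUT ACCEPT [23017:2696399]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
COMMIT
"""

# Constructed alternative: default-deny INPUT/FORWARD that admits only the
# VPN port, tunnel-to-LAN traffic and the return packets of existing flows.
HARDENED_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def _rule_args(tokens):
    """Flatten '-s 10.8.0.0/24 -o eth0 -j SNAT --to-source X' into a dict.
    Flags without a value map to True; '!' negation is not modelled."""
    args, i = {}, 0
    while i < len(tokens):
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            args[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            args[tokens[i]] = True
            i += 1
    return args


def parse_iptables_save(dump):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, args)]}}."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                        # table header, e.g. *filter
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):                      # chain + policy ("-" for user chains)
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line.startswith("-A "):                    # appended rule
            tokens = shlex.split(line)
            tables[table]["rules"].append((tokens[1], _rule_args(tokens[2:])))
        elif line == "COMMIT":
            table = None
    return tables


def _first_verdict(rules, policy, **match):
    """First-match verdict for the first packet of a new flow: a terminating rule
    decides if each wanted match key is absent or equal; otherwise the policy does.
    Jumps to user chains and conntrack-state rules are skipped (not modelled)."""
    for args in rules:
        if args.get("-j") not in ("ACCEPT", "DROP", "REJECT"):
            continue
        if "--ctstate" in args or "--state" in args:
            continue
        if all(args.get(k) in (None, v) for k, v in match.items()):
            return args["-j"]
    return policy


def audit(dump, vpn_subnet="10.8.0.0/24", vpn_if="tun0", wan_if="eth0", vpn_port="1194"):
    """Check NAT, FORWARD and INPUT for a routed OpenVPN server; ip_forward is out of scope."""
    empty = {"policies": {}, "rules": []}
    tables = parse_iptables_save(dump)
    nat, filt = tables.get("nat", empty), tables.get("filter", empty)

    nat_ok = any(chain == "POSTROUTING" and a.get("-s") == vpn_subnet
                 and a.get("-o") in (None, wan_if) and a.get("-j") in ("SNAT", "MASQUERADE")
                 for chain, a in nat["rules"])
    fwd_rules = [a for c, a in filt["rules"] if c == "FORWARD"]
    fwd = _first_verdict(fwd_rules, filt["policies"].get("FORWARD", "ACCEPT"),
                         **{"-i": vpn_if, "-o": wan_if})
    in_rules = [a for c, a in filt["rules"] if c == "INPUT"]
    inp = _first_verdict(in_rules, filt["policies"].get("INPUT", "ACCEPT"),
                         **{"-p": "udp", "--dport": vpn_port})
    return {
        "nat_ok": nat_ok,
        "forward_ok": fwd == "ACCEPT",
        # ACCEPT policy with no FORWARD rules routes everything, not only the VPN
        "forward_unrestricted": filt["policies"].get("FORWARD") == "ACCEPT" and not fwd_rules,
        "vpn_port_reachable": inp == "ACCEPT",
    }


if __name__ == "__main__":
    for name, dump in (("posted", POSTED_DUMP), ("hardened", HARDENED_DUMP)):
        print(name, audit(dump))
```

On the posted dump every check passes, with forward_unrestricted reported as true; on the hardened set the same three checks pass with the FORWARD chain restricted to tunnel traffic. A failing forward_ok on a real host points at the filter table, while passing checks with no traffic leave the sysctl and the client routes as the remaining places to look.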