Setting up VPN server on a Raspberry Pi

Posted: Tue Jun 11, 2019 5:10 pm
by lit999
I know there is a thread with the same topic, but I'm a different user. And yes, I read https://openvpn.net/community-resources ... /#redirect

I can connect to the OpenVPN server but I can't see my WLAN (my WLAN is 192.168.1.x) and I can't get on the internet.

This is my server.conf

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/xxxxxxxxxxxxxxxxxxxx.crt
key /etc/openvpn/easy-rsa/keys/xxxxxxxxxxxxxxxxxxxx.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
tls-server
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
server 192.168.2.0 255.255.255.0
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn
keepalive 10 120

# encryption
cipher AES-256-CBC
auth SHA512
key-direction 0

comp-lzo

max-clients 5

user nobody
group users

persist-key
persist-tun
# log
status /var/log/openvpn-status.log 300
log /var/log/openvpn.log
verb 2
mute 20


I also tried

push "redirect-gateway local def1"

and

push "redirect-gateway 192.168.2.1"

This is my client.ovpn

# Full Tunnel OpenVPN client configuration
client
dev tun
proto udp

resolv-retry infinite
key-direction 1
nobind
persist-key
persist-tun


remote xxxxxxxxxxxxxxxxxx.ddns.net 1194


cipher AES-256-CBC
auth SHA512


tls-client
tls-cipher DHE-RSA-AES256-SHA


comp-lzo

# gateway
redirect-gateway def1

# logging setup
mute-replay-warnings
verb 3
mute 20
This is my client log

Tue Jun 11 18:40:03 2019 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 27 2016
Tue Jun 11 18:40:03 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jun 11 18:40:03 2019 library versions: OpenSSL 1.0.2i  22 Sep 2016, LZO 2.09
Enter Management Password:
Tue Jun 11 18:40:03 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Tue Jun 11 18:40:03 2019 Need hold release from management interface, waiting...
Tue Jun 11 18:40:03 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Tue Jun 11 18:40:03 2019 MANAGEMENT: CMD 'state on'
Tue Jun 11 18:40:03 2019 MANAGEMENT: CMD 'log all on'
Tue Jun 11 18:40:03 2019 MANAGEMENT: CMD 'hold off'
Tue Jun 11 18:40:03 2019 MANAGEMENT: CMD 'hold release'
Tue Jun 11 18:40:03 2019 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Jun 11 18:40:04 2019 MANAGEMENT: CMD 'password [...]'
Tue Jun 11 18:40:04 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jun 11 18:40:04 2019 Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
Tue Jun 11 18:40:04 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Jun 11 18:40:04 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Jun 11 18:40:04 2019 MANAGEMENT: >STATE:1560271204,RESOLVE,,,,,,
Tue Jun 11 18:40:04 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Tue Jun 11 18:40:04 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Jun 11 18:40:04 2019 UDP link local: (not bound)
Tue Jun 11 18:40:04 2019 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Tue Jun 11 18:40:04 2019 MANAGEMENT: >STATE:1560271204,WAIT,,,,,,
Tue Jun 11 18:40:04 2019 MANAGEMENT: >STATE:1560271204,AUTH,,,,,,
Tue Jun 11 18:40:04 2019 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=fcee15fe 241ab26c
Tue Jun 11 18:40:04 2019 VERIFY OK: xxx
Tue Jun 11 18:40:04 2019 VERIFY OK: xxx
Tue Jun 11 18:40:05 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Jun 11 18:40:05 2019 [gattosilvestro] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
Tue Jun 11 18:40:06 2019 MANAGEMENT: >STATE:1560271206,GET_CONFIG,,,,,,
Tue Jun 11 18:40:06 2019 SENT CONTROL [gattosilvestro]: 'PUSH_REQUEST' (status=1)
Tue Jun 11 18:40:06 2019 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,dhcp-option DNS 8.8.8.8,route 192.168.2.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.2.6 192.168.2.5,peer-id 0,cipher AES-256-GCM'
Tue Jun 11 18:40:06 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jun 11 18:40:06 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jun 11 18:40:06 2019 OPTIONS IMPORT: route options modified
Tue Jun 11 18:40:06 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Jun 11 18:40:06 2019 OPTIONS IMPORT: peer-id set
Tue Jun 11 18:40:06 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
Tue Jun 11 18:40:06 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Jun 11 18:40:06 2019 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jun 11 18:40:06 2019 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jun 11 18:40:06 2019 interactive service msg_channel=828
Tue Jun 11 18:40:06 2019 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 I=8 HWADDR=a4:db:30:41:b7:3f
Tue Jun 11 18:40:06 2019 open_tun
Tue Jun 11 18:40:06 2019 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{45A5D323-3B26-4AB9-AD55-E9CC64567E81}.tap
Tue Jun 11 18:40:06 2019 TAP-Windows Driver Version 9.21 
Tue Jun 11 18:40:06 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.2.6/255.255.255.252 on interface {45A5D323-3B26-4AB9-AD55-E9CC64567E81} [DHCP-serv: 192.168.2.5, lease-time: 31536000]
Tue Jun 11 18:40:06 2019 Successful ARP Flush on interface [9] {45A5D323-3B26-4AB9-AD55-E9CC64567E81}
Tue Jun 11 18:40:06 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jun 11 18:40:06 2019 MANAGEMENT: >STATE:1560271206,ASSIGN_IP,,192.168.2.6,,,,
Tue Jun 11 18:40:11 2019 TEST ROUTES: 3/3 succeeded len=2 ret=1 a=0 u/d=up
Tue Jun 11 18:40:11 2019 C:\Windows\system32\route.exe ADD yyy.yyy.yyy.yyy MASK 255.255.255.255 192.168.43.1
Tue Jun 11 18:40:11 2019 Route addition via service succeeded
Tue Jun 11 18:40:11 2019 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 192.168.2.5
Tue Jun 11 18:40:11 2019 Route addition via service succeeded
Tue Jun 11 18:40:11 2019 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 192.168.2.5
Tue Jun 11 18:40:11 2019 Route addition via service succeeded
Tue Jun 11 18:40:11 2019 MANAGEMENT: >STATE:1560271211,ADD_ROUTES,,,,,,
Tue Jun 11 18:40:11 2019 C:\Windows\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 192.168.2.5
Tue Jun 11 18:40:11 2019 Route addition via service succeeded
Tue Jun 11 18:40:11 2019 C:\Windows\system32\route.exe ADD 192.168.2.1 MASK 255.255.255.255 192.168.2.5
Tue Jun 11 18:40:11 2019 Route addition via service succeeded
Tue Jun 11 18:40:11 2019 Initialization Sequence Completed
Tue Jun 11 18:40:11 2019 MANAGEMENT: >STATE:1560271211,CONNECTED,SUCCESS,192.168.2.6,yyy.yyy.yyy.yyy,1194,,
Tue Jun 11 18:41:25 2019 C:\Windows\system32\route.exe DELETE 192.168.1.0 MASK 255.255.255.0 192.168.2.5
Tue Jun 11 18:41:25 2019 Route deletion via service succeeded
Tue Jun 11 18:41:25 2019 C:\Windows\system32\route.exe DELETE 192.168.2.1 MASK 255.255.255.255 192.168.2.5
Tue Jun 11 18:41:25 2019 Route deletion via service succeeded
Tue Jun 11 18:41:25 2019 C:\Windows\system32\route.exe DELETE yyy.yyy.yyy.yyy MASK 255.255.255.255 192.168.43.1
Tue Jun 11 18:41:25 2019 Route deletion via service succeeded
Tue Jun 11 18:41:25 2019 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 192.168.2.5
Tue Jun 11 18:41:25 2019 Route deletion via service succeeded
Tue Jun 11 18:41:25 2019 C:\Windows\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 192.168.2.5
Tue Jun 11 18:41:25 2019 Route deletion via service succeeded
Tue Jun 11 18:41:25 2019 Closing TUN/TAP interface
Tue Jun 11 18:41:25 2019 SIGTERM[hard,] received, process exiting
Tue Jun 11 18:41:25 2019 MANAGEMENT: >STATE:1560271285,EXITING,SIGTERM,,,,,
This is my client ipconfig

Configurazione IP di Windows


Scheda Ethernet Ethernet:

   Stato supporto. . . . . . . . . . . . : Supporto disconnesso
   Suffisso DNS specifico per connessione: phy.a-tono.net

Scheda Ethernet Ethernet 2:

   Stato supporto. . . . . . . . . . . . : Supporto disconnesso
   Suffisso DNS specifico per connessione:

Scheda LAN wireless Connessione alla rete locale (LAN)* 3:

   Stato supporto. . . . . . . . . . . . : Supporto disconnesso
   Suffisso DNS specifico per connessione:

Scheda Ethernet Ethernet 3:

   Suffisso DNS specifico per connessione:
   Indirizzo IPv6 locale rispetto al collegamento . : fe80::f93d:d71b:6dd:6758%9
   Indirizzo IPv4. . . . . . . . . . . . : 192.168.2.6
   Subnet mask . . . . . . . . . . . . . : 255.255.255.252
   Gateway predefinito . . . . . . . . . :

Scheda LAN wireless Wi-Fi:

   Suffisso DNS specifico per connessione:
   Indirizzo IPv6 locale rispetto al collegamento . : fe80::306d:aa4c:ff4:ef9f%8
   Indirizzo IPv4. . . . . . . . . . . . : 192.168.43.34
   Subnet mask . . . . . . . . . . . . . : 255.255.255.0
   Gateway predefinito . . . . . . . . . : 192.168.43.1

Scheda LAN wireless Connessione alla rete locale (LAN)* 5:

   Suffisso DNS specifico per connessione:
   Indirizzo IPv6 locale rispetto al collegamento . : fe80::a566:fdea:d428:944c%10
   Indirizzo IPv4. . . . . . . . . . . . : 192.168.137.1
   Subnet mask . . . . . . . . . . . . . : 255.255.255.0
   Gateway predefinito . . . . . . . . . :

Scheda Ethernet Connessione di rete Bluetooth:

   Stato supporto. . . . . . . . . . . . : Supporto disconnesso
   Suffisso DNS specifico per connessione:
This is my server log

Tue Jun 11 18:38:20 2019 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 14 2018
Tue Jun 11 18:38:20 2019 library versions: OpenSSL 1.0.2r  26 Feb 2019, LZO 2.08
Tue Jun 11 18:38:21 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Jun 11 18:38:21 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Tue Jun 11 18:38:21 2019 TUN/TAP device tun0 opened
Tue Jun 11 18:38:21 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jun 11 18:38:21 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Jun 11 18:38:21 2019 /sbin/ip addr add dev tun0 local 192.168.2.1 peer 192.168.2.2
Tue Jun 11 18:38:21 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Jun 11 18:38:21 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Jun 11 18:38:21 2019 UDPv4 link remote: [AF_UNSPEC]
Tue Jun 11 18:38:21 2019 GID set to users
Tue Jun 11 18:38:21 2019 UID set to nobody
Tue Jun 11 18:38:21 2019 Initialization Sequence Completed
Tue Jun 11 18:38:45 2019 zzz.zzz.zzz.zzz:41863 VERIFY OK: depth=1, xxx
Tue Jun 11 18:38:45 2019 zzz.zzz.zzz.zzz:41863 VERIFY OK: depth=0, xxx
Tue Jun 11 18:38:45 2019 93.36.92.74:41863 peer info: IV_VER=2.4.0
Tue Jun 11 18:38:45 2019 93.36.92.74:41863 peer info: IV_PLAT=win
Tue Jun 11 18:38:45 2019 93.36.92.74:41863 peer info: IV_PROTO=2
Tue Jun 11 18:38:45 2019 93.36.92.74:41863 peer info: IV_NCP=2
Tue Jun 11 18:38:45 2019 93.36.92.74:41863 peer info: IV_LZ4=1
Tue Jun 11 18:38:45 2019 93.36.92.74:41863 peer info: IV_LZ4v2=1
Tue Jun 11 18:38:45 2019 93.36.92.74:41863 peer info: IV_LZO=1
Tue Jun 11 18:38:45 2019 93.36.92.74:41863 peer info: IV_COMP_STUB=1
Tue Jun 11 18:38:45 2019 93.36.92.74:41863 peer info: IV_COMP_STUBv2=1
Tue Jun 11 18:38:45 2019 93.36.92.74:41863 peer info: IV_TCPNL=1
Tue Jun 11 18:38:45 2019 93.36.92.74:41863 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Jun 11 18:38:45 2019 93.36.92.74:41863 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Jun 11 18:38:45 2019 93.36.92.74:41863 [myclient] Peer Connection Initiated with [AF_INET]zzz.zzz.zzz.zzz:41863
Tue Jun 11 18:38:45 2019 myclient/zzz.zzz.zzz.zzz:41863 MULTI_sva: pool returned IPv4=192.168.2.6, IPv6=(Not enabled)
Tue Jun 11 18:38:46 2019 myclient/zzz.zzz.zzz.zzz:41863 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jun 11 18:38:46 2019 myclient/zzz.zzz.zzz.zzz:41863 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jun 11 18:44:05 2019 myclient/zzz.zzz.zzz.zzz:41863 [myclient] Inactivity timeout (--ping-restart), restarting
This is my iptables on the server

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    
This is netstat -rn on the server

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enxb827eb7c590e
192.168.1.0     192.168.2.2     255.255.255.0   UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enxb827eb7c590e
192.168.2.0     192.168.2.2     255.255.255.0   UG        0 0          0 tun0
192.168.2.2     0.0.0.0         255.255.255.255 UH        0 0          0 tun0
On the server, "cat /proc/sys/net/ipv4/ip_forward" shows 1.

Re: Setting up VPN server on a Raspberry Pi

Posted: Fri Jun 14, 2019 5:39 pm
by lit999
Solved. I changed the topology to subnet, cleaned up the server.conf file (using a standard configuration is OK) and added the NAT configuration.

This is the hardest part, because you need to know what you are doing and why it's not working.

I did it using these steps:
- cleaned iptables, removing all rules (you have to use a long set of commands)

- created an executable file (755 permissions), which I called /etc/openvpn/nat.sh
This file executes only this command:
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE

where:
192.168.2.0/24 is my OpenVPN subnet (I think you are using something like 10.8.0.0)
eth0 is the name of the LAN interface of my OpenVPN server (use netstat -rn to discover the right name; on a Raspberry it's NOT eth0, so be careful)

So, how to test: connect to the OpenVPN server, launch that command on the server (use sudo) and check on the client whether you can access the internet and the server LAN. If you can, you're in!

Now the problem is: every time I reboot my Raspberry this rule is lost. I tried modifying /etc/default/openvpn but this doesn't work; maybe this file is not used on the Raspberry, I don't know...

So I added /etc/openvpn/nat.sh to rc.local before exit 0, and this did the job.

By the way, I didn't realize why the OpenVPN server can't NAT itself on its own. I think guides should be updated to explain why your VPN is useless without NATing and how you should create it.
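The NAT step above, as an added example that is not the poster's nat.sh: it reads the LAN-facing interface from the default route (so the hard-coded eth0 problem the post warns about goes away), adds the MASQUERADE rule only if it is not already present, and warns if ip_forward is off. The VPN subnet 192.168.2.0/24 and the routing-table sample are taken from the thread; the function names are my own.

```shell
#!/bin/sh
# Example NAT helper for an OpenVPN server (added here, not from the thread).
# Derives the LAN interface from the kernel routing table and installs an
# idempotent MASQUERADE rule for the VPN subnet, suitable for rc.local.

VPN_SUBNET="192.168.2.0/24"   # the "server" subnet from server.conf

# Constructed sample of "netstat -rn" output, shaped like the server table in the thread.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enxb827eb7c590e
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enxb827eb7c590e
192.168.2.0     192.168.2.2     255.255.255.0   UG        0 0          0 tun0'

# Print the interface that carries the default route (Destination 0.0.0.0)
# in a "netstat -rn" dump passed as $1; this is the LAN-facing interface.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $NF; exit }'
}

# Build the POSTROUTING rule for subnet $1 leaving via interface $2.
nat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# Apply the rule on the live system. "-C" checks whether the rule already
# exists, so re-running this (e.g. from rc.local) never stacks duplicates.
apply_nat() {
    iface=$(default_iface "$(netstat -rn)")
    if [ -z "$iface" ]; then
        echo "no default route found; is the LAN up?" >&2
        return 1
    fi
    iptables -t nat -C POSTROUTING -s "$VPN_SUBNET" -o "$iface" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$iface" -j MASQUERADE
    # Forwarding must also be enabled, or clients still cannot reach the LAN.
    if [ "$(cat /proc/sys/net/ipv4/ip_forward)" != "1" ]; then
        echo "warning: net.ipv4.ip_forward is 0; NAT alone will not work" >&2
    fi
}
```

Call `apply_nat` from rc.local (as root) in place of the fixed `eth0` rule; `default_iface "$SAMPLE_ROUTES"` shows which interface it would pick for the routing table above.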