Socksproxy wiped out by redirect-gateway def1

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

MortalSYNs
OpenVpn Newbie
Posts: 7
Joined: Fri Apr 30, 2021 3:02 pm

Socksproxy wiped out by redirect-gateway def1

Post by MortalSYNs » Fri Apr 30, 2021 3:20 pm

Hello,

As a fun exercise, I am trying to run OpenVPN as a TOR hidden service on my Raspberry Pi 3B+.

I am able to host and access a .onion website, access SSH over TOR and essentially every other service. I also successfully installed and configured OpenVPN to accept TCP clients. I am able to connect over the clearnet from my laptop through its internal LTE modem to the RPI on my home's broadband, and confirm that my public IP on my laptop is my broadband provider's and not my wireless provider's.

The problem happens when I attempt to connect via SOCKS5/TOR. The connection sequence completes, but as soon as the routing tables are populated, no packets can reach the VPN. I suspect the SOCKS connection is getting sucked into VPN. I think there's a related problem/solution in this blog post:

https://kiljan.org/2017/11/15/routing-t ... cks-proxy/

However, his solution is not for VPN over TOR. If I were to use his script, it would populate $remote_1 with the onion address I am using. Can anyone point me to what variable I should use instead? Or rather, what I should modify? I am sorry if this is a NOOB question, still learning networking.

client.ovpn

client
dev tun
proto tcp

remote <onionhashaddressredacted>.onion 1194 tcp-client
socks-proxy 127.0.0.1 9050

resolv-retry infinite
nobind
key-direction 1
remote-cert-tls server
tls-version-min 1.2
verify-x509-name <nameredacted> name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
script-security 2

up redirectgateway-def1-socks.sh # Redirect other traffic
down redirectgateway-def1-socks.sh # through the VPN


TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Socksproxy wiped out by redirect-gateway def1

Post by TinCanTech » Fri Apr 30, 2021 4:14 pm

Is it your server you are using ?

MortalSYNs
OpenVpn Newbie
Posts: 7
Joined: Fri Apr 30, 2021 3:02 pm

Re: Socksproxy wiped out by redirect-gateway def1

Post by MortalSYNs » Fri Apr 30, 2021 7:07 pm

Yes, I am using my own server.

So I made *some* progress by turning off the routing tables modifications pushed by the server. I can now ping the tunnel (tun0) at 10.8.0.1.

After adding this manually to the routing table:
0.0.0.0/1 via 10.8.0.1 dev tun0

Doesn't this route all traffic to the tunnel, unless some other rule catches it?

Now, I go to ipchicken, whatismyip, etc and it shows my VPN's assigned public IP. Great, but when I check gmail, it occasionally picks up my laptop's wireless carrier's assigned public IP. Also, pings to google.com seem to be bypassing the tunnel altogether. Some traffic is obviously not going through the tunnel.

I then added this manually to the routing table:
128.0.0.0/1 via 10.8.0.1 dev tun0

and I can no longer ping the server, nor can I access the internet.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Socksproxy wiped out by redirect-gateway def1

Post by TinCanTech » Fri Apr 30, 2021 7:50 pm

You need to remove push "redirect-gateway def1" from your server config.

MortalSYNs
OpenVpn Newbie
Posts: 7
Joined: Fri Apr 30, 2021 3:02 pm

Re: Socksproxy wiped out by redirect-gateway def1

Post by MortalSYNs » Fri Apr 30, 2021 7:53 pm

Yes, that's what I've done.

What remains is to set up the routing table manually client-side. It looks like some traffic goes through my VPN tunnel, but some does not. What am I missing here?

root@wintermute:~# ip -s route get 142.250.72.238
142.250.72.238 via 192.168.10.1 dev wlo1 src 192.168.10.152 uid 0
cache users 5 age 2437sec
root@wintermute:~# ip -s route get 104.26.8.109
104.26.8.109 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 0
cache users 9 age 2472sec
root@wintermute:~# ip -s route get 172.67.73.20
172.67.73.20 via 192.168.10.1 dev wlo1 src 192.168.10.152 uid 0
cache users 3 age 2487sec


What routing rules do I need to add other than 0.0.0.0/1 via the tunnel?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Socksproxy wiped out by redirect-gateway def1

Post by TinCanTech » Fri Apr 30, 2021 8:27 pm

Read your tutorial, again ..

MortalSYNs
OpenVpn Newbie
Posts: 7
Joined: Fri Apr 30, 2021 3:02 pm

Re: Socksproxy wiped out by redirect-gateway def1

Post by MortalSYNs » Fri Apr 30, 2021 8:59 pm

I have read the blog post multiple times and I missed something. It's not a tutorial either, there *ARE* no tutorials on setting up VPN over TOR like this. Maybe I will write one if I can get a little help.

Thus far, I haven't gotten anything from you that I haven't already done myself. I said "I made *some* progress by turning off the routing tables modifications pushed by the server." Then you say "You need to remove push "redirect-gateway def1" from your server config.", which clearly I already said I did.

I need help getting to the next step. "Read your tutorial again", is that supposed to be genuinely helpful?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Socksproxy wiped out by redirect-gateway def1

Post by TinCanTech » Sat May 01, 2021 11:53 am

If you read the tutorial carefully, you will see there are a total of three routes you need to manually add.

However, obfuscation is less secure than encryption. You should try --tls-crypt and --tls-crypt-v2.

This script will help a lot:
https://github.com/TinCanTech/easy-tls

MortalSYNs
OpenVpn Newbie
Posts: 7
Joined: Fri Apr 30, 2021 3:02 pm

Re: Socksproxy wiped out by redirect-gateway def1

Post by MortalSYNs » Sat May 01, 2021 11:24 pm

Yes, I am routing over TOR using the socks proxy, not using an obfuscation Proxy. As far as I know, the packets are indeed encrypted, though I am primarily using TOR so the VPN does not have to know the client's IP.

I am making progress. It looks like by some miracle the TOR connection was able to get through despite the default route I first added (0.0.0.0/1 -> tun0). There's some rule in my existing routing table that still let some sites go over my wireless interface, along with some traffic correctly going over the VPN over TOR tunnel. Adding the 128.0.0.0/1 -> tun0 rule is what sucked it in, hence my connection going dead immediately afterwards. What I need to do is get the IP for the TOR guard node, then add a routing table entry for it that goes to my laptop's wireless interface. I will update this thread as soon as I find an automated way of getting the guard node's IP, possibly using the stem library.

I saw your GitHub, you're quite a contributor to the OpenVPN project. I will also write up a quick summary, as I have seen this question pop up in this forum multiple times without any real solution. My way of giving back.
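The routing problem discussed above (0.0.0.0/1 alone only covers 0-127.x, which is why 142.x and 172.x still left via wlo1, and 128.0.0.0/1 then captured the SOCKS connection to the Tor guard) can be planned and checked offline before touching a real table. The script below is an added example written for this thread, not code from the forum posts, the kiljan.org post or the OpenVPN project. It assumes: Tor's ControlPort on 127.0.0.1:9051 with cookie authentication and the `stem` package installed (only for `guard_ips_from_tor`); the tunnel gateway 10.8.0.1 on tun0 as in the thread; and that `ip route get <guard ip>` is run before the two /1 routes exist, so it still answers with the physical uplink. The guard address 203.0.113.7 used in the comments is a constructed TEST-NET value.

```python
"""Plan the client-side routes for OpenVPN over Tor and verify them with a
longest-prefix-match simulation (added example; see lead-in for assumptions)."""
import ipaddress
import re
import subprocess
from typing import List, Tuple

# First line of `ip route get X` looks like:
#   142.250.72.238 via 192.168.10.1 dev wlo1 src 192.168.10.152 uid 0
ROUTE_GET_RE = re.compile(r"^\S+ via (?P<via>\S+) dev (?P<dev>\S+)")


def parse_route_get(line: str) -> Tuple[str, str]:
    """Extract (gateway, interface) from the first line of `ip route get`.
    Raises for on-link destinations, which have no `via` part."""
    m = ROUTE_GET_RE.match(line.strip())
    if not m:
        raise ValueError(f"unexpected `ip route get` output: {line!r}")
    return m.group("via"), m.group("dev")


def plan_routes(guard_ips: List[str], phys_gw: str, phys_dev: str,
                tun_gw: str = "10.8.0.1", tun_dev: str = "tun0") -> List[str]:
    """Return the ordered `ip route` commands: pin each Tor guard to the
    physical uplink first, then add the two def1-style /1 routes.
    Order matters: the /32 host routes must exist before the /1 routes
    appear, or the SOCKS connection to the guard is captured by the tunnel."""
    cmds = [f"ip route replace {ip}/32 via {phys_gw} dev {phys_dev}"
            for ip in guard_ips]
    # Two /1 routes outrank the existing /0 default without deleting it.
    cmds.append(f"ip route replace 0.0.0.0/1 via {tun_gw} dev {tun_dev}")
    cmds.append(f"ip route replace 128.0.0.0/1 via {tun_gw} dev {tun_dev}")
    return cmds


def table_from_commands(cmds: List[str], phys_dev: str) -> List[Tuple[str, str]]:
    """Build a [(network, dev)] table from the planned commands, starting
    from the pre-existing default route on the physical interface."""
    table = [("0.0.0.0/0", phys_dev)]
    for c in cmds:
        parts = c.split()  # ip route replace NET via GW dev DEV
        table.append((parts[3], parts[parts.index("dev") + 1]))
    return table


def lookup(table: List[Tuple[str, str]], dst: str) -> str:
    """Longest-prefix match: the interface the kernel would pick for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net_str, dev in table:
        net = ipaddress.ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def guard_ips_from_tor(control_port: int = 9051) -> List[str]:
    """First hop of every built circuit, via stem (assumes ControlPort and
    CookieAuthentication are enabled in torrc)."""
    from stem.control import Controller  # lazy: not needed for planning
    ips = set()
    with Controller.from_port(port=control_port) as ctl:
        ctl.authenticate()
        for circ in ctl.get_circuits():
            if circ.status == "BUILT" and circ.path:
                fingerprint, _nickname = circ.path[0]
                ips.add(ctl.get_network_status(fingerprint).address)
    return sorted(ips)


def main() -> None:
    """Run as root after OpenVPN is up but before any /1 routes are added."""
    guards = guard_ips_from_tor()
    out = subprocess.run(["ip", "route", "get", guards[0]],
                         capture_output=True, text=True, check=True).stdout
    phys_gw, phys_dev = parse_route_get(out.splitlines()[0])
    for cmd in plan_routes(guards, phys_gw, phys_dev):
        print(cmd)
        subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    main()
```

Running `lookup` over `table_from_commands(cmds[:2], "wlo1")` (default route plus only 0.0.0.0/1) reproduces the thread's `ip route get` output exactly: 104.26.8.109 goes to tun0 while 142.250.72.238 and 172.67.73.20 stay on wlo1. With the full plan, the guard's /32 is the only destination left on wlo1. To undo, delete the same three prefixes in reverse order from a `down` script.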

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Socksproxy wiped out by redirect-gateway def1

Post by TinCanTech » Sat May 01, 2021 11:50 pm

Try running your Socks server on either another PC or a Virtual machine .. :ugeek:

MortalSYNs
OpenVpn Newbie
Posts: 7
Joined: Fri Apr 30, 2021 3:02 pm

Re: Socksproxy wiped out by redirect-gateway def1

Post by MortalSYNs » Sun May 02, 2021 12:36 am

That's a clever idea.

If I needed to be cheap as possible (I might instantiate quite a number of these), could I make some kind of virtual lan interface that TOR binds to, and this virtual interface just goes out over my wireless interface?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Socksproxy wiped out by redirect-gateway def1

Post by TinCanTech » Sun May 02, 2021 1:06 am

Play with the tools..

MortalSYNs
OpenVpn Newbie
Posts: 7
Joined: Fri Apr 30, 2021 3:02 pm

Re: Socksproxy wiped out by redirect-gateway def1

Post by MortalSYNs » Sun May 02, 2021 8:02 am

I will indeed. So my friend, I got it to work. It was absolutely the need for getting the guard node IP and establishing a route to my wireless interface. I used stem to do it, but the solution feels less than elegant. I will spend tomorrow trying various things, like making a virtual interface, running a VM, etc. Then, I'll come back here and let you know what I learn.

Thank you.
