Need help will Pay $25 to make OpenVpn routing work.

tscon
OpenVpn Newbie
Posts: 10
Joined: Tue Mar 01, 2011 10:51 pm

Need help will Pay $25 to make OpenVpn routing work.

Post by tscon » Tue Mar 01, 2011 11:05 pm

Hello..

I, along with the server provider's support team, cannot make OpenVPN work. Too many confusing configs/templates/scripts, all of them different.

I have OpenVZ Virtuozzo on CentOS 5.5, OpenVPN set up already.

OpenVPN working with TUN, support is on.

Can log in just fine, but cannot ping/browse; no traffic passes through whatsoever.

Been playing with those "push" lines

push "route 10.66.0.0 255.255.255.0"
push "route 127.0.0.0 255.0.0.0"
push "route 192.168.1.0 255.255.255.0"

for a few days now. Time is money; I cannot spend any more time on this.

In Windows, setting up a PPTP VPN on a server takes about 30 seconds.

I feel there is about 5 min of work for those who have experience with all those 10000 lines of code for a simple thing. Only need to look at routing.

Can anybody help? I'll pay $25 via PayPal.

I need 2 client computers from the same network to browse through that VPN server, that's all.

Please PM me. Thank you for your time.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Need help will Pay $25 to make OpenVpn routing work.

Post by Bebop » Tue Mar 01, 2011 11:48 pm

You only need to understand 4 things:
  • Server.conf
  • Client.conf
  • IPTABLES
  • Certificate generation
The following guide will assume 2 things:
[1] Your VPN server subnet is 10.8.0.0
[2] Your VPN server external IP is 333.333.333.333

Since 333.333.333.333 cannot exist, you must replace 333.333.333.333 with your real VPN external IP in the code below.

Server.conf

port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0

push "redirect-gateway def1"  

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

keepalive 10 120
comp-lzo
persist-key
persist-tun
status ./openvpn-status.log
log ./openvpn.log
verb 3

Client.conf

client
dev tun
proto udp
remote 333.333.333.333 #  <-- replace 333 with the *public* IP of VPN server
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client.crt
key client.key
ns-cert-type server

comp-lzo
verb 3
ping 10
ping-restart 60

firewall_setup_script.sh

You must make a new file called firewall_setup_script.sh (name it any name you like), chmod 755 it, and execute it from the command line. This is the contents of the file:

#!/bin/sh
# Accept responses to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Respond to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept traceroutes
iptables -A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT

# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow all TUN
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

# Accept connections on 1194
iptables -A INPUT -p udp --dport 1194 -j ACCEPT

# Apply forwarding
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 333.333.333.333 # <-- replace 333 with the *public* IP of VPN server

# Did you notice that we don't use the *masquerade* option?
# That's because you stated that you use OpenVZ, and
# OpenVZ doesn't use the masquerade option. Instead we just use
# pure SNAT.

# Display
iptables -L -v

The IPTABLES rules above are not optional. They are essential, because these IPTABLES rules enable you to browse the internet through the VPN from your clients.

Certificate generation:

Do you know how to generate authentication certificates? You need these 4 files
  • ca ca.crt
  • cert server.crt
  • key server.key
  • dh dh1024.pem

After all of these changes:

service openvpn restart

and then connect your client. Web-browsing via the VPN will be enabled.
The cure for boredom is curiosity

tscon
OpenVpn Newbie
Posts: 10
Joined: Tue Mar 01, 2011 10:51 pm

Re: Need help will Pay $25 to make OpenVpn routing work.

Post by tscon » Wed Mar 02, 2011 12:14 am

Thank you for the reply. Here are a few things:

1) My Virtuozzo doesn't have an eth0 interface; instead it has venet0:0.
Server ifconfig
===========================================================
[root@VZ-3110 ~]# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1281 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:82968 (81.0 KiB) TX bytes:1038 (1.0 KiB)

venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:5943 errors:0 dropped:0 overruns:0 frame:0
TX packets:4889 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:694527 (678.2 KiB) TX bytes:667627 (651.9 KiB)

venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:205.20*.16*.*1 P-t-P:205.20*.16*.*1 Bcast:205.20*.16*.*1 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
=======================================================================

2) Everything is fine with the client/server certificates, as the connection is made smoothly without any errors.

Here is the last VPN connection log file
========================================================================
Tue Mar 01 17:24:55 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 8 2010
Tue Mar 01 17:24:55 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 01 17:24:55 2011 LZO compression initialized
Tue Mar 01 17:24:55 2011 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 01 17:24:55 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Mar 01 17:24:55 2011 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 01 17:24:55 2011 Local Options hash (VER=V4): '66096c33'
Tue Mar 01 17:24:55 2011 Expected Remote Options hash (VER=V4): '691e95c7'
Tue Mar 01 17:24:55 2011 UDPv4 link local: [undef]
Tue Mar 01 17:24:55 2011 UDPv4 link remote: vpn_server_IP:1194
Tue Mar 01 17:24:55 2011 TLS: Initial packet from vpn_server_IP:1194, sid=c8746880 4f56a6f0
Tue Mar 01 17:24:55 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=SanJose/O=DCS/CN=DCS_CA/emailAddress=support@server.com
Tue Mar 01 17:24:55 2011 Validating certificate key usage
Tue Mar 01 17:24:55 2011 ++ Certificate has key usage 00a0, expects 00a0
Tue Mar 01 17:24:55 2011 VERIFY KU OK
Tue Mar 01 17:24:55 2011 Validating certificate extended key usage
Tue Mar 01 17:24:55 2011 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Mar 01 17:24:55 2011 VERIFY EKU OK
Tue Mar 01 17:24:55 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=SanJose/O=DCS/CN=server/emailAddress=support@server.com
Tue Mar 01 17:24:56 2011 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Mar 01 17:24:56 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 01 17:24:56 2011 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Tue Mar 01 17:24:56 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Mar 01 17:24:56 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Mar 01 17:24:56 2011 [server] Peer Connection Initiated with vpn_server_IP:1194
Tue Mar 01 17:24:59 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Mar 01 17:24:59 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Mar 01 17:24:59 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue Mar 01 17:24:59 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue Mar 01 17:24:59 2011 OPTIONS IMPORT: route options modified
Tue Mar 01 17:24:59 2011 ROUTE default_gateway=192.168.1.1
Tue Mar 01 17:24:59 2011 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{33029ADD-46AC-4F3A-B775-C9238B12FD9B}.tap
Tue Mar 01 17:24:59 2011 TAP-Win32 Driver Version 9.7
Tue Mar 01 17:24:59 2011 TAP-Win32 MTU=1500
Tue Mar 01 17:24:59 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {33029ADD-46AC-4F3A-B775-C9238B12FD9B} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Tue Mar 01 17:24:59 2011 Successful ARP Flush on interface [1900549] {33029ADD-46AC-4F3A-B775-C9238B12FD9B}
Tue Mar 01 17:25:04 2011 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Tue Mar 01 17:25:04 2011 C:\WINDOWS\system32\route.exe ADD vpn_server_IP MASK 255.255.255.255 192.168.1.1
Tue Mar 01 17:25:04 2011 Route addition via IPAPI succeeded [adaptive]
Tue Mar 01 17:25:04 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Mar 01 17:25:04 2011 Route addition via IPAPI succeeded [adaptive]
Tue Mar 01 17:25:04 2011 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Tue Mar 01 17:25:04 2011 Route addition via IPAPI succeeded [adaptive]
Tue Mar 01 17:25:04 2011 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Tue Mar 01 17:25:04 2011 Route addition via IPAPI succeeded [adaptive]
Tue Mar 01 17:25:04 2011 Initialization Sequence Completed
========================================================================

And by the way, the server doesn't have a firewall on, and the local Windows network is behind a Verizon FiOS router. Never made any changes, and I'm using Windows PPTP VPN currently without any problems.

Can you please look over those logs/settings and see if there is something unusual?

Thank you.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Need help will Pay $25 to make OpenVpn routing work.

Post by Bebop » Wed Mar 02, 2011 12:24 am

tscon wrote: doesn't have eth0 interface

The corrected code is:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 333.333.333.333  # change 333 to your server external IP

Can you also go to the command line on the server and type:

iptables -L

and then paste the output here.

iptables has to be running if you want to forward VPN traffic to/from internet.

tscon
OpenVpn Newbie
Posts: 10
Joined: Tue Mar 01, 2011 10:51 pm

Re: Need help will Pay $25 to make OpenVpn routing work.

Post by tscon » Wed Mar 02, 2011 12:29 am

Bebop wrote:
tscon wrote: doesn't have eth0 interface

The corrected code is:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 333.333.333.333  # change 333 to your server external IP

Thanks a lot, will report back when finished, probably tomorrow...

Best Regards,

Alex.

P.S:

Sorry, forgot, here is IPTABLES -L

===========================================
[root@VZ-3110 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
============================================

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Need help will Pay $25 to make OpenVpn routing work.

Post by Bebop » Wed Mar 02, 2011 12:43 am

tscon wrote: ===========================================
[root@VZ-3110 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
============================================
As long as your IPTABLES is empty like that, then your goal of traffic forwarding will not be met.

Did you execute firewall_setup_script.sh?

Best of luck.

tscon
OpenVpn Newbie
Posts: 10
Joined: Tue Mar 01, 2011 10:51 pm

Re: Need help will Pay $25 to make OpenVpn routing work.

Post by tscon » Wed Mar 02, 2011 12:49 am

Bebop wrote:
As long as your IPTABLES is empty like that, then your goal of traffic forwarding will not be met.

Did you execute firewall_setup_script.sh?

Best of luck.

Thanks, yes, just did; got an error on the NAT table part, here:

====================================================
[root@VZ-3110 ~]# sh firewall.sh
iptables: Unknown error 4294967295
iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Chain INPUT (policy ACCEPT 6197 packets, 721K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ACCEPT udp -- any any anywhere anywhere udp dpts:traceroute:33523
0 0 ACCEPT all -- tun+ any anywhere anywhere
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn

Chain FORWARD (policy ACCEPT 1269 packets, 82098 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any tun+ anywhere anywhere
0 0 ACCEPT all -- any any 10.8.0.0/24 anywhere
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 5152 packets, 719K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any tun+ anywhere anywhere
====================================================================

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Need help will Pay $25 to make OpenVpn routing work.

Post by Bebop » Wed Mar 02, 2011 1:00 am

tscon wrote: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Not a good error.

Your openVZ VPS might not be equipped for a proper forwarding VPN installation. Can you confirm with your provider?

There's a thread here: http://www.howtoforge.com/forums/showthread.php?t=3196 in which people are experiencing the same error.

Does your VPS have automatic OS reloads?

If so, you might want to see if there is a newer Centos, or alternatively, install Debian, hoping that it has an up to date kernel.

Failing that, a new VPS provider maybe.

Those are only a couple of suggestions. It's not an error I am familiar with, so some Google research of the error message might turn up an easier solution.

The major point is, though, that you do need IPTABLES with a proper NAT module (99% of IPTABLES these days do have NAT enabled), or your forwarding won't work.

[edit]

After a little Googling, I see some info that says:
That error means they have not enabled NAT support for your kernel and usually with VPS's you cannot load your own modules so you need to contact them to get them to do it for you
So I suggest you just contact the VPS provider and ask them to "please enable the NAT module in IPTABLES".
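The firewall script in this thread only surfaced the missing nat table as "Unknown error" after the other rules were already applied. The preflight below is an added example (not code from the thread, from Bebop, or from OpenVPN) that checks for that error and for ip_forward first, picks venet0 over eth0 when the container has it, and prints the SNAT rule to apply; the `-s 10.8.0.0/24` match is an addition over the rule above, and the `ip -o link` listing plus the PUBLIC_IP environment variable are assumptions.

```shell
#!/bin/sh
# Preflight for the OpenVPN forwarding setup from this thread (added example).
# Each check takes its input as an argument, so it works on captured output too.

VPN_SUBNET="10.8.0.0/24"   # matches "server 10.8.0.0 255.255.255.0"

# Return 0 if the output of "iptables -t nat -L -n" shows a usable nat table,
# 1 if it carries the "Table does not exist" error tscon hit.
nat_table_ok() {
    case "$1" in
        *"can't initialize iptables table"*|*"Table does not exist"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Choose the outbound interface from a list of interface names (one per line):
# venet0 inside an OpenVZ container, eth0 otherwise (assumption; adjust to taste).
outbound_iface() {
    if printf '%s\n' "$1" | grep -q '^venet0'; then
        echo venet0
    else
        echo eth0
    fi
}

# Build the SNAT rule (no MASQUERADE, as the thread explains for OpenVZ).
# The -s match is an addition: only packets from the VPN subnet get NATed.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$VPN_SUBNET" "$1" "$2"
}

# Return 0 if the given sysctl file (normally /proc/sys/net/ipv4/ip_forward) holds 1.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Run the checks on the live host and print the rule to apply; argument: public IP.
preflight() {
    iface_list=$(ip -o link 2>/dev/null | awk -F': ' '{print $2}' | cut -d@ -f1)
    if ! nat_table_ok "$(iptables -t nat -L -n 2>&1)"; then
        echo "nat table unavailable: ask the VPS provider to enable it" >&2
        return 1
    fi
    if ! forwarding_enabled /proc/sys/net/ipv4/ip_forward; then
        echo "note: ip_forward is 0; the firewall script sets it to 1" >&2
    fi
    snat_rule "$(outbound_iface "$iface_list")" "$1"
}

# Only touch the live system when PUBLIC_IP is set: PUBLIC_IP=203.0.113.10 sh preflight.sh
if [ -n "${PUBLIC_IP:-}" ]; then
    preflight "$PUBLIC_IP"
fi
```

Run it as root before the firewall script; if it exits with the nat table message, nothing else in the script will give you internet access through the tunnel.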

tscon
OpenVpn Newbie
Posts: 10
Joined: Tue Mar 01, 2011 10:51 pm

Re: Need help will Pay $25 to make OpenVpn routing work.

Post by tscon » Wed Mar 02, 2011 12:39 pm

Bebop, thank you very much. I contacted support and they
enabled NAT tables. I just flashed the server with that firewall script one more time
and it's all working now! Thanks a lot again for your time and help
in that matter. I saved this page for further reference ;)

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: Need help will Pay $25 to make OpenVpn routing work.

Post by Bebop » Wed Mar 02, 2011 10:09 pm

tscon wrote: Bebop, thank you very much. I contacted support and they
enabled NAT tables. I just flashed the server with that firewall script one more time
and it's all working now
This is great news. Good on you for persevering, and good on your provider for sorting that out too.

As for your IPTABLES -- what you have now is a good basic working model. If you want a more complete model, with higher security, then here is a link to the full guide: post10140.html

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: Need help will Pay $25 to make OpenVpn routing work.

Post by Douglas » Fri Mar 04, 2011 8:15 pm

Bebop wrote:
tscon wrote: Bebop, thank you very much. I contacted support and they
enabled NAT tables. I just flashed the server with that firewall script one more time
and it's all working now
This is great news. Good on you for persevering, and good on your provider for sorting that out too.

As for your IPTABLES -- what you have now is a good basic working model. If you want a more complete model, with higher security, then here is a link to the full guide: post10140.html
In the future for anyone reading, with OpenVZ, if your provider cannot or will not enable NAT for masquerading, you can use a SNAT rule.
