I need to hide the OpenVPN service behind a public web page on a Linux server, so I cannot apply the automatic `ref 1` settings provided by OpenVPN.
The idea is this:
App -> tun0(10.0.0.2) -> OpenVPN Client -------> OpenVPN Server -------> Any Site on WWW
The tun0 interface is already established on the client server:
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/none
inet 10.0.0.2 peer 10.0.0.1/32 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::795f:d298:47f1:504f/64 scope link flags 800
valid_lft forever preferred_lft forever
First I started `tcpdump -i tun0` to sniff the packets, and tried out
ping -c 1 10.0.0.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
01:43:40.304296 IP vps > gateway: ICMP echo request, id 3964, seq 1, length 64
01:43:40.328524 IP gateway > vps: ICMP echo reply, id 3964, seq 1, length 64
curl --interface tun0 google.com
01:43:58.053894 IP vps.40001 > waw02s13-in-f4.1e100.net.http: Flags [S], seq 123149306, win 27200, options [mss 1360,sackOK,TS val 238912080 ecr 0,nop,wscale 7], length 0
01:43:58.078342 IP waw02s13-in-f4.1e100.net.http > vps.40001: Flags [S.], seq 157491104, ack 123149307, win 65535, options [mss 1430,sackOK,TS val 126255572 ecr 238912080,nop,wscale 8], length 0
01:43:58.382454 IP waw02s13-in-f4.1e100.net.http > vps.40001: Flags [S.], seq 157491104, ack 123149307, win 65535, options [mss 1430,sackOK,TS val 126255876 ecr 238912080,nop,wscale 8], length 0
01:43:59.055416 IP vps.40001 > waw02s13-in-f4.1e100.net.http: Flags [S], seq 123149306, win 27200, options [mss 1360,sackOK,TS val 238913082 ecr 0,nop,wscale 7], length 0
01:43:59.079677 IP waw02s13-in-f4.1e100.net.http > vps.40001: Flags [S.], seq 157491104, ack 123149307, win 65535, options [mss 1430,sackOK,TS val 126256573 ecr 238912080,nop,wscale 8], length 0
01:44:01.061547 IP vps.40001 > waw02s13-in-f4.1e100.net.http: Flags [S], seq 123149306, win 27200, options [mss 1360,sackOK,TS val 238915088 ecr 0,nop,wscale 7], length 0
01:44:01.086079 IP waw02s13-in-f4.1e100.net.http > vps.40001: Flags [S.], seq 157491104, ack 123149307, win 65535, options [mss 1430,sackOK,TS val 126258579 ecr 238912080,nop,wscale 8], length 0
01:44:03.110614 IP waw02s13-in-f4.1e100.net.http > vps.40001: Flags [S.], seq 157491104, ack 123149307, win 65535, options [mss 1430,sackOK,TS val 126260604 ecr 238912080,nop,wscale 8], length 0
01:44:05.069409 IP vps.40001 > waw02s13-in-f4.1e100.net.http: Flags [S], seq 123149306, win 27200, options [mss 1360,sackOK,TS val 238919096 ecr 0,nop,wscale 7], length 0
01:44:05.093616 IP waw02s13-in-f4.1e100.net.http > vps.40001: Flags [S.], seq 157491104, ack 123149307, win 65535, options [mss 1430,sackOK,TS val 126262587 ecr 238912080,nop,wscale 8], length 0
01:44:09.126563 IP waw02s13-in-f4.1e100.net.http > vps.40001: Flags [S.], seq 157491104, ack 123149307, win 65535, options [mss 1430,sackOK,TS val 126266620 ecr 238912080,nop,wscale 8], length 0
01:44:17.574572 IP waw02s13-in-f4.1e100.net.http > vps.40001: Flags [S.], seq 157491104, ack 123149307, win 65535, options [mss 1430,sackOK,TS val 126275068 ecr 238912080,nop,wscale 8], length 0
01:44:33.958467 IP waw02s13-in-f4.1e100.net.http > vps.40001: Flags [S.], seq 157491104, ack 123149307, win 65535, options [mss 1430,sackOK,TS val 126291452 ecr 238912080,nop,wscale 8], length 0
Fri Jun 3 01:43:40 2022 us=305160 TUN READ [84]
Fri Jun 3 01:43:40 2022 us=305293 UDP WRITE [124] to [AF_INET][openvpn server]:1100: DATA len=124
Fri Jun 3 01:43:40 2022 us=328386 UDP READ [124] from [AF_INET][openvpn server]:1100: DATA len=124
Fri Jun 3 01:43:40 2022 us=328485 TUN WRITE [84]
Fri Jun 3 01:43:58 2022 us=54345 TUN READ [60]
Fri Jun 3 01:43:58 2022 us=54536 UDP WRITE [100] to [AF_INET][openvpn server]:1100: DATA len=100
Fri Jun 3 01:43:58 2022 us=78214 UDP READ [100] from [AF_INET][openvpn server]:1100: DATA len=100
Fri Jun 3 01:43:58 2022 us=78322 TUN WRITE [60]
Fri Jun 3 01:43:58 2022 us=382320 UDP READ [100] from [AF_INET][openvpn server]:1100: DATA len=100
Fri Jun 3 01:43:58 2022 us=382431 TUN WRITE [60]
Fri Jun 3 01:43:59 2022 us=55724 TUN READ [60]
Fri Jun 3 01:43:59 2022 us=55837 UDP WRITE [100] to [AF_INET][openvpn server]:1100: DATA len=100
Fri Jun 3 01:43:59 2022 us=79548 UDP READ [100] from [AF_INET][openvpn server]:1100: DATA len=100
Fri Jun 3 01:43:59 2022 us=79644 TUN WRITE [60]
Fri Jun 3 01:44:01 2022 us=61920 TUN READ [60]
Fri Jun 3 01:44:01 2022 us=62213 UDP WRITE [100] to [AF_INET][openvpn server]:1100: DATA len=100
Fri Jun 3 01:44:01 2022 us=85969 UDP READ [100] from [AF_INET][openvpn server]:1100: DATA len=100
Fri Jun 3 01:44:01 2022 us=86053 TUN WRITE [60]
Fri Jun 3 01:44:03 2022 us=110499 UDP READ [100] from [AF_INET][openvpn server]:1100: DATA len=100
Fri Jun 3 01:44:03 2022 us=110594 TUN WRITE [60]
Fri Jun 3 01:44:05 2022 us=69541 TUN READ [60]
Fri Jun 3 01:44:05 2022 us=69696 UDP WRITE [100] to [AF_INET][openvpn server]:1100: DATA len=100
Fri Jun 3 01:44:05 2022 us=93468 UDP READ [100] from [AF_INET][openvpn server]:1100: DATA len=100
Fri Jun 3 01:44:05 2022 us=93592 TUN WRITE [60]
Fri Jun 3 01:44:09 2022 us=126402 UDP READ [100] from [AF_INET][openvpn server]:1100: DATA len=100
Fri Jun 3 01:44:09 2022 us=126510 TUN WRITE [60]
Fri Jun 3 01:44:17 2022 us=574438 UDP READ [100] from [AF_INET][openvpn server]:1100: DATA len=100
Fri Jun 3 01:44:17 2022 us=574545 TUN WRITE [60]
Fri Jun 3 01:44:33 2022 us=958336 UDP READ [100] from [AF_INET][openvpn server]:1100: DATA len=100
Fri Jun 3 01:44:33 2022 us=958440 TUN WRITE [60]
Client Config
daemon
dev tun
remote [openvpn server]
rport 1100
lport 1100
proto udp
ifconfig 10.0.0.2 10.0.0.1
secret static 1
writepid /run/tunpid
log-append /var/some.log
tun-mtu 1400
txqueuelen 1000
fragment 0
mssfix 0
verb 11
The bash file that MANUALLY adds the routing is:
ip route add default via 10.0.0.1 table vpn
# ip route list table vpn
default via 10.0.0.1 dev tun0
but somehow the communication yields no result, so I have to interrupt it with CTRL+C.
I then retested the `curl` while watching `ss -tnp`: this time the OpenVPN server did not establish any http/tcp connection to google.com at all.
So the problem must be somewhere below.
The OpenVPN server is on a Vultr VPS, and it worked fine before this month. I have no idea what changed, but to illustrate, here is the configuration of the server:
Server Config
dev tun0
lport 1100
proto udp
ifconfig 10.0.0.1 10.0.0.2
secret static 0
tun-mtu 1400
txqueuelen 1000
fragment 0
mssfix 0
log-append /var/some.log
Here is the firewalld configuration:
# firewall-cmd --info-zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 1100/udp 1200/udp 1200/tcp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# cd /proc/sys/net/ipv4
# cat ip_forward
1
# curl google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
works on that server too.
This is everything I know; thanks for reading.
So what is the problem?
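The tcpdump output above already contains the most useful clue: the SYN leaves tun0, the SYN-ACK comes back through tun0 several times, but the client never sends the third packet of the handshake. The following script is an added example, not code from the original post or from OpenVPN; it parses `tcpdump` text lines of the kind shown above and reports, per TCP flow, how far the three-way handshake got. The sample input is a constructed subset of the capture from the post plus a constructed healthy flow (`example.net`, port 40002) for contrast; the hostnames, ports and the verdict strings are assumptions made for the example.

```python
import re

# Constructed sample: a subset of the `tcpdump -i tun0` lines from the post above.
STALLED_CAPTURE = """\
01:43:40.304296 IP vps > gateway: ICMP echo request, id 3964, seq 1, length 64
01:43:40.328524 IP gateway > vps: ICMP echo reply, id 3964, seq 1, length 64
01:43:58.053894 IP vps.40001 > waw02s13-in-f4.1e100.net.http: Flags [S], seq 123149306, win 27200, options [mss 1360,sackOK,TS val 238912080 ecr 0,nop,wscale 7], length 0
01:43:58.078342 IP waw02s13-in-f4.1e100.net.http > vps.40001: Flags [S.], seq 157491104, ack 123149307, win 65535, options [mss 1430,sackOK,TS val 126255572 ecr 238912080,nop,wscale 8], length 0
01:43:58.382454 IP waw02s13-in-f4.1e100.net.http > vps.40001: Flags [S.], seq 157491104, ack 123149307, win 65535, options [mss 1430,sackOK,TS val 126255876 ecr 238912080,nop,wscale 8], length 0
01:43:59.055416 IP vps.40001 > waw02s13-in-f4.1e100.net.http: Flags [S], seq 123149306, win 27200, options [mss 1360,sackOK,TS val 238913082 ecr 0,nop,wscale 7], length 0
01:43:59.079677 IP waw02s13-in-f4.1e100.net.http > vps.40001: Flags [S.], seq 157491104, ack 123149307, win 65535, options [mss 1430,sackOK,TS val 126256573 ecr 238912080,nop,wscale 8], length 0
"""

# Constructed healthy flow (hypothetical host example.net) showing what a completed
# handshake looks like: SYN, SYN-ACK, then an ACK and data from the client.
HEALTHY_CAPTURE = """\
02:00:00.000000 IP vps.40002 > example.net.http: Flags [S], seq 1, win 27200, options [mss 1360], length 0
02:00:00.020000 IP example.net.http > vps.40002: Flags [S.], seq 100, ack 2, win 65535, options [mss 1430], length 0
02:00:00.020100 IP vps.40002 > example.net.http: Flags [.], ack 101, win 213, length 0
02:00:00.020200 IP vps.40002 > example.net.http: Flags [P.], seq 2:76, ack 101, win 213, length 74
"""

# Matches the prefix of a tcpdump TCP line: timestamp, "IP src > dst: Flags [..]".
TCP_LINE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]'
)


def split_endpoint(endpoint):
    """'vps.40001' -> ('vps', '40001'); tcpdump appends the port after the last dot."""
    host, _, port = endpoint.rpartition('.')
    return host, port


def parse_tcp(text):
    """Yield (timestamp, src, dst, flags) for TCP lines; ICMP and other lines are skipped."""
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            yield m['ts'], split_endpoint(m['src']), split_endpoint(m['dst']), m['flags']


def analyze_handshakes(text):
    """Track each TCP flow started by a bare SYN and classify how far its handshake got."""
    flows = {}
    for _ts, src, dst, flags in parse_tcp(text):
        if flags == 'S':
            # A bare SYN opens (or retransmits) a flow; the sender is the client.
            f = flows.setdefault((src, dst), {'syn': 0, 'synack': 0, 'client_ack': 0, 'client_data': 0})
            f['syn'] += 1
        elif (src, dst) in flows:
            # Client -> server packet after the SYN.
            f = flows[(src, dst)]
            if 'S' not in flags and '.' in flags:
                f['client_ack'] += 1
            if 'P' in flags:
                f['client_data'] += 1
        elif (dst, src) in flows:
            # Server -> client packet.
            if flags == 'S.':
                flows[(dst, src)]['synack'] += 1

    results = {}
    for key, f in flows.items():
        if f['synack'] == 0:
            verdict = 'no SYN-ACK: nothing came back through the interface'
        elif f['client_ack'] == 0:
            # The reply reached the interface, so the tunnel and the server are not the
            # problem; the local stack is the one not finishing the handshake.
            verdict = 'stalled: SYN-ACK arrived but the client never sent the final ACK'
        else:
            verdict = 'established'
        results[key] = dict(f, verdict=verdict)
    return results


if __name__ == '__main__':
    for capture in (STALLED_CAPTURE, HEALTHY_CAPTURE):
        for (client, server), r in analyze_handshakes(capture).items():
            print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: "
                  f"SYN x{r['syn']}, SYN-ACK x{r['synack']}, client ACK x{r['client_ack']}, {r['verdict']}")
```

Run it against a saved `tcpdump -i tun0` text file by replacing the constructed strings with its contents. A "stalled" verdict for a flow on tun0 means the tunnel carried both directions, so the next things to check are on the client host rather than on the server: whether the kernel accepts the reply on tun0 (`sysctl net.ipv4.conf.tun0.rp_filter` and `net.ipv4.conf.all.rp_filter`, since strict reverse-path filtering drops a packet whose source would not be routed back out the same interface) and whether the `vpn` routing table is actually selected for this traffic (`ip rule show`; a table that no rule references is never consulted). Those are checks worth making, not a confirmed diagnosis of the post.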