Deny public traffic route to openvpn server

huzaifa225
OpenVpn Newbie
Posts: 5
Joined: Tue Nov 08, 2022 12:36 pm

Deny public traffic route to openvpn server

Post by huzaifa225 » Tue Nov 08, 2022 12:50 pm

I have installed the OpenVPN server on Ubuntu 22.04. I am able to connect to it, but all my traffic is going to the OpenVPN server, which is causing slow internet for me. I want only the required traffic to go to OpenVPN. I followed the URL below to set up the OpenVPN server:
https://hinty.io/ivictbor/setup-openvpn-server-on-ubuntu-22-04/

I tried to fix this issue by following the URLs below, but those solutions didn't work for me.
https://forums.openvpn.net/viewtopic.php?t=27618
https://askubuntu.com/questions/945978/how-to-disable-routing-all-network-traffic-through-openvpn
https://serverfault.com/questions/792118/openvpn-how-to-stop-public-traffic-routing-through-vpn-server

My server.conf

Code:

port 1194
;proto tcp
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
crl-verify keys/crl.pem
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
tls-crypt keys/ta.key
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /tmp/openvpn-status.log 3
verb 3
tun-mtu             1500
mssfix              1300


Client.ovpn

Code:

dev                 tun_test
proto               udp
client
remote              demo15.xyz.com 1194
cipher              BF-CBC
auth                SHA256
resolv-retry        infinite
persist-key
persist-tun
comp-lzo
keepalive           9 30
verb                3
nobind
tun-mtu             1500
mssfix              1300
mute                20
redirect-gateway autolocal
key-direction 1
status             /var/log/tun_test.status

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: Deny public traffic route to openvpn server

Post by ordex » Tue Nov 08, 2022 1:10 pm

You have to remove the following line from the client config:

Code:

redirect-gateway autolocal

That one is causing all the client traffic to be redirected to the server.
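
An added example (not part of ordex's reply and not OpenVPN's own code): a small audit that checks a client profile for the directive named above. It goes beyond the reply by also handling a `redirect-gateway` pushed by the server and `pull-filter`, and by flagging the three weaknesses the client log later in this thread warns about. The function names and the `vpn.example.com` hostname are assumptions made for the illustration.

```python
import shlex

# Constructed sample: routing/security lines of the client profile posted
# above, with a placeholder hostname.
CLIENT_OVPN = """\
client
dev tun_test
proto udp
remote vpn.example.com 1194
cipher BF-CBC
auth SHA256
comp-lzo
redirect-gateway autolocal
"""

# Any of these enables a server-certificate check on the client.
CERT_CHECKS = {"remote-cert-tls", "remote-cert-ku", "remote-cert-eku",
               "ns-cert-type", "verify-x509-name", "tls-verify"}
SMALL_BLOCK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}  # 64-bit blocks

def parse(text):
    """Return [(directive, [args])], skipping blanks and '#'/';' comments."""
    opts = []
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            tok = shlex.split(line, comments=True)
            if tok:
                opts.append((tok[0], tok[1:]))
    return opts

def apply_pull_filters(pushed, filters):
    """First pull-filter rule whose text prefixes the option decides;
    anything other than 'accept' keeps the option from being applied."""
    kept = []
    for opt in pushed:
        action = next((a for a, pre in filters if opt.startswith(pre)), "accept")
        if action == "accept":
            kept.append(opt)
    return kept

def audit(client_text, pushed=()):
    """Report whether the profile yields a full tunnel, plus weak settings."""
    opts = parse(client_text)
    names = {n for n, _ in opts}
    filters = [tuple(a) for n, a in opts if n == "pull-filter" and len(a) == 2]
    effective = apply_pull_filters(pushed, filters)
    findings = []
    if "redirect-gateway" in names:
        findings.append("full-tunnel: redirect-gateway in client profile")
    if any(o.split()[:1] == ["redirect-gateway"] for o in effective):
        findings.append("full-tunnel: redirect-gateway pushed by server")
    full = bool(findings)  # only routing findings have been added so far
    for n, a in opts:
        if n == "cipher" and a and a[0].upper() in SMALL_BLOCK:
            findings.append(f"weak-cipher: {a[0]} has a 64-bit block (SWEET32)")
        if n == "comp-lzo" and a != ["no"]:
            findings.append("compression: comp-lzo enabled")
    if "client" in names and not names & CERT_CHECKS:
        findings.append("no-server-cert-check: e.g. add 'remote-cert-tls server'")
    routes = [" ".join(a) for n, a in opts if n == "route"]
    routes += [o[6:].strip() for o in effective if o.startswith("route ")]
    return {"full_tunnel": full, "split_routes": routes, "findings": findings}
```

`audit(CLIENT_OVPN)` reports a full tunnel and four findings; with the `redirect-gateway` line removed and no push from the server, `full_tunnel` becomes false.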

Re: Deny public traffic route to openvpn server

Post by huzaifa225 » Tue Nov 08, 2022 1:21 pm

I already tried this, but nothing changed; all traffic is still going to OpenVPN.

Re: Deny public traffic route to openvpn server

Post by ordex » Tue Nov 08, 2022 1:55 pm

Can you please set verb to 4 on the client and post the log here? (You may want to remove sensitive data, like IPs.)

Re: Deny public traffic route to openvpn server

Post by huzaifa225 » Tue Nov 08, 2022 2:25 pm

Those IPs can change later. Here are my logs generated when I connect to my VPN.

Code:

2022-11-08 14:22:10 10.936.0.103:7855 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 384 bit EC, curve secp384r1, signature: ecdsa-with-SHA512
2022-11-08 14:22:10 10.936.0.103:7855 [test] Peer Connection Initiated with [AF_INET]10.936.0.103:7855
2022-11-08 14:22:10 10.936.0.103:7855 PUSH: Received control message: 'PUSH_REQUEST'
2022-11-08 14:22:10 test/10.936.0.103:7855 MULTI_sva: pool returned IPv4=10.9.0.2, IPv6=(Not enabled)
2022-11-08 14:22:10 test/10.936.0.103:7855 MULTI: Learn: 10.9.0.2 -> test/10.936.0.103:7855
2022-11-08 14:22:10 test/10.936.0.103:7855 MULTI: primary virtual IP for test/10.936.0.103:7855: 10.9.0.2
2022-11-08 14:22:10 test/10.936.0.103:7855 Data Channel: using negotiated cipher 'AES-256-GCM'
2022-11-08 14:22:10 test/10.936.0.103:7855 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-11-08 14:22:10 test/10.936.0.103:7855 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2022-11-08 14:22:10 test/10.936.0.103:7855 SENT CONTROL [test]: 'PUSH_REPLY,route  10.9.0.0 255.255.255.255,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.9.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)

Last edited by huzaifa225 on Tue Nov 08, 2022 2:39 pm, edited 1 time in total.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Deny public traffic route to openvpn server

Post by Pippin » Tue Nov 08, 2022 4:01 pm

Now where do these addresses come from?

Code:

MULTI: Learn: 10.9.0.2 -> test/10.936.0.103:7855

I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

Re: Deny public traffic route to openvpn server

Post by ordex » Tue Nov 08, 2022 7:55 pm

Yeah Pippin is right - this log is from a server running a different configuration from the one you posted.

However, it would be interesting to also see the full *client* log.

Re: Deny public traffic route to openvpn server

Post by huzaifa225 » Wed Nov 09, 2022 2:16 pm

Guys, my bad, I posted the wrong logs. Below are the logs from the client side.

Code:

Nov  9 18:58:49 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002329.1386] vpn[0x55d2557e6220,da5f70e6-4b42-4e3b-9e79-93fd557fd005,"tun_huzaifa"]: starting openvpn
Nov  9 18:58:49 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002329.1409] audit: op="connection-activate" uuid="da5f70e6-4b42-4e3b-9e79-93fd557fd005" name="tun_huzaifa" pid=1519 uid=1000 result="success"
Nov  9 18:58:49 ubuntu-VirtualBox NetworkManager[47932]: 2022-11-09 18:58:49 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Nov  9 18:58:49 ubuntu-VirtualBox nm-openvpn[47932]: DEPRECATED OPTION: --cipher set to 'BF-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.
Nov  9 18:58:49 ubuntu-VirtualBox nm-openvpn[47932]: OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Nov  9 18:58:49 ubuntu-VirtualBox nm-openvpn[47932]: library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Nov  9 18:58:49 ubuntu-VirtualBox nm-openvpn[47932]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov  9 18:58:49 ubuntu-VirtualBox nm-openvpn[47932]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov  9 18:58:49 ubuntu-VirtualBox nm-openvpn[47932]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
Nov  9 18:58:49 ubuntu-VirtualBox nm-openvpn[47932]: TCP/UDP: Preserving recently used remote address: [AF_INET]110.93.239.21:1194
Nov  9 18:58:49 ubuntu-VirtualBox nm-openvpn[47932]: UDP link local: (not bound)
Nov  9 18:58:49 ubuntu-VirtualBox nm-openvpn[47932]: UDP link remote: [AF_INET]110.93.239.21:1194
Nov  9 18:58:49 ubuntu-VirtualBox nm-openvpn[47932]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Nov  9 18:58:49 ubuntu-VirtualBox nm-openvpn[47932]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Nov  9 18:58:49 ubuntu-VirtualBox systemd[1]: NetworkManager-dispatcher.service: Deactivated successfully.
Nov  9 18:58:50 ubuntu-VirtualBox nm-openvpn[47932]: [server] Peer Connection Initiated with [AF_INET]110.93.239.21:1194
Nov  9 18:58:50 ubuntu-VirtualBox nm-openvpn[47932]: TUN/TAP device tun_huzaifa opened
Nov  9 18:58:50 ubuntu-VirtualBox nm-openvpn[47932]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --debug 0 47928 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_83 --tun -- tun_huzaifa 1500 1553 10.8.0.3 255.255.255.0 init
Nov  9 18:58:50 ubuntu-VirtualBox systemd-udevd[47933]: Using default interface naming scheme 'v249'.
Nov  9 18:58:50 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002330.5981] manager: (tun_huzaifa): new Tun device (/org/freedesktop/NetworkManager/Devices/43)
Nov  9 18:58:50 ubuntu-VirtualBox nm-openvpn[47932]: chroot to '/var/lib/openvpn/chroot' and cd to '/' succeeded
Nov  9 18:58:50 ubuntu-VirtualBox nm-openvpn[47932]: GID set to nm-openvpn
Nov  9 18:58:50 ubuntu-VirtualBox nm-openvpn[47932]: UID set to nm-openvpn
Nov  9 18:58:50 ubuntu-VirtualBox nm-openvpn[47932]: Initialization Sequence Completed
Nov  9 18:58:50 ubuntu-VirtualBox dbus-daemon[532]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.11' (uid=0 pid=535 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined")
Nov  9 18:58:50 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002330.7430] device (tun_huzaifa): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
Nov  9 18:58:50 ubuntu-VirtualBox systemd[1]: Starting Network Manager Script Dispatcher Service...
Nov  9 18:58:50 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002330.7818] device (tun_huzaifa): state change: unavailable -> disconnected (reason 'connection-assumed', sys-iface-state: 'external')
Nov  9 18:58:50 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002330.8011] device (tun_huzaifa): Activation: starting connection 'tun_huzaifa' (ac993761-2700-4a16-8189-8fdeb1f62dbe)
Nov  9 18:58:50 ubuntu-VirtualBox dbus-daemon[532]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Nov  9 18:58:50 ubuntu-VirtualBox systemd[1]: Started Network Manager Script Dispatcher Service.
Nov  9 18:58:50 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002330.8400] policy: set 'tun_huzaifa' (tun_huzaifa) as default for IPv4 routing and DNS
Nov  9 18:58:50 ubuntu-VirtualBox systemd-resolved[421]: enp0s3: Bus client set default route setting: no
Nov  9 18:58:50 ubuntu-VirtualBox systemd-resolved[421]: enp0s3: Bus client reset DNS server list.
Nov  9 18:58:50 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002330.8744] device (tun_huzaifa): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'external')
Nov  9 18:58:50 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002330.8755] device (tun_huzaifa): state change: prepare -> config (reason 'none', sys-iface-state: 'external')
Nov  9 18:58:50 ubuntu-VirtualBox systemd-resolved[421]: tun_huzaifa: Bus client set default route setting: yes
Nov  9 18:58:50 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002330.8951] device (tun_huzaifa): state change: config -> ip-config (reason 'none', sys-iface-state: 'external')
Nov  9 18:58:50 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002330.8971] device (tun_huzaifa): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'external')
Nov  9 18:58:50 ubuntu-VirtualBox systemd-resolved[421]: tun_huzaifa: Bus client set DNS server list to: 8.8.8.8, 8.8.4.4
Nov  9 18:58:50 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002330.9399] device (tun_huzaifa): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'external')
Nov  9 18:58:50 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002330.9402] device (tun_huzaifa): state change: secondaries -> activated (reason 'none', sys-iface-state: 'external')
Nov  9 18:58:50 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002330.9430] device (tun_huzaifa): Activation: successful, device activated.




Nov  9 18:58:49 ubuntu-VirtualBox kernel: [70741.441909] audit: type=1400 audit(1668002329.005:278): apparmor="DENIED" operation="connect" profile="/usr/sbin/cups-browsed" name="/run/systemd/resolve/io.systemd.Resolve" pid=768 comm="cups-browsed" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=101
Nov  9 18:58:49 ubuntu-VirtualBox kernel: [70741.477195] audit: type=1400 audit(1668002329.037:279): apparmor="DENIED" operation="connect" profile="/usr/sbin/cups-browsed" name="/run/systemd/resolve/io.systemd.Resolve" pid=768 comm="cups-browsed" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=101

Re: Deny public traffic route to openvpn server

Post by ordex » Wed Nov 09, 2022 10:56 pm

Is it possible that you did not change "verb 3" to "verb 4" in your client config? You are using NM, so I presume there should be a knob for it?

Re: Deny public traffic route to openvpn server

Post by huzaifa225 » Thu Nov 10, 2022 11:34 am

Here are the client-side logs with verb 4. Can you please tell me how I can enable the knob on it?

Code:

Nov 10 13:42:01 ubuntu-VirtualBox NetworkManager[530]: <info>  [1668069721.6043] vpn[0x55590ea7c630,a696965d-0e70-4c31-9837-4bd24aa13268,"tun_huzaifa"]: starting openvpn
Nov 10 13:42:01 ubuntu-VirtualBox NetworkManager[530]: <info>  [1668069721.6170] audit: op="connection-activate" uuid="a696965d-0e70-4c31-9837-4bd24aa13268" name="tun_huzaifa" pid=1584 uid=1000 result="success"
Nov 10 13:42:01 ubuntu-VirtualBox NetworkManager[3671]: 2022-11-10 13:42:01 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: DEPRECATED OPTION: --cipher set to 'BF-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'BF-CBC' to --data-ciphers or change --cipher 'BF-CBC' to --data-ciphers-fallback 'BF-CBC' to silence this warning.
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC). Support for these insecure ciphers will be removed in OpenVPN 2.7.
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: TCP/UDP: Preserving recently used remote address: [AF_INET]110.93.239.21:1194
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: UDP link local: (not bound)
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: UDP link remote: [AF_INET]110.93.239.21:1194
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: [server] Peer Connection Initiated with [AF_INET]110.93.239.21:1194
Nov 10 13:42:01 ubuntu-VirtualBox systemd-udevd[3672]: Using default interface naming scheme 'v249'.
Nov 10 13:42:01 ubuntu-VirtualBox NetworkManager[530]: <info>  [1668069721.9461] manager: (tun_huzaifa): new Tun device (/org/freedesktop/NetworkManager/Devices/5)
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: TUN/TAP device tun_huzaifa opened
Nov 10 13:42:01 ubuntu-VirtualBox nm-openvpn[3671]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --debug 0 3667 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_6 --tun -- tun_huzaifa 1500 1553 10.8.0.3 255.255.255.0 init
Nov 10 13:42:02 ubuntu-VirtualBox nm-openvpn[3671]: chroot to '/var/lib/openvpn/chroot' and cd to '/' succeeded
Nov 10 13:42:02 ubuntu-VirtualBox nm-openvpn[3671]: GID set to nm-openvpn
Nov 10 13:42:02 ubuntu-VirtualBox nm-openvpn[3671]: UID set to nm-openvpn
Nov 10 13:42:02 ubuntu-VirtualBox nm-openvpn[3671]: Initialization Sequence Completed

Re: Deny public traffic route to openvpn server

Post by ordex » Thu Nov 10, 2022 12:55 pm

I am sorry, but this log still is pretty silent. It seems Network Manager is ignoring your verb setting.
Maybe you have to change the verb value from within NM?

Re: Deny public traffic route to openvpn server

Post by Pippin » Thu Nov 10, 2022 2:18 pm

Hi,

Yeah, confusing NM.....

If what ordex wrote fails or cannot be done then add

Code:

log /etc/openvpn/client/openvpn.log
verb 4

and remove

Code:

mute 20

I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
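
An added example, not from any poster in this thread: a triage pass over the client log posted earlier. It reports which device NetworkManager made the default route, whether the log is verbose enough to show the server's PUSH_REPLY, and the OpenVPN warnings. `triage` and the report keys are hypothetical names; the sample lines are excerpted (some shortened) from the log above.

```python
import re

# Excerpt of the client log posted in this thread (some lines shortened).
SAMPLE_LOG = """\
Nov  9 18:58:49 ubuntu-VirtualBox nm-openvpn[47932]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Nov  9 18:58:49 ubuntu-VirtualBox nm-openvpn[47932]: WARNING: INSECURE cipher (BF-CBC) with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.
Nov  9 18:58:50 ubuntu-VirtualBox nm-openvpn[47932]: TUN/TAP device tun_huzaifa opened
Nov  9 18:58:50 ubuntu-VirtualBox nm-openvpn[47932]: Initialization Sequence Completed
Nov  9 18:58:50 ubuntu-VirtualBox NetworkManager[535]: <info>  [1668002330.8400] policy: set 'tun_huzaifa' (tun_huzaifa) as default for IPv4 routing and DNS
Nov  9 18:58:50 ubuntu-VirtualBox systemd-resolved[421]: tun_huzaifa: Bus client set default route setting: yes
"""

# "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ ([^\[:]+)(?:\[\d+\])?: (.*)$")
DEFAULT_RT = re.compile(r"policy: set '([^']+)' \(\S+\) as default for IPv4 routing")
TUN_OPEN = re.compile(r"TUN/TAP device (\S+) opened")


def triage(log_text):
    """Summarise routing and security signals in a client-side syslog excerpt."""
    tun_devs, warnings = set(), []
    default_dev, push_reply = None, False
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        prog, msg = m.groups()
        if prog == "NetworkManager" and (d := DEFAULT_RT.search(msg)):
            default_dev = d.group(1)
        if t := TUN_OPEN.search(msg):
            tun_devs.add(t.group(1))
        if "PUSH: Received control message: 'PUSH_REPLY" in msg:
            push_reply = True  # pushed routes/options are visible in this log
        if "WARNING:" in msg or msg.startswith("DEPRECATED OPTION:"):
            warnings.append(msg[msg.find("WARNING:"):].split(". ")[0]
                            if "WARNING:" in msg else msg.split(". ")[0])
    return {
        "tun_devs": sorted(tun_devs),
        "default_route_dev": default_dev,
        "vpn_is_default": default_dev in tun_devs,
        "push_reply_seen": push_reply,
        "warnings": warnings,
    }
```

When the reported default-route device is the tunnel even though the profile no longer contains `redirect-gateway`, the NetworkManager connection property `ipv4.never-default` is the setting to inspect.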
