by egghead0 » Tue Jul 05, 2011 5:29 pm
Hi Guys,
Wondering if you can help, need a fresh pair of eyes. I am connecting and getting an IP from the server, but traffic is not forced down the VPN
Code:
root@ns390846:~# iptables-save -c
# Generated by iptables-save v1.4.8 on Tue Jul 5 19:14:40 2011
*raw
:PREROUTING ACCEPT [1887:177880]
:OUTPUT ACCEPT [2316:775087]
COMMIT
# Completed on Tue Jul 5 19:14:40 2011
# Generated by iptables-save v1.4.8 on Tue Jul 5 19:14:40 2011
*nat
:PREROUTING ACCEPT [113:7522]
:INPUT ACCEPT [113:7522]
:OUTPUT ACCEPT [453:92419]
:POSTROUTING ACCEPT [453:92419]
[0:0] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Jul 5 19:14:40 2011
# Generated by iptables-save v1.4.8 on Tue Jul 5 19:14:40 2011
*mangle
:PREROUTING ACCEPT [1887:177880]
:INPUT ACCEPT [1887:177880]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2316:775087]
:POSTROUTING ACCEPT [2316:775087]
COMMIT
# Completed on Tue Jul 5 19:14:40 2011
# Generated by iptables-save v1.4.8 on Tue Jul 5 19:14:40 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2316:775087]
[1772:170278] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[115:7602] -A INPUT -i eth0 -j ACCEPT
[0:0] -A INPUT -i tun0 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --sport 10000 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --sport 1194 -j ACCEPT
[0:0] -A FORWARD -i tun0 -j ACCEPT
COMMIT
# Completed on Tue Jul 5 19:14:40 2011
Using on server:
Code:
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
I have read like 10 of these forums in an effort not to post and gone through as many different options as I can see - so I think I'm not overthinking and missing something obvious.
Thanks in advance
Kind Regards,
eggy
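One way to read the counters in that iptables-save -c dump, added here as an example and not part of the original post. It parses an offline copy of the dump and assumes the tunnel interface, VPN subnet and WAN interface are tun0, 10.8.0.0/24 and eth0 as above; the point it surfaces is that every tun0 rule has matched zero packets, so nothing has come out of the tunnel yet.

```python
import re

# Constructed excerpt of the iptables-save -c dump posted above (counters as
# shown there; only the rules relevant to the forwarding path are kept).
SAMPLE_DUMP = """\
*nat
[0:0] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
[0:0] -A INPUT -i tun0 -j ACCEPT
[0:0] -A FORWARD -i tun0 -j ACCEPT
COMMIT
"""
# "[pkts:bytes] -A CHAIN rule..." as written by iptables-save -c
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")

def parse_rules(dump):
    """Return (table, chain, packets, rule_text) for every -A line."""
    table, rules = None, []
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif (m := RULE_RE.match(line)):
            rules.append((table, m.group(3), int(m.group(1)), m.group(4)))
    return rules

def diagnose(dump, vpn_net="10.8.0.0/24", tun="tun0", wan="eth0"):
    """List what is wrong with the VPN forwarding path; empty list = looks live."""
    rules = parse_rules(dump)
    def find(table, chain, *needles):
        return [r for r in rules if r[0] == table and r[1] == chain
                and all(n in r[3] for n in needles)]
    findings = []
    nat = find("nat", "POSTROUTING", f"-s {vpn_net}", f"-o {wan}", "MASQUERADE")
    fwd = find("filter", "FORWARD", f"-i {tun}")
    inp = find("filter", "INPUT", f"-i {tun}")
    if not nat:
        findings.append(f"no MASQUERADE rule for {vpn_net} out {wan}")
    elif nat[0][2] == 0:
        findings.append("MASQUERADE rule present but has matched 0 packets")
    if not fwd:
        findings.append(f"no FORWARD rule accepting traffic from {tun}")
    elif fwd[0][2] == 0:
        findings.append(f"FORWARD from {tun} has matched 0 packets")
    if inp and inp[0][2] == 0 and fwd and fwd[0][2] == 0:
        # Nothing has come out of the tunnel: check the data channel before NAT/routing.
        findings.append(f"no packets have emerged from {tun}; check the data channel first")
    return findings
```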
by maikcat » Tue Jul 05, 2011 6:34 pm
hi there,
I am not an iptables guru, but I have to suggest the following:
If you disable iptables for a test, does it work?
Just for the record, what distro is it?
Can you please post the output from iptables -L and iptables -L -t nat?
Also, posting configs and logs would be helpful too..
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
by egghead0 » Tue Jul 05, 2011 7:51 pm
Hi Michael,
Thanks for your reply.
I believe disabling iptables would not help as I require it to masquerade 10.8.0.0/24. Unless there is another way within the OpenVPN config?
Code:
iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.8.0.0/24 anywhere
Code:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:webmin
ACCEPT udp -- anywhere anywhere udp spt:openvpn
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Server Conf:
Code:
port 1194
proto udp
dev tun0
ca keys/egghead0/ca.crt
cert keys/egghead0/admin.crt
key keys/egghead0/admin.key
dh keys/egghead0/dh4096.pem
server 10.8.0.0 255.255.255.0
crl-verify keys/egghead0/crl.pem
ifconfig-pool-persist servers/egghead0/logs/ipp.txt
cipher AES-256-CBC
user root
group root
status servers/egghead0/logs/openvpn-status.log
log-append servers/egghead0/logs/openvpn.log
verb 2
mute 20
max-clients 100
keepalive 10 120
client-config-dir /etc/openvpn/servers/egghead0/ccd
comp-lzo
persist-key
persist-tun
ccd-exclusive
push "route 192.168.254.0 255.255.255.0"
push "redirect-gateway def1"
client.ovpn:
Code:
client
proto udp
dev tun
ca ca.crt
dh dh4096.pem
cert client.crt
key client.key
remote IPADDRESS PORT
cipher DES-CFB
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind
Log:
Code:
Tue Jul 5 19:25:58 2011 event_wait : Interrupted system call (code=4)
Tue Jul 5 19:25:58 2011 TCP/UDP: Closing socket
Tue Jul 5 19:25:58 2011 Closing TUN/TAP interface
Tue Jul 5 19:25:58 2011 /sbin/ifconfig tun0 0.0.0.0
Tue Jul 5 19:25:58 2011 SIGTERM[hard,] received, process exiting
Tue Jul 5 19:26:00 2011 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 22 2010
Tue Jul 5 19:26:00 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jul 5 19:26:00 2011 WARNING: file 'keys/egghead0ltd/admin.key' is group or others accessible
Tue Jul 5 19:26:00 2011 /usr/bin/openssl-vulnkey -q -b 4096 -m <modulus omitted>
WARN: could not open database for 4096 bits. Skipped
Tue Jul 5 19:26:00 2011 TLS-Auth MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul 5 19:26:00 2011 TUN/TAP device tun0 opened
Tue Jul 5 19:26:00 2011 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Tue Jul 5 19:26:00 2011 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jul 5 19:26:00 2011 GID set to root
Tue Jul 5 19:26:00 2011 UID set to root
Tue Jul 5 19:26:00 2011 UDPv4 link local (bound): [undef]
Tue Jul 5 19:26:00 2011 UDPv4 link remote: [undef]
Tue Jul 5 19:26:00 2011 Initialization Sequence Completed
Tue Jul 5 19:26:07 2011 IPADDRESS:PORT Re-using SSL/TLS context
Tue Jul 5 19:26:07 2011 IPADDRESS:PORT LZO compression initialized
Tue Jul 5 19:26:07 2011 IPADDRESS:PORT Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul 5 19:26:07 2011 IPADDRESS:PORT Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jul 5 19:26:07 2011 IPADDRESS:PORT Local Options hash (VER=V4): 'a8f55717'
Tue Jul 5 19:26:07 2011 IPADDRESS:PORT Expected Remote Options hash (VER=V4): '22188c5b'
Tue Jul 5 19:26:09 2011 IPADDRESS:PORT CRL CHECK OK: /C=UK/ST=UK/L=UK/O=egghead0Ltd/emailAddress=admin@egghead0.co.uk
Tue Jul 5 19:26:09 2011 IPADDRESS:PORT VERIFY OK: depth=1, /C=UK/ST=UK/L=UK/O=egghead0Ltd/emailAddress=admin@egghead0.co.uk
Tue Jul 5 19:26:09 2011 IPADDRESS:PORT CRL CHECK OK: /C=UK/ST=UK/L=UK/O=egghead0Ltd/OU=Office/CN=client/emailAddress=admin@egghead0.co.uk
Tue Jul 5 19:26:09 2011 IPADDRESS:PORT VERIFY OK: depth=0, /C=UK/ST=UK/L=UK/O=egghead0Ltd/OU=Office/CN=client/emailAddress=admin@egghead0.co.uk
Tue Jul 5 19:26:10 2011 IPADDRESS:PORT WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1539'
Tue Jul 5 19:26:10 2011 IPADDRESS:PORT WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher DES-CFB'
Tue Jul 5 19:26:10 2011 IPADDRESS:PORT WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 64'
Tue Jul 5 19:26:10 2011 IPADDRESS:PORT Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jul 5 19:26:10 2011 IPADDRESS:PORT Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 5 19:26:10 2011 IPADDRESS:PORT Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jul 5 19:26:10 2011 IPADDRESS:PORT Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 5 19:26:10 2011 IPADDRESS:PORT Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Tue Jul 5 19:26:10 2011 IPADDRESS:PORT [client] Peer Connection Initiated with [AF_INET]IPADDRESS:PORT
Tue Jul 5 19:30:12 2011 client/IPADDRESS:PORT [client] Inactivity timeout (--ping-restart), restarting
Your thoughts?
Kind Regards,
eggy
Last edited by egghead0 on Wed Jul 06, 2011 7:47 am, edited 1 time in total.
by maikcat » Wed Jul 06, 2011 6:48 am
I noticed this:
server
cipher AES-256-CBC
client
cipher DES-CFB
cipher should be the same on client/server
Michael.
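The mismatch Michael spotted is the kind of thing the "'cipher' is used inconsistently" warning in the log is reporting. As an added example (not part of this thread or of OpenVPN itself), here is a small checker that parses constructed copies of the two configs above and reports every peer-checked option that differs, not only cipher; option names other than those in the posted configs are assumptions about what OpenVPN compares.

```python
import shlex

# Constructed copies of the server.conf and client.ovpn posted in this thread,
# reduced to the options that both peers must agree on.
SERVER_CONF = """\
port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
keepalive 10 120
comp-lzo
push "redirect-gateway def1"
"""
CLIENT_CONF = """\
client
proto udp
dev tun
remote IPADDRESS PORT
cipher DES-CFB
keepalive 10 120
comp-lzo
"""
# Options OpenVPN compares against the peer's options string at connect time
# (the "'X' is used inconsistently" warnings in the log). link-mtu and keysize
# are derived from the others, so once these agree those warnings go away too.
PEER_OPTIONS = ("proto", "cipher", "auth", "keysize", "comp-lzo", "tls-auth")

def parse_conf(text):
    """Map option name -> argument string ('' for bare flags such as comp-lzo)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # skip blanks and comments
            continue
        parts = shlex.split(line)
        opts[parts[0]] = " ".join(parts[1:])
    return opts

def mismatches(server_text, client_text):
    """Return {option: (server_value, client_value)} for options that differ.
    None means the option is absent, i.e. the OpenVPN default applies."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    return {o: (s.get(o), c.get(o)) for o in PEER_OPTIONS if s.get(o) != c.get(o)}
```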
by egghead0 » Wed Jul 06, 2011 5:48 pm
Hi Michael,
Good point - I have updated it but still no change :S.
Any other thoughts?
Kind Regards,
eggy
by maikcat » Wed Jul 06, 2011 6:04 pm
Since I am not an openssl expert,
can you tell me how you created the certificates? (which commands etc.)
Basically, this troubles me:
Tue Jul 5 19:26:00 2011 /usr/bin/openssl-vulnkey -q -b 4096 -m <modulus omitted>
WARN: could not open database for 4096 bits. Skipped
Michael.
by egghead0 » Wed Jul 06, 2011 6:10 pm
I am cheating and using the webmin plugin lol
by maikcat » Wed Jul 06, 2011 6:12 pm
you little ...... (homer chokes bart..)
come on, a few steps:
edit vars (set to bottom your location etc)
source vars
build-ca
build-key-server server (key for server)
build-dh
build-key client (key for client)
ready!
Michael.
by egghead0 » Wed Jul 06, 2011 6:39 pm
Might have to dumb it down a lil further for me
I can only see example vars on the box:
/usr/share/doc/openvpn/examples/easy-rsa/1.0/vars
/usr/share/doc/openvpn/examples/easy-rsa/2.0/vars
For OpenVPN at least
Kind Regards,
eggy
by maikcat » Thu Jul 07, 2011 6:28 am
copy all files from /usr/share/doc/openvpn/examples/easy-rsa/2.0/
to /etc/openvpn
chmod 755 /etc/openvpn/*
edit vars and so on..
Michael.