VPN Connected - No Traffic on tun0

[egghead0]

Hi Guys,

Wondering if you can help, need a fresh pair of eyes. I am connecting and getting an IP from the server, but traffic is not forced down the VPN

Code: Select all

root@ns390846:~# iptables-save -c
# Generated by iptables-save v1.4.8 on Tue Jul  5 19:14:40 2011
*raw
:PREROUTING ACCEPT [1887:177880]
:OUTPUT ACCEPT [2316:775087]
COMMIT
# Completed on Tue Jul  5 19:14:40 2011
# Generated by iptables-save v1.4.8 on Tue Jul  5 19:14:40 2011
*nat
:PREROUTING ACCEPT [113:7522]
:INPUT ACCEPT [113:7522]
:OUTPUT ACCEPT [453:92419]
:POSTROUTING ACCEPT [453:92419]
[0:0] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Jul  5 19:14:40 2011
# Generated by iptables-save v1.4.8 on Tue Jul  5 19:14:40 2011
*mangle
:PREROUTING ACCEPT [1887:177880]
:INPUT ACCEPT [1887:177880]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2316:775087]
:POSTROUTING ACCEPT [2316:775087]
COMMIT
# Completed on Tue Jul  5 19:14:40 2011
# Generated by iptables-save v1.4.8 on Tue Jul  5 19:14:40 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2316:775087]
[1772:170278] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[115:7602] -A INPUT -i eth0 -j ACCEPT
[0:0] -A INPUT -i tun0 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --sport 10000 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --sport 1194 -j ACCEPT
[0:0] -A FORWARD -i tun0 -j ACCEPT
COMMIT
# Completed on Tue Jul  5 19:14:40 2011

Code: Select all

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

using on server:

Code: Select all

push "redirect-gateway def1"

I have read like 10 of these forums in an effort not to post and gone threw as many different options I can see - so I think im not overthinking and missing something obvious.

Thanks in advance

Kind Regards,

eggy

[maikcat]

hi there,

iam not iptables guru but i have to suggest the following:

if you disable iptables for test,does it works?
just for the record,what distro itis?
can you please post the output from iptables -L and iptables -L -t nat ?

also posting configs and logs would be helpfull too..

Michael.

[egghead0]

Hi Michael,

Thanks for your reply.

I believe disabling iptables would not help as I require it to masquerade 10.8.0.0/24. Unless there is another way within the OpenVPN config?

Code: Select all

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.8.0.0/24          anywhere

Code: Select all

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:webmin
ACCEPT     udp  --  anywhere             anywhere            udp spt:openvpn

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Server Conf:

Code: Select all

port 1194
proto udp
dev tun0
ca keys/egghead0/ca.crt
cert keys/egghead0/admin.crt
key keys/egghead0/admin.key
dh keys/egghead0/dh4096.pem
server 10.8.0.0 255.255.255.0
crl-verify keys/egghead0/crl.pem
ifconfig-pool-persist servers/egghead0/logs/ipp.txt
cipher AES-256-CBC
user root
group root
status servers/egghead0/logs/openvpn-status.log
log-append servers/egghead0/logs/openvpn.log
verb 2
mute 20
max-clients 100
keepalive 10 120
client-config-dir /etc/openvpn/servers/egghead0/ccd
comp-lzo
persist-key
persist-tun
ccd-exclusive
push "route 192.168.254.0 255.255.255.0"
push "redirect-gateway def1"

client.opvn:

Code: Select all

client
proto udp
dev tun
ca ca.crt
dh dh4096.pem
cert client.crt
key client.key
remote IPADDRESS PORT
cipher DES-CFB
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind

Log:

Code: Select all

Tue Jul  5 19:25:58 2011 event_wait : Interrupted system call (code=4)
Tue Jul  5 19:25:58 2011 TCP/UDP: Closing socket
Tue Jul  5 19:25:58 2011 Closing TUN/TAP interface
Tue Jul  5 19:25:58 2011 /sbin/ifconfig tun0 0.0.0.0
Tue Jul  5 19:25:58 2011 SIGTERM[hard,] received, process exiting
Tue Jul  5 19:26:00 2011 OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 22 2010
Tue Jul  5 19:26:00 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Jul  5 19:26:00 2011 WARNING: file 'keys/egghead0ltd/admin.key' is group or others accessible
Tue Jul  5 19:26:00 2011 /usr/bin/openssl-vulnkey -q -b 4096 -m <modulus omitted>
WARN: could not open database for 4096 bits. Skipped 
Tue Jul  5 19:26:00 2011 TLS-Auth MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul  5 19:26:00 2011 TUN/TAP device tun0 opened
Tue Jul  5 19:26:00 2011 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Tue Jul  5 19:26:00 2011 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jul  5 19:26:00 2011 GID set to root
Tue Jul  5 19:26:00 2011 UID set to root
Tue Jul  5 19:26:00 2011 UDPv4 link local (bound): [undef]
Tue Jul  5 19:26:00 2011 UDPv4 link remote: [undef]
Tue Jul  5 19:26:00 2011 Initialization Sequence Completed
Tue Jul  5 19:26:07 2011 IPADDRESS:PORT Re-using SSL/TLS context
Tue Jul  5 19:26:07 2011 IPADDRESS:PORT LZO compression initialized
Tue Jul  5 19:26:07 2011 IPADDRESS:PORT Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Jul  5 19:26:07 2011 IPADDRESS:PORT Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Jul  5 19:26:07 2011 IPADDRESS:PORT Local Options hash (VER=V4): 'a8f55717'
Tue Jul  5 19:26:07 2011 IPADDRESS:PORT Expected Remote Options hash (VER=V4): '22188c5b'
Tue Jul  5 19:26:09 2011 IPADDRESS:PORT CRL CHECK OK: /C=UK/ST=UK/L=UK/O=egghead0Ltd/emailAddress=admin@egghead0.co.uk
Tue Jul  5 19:26:09 2011 IPADDRESS:PORT VERIFY OK: depth=1, /C=UK/ST=UK/L=UK/O=egghead0Ltd/emailAddress=admin@egghead0.co.uk
Tue Jul  5 19:26:09 2011 IPADDRESS:PORT CRL CHECK OK: /C=UK/ST=UK/L=UK/O=egghead0Ltd/OU=Office/CN=client/emailAddress=admin@egghead0.co.uk
Tue Jul  5 19:26:09 2011 IPADDRESS:PORT VERIFY OK: depth=0, /C=UK/ST=UK/L=UK/O=egghead0Ltd/OU=Office/CN=client/emailAddress=admin@egghead0.co.uk
Tue Jul  5 19:26:10 2011 IPADDRESS:PORT WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 1539'
Tue Jul  5 19:26:10 2011 IPADDRESS:PORT WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher DES-CFB'
Tue Jul  5 19:26:10 2011 IPADDRESS:PORT WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 64'
Tue Jul  5 19:26:10 2011 IPADDRESS:PORT Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jul  5 19:26:10 2011 IPADDRESS:PORT Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul  5 19:26:10 2011 IPADDRESS:PORT Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jul  5 19:26:10 2011 IPADDRESS:PORT Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul  5 19:26:10 2011 IPADDRESS:PORT Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Tue Jul  5 19:26:10 2011 IPADDRESS:PORT [client] Peer Connection Initiated with [AF_INET]IPADDRESS:PORT
Tue Jul  5 19:30:12 2011 client/IPADDRESS:PORT [client] Inactivity timeout (--ping-restart), restarting

Your thoughts?

Kind Regards,

eggy

[maikcat]

i noticed this:

server

cipher AES-256-CBC

client

cipher DES-CFB

cipher should be same client/server

Michael.

[egghead0]

Hi Michael,

Good point - I have updated it but still no change :S.

Any other thoughts?

Kind Regards,

eggy

[maikcat]

due to the fact i am not openssl expert,

can you tell me how did you created the certificates? (which commands etc).

basically this troubles me

Tue Jul 5 19:26:00 2011 /usr/bin/openssl-vulnkey -q -b 4096 -m <modulus omitted>
WARN: could not open database for 4096 bits. Skipped

Michael.

[egghead0]

I am cheating and using the webmin plugin lol

[maikcat]

you little ...... (homer chokes bart..)

come on ,few steps

edit vars (set to bottom your location etc)
source vars
build-ca
build-key-server server (key for server)
build-dh
build-key client (key for client)

ready!

Michael.

[egghead0]

Might have to dumb it down a lil further for me

can only see example vars on the box:

/usr/share/doc/openvpn/examples/easy-rsa/1.0/vars
/usr/share/doc/openvpn/examples/easy-rsa/2.0/vars

For OpenVPN atleast

Kind Regards,

eggy

[maikcat]

copy all files from /usr/share/doc/openvpn/examples/easy-rsa/2.0/
to /etc/openvpn

chmod 755 /etc/openvpn/*

edit vars and so on..

Michael.