linux-vserver

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Moderators: TinCanTech

Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: linux-vserver

Post by Bebop » Sat Jul 30, 2011 11:48 am

This V-server is really not playing nicely with you at all.

I do suggest that the V-server is causing most of the pain right now. But you can solve it for sure.

The best idea is to follow the guide they offered you: here

it says to do:

Code:

openvpn --mktun --dev tun16
ip link set dev tun16 txqueuelen 100
ifconfig tun16 192.168.16.1 pointopoint 192.168.16.2 mtu 1500
route add -net 192.168.16.0 netmask 255.255.255.0 gw 192.168.16.2
What's interesting is the 'txqueuelen 100' command, because that seems to be precisely the error you are facing: "Cannot set tx queue length".

It's time to ask the provider to look at this problem. These are not normal problems. Also, what are 'guest' and 'server'? Do you have access to both?

Also, if you can login as root, that will be good.
The cure for boredom is curiosity

comeback
OpenVPN User
Posts: 28
Joined: Wed Jul 27, 2011 8:42 am

Re: linux-vserver

Post by comeback » Sat Jul 30, 2011 12:31 pm

I am logged in as root

I wrote a few days ago to alvotech:
Hello,

Are you sure it is not a problem with my VPS?

Every time I log in, it writes:

Access denied (see picture)

Image
He told me that it's normal

I typed the command:

Code:

openvpn --mktun --dev tun16
I still have the error message:

Code:

Sat Jul 30 08:26:52 2011 Note: Cannot ioctl TUNSETIFF tun16: Operation not permitted (errno=1)
Sat Jul 30 08:26:52 2011 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Sat Jul 30 08:26:52 2011 Cannot open TUN/TAP dev /dev/tun16: No such file or directory (errno=2)
Sat Jul 30 08:26:52 2011 Exiting
I typed the command:

Code:

ip link set dev tun16 txqueuelen 100
I still have the error message:

Code:

SIOCSIFXQLEN: Operation not permitted
I typed the command:
ifconfig tun16 192.168.16.1 pointopoint 192.168.16.2 mtu 1500
I still have the error message:

Code:

SIOCSIFADDR: Permission denied
tun16: unknown interface: No such device
SIOCSIFDSTADDR: Permission denied
tun16: unknown interface: No such device
SIOCSIFMTU: Operation not permitted
I typed the command:

Code:

route add -net 192.168.16.0 netmask 255.255.255.0 gw 192.168.16.2
I still have the error message:

Code:

SIOCADDRT: Operation not permitted
SIOCADDRT: Operation not permitted
Do I get errors because I do not have sufficient access?

Is that correct?

thank you

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: linux-vserver

Post by Bebop » Sat Jul 30, 2011 12:36 pm

Can you post a link of this thread to your provider?

My knowledge does not extend far enough to solve this.

I will try to help you again, but I will be offline until later.

If anyone here can help, please feel free to join.

comeback
OpenVPN User
Posts: 28
Joined: Wed Jul 27, 2011 8:42 am

Re: linux-vserver

Post by comeback » Sat Jul 30, 2011 7:49 pm

I wrote an email to alvotech:
Hello,

I tried to install OpenVPN, but I cannot.

So I posted a message on the OpenVPN forum, but that did not work either.

Here is what he wrote to me:

***********************************************************************************************
Can you post a link of this thread to your provider?

My knowledge does not extend far enough to solve this.
************************************************************************************************

The link is:

http://forums.openvpn.net/topic8538-15.html

Can you look, because it seems that there really is a problem.

thank you
I had two responses:

1)
Hello Stéphane,

your VPS has preconfigured TUN devices; you are not able to create your own new devices or change settings of the preconfigured devices with ifconfig, route, changes in /proc and the like - that's totally unsupported with Linux-VServer.org vservers. If you want to use OpenVPN, you have to use the preconfigured TUN devices or it will not work.

Take a look at ifconfig; you can see you already have a tun device (tun1280-76). Use this in your openvpn config and take a look at the example config at http://linux-vserver.org/Frequently_Ask ... a_guest.3F

Kind regards
Alvotech Support-Team
2)
Hello Stéphane,

what we mean with this link is, you only have to grab the config (because the other things are to be done by us on the VPS host system, and this was already done)

*** *** *** ***
# Networking setup
server 192.168.16.0 255.255.255.0
dev tun16
ifconfig-noexec
comp-lzo
# Certificates
dh ...
ca ...
cert ...
key ...
# Management
persist-key
keepalive 10 60
verb 4
*** *** *** ***

you have to edit the lines with server & dev to the values which we assigned to your VPS:

*** *** *** ***
server 10.0.1.33 255.255.255.252
dev tun1280-76
*** *** *** ***

and very important is this config option: ifconfig-noexec
because OpenVPN can't run any ifconfig options inside a Linux-VServer.org based vserver.

Kind regards
Alvotech Support-Team
I did not understand everything.

Does it help to understand the problem?

Do I have to send another mail?

thank you

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: linux-vserver

Post by Bebop » Sat Jul 30, 2011 7:58 pm

Yes that helps very much. Give me a min..

According to the info they gave us, this should work. Make your server.conf look like this, then restart openvpn:

Code:

port 1194
proto udp
dev tun1280-76
10.0.1.33 255.255.255.252
ifconfig-noexec

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem

verb 3
log         /etc/openvpn/openvpn.log

keepalive 10 120
comp-lzo

comeback
OpenVPN User
Posts: 28
Joined: Wed Jul 27, 2011 8:42 am

Re: linux-vserver

Post by comeback » Sat Jul 30, 2011 9:31 pm

I deleted my file server.conf.

Then I put in what is below.

The location is /etc/openvpn/server.conf

Code:

port 1194
proto udp
dev tun1280-76
10.0.1.33 255.255.255.252
ifconfig-noexec

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem

verb 3
log         /etc/openvpn/openvpn.log

keepalive 10 120
comp-lzo
I typed the command:

Code:

/etc/init.d/openvpn restart
or

Code:

su -c ' /etc/init.d/openvpn restart'
I still have the error message:

Code:

Shutting down openvpn:                                     [  OK  ]
Starting openvpn:                                            [FAILED]
Which is weird: I have no openvpn.log file.

I may have to change too much.

Sunday or Monday, I will erase everything and reinstall everything.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: linux-vserver

Post by Bebop » Sat Jul 30, 2011 10:38 pm

Erasing everything might not be necessary, but you will need the log file.

comeback
OpenVPN User
Posts: 28
Joined: Wed Jul 27, 2011 8:42 am

Re: linux-vserver

Post by comeback » Sun Jul 31, 2011 5:49 pm

Hello,

To get the file openvpn.log, I had to put "log /etc/openvpn/openvpn.log" on the first line.

There are still errors:
Options error: Unrecognized option or missing parameter(s) in server.conf:6: 10.0.1.33 (2.1.4)
Use --help for more information.
Do you know what's missing?

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: linux-vserver

Post by Bebop » Sun Jul 31, 2011 10:29 pm

comeback wrote:Hello,

To get the file openvpn.log, I had to put "log /etc/openvpn/openvpn.log" on the first line.

There are still errors:
Options error: Unrecognized option or missing parameter(s) in server.conf:6: 10.0.1.33 (2.1.4)
Use --help for more information.
Do you know what's missing?
Yes, there will be more errors to come. I think we passed the hardest part though.

Line 6 should be:

Code:

server 10.0.1.33 255.255.255.252

comeback
OpenVPN User
Posts: 28
Joined: Wed Jul 27, 2011 8:42 am

Re: linux-vserver

Post by comeback » Mon Aug 01, 2011 9:43 am

Really bad luck, it still does not work.
Options error: --server directive network/netmask combination is invalid
Use --help for more information.
I think we're almost done

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: linux-vserver

Post by Bebop » Mon Aug 01, 2011 10:46 am

Options error: --server directive network/netmask combination is invalid
Use --help for more information.
I personally would have used: server 10.0.1.0 255.255.255.0, but to quote your provider, they said
you have to edit the lines with server & dev to the values which we assigned to your VPS:
server 10.0.1.33 255.255.255.252
dev tun1280-76
I'll see if Mimiko can help you for this part. In the meantime try: server 10.0.1.0 255.255.255.0
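Why the provider's values fail and Bebop's suggestion passes can be checked offline. The script below is an added example, not from the thread or from OpenVPN itself; it assumes only a POSIX sh and applies the same alignment rule (no host bits set in the network address) that produces the "network/netmask combination is invalid" error quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: checks a "server NETWORK NETMASK" pair
# for the mistakes that appeared in this thread, using only POSIX sh arithmetic.

ip2int() (
    # dotted quad -> 32-bit integer; fails (no output) on anything malformed
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

server_directive_check() {
    # $1 = network, $2 = netmask (the two words after "server" in server.conf)
    net=$(ip2int "$1") || { echo "invalid network address: $1"; return 1; }
    mask=$(ip2int "$2") || { echo "invalid netmask: $2"; return 1; }
    inv=$(( ~mask & 0xFFFFFFFF ))            # the host bits of the mask
    # a real netmask is contiguous ones then zeros, so inv+1 must be a power of two
    [ $(( (inv + 1) & inv )) -eq 0 ] || { echo "non-contiguous netmask: $2"; return 1; }
    [ "$inv" -gt 1 ] || { echo "netmask $2 leaves no host addresses"; return 1; }
    if [ $(( net & inv )) -ne 0 ]; then
        # host bits set: this is the case OpenVPN rejects as
        # "--server directive network/netmask combination is invalid"
        echo "host bits set in $1/$2 (aligned network would be $(int2ip $(( net & mask ))))"
        return 1
    fi
    # usable addresses after dropping network and broadcast; with the default
    # net30 topology the server takes the first /30 and each client needs one more
    echo "ok: $1/$2 has $(( inv - 1 )) usable addresses"
}

if [ $# -eq 2 ]; then
    server_directive_check "$1" "$2"
else
    # no arguments: replay the two values tried in the thread
    server_directive_check 10.0.1.33 255.255.255.252
    server_directive_check 10.0.1.0 255.255.255.0
fi
```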

comeback
OpenVPN User
Posts: 28
Joined: Wed Jul 27, 2011 8:42 am

Re: linux-vserver

Post by comeback » Mon Aug 01, 2011 11:30 am

For openvpn, it works:

Code:

/etc/init.d/openvpn restart
-bash-3.2# /etc/init.d/openvpn restart
Shutting down openvpn:                                     [  OK  ]
Starting openvpn:                                          [  OK  ]
If I go on the website:

http://www.ip-adress.com/

It's still my IP address.

It is not the IP address of the VPS.

Why?

Thank you for your help

comeback
OpenVPN User
Posts: 28
Joined: Wed Jul 27, 2011 8:42 am

Re: linux-vserver

Post by comeback » Mon Aug 01, 2011 11:34 am

Maybe this can help you

Code:

Mon Aug 01 13:31:31 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Mon Aug 01 13:31:31 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Aug 01 13:31:31 2011 LZO compression initialized
Mon Aug 01 13:31:31 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Aug 01 13:31:31 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Aug 01 13:31:31 2011 Local Options hash (VER=V4): '41690919'
Mon Aug 01 13:31:31 2011 Expected Remote Options hash (VER=V4): '530fdded'
Mon Aug 01 13:31:31 2011 UDPv4 link local: [undef]
Mon Aug 01 13:31:31 2011 UDPv4 link remote: XXX.X.XX.XXX:1194
Mon Aug 01 13:31:31 2011 TLS: Initial packet from XXX.X.XX.XXX:1194, sid=f946d51a cab774e6
Mon Aug 01 13:31:31 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=XX@XX.com
Mon Aug 01 13:31:31 2011 VERIFY OK: nsCertType=SERVER
Mon Aug 01 13:31:31 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=XX@XX.com
Mon Aug 01 13:31:31 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 01 13:31:31 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 01 13:31:31 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Aug 01 13:31:31 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Aug 01 13:31:31 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Aug 01 13:31:31 2011 [server] Peer Connection Initiated with XXX.X.XX.XXX:1194
Mon Aug 01 13:31:32 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Aug 01 13:31:32 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.0.1.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.1.6 10.0.1.5'
Mon Aug 01 13:31:32 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology (2.0.9)
Mon Aug 01 13:31:32 2011 OPTIONS IMPORT: timers and/or timeouts modified
Mon Aug 01 13:31:32 2011 OPTIONS IMPORT: --ifconfig/up options modified
Mon Aug 01 13:31:32 2011 OPTIONS IMPORT: route options modified
Mon Aug 01 13:31:32 2011 TAP-WIN32 device [Connexion au réseau local 10] opened: \\.\Global\{80C0F286-CF53-4F2C-9B57-A0D701097A6A}.tap
Mon Aug 01 13:31:32 2011 TAP-Win32 Driver Version 8.4 
Mon Aug 01 13:31:32 2011 TAP-Win32 MTU=1500
Mon Aug 01 13:31:32 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.1.6/255.255.255.252 on interface {80C0F286-CF53-4F2C-9B57-A0D701097A6A} [DHCP-serv: 10.0.1.5, lease-time: 31536000]
Mon Aug 01 13:31:32 2011 NOTE: FlushIpNetTable failed on interface [43] {80C0F286-CF53-4F2C-9B57-A0D701097A6A} (status=5) : Accès refusé.  
Mon Aug 01 13:31:33 2011 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Mon Aug 01 13:31:33 2011 Route: Waiting for TUN/TAP interface to come up...
Mon Aug 01 13:31:34 2011 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
Mon Aug 01 13:31:34 2011 route ADD 10.0.1.1 MASK 255.255.255.255 10.0.1.5
Mon Aug 01 13:31:34 2011 ROUTE: route addition failed using CreateIpForwardEntry: Un ou plusieurs arguments sont incorrects.   [if_index=43]
Mon Aug 01 13:31:34 2011 Route addition via IPAPI failed
Mon Aug 01 13:31:34 2011 Initialization Sequence Completed

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: linux-vserver

Post by Bebop » Mon Aug 01, 2011 11:59 am

comeback wrote: It's still my IP address.
It is not the IP address of the VPS.
Ok, it's good that you got it working.

Now that it works, post again a fresh copy of your server.conf, client config, and iptables.

You're basically almost there.

comeback
OpenVPN User
Posts: 28
Joined: Wed Jul 27, 2011 8:42 am

Re: linux-vserver

Post by comeback » Mon Aug 01, 2011 1:18 pm

With the VPS, I do not have iptables, but I received two mails:
ip_forward is enabled by default (you can check the default value with "cat /proc/sys/net/ipv4/ip_forward").

Kind regards
Alvotech Support-Team
Hello,

our firewall is similar to the IPTables features and so the interface should be familiar. Comparing the two, you'll encounter one difference: each rule is processed according to "first match", meaning that once a rule is found where conditions are met, no further rules are examined to override the first matching rule.

To filter incoming requests, please enter an IP address as the source, a network (e.g. 1.2.3.4/24) or the entire Internet (the value 0 / 0 or 0.0.0.0 / 0) and as the target your VPS IP. You can refine your rule by specifying a protocol and / or a port.

Outgoing requests are filtered in the same way as incoming requests. In this case the source is your VPS IP and the target is a specific IP, a network or the entire web.

To sort the rules, you can assign rule numbers. Rules are evaluated in order of the rule number, for easy reordering. We recommend that your initial setup increment rule numbers by 10: 10, 20, 30, 40 and so on, so you can later easily add rules in the middle, for example adding a rule 11 to go between rule 10 and 20.

The options you can use to filter:

Protocol: tcp, udp, icmp
Port: numeric value (0 = all ports / wildcard)
Action: all available actions are drop, reject and accept
Rule number: numerical value for sorting the rules (e.g.: 20)

Kind regards
Alvotech Support-Team

server.conf:

Code:

log /etc/openvpn/openvpn.log



port 1194
proto udp

dev tun1280-76
server 10.0.1.0 255.255.255.0


ifconfig-noexec

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem

verb 3


keepalive 10 120
comp-lzo
client1.conf:

client
dev tun
proto udp
remote XXX.X.XXX.XXX 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
thanks

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: linux-vserver

Post by Bebop » Mon Aug 01, 2011 9:57 pm

I forgot that you have no iptables. Not to worry.

add this to server.conf:

Code:

push "redirect-gateway def1"
After this, *maybe* one more step: masquerade or SNAT.

comeback
OpenVPN User
Posts: 28
Joined: Wed Jul 27, 2011 8:42 am

Re: linux-vserver

Post by comeback » Tue Aug 02, 2011 12:31 pm

I added the line, but it's still my IP address I see.

Thank you for your help.

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: linux-vserver

Post by Bebop » Tue Aug 02, 2011 12:39 pm

comeback wrote: I added the line, but it's still my IP address I see.
Ok. I'm pretty sure the next step is the final step.

You need to add an SNAT command in the firewall, so all the packets you send are changed to show the source address as being your VPN server.

comeback
OpenVPN User
Posts: 28
Joined: Wed Jul 27, 2011 8:42 am

Re: linux-vserver

Post by comeback » Tue Aug 02, 2011 2:39 pm

Hello,

The problem is that I do not have "SNAT".

How can I do it?

thank you
comeback wrote: Hello,

I disabled the firewall, and still have the same problem.

I wrote to alvotech, here are their answers:
Hello,

our firewall is similar to the IPTables features and so the interface should be familiar. Comparing the two, you'll encounter one difference: each rule is processed according to "first match", meaning that once a rule is found where conditions are met, no further rules are examined to override the first matching rule.

To filter incoming requests, please enter an IP address as the source, a network (e.g. 1.2.3.4/24) or the entire Internet (the value 0 / 0 or 0.0.0.0 / 0) and as the target your VPS IP. You can refine your rule by specifying a protocol and / or a port.

Outgoing requests are filtered in the same way as incoming requests. In this case the source is your VPS IP and the target is a specific IP, a network or the entire web.

To sort the rules, you can assign rule numbers. Rules are evaluated in order of the rule number, for easy reordering. We recommend that your initial setup increment rule numbers by 10: 10, 20, 30, 40 and so on, so you can later easily add rules in the middle, for example adding a rule 11 to go between rule 10 and 20.

The options you can use to filter:

Protocol: tcp, udp, icmp
Port: numeric value (0 = all ports / wildcard)
Action: all available actions are drop, reject and accept
Rule number: numerical value for sorting the rules (e.g.: 20)

Kind regards
Alvotech Support-Team
So I configured the firewall as shown in the image:

Image

But I still have the same error message.

The files server.conf and client1.conf are in the directory /root.

server.conf:

Code:

push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
client1.conf:

Code:

client
dev tun
proto udp
remote XXX.X.XXX.XX 1194   # I replaced my IP with XXX.X.XXX.XX
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3

Bebop
Forum Team
Posts: 301
Joined: Wed Dec 15, 2010 9:24 pm

Re: linux-vserver

Post by Bebop » Tue Aug 02, 2011 10:21 pm

There's a full guide to iptables stuff: here

I think for yours, we should forget about the non-essential items.

So, using that firewall interface you have, these are the functions that need to be implemented -- order is important too.
  • make a script file, eg: my_firewall.sh
  • iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  • iptables -A FORWARD -s 10.0.1.0/24 -j ACCEPT #10.0.1.0 ? Check your OpenVPN server.conf to be sure
  • iptables -A FORWARD -j REJECT
  • iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 100.200.255.256 #Use your OpenVPN server's real external IP here
The best idea is to consult with the host provider again, because I don't know how to convert the iptables format into the custom firewall of yours.
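For anyone on a plain iptables host rather than the provider's custom firewall, the list above as a script. This is an added example, not from the thread; VPN_NET, WAN_IF and EXT_IP are assumptions (the external address is a documentation-range placeholder), and the SNAT rule is narrowed to the VPN subnet, which is all the redirect-gateway setup needs.

```shell
#!/bin/sh
# Added example, not from the thread: the forwarding and SNAT rules Bebop listed,
# printed as a dry run by default and applied only with --apply. VPN_NET, WAN_IF
# and EXT_IP are assumptions; EXT_IP is a TEST-NET placeholder, not a real host.
VPN_NET="${VPN_NET:-10.0.1.0/24}"   # must match "server 10.0.1.0 255.255.255.0"
WAN_IF="${WAN_IF:-venet0}"           # the interface that carries the VPS public IP
EXT_IP="${EXT_IP:-192.0.2.10}"       # replace with the VPS public IP

valid_ipv4() {
    # four octets, each 0..255; rejects typos such as 100.200.255.256
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

build_rules() {
    # one rule per line, in the order Bebop gave: established flows, then the
    # VPN subnet, then reject everything else; SNAT is limited to VPN sources so
    # the VPS never masquerades traffic it was not meant to forward
    valid_ipv4 "$EXT_IP" || { echo "EXT_IP '$EXT_IP' is not a valid IPv4 address" >&2; return 1; }
    cat <<EOF
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $VPN_NET -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j SNAT --to-source $EXT_IP
EOF
}

forwarding_enabled() {
    # the provider said this is on by default; redirect-gateway is useless without it
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

case "${1:-}" in
    --apply)
        forwarding_enabled || { echo "net.ipv4.ip_forward is not 1" >&2; exit 1; }
        build_rules | sh -e ;;          # stops at the first rule iptables refuses
    *)
        build_rules ;;                  # dry run: print what would be applied
esac
```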
