Raspberry pi + UMTS(3g) as OpenVPN Client not working
Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech
-
- OpenVpn Newbie
- Posts: 13
- Joined: Wed Jun 15, 2016 6:26 pm
Raspberry pi + UMTS(3g) as OpenVPN Client not working
Hi all,
total newbie to networking and OpenVPN .
I've successfully set up a OpenVPN server (were all my internet traffic goes through the vpn server) on a Google VM and can connect to it from my raspberry pi with WIFI. Pinging the server (10.8.0.1) and some random website (google.com) works all well.
Next, i've bought a 3g (UMTS) dongle and got it working with the PI (wvdial & ppp). I have pinged google and all works well.
Though when i connect to my OpenVPN server everything stops working. Can't ping my server (10.8.0.1) or any website.
I'm unsure what i'm doing wrong and would greatly appreciate some guidance
total newbie to networking and OpenVPN .
I've successfully set up a OpenVPN server (were all my internet traffic goes through the vpn server) on a Google VM and can connect to it from my raspberry pi with WIFI. Pinging the server (10.8.0.1) and some random website (google.com) works all well.
Next, i've bought a 3g (UMTS) dongle and got it working with the PI (wvdial & ppp). I have pinged google and all works well.
Though when i connect to my OpenVPN server everything stops working. Can't ping my server (10.8.0.1) or any website.
I'm unsure what i'm doing wrong and would greatly appreciate some guidance
-
- OpenVpn Newbie
- Posts: 13
- Joined: Wed Jun 15, 2016 6:26 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
This is the output when i connect
and this the output from ifconfig
Code: Select all
Mon Jun 13 14:43:58 2016 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Mon Jun 13 14:43:58 2016 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Mon Jun 13 14:43:58 2016 Socket Buffers: R=[87380->131072] S=[16384->131072]
Mon Jun 13 14:43:58 2016 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Jun 13 14:43:58 2016 Attempting to establish TCP connection with [AF_INET]130.211.70.62:25 [nonblock]
Mon Jun 13 14:43:59 2016 TCP connection established with [AF_INET]130.211.70.62:25
Mon Jun 13 14:43:59 2016 TCPv4_CLIENT link local: [undef]
Mon Jun 13 14:43:59 2016 TCPv4_CLIENT link remote: [AF_INET]130.211.70.62:25
Mon Jun 13 14:43:59 2016 TLS: Initial packet from [AF_INET]130.211.70.62:25, sid=f63697da 93601815
Mon Jun 13 14:44:01 2016 VERIFY OK: depth=1, C=DE, ST=NRW, L=Kamp-Lintfort, O=HSRW, OU=Test, CN=HSRW CA, name=Server, emailAddress=moritzpruem@gmail.com
Mon Jun 13 14:44:01 2016 VERIFY OK: nsCertType=SERVER
Mon Jun 13 14:44:01 2016 VERIFY OK: depth=0, C=DE, ST=NRW, L=Kamp-Lintfort, O=HSRW, OU=Test, CN=server, name=Server, emailAddress=moritzpruem@gmail.com
Mon Jun 13 14:44:03 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jun 13 14:44:03 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 13 14:44:03 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jun 13 14:44:03 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jun 13 14:44:03 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Jun 13 14:44:03 2016 [server] Peer Connection Initiated with [AF_INET]130.211.70.62:25
Mon Jun 13 14:44:06 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Jun 13 14:44:07 2016 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Mon Jun 13 14:44:07 2016 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jun 13 14:44:07 2016 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jun 13 14:44:07 2016 OPTIONS IMPORT: route options modified
Mon Jun 13 14:44:07 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jun 13 14:44:07 2016 ROUTE_GATEWAY ON_LINK IFACE=ppp0 HWADDR=00:00:00:00:00:00
Mon Jun 13 14:44:07 2016 TUN/TAP device tun0 opened
Mon Jun 13 14:44:07 2016 TUN/TAP TX queue length set to 100
Mon Jun 13 14:44:07 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jun 13 14:44:07 2016 /sbin/ip link set dev tun0 up mtu 1500
Mon Jun 13 14:44:07 2016 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Mon Jun 13 14:44:07 2016 /sbin/ip route add 130.211.70.62/32 via 0.0.0.0
RTNETLINK answers: No such device
Mon Jun 13 14:44:07 2016 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Jun 13 14:44:07 2016 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Mon Jun 13 14:44:07 2016 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Mon Jun 13 14:44:07 2016 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Mon Jun 13 14:44:07 2016 GID set to nogroup
Mon Jun 13 14:44:07 2016 UID set to nobody
Mon Jun 13 14:44:07 2016 Initialization Sequence Completed
Code: Select all
eth0 Link encap:Ethernet HWaddr b8:27:eb:37:9b:d8
inet6 addr: fe80::1ee1:8406:f2e6:f59d/64 Scope:Link
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:662 errors:0 dropped:0 overruns:0 frame:0
TX packets:662 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:62676 (61.2 KiB) TX bytes:62676 (61.2 KiB)
ppp0 Link encap:Point-to-Point Protocol
inet addr:100.70.106.197 P-t-P:10.64.64.64 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:747 errors:0 dropped:0 overruns:0 frame:0
TX packets:697 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:98787 (96.4 KiB) TX bytes:84289 (82.3 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:2015 (1.9 KiB)
wwan0 Link encap:Ethernet HWaddr 02:50:f3:00:00:00
inet addr:169.254.12.135 Bcast:169.254.255.255 Mask:255.255.0.0
inet6 addr: fe80::edd:24ae:b709:88d8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:22254 (21.7 KiB)
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
Link to this thread:
viewtopic.php?f=4&t=21844
The problem looks the same .. there is a temporary solution at the end of that thread.
viewtopic.php?f=4&t=21844
The problem looks the same .. there is a temporary solution at the end of that thread.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Wed Jun 15, 2016 6:26 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
I've tried the solution with the up and down scripts but unfortunately still unable to ping google
Also a mistake in my first post, with 3g i am able to ping my server(10.8.0.1) but no other website/internet
Also a mistake in my first post, with 3g i am able to ping my server(10.8.0.1) but no other website/internet
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 13
- Joined: Wed Jun 15, 2016 6:26 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
Sorry my bad pinging the server doesnt work with 3g (without the scripts).
I had already configured the server to route all client traffic (including web traffic).
Here is what works and doesn't:
Raspberry pi as client on WIFI:
- can ping the server (10.8.0.1)
- all internet traffic is routed through the OpenVPN server
Raspberry pi + 3g without the up and down scripts:
- cant ping 10.8.0.1
- internet traffic not routed
- OpenVPN disconnects after a few minutes and tries to reconnect without success
Raspberry pi + 3g + up/down scripts
- pinging 10.8.0.1 works
- But internet traffic is still not routed
I had already configured the server to route all client traffic (including web traffic).
Here is what works and doesn't:
Raspberry pi as client on WIFI:
- can ping the server (10.8.0.1)
- all internet traffic is routed through the OpenVPN server
Raspberry pi + 3g without the up and down scripts:
- cant ping 10.8.0.1
- internet traffic not routed
- OpenVPN disconnects after a few minutes and tries to reconnect without success
Raspberry pi + 3g + up/down scripts
- pinging 10.8.0.1 works
- But internet traffic is still not routed
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
Please set --verb 4 in both your configs and then post your configs and logs (remove private data)darellon wrote:Raspberry pi + 3g + up/down scripts
- pinging 10.8.0.1 works
- But internet traffic is still not routed
-
- OpenVpn Newbie
- Posts: 13
- Joined: Wed Jun 15, 2016 6:26 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
Thanks for taking the time TinCanTech!
Client config file:
Client output upon connection:
Client config file:
Code: Select all
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote xxx.xxx.xx.xx 25
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert client1.crt
key client1.key
# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 4
# Silence repeating messages
;mute 20
up /etc/openvpn/backup/up.sh
down /etc/openvpn/backup/down.sh
Code: Select all
Sat Jun 18 12:34:12 2016 us=976861 Current Parameter Settings:
Sat Jun 18 12:34:12 2016 us=977188 config = 'client.ovpn'
Sat Jun 18 12:34:12 2016 us=977266 mode = 0
Sat Jun 18 12:34:12 2016 us=977331 persist_config = DISABLED
Sat Jun 18 12:34:12 2016 us=977395 persist_mode = 1
Sat Jun 18 12:34:12 2016 us=977452 show_ciphers = DISABLED
Sat Jun 18 12:34:12 2016 us=977508 show_digests = DISABLED
Sat Jun 18 12:34:12 2016 us=977559 show_engines = DISABLED
Sat Jun 18 12:34:12 2016 us=977611 genkey = DISABLED
Sat Jun 18 12:34:12 2016 us=977663 key_pass_file = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=977715 show_tls_ciphers = DISABLED
Sat Jun 18 12:34:12 2016 us=977769 Connection profiles [default]:
Sat Jun 18 12:34:12 2016 us=977823 proto = tcp-client
Sat Jun 18 12:34:12 2016 us=977936 local = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=978006 local_port = 0
Sat Jun 18 12:34:12 2016 us=978060 remote = 'xxx.xxx.xx.xx'
Sat Jun 18 12:34:12 2016 us=978111 remote_port = 25
Sat Jun 18 12:34:12 2016 us=978162 remote_float = DISABLED
Sat Jun 18 12:34:12 2016 us=978214 bind_defined = DISABLED
Sat Jun 18 12:34:12 2016 us=978265 bind_local = DISABLED
Sat Jun 18 12:34:12 2016 us=978316 connect_retry_seconds = 5
Sat Jun 18 12:34:12 2016 us=978368 connect_timeout = 10
Sat Jun 18 12:34:12 2016 us=978419 connect_retry_max = 0
Sat Jun 18 12:34:12 2016 us=978469 socks_proxy_server = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=978522 socks_proxy_port = 0
Sat Jun 18 12:34:12 2016 us=978573 socks_proxy_retry = DISABLED
Sat Jun 18 12:34:12 2016 us=978626 tun_mtu = 1500
Sat Jun 18 12:34:12 2016 us=978677 tun_mtu_defined = ENABLED
Sat Jun 18 12:34:12 2016 us=978729 link_mtu = 1500
Sat Jun 18 12:34:12 2016 us=978781 link_mtu_defined = DISABLED
Sat Jun 18 12:34:12 2016 us=978832 tun_mtu_extra = 0
Sat Jun 18 12:34:12 2016 us=978884 tun_mtu_extra_defined = DISABLED
Sat Jun 18 12:34:12 2016 us=978935 mtu_discover_type = -1
Sat Jun 18 12:34:12 2016 us=978985 fragment = 0
Sat Jun 18 12:34:12 2016 us=979036 mssfix = 1450
Sat Jun 18 12:34:12 2016 us=979087 explicit_exit_notification = 0
Sat Jun 18 12:34:12 2016 us=979140 Connection profiles END
Sat Jun 18 12:34:12 2016 us=979192 remote_random = DISABLED
Sat Jun 18 12:34:12 2016 us=979243 ipchange = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=979296 dev = 'tun'
Sat Jun 18 12:34:12 2016 us=979346 dev_type = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=979400 dev_node = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=979450 lladdr = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=979502 topology = 1
Sat Jun 18 12:34:12 2016 us=979552 tun_ipv6 = DISABLED
Sat Jun 18 12:34:12 2016 us=979603 ifconfig_local = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=979656 ifconfig_remote_netmask = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=979708 ifconfig_noexec = DISABLED
Sat Jun 18 12:34:12 2016 us=979760 ifconfig_nowarn = DISABLED
Sat Jun 18 12:34:12 2016 us=979812 ifconfig_ipv6_local = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=979864 ifconfig_ipv6_netbits = 0
Sat Jun 18 12:34:12 2016 us=979916 ifconfig_ipv6_remote = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=979969 shaper = 0
Sat Jun 18 12:34:12 2016 us=980020 mtu_test = 0
Sat Jun 18 12:34:12 2016 us=980070 mlock = DISABLED
Sat Jun 18 12:34:12 2016 us=980122 keepalive_ping = 0
Sat Jun 18 12:34:12 2016 us=980172 keepalive_timeout = 0
Sat Jun 18 12:34:12 2016 us=980223 inactivity_timeout = 0
Sat Jun 18 12:34:12 2016 us=980275 ping_send_timeout = 0
Sat Jun 18 12:34:12 2016 us=980325 ping_rec_timeout = 0
Sat Jun 18 12:34:12 2016 us=980376 ping_rec_timeout_action = 0
Sat Jun 18 12:34:12 2016 us=980427 ping_timer_remote = DISABLED
Sat Jun 18 12:34:12 2016 us=980480 remap_sigusr1 = 0
Sat Jun 18 12:34:12 2016 us=980531 persist_tun = ENABLED
Sat Jun 18 12:34:12 2016 us=980582 persist_local_ip = DISABLED
Sat Jun 18 12:34:12 2016 us=980635 persist_remote_ip = DISABLED
Sat Jun 18 12:34:12 2016 us=980686 persist_key = ENABLED
Sat Jun 18 12:34:12 2016 us=980737 passtos = DISABLED
Sat Jun 18 12:34:12 2016 us=980789 resolve_retry_seconds = 1000000000
Sat Jun 18 12:34:12 2016 us=980840 username = 'nobody'
Sat Jun 18 12:34:12 2016 us=980894 groupname = 'nogroup'
Sat Jun 18 12:34:12 2016 us=980949 chroot_dir = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=981000 cd_dir = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=981051 writepid = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=981102 up_script = '/etc/openvpn/backup/up.sh'
Sat Jun 18 12:34:12 2016 us=981156 down_script = '/etc/openvpn/backup/down.sh'
Sat Jun 18 12:34:12 2016 us=981209 down_pre = DISABLED
Sat Jun 18 12:34:12 2016 us=981261 up_restart = DISABLED
Sat Jun 18 12:34:12 2016 us=981311 up_delay = DISABLED
Sat Jun 18 12:34:12 2016 us=981360 daemon = DISABLED
Sat Jun 18 12:34:12 2016 us=981414 inetd = 0
Sat Jun 18 12:34:12 2016 us=981464 log = DISABLED
Sat Jun 18 12:34:12 2016 us=981515 suppress_timestamps = DISABLED
Sat Jun 18 12:34:12 2016 us=981566 nice = 0
Sat Jun 18 12:34:12 2016 us=981616 verbosity = 4
Sat Jun 18 12:34:12 2016 us=981667 mute = 0
Sat Jun 18 12:34:12 2016 us=981717 gremlin = 0
Sat Jun 18 12:34:12 2016 us=981768 status_file = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=981818 status_file_version = 1
Sat Jun 18 12:34:12 2016 us=981869 status_file_update_freq = 60
Sat Jun 18 12:34:12 2016 us=981920 occ = ENABLED
Sat Jun 18 12:34:12 2016 us=981970 rcvbuf = 65536
Sat Jun 18 12:34:12 2016 us=982022 sndbuf = 65536
Sat Jun 18 12:34:12 2016 us=982072 mark = 0
Sat Jun 18 12:34:12 2016 us=982122 sockflags = 0
Sat Jun 18 12:34:12 2016 us=982172 fast_io = DISABLED
Sat Jun 18 12:34:12 2016 us=982222 lzo = 7
Sat Jun 18 12:34:12 2016 us=982273 route_script = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=982327 route_default_gateway = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=982382 route_default_metric = 0
Sat Jun 18 12:34:12 2016 us=982438 route_noexec = DISABLED
Sat Jun 18 12:34:12 2016 us=982490 route_delay = 0
Sat Jun 18 12:34:12 2016 us=982544 route_delay_window = 30
Sat Jun 18 12:34:12 2016 us=982595 route_delay_defined = DISABLED
Sat Jun 18 12:34:12 2016 us=982648 route_nopull = DISABLED
Sat Jun 18 12:34:12 2016 us=982698 route_gateway_via_dhcp = DISABLED
Sat Jun 18 12:34:12 2016 us=982751 max_routes = 100
Sat Jun 18 12:34:12 2016 us=982803 allow_pull_fqdn = DISABLED
Sat Jun 18 12:34:12 2016 us=982856 management_addr = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=982908 management_port = 0
Sat Jun 18 12:34:12 2016 us=982958 management_user_pass = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=983011 management_log_history_cache = 250
Sat Jun 18 12:34:12 2016 us=983063 management_echo_buffer_size = 100
Sat Jun 18 12:34:12 2016 us=983115 management_write_peer_info_file = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=983169 management_client_user = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=983222 management_client_group = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=983275 management_flags = 0
Sat Jun 18 12:34:12 2016 us=983326 shared_secret_file = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=983382 key_direction = 0
Sat Jun 18 12:34:12 2016 us=983434 ciphername_defined = ENABLED
Sat Jun 18 12:34:12 2016 us=983485 ciphername = 'BF-CBC'
Sat Jun 18 12:34:12 2016 us=983537 authname_defined = ENABLED
Sat Jun 18 12:34:12 2016 us=983588 authname = 'SHA1'
Sat Jun 18 12:34:12 2016 us=983640 prng_hash = 'SHA1'
Sat Jun 18 12:34:12 2016 us=983692 prng_nonce_secret_len = 16
Sat Jun 18 12:34:12 2016 us=983744 keysize = 0
Sat Jun 18 12:34:12 2016 us=983795 engine = DISABLED
Sat Jun 18 12:34:12 2016 us=983846 replay = ENABLED
Sat Jun 18 12:34:12 2016 us=983899 mute_replay_warnings = DISABLED
Sat Jun 18 12:34:12 2016 us=983951 replay_window = 64
Sat Jun 18 12:34:12 2016 us=984003 replay_time = 15
Sat Jun 18 12:34:12 2016 us=984054 packet_id_file = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=984105 use_iv = ENABLED
Sat Jun 18 12:34:12 2016 us=984157 test_crypto = DISABLED
Sat Jun 18 12:34:12 2016 us=984207 tls_server = DISABLED
Sat Jun 18 12:34:12 2016 us=984260 tls_client = ENABLED
Sat Jun 18 12:34:12 2016 us=984314 key_method = 2
Sat Jun 18 12:34:12 2016 us=984365 ca_file = 'ca.crt'
Sat Jun 18 12:34:12 2016 us=984421 ca_path = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=984471 dh_file = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=984524 cert_file = 'client1.crt'
Sat Jun 18 12:34:12 2016 us=984575 priv_key_file = 'client1.key'
Sat Jun 18 12:34:12 2016 us=984627 pkcs12_file = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=984678 cipher_list = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=984729 tls_verify = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=984781 tls_export_cert = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=984832 verify_x509_type = 0
Sat Jun 18 12:34:12 2016 us=984884 verify_x509_name = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=984936 crl_file = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=984986 ns_cert_type = 1
Sat Jun 18 12:34:12 2016 us=985038 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985089 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985142 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985193 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985245 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985296 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985347 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985400 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985450 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985501 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985552 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985603 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985656 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985707 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985759 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985809 remote_cert_ku[i] = 0
Sat Jun 18 12:34:12 2016 us=985861 remote_cert_eku = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=985914 ssl_flags = 0
Sat Jun 18 12:34:12 2016 us=985964 tls_timeout = 2
Sat Jun 18 12:34:12 2016 us=986017 renegotiate_bytes = 0
Sat Jun 18 12:34:12 2016 us=986069 renegotiate_packets = 0
Sat Jun 18 12:34:12 2016 us=986121 renegotiate_seconds = 3600
Sat Jun 18 12:34:12 2016 us=986173 handshake_window = 60
Sat Jun 18 12:34:12 2016 us=986223 transition_window = 3600
Sat Jun 18 12:34:12 2016 us=986274 single_session = DISABLED
Sat Jun 18 12:34:12 2016 us=986325 push_peer_info = DISABLED
Sat Jun 18 12:34:12 2016 us=986376 tls_exit = DISABLED
Sat Jun 18 12:34:12 2016 us=986426 tls_auth_file = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=986478 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=986532 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=986585 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=986638 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=986690 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=986743 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=986797 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=986849 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=986903 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=986955 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=987008 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=987061 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=987113 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=987167 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=987219 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=987273 pkcs11_protected_authentication = DISABLED
Sat Jun 18 12:34:12 2016 us=987328 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=987384 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=987437 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=987490 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=987544 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=987596 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=987650 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=987702 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=987756 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=987808 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=987957 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=988030 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=988088 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=988144 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=988198 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=988252 pkcs11_private_mode = 00000000
Sat Jun 18 12:34:12 2016 us=988310 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=988362 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=988419 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=988471 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=988526 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=988580 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=988634 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=988688 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=988741 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=988796 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=988852 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=988908 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=988963 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=989017 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=989072 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=989129 pkcs11_cert_private = DISABLED
Sat Jun 18 12:34:12 2016 us=989184 pkcs11_pin_cache_period = -1
Sat Jun 18 12:34:12 2016 us=989238 pkcs11_id = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=989292 pkcs11_id_management = DISABLED
Sat Jun 18 12:34:12 2016 us=989411 server_network = 0.0.0.0
Sat Jun 18 12:34:12 2016 us=989480 server_netmask = 0.0.0.0
Sat Jun 18 12:34:12 2016 us=989605 server_network_ipv6 = ::
Sat Jun 18 12:34:12 2016 us=989672 server_netbits_ipv6 = 0
Sat Jun 18 12:34:12 2016 us=989752 server_bridge_ip = 0.0.0.0
Sat Jun 18 12:34:12 2016 us=989817 server_bridge_netmask = 0.0.0.0
Sat Jun 18 12:34:12 2016 us=989878 server_bridge_pool_start = 0.0.0.0
Sat Jun 18 12:34:12 2016 us=989939 server_bridge_pool_end = 0.0.0.0
Sat Jun 18 12:34:12 2016 us=989993 ifconfig_pool_defined = DISABLED
Sat Jun 18 12:34:12 2016 us=990054 ifconfig_pool_start = 0.0.0.0
Sat Jun 18 12:34:12 2016 us=990112 ifconfig_pool_end = 0.0.0.0
Sat Jun 18 12:34:12 2016 us=990172 ifconfig_pool_netmask = 0.0.0.0
Sat Jun 18 12:34:12 2016 us=990224 ifconfig_pool_persist_filename = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=990280 ifconfig_pool_persist_refresh_freq = 600
Sat Jun 18 12:34:12 2016 us=990336 ifconfig_ipv6_pool_defined = DISABLED
Sat Jun 18 12:34:12 2016 us=990401 ifconfig_ipv6_pool_base = ::
Sat Jun 18 12:34:12 2016 us=990454 ifconfig_ipv6_pool_netbits = 0
Sat Jun 18 12:34:12 2016 us=990508 n_bcast_buf = 256
Sat Jun 18 12:34:12 2016 us=990561 tcp_queue_limit = 64
Sat Jun 18 12:34:12 2016 us=990613 real_hash_size = 256
Sat Jun 18 12:34:12 2016 us=990664 virtual_hash_size = 256
Sat Jun 18 12:34:12 2016 us=990717 client_connect_script = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=990770 learn_address_script = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=990823 client_disconnect_script = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=990877 client_config_dir = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=990928 ccd_exclusive = DISABLED
Sat Jun 18 12:34:12 2016 us=990979 tmp_dir = '/tmp'
Sat Jun 18 12:34:12 2016 us=991031 push_ifconfig_defined = DISABLED
Sat Jun 18 12:34:12 2016 us=991091 push_ifconfig_local = 0.0.0.0
Sat Jun 18 12:34:12 2016 us=991150 push_ifconfig_remote_netmask = 0.0.0.0
Sat Jun 18 12:34:12 2016 us=991204 push_ifconfig_ipv6_defined = DISABLED
Sat Jun 18 12:34:12 2016 us=991263 push_ifconfig_ipv6_local = ::/0
Sat Jun 18 12:34:12 2016 us=991320 push_ifconfig_ipv6_remote = ::
Sat Jun 18 12:34:12 2016 us=991375 enable_c2c = DISABLED
Sat Jun 18 12:34:12 2016 us=991429 duplicate_cn = DISABLED
Sat Jun 18 12:34:12 2016 us=991480 cf_max = 0
Sat Jun 18 12:34:12 2016 us=991532 cf_per = 0
Sat Jun 18 12:34:12 2016 us=991582 max_clients = 1024
Sat Jun 18 12:34:12 2016 us=991634 max_routes_per_client = 256
Sat Jun 18 12:34:12 2016 us=991687 auth_user_pass_verify_script = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=991741 auth_user_pass_verify_script_via_file = DISABLED
Sat Jun 18 12:34:12 2016 us=991795 port_share_host = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=991847 port_share_port = 0
Sat Jun 18 12:34:12 2016 us=991899 client = ENABLED
Sat Jun 18 12:34:12 2016 us=991950 pull = ENABLED
Sat Jun 18 12:34:12 2016 us=992003 auth_user_pass_file = '[UNDEF]'
Sat Jun 18 12:34:12 2016 us=992063 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Sat Jun 18 12:34:12 2016 us=992147 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Sat Jun 18 12:34:12 2016 us=992753 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jun 18 12:34:12 2016 us=997057 LZO compression initialized
Sat Jun 18 12:34:12 2016 us=997507 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Jun 18 12:34:12 2016 us=997723 Socket Buffers: R=[87380->131072] S=[16384->131072]
Sat Jun 18 12:34:12 2016 us=997837 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Jun 18 12:34:12 2016 us=998022 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Jun 18 12:34:12 2016 us=998092 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Jun 18 12:34:12 2016 us=998235 Local Options hash (VER=V4): '69109d17'
Sat Jun 18 12:34:12 2016 us=998339 Expected Remote Options hash (VER=V4): 'c0103fa8'
Sat Jun 18 12:34:13 2016 us=821 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Jun 18 12:34:13 2016 us=1001 Attempting to establish TCP connection with [AF_INET] xxx.xxx.xx.xx:25 [nonblock]
Sat Jun 18 12:34:14 2016 us=1542 TCP connection established with [AF_INET]xxx.xxx.xx.xx:25
Sat Jun 18 12:34:14 2016 us=1697 TCPv4_CLIENT link local: [undef]
Sat Jun 18 12:34:14 2016 us=1775 TCPv4_CLIENT link remote: [AF_INET]xxx.xxx.xx.xx:25
Sat Jun 18 12:34:14 2016 us=64219 TLS: Initial packet from [AF_INET]xxx.xxx.xx.xx:25, sid=5552e54a a8d113df
Sat Jun 18 12:34:15 2016 us=117750 VERIFY OK: depth=1, C=DE, ST=NRW, L=KALI, O=RW, OU=Test, CN=RW CA, name=Server, emailAddress=blablabla@ddd.com
Sat Jun 18 12:34:15 2016 us=120632 VERIFY OK: nsCertType=SERVER
Sat Jun 18 12:34:15 2016 us=120723 VERIFY OK: depth=0, C=DE, ST=NRW, L=KALI, O=RW, OU=Test, CN=server, name=Server, emailAddress=blablabla@ddd.com
Sat Jun 18 12:34:17 2016 us=205304 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jun 18 12:34:17 2016 us=205473 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 18 12:34:17 2016 us=205749 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jun 18 12:34:17 2016 us=205834 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jun 18 12:34:17 2016 us=206132 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Jun 18 12:34:17 2016 us=206286 [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xx.xx:25
Sat Jun 18 12:34:19 2016 us=324969 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Jun 18 12:34:21 2016 us=150520 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Sat Jun 18 12:34:21 2016 us=150998 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jun 18 12:34:21 2016 us=151086 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jun 18 12:34:21 2016 us=151142 OPTIONS IMPORT: route options modified
Sat Jun 18 12:34:21 2016 us=151194 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jun 18 12:34:21 2016 us=151899 ROUTE_GATEWAY ON_LINK IFACE=ppp0 HWADDR=00:00:00:00:00:00
Sat Jun 18 12:34:21 2016 us=153495 TUN/TAP device tun0 opened
Sat Jun 18 12:34:21 2016 us=153702 TUN/TAP TX queue length set to 100
Sat Jun 18 12:34:21 2016 us=153905 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Jun 18 12:34:21 2016 us=154133 /sbin/ip link set dev tun0 up mtu 1500
Sat Jun 18 12:34:21 2016 us=161716 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Sat Jun 18 12:34:21 2016 us=178409 /etc/openvpn/backup/up.sh tun0 1500 1544 10.8.0.6 10.8.0.5 init
Sat Jun 18 12:34:21 2016 us=227331 /sbin/ip route add 130.211.70.62/32 via 0.0.0.0
RTNETLINK answers: No such device
Sat Jun 18 12:34:21 2016 us=234874 ERROR: Linux route add command failed: external program exited with error status: 2
Sat Jun 18 12:34:21 2016 us=235204 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Sat Jun 18 12:34:21 2016 us=241289 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Sat Jun 18 12:34:21 2016 us=248238 /sbin/ip route add 10.8.0.0/24 via 10.8.0.5
Sat Jun 18 12:34:21 2016 us=255847 GID set to nogroup
Sat Jun 18 12:34:21 2016 us=256134 UID set to nobody
Sat Jun 18 12:34:21 2016 us=256280 Initialization Sequence Completed
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
Suredarellon wrote:Thanks for taking the time TinCanTech!
I'm not sure up.sh worked ?darellon wrote:Sat Jun 18 12:34:21 2016 us=178409 /etc/openvpn/backup/up.sh tun0 1500 1544 10.8.0.6 10.8.0.5 init
Sat Jun 18 12:34:21 2016 us=227331 /sbin/ip route add 130.211.70.62/32 via 0.0.0.0
RTNETLINK answers: No such device
Sat Jun 18 12:34:21 2016 us=234874 ERROR: Linux route add command failed: external program exited with error
Please post your up.sh and ip route with openvpn started.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Wed Jun 15, 2016 6:26 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
I modified the up.sh file slightly since my 3G modem's ip address changes sometimes and for a more automated process
up.sh :
ip route:
i'm starting Openvpn as follows:
up.sh :
Code: Select all
#!/bin/bash
# up.sh
# 1.2.3.4 = Replace this with your UMTS Stick IP address
umts_gateway=$(/sbin/ifconfig ppp0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
/sbin/ip route add $trusted_ip/32 via $umts_gateway
Code: Select all
0.0.0.0/1 via 10.8.0.5 dev tun0
default dev ppp0 scope link
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
10.64.64.64 dev ppp0 proto kernel scope link src 100.74.191.99
128.0.0.0/1 via 10.8.0.5 dev tun0
130.211.70.62 via 100.74.191.99 dev ppp0
169.254.0.0/16 dev wwan0 proto kernel scope link src 169.254.12.135 metric 303
Code: Select all
sudo openvpn --config client.ovpn --script-security 2
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
Generally it looks like routing is correct.
Have you followed this HOWTO completely:
HOWTO: Routing all client traffic (including web-traffic) through the VPN
* Note the NAT requirement.
Have you followed this HOWTO completely:
HOWTO: Routing all client traffic (including web-traffic) through the VPN
* Note the NAT requirement.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Wed Jun 15, 2016 6:26 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
I have, but i'll set it up from scratch again. The odd thing is that the same set up works over wifi and routes all internet traffic.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Wed Jun 15, 2016 6:26 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
Here is my server config file:
server
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 25
# TCP or UDP server?
proto tcp
;proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh2048.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 10
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 25
# TCP or UDP server?
proto tcp
;proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh2048.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 10
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
Try this script instead:
Code: Select all
#!/bin/bash
# /etc/openvpn/up.sh
umts_gateway=ppp0
/sbin/ip route add $trusted_ip/32 via $umts_gateway
-
- OpenVpn Newbie
- Posts: 13
- Joined: Wed Jun 15, 2016 6:26 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
Get this error :
Code: Select all
Error: an inet address is expected rather than "ppp0"
-
- OpenVpn Newbie
- Posts: 13
- Joined: Wed Jun 15, 2016 6:26 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
Hmm, seems i cant ping any domain name (eg. google.com) but i can ping IP addresses.
I've pinged:
also tried another of my servers ip address, getting a response from all four.
Am i correct in assuming it has something to do with the DNS settings?
I've pinged:
Code: Select all
(google-public-dns-a.google.com) 8.8.8.8
(google-public-dns-b.google.com) 8.8.4.4
(ns1.telstra.net) 139.130.4.5
Am i correct in assuming it has something to do with the DNS settings?
-
- OpenVpn Newbie
- Posts: 13
- Joined: Wed Jun 15, 2016 6:26 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
In case someone else encounters the same problem:
I've solved the problem using the update-resolv-conf script, which comes with OpenVPN and added the script lines provided by TinCanTech (viewtopic.php?f=4&t=21844)
Added the following two lines to my client config file:
Were update-resolv-conf-up is:
and update-resolv-conf-down is:
Finally connected by typing:
Thanks again for all the help
I've solved the problem using the update-resolv-conf script, which comes with OpenVPN and added the script lines provided by TinCanTech (viewtopic.php?f=4&t=21844)
Added the following two lines to my client config file:
Code: Select all
up update-resolv-conf-up
down update-resolv-conf-down
Were update-resolv-conf-up is:
Code: Select all
#!/bin/bash
#Added the following two lines
umts_gateway=$(/sbin/ifconfig ppp0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}')
/sbin/ip route add $trusted_ip/32 via $umts_gateway
[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0
split_into_parts()
{
part1="$1"
part2="$2"
part3="$3"
}
case "$script_type" in
up)
NMSRVRS=""
SRCHS=""
for optionvarname in ${!foreign_option_*} ; do
option="${!optionvarname}"
echo "$option"
split_into_parts $option
if [ "$part1" = "dhcp-option" ] ; then
if [ "$part2" = "DNS" ] ; then
NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
elif [ "$part2" = "DOMAIN" ] ; then
SRCHS="${SRCHS:+$SRCHS }$part3"
fi
fi
done
R=""
[ "$SRCHS" ] && R="search $SRCHS
"
for NS in $NMSRVRS ; do
R="${R}nameserver $NS
"
done
echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
;;
down)
/sbin/resolvconf -d "${dev}.openvpn"
;;
esac
Code: Select all
#!/bin/bash
#Added the line below
/sbin/ip route delete $trusted_ip
[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0
split_into_parts()
{
part1="$1"
part2="$2"
part3="$3"
}
case "$script_type" in
up)
NMSRVRS=""
SRCHS=""
for optionvarname in ${!foreign_option_*} ; do
option="${!optionvarname}"
echo "$option"
split_into_parts $option
if [ "$part1" = "dhcp-option" ] ; then
if [ "$part2" = "DNS" ] ; then
NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
elif [ "$part2" = "DOMAIN" ] ; then
SRCHS="${SRCHS:+$SRCHS }$part3"
fi
fi
done
R=""
[ "$SRCHS" ] && R="search $SRCHS
"
for NS in $NMSRVRS ; do
R="${R}nameserver $NS
"
done
echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
;;
down)
/sbin/resolvconf -d "${dev}.openvpn"
;;
esac
Code: Select all
sudo openvpn --config client.ovpn --script-security 2
-
- OpenVPN Protagonist
- Posts: 11136
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Raspberry pi + UMTS(3g) as OpenVPN Client not working
Thanks for letting us know your solution