Openvpn as gateway client and personal server at same time.

pir8
OpenVpn Newbie
Posts: 4
Joined: Thu Apr 14, 2016 9:47 pm

Openvpn as gateway client and personal server at same time.

Post by pir8 » Fri Apr 15, 2016 5:58 pm

Hello, I have very basic Linux knowledge and I'd really like it if someone could help me out here.

I currently have my Raspberry Pi configured as a VPN gateway (working perfectly). OpenVPN is set up to act as a client (tun0) and it connects to a VPN service provider; that way my devices in my house are connected through the VPN tunnel.
I'm trying to have another instance of OpenVPN running as a server on the same Raspberry Pi in order to be able to access my home network whenever I'm outside, but I have not been able to do it. Independently, I've been able to set up the Raspberry Pi as an OpenVPN client to my VPN service provider and also as a personal OpenVPN server successfully, allowing me to connect to my home, but I haven't been able to have both instances running at the same time. Ports are forwarded correctly in the main router, as I'm able to use my personal OpenVPN server when I set it up alone (independently of the client conf).


Currently my home network looks like this (rpi acting only as a client):

[network diagram image]

***Now at the same time I want to have another instance of openvpn running as a server where it would allow me to browse my local lan remotely.***

I currently have the OpenVPN daemon start automatically every time the rpi boots by using "systemctl enable openvpn@torguard".

My conf files:

torguard.conf (client conf file for connecting private vpn provider)

Code:

client
dev tun
proto udp
remote la.serveraddress.com 443
resolv-retry infinite
remote-cert-tls server
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/ca.crt
auth-user-pass /etc/openvpn/login.txt
comp-lzo
fast-io
ping-restart 0
route-delay 2
route-method exe
script-security 3 system
mute-replay-warnings
verb 3

And my server.conf file (my personal OpenVPN server configuration file):

Code:

local 192.168.3.100 # Raspberry IP address
dev tun1
proto tcp # Using TCP
port 443
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Home.crt # My CRT file
key /etc/openvpn/easy-rsa/keys/Home.key # My Key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2 # server and remote endpoints (already implied by "server" above)
# Route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"
# My local subnet
push "route 192.168.3.0 255.255.255.0" # Raspberry PI network range address
push "dhcp-option DNS 192.168.3.1"
push "redirect-gateway def1" # send all of the remote client's traffic through the home server
client-to-client
duplicate-cn # lets several clients share one certificate; weakens per-client identification
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

My NAT and routing setup when running OpenVPN as a client is as follows (rules are persistent through boot):

Code:

# anything leaving via tun0 (forwarded LAN traffic included) is masqueraded behind the tunnel address
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
# replies from the tunnel back to the LAN, and anything from the LAN into the tunnel
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

And the iptables rule below when setting up the Raspberry Pi as a personal server:

Code:

# traffic from remote VPN clients leaves eth0 with the Pi's LAN address as source
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.3.100

Any guidance on how I can accomplish this would be greatly appreciated.
Thanks

adamjgs
OpenVpn Newbie
Posts: 9
Joined: Wed Apr 13, 2016 3:31 am

Re: Openvpn as gateway client and personal server at same ti

Post by adamjgs » Sat Apr 16, 2016 7:16 am

Looks like we're trying to do somewhat similar things. What happens when you try running both concurrently?

pir8
OpenVpn Newbie
Posts: 4
Joined: Thu Apr 14, 2016 9:47 pm

Re: Openvpn as gateway client and personal server at same ti

Post by pir8 » Sat Apr 16, 2016 6:47 pm

Hi,
Both instances go up, but I'm not able to connect to the server.

Code:

root@raspberrypi:/etc/openvpn# ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:d4:99:e2  
          inet addr:192.168.3.100  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::f15e:9308:397a:3053/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26574 errors:0 dropped:1 overruns:0 frame:0
          TX packets:24429 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:11150167 (10.6 MiB)  TX bytes:11631514 (11.0 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:244 errors:0 dropped:0 overruns:0 frame:0
          TX packets:244 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:17843 (17.4 KiB)  TX bytes:17843 (17.4 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.9.1.42  P-t-P:10.9.1.41  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:11282 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10451 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:8972031 (8.5 MiB)  TX bytes:1094860 (1.0 MiB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr b8:27:eb:81:cc:b7  
          inet6 addr: fe80::ba27:ebff:fe81:ccb7/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:3563 (3.4 KiB)

As you can see, both the client and server are running, I can ping 8.8.8.8 successfully and everything goes through the tunnel, but I can't connect to the server part from outside. When I look at the server's /var/log/openvpn.log file it shows:

Code:

root@raspberrypi:/etc/openvpn# cat /var/log/openvpn.log 
Sat Apr 16 11:05:51 2016 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Sat Apr 16 11:05:51 2016 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Sat Apr 16 11:05:51 2016 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key file
Sat Apr 16 11:05:51 2016 TUN/TAP device tun1 opened
Sat Apr 16 11:05:51 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Apr 16 11:05:51 2016 /sbin/ip link set dev tun1 up mtu 1500
Sat Apr 16 11:05:51 2016 /sbin/ip addr add dev tun1 local 10.8.0.1 peer 10.8.0.2
Sat Apr 16 11:05:51 2016 GID set to nogroup
Sat Apr 16 11:05:51 2016 UID set to nobody
Sat Apr 16 11:05:51 2016 UDPv4 link local (bound): [AF_INET]192.168.3.100:1194
Sat Apr 16 11:05:51 2016 UDPv4 link remote: [undef]
Sat Apr 16 11:05:51 2016 Initialization Sequence Completed
Sat Apr 16 11:06:03 2016 199.71.159.118:48361 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1460826370) Sat Apr 16 11:06:10 2016 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sat Apr 16 11:06:03 2016 199.71.159.118:48361 TLS Error: incoming packet authentication failed from [AF_INET]199.71.159.118:48361
Sat Apr 16 11:07:12 2016 199.71.159.118:53087 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 16 11:07:12 2016 199.71.159.118:53087 TLS Error: TLS handshake failed
root@raspberrypi:/etc/openvpn# 

Only if I stop the OpenVPN client from launching at boot and launch just the server part am I able to connect.

I don't know if it has to do with the fact that, when the OpenVPN client (which connects the Raspberry Pi to the private VPN provider) is active and as such every packet that comes out of the Raspberry Pi is routed through the VPN tunnel, whenever I try to make the connection to my home network from outside I use my home public IP to establish the connection, but the data received by my cell phone comes from the VPN tunnel running on the Pi and the packets don't match, so the TLS handshake fails. This of course is a wild guess, as I don't know much about this stuff.
I'm about to give up and buy another raspberry to set one up as a server and the other as client.
:(
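The log quoted above is the kind of evidence worth checking mechanically rather than by eye. The POSIX shell functions below are an added example (not code from this thread or from OpenVPN): they pull the listener the daemon reports binding out of its log, compare it with the proto and port the configuration asks for, and count TLS errors per remote peer. The sample log and config embedded in the block are constructed from the lines quoted in this thread. Note that the quoted log shows a UDP socket on port 1194, while the server.conf quoted in the first post asks for proto tcp on port 443; that is exactly the kind of discrepancy the check reports, and it means the instance that wrote this log was not using the quoted server.conf, or that the router's port forward and the daemon's socket do not describe the same thing.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from OpenVPN: compare the socket the
# server instance actually bound (as recorded in its log) with what the config
# requests, and summarise TLS failures per remote peer.
# SAMPLE_LOG and SAMPLE_CONF are constructed from lines quoted in the thread.

SAMPLE_LOG='Sat Apr 16 11:05:51 2016 UDPv4 link local (bound): [AF_INET]192.168.3.100:1194
Sat Apr 16 11:05:51 2016 Initialization Sequence Completed
Sat Apr 16 11:06:03 2016 199.71.159.118:48361 TLS Error: incoming packet authentication failed from [AF_INET]199.71.159.118:48361
Sat Apr 16 11:07:12 2016 199.71.159.118:53087 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 16 11:07:12 2016 199.71.159.118:53087 TLS Error: TLS handshake failed'

SAMPLE_CONF='local 192.168.3.100
dev tun1
proto tcp
port 443'

# Print "PROTO ADDRESS PORT" for the socket the daemon reports in its
# "link local (bound):" line, e.g. "udp 192.168.3.100 1194".
bound_listener() {   # $1 = log text
    printf '%s\n' "$1" | awk '
        / link local \(bound\): / {
            # the protocol token ("UDPv4", "TCPv4_SERVER", ...) precedes "link local"
            for (i = 2; i <= NF; i++) if ($i == "link" && $(i+1) == "local") proto = tolower($(i-1))
            sub(/v[46].*$/, "", proto)                    # "udpv4" -> "udp"
            addr = $NF; sub(/^\[AF_INET6?\]/, "", addr)   # "[AF_INET]ip:port" -> "ip:port"
            n = split(addr, a, ":")
            print proto, a[1], a[n]; exit
        }'
}

# Print "PROTO PORT" requested by the config; OpenVPN defaults are udp and 1194.
configured_listener() {   # $1 = config text
    printf '%s\n' "$1" | awk '
        BEGIN { proto = "udp"; port = "1194" }
        { sub(/#.*/, "") }                                  # drop trailing comments
        $1 == "proto" { proto = $2; gsub(/-server|-client|[46]/, "", proto) }
        $1 == "port"  { port = $2 }
        END { print proto, port }'
}

# Return 0 when log and config agree on protocol and port, 1 on a mismatch.
listener_matches() {   # $1 = log text, $2 = config text
    set -- "$(bound_listener "$1")" "$(configured_listener "$2")"
    bound_proto=${1%% *}; bound_port=${1##* }
    conf_proto=${2%% *};  conf_port=${2##* }
    if [ "$bound_proto" = "$conf_proto" ] && [ "$bound_port" = "$conf_port" ]; then
        echo "listener OK: $bound_proto/$bound_port"
        return 0
    fi
    echo "MISMATCH: log shows $bound_proto/$bound_port, config asks for $conf_proto/$conf_port"
    return 1
}

# Count "TLS Error" lines per remote peer (ip:port) so one failing source stands out.
tls_failures_by_peer() {   # $1 = log text
    printf '%s\n' "$1" | awk '
        /TLS Error/ { n[$6]++ }
        END { for (p in n) print p, n[p] }' | sort
}

# Walkthrough on the constructed sample; replace with: listener_matches "$(cat /var/log/openvpn.log)" "$(cat server.conf)"
listener_matches "$SAMPLE_LOG" "$SAMPLE_CONF"
tls_failures_by_peer "$SAMPLE_LOG"
```

On the sample this prints the mismatch line (udp/1194 against tcp/443) and two peers, one with a single authentication failure and one with two handshake errors; on a real box, run it against the live log and the config that the systemd unit actually loads.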

adamjgs
OpenVpn Newbie
Posts: 9
Joined: Wed Apr 13, 2016 3:31 am

Re: Openvpn as gateway client and personal server at same ti

Post by adamjgs » Sun Apr 17, 2016 11:22 am

What happens if you run this on the server?

Code:

ip rule add from <your-server-ip> table 10
ip route add default via <your-router-ip> table 10

Can you then connect to it while its client instance is up?

pir8
OpenVpn Newbie
Posts: 4
Joined: Thu Apr 14, 2016 9:47 pm

Re: Openvpn as gateway client and personal server at same ti

Post by pir8 » Sun Apr 17, 2016 7:27 pm

adamjgs wrote:What happens if you run this on the server?

Code:

ip rule add from <your-server-ip> table 10
ip route add default via <your-router-ip> table 10
Can you then connect to it while its client instance is up?

omg!!! this is so amazing!
Thank you very much for this info.
I finally managed to run them (client and server instances on the Raspberry Pi) both at the same time...
Wow!!!! It's running fine now after adding those routes. I can connect to my house remotely while having the OpenVPN client connected to the torguard service at home.

You said you were trying to accomplish a similar setup; have you succeeded already?

Thank you so much for your help!

raspi3
OpenVpn Newbie
Posts: 3
Joined: Thu Jun 21, 2018 10:12 pm

Re: Openvpn as gateway client and personal server at same time.

Post by raspi3 » Tue Jun 26, 2018 4:47 pm

Hi,
with this solution

Code:

ip rule add from <your-server-ip> table 10
ip route add default via <your-router-ip> table 10

I can only connect to my local network. After executing

Code:

sudo ip rule add from 10.7.0.0/24 table 99
sudo ip route add default via 192.168.1.1 table 99

I can only connect to the internet, not to my local network anymore. Did you figure out how to connect to both the local network and the internet?
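adamjgs's two commands and the table-99 variant raspi3 tried are both instances of Linux policy routing: a source-based rule sends packets from a chosen address or prefix to a separate routing table whose default route points at the home router instead of the provider tunnel. The POSIX shell script below is an added example (not from this thread or from OpenVPN) that wraps both in functions that can be re-run at boot without stacking duplicate rules. It uses ip route replace where the thread used ip route add and, for the VPN-client variant, also copies the connected LAN route into the table; that extra route is my assumption about what raspi3's table 99 was missing, since a table holding only a default route sends LAN-bound packets to the router as well. The addresses (192.168.3.100, 192.168.3.1, 192.168.3.0/24 on eth0, 10.8.0.0/24, tables 10 and 99) are taken from the first post or constructed. With DRY_RUN=1, the default, it only prints the commands; DRY_RUN=0 executes them and needs root.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN: policy routing for an
# OpenVPN server instance on a host whose main-table default route points into a
# provider tunnel (tun0). Addresses are assumed (taken from the first post or
# constructed): Pi LAN address 192.168.3.100, router 192.168.3.1,
# LAN 192.168.3.0/24 on eth0, server VPN subnet 10.8.0.0/24.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them and needs root.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# "ip rule add" creates a duplicate on every run, so only add a rule that is not
# already present. "ip route replace" is idempotent by itself.
add_rule_once() {   # $1 = source address or prefix, $2 = table
    if [ "$DRY_RUN" != "1" ] && ip rule show | grep -qF "from $1 lookup $2"; then
        return 0
    fi
    run ip rule add from "$1" table "$2"
}

# adamjgs's fix: packets the Pi sends from its own LAN address (the server
# instance's replies among them) are routed via the home router, bypassing the
# provider tunnel that the main table's default route points into.
route_server_replies() {   # $1 = server LAN address, $2 = router, $3 = table
    add_rule_once "$1" "$3"
    run ip route replace default via "$2" table "$3"
}

# raspi3's variant: traffic from remote VPN clients gets its own table. The
# connected LAN route is copied in as well (assumed missing piece); a table with
# only a default route would send LAN-bound packets to the router too.
route_vpn_clients() {   # $1 = VPN client subnet, $2 = router, $3 = LAN prefix, $4 = LAN interface, $5 = table
    add_rule_once "$1" "$5"
    run ip route replace "$3" dev "$4" table "$5"
    run ip route replace default via "$2" table "$5"
}

# Dry-run walkthrough with the assumed addresses (edit for real use).
route_server_replies 192.168.3.100 192.168.3.1 10
route_vpn_clients 10.8.0.0/24 192.168.3.1 192.168.3.0/24 eth0 99
```

Two things worth knowing before applying it. The rule in route_server_replies matches every packet the Pi sends from 192.168.3.100, not only OpenVPN server replies, so anything on the Pi that binds to the LAN address bypasses the provider tunnel, while traffic forwarded for LAN devices (different source addresses) still follows the main table into tun0. And neither ip rule nor ip route entries survive a reboot, so the script has to be run from a boot-time unit or from the server instance's up script.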

Aushilfsarnie
OpenVpn Newbie
Posts: 1
Joined: Mon Mar 23, 2020 7:43 pm

Re: Openvpn as gateway client and personal server at same time.

Post by Aushilfsarnie » Mon Mar 23, 2020 7:44 pm

Hi there. Is there a solution for this? Thanks in advance!

Skynet86
OpenVpn Newbie
Posts: 7
Joined: Sun May 17, 2020 2:21 pm

Re: Openvpn as gateway client and personal server at same time.

Post by Skynet86 » Tue May 19, 2020 11:51 am

I don't get this configuration to run. Can someone help me?

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Openvpn as gateway client and personal server at same time.

Post by 300000 » Wed May 20, 2020 1:41 am

You need to change to port 445, not the same 443, so you can connect as a client to the VPN service provider and act as a server at home, but not on the same port, because the VPN tries to send all internet traffic over the VPN, so you need to decide which one it goes through. Just use both like this:

route 42.118.90.17 255.255.255.0 vpn_gateway
route 42.118.90.17 255.255.255.0 net_gateway

This one, route 42.118.90.17 255.255.255.0 vpn_gateway, means you want this IP to go through the VPN provider, and this one, route 42.118.90.17 255.255.255.0 net_gateway, means you want this IP to go through your router.

If you want to try redirect-gateway autolocal def1 bypass-dhcp, just do it and decide which way you want. Take some time to deal with it, and remember OpenVPN is point to point, so you need NAT to make it work.

It is simpler to install WireGuard and make it act as a server, and you can run both at the same time; WireGuard is considered 30% faster than OpenVPN in every test and simpler than OpenVPN.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Openvpn as gateway client and personal server at same time.

Post by TinCanTech » Wed May 20, 2020 11:52 am

Yep, not only can he barely speak English but he also does not know what this thread is about ...
