server client tun routing - no internet access - no routing

Moderators: TinCanTech
pw44
OpenVpn Newbie
Posts: 13
Joined: Wed May 20, 2020 5:54 pm

server client tun routing - no internet access - no routing

Post by pw44 » Wed May 20, 2020 6:26 pm

Hi,

I have the following configuration:
- Ubuntu 18.04 server
- iOS iPhone client

Connection works, but routing doesn't. When connected, the iOS client is unable to access the server or the internet (tunneled).

Maybe I overlooked something, and that's why I ask for your kind help.

Server config

;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
crl-verify /etc/openvpn/server/crl.pem
tls-crypt /etc/openvpn/server/tc.key
topology subnet
server 10.10.30.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.10.30.4 255.255.255.0 10.10.30.50 10.10.30.100
;server-bridge
push "route 192.168.80.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
push "redirect-gateway local def1 bypass-dhcp"
;push "redirect-gateway local def1"
push "dhcp-option DNS 192.168.80.4"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
keepalive 10 120
cipher AES-256-CBC
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
;mute 20
explicit-exit-notify 1
verb 5
auth SHA512


Client config

client
dev tun
proto udp
remote wolke.myserver.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
<ca>
...........
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...........
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
...........
-----END OpenVPN Static key V1-----
</tls-crypt>



Log (server)

Code:

Wed May 20 15:16:35 2020 us=743877 OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 20 2020
Wed May 20 15:16:35 2020 us=743887 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.08
Wed May 20 15:16:35 2020 us=745241 Diffie-Hellman initialized with 2048 bit key
Wed May 20 15:16:35 2020 us=745657 CRL: loaded 1 CRLs from file /etc/openvpn/server/crl.pem
Wed May 20 15:16:35 2020 us=745726 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed May 20 15:16:35 2020 us=745741 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed May 20 15:16:35 2020 us=745749 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Wed May 20 15:16:35 2020 us=745759 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Wed May 20 15:16:35 2020 us=745769 TLS-Auth MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Wed May 20 15:16:35 2020 us=746047 TUN/TAP device tun0 opened
Wed May 20 15:16:35 2020 us=746073 TUN/TAP TX queue length set to 100
Wed May 20 15:16:35 2020 us=746088 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed May 20 15:16:35 2020 us=746102 /sbin/ifconfig tun0 10.10.30.1 netmask 255.255.255.0 mtu 1500 broadcast 10.10.30.255
Wed May 20 15:16:35 2020 us=746928 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed May 20 15:16:35 2020 us=746952 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed May 20 15:16:35 2020 us=746969 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed May 20 15:16:35 2020 us=746985 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed May 20 15:16:35 2020 us=746993 UDPv4 link remote: [AF_UNSPEC]
Wed May 20 15:16:35 2020 us=747003 MULTI: multi_init called, r=256 v=256
Wed May 20 15:16:35 2020 us=747022 IFCONFIG POOL: base=10.10.30.2 size=252, ipv6=0
Wed May 20 15:16:35 2020 us=747042 ifconfig_pool_read(), in='iPH6PW,10.10.30.48', TODO: IPv6
Wed May 20 15:16:35 2020 us=747050 succeeded -> ifconfig_pool_set()
Wed May 20 15:16:35 2020 us=747058 IFCONFIG POOL LIST
Wed May 20 15:16:35 2020 us=747066 iPH6PW,10.10.30.48
Wed May 20 15:16:35 2020 us=747092 Initialization Sequence Completed
Wed May 20 15:17:26 2020 us=375947 MULTI: multi_create_instance called
Wed May 20 15:17:26 2020 us=375990 201.5.167.225:12879 Re-using SSL/TLS context
Wed May 20 15:17:26 2020 us=376092 201.5.167.225:12879 Control Channel MTU parms [ L:1621 D:1156 EF:94 EB:0 ET:0 EL:3 ]
Wed May 20 15:17:26 2020 us=376102 201.5.167.225:12879 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed May 20 15:17:26 2020 us=376149 201.5.167.225:12879 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Wed May 20 15:17:26 2020 us=376157 201.5.167.225:12879 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
RWed May 20 15:17:26 2020 us=376190 201.5.167.225:12879 TLS: Initial packet from [AF_INET]201.5.167.225:12879, sid=ff5e13c2 9b496347
WRWWWWWRRRRWRWed May 20 15:17:28 2020 us=75732 201.5.167.225:12879 VERIFY OK: depth=1, C=BR, ST=RJ, L=Rio de Janeiro, O=PjW ISS, OU=VPN PW, CN=vpn.myserver.com, emailAddress=webmaster@myserver.com
Wed May 20 15:17:28 2020 us=75880 201.5.167.225:12879 VERIFY OK: depth=0, C=BR, ST=RJ, L=Rio de Janeiro, O=PjW ISS, OU=VPN PW, CN=iPH6PW, emailAddress=webmaster@myserver.com
WRWed May 20 15:17:28 2020 us=184672 201.5.167.225:12879 peer info: IV_GUI_VER=net.openvpn.connect.ios_3.1.2-3096
Wed May 20 15:17:28 2020 us=184698 201.5.167.225:12879 peer info: IV_VER=3.git::f225fcd0
Wed May 20 15:17:28 2020 us=184706 201.5.167.225:12879 peer info: IV_PLAT=ios
Wed May 20 15:17:28 2020 us=184712 201.5.167.225:12879 peer info: IV_AUTO_SESS=1
Wed May 20 15:17:28 2020 us=184797 201.5.167.225:12879 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 20 15:17:28 2020 us=184811 201.5.167.225:12879 Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Wed May 20 15:17:28 2020 us=184827 201.5.167.225:12879 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 20 15:17:28 2020 us=184836 201.5.167.225:12879 Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
WRWed May 20 15:17:28 2020 us=254842 201.5.167.225:12879 Control Channel: TLSv1.2, cipher SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed May 20 15:17:28 2020 us=254873 201.5.167.225:12879 [iPH6PW] Peer Connection Initiated with [AF_INET]201.5.167.225:12879
Wed May 20 15:17:28 2020 us=254895 iPH6PW/201.5.167.225:12879 MULTI_sva: pool returned IPv4=10.10.30.48, IPv6=(Not enabled)
Wed May 20 15:17:28 2020 us=254940 iPH6PW/201.5.167.225:12879 MULTI: Learn: 10.10.30.48 -> iPH6PW/201.5.167.225:12879
Wed May 20 15:17:28 2020 us=254949 iPH6PW/201.5.167.225:12879 MULTI: primary virtual IP for iPH6PW/201.5.167.225:12879: 10.10.30.48
RWed May 20 15:17:28 2020 us=255013 iPH6PW/201.5.167.225:12879 PUSH: Received control message: 'PUSH_REQUEST'
Wed May 20 15:17:28 2020 us=255062 iPH6PW/201.5.167.225:12879 SENT CONTROL [iPH6PW]: 'PUSH_REPLY,route 192.168.80.0 255.255.255.0,redirect-gateway local def1 bypass-dhcp,dhcp-option DNS 192.168.80.4,route-gateway 10.10.30.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.10.30.48 255.255.255.0' (status=1)
WWRRwRwRwrWrWrWRwWRRwRWwrWRwrWRwrWRwRwRwRwRwRwRwRwRwRwRwrWrWRwRwRwrWrWrWrWrWrWrWRwRwrWrWrWrWrWRwRwrWRwRwRwRwRwRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwrWRwRwRwRwRwRwRwRwRwRwRwRwRwRwRwWRWed May 20 15:18:08 2020 us=580902 iPH6PW/201.5.167.225:12879 SIGTERM[soft,remote-exit] received, client-instance exiting
Client log:

Code:

2020-05-20 15:17:25 1

2020-05-20 15:17:25 ----- OpenVPN Start -----
OpenVPN core 3.git::f225fcd0 ios arm64 64-bit PT_PROXY built on Mar  5 2020 13:46:31

2020-05-20 15:17:25 OpenVPN core 3.git::f225fcd0 ios arm64 64-bit PT_PROXY built on Mar  5 2020 13:46:31

2020-05-20 15:17:25 Frame=512/2048/512 mssfix-ctrl=1250

2020-05-20 15:17:25 UNUSED OPTIONS
4 [resolv-retry] [infinite] 
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
11 [ignore-unknown-option] [block-outside-dns] 
12 [block-outside-dns] 
13 [verb] [3] 

2020-05-20 15:17:25 EVENT: RESOLVE

2020-05-20 15:17:26 Contacting [201.19.181.221]:1194/UDP via UDP

2020-05-20 15:17:26 EVENT: WAIT

2020-05-20 15:17:26 Connecting to [wolke.myserver.com]:1194 (201.19.181.221) via UDPv4

2020-05-20 15:17:26 EVENT: CONNECTING

2020-05-20 15:17:26 Tunnel Options:V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client

2020-05-20 15:17:26 Creds: UsernameEmpty/PasswordEmpty

2020-05-20 15:17:26 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 3.1.2-3096
IV_VER=3.git::f225fcd0
IV_PLAT=ios
IV_AUTO_SESS=1

2020-05-20 15:17:27 VERIFY OK : depth=1
cert. version     : 3
serial number     : 72:4D:9B:78:52:15:9B:C0:CE:CF:B1:4E:91:7B:A6:5A:3E:1D:79:03
issuer name       : C=BR, ST=RJ, L=Rio de Janeiro, O=PjW ISS, OU=VPN PW, CN=vpn.myserver.com, emailAddress=webmaster@myserver.com
subject name      : C=BR, ST=RJ, L=Rio de Janeiro, O=PjW ISS, OU=VPN PW, CN=vpn.myserver.com, emailAddress=webmaster@myserver.com
issued  on        : 2020-05-10 15:40:14
expires on        : 2030-05-08 15:40:14
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=true
key usage         : Key Cert Sign, CRL Sign


2020-05-20 15:17:27 VERIFY OK : depth=0
cert. version     : 3
serial number     : 71:FA:EC:8B:1F:FD:60:6C:A3:74:10:EC:D3:FA:0E:81
issuer name       : C=BR, ST=RJ, L=Rio de Janeiro, O=PjW ISS, OU=VPN PW, CN=vpn.myserver.com, emailAddress=webmaster@myserver.com
subject name      : C=BR, ST=RJ, L=Rio de Janeiro, O=PjW ISS, OU=VPN PW, CN=server, emailAddress=webmaster@myserver.com
issued  on        : 2020-05-10 15:40:14
expires on        : 2030-05-08 15:40:14
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  : server
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication


2020-05-20 15:17:28 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-CBC-SHA

2020-05-20 15:17:28 Session is ACTIVE

2020-05-20 15:17:28 EVENT: GET_CONFIG

2020-05-20 15:17:28 Sending PUSH_REQUEST to server...

2020-05-20 15:17:28 OPTIONS:
0 [route] [192.168.80.0] [255.255.255.0] 
1 [redirect-gateway] [local] [def1] [bypass-dhcp] 
2 [dhcp-option] [DNS] [192.168.80.4] 
3 [route-gateway] [10.10.30.1] 
4 [topology] [subnet] 
5 [ping] [10] 
6 [ping-restart] [120] 
7 [ifconfig] [10.10.30.48] [255.255.255.0] 


2020-05-20 15:17:28 PROTOCOL OPTIONS:
  cipher: AES-256-CBC
  digest: SHA512
  compress: NONE
  peer ID: -1

2020-05-20 15:17:28 EVENT: ASSIGN_IP

2020-05-20 15:17:28 NIP: preparing TUN network settings

2020-05-20 15:17:28 NIP: init TUN network settings with endpoint: 201.19.181.221

2020-05-20 15:17:28 NIP: adding IPv4 address to network settings 10.10.30.48/255.255.255.0

2020-05-20 15:17:28 NIP: adding (included) IPv4 route 10.10.30.0/24

2020-05-20 15:17:28 NIP: adding (included) IPv4 route 192.168.80.0/24

2020-05-20 15:17:28 NIP: redirecting all IPv4 traffic to TUN interface

2020-05-20 15:17:28 NIP: adding DNS 192.168.80.4

2020-05-20 15:17:28 Connected via NetworkExtensionTUN

2020-05-20 15:17:28 EVENT: CONNECTED wolke.myserver.com:1194 (201.19.181.221) via /UDPv4 on NetworkExtensionTUN/10.10.30.48/ gw=[/]

2020-05-20 15:18:08 EVENT: DISCONNECTED

2020-05-20 15:18:08 Raw stats on disconnect:
  BYTES_IN : 7351
  BYTES_OUT : 16847
  PACKETS_IN : 24
  PACKETS_OUT : 93
  TUN_BYTES_IN : 5803
  TUN_BYTES_OUT : 1194
  TUN_PACKETS_IN : 80
  TUN_PACKETS_OUT : 10

2020-05-20 15:18:08 Performance stats on disconnect:
  CPU usage (microseconds): 443690
  Tunnel compression ratio (uplink): 2.90315
  Tunnel compression ratio (downlink): 6.15662
  Network bytes per CPU second: 54538
  Tunnel bytes per CPU second: 15770
Can anyone help find out what is wrong?

Thx in advance.
Last edited by Pippin on Sun May 24, 2020 1:05 pm, edited 1 time in total.
Reason: Formatting
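As an added example, not part of pw44's post and not an OpenVPN tool, here is a small shell lint for a server.conf. It flags the things a reviewer would query in the server configs in this thread: a pushed redirect-gateway carrying the local flag (per the OpenVPN manual that flag skips the host route to the server address via the old gateway and is meant only for clients on the server's own LAN), dhcp-option lines that are not pushed and so reach no client, compression, a directive given twice, and log together with log-append. The warning texts are this editor's reading of the OpenVPN 2.4 manual; the two sample configs at the bottom are constructed from the server configs in this thread for testing and are not verbatim copies.

```shell
#!/bin/sh
# Added example, not from the thread: lint an OpenVPN server.conf for the
# handful of mistakes a reviewer spots in the configs posted here. The
# findings encode option semantics from the OpenVPN 2.4 manual; the sample
# configs below are constructed from the thread for testing.

# lint_server_conf CONF_TEXT: print one WARN line per finding.
lint_server_conf() {
    printf '%s\n' "$1" | awk '
        # OpenVPN treats both "#" and ";" as comment introducers
        { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); if ($0 == "") next }

        # "local" tells the client NOT to add the host route to the VPN server
        # via its old gateway; the manual reserves it for clients that share a
        # LAN with the server.
        $1 == "push" && /redirect-gateway/ && $0 ~ "[ \"]local([ \"]|$)" {
            print "WARN line " NR ": redirect-gateway has the local flag; it is meant only for clients on the same LAN as the server"
        }
        # dhcp-option is a client-side option; on a server it reaches nobody unless pushed
        $1 == "dhcp-option" {
            print "WARN line " NR ": dhcp-option is not pushed, so no client receives it"
        }
        # compression is deprecated in 2.4 and enables plaintext-recovery attacks (VORACLE)
        $1 == "comp-lzo" || $1 == "compress" {
            print "WARN line " NR ": compression is deprecated and unsafe; remove it on both sides together"
        }
        { seen[$1]++ }
        END {
            n = split("explicit-exit-notify verb cipher auth server port proto dev", single, " ")
            for (i = 1; i <= n; i++)
                if (seen[single[i]] > 1)
                    print "WARN " single[i] " appears " seen[single[i]] " times; only one is intended"
            if (seen["log"] && seen["log-append"])
                print "WARN both log and log-append are set; they name the same log file, keep one"
        }'
}

# count_findings CONF_TEXT: print the number of WARN lines (always exits 0).
count_findings() {
    lint_server_conf "$1" | awk 'END { print NR }'
}

# Constructed for the test: the second server.conf from the thread, trimmed to
# the directives that matter (certificate paths omitted).
SAMPLE_POSTED_CONF='server 10.10.30.0 255.255.255.0
port 1194
proto udp
dev tun0
topology subnet
route 10.10.30.0 255.255.255.0
dhcp-option DNS 10.10.30.1
dhcp-option DNS 192.168.80.4
push "redirect-gateway local def1 bypass-dhcp"
push "route 192.168.80.0 255.255.255.0"
push "dhcp-option DNS 10.10.30.1"
push "dhcp-option DNS 192.168.80.4"
keepalive 10 120
comp-lzo
explicit-exit-notify
log         /var/log/openvpn.log
log-append  /var/log/openvpn.log
;mute 20
explicit-exit-notify 1
verb 5'

# Constructed: the same config with every finding addressed.
SAMPLE_FIXED_CONF='server 10.10.30.0 255.255.255.0
port 1194
proto udp
dev tun0
topology subnet
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.80.0 255.255.255.0"
push "dhcp-option DNS 192.168.80.4"
keepalive 10 120
explicit-exit-notify 1
log-append /var/log/openvpn.log
verb 5'

case "${1:-}" in
    lint) lint_server_conf "$(cat "$2")" ;;   # sh lint.sh lint /etc/openvpn/server/server.conf
    demo) lint_server_conf "$SAMPLE_POSTED_CONF" ;;
esac
```

Run `sh lint.sh demo` to see the six findings on the constructed sample, or `sh lint.sh lint /etc/openvpn/server/server.conf` against a real file. The lint only reads the config; whether a pushed option is the cause of a routing failure still has to be confirmed from the client's route table after connecting.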

pw44
OpenVpn Newbie
Posts: 13
Joined: Wed May 20, 2020 5:54 pm

Re: server client tun routing - no internet access - no routing

Post by pw44 » Thu May 21, 2020 4:24 pm

Anyone able to help?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server client tun routing - no internet access - no routing

Post by TinCanTech » Thu May 21, 2020 4:52 pm

You have come so far on your own ....

https://community.openvpn.net/openvpn/wiki/HOWTO

pw44
OpenVpn Newbie
Posts: 13
Joined: Wed May 20, 2020 5:54 pm

Re: server client tun routing - no internet access - no routing

Post by pw44 » Thu May 21, 2020 6:29 pm

TinCanTech wrote:
Thu May 21, 2020 4:52 pm
You have come so far on your own ....

https://community.openvpn.net/openvpn/wiki/HOWTO
Yes, I also read it, but I am not finding the error :-( Can you help me out?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server client tun routing - no internet access - no routing

Post by TinCanTech » Thu May 21, 2020 7:11 pm

Make sure you have setup NAT etc on your server.

And then try pushing a real DNS server.

pw44
OpenVpn Newbie
Posts: 13
Joined: Wed May 20, 2020 5:54 pm

Re: server client tun routing - no internet access - no routing

Post by pw44 » Thu May 21, 2020 9:33 pm

TinCanTech wrote:
Thu May 21, 2020 7:11 pm
Make sure you have setup NAT etc on your server.

And then try pushing a real DNS server.
Thx for the answer.

Could you post an example?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server client tun routing - no internet access - no routing

Post by TinCanTech » Thu May 21, 2020 10:04 pm

pw44 wrote:
Thu May 21, 2020 9:33 pm
Could you post an example?

Code:

--push "dhcp-option DNS 1.1.1.1"

pw44
OpenVpn Newbie
Posts: 13
Joined: Wed May 20, 2020 5:54 pm

Re: server client tun routing - no internet access - no routing

Post by pw44 » Thu May 21, 2020 10:40 pm

TinCanTech wrote:
Thu May 21, 2020 10:04 pm
pw44 wrote:
Thu May 21, 2020 9:33 pm
Could you post an example?

Code:

--push "dhcp-option DNS 1.1.1.1"
It is there:

push "dhcp-option DNS 192.168.80.4" - 192.168.80.4 is my OpenVPN server + DNS server.


Seems that my problem is routing... just not finding out where.

With WireGuard, no problem. But I want to make OpenVPN work ;-)

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server client tun routing - no internet access - no routing

Post by TinCanTech » Thu May 21, 2020 10:50 pm

Maybe something to do with PiVPN ?

pw44
OpenVpn Newbie
Posts: 13
Joined: Wed May 20, 2020 5:54 pm

Re: server client tun routing - no internet access - no routing

Post by pw44 » Thu May 21, 2020 11:30 pm

TinCanTech wrote:
Thu May 21, 2020 10:50 pm
Maybe something to do with PiVPN ?
And what does PiVPN mean?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server client tun routing - no internet access - no routing

Post by TinCanTech » Thu May 21, 2020 11:34 pm

pw44 wrote:
Thu May 21, 2020 10:40 pm
With wireguard, no problem. but i want to make openvpn work
Just use wireguard

pw44
OpenVpn Newbie
Posts: 13
Joined: Wed May 20, 2020 5:54 pm

Re: server client tun routing - no internet access - no routing

Post by pw44 » Fri May 22, 2020 10:31 am

TinCanTech wrote:
Thu May 21, 2020 11:34 pm
pw44 wrote:
Thu May 21, 2020 10:40 pm
With wireguard, no problem. but i want to make openvpn work
Just use wireguard
Yea, but now it became a challenge ;-) Are you able to help or not?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server client tun routing - no internet access - no routing

Post by TinCanTech » Fri May 22, 2020 11:29 am

Your configs look fine, your logs look fine and you use Ubuntu for your server OS.

The Howto is literally written for you .. so follow it.

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: server client tun routing - no internet access - no routing

Post by 300000 » Sat May 23, 2020 9:59 pm

There is no LAN routing, there is no NAT rule in iptables, so it stays like that. This is free software, so it is up to you to make it work or leave it like that.


Your iptables does not perform correct NAT, so it is not going to work for you. Check the firewall rules.

pw44
OpenVpn Newbie
Posts: 13
Joined: Wed May 20, 2020 5:54 pm

Re: server client tun routing - no internet access - no routing

Post by pw44 » Thu Aug 06, 2020 6:34 pm

Ok, these are my iptables rules for openvpn:

Code:

/etc/systemd/system/openvpn-iptables.service 
[Unit]
Before=network.target
[Service]
Type=oneshot
# Note: nothing in this unit enables IPv4 forwarding (net.ipv4.ip_forward=1);
# without it the kernel drops packets arriving on tun0 for other hosts, NAT or not.
# The first two MASQUERADE lines add the same rule twice (-A then -I), and the
# later "-o enp2s0 -j MASQUERADE" without -s already covers the tunnel subnet.
ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.10.30.0/24 -o enp2s0 -j MASQUERADE
ExecStart=/sbin/iptables -t nat -I POSTROUTING -o enp2s0 -s 10.10.30.0/24 -j MASQUERADE
ExecStart=/sbin/iptables -I INPUT -p udp --dport 1194 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -s 10.10.30.0/24 -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -i tun0 -o enp2s0 -s 10.10.30.0/24 -m conntrack --ctstate NEW -j ACCEPT
ExecStart=/sbin/iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ExecStart=/sbin/iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
ExecStart=/sbin/iptables -A FORWARD -i tun0 -j ACCEPT
# -m state is the legacy spelling of the conntrack RELATED,ESTABLISHED match above; same effect
ExecStart=/sbin/iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

ExecStop=/sbin/iptables -t nat -D POSTROUTING -s 10.10.30.0/24 -o enp2s0 -j MASQUERADE
ExecStop=/sbin/iptables -t nat -D POSTROUTING -o enp2s0 -s 10.10.30.0/24 -j MASQUERADE
ExecStop=/sbin/iptables -D INPUT -p udp --dport 1194 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -s 10.10.30.0/24 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -i tun0 -o enp2s0 -s 10.10.30.0/24 -m conntrack --ctstate NEW -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# was "-D nat -A POSTROUTING ...", which iptables rejects; the table is selected with -t
ExecStop=/sbin/iptables -t nat -D POSTROUTING -o enp2s0 -j MASQUERADE
ExecStop=/sbin/iptables -D FORWARD -i tun0 -j ACCEPT
ExecStop=/sbin/iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
The server config is as follows:

Code:

server/server.conf 
;local 192.168.80.4
server 10.10.30.0 255.255.255.0
port 1194
proto udp
dev tun0
;
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
dh   /etc/openvpn/server/dh.pem
tls-crypt /etc/openvpn/server/tc.key
crl-verify /etc/openvpn/server/crl.pem
auth SHA512
cipher AES-256-CBC
;
topology subnet
# "server" already brings up tun0 with this subnet, so the connected route exists; an explicit route is redundant
;route 10.10.30.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;
# dhcp-option is a client-side option: on the server it reaches no client unless pushed (see the push lines below)
;dhcp-option DNS 10.10.30.1
;dhcp-option DNS 192.168.80.4
;
# the "local" flag omits the client's host route to the server address via its old gateway;
# the manual reserves it for clients on the same LAN as the server, so remote clients should not get it
push "redirect-gateway def1 bypass-dhcp"
;push "remote-gateway vpn_server_ip"
push "route 192.168.80.0 255.255.255.0"
# 10.10.30.1 is inside the tunnel subnet the client already has; a host route for it is redundant
;push "route 10.10.30.1 255.255.255.255"
push "dhcp-option DNS 10.10.30.1"
push "dhcp-option DNS 192.168.80.4"
push "dhcp-option DNS 8.8.8.8"
;
keepalive 10 120
# comp-lzo is deprecated; if it is removed, remove it on client and server together
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
#management localhost port /etc/openvpn/management-password
status      /var/log/openvpn-status.log
# log and log-append both name the log file; keep one
log-append  /var/log/openvpn.log
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
;mute 20
# was listed twice; once is enough
explicit-exit-notify 1
verb 5
And my client.conf:

Code:

client/iPH6PW.ovpn
client
dev tun
proto udp
remote wolke.myserver.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
# ns-cert-type is deprecated (removed in OpenVPN 2.5) and is covered by remote-cert-tls server above;
# it also fails verification whenever the server cert carries no nsCertType extension
;ns-cert-type server
cipher AES-256-CBC
# comp-lzo must match the server: remove it on both sides together or on neither
comp-lzo
ignore-unknown-option block-outside-dns
block-outside-dns
# the server already pushes redirect-gateway; this local copy is redundant but harmless
redirect-gateway def1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
--------
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-------
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
---------
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-------
-----END OpenVPN Static key V1-----
</tls-crypt>

Still not routing... and I simply am not finding out what is wrong :-( Any help is appreciated.
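TinCanTech's "make sure you have setup NAT", 300000's "check firewall rule" and the unit file in the post above all concern the same three kernel-side requirements: IPv4 forwarding switched on, a FORWARD chain that passes tun0 traffic out and the replies back, and source NAT on the upstream interface. As an added example (not from the thread, not the poster's unit and not OpenVPN code), this POSIX shell script checks each of them from a sysctl line and an iptables-save dump, so it runs offline against the constructed dumps at the bottom and, with `audit`, against the live host; `apply` installs the minimal rule set as root. The subnet 10.10.30.0/24, tun0 and enp2s0 are taken from the posted unit and are assumptions, as is the choice of iptables over nftables.

```shell
#!/bin/sh
# Added example for this thread, not the poster's unit file and not OpenVPN
# code: audit (and, as root with "apply", install) the three things a tun-mode
# OpenVPN server needs before it can route client traffic to the internet:
#   1. net.ipv4.ip_forward=1, otherwise the kernel drops forwarded packets;
#   2. a FORWARD chain that lets tun0 traffic out and replies back in;
#   3. source NAT (MASQUERADE) for the tunnel subnet on the upstream interface.
# Assumed from the posted unit, not verified on the page: tunnel subnet
# 10.10.30.0/24, tunnel device tun0, upstream interface enp2s0.
VPN_NET="${VPN_NET:-10.10.30.0/24}"
TUN_IF="${TUN_IF:-tun0}"
WAN_IF="${WAN_IF:-enp2s0}"

# check_forwarding SYSCTL_LINE: 0 when "sysctl net.ipv4.ip_forward" reports 1.
check_forwarding() {
    printf '%s\n' "$1" | grep -Eq '^net\.ipv4\.ip_forward *= *1$'
}

# check_masquerade DUMP NET IF: 0 when the nat table of an iptables-save dump
# has a POSTROUTING MASQUERADE rule for NET leaving IF. A rule with no -s at
# all also counts: it masquerades everything leaving IF, the subnet included.
check_masquerade() {
    printf '%s\n' "$1" | awk -v net="$2" -v ifc="$3" '
        /^\*/ { table = $1 }
        table == "*nat" && /^-A POSTROUTING / && /-j MASQUERADE/ {
            line = $0 " "
            if (index(line, " -o " ifc " ") &&
                (index(line, " -s ") == 0 || index(line, " -s " net " ")))
                found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# check_forward_chain DUMP TUN: 0 when the filter FORWARD chain has policy
# ACCEPT, or accepts packets arriving on TUN plus RELATED,ESTABLISHED replies.
check_forward_chain() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        /^\*/ { table = $1 }
        table == "*filter" && /^:FORWARD ACCEPT/ { policy_ok = 1 }
        table == "*filter" && /^-A FORWARD / && /-j ACCEPT/ {
            if (index($0 " ", " -i " tun " ")) out_ok = 1
            if ($0 ~ /RELATED,ESTABLISHED/) back_ok = 1
        }
        END { exit ((policy_ok || (out_ok && back_ok)) ? 0 : 1) }'
}

# audit: run the three checks against the live host (iptables-save needs root).
audit() {
    rc=0
    fwd=$(sysctl net.ipv4.ip_forward 2>/dev/null)
    dump=$(iptables-save 2>/dev/null)
    if check_forwarding "$fwd"; then echo "ok   ip_forward=1"
    else echo "FAIL ip_forward is 0: packets from $TUN_IF are dropped, NAT or not"; rc=1; fi
    if check_forward_chain "$dump" "$TUN_IF"; then echo "ok   FORWARD chain passes $TUN_IF traffic"
    else echo "FAIL FORWARD chain blocks $TUN_IF traffic or the replies"; rc=1; fi
    if check_masquerade "$dump" "$VPN_NET" "$WAN_IF"; then echo "ok   MASQUERADE for $VPN_NET on $WAN_IF"
    else echo "FAIL no MASQUERADE for $VPN_NET on $WAN_IF: replies never find their way back"; rc=1; fi
    return $rc
}

# apply: install exactly those three pieces, idempotently (iptables -C tests for
# an existing rule first). Persist ip_forward in /etc/sysctl.d to survive reboot.
apply() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -C POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
    iptables -C FORWARD -i "$TUN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT 2>/dev/null ||
        iptables -A FORWARD -i "$TUN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    iptables -C FORWARD -i "$WAN_IF" -o "$TUN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null ||
        iptables -A FORWARD -i "$WAN_IF" -o "$TUN_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Constructed iptables-save dumps for testing offline: one that passes, one
# with no NAT rule and a FORWARD chain that drops everything.
SAMPLE_DUMP_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.30.0/24 -o enp2s0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -s 10.10.30.0/24 -i tun0 -o enp2s0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'
SAMPLE_DUMP_NO_NAT='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
COMMIT'

case "${1:-}" in
    audit) audit ;;
    apply) apply ;;
esac
```

`sh vpn-nat-check.sh audit` prints one ok/FAIL line per requirement and exits non-zero on any FAIL. The unit file above never sets net.ipv4.ip_forward, so on that host the first check would fail unless something outside the unit enables it; the thread does not say whether it was enabled.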

pw44
OpenVpn Newbie
Posts: 13
Joined: Wed May 20, 2020 5:54 pm

Re: server client tun routing - no internet access - no routing

Post by pw44 » Sat Aug 08, 2020 9:19 pm

anyone? i really need help.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server client tun routing - no internet access - no routing

Post by TinCanTech » Sun Aug 09, 2020 1:27 am

I am available for hire: tincanteksup <at> gmail dot com

pw44
OpenVpn Newbie
Posts: 13
Joined: Wed May 20, 2020 5:54 pm

Re: server client tun routing - no internet access - no routing

Post by pw44 » Fri Aug 14, 2020 12:53 pm

Dear friends,

I finally gave up.

The main reason for using OpenVPN was because my older Apple devices (iPhone 5 and iPad 3) did not accept (f*ck Apple) the WireGuard app.

So, I tried the OpenVPN and AnyConnect apps, which install on those devices.

With ocserv I was able to use my certs, etc., and with OpenVPN I was also able to do it.

But I really could not find out why OpenVPN did not route correctly. AnyConnect does it and WireGuard also, and for both, the iptables rules did work without a glitch.

As the tries with OpenVPN are taking simply too long and without the desired results, I'm giving up. Yes, it worked from Linux desktop to Linux server, but I need it from Apple devices to Linux server, and I could not find out how.

So, good luck and goodbye.
