OpenVPN Support Forum

Posted: **Thu Aug 04, 2011 12:35 pm**

Hello,

The answer I got:

Hello,

sorry - but any kind of own iptables rules are not set able with our vservers.

Mit freundlichen Grüßen
Alvotech Support-Team

What can I do?

Posted: **Thu Aug 04, 2011 12:46 pm**

I just realized, something fundamental and basic is missing from the server.conf.

Add this:

Code: Select all

push "redirect-gateway def1"

Assuming your server.conf is still same as #p14224

Posted: **Sat Aug 06, 2011 8:26 am**

Bebop wrote:I just realized, something fundamental and basic is missing from the server.conf.

Add this:
Code: Select all
push "redirect-gateway def1"
Assuming your server.conf is still same as #p14224

There was already this line, because you have already told me

Bebop wrote:I forgot about you have no iptables. Not to worry.

add this to server.conf:
Code: Select all
push "redirect-gateway def1"
After this *maybe* one more step, that is masquerade or snat.

Code: Select all

log /etc/openvpn/openvpn.log

port 1194
proto udp

dev tun1280-76
server 10.0.1.0 255.255.255.0


ifconfig-noexec

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem

verb 3

keepalive 10 120
comp-lzo

push "redirect-gateway def1"

I do not know what to do.

Posted: **Sat Aug 06, 2011 9:14 am**

Your host provider said this:

comeback wrote:we have a lot of customers there are using OpenVPN with our vservers, it's possible.

Then they said this:

sorry - but any kind of own iptables rules are not set able with our vservers.

I can't make sense why its not working, except a firewall issue.

Let see if this is right: you can connect to vpn, you can ping vpn, but you can't get the vpn IP when you pass through the tunnel?

to me it looks like firewall / masquerade / snat issue. Maybe your provider can provider alternate answer.

Posted: **Sat Aug 06, 2011 10:17 am**

Yes that's right, here's what I get when I connect to my VPN.

Maybe this can help you:

Code: Select all

Sat Aug 06 12:10:18 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Sat Aug 06 12:10:18 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Aug 06 12:10:18 2011 LZO compression initialized
Sat Aug 06 12:10:18 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Aug 06 12:10:18 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Aug 06 12:10:18 2011 Local Options hash (VER=V4): '41690919'
Sat Aug 06 12:10:18 2011 Expected Remote Options hash (VER=V4): '530fdded'
Sat Aug 06 12:10:18 2011 UDPv4 link local: [undef]
Sat Aug 06 12:10:18 2011 UDPv4 link remote: XXX.X.XXX.XXX:1194
Sat Aug 06 12:10:18 2011 TLS: Initial packet from XXX.X.XXX.XXX:1194, sid=6b13fa4b 92c1c9d0
Sat Aug 06 12:10:18 2011 VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston_CA/emailAddress=x@x.com
Sat Aug 06 12:10:18 2011 VERIFY OK: nsCertType=SERVER
Sat Aug 06 12:10:18 2011 VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=x@x.com
Sat Aug 06 12:10:19 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Aug 06 12:10:19 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 06 12:10:19 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Aug 06 12:10:19 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 06 12:10:19 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Aug 06 12:10:19 2011 [server] Peer Connection Initiated with XXX.X.XXX.XXX:1194
Sat Aug 06 12:10:20 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Aug 06 12:10:20 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.0.1.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.1.6 10.0.1.5'
Sat Aug 06 12:10:20 2011 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: topology (2.0.9)
Sat Aug 06 12:10:20 2011 OPTIONS IMPORT: timers and/or timeouts modified
Sat Aug 06 12:10:20 2011 OPTIONS IMPORT: --ifconfig/up options modified
Sat Aug 06 12:10:20 2011 OPTIONS IMPORT: route options modified
Sat Aug 06 12:10:20 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Aug 06 12:10:20 2011 TAP-WIN32 device [Connexion au réseau local 10] opened: \\.\Global\{80C0F286-CF53-4F2C-9B57-A0D701097A6A}.tap
Sat Aug 06 12:10:20 2011 TAP-Win32 Driver Version 8.4 
Sat Aug 06 12:10:20 2011 TAP-Win32 MTU=1500
Sat Aug 06 12:10:20 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.0.1.6/255.255.255.252 on interface {80C0F286-CF53-4F2C-9B57-A0D701097A6A} [DHCP-serv: 10.0.1.5, lease-time: 31536000]
Sat Aug 06 12:10:20 2011 NOTE: FlushIpNetTable failed on interface [43] {80C0F286-CF53-4F2C-9B57-A0D701097A6A} (status=5) : Accès refusé.  
Sat Aug 06 12:10:20 2011 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Sat Aug 06 12:10:20 2011 Route: Waiting for TUN/TAP interface to come up...
Sat Aug 06 12:10:21 2011 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Sat Aug 06 12:10:21 2011 route ADD XXX.X.XXX.XXX MASK 255.255.255.255 192.168.1.1
Sat Aug 06 12:10:21 2011 ROUTE: route addition failed using CreateIpForwardEntry: Un ou plusieurs arguments sont incorrects.   [if_index=35]
Sat Aug 06 12:10:21 2011 Route addition via IPAPI failed
Sat Aug 06 12:10:21 2011 route ADD 0.0.0.0 MASK 128.0.0.0 10.0.1.5
Sat Aug 06 12:10:21 2011 ROUTE: route addition failed using CreateIpForwardEntry: Un ou plusieurs arguments sont incorrects.   [if_index=43]
Sat Aug 06 12:10:21 2011 Route addition via IPAPI failed
Sat Aug 06 12:10:21 2011 route ADD 128.0.0.0 MASK 128.0.0.0 10.0.1.5
Sat Aug 06 12:10:21 2011 ROUTE: route addition failed using CreateIpForwardEntry: Un ou plusieurs arguments sont incorrects.   [if_index=43]
Sat Aug 06 12:10:21 2011 Route addition via IPAPI failed
Sat Aug 06 12:10:21 2011 route ADD 10.0.1.1 MASK 255.255.255.255 10.0.1.5
Sat Aug 06 12:10:21 2011 ROUTE: route addition failed using CreateIpForwardEntry: Un ou plusieurs arguments sont incorrects.   [if_index=43]
Sat Aug 06 12:10:21 2011 Route addition via IPAPI failed
Sat Aug 06 12:10:21 2011 Initialization Sequence Completed

I saw that there was more error message

Merci

Posted: **Sat Aug 06, 2011 7:07 pm**

Sorry to dissapoint you, but on vserver even bringing up OpenVPN, you cant use it to redirect client internet traffic thru OpenVPN server. As stated here http://linux-vserver.org/Frequently_Ask ... tables_.3F

Can I use iptables ?
Yes but right now only on the host (rootserver). Please realize that all traffic is local and will not touch the forward chain.
If you really, really, really need iptables on the guest and you are aware about loosing a big part of VServer isolation and security you could add the NET_ADMIN capability. Consider writing wrappers to manage iptables on the host instead.

Althought it may be possible using that net_admin as the stated, but I'm not sure, must be tested what that net_admin is.

Are you using WIndows 7? You have to run OpenVPN as administrator and as elevated user, i.e. right click -> run as administrator.

Also in server.conf you must use:

Code: Select all

server 10.0.1.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.0.1.1"

Its good that you use in server.conf:

Code: Select all

ifconfig-noexec

Because OpenVPN cant set tun interface parameters.

Also you already done this:

Code: Select all

# ip link set dev tun1280-76 txqueuelen 100
# ifconfig tun1280-76 10.0.1.1 pointopoint 10.0.1.2 mtu 1500
# route add -net 10.0.1.0 netmask 255.255.255.0 gw 10.0.1.2

To enable NET_ADMIN may be this must be done:

Code: Select all

>echo "NET_ADMIN" >> /etc/vservers/<your vserver name>/bcapabilities

This may not work so you will have to ask admin stuff for this.

Well may be they pre-configured your tun interface with ip 10.0.1.33 so using

Code: Select all

server 10.0.1.33 255.255.255.252

is good, and the ip pool will be 33-34 - enoth to connect one client.

Talk to vserver admin stuff about masquarading. Without it, client cant use VPS internet conenction to access internet.

Posted: **Sun Aug 07, 2011 2:30 am**

Thanks for looking into in this Mimiko. Great analysis and advice too. comeback, I do agree with Mimiko on this, so I dare say its really good advice to be following.

Posted: **Sun Aug 14, 2011 4:03 pm**

Hello,

I tried, but it does not work.

I decided to buy a new VPS to 15 € for one year.

The configuration is:

•128MB guaranteed/256MB burstable memory
•15GB storage
•1TB/month data transfer
•OpenVZ/SolusVM

I used the automated script which is the Internet address:

http://www.putdispenserhere.com/openvpn ... or-openvz/

It works perfectly.

Really thank you for your help.

It did not work, but you never give up.

MERCI

Posted: **Sun Aug 14, 2011 11:17 pm**

Also you didn't give up. Congrats on the new setup. Enjoy.

OpenVPN Support Forum

linux-vserver

Re: linux-vserver

Re: linux-vserver

Re: linux-vserver

Re: linux-vserver

Re: linux-vserver

Re: linux-vserver

Re: linux-vserver

Re: linux-vserver

Re: linux-vserver