Trouble getting internet connection through VPN on Ubuntu 13

This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.

Moderators: TinCanTech

Forum rules
Please visit (and READ) the OpenVPN HowTo http://openvpn.net/howto prior to asking any questions in here!
vpnnoob
OpenVpn Newbie
Posts: 5
Joined: Fri Aug 23, 2013 6:30 am

Trouble getting internet connection through VPN on Ubuntu 13

Post by vpnnoob » Fri Aug 23, 2013 6:08 pm

As my name implies this is my first time working with OpenVPN and I've been having some trouble getting it to function. I followed these two guides for setting up openvpn in bridged mode:

https://help.ubuntu.com/community/OpenVPN
http://www.slsmk.com/installing-openvpn ... ver-12-04/

My server is running Ubuntu 13.04 and the only client that I've been testing is on Windows 8.1. Your help would be appreciated and please let me know if there is anything that is missing from my post that could help diagnose the issue. Here are the relevant configs:

IP addresses have been changed to protect the innocent.

Code:

$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo br0
iface lo inet loopback

auto eth0
iface br0 inet static
        address 198.123.123.123
        netmask 255.255.255.0
        network 198.123.123.0
        broadcast 198.123.123.255
        gateway 198.123.123.254
        bridge_ports eth0

iface eth0 inet manual
        up ifconfig $IFACE 0.0.0.0 up
        up ip link set $IFACE up promisc on
        down ip link set $IFACE down promisc off
        down ifconfig $IFACE down

I omitted IPv6 settings from the above. Server configuration:

Code:

$ cat /etc/openvpn/server.conf
mode server
tls-server

local 198.123.123.123
port 1194
proto udp

dev tap0
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"

persist-key
persist-tun

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0

cipher BF-CBC
comp-lzo

ifconfig-pool-persist ipp.txt
server-bridge 192.168.144.10 255.255.255.0 192.168.144.100 192.168.144.110
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DOMAIN example.com"
max-clients 10

user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
log openvpn.log
verb 6

Client configuration:

Code:

client

dev tap
remote 198.123.123.123 1194
nobind
resolv-retry infinite

persist-key
persist-tun

ca ca.crt
cert bro.crt
key bro.key
tls-auth ta.key 1
cipher BF-CBC
comp-lzo

verb 3

Up and down scripts:

Code:

$ cat /etc/openvpn/up.sh /etc/openvpn/down.sh
#!/bin/sh

BR=$1
DEV=$2
MTU=$3
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/sbin/brctl addif $BR $DEV
#!/bin/sh

BR=$1
DEV=$2

/sbin/brctl delif $BR $DEV
/sbin/ip link set "$DEV" down

Also, I do have ipv4 forwarding enabled:

Code:

$ cat /proc/sys/net/ipv4/ip_forward
1
$ cat /etc/sysctl.conf | grep ip_forward
net.ipv4.ip_forward=1

And iptables rules according to the HOWTO:

Code:

sudo iptables -A INPUT -i tap0 -j ACCEPT
sudo iptables -A INPUT -i br0 -j ACCEPT
sudo iptables -A FORWARD -i br0 -j ACCEPT

And this one for the NAT:

Code:

sudo iptables -t nat -A POSTROUTING -s 192.168.144.0/24 -o eth0 -j MASQUERADE

Unfortunately, it doesn't seem to work. Here is the connection log:

Code:

C:\Program Files\OpenVPN\config>..\bin\openvpn.exe config.ovpn
Fri Aug 23 00:37:36 2013 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug  8 2013
Fri Aug 23 00:37:36 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Aug 23 00:37:37 2013 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Fri Aug 23 00:37:37 2013 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 23 00:37:37 2013 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 23 00:37:37 2013 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Aug 23 00:37:37 2013 UDPv4 link local: [undef]
Fri Aug 23 00:37:37 2013 UDPv4 link remote: [AF_INET]198.123.123.123:1194
Fri Aug 23 00:37:37 2013 TLS: Initial packet from [AF_INET]198.123.123.123:1194, sid=19b61074 6330d0f3
Fri Aug 23 00:37:37 2013 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Fri Aug 23 00:37:37 2013 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Fri Aug 23 00:37:38 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Aug 23 00:37:38 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 23 00:37:38 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Aug 23 00:37:38 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Aug 23 00:37:38 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Aug 23 00:37:38 2013 [changeme] Peer Connection Initiated with [AF_INET]198.123.123.123:1194
Fri Aug 23 00:37:41 2013 SENT CONTROL [changeme]: 'PUSH_REQUEST' (status=1)
Fri Aug 23 00:37:41 2013 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DOMAIN example.com,route-gateway 192.168.144.10,ping 10,ping-restart 120,ifconfig 192.168.144.100 255.255.255.0'
Fri Aug 23 00:37:41 2013 OPTIONS IMPORT: timers and/or timeouts modified
Fri Aug 23 00:37:41 2013 OPTIONS IMPORT: --ifconfig/up options modified
Fri Aug 23 00:37:41 2013 OPTIONS IMPORT: route-related options modified
Fri Aug 23 00:37:41 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Aug 23 00:37:41 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Aug 23 00:37:41 2013 open_tun, tt->ipv6=0
Fri Aug 23 00:37:41 2013 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{428F9DD0-5EBA-427F-B963-CB4426370218}.tap
Fri Aug 23 00:37:41 2013 TAP-Windows Driver Version 9.9
Fri Aug 23 00:37:41 2013 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.144.100/255.255.255.0 on interface {428F9DD0-5EBA-427F-B963-CB4426370218} [DHCP-serv: 192.168.144.0, lease-time: 31536000]
Fri Aug 23 00:37:41 2013 Successful ARP Flush on interface [12] {428F9DD0-5EBA-427F-B963-CB4426370218}
Fri Aug 23 00:37:46 2013 TEST ROUTES: 0/0 succeeded len=0 ret=1 a=0 u/d=up
Fri Aug 23 00:37:46 2013 Initialization Sequence Completed

And the state of the network on the client after connection attempt (removed useless cruft):

Code:

PS C:\Windows\system32> ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : example.com
   Link-local IPv6 Address . . . . . : blah::4
   IPv4 Address. . . . . . . . . . . : 192.168.144.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Tunnel adapter isatap.example.com:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : example.com

So it seems like I'm not getting a gateway.. And on the server:

Code:

~$ sudo ifconfig
br0       Link encap:Ethernet  HWaddr 38:60:77:4f:e0:16
          inet addr:198.123.123.123  Bcast:198.123.123.255  Mask:255.255.255.0
          inet6 addr: blah/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1458 errors:0 dropped:0 overruns:0 frame:0
          TX packets:791 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:190830 (190.8 KB)  TX bytes:124097 (124.0 KB)

eth0      Link encap:Ethernet  HWaddr 38:60:77:4f:e0:16
          inet6 addr: blah::1/64 Scope:Global
          inet6 addr: blah/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1181 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:189957 (189.9 KB)  TX bytes:164121 (164.1 KB)
          Interrupt:20 Memory:fe500000-fe520000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:335 errors:0 dropped:0 overruns:0 frame:0
          TX packets:335 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:38679 (38.6 KB)  TX bytes:38679 (38.6 KB)

tap0      Link encap:Ethernet  HWaddr 62:36:08:66:18:8e
          inet6 addr: blah/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:387 errors:0 dropped:0 overruns:0 frame:0
          TX packets:198 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:35097 (35.0 KB)  TX bytes:21729 (21.7 KB)

I've tried pinging the gateway from the client (ping 192.168.144.10) and all requests time out. Same for pinging the client IP (192.168.144.100) from the server.

So that's where I'm at.. Any ideas would be much appreciated.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Trouble getting internet connection through VPN on Ubunt

Post by maikcat » Tue Aug 27, 2013 11:54 am

what you are trying to do is wrong...

in bridging mode you bridge tap0 & eth0 forming br0 and you
assign your clients ips from br0 network range...

so assigning ips from 192.168.144.0/24 range when your br0 is a public ip
doesn't make any sense at all....

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

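The mismatch described in the reply above can be checked mechanically. This is an added example, not part of the original posts: a POSIX shell check (function names are hypothetical) that tests whether the addresses on a server-bridge line fall inside the bridge interface's subnet, run on the br0 address and server-bridge line from the first post.

```shell
#!/bin/sh
# Added example: does a server-bridge line hand out addresses from the
# bridge interface's own subnet? Function names are hypothetical.

# Convert a dotted quad to a 32-bit integer; fails on malformed input.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# same_subnet IP1 IP2 NETMASK: true when both addresses share the network.
same_subnet() {
    a=$(ip_to_int "$1") && b=$(ip_to_int "$2") && m=$(ip_to_int "$3") || return 2
    [ $(( a & m )) -eq $(( b & m )) ]
}

# check_server_bridge BRIDGE_IP BRIDGE_MASK "server-bridge GW MASK START END"
# Prints one MISMATCH line per problem; returns 0 only if everything fits.
check_server_bridge() {
    br_ip=$1; br_mask=$2
    set -- $3
    if [ "$1" != "server-bridge" ] || [ $# -ne 5 ]; then
        echo "ERROR: expected a server-bridge line with four arguments"
        return 2
    fi
    status=0
    for addr in "$2" "$4" "$5"; do      # gateway, pool start, pool end
        if ! same_subnet "$br_ip" "$addr" "$br_mask"; then
            echo "MISMATCH: $addr is outside the subnet of $br_ip/$br_mask"
            status=1
        fi
    done
    if [ "$3" != "$br_mask" ]; then
        echo "MISMATCH: netmask $3 differs from bridge netmask $br_mask"
        status=1
    fi
    return $status
}

# Values from the first post: br0 address/netmask and the server-bridge line.
check_server_bridge 198.123.123.123 255.255.255.0 \
    "server-bridge 192.168.144.10 255.255.255.0 192.168.144.100 192.168.144.110" \
    || echo "bridged pool does not match br0: use routed mode or a pool from br0's range"
```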

Re: Trouble getting internet connection through VPN on Ubunt

Post by vpnnoob » Wed Aug 28, 2013 5:16 am

Thanks for the reply. Any suggested change in the configuration then? I only have one NIC and the router on the server isn't really under my control as it's a dedicated server. Should I be looking at route mode instead?

What I was aiming for was to use the NAT created by iptables to redirect all traffic from 192.168.144.0/24 to the public ip.

Thanks again!

Re: Trouble getting internet connection through VPN on Ubunt

Post by maikcat » Wed Aug 28, 2013 6:22 am

vpnnoob wrote:
Should I be looking at route mode instead?

yeap 8-)

also use
push "redirect-gateway def1"
on your server config, then add an iptables rule for NAT.

Michael.

Re: Trouble getting internet connection through VPN on Ubunt

Post by vpnnoob » Thu Aug 29, 2013 10:54 pm

Okay, thanks again. Will report back when/if I get it running.

Just for further clarification, there is no simple way to set up bridge mode if I don't have control of the server router?

Re: Trouble getting internet connection through VPN on Ubunt

Post by maikcat » Fri Aug 30, 2013 6:21 am

vpnnoob wrote:
there is no simple way to set up bridge mode if I don't have control of the server router?

why would you need control of server router?

Michael.

Re: Trouble getting internet connection through VPN on Ubunt

Post by vpnnoob » Fri Aug 30, 2013 6:22 pm

maikcat wrote:
there is no simple way to set up bridge mode if I don't have control of the server router?
why would you need control of server router?

Michael.

Let me rephrase my question: is there any way I can get bridge mode working given that I have only one NIC and my eth0 has a public facing IP?

Re: Trouble getting internet connection through VPN on Ubunt

Post by maikcat » Sun Sep 01, 2013 10:04 am

vpnnoob wrote:
is there any way I can get bridge mode working given that I have only one NIC and my eth0 has a public facing IP?

you can set up bridging by giving out PUBLIC ips (if you have a public ip range available on your eth0)
otherwise no.....you need routing based mode.

Michael.

Re: Trouble getting internet connection through VPN on Ubunt

Post by vpnnoob » Wed Sep 04, 2013 5:08 pm

maikcat wrote:
is there any way I can get bridge mode working given that I have only one NIC and my eth0 has a public facing IP?
you can set up bridging by giving out PUBLIC ips (if you have a public ip range available on your eth0)
otherwise no.....you need routing based mode.

Michael.

Ah, okay, understood. Unfortunately I only have one IP assigned.

Thanks again!
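
The routed setup recommended in this thread, as an added example that is not part of the original posts: a shell function (to_routed and sample_conf are hypothetical names) that rewrites the bridge-specific lines of the posted server.conf. The tunnel subnet 10.8.0.0/24 is an assumption; any private range not otherwise in use works.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite the bridged server.conf
# posted above into routed mode. 10.8.0.0/24 is an assumed tunnel subnet.

# to_routed NET MASK BRIDGE < bridged.conf   -> routed config on stdout
to_routed() {
    awk -v net="$1" -v mask="$2" -v br="$3" '
        # Routed mode uses a layer-3 tun device instead of the bridged tap.
        $1 == "dev" && $2 ~ /^tap/ { print "dev tun"; next }
        # Drop the up/down hooks that attach the tap device to the bridge.
        ($1 == "up" || $1 == "down") && index($0, br) { next }
        # Replace the bridge pool with a private tunnel subnet and push the
        # default route, as recommended in the thread.
        $1 == "server-bridge" {
            print "server " net " " mask
            print "push \"redirect-gateway def1\""
            next
        }
        { print }
    '
}

# Constructed input: the bridge-related lines of the posted server.conf.
sample_conf() {
    cat <<'EOF'
dev tap0
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
server-bridge 192.168.144.10 255.255.255.0 192.168.144.100 192.168.144.110
push "dhcp-option DNS 8.8.8.8"
EOF
}

sample_conf | to_routed 10.8.0.0 255.255.255.0 br0
```

The MASQUERADE rule then needs -s 10.8.0.0/24, and -o must name the interface that holds the public address: br0 while the bridge from /etc/network/interfaces is in place, eth0 once it is removed. The client config needs the same change from dev tap to dev tun.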
