VPN established but local resources not available

Posted: Mon Feb 16, 2015 9:52 am
by siulman
Hello,

I wanted to use my last post to ask my next question on it but it was closed before I could write... maikcat is a very efficient guy! :D

The thing is that I have my VPN working right now, so I can SSH to my local resources, but I can't do several things:
1) Can't reach local resources over the browser
2) Can't access the internet
3) Can't connect over Samba to my local devices.

I suppose it's a config thing but I don't really know what to change... Could you help me?



My server configuration
root@raspberrypi:/var/log# cat /etc/openvpn/server.conf
local 192.168.1.120 # local IP address of your server
dev tun # VPN type: tun (IP tunnel) or tap (Ethernet/bridge tunnel)
proto udp # protocol to use: tcp or udp, usually udp
port 8080 # the default port for OpenVPN, adjust as needed
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/raspi.crt # adjust to your server
key /etc/openvpn/easy-rsa/keys/raspi.key # same
dh /etc/openvpn/easy-rsa/keys/dh1024.pem # if you stayed with 1024 bits, change it here
server 10.8.0.0 255.255.255.0 # the network from which you will assign IPs
ifconfig 10.8.0.1 10.8.0.2 # server and remote endpoint
push "redirect-gateway def1"
push "route 10.8.0.1 255.255.255.255" # route to the VPN server
push "route 10.8.0.0 255.255.255.0" # route to the VPN subnet
push "route 192.168.1.120 255.255.255.0" # local subnet - adapt to your server's local IP address
push "dhcp-option DNS 192.168.1.254" # your primary DNS server (often your router)
# you can also use Google DNS 8.8.8.8 or OpenDNS 208.67.222.222
# for the rest, a priori no reason to touch it unless you know what you are doing!
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1


Client configuration
root@raspberrypi:/var/log# cat /etc/openvpn/easy-rsa/keys/Default.txt
client
dev tun
proto udp
remote my_domaine.no-ip.org 8080
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
root@raspberrypi:/var/log#


My samba configuration on the server which is on the network (working when connected on LAN):

#======================= Global Settings =======================
[global]
workgroup = WORKGROUP
server string = %h server
dns proxy = no
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = yes
aio read size = 16384
aio write size = 16384
null passwords = no
local master = yes
time server = no
wins support = no

#======================= Share Definitions =======================

[Data]
read list =
write list = "siulman",@"siulman"
store dos attributes = no
force directory mode = 0775
guest ok = no
hide dot files = yes
ea support = no
inherit acls = yes
writable = yes
inherit permissions = no
printable = no
invalid users =
path = /media/97f93447-ec94-467a-821c-9745c9a46684//
force create mode = 0775
valid users = "siulman",@"siulman"
create mode = 0755
directory mode = 0755

Re: VPN established but local resources not available

Posted: Mon Feb 16, 2015 11:51 am
by maikcat
I wanted to use my last post to ask my next question on it but it was closed before I could write.
it's good practice to keep one issue per post ;)

first clean up your server config by removing these:

ifconfig 10.8.0.1 10.8.0.2 
push "route 10.8.0.1 255.255.255.255" # route vers le serveur VPN
push "route 10.8.0.0 255.255.255.0" # route vers le sous-réseau VPN
also this is wrong

push "route 192.168.1.120 255.255.255.0" 
when you push a route to a host you must use a 32-bit mask, like

push "route 192.168.1.120 255.255.255.255" 
to your questions now,
1) Can't reach local resources over the browser
browser? you mean network neighborhood style? if yes you will need to set up WINS,
broadcasts won't pass via the tunnel...
2) Can't access the internet
did you enable IP forwarding on your server?
post the output of
iptables -L -v
iptables -L -v -t nat

on your openvpn server

also you are pushing 192.168.1.254 as your DNS server, does .254 run DNS services?
3) Can't connect over Samba to my local devices.
device or devices? you mean the pi itself?

please clarify.

Michael.
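
As an added example (my own code, not from the thread or from OpenVPN), a small Python checker for the server-side mistakes Michael lists above: the ifconfig line that conflicts with the server directive, the pushed routes that already lie inside the VPN subnet, and a host route pushed with a /24 mask; it also flags redirect-gateway as a reminder that a full tunnel needs the IP forwarding and NAT rule he asks about. Both config strings are constructed from the posted server.conf, and the host-bits check relies on the ipaddress module's strict mode.

```python
import ipaddress

# Constructed sample modelled on the server.conf posted in this thread
# (same directives, same mistakes); not the poster's actual file.
POSTED_CONF = """\
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2
push "redirect-gateway def1"
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.1.120 255.255.255.0"
push "dhcp-option DNS 192.168.1.254"
"""

# The same config after the cleanup suggested above (also constructed).
CLEANED_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 192.168.1.120 255.255.255.255"
push "dhcp-option DNS 192.168.1.254"
"""

def parse_conf(text):
    """Yield (directive, argument string) pairs, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            head, rest = (line.split(None, 1) + [""])[:2]
            yield head, rest.strip().strip('"')  # push "route a b" -> route a b

def lint_server_conf(text):
    """Return findings for the server-side mistakes discussed in the thread."""
    entries = list(parse_conf(text))
    nets = [a.split() for d, a in entries if d == "server"]
    if not nets:
        return ["no 'server' directive: this is not a server config"]
    vpn_net = ipaddress.ip_network(f"{nets[0][0]}/{nets[0][1]}")
    findings = []
    for d, a in entries:
        if d == "ifconfig":
            findings.append("ifconfig: drop it, 'server' already assigns the tunnel addresses")
        elif d == "push" and a.startswith("redirect-gateway"):
            findings.append("redirect-gateway: full tunnel, so the server also needs "
                            "ip_forward=1 and a NAT (MASQUERADE) rule for the VPN subnet")
        elif d == "push" and a.startswith("route "):
            addr, mask = a.split()[1:3]
            try:
                # strict=True rejects an address that has host bits set under the mask
                target = ipaddress.ip_network(f"{addr}/{mask}", strict=True)
            except ValueError:
                lan = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                findings.append(f"push route {addr} {mask}: host bits set; use "
                                f"255.255.255.255 for that single host or "
                                f"{lan.network_address} {mask} for the whole subnet")
                continue
            if target.subnet_of(vpn_net):
                findings.append(f"push route {target}: redundant, it lies inside the "
                                f"VPN subnet {vpn_net} that 'server' already routes")
    return findings

if __name__ == "__main__":
    for finding in lint_server_conf(POSTED_CONF):
        print("-", finding)
    print("cleaned config:", lint_server_conf(CLEANED_CONF) or "no findings")
```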

Re: VPN established but local resources not available

Posted: Mon Feb 16, 2015 3:24 pm
by siulman
Hello,

Thank you for your answer.
I made all the changes that you said and here are the results:

- When I have my smartphone connected to a WIFI:
I can access my home servers via SSH
I can access my web services (on my LAN)
I can access the internet over my VPN
I can access a samba server and transfer files even if the speed is really poor: 90Kbs. My samba server upload is about 1Mbs. Do you know why?

--> So everything seems OK, except the transfer speed... :( ...with webdav (without VPN) it seems the same... strange...


- When I am connected to the 4G provider network with my smartphone:
I can access my home servers over SSH
I can NOT access the internet
I can NOT access my web services via web browser


It seems like the provider filters?? But how can I establish my VPN session and access my local servers over SSH? The tunnel is supposed to be filtered, so if I'm connected the rest should be OK... or not??

I'm shocked!

Re: VPN established but local resources not available

Posted: Mon Feb 16, 2015 4:25 pm
by maikcat
you didn't provide any answer to my questions...
did you enable IP forwarding on your server?
post the output of
iptables -L -v
iptables -L -v -t nat

on your openvpn server

also you are pushing 192.168.1.254 as your DNS server, does .254 run DNS services?
- When I have my smartphone connected to a WIFI:
I can access my home servers via SSH
I can access my web services (on my LAN)
I can access the internet over my VPN
I can access a samba server and transfer files even if the speed is really poor: 90Kbs. My samba server upload is about 1Mbs. Do you know why?
you connect via a wifi network OUTSIDE your openvpn server's LAN, right?
how do you verify that you access the internet over the tunnel and not via your local router?
the speed thing can be an MTU issue...
It seems like the provider filters??
if the connection is established then no, it can however limit the udp rate...

Michael.

Re: VPN established but local resources not available

Posted: Mon Feb 16, 2015 5:01 pm
by siulman
I'm sorry, I thought the answers were not important anymore because that partially worked. But let's see all of this:
did you enable IP forwarding on your server?
post the output of
iptables -L -v
iptables -L -v -t nat

on your openvpn server

also you are pushing 192.168.1.254 as your DNS server, does .254 run DNS services?

pi@raspberrypi ~ $ sudo iptables -L -v
Chain INPUT (policy ACCEPT 36985 packets, 21M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 13688 packets, 9143K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 30536 packets, 25M bytes)
 pkts bytes target     prot opt in     out     source               destination

pi@raspberrypi ~ $ sudo iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 3203 packets, 367K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1701 packets, 253K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1383 packets, 117K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1383 packets, 117K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1481  112K MASQUERADE  all  --  any    eth0    10.8.0.0/24          anywhere

pi@raspberrypi ~ $ cat /etc/network/interfaces
auto lo

iface lo inet loopback
iface eth0 inet dhcp
pre-up /etc/firewall-openvpn-rules.sh

allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

pi@raspberrypi ~ $ sudo cat /etc/firewall-openvpn-rules.sh
#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE



--> 192.168.1.254 is the provider router in my house which connects me to the internet. The DHCP service is on it. I suppose DNS too...

- When I have my smartphone connected to a WIFI:
I can access my home servers via SSH
I can access my web services (on my LAN)
I can access the internet over my VPN
I can access a samba server and transfer files even if the speed is really poor: 90Kbs. My samba server upload is about 1Mbs. Do you know why?

you connect via a wifi network OUTSIDE your openvpn server's LAN, right?
how do you verify that you access the internet over the tunnel and not via your local router?
the speed thing can be an MTU issue...
Of course, outside, wifi at work (maybe I should work instead... ;P).
It is pretty easy to verify: open a browser and type on Google: who is my IP? --> answer: my home IP.

I haven't set any MTU on the eth0, should I? Which one?

It seems like the provider filters??
if the connection is established then no, it can however limit the udp rate...


OK, that's reassuring... because as far as I know, when the VPN tunnel is established, no filtering can be done by the provider except, as you say, on the kind of connection, UDP vs TCP...
Should I try on a TCP port?
Is there any impact for my server in terms of load? (The Raspberry is not really strong...)

Re: VPN established but local resources not available

Posted: Mon Feb 16, 2015 6:07 pm
by siulman
Sorry...
but I don't know what I have done with the last post to duplicate it....

Update:

I have tried with TCP. It works now! So that means that my mobile network provider filters UDP... like you said. Thank you again.
I just need to solve my transfer rate now... which is really poor considering my home upload (1Mbs): I'm still on 80Kbs with a TCP connection....

I'm waiting for you to tell me about the MTU.

FYI: I have a Raspberry Pi working as VPN server and a server inside my LAN (with Samba server). I haven't set the MTU on either of them. Should I?
If yes, on which device? Which value?

The default IP MTU is 1500, that should be enough...

Re: VPN established but local resources not available

Posted: Tue Feb 17, 2015 7:08 am
by maikcat
--> 192.168.1.254 is the provider router in my house which connects me to the internet. The DHCP service is on it. I suppose DNS too...
if DHCP is on it, that doesn't mean that your router provides DNS services as well,
but in your case if it works then maybe your router does DNS relay; other routers
assign (via their DHCP) your ISP's DNS.
I have tried with TCP. It works now! So that means that my mobile network provider filters UDP
using tcp is not a very good choice but if udp is filtered/limited then you can go ahead and use it...
I can access a samba server and transfer files even if the speed is really poor: 90Kbs. My samba server upload is about 1Mbs. Do you know why?
need to clarify this,

your upload speed is 1mbps and your upload speed via the vpn is 90kb/s (kb per sec) or 90kbps?

if you have an MTU issue ALL transfers will suffer...

Michael.

Re: VPN established but local resources not available

Posted: Tue Feb 17, 2015 8:57 am
by siulman
--> 192.168.1.254 is the provider router in my house which connects me to the internet. The DHCP service is on it. I suppose DNS too...
if DHCP is on it, that doesn't mean that your router provides DNS services as well,
but in your case if it works then maybe your router does DNS relay; other routers
assign (via their DHCP) your ISP's DNS.
I have tried with TCP. It works now! So that means that my mobile network provider filters UDP
using tcp is not a very good choice but if udp is filtered/limited then you can go ahead and use it...
Why not?
As I asked, is there any impact on my Raspberry in terms of load? Is it less secure?

I can access a samba server and transfer files even if the speed is really poor: 90Kbs. My samba server upload is about 1Mbs. Do you know why?
need to clarify this,

your upload speed is 1mbps and your upload speed via the vpn is 90kb/s (kb per sec) or 90kbps?

if you have an MTU issue ALL transfers will suffer...

Michael.
When I make a speed test on the internet at home, I have:
20Mb/s download speed rate
1Mb/s upload speed rate

So, that means that I should transfer at least at 1Mb/s, or not???

What can I do? If MTU is the solution, can you give me some clues?

Thanks!

Re: VPN established but local resources not available

Posted: Tue Feb 17, 2015 9:54 am
by maikcat
Why not?
As I asked, is there any impact on my Raspberry in terms of load? Is it less secure?
tunneling tcp-over-tcp is a bad idea,
search for something called tcp meltdown...

to test your upload (from openvpn server to client) please do something simple like an
ftp or sftp transfer and check its speed..

then we talk about MTU...

Michael.

Re: VPN established but local resources not available

Posted: Tue Feb 17, 2015 4:25 pm
by siulman
tunneling tcp-over-tcp is a bad idea,
search for something called tcp meltdown...
I'm afraid that I've got no choice here... hope that will be fine... :(
to test your upload (from openvpn server to client) please do something simple like an
ftp or sftp transfer and check its speed..

then we talk about MTU...

Michael.
I have tested with FTP over VPN, it's about 90 Kb/s. I didn't realize it, but I think it is actually pretty normal... I have 1Mb/s upload when I do some speed tests on the net, but the thing is the provider only guarantees 10% of the contracted rate, which is approx. 100Kb/s, and that's what I have.....


--> I have two new questions:
1) how can I configure split tunneling on the server configuration in order to use my VPN tunnel only for my home network (192.168.1.x/24)?
2) is it possible to have a clientless OpenVPN via web browser?

Re: VPN established but local resources not available

Posted: Tue Feb 17, 2015 5:15 pm
by maikcat
--> I have two new questions:
:roll:
1) how can I configure split tunneling on the server configuration in order to use my VPN tunnel only for my home network (192.168.1.x/24) ?
split tunneling?
can you be more specific on what you want to do?

2) is it possible to have a clientless OpenVPN via web browser?
nope

Michael.

Re: VPN established but local resources not available

Posted: Tue Feb 17, 2015 5:40 pm
by siulman
split tunneling?
can you be more specific on what you want to do?
The only communication through the tunnel would be the packets to join my private LAN (192.168.1.X/24).
The other packets would pass out of the tunnel.

Re: VPN established but local resources not available

Posted: Tue Feb 17, 2015 6:28 pm
by Traffic
siulman wrote: The only communication through the tunnel would be the packets to join my private LAN (192.168.1.X/24).
Server - remove:

push "redirect-gateway def1" ## Delete me ##

Re: VPN established but local resources not available

Posted: Tue Feb 17, 2015 7:52 pm
by siulman
Traffic wrote:
siulman wrote: The only communication through the tunnel would be the packets to join my private LAN (192.168.1.X/24).
Server - remove:

push "redirect-gateway def1" ## Delete me ##
Do I have to pass this command?

Re: VPN established but local resources not available

Posted: Wed Feb 18, 2015 8:50 am
by siulman
I have a problem....
When I upload a file via FTP over my VPN connection to my server,
it starts well and after a while (about 10 seconds) the transfer stays frozen... I'm getting disconnected from my session. Is that the "tcp meltdown" phenomenon??? Is there any solution?? grrr!

Edit: Same problem if I try over an SSH tunnel from my PC... so I suppose it is not tcp meltdown :S
Part of the files is actually transferred well until I'm getting disconnected. No problem downloading, just uploading...

Edit2: No problem with Samba over VPN uploading the same file. Could it be the TCP window of FTP which saturates the session?

Re: VPN established but local resources not available

Posted: Wed Feb 18, 2015 9:27 am
by maikcat
same behaviour if you use sftp?

Michael.

Re: VPN established but local resources not available

Posted: Wed Feb 18, 2015 10:06 am
by siulman
maikcat wrote: same behaviour if you use sftp?

Michael.
OK, that's fun.

I changed the FTP config on my server with timeout "0" and more sessions per host available (10) and now:

1) Upload with FileZilla from my PC over SSH tunnel (SOCKS proxy) is OK, with an even better rate than at home on the local WIFI LAN (that's another discussion)
2) Upload with FTP over OpenVPN with my smartphone NOT OK: still frozen after a while
--> I have tried with another client and same problem, timeout after a while.... :S

3) Upload with Samba over OpenVPN with my smartphone OK (but the rates are worse than FTP on my PC).

Note: local FTP is OK too... the problem is really through the VPN....

Re: VPN established but local resources not available

Posted: Fri Feb 20, 2015 12:39 pm
by siulman
Any idea?? :S
Thanks...

Re: VPN established but local resources not available

Posted: Fri Feb 20, 2015 7:34 pm
by Traffic
If your VPN is connected and you can ping the required hosts then it is probably not OpenVPN at fault ..