OpenVPN and Obfsproxy network problems.

[mabo]

Hi,

I am trying to setup my OpenVPN client/server to use the obfsproxy and I have run into a few problems.

The client/server setup has been working fine before trying the obfsproxy.

I have reached a point where I can connect to my server through the obfsproxy but then unable to connect to outside addresses, example unable to ping 8.8.8.8 ...

The connection will then disconnect after about a minute "Inactivity timeout", which is weird because "--inactive" is off by default, I also tried explicitly set "--inactive 0" but still it times out, presumably this won't be a problem when I am able to connect to external addresses.

The DNS server IP's are pushed and updated as expected, checked /etc/resolv.conf is changing as expected.

I think maybe I have routing problem, but not sure how to test the theory ...

Any suggestions how to check routing is setup correctly would be very much appreciated ...

Server side setup ---

VPN_Server_IP = A.B.C.D

tried both of these ...

Code: Select all

obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 --dest=127.0.0.1:1194 server 0.0.0.0:21194 &

Code: Select all

obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 --dest=127.0.0.1:1194 server A.B.C.D:21194 &

firewall setup

Code: Select all

iptables -A INPUT -i eth0 -p tcp -m --dport 21194 -j ACCEPT

tcp.conf

Code: Select all

port 1194

server netstat -rn

Code: Select all

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         A.B.C.254       0.0.0.0         UG        0 0          0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun1
A.B.C.0         0.0.0.0         255.255.255.0   U         0 0          0 eth0

Client side setup ---

Code: Select all

obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 socks 127.0.0.1:10194 &

client.conf, changes ...

Code: Select all

remote  VPN_Server_IP 21194
proto tcp
socks-proxy 127.0.0.1 10194
socks-proxy-retry

client netstat -rn

Code: Select all

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.34       0.0.0.0         UG        0 0          0 tun0
0.0.0.0         172.31.8.1      0.0.0.0         UG        0 0          0 wlan0
10.8.0.1        10.8.0.34       255.255.255.255 UGH       0 0          0 tun0
10.8.0.33       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.8.0.34       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
127.0.0.1       172.31.8.1      255.255.255.255 UGH       0 0          0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlan0

client ifconfig

Code: Select all

eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether ec:f4:bb:65:ea:ad  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7800000-f7820000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 4297  bytes 501861 (490.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4297  bytes 501861 (490.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.33  netmask 255.255.255.255  destination 10.8.0.34
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 36  bytes 2649 (2.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.31.8.210  netmask 255.255.248.0  broadcast 172.31.15.255
        inet6 fe80::3ea9:f4ff:fea7:da8c  prefixlen 64  scopeid 0x20<link>
        ether 3c:a9:f4:a7:da:8c  txqueuelen 1000  (Ethernet)
        RX packets 28206  bytes 4168156 (3.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4505  bytes 688565 (672.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[Traffic]

Your routing looks normal .. Please post your sanitized Openvpn configs and logs.

[mabo]

Thanks for taking an interest in the problem.

server.conf

Code: Select all

port 1194
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpn.myask.crt
key /etc/openvpn/vpn.myask.key  # This file should be kept secret 
dh /etc/openvpn/dh2048.pem 
server 10.8.0.0 255.255.255.0 
client-config-dir ccd 
push "redirect-gateway"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret
cipher AES-128-CBC   # AES
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
tls-timeout 60
hand-window 120
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 3
#mute 3

server openvpn.log

Code: Select all

Thu Sep 17 21:18:16 2015 MULTI: multi_create_instance called 
Thu Sep 17 21:18:16 2015 Re-using SSL/TLS context 
Thu Sep 17 21:18:16 2015 LZO compression initialized 
Thu Sep 17 21:18:16 2015 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Thu Sep 17 21:18:16 2015 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Sep 17 21:18:16 2015 Local Options hash (VER=V4): 'a642654b'
Thu Sep 17 21:18:16 2015 Expected Remote Options hash (VER=V4): '0bdd0804'
Thu Sep 17 21:18:16 2015 TCP connection established with [AF_INET]127.0.0.1:53950
Thu Sep 17 21:18:16 2015 TCPv4_SERVER link local: [undef] 
Thu Sep 17 21:18:16 2015 TCPv4_SERVER link remote [AF_INET]127.0.0.1:53950
Thu Sep 17 21:18:16 2015 127.0.0.1:53950 TLS: Initial packet from [AF_INET]127.0.0.1:53950, sid=ddf0950d 112234c3 
Thu Sep 17 21:18:22 2015 127.0.0.1:53950 VERIFY OK: depth=1, /CN=myask/name=myask 
Thu Sep 17 21:18:22 2015 127.0.0.1:53950 VERIFY OK: depth=0, /CN=c8.myask 
Thu Sep 17 21:18:24 2015 127.0.0.1:53950 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key 
Thu Sep 17 21:18:24 2015 127.0.0.1:53950 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication 
Thu Sep 17 21:18:24 2015 127.0.0.1:53950 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key 
Thu Sep 17 21:18:24 2015 127.0.0.1:53950 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication 
Thu Sep 17 21:18:26 2015 127.0.0.1:53950 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA 
Thu Sep 17 21:18:26 2015 127.0.0.1:53950 [c8.myask] Peer Connection Initiated with [AF_INET]127.0.0.1:53950 
Thu Sep 17 21:18:26 2015 c8.myask/127.0.0.1:53950 OPTIONS IMPORT: reading client specific options from: ccd/c8.myask 
Thu Sep 17 21:18:26 2015 c8.myask/127.0.0.1:53950 MULTI: Learn: 10.8.0.33 -> c8.myask/127.0.0.1:53950
Thu Sep 17 21:18:26 2015 c8.myask/127.0.0.1:53950 MULTI: primary virtual IP for c8.myask/127.0.0.1:53950: 10.8.0.33 
Thu Sep 17 21:18:29 2015 c8.myask/127.0.0.1:53950 PUSH: Received control message: 'PUSH_REQUEST' 
Thu Sep 17 21:18:29 2015 c8.myask/127.0.0.1:53950 send_push_reply(): safe_cap=960
Thu Sep 17 21:18:29 2015 c8.myask/127.0.0.1:53950 SENT CONTROL [c8.myask]: 'PUSH_REPLY,redirect-gateway,route 10.8.0.1,topology net30,ping 10,ping-restart 120,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,ifconfig 10.8.0.33 10.8.0.34' (status=1) 
Thu Sep 17 21:19:26 2015 c8.myask/127.0.0.1:53950 Connection reset, restarting [0] 
Thu Sep 17 21:19:26 2015 c8.myask/127.0.0.1:53950 SIGUSR1[soft,connection-reset] received, client-instance restarting 
Thu Sep 17 21:19:26 2015 TCP/UDP: Closing socket

client system.log

Code: Select all

Sep 17 19:18:15 debian NetworkManager[749]: <info>  Starting VPN service 'openvpn'...
Sep 17 19:18:15 debian NetworkManager[749]: <info>  VPN service 'openvpn' started org.freedesktop.NetworkManager.openvpn), PID 5007 
Sep 17 19:18:15 debian NetworkManager[749]: <info>  VPN service 'openvpn' appeared; activating connections 
Sep 17 19:18:16 debian NetworkManager[749]: (nm-openvpn-service:5007): nm-openvpn-WARNING **: Directory '/var/lib/openvpn/chroot' not usable for chroot by 'nm-openvpn', openvpn will not be chrooted.
Sep 17 19:18:16 debian NetworkManager[749]: <info>  VPN plugin state changed: starting (3)
Sep 17 19:18:16 debian NetworkManager[749]: nm-openvpn-Message: openvpn started with pid 5010 
Sep 17 19:18:16 debian NetworkManager[749]: <info>  VPN connection 'c8.myask' (ConnectInteractive) reply received.
Sep 17 19:18:16 debian nm-openvpn[5010]: OpenVPN 2.3.7 x86_64-pc-linux -gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Sep  8 2015
Sep 17 19:18:16 debian nm-openvpn[5010]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08 
Sep 17 19:18:16 debian nm-openvpn[5010]: NOTE: the current --script -security setting may allow this configuration to call user-defined scripts 
Sep 17 19:18:16 debian nm-openvpn[5010]: Control Channel Authentication: using '/home/xxxx/vpn/pki-myask/keys/ta.key' as a OpenVPN static key file 
Sep 17 19:18:16 debian nm-openvpn[5010]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay 
Sep 17 19:18:16 debian nm-openvpn[5010]: Attempting to establish TCP connection with [AF_INET]127.0.0.1:10194 [nonblock] 
Sep 17 19:18:16 debian nm-openvpn[5010]: TCP connection established with [AF_INET]127.0.0.1:10194 
Sep 17 19:18:16 debian nm-openvpn[5010]: TCPv4_CLIENT link local: [undef]
Sep 17 19:18:16 debian nm-openvpn[5010]: TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:10194
Sep 17 19:18:26 debian nm-openvpn[5010]: [vpn.myask] Peer Connection Initiated with [AF_INET]127.0.0.1:10194 
Sep 17 19:18:29 debian nm-openvpn[5010]: TUN/TAP device tun0 opened 
Sep 17 19:18:29 debian nm-openvpn[5010]: /usr/lib/NetworkManager/nm -openvpn-service-openvpn-helper --tun -- tun0 1500 1560 10.8.0.33 10.8.0.34 init
Sep 17 19:18:29 debian NetworkManager[749]: <info>  (tun0): new Tun device (carrier: OFF, driver: 'tun', ifindex: 5) 
Sep 17 19:18:29 debian NetworkManager[749]: <info>  devices added (path: /sys/devices/virtual/net/tun0, iface: tun0) 
Sep 17 19:18:29 debian NetworkManager[749]: <info>  device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Sep 17 19:18:29 debian NetworkManager[749]: <info>  VPN connection 'c8.myask' (IP Config Get) reply received.
Sep 17 19:18:29 debian NetworkManager[749]: <info>  VPN connection 'c8.myask' (IP4 Config Get) reply received.
Sep 17 19:18:29 debian NetworkManager[749]: <info>  VPN Gateway: 127.0.0.1
Sep 17 19:18:29 debian NetworkManager[749]: <info>  Tunnel Device: tun0 Sep 17 19:18:29 debian NetworkManager[749]: <info>  IPv4 configuration:
Sep 17 19:18:29 debian NetworkManager[749]: <info>    Internal Gateway:10.8.0.34
Sep 17 19:18:29 debian NetworkManager[749]: <info>    Internal Address:10.8.0.33
Sep 17 19:18:29 debian NetworkManager[749]: <info>    Internal Prefix:32
Sep 17 19:18:29 debian NetworkManager[749]: <info>    Internal Point-to-Point Address: 10.8.0.34
Sep 17 19:18:29 debian NetworkManager[749]: <info>    Maximum SegmentSize (MSS): 0
Sep 17 19:18:29 debian NetworkManager[749]: <info>    Static Route:10.8.0.1/32   Next Hop: 10.8.0.34
Sep 17 19:18:29 debian NetworkManager[749]: <info>    Forbid DefaultRoute: no
Sep 17 19:18:29 debian NetworkManager[749]: <info>    Internal DNS:8.8.8.8
Sep 17 19:18:29 debian NetworkManager[749]: <info>    Internal DNS:8.8.4.4
Sep 17 19:18:29 debian NetworkManager[749]: <info>    DNS Domain:'(none)'
Sep 17 19:18:29 debian NetworkManager[749]: <info>   No IPv6 configuration 
Sep 17 19:18:29 debian NetworkManager[749]:<info>  VPN plugin state changed: started (4)
Sep 17 19:18:29 debian nm-openvpn[5010]: GID set to nm-openvpn 
Sep 17 19:18:29 debian nm-openvpn[5010]: UID set to nm-openvpn 
Sep 17 19:18:29 debian nm-openvpn[5010]: Initialization Sequence Completed 
Sep 17 19:18:29 debian NetworkManager[749]: <info>  VPN connection 'c8.myask' (IP Config Get) complete.
Sep 17 19:18:29 debian NetworkManager[749]: <info>  (tun0): link connected 
Sep 17 19:18:29 debian NetworkManager[749]: <info>  NetworkManager state is now CONNECTED_LOCAL 
Sep 17 19:18:29 debian NetworkManager[749]: <info>  NetworkManager state is now CONNECTED_GLOBAL 
Sep 17 19:18:29 debian NetworkManager[749]: <info>  Writing DNS information to /sbin/resolvconf 
Sep 17 19:18:39 debian org.gnome.Documents[1447]: *** Error in`/usr/bin/gjs-console': free(): invalid next size fast):0x00007fe7fc12b7d0 ***
Sep 17 19:18:39 debian gnome-session[1404]: Gjs-Message: JS LOG:
Received error from DBus search provider org.gnome.Documents.desktop: Gio.DBusError: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying 
Sep 17 19:18:43 debian dbus[763]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus -org.freedesktop.nm-dispatcher.service'
Sep 17 19:18:43 debian NetworkManager[749]: <info>  Writing DNS information to /sbin/resolvconf 
Sep 17 19:18:43 debian systemd[1]: Starting Network Manager Script Dispatcher Service...
Sep 17 19:18:43 debian NetworkManager[749]: <info>  keyfile: add connection in-memory (e420832a-51f8-49b2-8cf8-35937b8e786,"tun0")
Sep 17 19:18:43 debian NetworkManager[749]: <info>  (tun0): device state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
Sep 17 19:18:43 debian NetworkManager[749]: <info>  (tun0): device state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
Sep 17 19:18:43 debian NetworkManager[749]: <info>  (tun0): Activation: starting connection 'tun0' (e420832a-51f8-49b2-8cf8-e35937b8e786)
Sep 17 19:18:43 debian NetworkManager[749]: <info>  Writing DNS information to /sbin/resolvconf 
Sep 17 19:18:44 debian dbus[763]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Sep 17 19:18:44 debian systemd[1]: Started Network Manager Script Dispatcher Service.
Sep 17 19:18:44 debian nm-dispatcher: Dispatching action 'vpn-up' for tun0
Sep 17 19:18:44 debian NetworkManager[749]: <info>  (tun0): device state change: disconnected -> prepare (reason 'none') [30 40 0]
Sep 17 19:18:44 debian NetworkManager[749]: <info>  (tun0): device state change: prepare -> config (reason 'none') [40 50 0]
Sep 17 19:18:44 debian NetworkManager[749]: <info>  (tun0): device state change: config -> ip-config (reason 'none') [50 70 0]
Sep 17 19:18:44 debian NetworkManager[749]: <info>  (tun0): device state change: ip-config -> ip-check (reason 'none') [70 80 0]
Sep 17 19:18:44 debian NetworkManager[749]: <info>  (tun0): device state change: ip-check -> secondaries (reason 'none') [80 90 0]
Sep 17 19:18:44 debian NetworkManager[749]: <info>  (tun0): device state change: secondaries -> activated (reason 'none') [90 100 0]
Sep 17 19:18:44 debian NetworkManager[749]: <info>  NetworkManager state is now CONNECTED_LOCAL 
Sep 17 19:18:44 debian NetworkManager[749]: <info>  NetworkManager state is now CONNECTED_GLOBAL 
Sep 17 19:18:44 debian NetworkManager[749]: <info>  Policy set 'tun0' (tun0) as default for IPv4 routing and DNS.
Sep 17 19:18:44 debian NetworkManager[749]: <info>  Writing DNS information to /sbin/resolvconf 
Sep 17 19:18:44 debian NetworkManager[749]: <info>  (tun0): Activation: successful, device activated.
Sep 17 19:18:44 debian gnome-session[1404]: (gnome-settings-daemon:1464): GLib-CRITICAL **: Source ID 980 was not found when attempting to remove it 
Sep 17 19:18:45 debian gnome-session[1404]: (gnome-shell:1550): Clutter -WARNING **: clutter-actor.c:9919: Actor 'StWidget' tried to allocate a size of 0.00 x -2.00 
Sep 17 19:18:45 debian gnome-session[1404]: (gnome-shell:1550): Clutter -WARNING **: clutter-actor.c:9919: Actor 'StWidget' tried to allocate a size of 0.00 x -2.00 
Sep 17 19:18:58 debian nm-dispatcher: Dispatching action 'up' for tun0

The client.conf file is a little difficult to produce because I am using the gui network manager with gnome-3 desktop manager on a linux system ...

I probably should have grabbed the client openvpn.log as well, it may be easier to read?

Also, apologies for the code snips. My geographic location forces me to work with both windows and linux to get the information and then post it so the formatting was screwed up, so I had to reformat it, apart from the line wrapping it should ok.

[jeefo]

Hi,

Did you fix your problem? I got exactly same problem too.

[john56477]

ok, I got somewhere.

I have same problem, using scramblesuit obfsproxy
openvpn connection could be established via scramblesuit, but cannot ping 8.8.8.8
openvpn client and obfsproxy client on the same machine (Linux VM)

Got it working by using 2 client machines, one for openvpn and one for obfsproxy,
while openvpn server and obfsproxy server are still on same target machine

anyone know how to modify the openvpn client script so when connection is established
it doesn't screw up the obfsproxy connection if its on the same machine ?

[mabo]

Hi,

Yes, I got it working a little while ago ...

I don't remember the full details, but I think the problem was with the redirect-gateway option.

I was using the "redirect-gateway def1" and I changed to "redirect-gateway local" and then setup the default route manually.

I also had to start my VPN from the command line because network-manager didn't work with this arrangement.

I don't have access to my config files just at the moment to confirm actual settings but maybe in a couple days I can get back again with more details.

The system has been working great in my geographic region and my VPN connections problems are fixed.

If you read man page information for the redirect-gateway option it may be a little clearer ...

[mabo]

The default route problem on my system was fixed by making these changes to my server conf file.

push "redirect-gateway local"
push "route vpn_server_ip 255.255.255.255 net_gateway"

[john56477]

The default route problem on my system was fixed by making these changes to my server conf file.

push "redirect-gateway local"
push "route vpn_server_ip 255.255.255.255 net_gateway"

thank you so much, just tested, and its working now
yes, that works when OpenVPN and Obfsproxy client on the same machine