OpenVPN and Obfsproxy network problems.
Posted: Wed Sep 16, 2015 3:43 am
by mabo
Hi,
I am trying to setup my OpenVPN client/server to use the obfsproxy and I have run into a few problems.
The client/server setup has been working fine before trying the obfsproxy.
I have reached a point where I can connect to my server through the obfsproxy but am then unable to connect to outside addresses, for example unable to ping 8.8.8.8 ...
The connection will then disconnect after about a minute with "Inactivity timeout", which is weird because "--inactive" is off by default; I also tried explicitly setting "--inactive 0" but it still times out. Presumably this won't be a problem once I am able to connect to external addresses.
The DNS server IP's are pushed and updated as expected, checked /etc/resolv.conf is changing as expected.
I think maybe I have routing problem, but not sure how to test the theory ...
Any suggestions how to check routing is setup correctly would be very much appreciated ...
Server side setup ---
VPN_Server_IP = A.B.C.D
tried both of these ...
obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 --dest=127.0.0.1:1194 server 0.0.0.0:21194 &
obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 --dest=127.0.0.1:1194 server A.B.C.D:21194 &
firewall setup
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 21194 -j ACCEPT
tcp.conf
server netstat -rn
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 A.B.C.254 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
A.B.C.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Client side setup ---
obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 socks 127.0.0.1:10194 &
client.conf, changes ...
remote VPN_Server_IP 21194
proto tcp
socks-proxy 127.0.0.1 10194
socks-proxy-retry
client netstat -rn
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.8.0.34 0.0.0.0 UG 0 0 0 tun0
0.0.0.0 172.31.8.1 0.0.0.0 UG 0 0 0 wlan0
10.8.0.1 10.8.0.34 255.255.255.255 UGH 0 0 0 tun0
10.8.0.33 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.34 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
127.0.0.1 172.31.8.1 255.255.255.255 UGH 0 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0
client ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether ec:f4:bb:65:ea:ad txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xf7800000-f7820000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 4297 bytes 501861 (490.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4297 bytes 501861 (490.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.33 netmask 255.255.255.255 destination 10.8.0.34
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 36 bytes 2649 (2.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.31.8.210 netmask 255.255.248.0 broadcast 172.31.15.255
inet6 fe80::3ea9:f4ff:fea7:da8c prefixlen 64 scopeid 0x20<link>
ether 3c:a9:f4:a7:da:8c txqueuelen 1000 (Ethernet)
RX packets 28206 bytes 4168156 (3.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4505 bytes 688565 (672.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Re: OpenVPN and Obfsproxy network problems.
Posted: Thu Sep 17, 2015 9:59 am
by Traffic
Your routing looks normal .. Please post your sanitized OpenVPN configs and logs.
Re: OpenVPN and Obfsproxy network problems.
Posted: Fri Sep 18, 2015 1:45 am
by mabo
Thanks for taking an interest in the problem.
server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/vpn.myask.crt
key /etc/openvpn/vpn.myask.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
client-config-dir ccd
push "redirect-gateway"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret
cipher AES-128-CBC # AES
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
tls-timeout 60
hand-window 120
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 3
#mute 3
server openvpn.log
Thu Sep 17 21:18:16 2015 MULTI: multi_create_instance called
Thu Sep 17 21:18:16 2015 Re-using SSL/TLS context
Thu Sep 17 21:18:16 2015 LZO compression initialized
Thu Sep 17 21:18:16 2015 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Thu Sep 17 21:18:16 2015 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Sep 17 21:18:16 2015 Local Options hash (VER=V4): 'a642654b'
Thu Sep 17 21:18:16 2015 Expected Remote Options hash (VER=V4): '0bdd0804'
Thu Sep 17 21:18:16 2015 TCP connection established with [AF_INET]127.0.0.1:53950
Thu Sep 17 21:18:16 2015 TCPv4_SERVER link local: [undef]
Thu Sep 17 21:18:16 2015 TCPv4_SERVER link remote [AF_INET]127.0.0.1:53950
Thu Sep 17 21:18:16 2015 127.0.0.1:53950 TLS: Initial packet from [AF_INET]127.0.0.1:53950, sid=ddf0950d 112234c3
Thu Sep 17 21:18:22 2015 127.0.0.1:53950 VERIFY OK: depth=1, /CN=myask/name=myask
Thu Sep 17 21:18:22 2015 127.0.0.1:53950 VERIFY OK: depth=0, /CN=c8.myask
Thu Sep 17 21:18:24 2015 127.0.0.1:53950 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Sep 17 21:18:24 2015 127.0.0.1:53950 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 17 21:18:24 2015 127.0.0.1:53950 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Sep 17 21:18:24 2015 127.0.0.1:53950 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 17 21:18:26 2015 127.0.0.1:53950 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Sep 17 21:18:26 2015 127.0.0.1:53950 [c8.myask] Peer Connection Initiated with [AF_INET]127.0.0.1:53950
Thu Sep 17 21:18:26 2015 c8.myask/127.0.0.1:53950 OPTIONS IMPORT: reading client specific options from: ccd/c8.myask
Thu Sep 17 21:18:26 2015 c8.myask/127.0.0.1:53950 MULTI: Learn: 10.8.0.33 -> c8.myask/127.0.0.1:53950
Thu Sep 17 21:18:26 2015 c8.myask/127.0.0.1:53950 MULTI: primary virtual IP for c8.myask/127.0.0.1:53950: 10.8.0.33
Thu Sep 17 21:18:29 2015 c8.myask/127.0.0.1:53950 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 17 21:18:29 2015 c8.myask/127.0.0.1:53950 send_push_reply(): safe_cap=960
Thu Sep 17 21:18:29 2015 c8.myask/127.0.0.1:53950 SENT CONTROL [c8.myask]: 'PUSH_REPLY,redirect-gateway,route 10.8.0.1,topology net30,ping 10,ping-restart 120,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,ifconfig 10.8.0.33 10.8.0.34' (status=1)
Thu Sep 17 21:19:26 2015 c8.myask/127.0.0.1:53950 Connection reset, restarting [0]
Thu Sep 17 21:19:26 2015 c8.myask/127.0.0.1:53950 SIGUSR1[soft,connection-reset] received, client-instance restarting
Thu Sep 17 21:19:26 2015 TCP/UDP: Closing socket
client system.log
Sep 17 19:18:15 debian NetworkManager[749]: <info> Starting VPN service 'openvpn'...
Sep 17 19:18:15 debian NetworkManager[749]: <info> VPN service 'openvpn' started org.freedesktop.NetworkManager.openvpn), PID 5007
Sep 17 19:18:15 debian NetworkManager[749]: <info> VPN service 'openvpn' appeared; activating connections
Sep 17 19:18:16 debian NetworkManager[749]: (nm-openvpn-service:5007): nm-openvpn-WARNING **: Directory '/var/lib/openvpn/chroot' not usable for chroot by 'nm-openvpn', openvpn will not be chrooted.
Sep 17 19:18:16 debian NetworkManager[749]: <info> VPN plugin state changed: starting (3)
Sep 17 19:18:16 debian NetworkManager[749]: nm-openvpn-Message: openvpn started with pid 5010
Sep 17 19:18:16 debian NetworkManager[749]: <info> VPN connection 'c8.myask' (ConnectInteractive) reply received.
Sep 17 19:18:16 debian nm-openvpn[5010]: OpenVPN 2.3.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Sep 8 2015
Sep 17 19:18:16 debian nm-openvpn[5010]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.08
Sep 17 19:18:16 debian nm-openvpn[5010]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 17 19:18:16 debian nm-openvpn[5010]: Control Channel Authentication: using '/home/xxxx/vpn/pki-myask/keys/ta.key' as a OpenVPN static key file
Sep 17 19:18:16 debian nm-openvpn[5010]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sep 17 19:18:16 debian nm-openvpn[5010]: Attempting to establish TCP connection with [AF_INET]127.0.0.1:10194 [nonblock]
Sep 17 19:18:16 debian nm-openvpn[5010]: TCP connection established with [AF_INET]127.0.0.1:10194
Sep 17 19:18:16 debian nm-openvpn[5010]: TCPv4_CLIENT link local: [undef]
Sep 17 19:18:16 debian nm-openvpn[5010]: TCPv4_CLIENT link remote: [AF_INET]127.0.0.1:10194
Sep 17 19:18:26 debian nm-openvpn[5010]: [vpn.myask] Peer Connection Initiated with [AF_INET]127.0.0.1:10194
Sep 17 19:18:29 debian nm-openvpn[5010]: TUN/TAP device tun0 opened
Sep 17 19:18:29 debian nm-openvpn[5010]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --tun -- tun0 1500 1560 10.8.0.33 10.8.0.34 init
Sep 17 19:18:29 debian NetworkManager[749]: <info> (tun0): new Tun device (carrier: OFF, driver: 'tun', ifindex: 5)
Sep 17 19:18:29 debian NetworkManager[749]: <info> devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Sep 17 19:18:29 debian NetworkManager[749]: <info> device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Sep 17 19:18:29 debian NetworkManager[749]: <info> VPN connection 'c8.myask' (IP Config Get) reply received.
Sep 17 19:18:29 debian NetworkManager[749]: <info> VPN connection 'c8.myask' (IP4 Config Get) reply received.
Sep 17 19:18:29 debian NetworkManager[749]: <info> VPN Gateway: 127.0.0.1
Sep 17 19:18:29 debian NetworkManager[749]: <info> Tunnel Device: tun0
Sep 17 19:18:29 debian NetworkManager[749]: <info> IPv4 configuration:
Sep 17 19:18:29 debian NetworkManager[749]: <info> Internal Gateway:10.8.0.34
Sep 17 19:18:29 debian NetworkManager[749]: <info> Internal Address:10.8.0.33
Sep 17 19:18:29 debian NetworkManager[749]: <info> Internal Prefix:32
Sep 17 19:18:29 debian NetworkManager[749]: <info> Internal Point-to-Point Address: 10.8.0.34
Sep 17 19:18:29 debian NetworkManager[749]: <info> Maximum SegmentSize (MSS): 0
Sep 17 19:18:29 debian NetworkManager[749]: <info> Static Route:10.8.0.1/32 Next Hop: 10.8.0.34
Sep 17 19:18:29 debian NetworkManager[749]: <info> Forbid DefaultRoute: no
Sep 17 19:18:29 debian NetworkManager[749]: <info> Internal DNS:8.8.8.8
Sep 17 19:18:29 debian NetworkManager[749]: <info> Internal DNS:8.8.4.4
Sep 17 19:18:29 debian NetworkManager[749]: <info> DNS Domain:'(none)'
Sep 17 19:18:29 debian NetworkManager[749]: <info> No IPv6 configuration
Sep 17 19:18:29 debian NetworkManager[749]: <info> VPN plugin state changed: started (4)
Sep 17 19:18:29 debian nm-openvpn[5010]: GID set to nm-openvpn
Sep 17 19:18:29 debian nm-openvpn[5010]: UID set to nm-openvpn
Sep 17 19:18:29 debian nm-openvpn[5010]: Initialization Sequence Completed
Sep 17 19:18:29 debian NetworkManager[749]: <info> VPN connection 'c8.myask' (IP Config Get) complete.
Sep 17 19:18:29 debian NetworkManager[749]: <info> (tun0): link connected
Sep 17 19:18:29 debian NetworkManager[749]: <info> NetworkManager state is now CONNECTED_LOCAL
Sep 17 19:18:29 debian NetworkManager[749]: <info> NetworkManager state is now CONNECTED_GLOBAL
Sep 17 19:18:29 debian NetworkManager[749]: <info> Writing DNS information to /sbin/resolvconf
Sep 17 19:18:39 debian org.gnome.Documents[1447]: *** Error in `/usr/bin/gjs-console': free(): invalid next size (fast): 0x00007fe7fc12b7d0 ***
Sep 17 19:18:39 debian gnome-session[1404]: Gjs-Message: JS LOG:
Received error from DBus search provider org.gnome.Documents.desktop: Gio.DBusError: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
Sep 17 19:18:43 debian dbus[763]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Sep 17 19:18:43 debian NetworkManager[749]: <info> Writing DNS information to /sbin/resolvconf
Sep 17 19:18:43 debian systemd[1]: Starting Network Manager Script Dispatcher Service...
Sep 17 19:18:43 debian NetworkManager[749]: <info> keyfile: add connection in-memory (e420832a-51f8-49b2-8cf8-35937b8e786,"tun0")
Sep 17 19:18:43 debian NetworkManager[749]: <info> (tun0): device state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
Sep 17 19:18:43 debian NetworkManager[749]: <info> (tun0): device state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
Sep 17 19:18:43 debian NetworkManager[749]: <info> (tun0): Activation: starting connection 'tun0' (e420832a-51f8-49b2-8cf8-e35937b8e786)
Sep 17 19:18:43 debian NetworkManager[749]: <info> Writing DNS information to /sbin/resolvconf
Sep 17 19:18:44 debian dbus[763]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Sep 17 19:18:44 debian systemd[1]: Started Network Manager Script Dispatcher Service.
Sep 17 19:18:44 debian nm-dispatcher: Dispatching action 'vpn-up' for tun0
Sep 17 19:18:44 debian NetworkManager[749]: <info> (tun0): device state change: disconnected -> prepare (reason 'none') [30 40 0]
Sep 17 19:18:44 debian NetworkManager[749]: <info> (tun0): device state change: prepare -> config (reason 'none') [40 50 0]
Sep 17 19:18:44 debian NetworkManager[749]: <info> (tun0): device state change: config -> ip-config (reason 'none') [50 70 0]
Sep 17 19:18:44 debian NetworkManager[749]: <info> (tun0): device state change: ip-config -> ip-check (reason 'none') [70 80 0]
Sep 17 19:18:44 debian NetworkManager[749]: <info> (tun0): device state change: ip-check -> secondaries (reason 'none') [80 90 0]
Sep 17 19:18:44 debian NetworkManager[749]: <info> (tun0): device state change: secondaries -> activated (reason 'none') [90 100 0]
Sep 17 19:18:44 debian NetworkManager[749]: <info> NetworkManager state is now CONNECTED_LOCAL
Sep 17 19:18:44 debian NetworkManager[749]: <info> NetworkManager state is now CONNECTED_GLOBAL
Sep 17 19:18:44 debian NetworkManager[749]: <info> Policy set 'tun0' (tun0) as default for IPv4 routing and DNS.
Sep 17 19:18:44 debian NetworkManager[749]: <info> Writing DNS information to /sbin/resolvconf
Sep 17 19:18:44 debian NetworkManager[749]: <info> (tun0): Activation: successful, device activated.
Sep 17 19:18:44 debian gnome-session[1404]: (gnome-settings-daemon:1464): GLib-CRITICAL **: Source ID 980 was not found when attempting to remove it
Sep 17 19:18:45 debian gnome-session[1404]: (gnome-shell:1550): Clutter-WARNING **: clutter-actor.c:9919: Actor 'StWidget' tried to allocate a size of 0.00 x -2.00
Sep 17 19:18:45 debian gnome-session[1404]: (gnome-shell:1550): Clutter-WARNING **: clutter-actor.c:9919: Actor 'StWidget' tried to allocate a size of 0.00 x -2.00
Sep 17 19:18:58 debian nm-dispatcher: Dispatching action 'up' for tun0
The client.conf file is a little difficult to produce because I am using the GUI network manager with the GNOME 3 desktop on a Linux system ...
I probably should have grabbed the client openvpn.log as well; it may be easier to read?
Also, apologies for the code snips. My geographic location forces me to work with both Windows and Linux to get the information and then post it, so the formatting was screwed up and I had to reformat it; apart from the line wrapping it should be OK.
Re: OpenVPN and Obfsproxy network problems.
Posted: Sun Oct 11, 2015 1:26 pm
by jeefo
Hi,
Did you fix your problem? I have exactly the same problem too.
Re: OpenVPN and Obfsproxy network problems.
Posted: Fri Dec 04, 2015 5:33 am
by john56477
OK, I got somewhere.
I have the same problem, using the scramblesuit obfsproxy.
The OpenVPN connection can be established via scramblesuit, but I cannot ping 8.8.8.8.
The OpenVPN client and obfsproxy client are on the same machine (Linux VM).
Got it working by using 2 client machines, one for OpenVPN and one for obfsproxy,
while the OpenVPN server and obfsproxy server are still on the same target machine.
Does anyone know how to modify the OpenVPN client script so that when the connection is established
it doesn't screw up the obfsproxy connection if it's on the same machine?
Re: OpenVPN and Obfsproxy network problems.
Posted: Fri Dec 04, 2015 8:26 am
by mabo
Hi,
Yes, I got it working a little while ago ...
I don't remember the full details, but I think the problem was with the redirect-gateway option.
I was using the "redirect-gateway def1" and I changed to "redirect-gateway local" and then setup the default route manually.
I also had to start my VPN from the command line because network-manager didn't work with this arrangement.
I don't have access to my config files just at the moment to confirm actual settings but maybe in a couple days I can get back again with more details.
The system has been working great in my geographic region and my VPN connections problems are fixed.
If you read man page information for the redirect-gateway option it may be a little clearer ...
Re: OpenVPN and Obfsproxy network problems.
Posted: Sat Dec 05, 2015 12:19 am
by mabo
The default route problem on my system was fixed by making these changes to my server conf file.
push "redirect-gateway local"
push "route vpn_server_ip 255.255.255.255 net_gateway"
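A way to check the client routing table for the condition these two pushed options correct, as an added example that is not from the thread or from OpenVPN itself. It parses `netstat -rn` output in the format posted above and reports (a) the interface the real VPN server address would be routed over and (b) any loopback host route that sits on a physical interface, which is what the client table in the first post shows for 127.0.0.1 (the SOCKS proxy address OpenVPN sees as its "remote"). The server address 203.0.113.10 and both tables are constructed; the second table is the first one with the fix applied.

```python
"""Check whether an OpenVPN-over-obfsproxy client has a routing loop.

Constructed example: if the VPN server's real address resolves to the tun
interface, the obfsproxy client's own TCP session is sent into the tunnel
it is carrying, and the link stalls until OpenVPN resets it.
"""
import ipaddress

# Constructed: the client table from the first post, with A.B.C.D = 203.0.113.10.
CLIENT_TABLE_BROKEN = """\
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.8.0.34 0.0.0.0 UG 0 0 0 tun0
0.0.0.0 172.31.8.1 0.0.0.0 UG 0 0 0 wlan0
10.8.0.1 10.8.0.34 255.255.255.255 UGH 0 0 0 tun0
10.8.0.33 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.34 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
127.0.0.1 172.31.8.1 255.255.255.255 UGH 0 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0
"""

# Constructed: same table after "redirect-gateway local" plus the pushed
# host route to the server via net_gateway (no bogus 127.0.0.1 route).
CLIENT_TABLE_FIXED = """\
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.8.0.34 0.0.0.0 UG 0 0 0 tun0
0.0.0.0 172.31.8.1 0.0.0.0 UG 0 0 0 wlan0
10.8.0.1 10.8.0.34 255.255.255.255 UGH 0 0 0 tun0
10.8.0.33 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
203.0.113.10 172.31.8.1 255.255.255.255 UGH 0 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0
"""


def parse_netstat(text):
    """Turn `netstat -rn` lines into dicts; skips the header and short lines."""
    routes = []
    for line in text.strip().splitlines()[1:]:
        f = line.split()
        if len(f) >= 8:
            routes.append({"dst": f[0], "gw": f[1], "mask": f[2], "iface": f[7]})
    return routes


def lookup(routes, ip):
    """Longest-prefix match; on equal prefix the earlier table entry wins."""
    addr, best = ipaddress.ip_address(ip), None
    for r in routes:
        net = ipaddress.ip_network(f"{r['dst']}/{r['mask']}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None


def diagnose(text, server_ip, phys_iface):
    """Return a list of findings; an empty list means the table looks sane."""
    routes, findings = parse_netstat(text), []
    hit = lookup(routes, server_ip)
    if hit is None:
        findings.append("no-route-to-server")
    elif hit["iface"] != phys_iface:
        findings.append("server-via-" + hit["iface"])  # loop through the tunnel
    for r in routes:  # a /32 to loopback on a physical NIC: route went to the proxy
        if r["mask"] == "255.255.255.255" and r["iface"] != "lo" \
                and ipaddress.ip_address(r["dst"]).is_loopback:
            findings.append("loopback-host-route-via-" + r["iface"])
    return findings
```

Run `diagnose(open("netstat.txt").read(), "<server ip>", "wlan0")` against a live capture; anything other than an empty list is worth fixing before blaming obfsproxy.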
Re: OpenVPN and Obfsproxy network problems.
Posted: Sat Dec 05, 2015 1:37 pm
by john56477
mabo wrote:The default route problem on my system was fixed by making these changes to my server conf file.
push "redirect-gateway local"
push "route vpn_server_ip 255.255.255.255 net_gateway"
Thank you so much; just tested, and it's working now.
Yes, that works when the OpenVPN and obfsproxy clients are on the same machine.