Openvpn as gateway client and personal server at same time.

Posted: Fri Apr 15, 2016 5:58 pm
by pir8
Hello, I have very basic Linux knowledge and I'd really appreciate it if someone could help me out here.

I currently have my Raspberry Pi configured as a VPN gateway (working perfectly). OpenVPN is set up to act as a client (tun0) and it connects to a VPN service provider; that way the devices in my house are connected through the VPN tunnel.
I'm trying to have another instance of OpenVPN running as a server on the same Raspberry Pi in order to be able to access my home network whenever I'm outside, but I have not been able to do it. Independently, I've been able to set up the Raspberry as an OpenVPN client to my VPN service provider and also as a personal OpenVPN server successfully, allowing me to connect to my home, but I haven't been able to have both instances running at the same time. Ports are forwarded correctly in the main router, as I'm able to use my personal OpenVPN server when I set it up alone (independently of the client conf).


Currently my home network looks like this (RPi acting only as a client):

[image: home network diagram]

***Now, at the same time, I want to have another instance of OpenVPN running as a server that would allow me to browse my local LAN remotely.***

I currently have the OpenVPN daemon autorun every time the RPi boots by using "systemctl enable openvpn@torguard".

My conf files:

torguard.conf (client conf file for connecting to the private VPN provider):

client
dev tun
proto udp
remote la.serveraddress.com 443
resolv-retry infinite
remote-cert-tls server
nobind                                  # no fixed local port; the server instance binds its own
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/ca.crt
auth-user-pass /etc/openvpn/login.txt   # provider credentials in plain text; keep this file root-only (0600)
comp-lzo
fast-io
ping-restart 0
route-delay 2
route-method exe
script-security 3 system
mute-replay-warnings
verb 3

And my server.conf file (which is my personal OpenVPN server configuration file):

local 192.168.3.100      # Raspberry Pi IP address
dev tun1                 # separate device from the provider client's tun0
proto tcp                # using TCP
port 443
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/Home.crt   # my CRT file
key /etc/openvpn/easy-rsa/keys/Home.key    # my key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig 10.8.0.1 10.8.0.2   # server and remote endpoints
# Route to client routing table for the OpenVPN server
push "route 10.8.0.1 255.255.255.255"
# Route to client routing table for the OpenVPN subnet
push "route 10.8.0.0 255.255.255.0"
# My local subnet
push "route 192.168.3.0 255.255.255.0"   # Raspberry Pi network range
push "dhcp-option DNS 192.168.3.1"
push "redirect-gateway def1"
client-to-client
duplicate-cn             # lets several clients share one certificate; per-client certs are easier to revoke
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 1

My NAT and routing setup when running OpenVPN as a client is as follows (rules are persistent across boots):

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

And the iptables settings below when setting up the Raspberry Pi as a personal server:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.3.100

Any guidance on how I can accomplish this would be greatly appreciated.
Thanks

Re: Openvpn as gateway client and personal server at same ti

Posted: Sat Apr 16, 2016 7:16 am
by adamjgs
Looks like we're trying to do somewhat similar things. What happens when you try running both concurrently?

Re: Openvpn as gateway client and personal server at same ti

Posted: Sat Apr 16, 2016 6:47 pm
by pir8
Hi,
Both instances come up, but I'm not able to connect to the server.

root@raspberrypi:/etc/openvpn# ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:d4:99:e2  
          inet addr:192.168.3.100  Bcast:192.168.3.255  Mask:255.255.255.0
          inet6 addr: fe80::f15e:9308:397a:3053/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26574 errors:0 dropped:1 overruns:0 frame:0
          TX packets:24429 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:11150167 (10.6 MiB)  TX bytes:11631514 (11.0 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:244 errors:0 dropped:0 overruns:0 frame:0
          TX packets:244 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:17843 (17.4 KiB)  TX bytes:17843 (17.4 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.9.1.42  P-t-P:10.9.1.41  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:11282 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10451 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:8972031 (8.5 MiB)  TX bytes:1094860 (1.0 MiB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr b8:27:eb:81:cc:b7  
          inet6 addr: fe80::ba27:ebff:fe81:ccb7/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:3563 (3.4 KiB)

As you can see, both the client and server are running, I can ping 8.8.8.8 successfully and everything goes through the tunnel, but I can't connect to the server part from outside. When I look at the server's /var/log/openvpn.log file it shows:

root@raspberrypi:/etc/openvpn# cat /var/log/openvpn.log 
Sat Apr 16 11:05:51 2016 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Sat Apr 16 11:05:51 2016 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Sat Apr 16 11:05:51 2016 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key file
Sat Apr 16 11:05:51 2016 TUN/TAP device tun1 opened
Sat Apr 16 11:05:51 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Apr 16 11:05:51 2016 /sbin/ip link set dev tun1 up mtu 1500
Sat Apr 16 11:05:51 2016 /sbin/ip addr add dev tun1 local 10.8.0.1 peer 10.8.0.2
Sat Apr 16 11:05:51 2016 GID set to nogroup
Sat Apr 16 11:05:51 2016 UID set to nobody
Sat Apr 16 11:05:51 2016 UDPv4 link local (bound): [AF_INET]192.168.3.100:1194
Sat Apr 16 11:05:51 2016 UDPv4 link remote: [undef]
Sat Apr 16 11:05:51 2016 Initialization Sequence Completed
Sat Apr 16 11:06:03 2016 199.71.159.118:48361 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1460826370) Sat Apr 16 11:06:10 2016 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Sat Apr 16 11:06:03 2016 199.71.159.118:48361 TLS Error: incoming packet authentication failed from [AF_INET]199.71.159.118:48361
Sat Apr 16 11:07:12 2016 199.71.159.118:53087 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Apr 16 11:07:12 2016 199.71.159.118:53087 TLS Error: TLS handshake failed
root@raspberrypi:/etc/openvpn# 

Only if I stop the OpenVPN client from launching at boot and launch the server part am I able to connect.

I don't know if it has to do with the fact that, when the OpenVPN client (which connects the Raspberry to the private VPN provider) is active, every packet that comes out of the Raspberry is routed through the VPN tunnel; whenever I try to make the connection to my home network from outside, I use my home public IP to establish the connection, but the data received on my cell phone comes from the VPN tunnel running on the Pi and the packets don't match, so the TLS handshake fails. This of course is a wild guess, as I don't know much about this stuff.
I'm about to give up and buy another Raspberry Pi to set one up as a server and the other as a client.
:(

Re: Openvpn as gateway client and personal server at same ti

Posted: Sun Apr 17, 2016 11:22 am
by adamjgs
What happens if you run this on the server?

ip rule add from <your-server-ip> table 10
ip route add default via <your-router-ip> table 10

Can you then connect to it while its client instance is up?

Re: Openvpn as gateway client and personal server at same ti

Posted: Sun Apr 17, 2016 7:27 pm
by pir8
adamjgs wrote: What happens if you run this on the server?

ip rule add from <your-server-ip> table 10
ip route add default via <your-router-ip> table 10

Can you then connect to it while its client instance is up?

omg!!! this is so amazing!
Thank you very much for this info!
I finally managed to run them (client and server instances on the Raspberry) both at the same time...
Wow!!!! It's running fine now after adding those routes. I can connect to my house remotely while having the OpenVPN client connected to the TorGuard service at home.

You said you were trying to accomplish a similar setup; have you succeeded already?

Thank you so much for your help!

Re: Openvpn as gateway client and personal server at same time.

Posted: Tue Jun 26, 2018 4:47 pm
by raspi3
Hi,
With this solution

ip rule add from <your-server-ip> table 10
ip route add default via <your-router-ip> table 10

I can only connect to my local network.
After executing

sudo ip rule add from 10.7.0.0/24 table 99
sudo ip route add default via 192.168.1.1 table 99

I can only connect to the internet, not to my local network anymore. Did you figure out how to connect to both the local network and the internet?
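
The policy-routing behaviour behind adamjgs's two ip commands and raspi3's table 99 variant, as an added example that is not code from the thread: a small Python model of Linux policy routing (rules tried in priority order, longest-prefix match inside the selected table, fall-through to the next rule when that table has no matching route), which shows that a table holding only a default route also hands LAN-bound packets to the router, while copying the LAN's connected route into that table keeps LAN traffic direct and internet traffic still off tun0. The addressing is constructed from raspi3's post, with 192.168.1.100 assumed as the Pi's LAN address and 10.7.0.6 as a connected VPN client.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (raspi3's post): LAN 192.168.1.0/24 behind router 192.168.1.1,
# OpenVPN clients on 10.7.0.0/24 (tun1), provider tunnel on tun0; Pi address assumed.
ANY, LAN, ROUTER = "0.0.0.0/0", "192.168.1.0/24", "192.168.1.1"
VPN_CLIENTS, PI_ADDR = "10.7.0.0/24", "192.168.1.100/32"

def lookup(rules, tables, src, dst):
    """rules: (priority, from, to, table); tables: {name: [(prefix, via, dev)]}.
    Returns (via, dev) for the packet, or None when no table routes it."""
    src, dst = ip_address(src), ip_address(dst)
    for _prio, frm, to, table in sorted(rules):
        if src not in ip_network(frm) or dst not in ip_network(to):
            continue
        best = None  # longest-prefix match inside the selected table
        for prefix, via, dev in tables.get(table, []):
            net = ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, dev)
        if best:  # a table with no matching route falls through to the next rule
            return best[1], best[2]
    return None

def egress(scenario, src, dst):
    rules, tables = scenario()
    hop = lookup(rules, tables, src, dst)
    if hop is None:
        return "unreachable"
    via, dev = hop
    return f"{dev} via {via}" if via else f"{dev} direct"

# Main table of the gateway-client Pi: the provider tunnel owns the default route.
LAN_DIRECT, VIA_ROUTER = (LAN, None, "eth0"), (ANY, ROUTER, "eth0")
MAIN = {"main": [(ANY, None, "tun0"), LAN_DIRECT, (VPN_CLIENTS, None, "tun1")]}
MAIN_RULE = (32766, ANY, ANY, "main")

def gateway_only():
    """No policy rules: the Pi's own replies to remote clients leave via tun0."""
    return [MAIN_RULE], MAIN
def thread_table10():
    """adamjgs's fix: packets sourced from the Pi's LAN address use table 10."""
    return [(32765, PI_ADDR, ANY, "10"), MAIN_RULE], {**MAIN, "10": [VIA_ROUTER]}
def thread_table99():
    """raspi3's variant: the VPN client subnet uses table 99, which has only a default."""
    return [(32765, VPN_CLIENTS, ANY, "99"), MAIN_RULE], {**MAIN, "99": [VIA_ROUTER]}
def fixed_table99():
    """Same, plus the LAN's connected route in table 99: LAN-bound packets from VPN
    clients now leave eth0 directly while internet-bound ones still go to the router."""
    return [(32765, VPN_CLIENTS, ANY, "99"), MAIN_RULE], {**MAIN, "99": [VIA_ROUTER, LAN_DIRECT]}
```

What fixed_table99 models on a real box is one extra command next to raspi3's two: ip route add 192.168.1.0/24 dev eth0 table 99 (with your own LAN prefix and interface).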

Re: Openvpn as gateway client and personal server at same time.

Posted: Mon Mar 23, 2020 7:44 pm
by Aushilfsarnie
Hi there. Is there a solution for this? Thanks in advance!

Re: Openvpn as gateway client and personal server at same time.

Posted: Tue May 19, 2020 11:51 am
by Skynet86
I don't get this configuration to run. Can someone help me?

Re: Openvpn as gateway client and personal server at same time.

Posted: Wed May 20, 2020 1:41 am
by 300000
You need to change the port to 445, not the same 443, so you can connect as a client to the VPN service provider and act as a server at home, but not on the same port, because the VPN tries to make all internet traffic go over the VPN, so you need to decide which way it goes. Just use both like this:

route 42.118.90.17 255.255.255.0 vpn_gateway
route 42.118.90.17 255.255.255.0 net_gateway
This one, route 42.118.90.17 255.255.255.0 vpn_gateway, means you want this IP to go through the VPN provider, and this one, route 42.118.90.17 255.255.255.0 net_gateway, means you want this IP to go through your router.

If you want to try redirect-gateway autolocal def1 bypass-dhcp, just do it and decide which way you want; take some time to deal with it, and remember OpenVPN is point to point, so you need NAT to make it work.

It is simpler: you can install WireGuard and make it act as a server, and you can run both at the same time. WireGuard is considered 30% faster than OpenVPN on every test and simpler than OpenVPN.

Re: Openvpn as gateway client and personal server at same time.

Posted: Wed May 20, 2020 11:52 am
by TinCanTech
Yep, not only can he barely speak English but he also does not know what this thread is about ...