[Solved] Routing not working, can't connect to lan devices
Posted: Sat Nov 11, 2017 2:42 pm
by robster
Hey there.
I set up my openVPN server and clients are able to connect.
I would like to enable the clients to access the other devices in my lan.
Therefore I enabled IP forwarding and added the push route to my openvpn.conf, which looks like:
Code:
dev tun
proto udp
port 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
user nobody
group nogroup
server 10.8.0.0 255.255.255.0
management 127.0.0.1 1195
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
client-to-client
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
log-append /var/log/openvpn
comp-lzo
duplicate-cn
keepalive 10 120
tls-auth ta.key 0
mode server
tls-server
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
auth-nocache
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
My goal is that clients will be members of the 192.168.0.0 subnet and access other devices in that subnet.
When my client connects this is the log:
Code:
Sat Nov 11 15:36:14 2017 109.45.0.214:35593 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:XXXXX, sid=1de3208e 8b6c637c
Sat Nov 11 15:36:16 2017 109.45.0.214:35593 VERIFY OK: depth=1, CN=server
Sat Nov 11 15:36:16 2017 109.45.0.214:35593 VERIFY OK: depth=0, CN=mobile
Sat Nov 11 15:36:17 2017 109.45.0.214:35593 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Nov 11 15:36:17 2017 109.45.0.214:35593 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Nov 11 15:36:17 2017 109.45.0.214:35593 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Nov 11 15:36:17 2017 109.45.0.214:35593 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Nov 11 15:36:17 2017 109.45.0.214:35593 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA256, 2048 bit RSA
Sat Nov 11 15:36:17 2017 109.45.0.214:35593 [mobile] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:XXXXX
Sat Nov 11 15:36:17 2017 mobile/109.45.0.214:35593 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sat Nov 11 15:36:17 2017 mobile/109.45.0.214:35593 MULTI: Learn: 10.8.0.6 -> mobile/XXX.XXX.XXX.XXX:XXXXX
Sat Nov 11 15:36:17 2017 mobile/109.45.0.214:35593 MULTI: primary virtual IP for mobile/XXX.XXX.XXX.XXX:XXXXX: 10.8.0.6
Sat Nov 11 15:36:18 2017 mobile/109.45.0.214:35593 PUSH: Received control message: 'PUSH_REQUEST'
Sat Nov 11 15:36:18 2017 mobile/109.45.0.214:35593 send_push_reply(): safe_cap=940
Sat Nov 11 15:36:18 2017 mobile/109.45.0.214:35593 SENT CONTROL [mobile]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Once connected my client can access the internet and gets the WAN IP of my server, but the client is not able to connect to other lan devices.
What am I missing here? Where can I continue looking?
Any help is very much appreciated!
robster
Re: Routing not working, can't connect to lan devices
Posted: Sat Nov 11, 2017 3:04 pm
by TinCanTech
robster wrote: ↑Sat Nov 11, 2017 2:42 pm
my client can access the internet and gets the WAN IP of my server, but the client is not able to connect to other lan devices
NOTE:
- Your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Never use 192.168.0.0/24 or 192.168.1.0/24 (or other common subnets) for your OpenVPN Server LAN
- You are advised to change your server LAN to a more unique RFC1918 compliant subnet.
For example: 192.168.143.0/24
That could be the reason ..
Please post your client log at --verb 4
Re: Routing not working, can't connect to lan devices
Posted: Sat Nov 11, 2017 7:36 pm
by robster
Hey TinCanTech.
Thanks for the advice. I will change the subnet at some point, but for now it would be too much effort and I consider it rather a last option before I go crazy.
This is the server log at verbose 4 when my client connects.
Code:
Sat Nov 11 20:29:44 2017 mobile/xxx.xxx.xxx.xxx:xxx TLS: new session incoming connection from [AF_INET]xxx.xxx.xxx.xxx:xxx
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx VERIFY OK: depth=1, CN=server
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx VERIFY OK: depth=0, CN=mobile
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx TLS: tls_multi_process: untrusted session promoted to semi-trusted
Sat Nov 11 20:29:46 2017 mobile/xxx.xxx.xxx.xxx:xxx Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA256, 2048 bit RSA
Sat Nov 11 20:29:47 2017 mobile/xxx.xxx.xxx.xxx:xxx PUSH: Received control message: 'PUSH_REQUEST'
Sat Nov 11 20:29:47 2017 mobile/xxx.xxx.xxx.xxx:xxx send_push_reply(): safe_cap=940
Sat Nov 11 20:29:47 2017 mobile/xxx.xxx.xxx.xxx:xxx SENT CONTROL [mobile]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Re: Routing not working, can't connect to lan devices
Posted: Sat Nov 11, 2017 9:22 pm
by TinCanTech
Re: Routing not working, can't connect to lan devices
Posted: Sun Nov 12, 2017 11:25 am
by robster
TinCanTech wrote: ↑Sat Nov 11, 2017 9:22 pm
Have you read these:
I followed the instructions and I solved it.
Those two pieces of routing information were missing:
route 192.168.0.0 255.255.255.0
client-config-dir /etc/openvpn
Plus I had to create a file that contains the iroute information for the client.
I can access my lan devices now.
Thanks TinCanTech
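Added example (not code from the thread, from robster, or from OpenVPN): a small checker that reads a server config plus the contents of its client-config-dir files and reports the three things this thread turns on: a pushed LAN route on a very common RFC1918 subnet (the NOTE TinCanTech quotes), the route / iroute / client-config-dir pairing OpenVPN uses to hand a subnet to one particular client, and duplicate-cn combined with a CCD (which the server log later warns about). The config text, the CCD contents and the path /etc/openvpn/ccd are constructed samples, not the poster's files.

```python
"""Sanity-check an OpenVPN server config and its client-config-dir (CCD) files.

Added example for this thread, not code from OpenVPN or from the posters.
Config text and CCD contents below are constructed samples; /etc/openvpn/ccd
is a placeholder path.
"""
import ipaddress
import shlex

# Subnets OpenVPN itself warns about in the server log NOTE.
COMMON_SUBNETS = (ipaddress.ip_network("192.168.0.0/24"),
                  ipaddress.ip_network("192.168.1.0/24"))


def parse_config(text):
    """Split config text into (directives, pushes).

    directives: list of (name, [args]); pushes: the quoted argument of every
    push line, e.g. 'route 192.168.0.0 255.255.255.0'.
    """
    directives, pushes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # OpenVPN comment lines
            continue
        parts = shlex.split(line)
        if parts[0] == "push":
            pushes.append(" ".join(parts[1:]))
        else:
            directives.append((parts[0], parts[1:]))
    return directives, pushes


def network(args):
    """Turn OpenVPN's 'NETWORK NETMASK' argument pair into an ip_network."""
    return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)


def check(config_text, ccd_files):
    """Return a list of human-readable findings.

    ccd_files maps a client CN to the text of its CCD file.
    """
    findings = []
    directives, pushes = parse_config(config_text)
    names = {name for name, _ in directives}
    routes = [network(a) for n, a in directives if n == "route" and len(a) >= 2]

    # 1. A pushed LAN route on a subnet that home routers and hotspots also use
    #    collides with the client's own local network.
    for push in pushes:
        parts = push.split()
        if parts[0] == "route" and len(parts) >= 3:
            net = network(parts[1:3])
            if net in COMMON_SUBNETS:
                findings.append(f"pushed route {net} is a very common subnet; "
                                "a client sitting on the same range gets a routing conflict")

    # 2. A subnet routed to a client needs client-config-dir plus an iroute in
    #    that client's CCD file, otherwise the server never learns which
    #    client owns the subnet.
    iroutes = {}
    for cn, text in ccd_files.items():
        for name, args in parse_config(text)[0]:
            if name == "iroute" and len(args) >= 2:
                iroutes[network(args)] = cn
    if routes and "client-config-dir" not in names:
        findings.append("route directives present but client-config-dir is missing")
    for net in routes:
        if net not in iroutes:
            findings.append(f"route {net} has no matching iroute in any CCD file")

    # 3. duplicate-cn lets many clients share one CN, so a per-CN CCD file
    #    (and the iroute in it) no longer identifies a single client.
    if "duplicate-cn" in names and "client-config-dir" in names:
        findings.append("duplicate-cn and client-config-dir together: "
                        "per-client iroutes become ambiguous")
    return findings


# Constructed sample, modelled on the server.conf in this thread.
SAMPLE_CONFIG = """\
dev tun
server 10.8.0.0 255.255.255.0
client-to-client
push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.0.0 255.255.255.0"
route 192.168.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
duplicate-cn
"""
# Constructed CCD file for the client whose certificate CN is "mobile".
SAMPLE_CCD = {"mobile": "iroute 192.168.0.0 255.255.255.0\n"}

if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG, SAMPLE_CCD):
        print("-", finding)
```

Run against the sample it reports the common-subnet conflict and the duplicate-cn / client-config-dir combination; drop the CCD dictionary and it additionally reports the route without an iroute, which is the state the thread was in before the fix.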
Re: Routing not working, can't connect to lan devices
Posted: Mon Nov 13, 2017 10:18 pm
by robster
Can I ask you one more thing? Even though it works, my log throws errors. Sooner or later this will have side effects I guess, so I'd better ask now.
First the log:
Code:
Mon Nov 13 22:53:07 2017 event_wait : Interrupted system call (code=4)
Mon Nov 13 22:53:07 2017 /sbin/ip route del 10.8.0.0/24
Mon Nov 13 22:53:07 2017 ERROR: Linux route delete command failed: external program did not exit normally
Mon Nov 13 22:53:07 2017 Closing TUN/TAP interface
Mon Nov 13 22:53:07 2017 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Mon Nov 13 22:53:07 2017 Linux ip addr del failed: external program exited with error status: 2
Mon Nov 13 22:53:07 2017 SIGTERM[hard,] received, process exiting
Mon Nov 13 22:53:07 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Mon Nov 13 22:53:07 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Mon Nov 13 22:53:07 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1195
Mon Nov 13 22:53:07 2017 WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail
Mon Nov 13 22:53:07 2017 WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Mon Nov 13 22:53:07 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon Nov 13 22:53:07 2017 Diffie-Hellman initialized with 2048 bit key
Mon Nov 13 22:53:07 2017 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Nov 13 22:53:07 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 13 22:53:07 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 13 22:53:07 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Nov 13 22:53:07 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:df:df:e5
Mon Nov 13 22:53:07 2017 TUN/TAP device tun0 opened
Mon Nov 13 22:53:07 2017 TUN/TAP TX queue length set to 100
Mon Nov 13 22:53:07 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Nov 13 22:53:07 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 13 22:53:07 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Nov 13 22:53:07 2017 /sbin/ip route add 192.168.0.0/24 via 10.8.0.2
RTNETLINK answers: File exists
Mon Nov 13 22:53:07 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Mon Nov 13 22:53:07 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mon Nov 13 22:53:07 2017 GID set to nogroup
Mon Nov 13 22:53:07 2017 UID set to nobody
Mon Nov 13 22:53:07 2017 UDPv4 link local (bound): [undef]
Mon Nov 13 22:53:07 2017 UDPv4 link remote: [undef]
Mon Nov 13 22:53:07 2017 MULTI: multi_init called, r=256 v=256
Mon Nov 13 22:53:07 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon Nov 13 22:53:07 2017 Initialization Sequence Completed
Mon Nov 13 22:53:08 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Mon Nov 13 22:53:08 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Mon Nov 13 22:53:08 2017 MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:1195: Address already in use
Mon Nov 13 22:53:08 2017 Exiting due to fatal error
Mon Nov 13 22:53:32 2017 event_wait : Interrupted system call (code=4)
Mon Nov 13 22:53:32 2017 /sbin/ip route del 10.8.0.0/24
RTNETLINK answers: Operation not permitted
Mon Nov 13 22:53:32 2017 ERROR: Linux route delete command failed: external program exited with error status: 2
Mon Nov 13 22:53:32 2017 Closing TUN/TAP interface
Mon Nov 13 22:53:32 2017 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Mon Nov 13 22:53:32 2017 Linux ip addr del failed: external program exited with error status: 2
Mon Nov 13 22:53:32 2017 SIGTERM[hard,] received, process exiting
Mon Nov 13 22:53:32 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Mon Nov 13 22:53:32 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Mon Nov 13 22:53:32 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1195
Mon Nov 13 22:53:32 2017 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon Nov 13 22:53:32 2017 Diffie-Hellman initialized with 2048 bit key
Mon Nov 13 22:53:32 2017 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Nov 13 22:53:32 2017 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 13 22:53:32 2017 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 13 22:53:32 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Nov 13 22:53:32 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:df:df:e5
Mon Nov 13 22:53:32 2017 TUN/TAP device tun0 opened
Mon Nov 13 22:53:32 2017 TUN/TAP TX queue length set to 100
Mon Nov 13 22:53:32 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Nov 13 22:53:32 2017 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 13 22:53:32 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Nov 13 22:53:33 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mon Nov 13 22:53:33 2017 GID set to nogroup
Mon Nov 13 22:53:33 2017 UID set to nobody
Mon Nov 13 22:53:33 2017 UDPv4 link local (bound): [undef]
Mon Nov 13 22:53:33 2017 UDPv4 link remote: [undef]
Mon Nov 13 22:53:33 2017 MULTI: multi_init called, r=256 v=256
Mon Nov 13 22:53:33 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon Nov 13 22:53:33 2017 Initialization Sequence Completed
Mon Nov 13 22:53:33 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Mon Nov 13 22:53:33 2017 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.08
Mon Nov 13 22:53:33 2017 MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:1195: Address already in use
Mon Nov 13 22:53:33 2017 Exiting due to fatal error
Mon Nov 13 22:55:08 2017 xxx.xxx.xxx.xxx:52548 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:52548, sid=4bc92b8f 775edc7e
Mon Nov 13 22:55:09 2017 xxx.xxx.xxx.xxx:52548 VERIFY OK: depth=1, CN=server
Mon Nov 13 22:55:09 2017 xxx.xxx.xxx.xxx:52548 VERIFY OK: depth=0, CN=mobile
Mon Nov 13 22:55:10 2017 xxx.xxx.xxx.xxx:52548 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 13 22:55:10 2017 xxx.xxx.xxx.xxx:52548 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 13 22:55:10 2017 xxx.xxx.xxx.xxx:52548 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 13 22:55:10 2017 xxx.xxx.xxx.xxx:52548 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Mon Nov 13 22:55:10 2017 xxx.xxx.xxx.xxx:52548 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA256, 2048 bit RSA
Mon Nov 13 22:55:10 2017 xxx.xxx.xxx.xxx:52548 [mobile] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:52548
Mon Nov 13 22:55:10 2017 mobile/xxx.xxx.xxx.xxx:52548 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mon Nov 13 22:55:10 2017 mobile/xxx.xxx.xxx.xxx:52548 MULTI: Learn: 10.8.0.6 -> mobile/xxx.xxx.xxx.xxx:52548
Mon Nov 13 22:55:10 2017 mobile/xxx.xxx.xxx.xxx:52548 MULTI: primary virtual IP for mobile/xxx.xxx.xxx.xxx:52548: 10.8.0.6
Mon Nov 13 22:55:11 2017 mobile/xxx.xxx.xxx.xxx:52548 PUSH: Received control message: 'PUSH_REQUEST'
Mon Nov 13 22:55:11 2017 mobile/xxx.xxx.xxx.xxx:52548 send_push_reply(): safe_cap=940
Mon Nov 13 22:55:11 2017 mobile/xxx.xxx.xxx.xxx:52548 SENT CONTROL [mobile]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Code:
MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:1195: Address already in use
Mon Nov 13 22:53:33 2017 Exiting due to fatal error
First of all I wonder why openvpn wants to bind MANAGEMENT to port 1195, because it already is bound, as you can see here:
Code:
sudo lsof -i TCP:1195
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
openvpn 5773 nobody 3u IPv4 25238 0t0 TCP localhost:1195 (LISTEN)
Code:
RTNETLINK answers: Operation not permitted
The second problem is that openvpn is not allowed to add or delete IP addresses. What should or can I do about it?
Could you please give me another hint here?
Re: Routing not working, can't connect to lan devices
Posted: Tue Nov 14, 2017 12:49 am
by TinCanTech
robster wrote: ↑Mon Nov 13, 2017 10:18 pm
MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:1195:
Address already in use
Mon Nov 13 22:53:33 2017 Exiting due to fatal error
Because openvpn is already running and using that port.
robster wrote: ↑Mon Nov 13, 2017 10:18 pm
RTNETLINK answers:
Operation not permitted
Because you are dropping privileges with:
and openvpn cannot make any more changes. (delete those lines and try it)
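Added example (not code from the thread, from TinCanTech, or from OpenVPN): a log triage function that pairs each failing /sbin/ip command with the RTNETLINK answer printed on the following line and attributes the failure the way the reply above does. "Operation not permitted" after "UID set to" / "GID set to" means the ip helper ran after --user/--group had dropped root; "File exists" on a route add means the kernel already had that route; a MANAGEMENT "Address already in use" means another openvpn process still holds the port. The log lines in the block are a constructed sample modelled on the ones robster posted.

```python
"""Classify route/address/management failures in an OpenVPN server log.

Added example for this thread, not code from OpenVPN or from the posters.
The sample log at the bottom is constructed, modelled on the posted log.
"""
import re

IP_CMD = re.compile(r"(/sbin/ip .+)$")                    # route/addr helper invocations
RTNETLINK = re.compile(r"^RTNETLINK answers: (.+)$")     # kernel's answer, next line
PRIV_DROP = re.compile(r"\b(UID|GID) set to \S+$")       # --user / --group took effect
BANNER = re.compile(r"\bOpenVPN \d+\.\d+")               # a new process starting up
MGMT_BIND = re.compile(r"MANAGEMENT: Socket bind failed on local address (\S+): (.+)$")


def triage(lines):
    """Return a list of (cause, evidence) tuples, one per attributed failure."""
    findings = []
    privs_dropped = False   # has this process logged 'UID set to' / 'GID set to'?
    last_ip_cmd = None      # most recent /sbin/ip command, awaiting its outcome
    for line in lines:
        line = line.rstrip()
        if BANNER.search(line):
            privs_dropped = False   # a fresh process starts as root again
            continue
        if PRIV_DROP.search(line):
            privs_dropped = True
            continue
        m = IP_CMD.search(line)
        if m:
            last_ip_cmd = m.group(1)
            continue
        m = RTNETLINK.match(line)
        if m and last_ip_cmd:
            answer = m.group(1)
            if answer == "Operation not permitted":
                cause = ("ip helper ran without root: --user/--group dropped privileges earlier"
                         if privs_dropped else
                         "ip helper lacked permission (no UID/GID drop seen in this run)")
            elif answer == "File exists" and " route add " in last_ip_cmd:
                cause = "route already present in the kernel table; the add is redundant"
            else:
                cause = f"netlink error: {answer}"
            findings.append((cause, last_ip_cmd))
            last_ip_cmd = None
            continue
        m = MGMT_BIND.search(line)
        if m and "Address already in use" in m.group(2):
            findings.append(("another openvpn process already listens on the management port",
                             m.group(1)))
    return findings


# Constructed sample: one run that drops privileges, its shutdown, and a second
# start that collides with the still-running first instance.
SAMPLE_LOG = [
    "Mon Nov 13 22:53:07 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] built on Jun 27 2017",
    "Mon Nov 13 22:53:07 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2",
    "Mon Nov 13 22:53:07 2017 /sbin/ip route add 192.168.0.0/24 via 10.8.0.2",
    "RTNETLINK answers: File exists",
    "Mon Nov 13 22:53:07 2017 ERROR: Linux route add command failed: external program exited with error status: 2",
    "Mon Nov 13 22:53:07 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2",
    "Mon Nov 13 22:53:07 2017 GID set to nogroup",
    "Mon Nov 13 22:53:07 2017 UID set to nobody",
    "Mon Nov 13 22:53:07 2017 Initialization Sequence Completed",
    "Mon Nov 13 22:53:32 2017 event_wait : Interrupted system call (code=4)",
    "Mon Nov 13 22:53:32 2017 /sbin/ip route del 10.8.0.0/24",
    "RTNETLINK answers: Operation not permitted",
    "Mon Nov 13 22:53:32 2017 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2",
    "RTNETLINK answers: Operation not permitted",
    "Mon Nov 13 22:53:32 2017 SIGTERM[hard,] received, process exiting",
    "Mon Nov 13 22:53:33 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] built on Jun 27 2017",
    "Mon Nov 13 22:53:33 2017 MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:1195: Address already in use",
    "Mon Nov 13 22:53:33 2017 Exiting due to fatal error",
]

if __name__ == "__main__":
    for cause, evidence in triage(SAMPLE_LOG):
        print(f"{cause}\n    evidence: {evidence}")
```

The function deliberately resets its privilege state on every startup banner, so the same "Operation not permitted" line is attributed to the privilege drop only when a "UID set to" / "GID set to" line was seen in the same process lifetime; on an excerpt that starts mid-shutdown it says so instead of guessing.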
Re: Routing not working, can't connect to lan devices
Posted: Wed Nov 15, 2017 8:03 pm
by robster
TinCanTech wrote: ↑Tue Nov 14, 2017 12:49 am
robster wrote: ↑Mon Nov 13, 2017 10:18 pm
MANAGEMENT: Socket bind failed on local address [AF_INET]127.0.0.1:1195:
Address already in use
Mon Nov 13 22:53:33 2017 Exiting due to fatal error
Because openvpn is already running and using that port.
Mhh, I really do not understand why openvpn is already running as I am stopping and starting it every time. Well, but then again, maybe it doesn't matter as the server is running well.
robster wrote: ↑Mon Nov 13, 2017 10:18 pm
RTNETLINK answers:
Operation not permitted
Because you are dropping privileges with:
and openvpn cannot make any more changes. (delete those lines and try it)
OK, but it is not bad that I am dropping privileges as far as I understand. So I guess this is an error which I can consider just a warning, right?
So I guess I'm happy.
Thanks again.
Re: Routing not working, can't connect to lan devices
Posted: Wed Nov 15, 2017 8:08 pm
by TinCanTech
It is an error not a warning ..
I presume you can connect to your LAN devices ..
Re: Routing not working, can't connect to lan devices
Posted: Wed Nov 15, 2017 8:13 pm
by robster
Those two pieces of routing information were missing:
route 192.168.0.0 255.255.255.0
client-config-dir /etc/openvpn
Plus I had to create a file that contains the iroute information for the client.
Yes, I worked it out by reading the documentation links you gave me. Three things were missing.