Connection Issues

taylorabc101 · Post by **taylorabc101** » Tue Aug 13, 2019 5:02 pm

I'm currently working on a dual homed config that should route all traffic through the tun interface. The vpn is sitting behind a dd-wrt router with port 23111 forwarded. The first server config works for 10 seconds and then the user loses access to everything within the local subnets (192 and 10). The second config just leaves the client unable to touch anything at all including the tun interface. Thank you for your time getting me straitened out.

Current broken configuration

dev tun
proto udp
port 23111
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_Yl0XwXX1dQ0rSxK7.crt
key /etc/openvpn/easy-rsa/pki/private/server_Yl0XwXX1dQ0rSxK7.key
#client-config-dir /etc/openvpn/ccd
dh none
topology subnet
server 10.8.0.0 255.255.255.0
route 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 192.168.0.100"
# Prevent DNS leaks on Windows
push "block-outside-dns"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
# log level
verb 3

Goal configuration

dev tun
proto udp
port 23111
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server_Yl0XwXX1dQ0rSxK7.crt
key /etc/openvpn/easy-rsa/pki/private/server_Yl0XwXX1dQ0rSxK7.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
# Set your primary domain name server address for clients
push "dhcp-option DNS 192.169.0.100"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
keepalive 1800 3600
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3

ifconfig

Code: Select all

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.199  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::ffe2:1360:e597:c5b6  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:d8:58:7a  txqueuelen 1000  (Ethernet)
        RX packets 568517  bytes 640844929 (611.1 MiB)
        RX errors 0  dropped 3452  overruns 0  frame 0
        TX packets 775716  bytes 685124423 (653.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::d0f1:873:e424:a71e  prefixlen 64  scopeid 0x20<link>
        ether 00:0e:c6:bc:42:0a  txqueuelen 1000  (Ethernet)
        RX packets 352507  bytes 115353595 (110.0 MiB)
        RX errors 3  dropped 3461  overruns 0  frame 3
        TX packets 174  bytes 10014 (9.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 fe80::9792:975f:f665:4185  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 46  bytes 3605 (3.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

IPtables

Code: Select all

Chain INPUT (policy ACCEPT 343K packets, 114M bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   392 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  !lo    *       127.0.0.0/8          0.0.0.0/0            reject-with icmp-port-unreachable
    4   240 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW icmptype 8
  525 58790 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 6006  484K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:22
 2484  482K ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED udp dpt:23111
   19  5987 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED udp spt:53
   19 16344 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED tcp spt:80
   24  1824 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED udp spt:123
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED tcp spt:443
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 255K   22M ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun+   eth0    0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
 512K  636M ACCEPT     all  --  eth0   tun+    0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
  212 51972 ACCEPT     all  --  eth1   tun+    0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   66  5800 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
   10   776 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 4804  736K ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            state ESTABLISHED tcp spt:22
 499K  642M ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            state ESTABLISHED udp spt:23111
   19  1367 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED udp dpt:53
12572  663K ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:80
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED tcp dpt:443
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0
  655 55172 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0


Nat table

Chain PREROUTING (policy ACCEPT 15548 packets, 1918K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 2153 packets, 283K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 235 packets, 18648 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 238 packets, 18828 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5205 1200K MASQUERADE  all  --  *      eth0    10.8.0.0/24          0.0.0.0/0

Routes

Code: Select all

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    202    0        0 eth0
0.0.0.0         10.8.0.1        0.0.0.0         UG    203    0        0 eth1
10.0.0.0        0.0.0.0         255.255.255.0   U     203    0        0 eth1
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.8.0.1        0.0.0.0         255.255.255.255 UH    203    0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0