Page 1 of 1
Every thing configured, client connected, but no trafic
Posted: Fri Sep 30, 2011 11:49 pm
by maestro
Hello, here is the scenario :
My local computer : windows 7
a dedicated server hosted somewhere : debian
a virtual machine on my local computer : windows XP
I installed and configured OpenVPN and dnsmasq on the debian server, and OpenVPN Gui on the virtual machine.
here is the server configuration on /etc/openvpn/server.conf:
Code: Select all
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
here is the content of /etc/rc.local
Code: Select all
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/etc/init.d/dnsmasq restart
exit 0
and the virtual machine client1.ovpn
Code: Select all
client
dev tun
dev-node tap
proto udp
remote ____IP_____ 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"
ns-cert-type server
comp-lzo
verb 3
When I run OpenVPN GUI on the virtual machine, he connect very well to the server with no errors, but after that, I'm unable to use internet.
I can Ping 10.8.0.6, but any ping to an external IP the request time out.
Here is the OpenVPN Gui connection log:
Code: Select all
Fri Sep 30 16:25:35 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul 1 2011
Fri Sep 30 16:25:35 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Sep 30 16:25:35 2011 LZO compression initialized
Fri Sep 30 16:25:35 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Sep 30 16:25:35 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Sep 30 16:25:35 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Sep 30 16:25:36 2011 Local Options hash (VER=V4): '41690919'
Fri Sep 30 16:25:36 2011 Expected Remote Options hash (VER=V4): '530fdded'
Fri Sep 30 16:25:36 2011 UDPv4 link local: [undef]
Fri Sep 30 16:25:36 2011 UDPv4 link remote: ____IP____:1194
Fri Sep 30 16:25:36 2011 TLS: Initial packet from ____IP____:1194, sid=08d0fe98 9073db29
Fri Sep 30 16:25:37 2011 VERIFY OK: depth=1, /C=__/ST=__/L=__/O=____/CN=____/emailAddress=___@___.__
Fri Sep 30 16:25:37 2011 VERIFY OK: nsCertType=SERVER
Fri Sep 30 16:25:37 2011 VERIFY OK: depth=0, /C=__/ST=__/L=_____/O=______/CN=server/emailAddress=____@_____.__
Fri Sep 30 16:25:40 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 30 16:25:40 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 30 16:25:40 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Sep 30 16:25:40 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 30 16:25:40 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 30 16:25:40 2011 [server] Peer Connection Initiated with ____IP____:1194
Fri Sep 30 16:25:42 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Fri Sep 30 16:25:42 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Fri Sep 30 16:25:42 2011 OPTIONS IMPORT: timers and/or timeouts modified
Fri Sep 30 16:25:42 2011 OPTIONS IMPORT: --ifconfig/up options modified
Fri Sep 30 16:25:42 2011 OPTIONS IMPORT: route options modified
Fri Sep 30 16:25:42 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Fri Sep 30 16:25:42 2011 ROUTE default_gateway=10.0.2.2
Fri Sep 30 16:25:42 2011 TAP-WIN32 device [tap] opened: \\.\Global\{53877D45-021D-4D2B-A4A9-27829394F7B7}.tap
Fri Sep 30 16:25:42 2011 TAP-Win32 Driver Version 9.8
Fri Sep 30 16:25:42 2011 TAP-Win32 MTU=1500
Fri Sep 30 16:25:42 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {53877D45-021D-4D2B-A4A9-27829394F7B7} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Fri Sep 30 16:25:42 2011 Successful ARP Flush on interface [3] {53877D45-021D-4D2B-A4A9-27829394F7B7}
Fri Sep 30 16:25:47 2011 TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
Fri Sep 30 16:25:47 2011 Route: Waiting for TUN/TAP interface to come up...
Fri Sep 30 16:25:52 2011 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Fri Sep 30 16:25:52 2011 C:\WINDOWS\system32\route.exe ADD ____IP____ MASK 255.255.255.255 10.0.2.2
Fri Sep 30 16:25:52 2011 Route addition via IPAPI succeeded [adaptive]
Fri Sep 30 16:25:52 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Fri Sep 30 16:25:52 2011 Route addition via IPAPI succeeded [adaptive]
Fri Sep 30 16:25:52 2011 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Fri Sep 30 16:25:52 2011 Route addition via IPAPI succeeded [adaptive]
Fri Sep 30 16:25:52 2011 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Fri Sep 30 16:25:52 2011 Route addition via IPAPI succeeded [adaptive]
Fri Sep 30 16:25:52 2011 Initialization Sequence Completed
So, where is the problem ?
Thanks in advance.
Re: Every thing configured, client connected, but no trafic
Posted: Sat Oct 01, 2011 9:09 pm
by janjust
looks like you're almost there... try the following from the client:
- ping 10.8.0.1
ping 8.8.8.8
nslookup 8.8.8.8
most likely your DNS resolution is not working properly - post the output of the commands above and we'll know.
Re: Every thing configured, client connected, but no trafic
Posted: Sat Oct 01, 2011 11:56 pm
by maestro
Hello,
Thank you for the answer.
Here is the output of the commands:
Code: Select all
C:\>ping 10.8.0.1
Pinging 10.8.0.1 with 32 bytes of data:
Reply from 10.8.0.1: bytes=32 time=198ms TTL=64
Reply from 10.8.0.1: bytes=32 time=199ms TTL=64
Reply from 10.8.0.1: bytes=32 time=202ms TTL=64
Reply from 10.8.0.1: bytes=32 time=201ms TTL=64
Ping statistics for 10.8.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 198ms, Maximum = 202ms, Average = 200ms
C:\>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>nslookup 8.8.8.8
*** Can't find server name for address 10.8.0.1: Non-existent domain
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.1.1: Timed out
*** Default servers are not available
Server: UnKnown
Address: 10.8.0.1
Name: google-public-dns-a.google.com
Address: 8.8.8.8
hmm hmm .. I thought I properly configure the DNS server.
For testing, I replaced the line
with the ones on the default config
Code: Select all
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
but now I get this results to the commands
Code: Select all
C:\>ping 10.8.0.1
Pinging 10.8.0.1 with 32 bytes of data:
Reply from 10.8.0.1: bytes=32 time=209ms TTL=64
Reply from 10.8.0.1: bytes=32 time=209ms TTL=64
Reply from 10.8.0.1: bytes=32 time=207ms TTL=64
Reply from 10.8.0.1: bytes=32 time=207ms TTL=64
Ping statistics for 10.8.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 207ms, Maximum = 209ms, Average = 208ms
C:\>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\>nslookup 8.8.8.8
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 208.67.222.222: Timed out
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 208.67.220.220: Timed out
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.1.1: Timed out
*** Default servers are not available
Server: UnKnown
Address: 208.67.222.222
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
.
And then tryed the GoogleDNS service, with the same result.
any suggestion ?
PS: I prefere use my own dns server.
Re: Every thing configured, client connected, but no trafic
Posted: Mon Oct 03, 2011 8:35 am
by janjust
the 'ping 8.8.8.8' did not work - then it's not a DNS issue (yet) but a routing issue.
I reread your rc.local file:
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
and there is a rule missing:
Code: Select all
iptables -A FORWARD -d 10.8.0.0/24 -j ACCEPT
alternatively, try it without any blocking rules on the FORWARD chain and make sure that IP forwarding is enabled:
Code: Select all
echo /proc/sys/net/ipv4/ip_forward
if it is not enabled then modify /etc/sysctl.cnf and run
Re: Every thing configured, client connected, but no trafic
Posted: Mon Oct 03, 2011 1:29 pm
by maestro
hello,
I added "iptables -A FORWARD -d 10.8.0.0/24 -j ACCEPT", disabled blocking on forward, IP forwarding is already enabled "cat /proc/sys/net/ipv4/ip_forward" gives 1, and still have the same result.
Re: Every thing configured, client connected, but no trafic
Posted: Mon Oct 03, 2011 8:48 pm
by janjust
doh, I meant 'cat .../ip_forward' of course.
can you run 'tcpdump -nnel -i eth0 host 8.8.8.8' on the server and then ping that host from the VPN client when connected. Do you see outgoing traffic?
Re: Every thing configured, client connected, but no trafic
Posted: Mon Oct 03, 2011 10:17 pm
by maestro
tcpdump -nnel -i eth0 host 8.8.8.8
Code: Select all
tcpdump: SIOCGIFHWADDR: No such device
The VPN server is on a VPS, made with OpenVZ virtualisation (with TUN/TAP enabled).
Re: Every thing configured, client connected, but no trafic
Posted: Mon Oct 03, 2011 10:42 pm
by janjust
then you're masquerading rule
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
does not make sense either - change 'eth0' to the network interface that is used by the VPS and try again with the masquerading rule.
Re: Every thing configured, client connected, but no trafic
Posted: Tue Oct 04, 2011 12:46 pm
by Mimiko
For OpenVZ, the masquarading must look like this:
Code: Select all
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 100.200.255.256 #Use your OpenVPN server's real external IP here
Read this link
topic7722.html on how to configure your OpenVZ VPS.
Re: Every thing configured, client connected, but no trafic
Posted: Tue Oct 04, 2011 12:55 pm
by maestro
Hello,
I just did this.
"tcpdump -nnel -i venet0 host 8.8.8.8", when pinging 8.8.8.8 from the connected client :
Code: Select all
tcpdump: WARNING: arptype 65535 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
08:53:17.585460 Out ethertype IPv4 (0x0800), length 76: 10.8.0.6 > 8.8.8.8: ICMP echo request, id 768, seq 5632, length 40
08:53:23.058836 Out ethertype IPv4 (0x0800), length 76: 10.8.0.6 > 8.8.8.8: ICMP echo request, id 768, seq 5888, length 40
08:53:28.069159 Out ethertype IPv4 (0x0800), length 76: 10.8.0.6 > 8.8.8.8: ICMP echo request, id 768, seq 6144, length 40
08:53:33.073409 Out ethertype IPv4 (0x0800), length 76: 10.8.0.6 > 8.8.8.8: ICMP echo request, id 768, seq 6400, length 40
on the client side, ping still time out
EDIT: I used venet0:0 instead of venet0, but both gives the same result
Re: Every thing configured, client connected, but no trafic
Posted: Tue Oct 04, 2011 12:58 pm
by janjust
does
Code: Select all
iptables -t nat -I POSTROUTING -o venet0 -j MASQUERADE
not work on VPS? hmmmm yet another reason to not like VPS
Re: Every thing configured, client connected, but no trafic
Posted: Tue Oct 04, 2011 1:17 pm
by maestro
janjust wrote:does
Code: Select all
iptables -t nat -I POSTROUTING -o venet0 -j MASQUERADE
not work on VPS? hmmmm yet another reason to not like VPS
Aaaha ! it's all good ! this one finaly does
tsuuu is was long.
Now you can like VPS
Now take a look at this
Code: Select all
C:\>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=218ms TTL=57
Reply from 8.8.8.8: bytes=32 time=216ms TTL=57
Reply from 8.8.8.8: bytes=32 time=216ms TTL=57
Reply from 8.8.8.8: bytes=32 time=218ms TTL=57
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 216ms, Maximum = 218ms, Average = 217ms
C:\>nslookup 8.8.8.8
*** Can't find server name for address 10.8.0.1: Non-existent domain
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.1.1: Timed out
*** Default servers are not available
Server: UnKnown
Address: 10.8.0.1
Name: google-public-dns-a.google.com
Address: 8.8.8.8
on /etc/openvpn/server.conf I use
this seems ok to you ?
Re: Every thing configured, client connected, but no trafic
Posted: Tue Oct 04, 2011 2:04 pm
by janjust
you've configured a name server on 10.8.0.1 yet the address 10.8.0.1 does not have a DNS name itself - nslookup will complain about this, but name resolution will work. Go to
http://www.whatismyip.com to check if traffic is redirected via the VPN now.
Re: Every thing configured, client connected, but no trafic
Posted: Tue Oct 04, 2011 2:16 pm
by maestro
Yes it work fine, all trafic (http, ftp, ...) is redirected.
Thank you very much.
Re: Every thing configured, client connected, but no trafic
Posted: Fri Oct 07, 2011 12:07 am
by maestro
Hello again,
Well, last time was just good lock ?
I formated the remote vps, now with debian 6 (it was debian 5 before), installed openvpn, configured it exactly as the first time, and now, again, the client connect but no trafic.
on ping 8.8.8.8, requet time out, and on the server side :
tcpdump -nnel -i venet0 host 8.8.8.8
Code: Select all
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
03:59:29.216881 Out ethertype IPv4 (0x0800), length 76: 10.8.0.6 > 8.8.8.8: ICMP echo request, id 768, seq 39936, length 40
03:59:34.221083 Out ethertype IPv4 (0x0800), length 76: 10.8.0.6 > 8.8.8.8: ICMP echo request, id 768, seq 40192, length 40
03:59:39.228496 Out ethertype IPv4 (0x0800), length 76: 10.8.0.6 > 8.8.8.8: ICMP echo request, id 768, seq 40448, length 40
any idea ?
Re: Every thing configured, client connected, but no trafic
Posted: Fri Oct 07, 2011 5:15 am
by Mimiko
Enable forwarding, check firewall table. I suppose you took same config files for OpenVPN.