[Debian6] Good .conf / No incoming from internet to client

[BrandonS]

Hello,

I managed to set up OpenVPN on my Debian 6.0.3 Squeeze server. I never had any issue about connecting to the server, it just works well. Congratulations to all the Dev. Team and all the Contributors to this great pice of software.

Unfortunately, despite of all the Tutorials and How-to's I have read (beginning by the Official one), I'm unable to receive any package from internet while connected to my OpenVPN server. I have triple-check everything, and found a bug wich is not really annoying.

My local ip is fixed to 192.168.0.8 .

To begin with, here are all my files:

- On the server side -> /etc/openvpn/server.conf

Code: Select all

;local a.b.c.d

port 1194

;proto tcp
proto udp

;dev tap
dev tun

;dev-node MyTap

ca ca.crt
cert serv.crt
key serv.key

dh dh2048.pem  # Yes I'm pretty paranoid

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

;server-bridge

;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

;learn-address ./script

push "redirect-gateway def1"

push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option DNS 10.8.0.1"

;client-to-client

;duplicate-cn

keepalive 10 120

;tls-auth ta.key 0 # This file is secret

;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

comp-lzo

;max-clients 100

;user nobody
;group nogroup

persist-key
persist-tun

status openvpn-status.log

;log         openvpn.log
;log-append  openvpn.log

verb 3

;mute 20

- On the server side -> /etc/sysctl.conf

Code: Select all

#kernel.domainname = example.com
#kernel.printk = 3 4 1 3
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
#net.ipv4.tcp_syncookies=1

net.ipv4.ip_forward=1

#net.ipv6.conf.all.forwarding=1
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#net.ipv4.conf.all.log_martians = 1

- On the server side -> /etc/init.d/openvpn

Code: Select all

#Only thing changed is:
AUTOSTART="none"

- On the server side -> /etc/rc.local

Code: Select all

#!/bin/sh -e
#
#

iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -t filter -A INPUT -p tcp -dport80 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

exit 0

- On the client side -> /etc/openvpn/client.conf

Code: Select all

client

;dev tap
dev tun

;dev-node MyTap

;proto tcp
proto udp

remote [I prefer to hide my server ip] 1194
;remote my-server-2 1194

;remote-random

resolv-retry infinite

nobind

;user nobody
;group nogroup

persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

mute-replay-warnings

ca ca.crt
cert personne.crt
key personne.key

ns-cert-type server

;tls-auth ta.key 1

Updates- Added the logs on both sides:

Client side:

Code: Select all

# openvpn client.conf
Wed Nov  9 20:31:12 2011 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 21 2010
Wed Nov  9 20:31:12 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Enter Private Key Password:
Wed Nov  9 20:31:18 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Nov  9 20:31:18 2011 /usr/bin/openssl-vulnkey -q -b 2048 -m <modulus omitted>
Wed Nov  9 20:31:19 2011 LZO compression initialized
Wed Nov  9 20:31:19 2011 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Nov  9 20:31:19 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Nov  9 20:31:19 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Nov  9 20:31:19 2011 Local Options hash (VER=V4): '69109d17'
Wed Nov  9 20:31:19 2011 Expected Remote Options hash (VER=V4): 'c0103fa8'
Wed Nov  9 20:31:19 2011 Attempting to establish TCP connection with [AF_INET](myserverip):1194 [nonblock]
Wed Nov  9 20:31:20 2011 TCP connection established with [AF_INET](myserverip):1194
Wed Nov  9 20:31:20 2011 TCPv4_CLIENT link local: [undef]
Wed Nov  9 20:31:20 2011 TCPv4_CLIENT link remote: [AF_INET](myserverip):1194
Wed Nov  9 20:31:20 2011 TLS: Initial packet from [AF_INET](myserverip):1194, sid=2e70ecd6 8e4501ce
Wed Nov  9 20:31:20 2011 VERIFY OK: depth=1, (prefer to hide those data)
Wed Nov  9 20:31:20 2011 VERIFY OK: nsCertType=SERVER
Wed Nov  9 20:31:20 2011 VERIFY OK: depth=0, (prefer to hide those data)
Wed Nov  9 20:31:22 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Nov  9 20:31:22 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov  9 20:31:22 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Nov  9 20:31:22 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov  9 20:31:22 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Nov  9 20:31:22 2011 [victoire] Peer Connection Initiated with [AF_INET](myserverip):1194
Wed Nov  9 20:31:24 2011 SENT CONTROL [victoire]: 'PUSH_REQUEST' (status=1)
Wed Nov  9 20:31:24 2011 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Nov  9 20:31:24 2011 OPTIONS IMPORT: timers and/or timeouts modified
Wed Nov  9 20:31:24 2011 OPTIONS IMPORT: --ifconfig/up options modified
Wed Nov  9 20:31:24 2011 OPTIONS IMPORT: route options modified
Wed Nov  9 20:31:24 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Nov  9 20:31:24 2011 ROUTE default_gateway=192.168.0.254
Wed Nov  9 20:31:24 2011 TUN/TAP device tun0 opened
Wed Nov  9 20:31:24 2011 TUN/TAP TX queue length set to 100
Wed Nov  9 20:31:24 2011 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Wed Nov  9 20:31:24 2011 /sbin/route add -net (myserverip) netmask 255.255.255.255 gw 192.168.0.254
Wed Nov  9 20:31:24 2011 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Wed Nov  9 20:31:24 2011 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.5
Wed Nov  9 20:31:24 2011 /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.5
Wed Nov  9 20:31:24 2011 Initialization Sequence Completed

On server side:

Code: Select all

# openvpn server.conf
Wed Nov  9 19:31:20 2011 OpenVPN 2.1.3 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Oct 21 2010
Wed Nov  9 19:31:20 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Nov  9 19:31:20 2011 Diffie-Hellman initialized with 2048 bit key
Wed Nov  9 19:31:20 2011 /usr/bin/openssl-vulnkey -q -b 2048 -m <modulus omitted>
Wed Nov  9 19:31:21 2011 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Nov  9 19:31:21 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Nov  9 19:31:21 2011 ROUTE default_gateway=92.243.7.254
Wed Nov  9 19:31:21 2011 TUN/TAP device tun1 opened
Wed Nov  9 19:31:21 2011 TUN/TAP TX queue length set to 100
Wed Nov  9 19:31:21 2011 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Wed Nov  9 19:31:21 2011 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
SIOCADDRT: File exists
Wed Nov  9 19:31:21 2011 ERROR: Linux route add command failed: external program exited with error status: 7
Wed Nov  9 19:31:21 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Nov  9 19:31:21 2011 Listening for incoming TCP connection on [undef]
Wed Nov  9 19:31:21 2011 TCPv4_SERVER link local (bound): [undef]
Wed Nov  9 19:31:21 2011 TCPv4_SERVER link remote: [undef]
Wed Nov  9 19:31:21 2011 MULTI: multi_init called, r=256 v=256
Wed Nov  9 19:31:21 2011 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Nov  9 19:31:21 2011 IFCONFIG POOL LIST
Wed Nov  9 19:31:21 2011 brandon,10.8.0.4
Wed Nov  9 19:31:21 2011 MULTI: TCP INIT maxclients=1024 maxevents=1028
Wed Nov  9 19:31:21 2011 Initialization Sequence Completed
Wed Nov  9 19:31:45 2011 MULTI: multi_create_instance called
Wed Nov  9 19:31:45 2011 Re-using SSL/TLS context
Wed Nov  9 19:31:45 2011 LZO compression initialized
Wed Nov  9 19:31:45 2011 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Nov  9 19:31:45 2011 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Nov  9 19:31:45 2011 Local Options hash (VER=V4): 'c0103fa8'
Wed Nov  9 19:31:45 2011 Expected Remote Options hash (VER=V4): '69109d17'
Wed Nov  9 19:31:45 2011 TCP connection established with [AF_INET](myip):56025
Wed Nov  9 19:31:45 2011 TCPv4_SERVER link local: [undef]
Wed Nov  9 19:31:45 2011 TCPv4_SERVER link remote: [AF_INET](myip):56025
Wed Nov  9 19:31:46 2011 82.226.128.64:56025 TLS: Initial packet from [AF_INET](myip):56025, sid=78387fb5 7fc0cdbb
Wed Nov  9 19:31:47 2011 82.226.128.64:56025 VERIFY OK: depth=1,  (hiden data)
Wed Nov  9 19:31:47 2011 82.226.128.64:56025 VERIFY OK: depth=0, (hiden data)
Wed Nov  9 19:31:47 2011 (myip):56025 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Nov  9 19:31:47 2011 (myip):56025 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov  9 19:31:47 2011 (myip):56025 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Nov  9 19:31:47 2011 (myip):56025 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov  9 19:31:48 2011 (myip):56025 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Nov  9 19:31:48 2011 (myip):56025 [brandon] Peer Connection Initiated with [AF_INET](myip):56025
Wed Nov  9 19:31:48 2011 brandon/(myip):56025 MULTI: Learn: 10.8.0.6 -> brandon/(myip):56025
Wed Nov  9 19:31:48 2011 brandon/(myip):56025 MULTI: primary virtual IP for brandon/(myip):56025: 10.8.0.6
Wed Nov  9 19:31:50 2011 brandon/(myip):56025 PUSH: Received control message: 'PUSH_REQUEST'
Wed Nov  9 19:31:50 2011 brandon/(myip):56025 SENT CONTROL [brandon]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

Ping on client side :

Code: Select all

~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

Ping on server side:

Code: Select all

~# tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 65535 bytes
19:39:15.826574 IP google-public-dns-a.google.com > 10.8.0.6: ICMP echo reply, id 4633, seq 1, length 64
19:39:16.836724 IP google-public-dns-a.google.com > 10.8.0.6: ICMP echo reply, id 4633, seq 2, length 64
19:39:17.845847 IP google-public-dns-a.google.com > 10.8.0.6: ICMP echo reply, id 4633, seq 3, length 64
19:39:18.850584 IP google-public-dns-a.google.com > 10.8.0.6: ICMP echo reply, id 4633, seq 4, length 64
19:39:19.858886 IP google-public-dns-a.google.com > 10.8.0.6: ICMP echo reply, id 4633, seq 5, length 64

The boung I found is that one: https://bugs.archlinux.org/task/24466
So even if I set /proc/sys/net/ipv4/ip_forward to "1", it will reset to 0 after reboot.

The bug is fixed in 1.4.12-1 version of iptables, but the stable package available in Squeeze is 1.4.8-3 . And I do not want to install anything unstable on my server! But it doesn't mater since I rarely plan to reboot my server, and if needed I can set it to "1" myself.

Also, I have openned the 1194 UDP port on my internet broadcaster firewall at home.

If you want me to ping something or to sniffer a package so you could help me, let me know!

[Mimiko]

I'm unable to receive any package from internet while connected to my OpenVPN server.

I didn't understood. Who cant receive packets: client or server? What does not work?

[Bebop]

Heya Mimiko, I think what BrandonS means is that the tunnel to Internet is not working (eg - anonymous web surfing).

BrandonS can you confirm if this is true? By the way, you did well so far, most of it looks pretty good (no errors in logs).

The weak point might be your IPTABLES implementation. Check this page just to be sure you got all bases covered: topic7722.html

Compare yours to mine:

Mine

Code: Select all

iptables -A INPUT -p udp --dport 1194 -j ACCEPT  
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT     
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

Yours

Code: Select all

iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -t filter -A INPUT -p tcp -dport80 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

To comment further, I don't think you will need 3 instances of masquerade, just 1 is enough (so, remove the 2 unnecessary masquerades, and remember to execute the shell script after making the change).