Gentoo Forums
[solved] openvpn no internet connection
Gentoo Forums Forum Index :: Networking & Security
Prof. Frink
n00b
Joined: 07 Jan 2017
Posts: 69

PostPosted: Sun Aug 13, 2017 5:55 pm    Post subject: [solved] openvpn no internet connection

Hey,

I don't get openvpn working. Here is my server.conf

Code:
port 1194
proto udp
dev tun
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key  # This file should be kept secret
dh ./easy-rsa2/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.178.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.178.1"
keepalive 10 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
push "explicit-exit-notify 3"


Here is my client.conf

Code:
client
dev tun
proto udp
remote xxx.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert falke.crt
key falke.key
remote-cert-tls server
comp-lzo
verb 3


Here is server.log, after connecting

Code:
Sun Aug 13 17:48:11 2017 event_wait : Interrupted system call (code=4)
Sun Aug 13 17:48:11 2017 /sbin/ip route del 10.8.0.0/24
RTNETLINK answers: Operation not permitted
Sun Aug 13 17:48:11 2017 ERROR: Linux route delete command failed: external program exited with error status: 2
Sun Aug 13 17:48:11 2017 Closing TUN/TAP interface
Sun Aug 13 17:48:11 2017 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
RTNETLINK answers: Operation not permitted
Sun Aug 13 17:48:11 2017 Linux ip addr del failed: external program exited with error status: 2
Sun Aug 13 17:48:11 2017 SIGTERM[hard,] received, process exiting
Sun Aug 13 17:48:11 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 27 2017
Sun Aug 13 17:48:11 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
Sun Aug 13 17:48:11 2017 Diffie-Hellman initialized with 2048 bit key
Sun Aug 13 17:48:11 2017 Socket Buffers: R=[163840->131072] S=[163840->131072]
Sun Aug 13 17:48:11 2017 ROUTE_GATEWAY 192.168.178.1/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:1f:08:23
Sun Aug 13 17:48:11 2017 TUN/TAP device tun0 opened
Sun Aug 13 17:48:11 2017 TUN/TAP TX queue length set to 100
Sun Aug 13 17:48:11 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Aug 13 17:48:11 2017 /sbin/ip link set dev tun0 up mtu 1500
Sun Aug 13 17:48:11 2017 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Sun Aug 13 17:48:11 2017 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Sun Aug 13 17:48:11 2017 GID set to openvpn
Sun Aug 13 17:48:11 2017 UID set to openvpn
Sun Aug 13 17:48:11 2017 UDPv4 link local (bound): [undef]
Sun Aug 13 17:48:11 2017 UDPv4 link remote: [undef]
Sun Aug 13 17:48:11 2017 MULTI: multi_init called, r=256 v=256
Sun Aug 13 17:48:11 2017 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sun Aug 13 17:48:11 2017 ifconfig_pool_read(), in='falke,10.8.0.4', TODO: IPv6
Sun Aug 13 17:48:11 2017 succeeded -> ifconfig_pool_set()
Sun Aug 13 17:48:11 2017 IFCONFIG POOL LIST
Sun Aug 13 17:48:11 2017 falke,10.8.0.4
Sun Aug 13 17:48:11 2017 Initialization Sequence Completed
Sun Aug 13 17:48:27 2017 92.195.103.53:35463 TLS: Initial packet from [AF_INET]92.195.103.53:35463, sid=3ee2128c 55b85d59
Sun Aug 13 17:48:28 2017 92.195.103.53:35463 VERIFY OK: depth=1, C=DE, ST=Berlin, L=Berlin, O=Frink inc., OU=Frink, CN=Frink inc. CA, name=EasyRSA, emailAddress=xxx
Sun Aug 13 17:48:28 2017 92.195.103.53:35463 VERIFY OK: depth=0, C=DE, ST=Berlin, L=Berlin, O=Frink inc., OU=Frink, CN=falke, name=EasyRSA, emailAddress=xxx
Sun Aug 13 17:48:29 2017 92.195.103.53:35463 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Aug 13 17:48:29 2017 92.195.103.53:35463 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Aug 13 17:48:29 2017 92.195.103.53:35463 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Aug 13 17:48:29 2017 92.195.103.53:35463 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Aug 13 17:48:29 2017 92.195.103.53:35463 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Aug 13 17:48:29 2017 92.195.103.53:35463 [falke] Peer Connection Initiated with [AF_INET]92.195.103.53:35463
Sun Aug 13 17:48:29 2017 falke/92.195.103.53:35463 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Sun Aug 13 17:48:29 2017 falke/92.195.103.53:35463 MULTI: Learn: 10.8.0.6 -> falke/92.195.103.53:35463
Sun Aug 13 17:48:29 2017 falke/92.195.103.53:35463 MULTI: primary virtual IP for falke/92.195.103.53:35463: 10.8.0.6
Sun Aug 13 17:48:30 2017 falke/92.195.103.53:35463 PUSH: Received control message: 'PUSH_REQUEST'
Sun Aug 13 17:48:30 2017 falke/92.195.103.53:35463 send_push_reply(): safe_cap=940
Sun Aug 13 17:48:30 2017 falke/92.195.103.53:35463 SENT CONTROL [falke]: 'PUSH_REPLY,route 192.168.178.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.178.1,explicit-exit-notify 3,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)


ping google.de on client fails: "unknown host google.de"

Any ideas about this?

Thank you.


Last edited by Prof. Frink on Tue Aug 15, 2017 10:55 am; edited 1 time in total
fpemud
Apprentice
Joined: 15 Feb 2012
Posts: 264

PostPosted: Sun Aug 13, 2017 7:41 pm

1. what is the result of "ping 8.8.8.8"?
2. what is the result of "cat /etc/resolv.conf"?
Prof. Frink
n00b
Joined: 07 Jan 2017
Posts: 69

PostPosted: Sun Aug 13, 2017 7:49 pm

fpemud wrote:
1. what is the result of "ping 8.8.8.8"?

Code:
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
213 packets transmitted, 0 received, 100% packet loss, time 217125ms


Quote:
2. what is the result of "cat /etc/resolv.conf"?

Code:
# cat /etc/resolv.conf
# Generated by openvpn for interface tun0
nameserver 192.168.178.1
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

PostPosted: Mon Aug 14, 2017 6:11 am

Hi,

Please add "pull" to your client config and afterwards post the output of "ifconfig -a", "netstat -rn" and maybe a traceroute to 8.8.8.8.

greets, bb

EDIT: Oh and btw, does your router know the way to your openvpn network? I guess not, looks like a Fritz!Box ip address ;) In this case, a bridged configuration could be an option for you. Let me know, if you want to try it.
_________________
1st: i5-4570, 16GB, 1.75TB
2nd: i5-4570, 16GB, 620GB
3rd: i5-4570, 16GB, 10,5TB
4th: Asus N61VN, 8GB, 240GB
5th: C2D T7200, 2GB, 16GB USB + NFS
Prof. Frink
n00b
Joined: 07 Jan 2017
Posts: 69

PostPosted: Mon Aug 14, 2017 2:20 pm

Code:

#ifconfig -a
enp0s25: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 8c:73:6e:db:6e:b9  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  memory 0xf2400000-f2420000 

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Lokale Schleife)
        RX packets 192  bytes 15552 (15.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 192  bytes 15552 (15.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

sit0: flags=128<NOARP>  mtu 1480
        sit  txqueuelen 1  (IPv6-nach-IPv4)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.6  netmask 255.255.255.255  destination 10.8.0.5
        inet6 fe80::f6ee:debc:7f57:50ee  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 65  bytes 6323 (6.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp16s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.104  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 fe80::bf1c:2d45:eb5e:30ff  prefixlen 64  scopeid 0x20<link>
        ether 18:3d:a2:0d:bb:b0  txqueuelen 1000  (Ethernet)
        RX packets 362229  bytes 494397580 (471.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 172105  bytes 17042500 (16.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0



Code:
 # netstat -rn
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0 wlp16s0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
92.195.17.137   192.168.2.1     255.255.255.255 UGH       0 0          0 wlp16s0
128.0.0.0       10.8.0.5        128.0.0.0       UG        0 0          0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp16s0
192.168.178.0   10.8.0.5        255.255.255.0   UG        0 0          0 tun0


Code:
traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  24.414 ms  24.417 ms  24.418 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *


Yes, I use a FritzBox. What do you mean by "bridged configuration"?

Thank you.
bbgermany
Veteran
Joined: 21 Feb 2005
Posts: 1785
Location: Oranienburg/Germany

PostPosted: Tue Aug 15, 2017 6:15 am
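A check over the routing table posted above, as an added example that is not from the thread: it reads netstat -rn by column position (the headers in the post are German) and confirms the two 128.0.0.0-mask halves that "redirect-gateway def1" installs via the tunnel, the untouched physical default route, and the host route that keeps the VPN server itself reachable outside the tunnel. The sample is a copy of the table from this post; the tunnel interface name is a parameter. When all three are present, as they are here, the client side is doing what the server pushed, and unanswered traffic points at forwarding or the return path on the server side.

```shell
#!/bin/sh
# Sample input: the client's 'netstat -rn' output as posted in the thread.
SAMPLE_NETSTAT='Kernel IP Routentabelle
Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG        0 0          0 tun0
0.0.0.0         192.168.2.1     0.0.0.0         UG        0 0          0 wlp16s0
10.8.0.1        10.8.0.5        255.255.255.255 UGH       0 0          0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
92.195.17.137   192.168.2.1     255.255.255.255 UGH       0 0          0 wlp16s0
128.0.0.0       10.8.0.5        128.0.0.0       UG        0 0          0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp16s0
192.168.178.0   10.8.0.5        255.255.255.0   UG        0 0          0 tun0'

# def1_state TUN_IFACE  < netstat-rn-output
# Prints "def1-ok via <server-ip>" and exits 0 when the def1 layout is complete,
# otherwise prints no-def1 / no-phys-default / no-bypass and exits 1.
# Only column positions are used, so the locale of the headers does not matter.
def1_state() {
    awk -v vi="$1" '
        # the two /1 routes (genmask 128.0.0.0) that def1 adds via the tunnel
        NR > 2 && $NF == vi && $3 == "128.0.0.0" { half[$1] = 1 }
        # the original default route (genmask 0.0.0.0) must survive on the physical interface
        NR > 2 && $NF != vi && $3 == "0.0.0.0"   { phys = 1 }
        # a host route (H flag) off the tunnel: the VPN server bypassing its own tunnel
        NR > 2 && $NF != vi && $4 ~ /H/          { bypass = $1 }
        END {
            if (!(("0.0.0.0" in half) && ("128.0.0.0" in half))) { print "no-def1"; exit 1 }
            if (!phys)   { print "no-phys-default"; exit 1 }
            if (!bypass) { print "no-bypass"; exit 1 }
            print "def1-ok via " bypass
        }'
}
```

On a live client run `netstat -rn | def1_state tun0` (or feed `ip route` converted to the same columns) after the connection is established.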

The problem is, your FritzBox doesn't know the way to your OpenVPN network. That's why you cannot access anything via the VPN. A bridged configuration means that your local DHCP server can provide IPs from your network to the VPN client. So you could get a 192.168.178.x IP address from your FritzBox. You can also try to run an iptables rule instead. But you would mask all VPN traffic on your OpenVPN server then.

Please replace eth0 with your server interface!

iptables rule:
Code:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Don't forget to enable IP forwarding.

Do you use openvpn for your wireless lan, or to access your lan via the internet? If you use it via the internet, this config could be one for you:

/etc/conf/net (server):
Code:

config_eth0="null"

tuntap_tap0="tap"
config_tap0="null"

config_br0="192.168.178.X/24" # enter your openvpn server ip address
routes_br0="default via 192.168.178.1"
bridge_forward_delay_br0=0
bridge_hello_time_br0=1000
bridge_stp_state_br0=1

bridge_br0="eth0"

depend_tap0() {
        need net.br0
        }

depend_br0() {
        need net.eth0
        }

depend_openvpn() {
        need net.tap0
        }


postup() {
        brctl addif br0 tap0
        }


openvpn server config:
Code:

port 1194
proto udp
dev tap0
dev-type tap
mode server
ca ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key ./easy-rsa2/keys/server.key
dh ./easy-rsa2/keys/dh2048.pem
comp-lzo
verb 2
status-version 2
status /etc/openvpn/openvpn-status.log
client-config-dir /etc/openvpn/ccd
persist-key
persist-tun
reneg-sec 1200
keepalive 10 120
client-to-client
duplicate-cn
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
remote-cert-tls client



client config:
Code:

client
dev tap
proto tcp-client
remote your-server.org 1194 # dont forget to replace!!!
nobind
persist-key
persist-tun
ca ca.crt
cert falke.crt
key falke.key
key-direction 1
comp-lzo
verb 2
pull
tls-client
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
remote-cert-tls server
tls-version-min 1.2


You should create a TLS key as well and add it to your server and client config as well. If you have issues with the bridged configuration, let me know. You should just increase the verbosity then to at least 3, better 4.

greets bb
Prof. Frink
n00b
Joined: 07 Jan 2017
Posts: 69

PostPosted: Tue Aug 15, 2017 10:55 am
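The MASQUERADE rule above, as an added example that is not bbgermany's own script: the source is limited to the VPN subnet so the server does not NAT anything else it happens to forward, and the FORWARD rules only let the LAN side answer connections the VPN clients opened. Interface and subnet names (tun0, eth0, 10.8.0.0/24) are assumptions taken from this thread's server.conf; the file-path parameter of the forwarding check exists only so it can be exercised on a plain file.

```shell
#!/bin/sh
# Run as root on the OpenVPN server. Override the assumed names via the environment.
VPN_NET="${VPN_NET:-10.8.0.0/24}"   # 'server 10.8.0.0 255.255.255.0' in server.conf
VPN_IF="${VPN_IF:-tun0}"            # the server's tunnel interface
LAN_IF="${LAN_IF:-eth0}"            # interface towards the FritzBox
IPT="${IPT:-iptables}"              # set IPT=echo to preview the commands without root

# ip_forward_enabled [FILE]: true when the kernel forwards IPv4 (FILE is for testing only).
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1     # persist it in /etc/sysctl.conf as well
}

# vpn_rules: one "table chain rule-spec" per line, so the same text can be
# reviewed, added (-A), checked (-C) and later removed (-D).
vpn_rules() {
    cat <<EOF
nat POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE
filter FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -j ACCEPT
filter FORWARD -i $LAN_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# apply_vpn_rules: idempotent; a rule is appended only when -C reports it absent.
apply_vpn_rules() {
    vpn_rules | while read -r table chain spec; do
        # $spec is deliberately unquoted: it must be split into iptables arguments
        $IPT -t "$table" -C "$chain" $spec 2>/dev/null ||
        $IPT -t "$table" -A "$chain" $spec
    done
}

if [ "${1:-}" = "apply" ]; then
    ip_forward_enabled || enable_forwarding
    apply_vpn_rules
fi
```

The MASQUERADE line replaces the source 10.8.0.x with the server's LAN address, which is why the FritzBox no longer needs a route back to the VPN subnet; the ESTABLISHED,RELATED rule is what still lets those answers through when the FORWARD policy is DROP.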

Hey,

with the iptables rule enabled everything works fine, so I will leave everything as it is and won't switch to the bridged configuration. Thank you very much.

Greets

Frink