How to tunnel all traffic through an OpenVPN Server?
I'm trying to get all traffic to be routed through the VPN so that the OpenVPN Server's IP address is what shows up when I'm browsing the internet.
Not that it should matter, but we're using password based authentication via a PAM module. That PAM module makes an HTTP call to a website to validate things.
This is my OpenVPN Server Configuration:
port 1194
proto udp
dev tun
dh keys/dh2048.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
;topology subnet
server 10.8.0.0 255.255.255.0
;route 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
;duplicate-cn
;max-clients 30
;user nobody
;group nogroup
;mute 20
;explicit-exit-notify 1
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verify-client-cert optional
push "redirect-gateway def1"
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
;push "route 10.8.0.0 255.255.255.0"
This is my client OpenVPN configuration:
client
dev tun
proto udp
remote MY_SERVERS_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cipher AES-256-CBC
comp-lzo
redirect-gateway def1
verb 3
auth-user-pass
This is what iptables --list looks like:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- ip-10-8-0-0.ec2.internal/24 anywhere ctstate NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
These iptables entries were created with:
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
This is what ifconfig looks like on the OpenVPN Server:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 172.26.12.92 netmask 255.255.240.0 broadcast 172.26.15.255
inet6 fe80::89c:e4ff:feab:ccce prefixlen 64 scopeid 0x20<link>
ether 0a:9c:e4:ab:cc:ce txqueuelen 1000 (Ethernet)
RX packets 219194 bytes 218590052 (218.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 98397 bytes 11103942 (11.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 4886 bytes 669299 (669.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4886 bytes 669299 (669.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::ef51:ccb3:ccc0:f02b prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 144 (144.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
IP Forwarding is enabled:
ubuntu@ip-172-26-2-31:~$ cat /proc/sys/net/ipv4/ip_forward
1
This is what I see in my client log:
Wed Jun 05 07:40:02 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Wed Jun 05 07:40:02 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Jun 05 07:40:02 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Wed Jun 05 07:40:02 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed Jun 05 07:40:02 2019 Need hold release from management interface, waiting...
Wed Jun 05 07:40:03 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'state on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'log all on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'echo all on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'bytecount 5'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'hold off'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'hold release'
Wed Jun 05 07:40:04 2019 MANAGEMENT: CMD 'username "Auth" "dlogan"'
Wed Jun 05 07:40:04 2019 MANAGEMENT: CMD 'password [...]'
Wed Jun 05 07:40:04 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jun 05 07:40:04 2019 MANAGEMENT: >STATE:1559734804,RESOLVE,,,,,,
Wed Jun 05 07:40:05 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:05 2019 Socket Buffers: R=[65536->65536] S=[64512->64512]
Wed Jun 05 07:40:05 2019 UDP link local: (not bound)
Wed Jun 05 07:40:05 2019 UDP link remote: [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:05 2019 MANAGEMENT: >STATE:1559734805,WAIT,,,,,,
Wed Jun 05 07:40:05 2019 MANAGEMENT: >STATE:1559734805,AUTH,,,,,,
Wed Jun 05 07:40:05 2019 TLS: Initial packet from [AF_INET]MY_SERVERS_PUBLIC_IP:1194, sid=ea2002fc a21451ed
Wed Jun 05 07:40:05 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jun 05 07:40:05 2019 VERIFY OK: depth=1, C=US, ST=FL, L=Sarasota, O=Cyber Ninjas, OU=Ethical Hacking, CN=Cyber Ninjas CA, name=CyberNinjas, emailAddress=ethical-hacking@cyberninjas.com
Wed Jun 05 07:40:05 2019 VERIFY OK: depth=0, C=US, ST=FL, L=Sarasota, O=Cyber Ninjas, OU=Ethical Hacking, CN=remote2.cyberninjas.com, name=remote2.cyberninjas.com, emailAddress=ethical-hacking@cyberninjas.com
Wed Jun 05 07:40:32 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jun 05 07:40:32 2019 [remote2.cyberninjas.com] Peer Connection Initiated with [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:33 2019 MANAGEMENT: >STATE:1559734833,GET_CONFIG,,,,,,
Wed Jun 05 07:40:33 2019 SENT CONTROL [remote2.cyberninjas.com]: 'PUSH_REQUEST' (status=1)
Wed Jun 05 07:40:33 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: route options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: peer-id set
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Jun 05 07:40:33 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun 05 07:40:33 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 05 07:40:33 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 05 07:40:33 2019 interactive service msg_channel=832
Wed Jun 05 07:40:33 2019 ROUTE_GATEWAY 192.168.1.99/255.255.255.0 I=15 HWADDR=8c:ae:4c:f6:89:4d
Wed Jun 05 07:40:33 2019 open_tun
Wed Jun 05 07:40:33 2019 TAP-WIN32 device [Ethernet 3] opened: \.GlobalA4956E3A-C1FC-45BF-9857-31E5725E5011.tap
Wed Jun 05 07:40:33 2019 TAP-Windows Driver Version 9.21
Wed Jun 05 07:40:33 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface A4956E3A-C1FC-45BF-9857-31E5725E5011 [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Jun 05 07:40:33 2019 Successful ARP Flush on interface [23] A4956E3A-C1FC-45BF-9857-31E5725E5011
Wed Jun 05 07:40:33 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun 05 07:40:33 2019 MANAGEMENT: >STATE:1559734833,ASSIGN_IP,,10.8.0.6,,,,
Wed Jun 05 07:40:38 2019 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Jun 05 07:40:38 2019 C:WINDOWSsystem32route.exe ADD MY_SERVERS_PUBLIC_IP MASK 255.255.255.255 192.168.1.99
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 C:WINDOWSsystem32route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 C:WINDOWSsystem32route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 MANAGEMENT: >STATE:1559734838,ADD_ROUTES,,,,,,
Wed Jun 05 07:40:38 2019 C:WINDOWSsystem32route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 Initialization Sequence Completed
Wed Jun 05 07:40:38 2019 MANAGEMENT: >STATE:1559734838,CONNECTED,SUCCESS,10.8.0.6,MY_SERVERS_PUBLIC_IP,1194,,
This is what I see in my server's OpenVPN Log:
Wed Jun 5 11:39:35 2019 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
Wed Jun 5 11:39:35 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jan 9 2019
Wed Jun 5 11:39:35 2019 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Wed Jun 5 11:39:35 2019 PLUGIN_INIT: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Wed Jun 5 11:39:35 2019 Diffie-Hellman initialized with 2048 bit key
Wed Jun 5 11:39:35 2019 ROUTE_GATEWAY 172.26.0.1/255.255.240.0 IFACE=eth0 HWADDR=0a:9c:e4:ab:cc:ce
Wed Jun 5 11:39:35 2019 TUN/TAP device tun0 opened
Wed Jun 5 11:39:35 2019 TUN/TAP TX queue length set to 100
Wed Jun 5 11:39:35 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun 5 11:39:35 2019 /sbin/ip link set dev tun0 up mtu 1500
Wed Jun 5 11:39:35 2019 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Jun 5 11:39:35 2019 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Jun 5 11:39:35 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jun 5 11:39:35 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jun 5 11:39:35 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Jun 5 11:39:35 2019 UDPv4 link remote: [AF_UNSPEC]
Wed Jun 5 11:39:35 2019 MULTI: multi_init called, r=256 v=256
Wed Jun 5 11:39:35 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Jun 5 11:39:35 2019 IFCONFIG POOL LIST
Wed Jun 5 11:39:35 2019 Initialization Sequence Completed
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 TLS: Initial packet from [AF_INET]THE_CLIENT_PUBLIC_IP:50490, sid=80eafd2f b659fb60
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_VER=2.4.6
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_PLAT=win
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_PROTO=2
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_NCP=2
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZ4=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZ4v2=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZO=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_COMP_STUB=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_COMP_STUBv2=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_TCPNL=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_GUI_VER=OpenVPN_GUI_11
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 TLS: Username/Password authentication succeeded for username 'dlogan'
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 [] Peer Connection Initiated with [AF_INET]THE_CLIENT_PUBLIC_IP:50490
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI: Learn: 10.8.0.6 -> THE_CLIENT_PUBLIC_IP:50490
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI: primary virtual IP for THE_CLIENT_PUBLIC_IP:50490: 10.8.0.6
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 SENT CONTROL [UNDEF]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 5 11:46:32 2019 THE_CLIENT_PUBLIC_IP:50490 [UNDEF] Inactivity timeout (--ping-restart), restarting
Wed Jun 5 11:46:32 2019 THE_CLIENT_PUBLIC_IP:50490 SIGUSR1[soft,ping-restart] received, client-instance restarting
I have looked at, and tried to adopt settings from, the following articles with no success:
https://www.linode.com/docs/networking/vpn/tunnel-your-internet-traffic-through-an-openvpn-server/
How to force all traffic through VPN?
https://askubuntu.com/questions/462533/route-all-traffic-through-openvpn
https://openvpn.net/community-resources/how-to/#redirect
Most likely I just haven't put the right combination together, but I'm at a loss here and definitely looking for help.
It would be greatly appreciated if you are able to explain why a given setting might solve the issue, as that may help me figure this out if what you give isn't the complete solution.
iptables openvpn
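A reviewer working through a question like this usually cross-checks the same handful of things by hand: is a default-route override pushed, is forwarding on, is there source NAT for the tunnel subnet, does the FORWARD chain let tunnel traffic through both ways, did the client actually install the two def1 half-routes, and what do the two warnings in the logs (no server certificate verification on the client, optional client certificates on the server) mean for the deployment. The script below is an added example, not code from the question or from the OpenVPN project; it automates that checklist over the text of the posted files. The sample inputs at the bottom are constructed from the question's own configs, rules and log lines, and the regexes accept both the `iptables` command form shown in the question and `iptables-save` output.

```python
"""Preflight audit for a "route everything through the OpenVPN server" setup.
Added example (not from the question or from OpenVPN): cross-checks server and
client config, iptables rules, ip_forward and both logs, returning (level, msg)
findings. Sample inputs are constructed from the question's own material."""
import re


def parse_config(text):
    """Active OpenVPN directives as token lists; ';' and '#' comments dropped."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            out.append(line.replace('"', "").split())
    return out


def has(directives, *prefix):
    """True if some directive starts with the given tokens."""
    return any(d[: len(prefix)] == list(prefix) for d in directives)


def server_cidr(directives):
    """Turn 'server 10.8.0.0 255.255.255.0' into '10.8.0.0/24' (None if absent)."""
    for d in directives:
        if d[0] == "server" and len(d) >= 3:
            bits = sum(bin(int(o)).count("1") for o in d[2].split("."))
            return f"{d[1]}/{bits}"
    return None


def audit(server_cfg, client_cfg, iptables_rules, ip_forward, client_log, server_log):
    srv, cli = parse_config(server_cfg), parse_config(client_cfg)
    cidr = server_cidr(srv)
    f = []
    # Routing: the client's default route must point into the tunnel.
    if has(srv, "push", "redirect-gateway") or has(cli, "redirect-gateway"):
        f.append(("ok", "redirect-gateway is set (server push or client)"))
    else:
        f.append(("fail", "no redirect-gateway: internet traffic keeps using the local gateway"))
    # The kernel must forward between tun0 and the egress interface.
    f.append(("ok", "ip_forward=1") if ip_forward.strip() == "1"
             else ("fail", "ip_forward=0: server will drop forwarded client packets"))
    # Source NAT so replies can find their way back to a tunnel client.
    if cidr and re.search(rf"POSTROUTING\b.*-s\s+{re.escape(cidr)}\b.*-j\s+MASQUERADE", iptables_rules):
        f.append(("ok", f"MASQUERADE present for {cidr}"))
    else:
        f.append(("fail", f"no MASQUERADE rule for {cidr}"))
    # FORWARD chain: new flows from the tunnel plus return traffic.
    fwd_new = cidr and re.search(rf"FORWARD\b.*-s\s+{re.escape(cidr)}\b.*-j\s+ACCEPT", iptables_rules)
    fwd_est = re.search(r"FORWARD\b.*RELATED,ESTABLISHED.*-j\s+ACCEPT", iptables_rules)
    f.append(("ok", "FORWARD accepts tunnel flows and return traffic") if fwd_new and fwd_est
             else ("fail", "FORWARD chain does not accept tunnel traffic both ways"))
    # Server identity: without remote-cert-tls the client accepts any certificate
    # the CA signed, including a client certificate (the client log's MITM warning).
    if has(cli, "remote-cert-tls", "server") or has(cli, "verify-x509-name"):
        f.append(("ok", "client verifies the server certificate role"))
    else:
        f.append(("warn", "client config lacks 'remote-cert-tls server'"))
    # Client identity: optional certificates mean the PAM password is the only gate.
    if has(srv, "verify-client-cert", "optional") or has(srv, "verify-client-cert", "none"):
        f.append(("warn", "server accepts clients without a certificate (verify-client-cert)"))
    # Did the client install both def1 half-routes (Windows route.exe or Linux /1 form)?
    halves = [r"(?<![\d.])0\.0\.0\.0 MASK 128\.0\.0\.0|(?<![\d.])0\.0\.0\.0/1\b",
              r"(?<![\d.])128\.0\.0\.0 MASK 128\.0\.0\.0|(?<![\d.])128\.0\.0\.0/1\b"]
    if all(re.search(h, client_log) for h in halves):
        f.append(("ok", "client installed both def1 half-routes via the tunnel"))
    else:
        f.append(("fail", "client did not install the 0.0.0.0/1 and 128.0.0.0/1 routes"))
    # A server-side ping-restart means no data-channel packets arrived from the
    # client within keepalive's timeout: the tunnel came up but nothing crossed it.
    if "Inactivity timeout" in server_log and "ping-restart" in server_log:
        f.append(("warn", "server hit --ping-restart: no client packets reached tun0 after connect"))
    return f


# Constructed samples, trimmed from the question's files and logs.
SERVER_CFG = """port 1194
server 10.8.0.0 255.255.255.0
keepalive 10 120
verify-client-cert optional
push "redirect-gateway def1"
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.220.220"
"""
CLIENT_CFG = "client\nremote MY_SERVERS_PUBLIC_IP 1194\nca ca.crt\nredirect-gateway def1\nauth-user-pass\n"
IPTABLES = """iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE
"""
CLIENT_LOG = """WARNING: No server certificate verification method has been enabled.
C:WINDOWSsystem32route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
C:WINDOWSsystem32route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Initialization Sequence Completed
"""
SERVER_LOG = "THE_CLIENT_PUBLIC_IP:50490 [UNDEF] Inactivity timeout (--ping-restart), restarting\n"

if __name__ == "__main__":
    for level, msg in audit(SERVER_CFG, CLIENT_CFG, IPTABLES, "1\n", CLIENT_LOG, SERVER_LOG):
        print(f"[{level:4}] {msg}")
```

Run against the question's material every routing and NAT prerequisite comes back "ok" and the client shows both half-routes installed, which narrows the problem to the data path on the server side (the server log's ping-restart and the zero RX count on tun0 say the same thing). The two "warn" findings are independent of the routing question: `remote-cert-tls server` in the client config is what turns the client log's "No server certificate verification" warning off, and `verify-client-cert optional` is worth a deliberate decision rather than a default when the PAM password is the only remaining gate.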
I'm trying to get all traffic to be routed through the VPN so that the OpenVPN Server's IP address is what shows up when I'm browsing the internet.
Not that it should matter, but we're using password based authentication via a PAM module. That PAM module makes an HTTP call to a website to validate things.
This is my OpenVPN Server Configuration:
port 1194
proto udp
dev tun
dh keys/dh2048.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
;topology subnet
server 10.8.0.0 255.255.255.0
;route 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
;duplicate-cn
;max-clients 30
;user nobody
;group nogroup
;mute 20
;explicit-exit-notify 1
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verify-client-cert optional
push "redirect-gateway def1"
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
;push "route 10.8.0.0 255.255.255.0"
This is my client OpenVPN configuration:
client
dev tun
proto udp
remote MY_SERVERS_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cipher AES-256-CBC
comp-lzo
redirect-gateway def1
verb 3
auth-user-pass
This is what iptables --list looks like:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- ip-10-8-0-0.ec2.internal/24 anywhere ctstate NEW
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
These iptables entries were created with:
iptables -I FORWARD -i tun0 -o eth0
-s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED
-j ACCEPT
iptables -t nat -I POSTROUTING -o eth0
-s 10.8.0.0/24 -j MASQUERADE
This is what ifconfig looks like on the OpenVPN Server:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 172.26.12.92 netmask 255.255.240.0 broadcast 172.26.15.255
inet6 fe80::89c:e4ff:feab:ccce prefixlen 64 scopeid 0x20<link>
ether 0a:9c:e4:ab:cc:ce txqueuelen 1000 (Ethernet)
RX packets 219194 bytes 218590052 (218.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 98397 bytes 11103942 (11.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 4886 bytes 669299 (669.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4886 bytes 669299 (669.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.255 destination 10.8.0.2
inet6 fe80::ef51:ccb3:ccc0:f02b prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 144 (144.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
IP Forwarding is enabled:
ubuntu@ip-172-26-2-31:~$ cat /proc/sys/net/ipv4/ip_forward
1
This is what I see if my client log:
Wed Jun 05 07:40:02 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Wed Jun 05 07:40:02 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Jun 05 07:40:02 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Wed Jun 05 07:40:02 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed Jun 05 07:40:02 2019 Need hold release from management interface, waiting...
Wed Jun 05 07:40:03 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'state on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'log all on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'echo all on'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'bytecount 5'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'hold off'
Wed Jun 05 07:40:03 2019 MANAGEMENT: CMD 'hold release'
Wed Jun 05 07:40:04 2019 MANAGEMENT: CMD 'username "Auth" "dlogan"'
Wed Jun 05 07:40:04 2019 MANAGEMENT: CMD 'password [...]'
Wed Jun 05 07:40:04 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Jun 05 07:40:04 2019 MANAGEMENT: >STATE:1559734804,RESOLVE,,,,,,
Wed Jun 05 07:40:05 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:05 2019 Socket Buffers: R=[65536->65536] S=[64512->64512]
Wed Jun 05 07:40:05 2019 UDP link local: (not bound)
Wed Jun 05 07:40:05 2019 UDP link remote: [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:05 2019 MANAGEMENT: >STATE:1559734805,WAIT,,,,,,
Wed Jun 05 07:40:05 2019 MANAGEMENT: >STATE:1559734805,AUTH,,,,,,
Wed Jun 05 07:40:05 2019 TLS: Initial packet from [AF_INET]MY_SERVERS_PUBLIC_IP:1194, sid=ea2002fc a21451ed
Wed Jun 05 07:40:05 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jun 05 07:40:05 2019 VERIFY OK: depth=1, C=US, ST=FL, L=Sarasota, O=Cyber Ninjas, OU=Ethical Hacking, CN=Cyber Ninjas CA, name=CyberNinjas, emailAddress=ethical-hacking@cyberninjas.com
Wed Jun 05 07:40:05 2019 VERIFY OK: depth=0, C=US, ST=FL, L=Sarasota, O=Cyber Ninjas, OU=Ethical Hacking, CN=remote2.cyberninjas.com, name=remote2.cyberninjas.com, emailAddress=ethical-hacking@cyberninjas.com
Wed Jun 05 07:40:32 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Jun 05 07:40:32 2019 [remote2.cyberninjas.com] Peer Connection Initiated with [AF_INET]MY_SERVERS_PUBLIC_IP:1194
Wed Jun 05 07:40:33 2019 MANAGEMENT: >STATE:1559734833,GET_CONFIG,,,,,,
Wed Jun 05 07:40:33 2019 SENT CONTROL [remote2.cyberninjas.com]: 'PUSH_REQUEST' (status=1)
Wed Jun 05 07:40:33 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: route options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: peer-id set
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Jun 05 07:40:33 2019 OPTIONS IMPORT: data channel crypto options modified
Wed Jun 05 07:40:33 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun 05 07:40:33 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 05 07:40:33 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 05 07:40:33 2019 interactive service msg_channel=832
Wed Jun 05 07:40:33 2019 ROUTE_GATEWAY 192.168.1.99/255.255.255.0 I=15 HWADDR=8c:ae:4c:f6:89:4d
Wed Jun 05 07:40:33 2019 open_tun
Wed Jun 05 07:40:33 2019 TAP-WIN32 device [Ethernet 3] opened: \.GlobalA4956E3A-C1FC-45BF-9857-31E5725E5011.tap
Wed Jun 05 07:40:33 2019 TAP-Windows Driver Version 9.21
Wed Jun 05 07:40:33 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface A4956E3A-C1FC-45BF-9857-31E5725E5011 [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Jun 05 07:40:33 2019 Successful ARP Flush on interface [23] A4956E3A-C1FC-45BF-9857-31E5725E5011
Wed Jun 05 07:40:33 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun 05 07:40:33 2019 MANAGEMENT: >STATE:1559734833,ASSIGN_IP,,10.8.0.6,,,,
Wed Jun 05 07:40:38 2019 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
Wed Jun 05 07:40:38 2019 C:WINDOWSsystem32route.exe ADD MY_SERVERS_PUBLIC_IP MASK 255.255.255.255 192.168.1.99
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 C:WINDOWSsystem32route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 C:WINDOWSsystem32route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 MANAGEMENT: >STATE:1559734838,ADD_ROUTES,,,,,,
Wed Jun 05 07:40:38 2019 C:WINDOWSsystem32route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Jun 05 07:40:38 2019 Route addition via service succeeded
Wed Jun 05 07:40:38 2019 Initialization Sequence Completed
Wed Jun 05 07:40:38 2019 MANAGEMENT: >STATE:1559734838,CONNECTED,SUCCESS,10.8.0.6,MY_SERVERS_PUBLIC_IP,1194,,
This is what I see in my server's OpenVPN Log:
Wed Jun 5 11:39:35 2019 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
Wed Jun 5 11:39:35 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jan 9 2019
Wed Jun 5 11:39:35 2019 library versions: OpenSSL 1.1.0g 2 Nov 2017, LZO 2.08
Wed Jun 5 11:39:35 2019 PLUGIN_INIT: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_
VERIFY
Wed Jun 5 11:39:35 2019 Diffie-Hellman initialized with 2048 bit key
Wed Jun 5 11:39:35 2019 ROUTE_GATEWAY 172.26.0.1/255.255.240.0 IFACE=eth0 HWADDR=0a:9c:e4:ab:cc:ce
Wed Jun 5 11:39:35 2019 TUN/TAP device tun0 opened
Wed Jun 5 11:39:35 2019 TUN/TAP TX queue length set to 100
Wed Jun 5 11:39:35 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jun 5 11:39:35 2019 /sbin/ip link set dev tun0 up mtu 1500
Wed Jun 5 11:39:35 2019 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Wed Jun 5 11:39:35 2019 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Wed Jun 5 11:39:35 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Jun 5 11:39:35 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Jun 5 11:39:35 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Jun 5 11:39:35 2019 UDPv4 link remote: [AF_UNSPEC]
Wed Jun 5 11:39:35 2019 MULTI: multi_init called, r=256 v=256
Wed Jun 5 11:39:35 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Jun 5 11:39:35 2019 IFCONFIG POOL LIST
Wed Jun 5 11:39:35 2019 Initialization Sequence Completed
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 TLS: Initial packet from [AF_INET]THE_CLIENT_PUBLIC_IP:50490, sid=80eafd2f b659fb60
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_VER=2.4.6
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_PLAT=win
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_PROTO=2
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_NCP=2
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZ4=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZ4v2=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_LZO=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_COMP_STUB=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_COMP_STUBv2=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_TCPNL=1
Wed Jun 5 11:40:04 2019 THE_CLIENT_PUBLIC_IP:50490 peer info: IV_GUI_VER=OpenVPN_GUI_11
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 TLS: Username/Password authentication succeeded for username 'dlogan'
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 [] Peer Connection Initiated with [AF_INET]THE_CLIENT_PUBLIC_IP:50490
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI: Learn: 10.8.0.6 -> THE_CLIENT_PUBLIC_IP:50490
Wed Jun 5 11:40:31 2019 THE_CLIENT_PUBLIC_IP:50490 MULTI: primary virtual IP for THE_CLIENT_PUBLIC_IP:50490: 10.8.0.6
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 SENT CONTROL [UNDEF]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.220.220,dhcp-option DNS 208.67.222.222,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.
8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 5 11:40:32 2019 THE_CLIENT_PUBLIC_IP:50490 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jun 5 11:46:32 2019 THE_CLIENT_PUBLIC_IP:50490 [UNDEF] Inactivity timeout (--ping-restart), restarting
Wed Jun 5 11:46:32 2019 THE_CLIENT_PUBLIC_IP:50490 SIGUSR1[soft,ping-restart] received, client-instance restarting
I have looked at and tried to adopt / try settings from the following articles with no success:
https://www.linode.com/docs/networking/vpn/tunnel-your-internet-traffic-through-an-openvpn-server/
How to force all traffic through VPN?
https://askubuntu.com/questions/462533/route-all-traffic-through-openvpn
https://openvpn.net/community-resources/how-to/#redirect
Most likely I just haven't put the right combination together, but I'm at a loss here and definitely looking for help.
It would be greatly appreciated if you are able to explain why a given setting might solve the issue, as that may help me figure this out if what you give isn't the complete solution.
iptables openvpn
add a comment |
edited Jun 5 at 13:56 by Doug
asked Jun 4 at 20:07 by Doug
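The client log in the question shows a PUSH_REPLY followed by four route.exe ADD calls. The script below is an added example, not code from the question or from OpenVPN: it parses that PUSH_REPLY line and derives the routes a client installs for `redirect-gateway def1`, so the expected list can be compared against what the log actually shows. MY_SERVERS_PUBLIC_IP is the asker's placeholder and 192.168.1.99 is the LAN gateway from the posted log; both are passed in as-is.

```python
"""Derive the routes an OpenVPN client installs from a pushed PUSH_REPLY.

Added example, not code from the question or from OpenVPN. It parses the
PUSH_REPLY line in the posted client log and reproduces the route.exe ADD
calls that follow it, so the two can be compared when a full-tunnel setup
connects but carries no traffic.
"""
import ipaddress
import re

# Copied from the client log in the question (placeholder left as posted).
PUSH_REPLY_LINE = (
    "Wed Jun 05 07:40:33 2019 PUSH: Received control message: "
    "'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.220.220,"
    "dhcp-option DNS 208.67.222.222,route 10.8.0.1,topology net30,ping 10,"
    "ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'"
)


def parse_push_reply(line):
    """Return the pushed options as (name, [args]) tuples, in pushed order."""
    m = re.search(r"'PUSH_REPLY,(.*)'", line)
    if not m:
        raise ValueError("line carries no PUSH_REPLY")
    opts = []
    for item in m.group(1).split(","):
        parts = item.strip().split()
        opts.append((parts[0], parts[1:]))
    return opts


def expected_client_routes(opts, server_ip, lan_gateway):
    """Compute (destination, netmask, gateway) routes the client will add.

    Mirrors OpenVPN's handling of the options pushed on this page:
      ifconfig LOCAL PEER    -> PEER becomes the next hop for tunnel routes
      route DEST [MASK]      -> route via the tunnel peer (host route if no MASK)
      redirect-gateway def1  -> a host route to the VPN server via the original
                                LAN gateway, then 0.0.0.0/1 and 128.0.0.0/1 via
                                the tunnel peer; both /1s are more specific than
                                0.0.0.0/0, so the old default route survives.
    """
    tunnel_gw = None
    pushed, redirect = [], False
    for name, args in opts:
        if name == "ifconfig":
            tunnel_gw = args[1]
        elif name == "route":
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            pushed.append((args[0], mask))
        elif name == "redirect-gateway" and "def1" in args:
            redirect = True
    if tunnel_gw is None:
        raise ValueError("no ifconfig pushed: the client has no tunnel gateway")
    routes = []
    if redirect:
        routes.append((server_ip, "255.255.255.255", lan_gateway))
        routes.append(("0.0.0.0", "128.0.0.0", tunnel_gw))
        routes.append(("128.0.0.0", "128.0.0.0", tunnel_gw))
    routes.extend((dest, mask, tunnel_gw) for dest, mask in pushed)
    return routes


def tunnel_covers_all_ipv4(routes, tunnel_gw):
    """True when the routes via the tunnel peer collapse to 0.0.0.0/0."""
    nets = [ipaddress.ip_network(f"{d}/{m}") for d, m, gw in routes if gw == tunnel_gw]
    return any(n.prefixlen == 0 for n in ipaddress.collapse_addresses(nets))


def as_route_add_commands(routes):
    """Render the routes the way the Windows client log prints them."""
    return [f"route ADD {d} MASK {m} {gw}" for d, m, gw in routes]


if __name__ == "__main__":
    opts = parse_push_reply(PUSH_REPLY_LINE)
    routes = expected_client_routes(opts, "MY_SERVERS_PUBLIC_IP", "192.168.1.99")
    for cmd in as_route_add_commands(routes):
        print(cmd)
    print("all IPv4 via tunnel:", tunnel_covers_all_ipv4(routes, "10.8.0.5"))
```

The four derived routes are the same four the posted client log adds, in the same order. When that is the case the client side is doing its job and a tunnel that connects but moves no traffic points at the server: forwarding and NAT, which is where the accepted answer below found the problem.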
3 Answers
It seems that a route is missing on the server config. The server has to tell the client the new route to join it and the overall VPN subnet. Look at something like this, I guess:
push "route 10.8.0.0 255.255.255.0"
1
Thank you, but this was not enough to have it work :-(. I tried it with this and without this and then looked closer at the client VPN logs. I am by no means a networking expert, but it looks to me like the routes are being created properly on the client side per the logs? I've updated my post to have those and the server logs in case they help; or if you look at them and say "No, it's not adding the route right". It looks right to me, but clearly something is wrong.
– Doug
Jun 5 at 11:57
Just forgot, did you enable IP forwarding on your server? linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux This is mandatory to enable forwarding on your iptables.
– Meoffrey
Jun 5 at 13:44
I found that in another post a little bit earlier and tried it :-(. Still no dice.
– Doug
Jun 5 at 13:49
The "server" directive has to be the listening address (interface) of your server, I guess. Is it correct? Try also to permit UDP 1194 in the INPUT chain of your iptables. SELinux disabled?
– Meoffrey
Jun 5 at 14:14
I have this working now. I made a bunch of changes at once, so I'm looping back to isolate / confirm what it was. I will update here soon. It might have actually been the ip forwarding. Something else I had changed while trying to isolate the issue I think was preventing things from working.
– Doug
Jun 5 at 14:50
After a lot of trial and error, reading more resources, and some helpful comments (Thanks Meoffrey), this is what I ended up with as a working configuration.
Things that were wrong:
1) Initially I didn't have the IP forwarding enabled. This was the key issue.
2) The iptables rules I had were not needed; all I needed was:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
What follows is the working config.
OpenVPN Server Configuration:
port 1194
proto udp4
dev tun
dh keys/dh2048.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
duplicate-cn
max-clients 30
user nobody
group nogroup
mute 20
explicit-exit-notify 3
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verify-client-cert optional
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
OpenVPN Server /etc/sysctl.conf:
net.ipv4.ip_forward=1
Installed iptables-persistent and had the following /etc/iptables/rules.v4:
NOTE: I am running this on AWS Lightsail and as a result I already have the ports limited using the AWS Networking Firewall. If you were putting this bare on the internet without that you'd probably want more rules than I have.
# Generated by iptables-save v1.6.1 on Wed Jun 5 15:14:19 2019
*mangle
:PREROUTING ACCEPT [51602:22128126]
:INPUT ACCEPT [26875:8155930]
:FORWARD ACCEPT [24727:13972196]
:OUTPUT ACCEPT [26848:13392260]
:POSTROUTING ACCEPT [51575:27364456]
COMMIT
# Completed on Wed Jun 5 15:14:19 2019
# Generated by iptables-save v1.6.1 on Wed Jun 5 15:14:19 2019
*nat
:PREROUTING ACCEPT [737:43965]
:INPUT ACCEPT [28:1240]
:OUTPUT ACCEPT [510:38713]
:POSTROUTING ACCEPT [510:38713]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 5 15:14:19 2019
# Generated by iptables-save v1.6.1 on Wed Jun 5 15:14:19 2019
*filter
:INPUT ACCEPT [13001:3562550]
:FORWARD ACCEPT [18127:10646956]
:OUTPUT ACCEPT [13277:9043865]
COMMIT
# Completed on Wed Jun 5 15:14:19 2019
Finally, the OpenVPN Client Configuration:
client
dev tun
proto udp
remote OPENVPNSERVER_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cipher AES-256-CBC
comp-lzo
redirect-gateway def1
verb 3
explicit-exit-notify 3
auth-user-pass
auth-nocache
remote-cert-tls server
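The answer above settles on three things that must hold on the server (ip_forward, a MASQUERADE rule for the VPN subnet on the egress interface, and redirect-gateway being pushed), and its final client config also picks up the two warnings from the posted client log (remote-cert-tls and auth-nocache). The script below is an added example, not the answerer's code and not part of OpenVPN: it audits those points plus the remaining hardening items visible in the server config (verify-client-cert optional, comp-lzo, no tls-auth/tls-crypt). The embedded rules and configs are trimmed copies of the ones in the answer so it runs offline; on a real host you would feed it the output of iptables-save, the contents of /proc/sys/net/ipv4/ip_forward and the two config files.

```python
"""Audit an OpenVPN host for the full-tunnel prerequisites and hardening.

Added example, not code from the answer or from OpenVPN. Inputs are trimmed
copies of the answer's rules.v4 and configs, embedded so the script runs offline.
"""

# Trimmed from the answer's /etc/iptables/rules.v4 (packet counters zeroed).
RULES_V4 = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Trimmed from the answer's server and client configs.
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
cipher AES-256-CBC
comp-lzo
verify-client-cert optional
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.220.220"
"""
CLIENT_CONF = """\
client
auth-user-pass
auth-nocache
remote-cert-tls server
"""


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [rule lines]}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            current["policy"][chain] = policy
        elif line.startswith("-A"):
            current["rules"].append(line)
    return tables


def conf_options(text):
    """Parse an OpenVPN config into (option, argument-string) tuples."""
    opts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # strip trailing comments
        if line and not line.startswith(";"):     # ';' lines are disabled options
            parts = line.split(None, 1)
            opts.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return opts


def audit_gateway(ip_forward, rules_text, vpn_subnet="10.8.0.0/24", egress="eth0"):
    """Return the missing forwarding prerequisites (empty list = gateway works)."""
    problems = []
    if ip_forward.strip() != "1":
        problems.append("ip_forward is not 1: the kernel will not forward tun0 packets")
    tables = parse_iptables_save(rules_text)
    nat = tables.get("nat", {"rules": []})["rules"]
    if not any(r.startswith("-A POSTROUTING") and f"-s {vpn_subnet}" in r
               and f"-o {egress}" in r and ("-j MASQUERADE" in r or "-j SNAT" in r)
               for r in nat):
        problems.append(f"no MASQUERADE/SNAT for {vpn_subnet} out {egress}: replies cannot return")
    filt = tables.get("filter", {"policy": {}, "rules": []})
    if filt["policy"].get("FORWARD") == "DROP" and not any(
            r.startswith("-A FORWARD") and "-j ACCEPT" in r for r in filt["rules"]):
        problems.append("FORWARD policy DROP with no ACCEPT rule: forwarded packets are dropped")
    return problems


def audit_hardening(server_conf, client_conf):
    """Return hardening findings tied to the warnings in the posted logs."""
    srv, cli = conf_options(server_conf), conf_options(client_conf)
    srv_keys, cli_keys = {k for k, _ in srv}, {k for k, _ in cli}
    findings = []
    if "remote-cert-tls" not in cli_keys:
        findings.append("client: no 'remote-cert-tls server', so any certificate issued by the "
                        "CA is accepted as the server (the posted 'No server certificate "
                        "verification method' warning)")
    if "auth-user-pass" in cli_keys and "auth-nocache" not in cli_keys:
        findings.append("client: auth-user-pass without auth-nocache keeps the password in memory")
    if any(k == "verify-client-cert" and a in ("none", "optional") for k, a in srv):
        findings.append("server: verify-client-cert optional lets a password alone admit a client")
    if srv_keys & {"comp-lzo", "compress"}:
        findings.append("server: data-channel compression is deprecated and exposes traffic "
                        "to compression side-channel attacks (VORACLE)")
    if not srv_keys & {"tls-auth", "tls-crypt"}:
        findings.append("server: no tls-auth/tls-crypt, so the UDP port answers TLS handshakes from anyone")
    if not any(k == "push" and "redirect-gateway" in a for k, a in srv):
        findings.append("server: redirect-gateway is not pushed; clients keep their local default route")
    return findings


if __name__ == "__main__":
    print("gateway problems:", audit_gateway("1\n", RULES_V4))
    for f in audit_hardening(SERVER_CONF, CLIENT_CONF):
        print("-", f)
```

Run against the answer's final configuration the gateway audit comes back empty and the hardening audit reports only the three server-side items; run against the question's original client config (no remote-cert-tls, no auth-nocache) it adds the two client findings that the posted client log had already warned about.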
So it looks like you are forwarding to eth0; however, there does not appear to be a rule to allow input on that interface.
# Allow input on eth0
iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
References:
- https://unix.stackexchange.com/questions/283801/iptables-forward-traffic-to-vpn-tunnel-if-open
- https://unix.stackexchange.com/questions/108169/what-is-the-difference-between-m-conntrack-ctstate-and-m-state-state#108186
add a comment |
3 Answers
It seems that a route is missing from the server config. The server has to tell the client the new route to reach it and the overall VPN subnet. Look at something like this, I guess:
push "route 10.8.0.0 255.255.255.0"
answered Jun 5 at 8:41 by Meoffrey
Thank you, but this was not enough to have it work :-(. I tried it with this and without this and then looked closer at the client VPN logs. I am by no means a networking expert, but it looks to me like the routes are being created properly on the client side per the logs? I've updated my post to have those and the server logs in case they help; or if you look at them and say "No, it's not adding the route right". It looks right to me, but clearly something is wrong.
– Doug, Jun 5 at 11:57
Just forgot, did you enable IP forwarding on your server? linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux This is mandatory to enable forwarding in your iptables.
– Meoffrey, Jun 5 at 13:44
I found that in another post a little bit earlier and tried it :-(. Still no dice.
– Doug, Jun 5 at 13:49
The "server" directive has to be the listening address (interface) of your server, I guess. Is it correct? Try also to permit UDP 1194 in the INPUT chain of your iptables. SELinux disabled?
– Meoffrey, Jun 5 at 14:14
I have this working now. I made a bunch of changes at once, so I'm looping back to isolate / confirm what it was. I will update here soon. It might have actually been the IP forwarding. Something else I had changed while trying to isolate the issue, I think, was preventing things from working.
– Doug, Jun 5 at 14:50
After a lot of trial and error, reading more resources, and some helpful comments (thanks Meoffrey), this is what I ended up with as a working configuration.
Things that were wrong:
1) Initially I didn't have IP forwarding enabled. This was the key issue.
2) The iptables rules I had were not needed; all I needed was:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
What follows is the working config.
OpenVPN Server Configuration:
port 1194
proto udp4
dev tun
dh keys/dh2048.pem
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
log-append /var/log/openvpn/openvpn.log
verb 3
duplicate-cn
max-clients 30
user nobody
group nogroup
mute 20
explicit-exit-notify 3
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verify-client-cert optional
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
OpenVPN Server /etc/sysctl.conf:
net.ipv4.ip_forward=1
Installed iptables-persistent and had the following /etc/iptables/rules.v4:
NOTE: I am running this on AWS Lightsail and as a result I already have the ports limited using the AWS Networking Firewall. If you were putting this bare on the internet without that you'd probably want more rules than I have.
# Generated by iptables-save v1.6.1 on Wed Jun 5 15:14:19 2019
*mangle
:PREROUTING ACCEPT [51602:22128126]
:INPUT ACCEPT [26875:8155930]
:FORWARD ACCEPT [24727:13972196]
:OUTPUT ACCEPT [26848:13392260]
:POSTROUTING ACCEPT [51575:27364456]
COMMIT
# Completed on Wed Jun 5 15:14:19 2019
# Generated by iptables-save v1.6.1 on Wed Jun 5 15:14:19 2019
*nat
:PREROUTING ACCEPT [737:43965]
:INPUT ACCEPT [28:1240]
:OUTPUT ACCEPT [510:38713]
:POSTROUTING ACCEPT [510:38713]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Jun 5 15:14:19 2019
# Generated by iptables-save v1.6.1 on Wed Jun 5 15:14:19 2019
*filter
:INPUT ACCEPT [13001:3562550]
:FORWARD ACCEPT [18127:10646956]
:OUTPUT ACCEPT [13277:9043865]
COMMIT
# Completed on Wed Jun 5 15:14:19 2019
Finally, the OpenVPN Client Configuration:
client
dev tun
proto udp
remote OPENVPNSERVER_PUBLIC_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cipher AES-256-CBC
comp-lzo
redirect-gateway def1
verb 3
explicit-exit-notify 3
auth-user-pass
auth-nocache
remote-cert-tls server
answered Jun 5 at 15:31 by Doug
So it looks like you are forwarding to eth0; however, there does not appear to be a rule to allow input on that interface.
# Allow input on eth0
iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
References:
- https://unix.stackexchange.com/questions/283801/iptables-forward-traffic-to-vpn-tunnel-if-open
- https://unix.stackexchange.com/questions/108169/what-is-the-difference-between-m-conntrack-ctstate-and-m-state-state#108186
answered Jun 5 at 14:10 by Lucas Ramage
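Two points in the thread above deserve a concrete script, so here is an added example that is not code from Doug's or Lucas Ramage's posts. Doug's working setup relies on a single MASQUERADE rule plus the AWS Lightsail firewall, with the filter table left at policy ACCEPT on INPUT, FORWARD and OUTPUT; Lucas's suggested RELATED,ESTABLISHED rule does nothing against an ACCEPT policy, it only matters once INPUT defaults to DROP. The script below renders a rules.v4 in iptables-save format that keeps the page's MASQUERADE rule but default-denies INPUT and FORWARD, permits only the OpenVPN port and SSH from the public side, forwards only tunnel-to-WAN traffic for the VPN subnet, and checks the ip_forward knob that turned out to be the key issue. Reused from the page: eth0, 10.8.0.0/24, UDP 1194 and /etc/iptables/rules.v4. Assumed (not stated on the page): the tunnel interface is named tun0, SSH on 22/tcp must stay reachable, and the sysctl drop-in file name is ours.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: render a
# least-privilege host firewall for an OpenVPN "redirect-gateway" server and
# check the kernel forwarding knob.  Page facts reused: eth0, 10.8.0.0/24,
# UDP 1194, /etc/iptables/rules.v4.  Assumptions: tunnel interface tun0,
# SSH on 22/tcp stays open, sysctl drop-in path is our choice.

# Print an iptables-save style rules.v4.  Unlike the posted table, INPUT and
# FORWARD default to DROP, so the RELATED,ESTABLISHED rule actually matters.
# $1 = WAN interface  $2 = tunnel interface  $3 = VPN subnet (CIDR)  $4 = UDP port
render_rules_v4() {
    wan="$1" tun="$2" net="$3" port="$4"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# the one rule the post needed: SNAT VPN clients behind the public address
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# only OpenVPN and SSH are reachable from the outside
-A INPUT -i $wan -p udp --dport $port -j ACCEPT
-A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# forward tunnel -> WAN for the VPN subnet only, plus its return traffic
-A FORWARD -i $tun -o $wan -s $net -j ACCEPT
-A FORWARD -i $wan -o $tun -d $net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# List filter chains whose default policy is ACCEPT in an iptables-save dump
# read from stdin.  The posted dump yields INPUT, FORWARD and OUTPUT; the
# rendered one yields only OUTPUT.
open_filter_policies() {
    awk '/^[*]/ { table = $1 }
         table == "*filter" && /^:/ && $2 == "ACCEPT" { print substr($1, 2) }'
}

# True when net.ipv4.ip_forward is 1.  Optional $1 overrides the proc path so
# the check can be exercised against an ordinary file.
ip_forward_enabled() {
    file="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$file" ] || return 1
    value="$(cat "$file")"
    [ "$value" = "1" ]
}

# Apply everything on a real server (root only): persist the forwarding knob
# in a sysctl drop-in instead of editing /etc/sysctl.conf, then load the
# rules through the file iptables-persistent restores at boot.
apply_vpn_gateway() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_vpn_gateway: run as root" >&2; return 1; }
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
    sysctl -p /etc/sysctl.d/99-openvpn-forward.conf
    render_rules_v4 "$@" > /etc/iptables/rules.v4
    iptables-restore < /etc/iptables/rules.v4
    ip_forward_enabled || { echo "ip_forward is still 0" >&2; return 1; }
}

# usage: sh vpn-gateway.sh --render eth0 tun0 10.8.0.0/24 1194 > rules.v4
#        sudo sh vpn-gateway.sh --apply eth0 tun0 10.8.0.0/24 1194
case "${1:-}" in
    --render) shift; render_rules_v4 "$@" ;;
    --apply)  shift; apply_vpn_gateway "$@" ;;
esac
```

Run it with --render first and diff the output against the posted rules.v4; piping either file through open_filter_policies shows at a glance which chains are still wide open. Two caveats on the posted OpenVPN server config itself, independent of the firewall: with verify-client-cert optional and the auth-pam plugin, a client that presents no certificate is admitted on username and password alone, and duplicate-cn lets several clients share one identity, so a leaked password is enough to join the VPN; and comp-lzo is deprecated in OpenVPN 2.4 and later, which warns against combining compression with encryption. Dropping both lines (or switching to verify-client-cert require) costs nothing for the tunnel-all-traffic use case.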