Announcement

**SteveRiley** · Feb 04, 2013, 02:27 AM

A diagram showing devices and labeled interfaces would be very helpful. Draw something, take a pic, and post here.

One question: since you said your phone works fine, I suspect access from any device outside your home network would succeed. Your description of the rest of your test configuration could use more detail. What does "navigate using the home connection" mean? Are you testing with another client behind your router, and trying to hairpin the connection?

**timonoj** · Feb 04, 2013, 02:49 AM

Ok, so here goes...I'm not the best at sketching of my home setup.

So the phone test was done remotely, using its 3G connection. If that works, I'll asume it will work also while being in China, since it's an external connection. By navigate using the home connection, what I mean is I want use the 3G connection but to connect to a tunnel going to my home (I had some success on that), and then redirect all the internet traffic from the client so it goes out to the internet using the home connection. I'm not sure if I made myself any more clearer...Please let me know if you have any doubt!

**SteveRiley** · Feb 04, 2013, 03:27 PM

This is helpful, thanks.

Since your phone is using its 3G connection, you're correct in thinking that your phone lives outside your home network. It's on the public side of your cable modem. Your desire is to establish a VPN connection from the phone (or any device, anywhere in the world, really) to the OpenVPN server running behind your cable modem, and then surf the Internet via that tunnel. Correct?

**timonoj** · Feb 04, 2013, 06:12 PM

Yes, indeed. That´s exactly what I want. The server is located in Hong Kong, hence no censorship, and I intend to travel to China this friday (no facebook, youtube, maps, blogspot, etc...). Do you know how could redirect the traffic that is already arriving to the server, so it reaches the internet, from the server side? Right now it gets stuck in the server throwing these bad source address errors.
Thanks!

**SteveRiley** · Feb 04, 2013, 08:19 PM

The error message you quoted has two IP addresses. What devices own those?

* 203.145.92.114
* 10.192.56.221

Also, please send me your OpenVPN configuration file in a private message here at KFN.

**timonoj** · Feb 04, 2013, 09:22 PM

Replied!
So, the first address, 203.145.92.114, is my phone's IP, which is also dynamic (changed by now, still close to that one). The other one... I have no idea. It's an internal IP, right? But the server is in 10.8.0.1, so I don't know where did this one come from.

As a sidenote, I believe the last changes I made to the VPN server makes the PC go offline as soon as I enable openvpn (big ****up).

**SteveRiley** · Feb 07, 2013, 03:58 AM

I set up an OpenVPN server at home and successfully duplicated your desired scenario.

Here's a comparison of the sample server configuration (on left) with the one I created (on right):

Code:

root@mini2140:~# diff --side-by-side --suppress-common-lines server.conf /etc/openvpn/server.conf 
cert server.crt                                     | cert mini2140.crt
key server.key  # This file should be kept secret   | key mini2140.key  # This file should be kept secret
;push "redirect-gateway def1 bypass-dhcp"           | push "redirect-gateway def1 bypass-dhcp"
                                                    > push "dhcp-option DNS 4.2.2.1"
;client-to-client                                   | client-to-client
;tls-auth ta.key 0 # This file is secret            | tls-auth ta.key 0 # This file is secret
;user nobody                                        | user nobody
;group nogroup                                      | group nogroup
verb 3                                              | verb 4
;mute 20                                            | mute 20

Of note, I:

uncommented the redirect-gateway option so that all connected VPN clients will have their default gateways changed to the local tunnel adapter
pushed Verizon's DNS server to the clients. I probably could have used my own but I wanted to eliminate variables from the test
allowed client-to-client visibility
generated the additional TLS authentication key to protect the logon sequence more strongly
reduced the service's permissions
increased the logging level and muted log redundancies

Also of note, I do not have a push route because that is unnecessary when all the resources behind the VPN server are on the same subnet as the VPN server's physical NIC. In my setup, this is indeed the case.

To get the server to route Internet traffic back to the Internet, the following commands were necessary. Note that I log into my server as root, so I'm not prefacing the commands with sudo.

Code:

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

These settings will not persist across reboots. To remedy that, first change a sysctl variable to enable always-on IP forwarding. Edit the file /etc/sysctl.conf, find the line containing net.ipv4.ip_forward=1, and remove the comment sign at the beginning of the line.

Next, install the packge iptables-persistent. This creates the file /etc/iptables/rules.v4 which will always be loaded at startup:

Code:

sudo apt-get install iptables-persistent

Answer yes when asked about IPv4; answer no when asked about IPv6.

If, at some point in the future, you add more rules to iptables, you'll need to run the package configuration script to update the rules file:

Code:

sudo dpkg-reconfigure iptables-persistent

Finally, reboot your server to make sure everything still works:

Code:

sysctl -a | grep net.ipv4.ip_forward

should show that the variable remains set to 1.

Code:

cat /proc/net/ip_tables_names | xargs -L 1 iptables -L -t

should display the MASQUERADE rule in the POSTROUTING chain in the nat table, and the two ACCEPT rules in the FORWARD chain in the filter table.

**timonoj** · Feb 07, 2013, 07:31 AM

...You are the man!! Now it really worked. This configuration looks almost like what I had. When I tried to make look my server.conf to look like yours, it still crashed (as in losing completely the connection, and having to manually go restart the linux PC). Then I started from scratch from a sample like you, and added the mentioned changes (used google´s DNS instead), and now it worked beautifully well!
I´ll add a second client setting to my gf´s phone and see if it holds the two properly.
I´m really thankful for all your effort!

Now onto looking for an automatic reboot script in case the network crashes for any reason

**timonoj** · Feb 07, 2013, 08:17 AM

I have another issue! How do I launch the openvpn as a daemon? Up until now I was doing it manually just in case, but now it's time to settle it. I copied the openvpn-startup.sh from the example into the /etc/init.d folder, but with no luck...it seems not to be launching.

Also... sysctl -a | grep net.ipv4.ip_forward returns:

root@Timo-EEEPC:/etc/openvpn# sysctl -a | grep net.ipv4.ip_forward
error: permission denied on key 'vm.compact_memory'
error: "Invalid argument" reading key "fs.binfmt_misc.register"
error: permission denied on key 'net.ipv4.route.flush'
net.ipv4.ip_forward = 0
error: permission denied on key 'net.ipv6.route.flush'

...any idea of why?

**SteveRiley** · Feb 08, 2013, 01:10 AM

Originally posted by timonoj View Post

When I tried to make look my server.conf to look like yours, it still crashed (as in losing completely the connection, and having to manually go restart the linux PC). Then I started from scratch from a sample like you, and added the mentioned changes (used google´s DNS instead), and now it worked beautifully well!

Hm, the crash is a mystery. Anything interesting in your syslog at the time of the crash?

In my example I enabled TLS authentication protection. Did you? If so, did you generate the extra certificate required for that?

I've found that Verizon's DNS is consistently faster than Google's. Whowouldathunk?

Originally posted by timonoj View Post

How do I launch the openvpn as a daemon? Up until now I was doing it manually just in case, but now it's time to settle it. I copied the openvpn-startup.sh from the example into the /etc/init.d folder, but with no luck...it seems not to be launching.

You don't need to perform this step in Ubuntu, because it happens automatically when you install OpenVPN from the repository. The package configuration script creates all the necessary Upstart links, as you can see:

Code:

root@mini2140:~# [B]ll /etc/*/*openvpn[/B]
-rw-r--r-- 1 root root   553 Mar 30  2012 /etc/bash_completion.d/openvpn
-rw-r--r-- 1 root root   880 Mar 30  2012 /etc/default/openvpn
-rwxr-xr-x 1 root root 10029 Mar 30  2012 /etc/init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc0.d/K80openvpn -> ../init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc1.d/K80openvpn -> ../init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc2.d/S16openvpn -> ../init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc3.d/S16openvpn -> ../init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc4.d/S16openvpn -> ../init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc5.d/S16openvpn -> ../init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc6.d/K80openvpn -> ../init.d/openvpn*

To verify operation, I rebooted my server and then checked for the running process. It's there:

Code:

root@mini2140:~# [B]ps -ef | grep openvpn[/B]
nobody     985     1  0 22:53 ?        00:00:00 /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf

Originally posted by timonoj View Post

Also... sysctl -a | grep net.ipv4.ip_forward returns:

Code:

root@Timo-EEEPC:/etc/openvpn# sysctl -a | grep net.ipv4.ip_forward
error: permission denied on key 'vm.compact_memory'
error: "Invalid argument" reading key "fs.binfmt_misc.register"
error: permission denied on key 'net.ipv4.route.flush'
net.ipv4.ip_forward = 0
error: permission denied on key 'net.ipv6.route.flush'

...any idea of why?

The command sysctl -a displays contents of the variables in /proc/sys. Some variables are write-only, which explains the error messages. Now as to why your net.ipv4.ip_forward variable is zero...are you sure you edited the correct line in /etc/sysctl.conf?

Also, remember that editing the file only affects what happens to the sysctl variables after the next boot. Did you reboot after editing the file?

**timonoj** · Feb 08, 2013, 02:00 AM

Hi SteveRiley,

Thanks so much for all your help! Sadly, I tried to reboot to see if the VPN daemon started after setting up manually a script on the init.d (that was before your reply), and the server didn't come back. It's weird, yesterday I saw this behavior: The server doesn't take SSH connections anymore, doesn't even respond to ping, but if I manually check it, it's fine and can connect and ping anywhere...Just won't take any incoming connection. I have something rather wrong in my network settings.

Originally posted by SteveRiley View Post

Hm, the crash is a mystery. Anything interesting in your syslog at the time of the crash?

In my example I enabled TLS authentication protection. Did you? If so, did you generate the extra certificate required for that?

I've found that Verizon's DNS is consistently faster than Google's. Whowouldathunk?

I'm afraid I won't have time to get logs. AS soon as I leave the office, it's a countdown to get back home, fetch the luggage and go fetch the plane to China. I'll barely have enough time to reboot the PC and restart the VPN manually (and hope it won't crash during a whole week). I'd get it remotely, but I can't seem to connect to it until I restart it.

Regarding the Verizon, I'll give them a test, but I'd assume them to be more responsive...If you're within the US

Originally posted by SteveRiley View Post

You don't need to perform this step in Ubuntu, because it happens automatically when you install OpenVPN from the repository. The package configuration script creates all the necessary Upstart links, as you can see:

Code:

root@mini2140:~# [B]ll /etc/*/*openvpn[/B]
-rw-r--r-- 1 root root   553 Mar 30  2012 /etc/bash_completion.d/openvpn
-rw-r--r-- 1 root root   880 Mar 30  2012 /etc/default/openvpn
-rwxr-xr-x 1 root root 10029 Mar 30  2012 /etc/init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc0.d/K80openvpn -> ../init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc1.d/K80openvpn -> ../init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc2.d/S16openvpn -> ../init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc3.d/S16openvpn -> ../init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc4.d/S16openvpn -> ../init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc5.d/S16openvpn -> ../init.d/openvpn*
lrwxrwxrwx 1 root root    17 Feb  5 15:18 /etc/rc6.d/K80openvpn -> ../init.d/openvpn*

Hm...I think there wasn't any script named openvpn in /etc/init.d, from what I checked this morning (before rebooting and completely losing it, that is). I'm not sure my installation worked as expected, although I did indeed install it with apt-get install. So far I was starting the VPN process manually by sudo openvpn /etc/openvpn/server.conf

Originally posted by SteveRiley View Post

To verify operation, I rebooted my server and then checked for the running process. It's there:

Code:

root@mini2140:~# [B]ps -ef | grep openvpn[/B]
nobody     985     1  0 22:53 ?        00:00:00 /usr/sbin/openvpn --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf

I wish I could check it, but I'm afraid it won't work. Next stop, let's see if in China I can get to connect using SSH and see.

Originally posted by SteveRiley View Post

The command sysctl -a displays contents of the variables in /proc/sys. Some variables are write-only, which explains the error messages. Now as to why your net.ipv4.ip_forward variable is zero...are you sure you edited the correct line in /etc/sysctl.conf?

Also, remember that editing the file only affects what happens to the sysctl variables after the next boot. Did you reboot after editing the file?

[/quote]
Yeah, I only found that line mentioning net.ipv4.ip_forward. And yeah, I rebooted quite a bunch of times, mainly due to this nuisance where the PC decides to reject all connections whenever it feels like.

So again, thanks a lot for all your help! I'm afraid I'll have to run manually the VPN for the moment, and if I can connect from China, maybe I'll do some testing. Worst case, I'll start annoying you again about this in 10 days. Cheers!

**SteveRiley** · Feb 08, 2013, 02:41 AM

Ah, your attempt at manually creating the init scripts may have borked the ones the package automatically sets up. Purging the package, removing all of /etc/openvpn, reinstalling the package, recreating the certificate authority, and finally building the server.conf file should get you to where you need to be. But, alas, you appear out of time.

Enjoy your trip to China. Don't die from the toxic soup that is the air in Beijing, such as this specimen captured by a resident of the 30th floor of an apartment building in Guomao, near the CBD:

**timonoj** · Feb 08, 2013, 07:39 AM

Hahaha, actually Sichuan is not add bad as Beijing, although it's not like it's healthy. At least I'll enjoy some damn spicy meals, cute pandas, and like anywhere else in China, incredibly delayed flights.

Sent from my GT-I9100 using Tapatalk

**SteveRiley** · Feb 08, 2013, 10:18 PM

My last trip to China was Bejing just after the new Terminal 3 opened. I got in the taxi at the Hilton at 10:05 AM, and by 10:50 AM, my butt was in seat 2A on the United flight home. We even departed early, too. The efficiency rivaled Singapore!

Announcement

Redirect traffic in OpenVPN

Redirect traffic in OpenVPN

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment