The_Great_Sephiroth Veteran
Joined: 03 Oct 2014 Posts: 1606 Location: Fayetteville, NC, USA
Posted: Tue Aug 18, 2020 4:41 pm Post subject: [SOLVED] OpenVPN server not routing traffic?
I am setting up a shell-only box to do BTRFS RAID10 for file sharing and OpenVPN for remote access. Everything is up, but the VPN server is not routing data. In other words, it connects instantly and I can ping and SSH into the box, but I cannot access any IP other than the LAN IP of the server. For example, I cannot ping the router at the VPN server location or RDP into boxes at that location.
OpenVPN server config:
Code:
local 192.168.111.201
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/sv01.crt
key /etc/openvpn/server/sv01.key
dh /etc/openvpn/server/dh.pem
tls-auth /etc/openvpn/server/ta.key 0
topology subnet
server 192.168.110.0 255.255.255.0
push "route 192.168.111.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
persist-key
persist-tun
Client config:
Code:
client
dev tun
proto udp
port 1194
remote host.name.hidden 1194 udp
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
I hid the certificates since they are there and working on my end. Why can't I route data?
_________________
Ever picture systemd as what runs "The Borg"?
Last edited by The_Great_Sephiroth on Fri Aug 28, 2020 5:42 pm; edited 1 time in total
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3948
Posted: Tue Aug 18, 2020 5:13 pm
Hi
In server config I also have
Code:
push "redirect-gateway def1 bypass-dhcp"
Other things that come to mind are IP forwarding not being enabled, and proper iptables rules on the server.
Code:
# allow traffic from the VPN subnet to reach the LAN behind the server
iptables -I FORWARD -i tun0 -o <server-ethernet-iface> -s <vpn-network> -d <server-network> -j ACCEPT
# NAT the VPN subnet (not the server's own LAN) as it leaves the ethernet interface
iptables -t nat -I POSTROUTING -o <server-ethernet-iface> -s <vpn-network> -j MASQUERADE
# turn on IPv4 forwarding (not persistent across reboots)
echo 1 > /proc/sys/net/ipv4/ip_forward
Or possibly missing iptables functionality in the kernel?
Hu Administrator
Joined: 06 Mar 2007 Posts: 23055
Posted: Tue Aug 18, 2020 7:00 pm
If you still need help after checking the settings that alamahant suggested, please post the output of ip route ; iptables-save -c from the VPN server. Also, please describe the way in which clients fail. Do they get no response? Do they get a "No route to host" error? If you run tcpdump on the VPN server with appropriate parameters, can you see the client traffic arriving on the VPN virtual NIC? If yes, do you see it trying to leave via the physical NIC that leads to the intended destination host?
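The tcpdump questions above are the right way to localise this kind of failure, so here is an added example (mine, not something Hu or the OP posted) that turns them into one repeatable check. It assumes the interface names from the posted configs (tun0, enp3s0), takes the LAN host the client is pinging as a command-line argument, and must run as root on the VPN server while a client runs ping against that host. The diagnose function is pure decision logic over the three packet counts, so it can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the thread. While a VPN client pings a LAN host,
# count ICMP echo requests seen on the VPN NIC and on the physical NIC, plus
# echo replies coming back on the physical NIC, then say where the path breaks.
# Interface names are assumptions taken from the posted configs.
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-enp3s0}"
CAPTURE_SECONDS="${CAPTURE_SECONDS:-10}"

# Capture for CAPTURE_SECONDS on one interface and print the packet count.
# Filtering on the LAN host (not the VPN subnet) keeps the count correct
# whether or not the server is NATing client traffic. Needs root.
count_icmp() {  # $1 interface, $2 LAN host, $3 'request' | 'reply'
    if [ "$3" = reply ]; then
        filter="icmp[icmptype] == icmp-echoreply and src host $2"
    else
        filter="icmp[icmptype] == icmp-echo and dst host $2"
    fi
    timeout "$CAPTURE_SECONDS" tcpdump -l -n -i "$1" "$filter" 2>/dev/null | wc -l | tr -d ' '
}

# Pure decision logic over the three counts: the first stage that shows zero
# names the layer to look at.
diagnose() {  # $1 requests on VPN_IF, $2 requests on LAN_IF, $3 replies on LAN_IF
    if [ "$1" -eq 0 ]; then
        echo "no client traffic on $VPN_IF: the client is not sending the LAN into the tunnel (check the pushed route and 'ip route' on the client)"
    elif [ "$2" -eq 0 ]; then
        echo "arrives on $VPN_IF but never leaves $LAN_IF: check net.ipv4.ip_forward and the FORWARD chain"
    elif [ "$3" -eq 0 ]; then
        echo "forwarded out $LAN_IF but no reply: the LAN host has no route back to the VPN subnet (return route on the router, or MASQUERADE) or its own firewall drops the request"
    else
        echo "requests and replies both cross $LAN_IF: the path is healthy"
    fi
}

# Run the three captures concurrently, then diagnose.
capture_and_diagnose() {  # $1 LAN host the client is pinging
    d=$(mktemp -d) || return 1
    count_icmp "$VPN_IF" "$1" request > "$d/vpn_req" &
    count_icmp "$LAN_IF" "$1" request > "$d/lan_req" &
    count_icmp "$LAN_IF" "$1" reply   > "$d/lan_rep" &
    wait
    diagnose "$(cat "$d/vpn_req")" "$(cat "$d/lan_req")" "$(cat "$d/lan_rep")"
    rm -rf "$d"
}

# usage (on the VPN server, as root, while a client runs 'ping <lan-host>'):
#   sh vpn_path_check.sh --run <lan-host>
case "${1:-}" in
    --run) capture_and_diagnose "${2:?LAN host address required}" ;;
esac
```

Read the three numbers the way the post describes: packets on the VPN NIC prove the client is sending through the tunnel, packets leaving the physical NIC prove forwarding and the FORWARD chain are fine, and missing replies point at the return path on the LAN side rather than at the VPN server.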
The_Great_Sephiroth Veteran
Joined: 03 Oct 2014 Posts: 1606 Location: Fayetteville, NC, USA
Posted: Tue Aug 18, 2020 7:05 pm
I am not redirecting the default gateway on purpose. They only use the tunnel for RDP to a system or for accessing a remote share. No need to route all traffic through it, though I know for a fact I have not enabled forwarding (or syncookies) yet. That is likely my missing step! Will report back soon.
_________________
Ever picture systemd as what runs "The Borg"?
The_Great_Sephiroth Veteran
Joined: 03 Oct 2014 Posts: 1606 Location: Fayetteville, NC, USA
Posted: Mon Aug 24, 2020 5:53 pm
OK, I've been working on this and it's a no go. I enabled forwarding, and while some things forward, others do not. For example, I can ping an address using ping, but nmap shows nothing. I believe I found out why, though. I have the box set up with a static IP on the LAN, but it is pulling a dynamic one and using the static.
Code:
2: enp3s0: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether e0:69:95:9a:36:d9 brd ff:ff:ff:ff:ff:ff
inet 192.168.111.201/24 brd 192.168.111.255 scope global enp3s0
valid_lft forever preferred_lft forever
inet 192.168.111.4/24 brd 192.168.111.255 scope global secondary enp3s0
valid_lft forever preferred_lft forever
inet6 2606:a000:5193:f500:e269:95ff:fe9a:36d9/64 scope global dynamic mngtmpaddr
valid_lft 604796sec preferred_lft 604796sec
inet6 fe80::e269:95ff:fe9a:36d9/64 scope link
valid_lft forever preferred_lft forever
Here is the configuration.
Code:
[sv01 ~]# cat /etc/conf.d/net
config_enp3s0="192.168.111.201/24"
routes_enp3s0="default via 192.168.111.254"
dns_servers_enp3s0="192.168.111.254 8.8.8.8"
[sv01 ~]# ls -lA /etc/init.d/net.*
lrwxrwxrwx 1 root root 18 Jul 29 14:19 /etc/init.d/net.enp3s0 -> /etc/init.d/net.lo
-rwxr-xr-x 1 root root 19791 Jul 28 07:21 /etc/init.d/net.lo
[sv01 ~]# ls -lA /etc/runlevels/default/ | grep net
lrwxrwxrwx 1 root root 22 Jul 29 14:20 net.enp3s0 -> /etc/init.d/net.enp3s0
lrwxrwxrwx 1 root root 20 May 24 07:09 netmount -> /etc/init.d/netmount
What am I doing wrong? This is a shell-only server.
_________________
Ever picture systemd as what runs "The Borg"?
The_Great_Sephiroth Veteran
Joined: 03 Oct 2014 Posts: 1606 Location: Fayetteville, NC, USA
Posted: Fri Aug 28, 2020 5:26 pm
OK, still struggling with this. Here is the info you requested. No firewall exists at all.
Code:
[sv01 ~]# ip route
default via 192.168.111.254 dev enp3s0
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.110.0/24 dev tun0 proto kernel scope link src 192.168.110.1
192.168.111.0/24 dev enp3s0 proto kernel scope link src 192.168.111.201
192.168.111.254 dev enp3s0 scope link
209.18.47.61 via 192.168.111.254 dev enp3s0
209.18.47.63 via 192.168.111.254 dev enp3s0
[sv01 ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
[sv01 ~]# iptables-save -c
# Generated by iptables-save v1.8.5 on Fri Aug 28 13:24:28 2020
*filter
:INPUT ACCEPT [116884:10852389]
:FORWARD ACCEPT [8862:394652]
:OUTPUT ACCEPT [54344:4963538]
COMMIT
# Completed on Fri Aug 28 13:24:28 2020
The VPN connects and I can SSH into the server, but that is it. If I try NoMachine or Remote Desktop, both time out. If I attempt to ping any systems on the remote network, it times out, EXCEPT for the default gateway (192.168.111.254). I can ping that and the server only from a remote connection.
_________________
Ever picture systemd as what runs "The Borg"?
The_Great_Sephiroth Veteran
Joined: 03 Oct 2014 Posts: 1606 Location: Fayetteville, NC, USA
Posted: Fri Aug 28, 2020 5:42 pm
I figured it out. This system is NOT a gateway device. I had to add a line to iptables.
Code:
iptables -t nat -A POSTROUTING -s 192.168.110.0/24 -o enp3s0 -j MASQUERADE
Everything works flawlessly now. Sometimes I can be braindead...
_________________
Ever picture systemd as what runs "The Borg"?
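Pulling alamahant's forwarding and NAT suggestion and the OP's final MASQUERADE line together, here is an added example (my own, not code from any poster) of the complete rule set such a server needs, tightened so that it forwards only VPN-to-LAN traffic instead of relying on the blanket -P FORWARD ACCEPT visible in the iptables-save output above. The subnets and interface names (192.168.110.0/24, 192.168.111.0/24, tun0, enp3s0) are assumptions taken from the posted configs and can be overridden through the environment. With no arguments it only prints the commands; --apply executes them and must be run as root.

```shell
#!/bin/sh
# Added example, not code from any poster. Combines alamahant's forwarding/NAT
# suggestion and the OP's MASQUERADE fix into one rule set, scoped so the
# server forwards only VPN-to-LAN traffic rather than anything at all.
# Subnets and interfaces are assumptions taken from the posted configs.
VPN_NET="${VPN_NET:-192.168.110.0/24}"   # the 'server' line in the OpenVPN config
LAN_NET="${LAN_NET:-192.168.111.0/24}"   # the LAN pushed to clients
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-enp3s0}"

# Print the rule set, one command per line, without touching the system.
# New connections are accepted only from the VPN side; the LAN side may only
# send back replies conntrack already knows about. The DROP policy assumes
# nothing else on this box relies on forwarding.
vpn_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -d $VPN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE
EOF
}

# Fail before touching the firewall rather than leave a half-applied rule set.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Execute the printed commands in order, stopping at the first failure.
apply_rules() {
    for n in "$VPN_NET" "$LAN_NET"; do
        valid_cidr "$n" || { echo "not a CIDR prefix: $n" >&2; return 1; }
    done
    while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        $cmd || return 1   # unquoted on purpose: every argument above is a single word
    done <<EOF
$(vpn_rules)
EOF
}

# usage: no arguments prints the rules; 'sh vpn_forward.sh --apply' runs them as root
case "${1:-}" in
    --apply) apply_rules ;;
    *)       vpn_rules ;;
esac
```

Neither sysctl -w nor iptables changes survive a reboot: on Gentoo, put net.ipv4.ip_forward = 1 in /etc/sysctl.conf and run /etc/init.d/iptables save after applying so the rules are restored at boot. The MASQUERADE line fixes the return path by hiding every VPN client behind the server's LAN address (192.168.111.201), which also means LAN hosts' logs record the server rather than the individual client; the alternative that keeps client addresses visible is a static route for 192.168.110.0/24 via 192.168.111.201 on the LAN router, with no NAT rule at all.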