Gentoo Forums
[SOLVED] OpenVPN server not routing traffic?
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1497
Location: Fayetteville, NC, USA

Posted: Tue Aug 18, 2020 4:41 pm    Post subject: [SOLVED] OpenVPN server not routing traffic?

I am setting up a shell-only box to do BTRFS RAID10 for file sharing and OpenVPN for remote access. Everything is up, but the VPN server is not routing data. In other words, it connects instantly and I can ping and SSH into the box, but I cannot access any IP other than the LAN IP of the server. For example, I cannot ping the router at the VPN server location or RDP into boxes at that location.

OpenVPN server config:
Code:

local 192.168.111.201
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/sv01.crt
key /etc/openvpn/server/sv01.key
dh /etc/openvpn/server/dh.pem
tls-auth /etc/openvpn/server/ta.key 0
topology subnet
server 192.168.110.0 255.255.255.0
push "route 192.168.111.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
persist-key
persist-tun


Client config:
Code:

client
dev tun
proto udp
port 1194
remote host.name.hidden 1194 udp
remote-cert-tls server
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

I hid the certificates since they are there and working on my end. Why can't I route data?
_________________
Ever picture systemd as what runs "The Borg"?


Last edited by The_Great_Sephiroth on Fri Aug 28, 2020 5:42 pm; edited 1 time in total
alamahant
Guru
Joined: 23 Mar 2019
Posts: 551

Posted: Tue Aug 18, 2020 5:13 pm

Hi
In server config I also have
Code:

push "redirect-gateway def1 bypass-dhcp"

Other things that come to mind are IP forwarding not being enabled and the proper iptables rules missing on the server.
Code:

# allow packets arriving from the tunnel to be forwarded onto the LAN
iptables -I FORWARD -i tun0 -o <server-ethernet-iface> -s <vpn-network> -d <server-network> -j ACCEPT
# hide the VPN client subnet behind the server's LAN address on the way out
iptables -t nat -I POSTROUTING -o <server-eth> -s <vpn-network> -j MASQUERADE
# turn on IPv4 forwarding (runtime only; use sysctl.conf to make it persistent)
echo 1 > /proc/sys/net/ipv4/ip_forward

Or possibly missing iptables functionality in the kernel?
:D
Hu
Moderator
Joined: 06 Mar 2007
Posts: 16021

Posted: Tue Aug 18, 2020 7:00 pm

If you still need help after checking the settings that alamahant suggested, please post the output of ip route ; iptables-save -c from the VPN server. Also, please describe the way in which clients fail. Do they get no response? Do they get a "No route to host" error? If you run tcpdump on the VPN server with appropriate parameters, can you see the client traffic arriving on the VPN virtual NIC? If yes, do you see it trying to leave via the physical NIC that leads to the intended destination host?
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1497
Location: Fayetteville, NC, USA

Posted: Tue Aug 18, 2020 7:05 pm

I am not redirecting the default gateway on purpose. They only use the tunnel for RDP to a system or accessing a remote share. No need to route all traffic through it, though I know for a fact I have not enabled forwarding (or syncookies) yet. That is likely my missing step! Will report back soon.
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1497
Location: Fayetteville, NC, USA

Posted: Mon Aug 24, 2020 5:53 pm

OK, I have been working on this and it is still a no go. I enabled forwarding and while some things forward, others do not. For example, I can ping an address using ping, but nmap shows nothing. I believe I found out why, though. I have the box set up with a static IP on the LAN, but it is pulling a dynamic one and using the static.
Code:

2: enp3s0: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether e0:69:95:9a:36:d9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.111.201/24 brd 192.168.111.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet 192.168.111.4/24 brd 192.168.111.255 scope global secondary enp3s0
       valid_lft forever preferred_lft forever
    inet6 2606:a000:5193:f500:e269:95ff:fe9a:36d9/64 scope global dynamic mngtmpaddr
       valid_lft 604796sec preferred_lft 604796sec
    inet6 fe80::e269:95ff:fe9a:36d9/64 scope link
       valid_lft forever preferred_lft forever

Here is the configuration.
Code:

[sv01 ~]# cat /etc/conf.d/net
config_enp3s0="192.168.111.201/24"
routes_enp3s0="default via 192.168.111.254"
dns_servers_enp3s0="192.168.111.254 8.8.8.8"

[sv01 ~]# ls -lA /etc/init.d/net.*
lrwxrwxrwx 1 root root    18 Jul 29 14:19 /etc/init.d/net.enp3s0 -> /etc/init.d/net.lo
-rwxr-xr-x 1 root root 19791 Jul 28 07:21 /etc/init.d/net.lo

[sv01 ~]# ls -lA /etc/runlevels/default/ | grep net
lrwxrwxrwx 1 root root 22 Jul 29 14:20 net.enp3s0 -> /etc/init.d/net.enp3s0
lrwxrwxrwx 1 root root 20 May 24 07:09 netmount -> /etc/init.d/netmount

What am I doing wrong? This is a shell only server.
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1497
Location: Fayetteville, NC, USA

Posted: Fri Aug 28, 2020 5:26 pm

OK, still struggling with this. Here is the info you requested. No firewall exists at all.
Code:

[sv01 ~]# ip route
default via 192.168.111.254 dev enp3s0
127.0.0.0/8 via 127.0.0.1 dev lo
192.168.110.0/24 dev tun0 proto kernel scope link src 192.168.110.1
192.168.111.0/24 dev enp3s0 proto kernel scope link src 192.168.111.201
192.168.111.254 dev enp3s0 scope link
209.18.47.61 via 192.168.111.254 dev enp3s0
209.18.47.63 via 192.168.111.254 dev enp3s0
[sv01 ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
[sv01 ~]# iptables-save -c
# Generated by iptables-save v1.8.5 on Fri Aug 28 13:24:28 2020
*filter
:INPUT ACCEPT [116884:10852389]
:FORWARD ACCEPT [8862:394652]
:OUTPUT ACCEPT [54344:4963538]
COMMIT
# Completed on Fri Aug 28 13:24:28 2020

The VPN connects and I can SSH into the server, but that is it. If I try NoMachine or Remote Desktop, both time out. If I attempt to ping any systems on the remote network it times out, EXCEPT for the default gateway (192.168.111.254). I can ping that and the server only from a remote connection.
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1497
Location: Fayetteville, NC, USA

Posted: Fri Aug 28, 2020 5:42 pm

I figured it out. This system is NOT a gateway device. I had to add a line to iptables.
Code:

iptables -t nat -A POSTROUTING -s 192.168.110.0/24 -o enp3s0 -j MASQUERADE

Everything works flawlessly now. Sometimes I can be braindead...
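The MASQUERADE rule fixes the return path, not the forward one: LAN hosts send replies for 192.168.110.x to their default gateway 192.168.111.254, which has no route back to the tunnel. This added example (not code from any post in the thread) models the thread's addresses with a small longest-prefix-match tracer and shows where a LAN host's reply ends up with and without NAT; the client 192.168.110.2 and the RDP target 192.168.111.50 are constructed.

```python
import ipaddress

# Constructed model of the thread's topology: the OpenVPN server is an ordinary LAN host, not the gateway.
VPN_NET = ipaddress.ip_network("192.168.110.0/24")    # "server 192.168.110.0 255.255.255.0"
LAN_NET = ipaddress.ip_network("192.168.111.0/24")    # the pushed route
ANY = ipaddress.ip_network("0.0.0.0/0")
ROUTER = ipaddress.ip_address("192.168.111.254")
SERVER_LAN = ipaddress.ip_address("192.168.111.201")
SERVER_TUN = ipaddress.ip_address("192.168.110.1")
CLIENT = ipaddress.ip_address("192.168.110.2")        # a VPN client (constructed)
LAN_HOST = ipaddress.ip_address("192.168.111.50")     # an RDP target (constructed)
DROP = "drop"

# Per-host addresses and routing tables as (prefix, gateway); gateway None = directly connected.
ADDRS = {"server": {SERVER_LAN, SERVER_TUN}, "lan_host": {LAN_HOST},
         "router": {ROUTER}, "client": {CLIENT}}
ROUTES = {
    "server": [(VPN_NET, None), (LAN_NET, None), (ANY, ROUTER)],
    "lan_host": [(LAN_NET, None), (ANY, ROUTER)],
    "client": [(VPN_NET, None), (LAN_NET, SERVER_TUN)],
    # The router has no route to 192.168.110.0/24; its WAN default is omitted since a private dst never returns.
    "router": [(LAN_NET, None)],
}

def next_hop(host, dst):
    """Longest-prefix match on one host's table: None (direct), a gateway address, or DROP."""
    matches = [(net, gw) for net, gw in ROUTES[host] if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else DROP

def owner(addr):
    return next((h for h, a in ADDRS.items() if addr in a), None)

def trace(start, dst, max_hops=8):
    """Follow a packet hop by hop from `start` toward `dst`; return the hosts it visits."""
    path, host = [start], start
    while dst not in ADDRS[host] and len(path) < max_hops:
        gw = next_hop(host, dst)
        host = None if gw == DROP else owner(dst if gw is None else gw)
        if host is None:
            return path + ["DROPPED"]
        path.append(host)
    return path

def reply_reaches_client(masquerade):
    """Reply path from the LAN host; with NAT it sees 192.168.111.201 as source instead of 192.168.110.2."""
    path = trace("lan_host", SERVER_LAN if masquerade else CLIENT)
    if masquerade and path[-1] == "server":
        path += trace("server", CLIENT)[1:]   # server un-NATs the reply and forwards it over tun0
    return path[-1] == "client", path
```

The forward direction works either way (the server has a connected route to the LAN), which is why the OP could reach the server itself but not the hosts behind it; the alternative to NAT is a static route for 192.168.110.0/24 via 192.168.111.201 on the router.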