Jump to content
Not connected, Your IP: 18.191.165.149

Recommended Posts

Hi everyone,

 

I would like to have my digital ocean VM use a VPN for its outgoing http requests. I am using openVPN on Ubuntu 14.04.1 LTS (GNU/Linux 3.5.0-48-generic x86_64). 

 

Got the files AirVPN_Europe_TCP-53.ovpn  ca.crt  ta.key  user.crt  user.key in one directory.

VPN is using TCP protocol on port 53. Also tried with UDP, same problem

 

also copied the files to /etc/openvpn/ to try to run it via openvpn start.

 

If I do that, I get the output:

 

    root@tr:/home# sudo service openvpn start  * Starting virtual private

    network daemon(s)...

 

..but nothing happens. curl http://www.ipchicken.com still reveals the servers ip

 

If I directly run

 

    root@tr:/etc/openvpn# sudo openvpn AirVPN_Europe_TCP-53.ovpn 

    Thu Sep 18 09:42:35 2014 OpenVPN 2.3.2 i686-pc-linux-gnu [sSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [iPv6] built on Feb  4 2014

    Thu Sep 18 09:42:35 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file

    Thu Sep 18 09:42:35 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

    Thu Sep 18 09:42:35 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

    Thu Sep 18 09:42:35 2014 Socket Buffers: R=[87380->131072] S=[87380->131072]

    Thu Sep 18 09:42:35 2014 Attempting to establish TCP connection with [AF_INET]95.211.186.65:53 [nonblock]

    Thu Sep 18 09:42:36 2014 TCP connection established with [AF_INET]95.211.186.65:53

    Thu Sep 18 09:42:36 2014 TCPv4_CLIENT link local: [undef]

    Thu Sep 18 09:42:36 2014 TCPv4_CLIENT link remote: [AF_INET]95.211.186.65:53

    Thu Sep 18 09:42:36 2014 TLS: Initial packet from [AF_INET]95.211.186.65:53, sid=d5ee74c0 46f1dcfd

    Thu Sep 18 09:42:36 2014 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org

    Thu Sep 18 09:42:36 2014 Validating certificate key usage

    Thu Sep 18 09:42:36 2014 ++ Certificate has key usage  00a0, expects 00a0

    Thu Sep 18 09:42:36 2014 VERIFY KU OK

    Thu Sep 18 09:42:36 2014 Validating certificate extended key usage

    Thu Sep 18 09:42:36 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

    Thu Sep 18 09:42:36 2014 VERIFY EKU OK

    Thu Sep 18 09:42:36 2014 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org

    Thu Sep 18 09:42:37 2014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

    Thu Sep 18 09:42:37 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

    Thu Sep 18 09:42:37 2014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

    Thu Sep 18 09:42:37 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

    Thu Sep 18 09:42:37 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA

    Thu Sep 18 09:42:37 2014 [server] Peer Connection Initiated with [AF_INET]95.211.186.65:53

    Thu Sep 18 09:42:39 2014 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

    Thu Sep 18 09:42:40 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,comp-lzo no,route 10.9.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.9.0.254 10.9.0.253'

    Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: timers and/or timeouts modified

    Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: LZO parms modified

    Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: --ifconfig/up options modified

    Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: route options modified

    Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified

    Thu Sep 18 09:42:40 2014 ROUTE_GATEWAY 178.62.192.1/255.255.192.0 IFACE=eth0 HWADDR=04:01:28:70:e1:01

    Thu Sep 18 09:42:40 2014 TUN/TAP device tun0 opened

    Thu Sep 18 09:42:40 2014 TUN/TAP TX queue length set to 100

    Thu Sep 18 09:42:40 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0

    Thu Sep 18 09:42:40 2014 /sbin/ip link set dev tun0 up mtu 1500

    Thu Sep 18 09:42:40 2014 /sbin/ip addr add dev tun0 local 10.9.0.254 peer 10.9.0.253

    Thu Sep 18 09:42:40 2014 /sbin/ip route add 95.211.186.65/32 via 178.62.192.1

    Thu Sep 18 09:42:40 2014 /sbin/ip route add 0.0.0.0/1 via 10.9.0.253

    Thu Sep 18 09:42:40 2014 /sbin/ip route add 128.0.0.0/1 via 10.9.0.253

    Write failed: Broken pipe

 

 

After that the VM is just completely down / frozen and I need to restart it. Really no clue on whats going wrong here and have been on this for hours. Any idea?

 

Share this post


Link to post

I'm having the same scenario with my Digital Ocean droplet. 

 

Upon successfully connecting to AirVPN (via TCP:443), my terminal session would hang and I can no longer SSH back into the box (port 22 and 443) using the original IP or the AirVPN IP.

 

I would have to power cycle the droplet to disconnect VPN and SSH again via the original IP.

 

What is the best way to have the target droplet/server be running VPN, but still SSH into it?

Share this post


Link to post

I'm having the same scenario with my Digital Ocean droplet. 

 

Upon successfully connecting to AirVPN (via TCP:443), my terminal session would hang and I can no longer SSH back into the box (port 22 and 443) using the original IP or the AirVPN IP.

 

I would have to power cycle the droplet to disconnect VPN and SSH again via the original IP.

 

What is the best way to have the target droplet/server be running VPN, but still SSH into it?

 

If you can live with the VPN not being the default route, you can do it like this:

 

https://airvpn.org/topic/14634-problems-using-air-vpn-as-non-default-route/?p=29391

 

https://airvpn.org/topic/14158-question-run-airvpn-as-non-primary-network-adapter/?p=27398

 

On a VPS (rather than a VirtualBox VM on your PC) it may make more sense to replace the contents of myroute.ovpni described there with this:

script-security 2
up ./common/up.sh
route-nopull
redirect-private
You will need to bind whatever programs you want to use the VPN to the VPN interface.

 

===

 

UPDATE:

 

For completeness, the comments below may help demonstrate what the issue is.

 

As quick and dirty way to sustain the SSH connection, add a routing table entry to direct traffic to your SSH client over the original gateway. Something like this:

sudo route add -host 111.222.333.444 gw 555.666.777.1
 

There, "111.222.333.444" would be the address you connected from (as shown when you do "echo $SSH_CLIENT"), and "555.666.777.1" is the original default gateway (the entry with a "Genmask" of "0.0.0.0" when you do "/sbin/route -n").

 

SSH connections from anywhere else will still fail.

 

===

 

UPDATE 2:

 

I did not actually explain the problem above. The problem is that the default gateway gets changed by OpenVPN, and that breaks your current SSH connection unless you set up appropriate routes before you start OpenVPN.

 

Here is a more general purpose solution than what was in "UPDATE" above.

 

It is assumed here that the default gateway interface before OpenVPN is started is "eth0". This is the usual convention

for Linux systems.

 

It should ensure that when a connection to eth0 is made, even if eth0 is not the default gateway interface anymore, response packets for the connection back on eth0 again.

# set "connection" mark of connection from eth0 when first packet of connection arrives
sudo iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234

# set "firewall" mark for response packets in connection with our connection mark
sudo iptables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

# our routing table with eth0 as gateway interface
sudo ip route add default dev eth0 table 3412

# route packets with our firewall mark using our routing table
sudo ip rule add fwmark 4321 table 3412
UPDATE to UPDATE 2:

 

The above works fine for me on Debian Jessie. But on an older Wheezy system I have just found that I need to add "via" to the routing table entry:

# our routing table with eth0 as gateway interface
sudo ip route add default dev eth0 via 12.345.67.89 table 3412
There "12.345.67.89" must be the original non-VPN gateway.

Share this post


Link to post

This temporary workaround was BEYOND helpful. I can't begin to tell you how many additional hours this has saved me!

 

Thank you, thank you, thank you!

Share this post


Link to post

I'm not understanding. I have a vps I'm using as a seedbox. I want to be able to use public trackers, but this is disallowed by the host and therefore need my vpn

The goal:

-all other traffic goes through (one of my clients can spoof my IP to the tracker, preserving the functionality of my private trackers)

- can still connect from anywhere via FTP and SSH to manage the box

I'm not an admin. I can follow clear step-by-step directions.

vps is running Ubuntu 16.04 LTS and I have full sudo access

The above posts are only temporary and for the working ip?

Share this post


Link to post

EDIT: There is an updated version of these scripts here:

https://github.com/tool-maker/VPN_just_for_torrents/wiki/Maintaining-SSH-Access-Using-a-VPN-on-a-Remote-Linux-Server

---

I hesitate to do this because I do not want to promise to help troubleshoot or maintain these scripts. Or even explain them (I have probably forgotten details myself). But here are two scripts I have in my "~/bin" folder on a VPS.

 

They determine the name of the gateway interface and its IP address for you. And there is optional code at the end (avoided by "exit") to show IPTABLES entries for troubleshooting.

 

You need to make these files executable:

chmod uog+x ~/bin/native_if_return_on
chmod uog+x ~/bin/native_if_return_off
===> native_if_return_on:
#!/bin/bash

ROUTE=`ip route show table main | grep default -`
#echo ROUTE=$ROUTE
TOK=($ROUTE)
#GW=${TOK[2]}
#echo GW=$GW
IF=${TOK[4]}
#echo IF=$IF

sudo iptables -t mangle -D PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234
sudo iptables -t mangle -A PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234

sudo iptables -t mangle -D OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321
sudo iptables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

sudo ip route del all table 3412
#sudo ip route add default via $GW dev $IF table 3412
sudo ip route add $ROUTE table 3412

sudo ip rule del fwmark 4321
sudo ip rule add fwmark 4321 table 3412

# no IPv6
exit

ROUTE=`ip -6 route show table main | grep default -`
#echo ROUTE=$ROUTE
TOK=($ROUTE)
#GW=${TOK[2]}
#echo GW=$GW
IF=${TOK[4]}
#echo IF=$IF

sudo ip6tables -t mangle -D PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234
sudo ip6tables -t mangle -A PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234

sudo ip6tables -t mangle -D OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321
sudo ip6tables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

sudo ip -6 route del all table 3412
#sudo ip -6 route add default via $GW dev $IF table 3412
sudo ip -6 route add $ROUTE table 3412

sudo ip -6 rule del fwmark 4321
sudo ip -6 rule add fwmark 4321 table 3412

exit

sudo iptables -t mangle -L -v
ip rule show
ip route list table 3412

sudo ip6tables -t mangle -L -v
ip -6 rule show
ip -6 route list table 3412
===> native_if_return_off:
#!/bin/bash

ROUTE=`ip route show table main | grep default -`
#echo ROUTE=$ROUTE
TOK=($ROUTE)
IF=${TOK[4]}
#echo IF=$IF

sudo iptables -t mangle -D PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234

sudo iptables -t mangle -D OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

sudo ip route del all table 3412

sudo ip rule del fwmark 4321

# no IPv6
exit

ROUTE=`ip -6 route show table main | grep default -`
#echo ROUTE=$ROUTE
TOK=($ROUTE)
IF=${TOK[4]}
#echo IF=$IF

sudo ip6tables -t mangle -D PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234

sudo ip6tables -t mangle -D OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

sudo ip -6 route del all table 3412

sudo ip -6 rule del fwmark 4321

exit

sudo iptables -t mangle -L -v
ip rule show
ip route list table 3412

sudo ip6tables -t mangle -L -v
ip -6 rule show
ip -6 route list table 3412

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...