fletch007 Posted ...

Hi everyone, I would like to have my Digital Ocean VM use a VPN for its outgoing HTTP requests. I am using OpenVPN on Ubuntu 14.04.1 LTS (GNU/Linux 3.5.0-48-generic x86_64). Got the files AirVPN_Europe_TCP-53.ovpn, ca.crt, ta.key, user.crt and user.key in one directory. The VPN is using the TCP protocol on port 53. Also tried with UDP, same problem. Also copied the files to /etc/openvpn/ to try to run it via "service openvpn start". If I do that, I get the output:

root@tr:/home# sudo service openvpn start
 * Starting virtual private network daemon(s)...

..but nothing happens. curl http://www.ipchicken.com still reveals the server's IP.

If I directly run:

root@tr:/etc/openvpn# sudo openvpn AirVPN_Europe_TCP-53.ovpn
Thu Sep 18 09:42:35 2014 OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
Thu Sep 18 09:42:35 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Sep 18 09:42:35 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 18 09:42:35 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 18 09:42:35 2014 Socket Buffers: R=[87380->131072] S=[87380->131072]
Thu Sep 18 09:42:35 2014 Attempting to establish TCP connection with [AF_INET]95.211.186.65:53 [nonblock]
Thu Sep 18 09:42:36 2014 TCP connection established with [AF_INET]95.211.186.65:53
Thu Sep 18 09:42:36 2014 TCPv4_CLIENT link local: [undef]
Thu Sep 18 09:42:36 2014 TCPv4_CLIENT link remote: [AF_INET]95.211.186.65:53
Thu Sep 18 09:42:36 2014 TLS: Initial packet from [AF_INET]95.211.186.65:53, sid=d5ee74c0 46f1dcfd
Thu Sep 18 09:42:36 2014 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Thu Sep 18 09:42:36 2014 Validating certificate key usage
Thu Sep 18 09:42:36 2014 ++ Certificate has key usage 00a0, expects 00a0
Thu Sep 18 09:42:36 2014 VERIFY KU OK
Thu Sep 18 09:42:36 2014 Validating certificate extended key usage
Thu Sep 18 09:42:36 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Sep 18 09:42:36 2014 VERIFY EKU OK
Thu Sep 18 09:42:36 2014 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Thu Sep 18 09:42:37 2014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Sep 18 09:42:37 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 18 09:42:37 2014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Thu Sep 18 09:42:37 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 18 09:42:37 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Thu Sep 18 09:42:37 2014 [server] Peer Connection Initiated with [AF_INET]95.211.186.65:53
Thu Sep 18 09:42:39 2014 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Thu Sep 18 09:42:40 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,comp-lzo no,route 10.9.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.9.0.254 10.9.0.253'
Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: LZO parms modified
Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: route options modified
Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Sep 18 09:42:40 2014 ROUTE_GATEWAY 178.62.192.1/255.255.192.0 IFACE=eth0 HWADDR=04:01:28:70:e1:01
Thu Sep 18 09:42:40 2014 TUN/TAP device tun0 opened
Thu Sep 18 09:42:40 2014 TUN/TAP TX queue length set to 100
Thu Sep 18 09:42:40 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Sep 18 09:42:40 2014 /sbin/ip link set dev tun0 up mtu 1500
Thu Sep 18 09:42:40 2014 /sbin/ip addr add dev tun0 local 10.9.0.254 peer 10.9.0.253
Thu Sep 18 09:42:40 2014 /sbin/ip route add 95.211.186.65/32 via 178.62.192.1
Thu Sep 18 09:42:40 2014 /sbin/ip route add 0.0.0.0/1 via 10.9.0.253
Thu Sep 18 09:42:40 2014 /sbin/ip route add 128.0.0.0/1 via 10.9.0.253
Write failed: Broken pipe

After that the VM is just completely down / frozen and I need to restart it. Really no clue on what's going wrong here and have been on this for hours. Any idea?
vpnSafety Posted ...

I'm having the same scenario with my Digital Ocean droplet. Upon successfully connecting to AirVPN (via TCP:443), my terminal session would hang and I can no longer SSH back into the box (port 22 and 443) using the original IP or the AirVPN IP. I would have to power cycle the droplet to disconnect VPN and SSH again via the original IP. What is the best way to have the target droplet/server be running VPN, but still SSH into it?
NaDre Posted ...

    I'm having the same scenario with my Digital Ocean droplet. Upon successfully connecting to AirVPN (via TCP:443), my terminal session would hang and I can no longer SSH back into the box (port 22 and 443) using the original IP or the AirVPN IP. I would have to power cycle the droplet to disconnect VPN and SSH again via the original IP. What is the best way to have the target droplet/server be running VPN, but still SSH into it?

If you can live with the VPN not being the default route, you can do it like this:

https://airvpn.org/topic/14634-problems-using-air-vpn-as-non-default-route/?p=29391
https://airvpn.org/topic/14158-question-run-airvpn-as-non-primary-network-adapter/?p=27398

On a VPS (rather than a VirtualBox VM on your PC) it may make more sense to replace the contents of myroute.ovpn I described there with this:

script-security 2
up ./common/up.sh
route-nopull
redirect-private

You will need to bind whatever programs you want to use the VPN to the VPN interface.

=== UPDATE:

For completeness, the comments below may help demonstrate what the issue is. As a quick and dirty way to sustain the SSH connection, add a routing table entry to direct traffic to your SSH client over the original gateway. Something like this:

sudo route add -host 111.222.333.444 gw 555.666.777.1

There, "111.222.333.444" would be the address you connected from (as shown when you do "echo $SSH_CLIENT"), and "555.666.777.1" is the original default gateway (the entry with a "Genmask" of "0.0.0.0" when you do "/sbin/route -n"). SSH connections from anywhere else will still fail.

=== UPDATE 2:

I did not actually explain the problem above. The problem is that the default gateway gets changed by OpenVPN, and that breaks your current SSH connection unless you set up appropriate routes before you start OpenVPN. Here is a more general-purpose solution than what was in "UPDATE" above. It is assumed here that the default gateway interface before OpenVPN is started is "eth0". This is the usual convention for Linux systems. It should ensure that when a connection to eth0 is made, even if eth0 is not the default gateway interface anymore, response packets for the connection go back out on eth0 again.

# set "connection" mark of connection from eth0 when first packet of connection arrives
sudo iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234
# set "firewall" mark for response packets in connection with our connection mark
sudo iptables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321
# our routing table with eth0 as gateway interface
sudo ip route add default dev eth0 table 3412
# route packets with our firewall mark using our routing table
sudo ip rule add fwmark 4321 table 3412

UPDATE to UPDATE 2: The above works fine for me on Debian Jessie. But on an older Wheezy system I have just found that I need to add "via" to the routing table entry:

# our routing table with eth0 as gateway interface
sudo ip route add default dev eth0 via 12.345.67.89 table 3412

There "12.345.67.89" must be the original non-VPN gateway.
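The two fixes from this post (the host route for your own SSH client from "UPDATE", and the CONNMARK/fwmark policy routing from "UPDATE 2", with the "via" that the Wheezy note says is sometimes needed) combined into one script, as an added example that is not NaDre's code and not part of the original thread. It reuses the marks 1234/4321 and table 3412 from the post; everything else (the function names, the assumption that the main table's default route reads "default via GW dev IF ...", the sample route line in the comments) is my own and should be checked against your droplet. Run it as root before starting OpenVPN.

```shell
#!/bin/sh
# Added example: keep SSH reachable on the native interface before OpenVPN
# replaces the default route. Assumptions (mine, not from the thread):
# - `ip route show table main` has a line like
#   "default via 178.62.192.1 dev eth0 ..." (constructed sample)
# - marks 1234/4321 and table 3412 are free to use (taken from the post)

# parse_default_route LINE -> prints "GW IF" from a main-table default route line
parse_default_route() {
    local line gw dev
    line=$1; gw=""; dev=""
    set -- $line
    while [ $# -gt 0 ]; do
        case $1 in
            via) gw=${2:-}; [ $# -gt 1 ] && shift ;;
            dev) dev=${2:-}; [ $# -gt 1 ] && shift ;;
        esac
        shift
    done
    [ -n "$gw" ] && [ -n "$dev" ] || return 1   # "default dev tun0" has no gateway
    printf '%s %s\n' "$gw" "$dev"
}

# ssh_client_ip "$SSH_CLIENT" -> the address the current admin session came from
ssh_client_ip() {
    set -- $1
    [ -n "${1:-}" ] || return 1
    printf '%s\n' "$1"
}

# host_route_cmd CLIENT GW -> the "UPDATE" quick fix: pin one client to the old gateway
host_route_cmd() {
    printf 'ip route replace %s/32 via %s\n' "$1" "$2"
}

# return_path_cmds GW IF -> the "UPDATE 2" rules, one command per line, written
# so that running them twice does not duplicate rules (-C check before -A)
return_path_cmds() {
    local gw ifc
    gw=$1; ifc=$2
    cat <<EOF
iptables -t mangle -C PREROUTING -i $ifc -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234 2>/dev/null || iptables -t mangle -A PREROUTING -i $ifc -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234
iptables -t mangle -C OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321 2>/dev/null || iptables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321
ip route replace default via $gw dev $ifc table 3412
ip rule del fwmark 4321 table 3412 2>/dev/null || true
ip rule add fwmark 4321 table 3412
EOF
}

# apply: read the live default route and install everything. Refuses to run
# unless root, and verifies the policy rule afterwards (4321 shows as 0x10e1).
apply() {
    local line gw_if gw ifc client
    [ "$(id -u)" -eq 0 ] || { echo "apply: run as root" >&2; return 1; }
    line=$(ip route show table main | grep -m1 '^default ') \
        || { echo "apply: no default route in table main" >&2; return 1; }
    gw_if=$(parse_default_route "$line") \
        || { echo "apply: cannot parse: $line" >&2; return 1; }
    set -- $gw_if
    gw=$1; ifc=$2
    # The session you are typing in already exists in conntrack, so the
    # "--ctstate NEW" rule will not mark it; pin a host route for it as well.
    if client=$(ssh_client_ip "${SSH_CLIENT:-}"); then
        eval "$(host_route_cmd "$client" "$gw")"
    fi
    return_path_cmds "$gw" "$ifc" | while IFS= read -r cmd; do eval "$cmd"; done
    ip rule show | grep -q 'fwmark 0x10e1 lookup 3412'
}

if [ "${1:-}" = apply ]; then apply; fi
```

Usage: save as keep_ssh.sh, then `sudo sh keep_ssh.sh apply` before `sudo openvpn AirVPN_Europe_TCP-53.ovpn`. Inbound connections that arrive on the native interface after the rules are in place get the connection mark and are answered through table 3412 regardless of where the default route points; the extra host route covers the session the script is run from, which conntrack may already have seen before the PREROUTING rule existed.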
vpnSafety Posted ...

This temporary workaround was BEYOND helpful. I can't begin to tell you how many additional hours this has saved me! Thank you, thank you, thank you!
pandapandachan Posted ...

I'm not understanding. I have a VPS I'm using as a seedbox. I want to be able to use public trackers, but this is disallowed by the host and therefore I need my VPN.

The goal:
- all other traffic goes through (one of my clients can spoof my IP to the tracker, preserving the functionality of my private trackers)
- can still connect from anywhere via FTP and SSH to manage the box

I'm not an admin. I can follow clear step-by-step directions. The VPS is running Ubuntu 16.04 LTS and I have full sudo access. The above posts are only temporary and for the working IP?
NaDre Posted ...

EDIT: There is an updated version of these scripts here:
https://github.com/tool-maker/VPN_just_for_torrents/wiki/Maintaining-SSH-Access-Using-a-VPN-on-a-Remote-Linux-Server

---

I hesitate to do this because I do not want to promise to help troubleshoot or maintain these scripts. Or even explain them (I have probably forgotten details myself). But here are two scripts I have in my "~/bin" folder on a VPS. They determine the name of the gateway interface and its IP address for you. And there is optional code at the end (avoided by "exit") to show IPTABLES entries for troubleshooting.

You need to make these files executable:

chmod uog+x ~/bin/native_if_return_on
chmod uog+x ~/bin/native_if_return_off

===> native_if_return_on:

#!/bin/bash
# main-table default route, e.g. "default via 12.345.67.89 dev eth0 ..."
ROUTE=$(ip route show table main | grep '^default')
TOK=($ROUTE)
#GW=${TOK[2]}    # gateway address (only needed for the "via" variant below)
IF=${TOK[4]}     # gateway interface name

# mark new inbound connections on the native interface, then mark their replies
# (delete first so that re-running the script does not add duplicate rules)
sudo iptables -t mangle -D PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234 2>/dev/null
sudo iptables -t mangle -A PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234
sudo iptables -t mangle -D OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321 2>/dev/null
sudo iptables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

# table 3412 holds a copy of the native default route; marked replies use it
sudo ip route flush table 3412
#sudo ip route add default via $GW dev $IF table 3412
sudo ip route add $ROUTE table 3412
sudo ip rule del fwmark 4321 2>/dev/null
sudo ip rule add fwmark 4321 table 3412

# no IPv6
exit

ROUTE=$(ip -6 route show table main | grep '^default')
TOK=($ROUTE)
#GW=${TOK[2]}
IF=${TOK[4]}
sudo ip6tables -t mangle -D PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234 2>/dev/null
sudo ip6tables -t mangle -A PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234
sudo ip6tables -t mangle -D OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321 2>/dev/null
sudo ip6tables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321
sudo ip -6 route flush table 3412
#sudo ip -6 route add default via $GW dev $IF table 3412
sudo ip -6 route add $ROUTE table 3412
sudo ip -6 rule del fwmark 4321 2>/dev/null
sudo ip -6 rule add fwmark 4321 table 3412

exit

# troubleshooting: show what was installed
sudo iptables -t mangle -L -v
ip rule show
ip route list table 3412
sudo ip6tables -t mangle -L -v
ip -6 rule show
ip -6 route list table 3412

===> native_if_return_off:

#!/bin/bash
ROUTE=$(ip route show table main | grep '^default')
TOK=($ROUTE)
IF=${TOK[4]}     # gateway interface name

# remove the marking rules, the extra routing table and the policy rule
sudo iptables -t mangle -D PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234
sudo iptables -t mangle -D OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321
sudo ip route flush table 3412
sudo ip rule del fwmark 4321

# no IPv6
exit

ROUTE=$(ip -6 route show table main | grep '^default')
TOK=($ROUTE)
IF=${TOK[4]}
sudo ip6tables -t mangle -D PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234
sudo ip6tables -t mangle -D OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321
sudo ip -6 route flush table 3412
sudo ip -6 rule del fwmark 4321

exit

# troubleshooting: show what is left
sudo iptables -t mangle -L -v
ip rule show
ip route list table 3412
sudo ip6tables -t mangle -L -v
ip -6 rule show
ip -6 route list table 3412