ANSWERED Ubuntu 16.04.2 LTS on VPS - cannot connect (openvpn or airvpn --cli)


I am experiencing something strange when I try to connect my Ubuntu server to the service.

Log:

user@ubuntu:~$ sudo openvpn --config AirVPN_GB-London_Bellatrix_UDP-443.ovpn
[sudo] password for user:
Sun Jun 25 20:37:13 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Sun Jun 25 20:37:13 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Sun Jun 25 20:37:13 2017 Control Channel Authentication: tls-auth using INLINE static key file
Sun Jun 25 20:37:13 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jun 25 20:37:13 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jun 25 20:37:13 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Jun 25 20:37:13 2017 UDPv4 link local: [undef]
Sun Jun 25 20:37:13 2017 UDPv4 link remote: [AF_INET]88.150.240.7:443
Sun Jun 25 20:37:13 2017 TLS: Initial packet from [AF_INET]88.150.240.7:443, sid=43e3bb88 272c22d6
Sun Jun 25 20:37:13 2017 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Sun Jun 25 20:37:13 2017 Validating certificate key usage
Sun Jun 25 20:37:13 2017 ++ Certificate has key usage  00a0, expects 00a0
Sun Jun 25 20:37:13 2017 VERIFY KU OK
Sun Jun 25 20:37:13 2017 Validating certificate extended key usage
Sun Jun 25 20:37:13 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Jun 25 20:37:13 2017 VERIFY EKU OK
Sun Jun 25 20:37:13 2017 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Sun Jun 25 20:37:13 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Jun 25 20:37:13 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jun 25 20:37:13 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Jun 25 20:37:13 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jun 25 20:37:13 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Sun Jun 25 20:37:13 2017 [server] Peer Connection Initiated with [AF_INET]88.150.240.7:443
Sun Jun 25 20:37:15 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Jun 25 20:37:15 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.4.110 255.255.0.0'
Sun Jun 25 20:37:15 2017 OPTIONS IMPORT: timers and/or timeouts modified
Sun Jun 25 20:37:15 2017 OPTIONS IMPORT: LZO parms modified
Sun Jun 25 20:37:15 2017 OPTIONS IMPORT: --ifconfig/up options modified
Sun Jun 25 20:37:15 2017 OPTIONS IMPORT: route options modified
Sun Jun 25 20:37:15 2017 OPTIONS IMPORT: route-related options modified
Sun Jun 25 20:37:15 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Jun 25 20:37:15 2017 ROUTE_GATEWAY 94.23.43.254
Sun Jun 25 20:37:15 2017 TUN/TAP device tun1 opened
Sun Jun 25 20:37:15 2017 TUN/TAP TX queue length set to 100
Sun Jun 25 20:37:15 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Jun 25 20:37:15 2017 /sbin/ip link set dev tun1 up mtu 1500
Sun Jun 25 20:37:15 2017 /sbin/ip addr add dev tun1 10.4.4.110/16 broadcast 10.4.255.255
Sun Jun 25 20:37:20 2017 /sbin/ip route add 88.150.240.7/32 via 94.23.43.254
RTNETLINK answers: Network is unreachable
Sun Jun 25 20:37:20 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Sun Jun 25 20:37:20 2017 /sbin/ip route add 0.0.0.0/1 via 10.4.0.1
Sun Jun 25 20:37:20 2017 /sbin/ip route add 128.0.0.0/1 via 10.4.0.1
 
Here I lose my connection with the machine via SSH.
The only error I see is something with the routing.

If I log in to the machine with a KVM extender I can run commands. If I try to run the command "route" it is extremely slow. It took 20-30s to show anything after the header line. (see the attached picture, please)
Ping to the outside doesn't work, but the interface addresses are pingable.

When I check here how many clients are connected, this connection is not on the list (not even for a second).

I tried to connect using this method from my Ubuntu laptop and I could connect without problem. I tried sniffing around in the /etc/openvpn folder but I found nothing that could help at first look.

I believe that something around the routing causes the problem, but I am afraid I am not experienced enough to spot the problem.

See the attached pictures for the interface information.

I really appreciate any help.


OVH requires a special 1:1 NAT setup on their failover IPs, so if your gateway is 94.23 and your failover is 51.254 you need to run:

 

iptables -t nat -A POSTROUTING -s 10.4.0.0/16 -j SNAT --to-source [FAILOVER IP]

 


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


Thank you for the help, but I'm afraid I am still missing something.

You mentioned my gateway in your comment - do I need to do something with it with iptables?

 

My command was: 

iptables -t nat -A POSTROUTING -s 10.4.0.0/16 -j SNAT --to-source 51.254.xxx.yyy

 

I tried running this iptables command before and after the VPN connection attempt, but both times I had the same result.

 

When I run this command with my IP address at the end (the one I use to connect via SSH) I get no error message.

 

Where should I collect useful logs / outputs about my problem?


You may have some additional problem, but you should be aware that in order to start OpenVPN on a VPS, and not lose your SSH connection, you need to make some configuration changes so that you can maintain the SSH connection on the real interface of the VPS, once the VPN becomes the default gateway. See this:
 
https://airvpn.org/topic/12274-ubuntu-vm-cant-connect-through-openvpn/?p=44812

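The linked topic's own steps are not reproduced on this page. The usual way to do what the reply describes, keeping SSH on the real interface once OpenVPN owns the default route, is a policy-routing rule for traffic sourced from the VPS's public address. The script below is an added example, not code from this thread, the linked topic, or AirVPN; the interface name ens18, public address 51.254.79.10, gateway 94.23.43.254 and table number 100 are assumed values, and the "ip rule show" text it parses is constructed.

```shell
#!/bin/sh
# Added example, not code from this thread or from the topic it links to.
# Goal: keep an existing SSH session to a VPS alive after OpenVPN installs the
# 0.0.0.0/1 and 128.0.0.0/1 routes that pull all traffic into the tunnel.
# Technique: a policy-routing rule sends every packet SOURCED FROM the VPS's
# public address out through the real interface and its upstream gateway, so
# SSH replies never enter the tunnel, whatever the default route is.
# ASSUMED values, replace with your own: interface ens18, public address
# 51.254.79.10, upstream gateway 94.23.43.254, spare routing table 100.

VPS_IF=ens18
VPS_IP=51.254.79.10
VPS_GW=94.23.43.254
SSH_TABLE=100

# Constructed "ip -4 rule show" output of a host that has no such rule yet.
RULES_BEFORE='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'

# rule_exists RULES IP TABLE: succeeds when a "from IP lookup TABLE" rule is
# present in RULES (the text of "ip -4 rule show").
rule_exists() {
    printf '%s\n' "$1" | while read -r _prio _from src _lookup table; do
        [ "$src" = "$2" ] && [ "$table" = "$3" ] && echo yes
    done | grep -q yes
}

# ssh_route_cmds RULES: prints the commands still needed; prints nothing when
# the rule is already in place, so the script is safe to run repeatedly.
ssh_route_cmds() {
    if rule_exists "$1" "$VPS_IP" "$SSH_TABLE"; then
        return 0
    fi
    # Table SSH_TABLE gets a single default route through the real gateway.
    # "onlink" tells the kernel to use the gateway even when it is not inside
    # the interface's own subnet, as on the VPS in this thread.
    echo "ip route replace default via $VPS_GW dev $VPS_IF onlink table $SSH_TABLE"
    # Packets whose source is the public address (SSH replies) use that table
    # before the main table is consulted.
    echo "ip rule add from $VPS_IP table $SSH_TABLE priority $SSH_TABLE"
}

# ssh_route_undo: prints the commands that remove the policy route again.
ssh_route_undo() {
    echo "ip rule del from $VPS_IP table $SSH_TABLE priority $SSH_TABLE"
    echo "ip route flush table $SSH_TABLE"
}

# Offline demo: only prints what would be run. On the real host, as root:
#   ssh_route_cmds "$(ip -4 rule show)" | sh -e
ssh_route_cmds "$RULES_BEFORE"
```

Run it before starting OpenVPN. OpenVPN's redirect-gateway only edits the main table, so the rule and table 100 survive the connection; only traffic that carries the public address as its source (replies to inbound SSH) leaves through the real interface, while connections the VPS initiates still use the tunnel.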

Thanks for the good start.

I think this causes the problem, but I have no idea why.

/sbin/ip route add 88.150.240.7/32 via 94.23.43.254

RTNETLINK answers: Network is unreachable

I think I need to find out how I can fix this route problem... on my Ubuntu laptop it just works fine.

If you have any idea, please let me know.


after boot:

user@ubuntu:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         94.23.43.254    0.0.0.0         UG    0      0        0 ens18
51.254.79.0     0.0.0.0         255.255.255.0   U     0      0        0 ens18
 
Other tests (ip route, ping)
user@ubuntu:~$ ip route
default via 94.23.43.254 dev ens18 onlink
51.254.79.0/24 dev ens18  proto kernel  scope link  src 51.254.79.xxx
 
ser@ubuntu:~$ ping 94.23.43.254
PING 94.23.43.254 (94.23.43.254) 56(84) bytes of data.
64 bytes from 94.23.43.254: icmp_seq=1 ttl=255 time=75.6 ms
64 bytes from 94.23.43.254: icmp_seq=2 ttl=255 time=0.502 ms
64 bytes from 94.23.43.254: icmp_seq=3 ttl=255 time=0.513 ms
^C
--- 94.23.43.254 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.502/25.539/75.604/35.401 ms
 
ser@ubuntu:~$ ping 88.150.240.7
PING 88.150.240.7 (88.150.240.7) 56(84) bytes of data.
64 bytes from 88.150.240.7: icmp_seq=1 ttl=55 time=4.85 ms
64 bytes from 88.150.240.7: icmp_seq=2 ttl=55 time=4.93 ms
64 bytes from 88.150.240.7: icmp_seq=3 ttl=55 time=4.89 ms
^C
--- 88.150.240.7 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 4.852/4.896/4.939/0.088 ms

 

And it just doesn't work:

user@ubuntu:~$ sudo /sbin/ip route add 88.150.240.7/32 via 94.23.43.254
RTNETLINK answers: Network is unreachable
 
What am I missing? It looks like my default GW is pingable and the AirVPN server is also available...

 


On another Ubuntu machine (laptop, not VPS) I did the same and it went without error.

On another VPS from the same provider I had the same problem with the route add command.


I have a strange feeling about this VPS setup.
My IP and the default GW IP are coming from two totally different subnets (IP 51.254.xxx.yyy and GW 94.23.43.254). Can it cause the trouble?


I have a strange feeling about this VPS setup.

My IP and the default GW IP are coming from two totally different subnets (IP 51.254.xxx.yyy and GW 94.23.43.254). Can it cause the trouble?

 

Try adding "dev ens18" to the "ip" command then. Perhaps it cannot guess what device to use because of your config.


Try adding "dev ens18" to the "ip" command then. Perhaps it cannot guess what device to use because of your config.

user@ubuntu:~$ ifconfig
ens18     Link encap:Ethernet  HWaddr 00:50:56:06:06:9a
          inet addr:51.254.79.xxx  Bcast:51.254.79.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:xxxx:xxx/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:143723 errors:0 dropped:254 overruns:0 frame:0
          TX packets:33591 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15126899 (15.1 MB)  TX bytes:2459052 (2.4 MB)


lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:165 errors:0 dropped:0 overruns:0 frame:0
          TX packets:165 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:12225 (12.2 KB)  TX bytes:12225 (12.2 KB)
 
user@ubuntu:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         94.23.43.254    0.0.0.0         UG    0      0        0 ens18
51.254.79.0     0.0.0.0         255.255.255.0   U     0      0        0 ens18
 
user@ubuntu:~$ sudo /sbin/ip route add 88.150.240.7 via 94.23.43.254 dev ens18
RTNETLINK answers: Network is unreachable
 

Thank you for your idea, but still no success.

I think the different subnet causes the trouble, but I couldn't find any workaround yet. I saw a post where somebody complained about a VPS provider and how unacceptable this addressing policy is, and somebody referred to a FreeBSD forum, but the forum is down so I cannot check it. I keep digging.


I found a solution to my routing problem - it may help others:

https://www.adminsehow.com/2011/09/gateway-on-a-different-subnet-on-linux/

 

So here are the assumptions :
 
a.b.c.d is the host IP
e.f.g.h is the gateway IP
a.b.c.d & e.f.g.h are on different subnets.
 
by default if you try to set gateway by following command :
route add default gw e.f.g.h 

 

you will get this error :
SIOCADDRT: No such process 

 

the trick is simple , first add a route to default gateway itself and then set the default gateway , like this :
route add e.f.g.h/32 dev eth0
route add default gw e.f.g.h 

 

remember you may need to change eth0 to your device name , it may be eth1 or wlan0 or anything.

 

In my case:

 

user@ubuntu:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         94.23.43.254    0.0.0.0         UG    0      0        0 ens18
user@ubuntu:~$ sudo route add 94.23.43.254/32 dev ens18
user@ubuntu:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         94.23.43.254    0.0.0.0         UG    0      0        0 ens18
94.23.43.254    0.0.0.0         255.255.255.255 UH    0      0        0 ens18
user@ubuntu:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=4.25 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=4.67 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=58 time=4.29 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 4.254/4.410/4.678/0.197 ms
 
 
So the trick was: route add 94.23.43.254/32 dev ens18, where I could tell the system how we can get to our lovely GW.
After this extra route command I am able to connect to the VPN server and the scripts can adjust the route table.

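The reason the /32 host route unblocks OpenVPN: the kernel refuses a plain "via GATEWAY" route with "Network is unreachable" unless some directly connected route already covers the gateway (or the new route carries "onlink", which the VPS's default route has but OpenVPN's "ip route add 88.150.240.7/32 via 94.23.43.254" does not). The script below is an added example, not code from this thread or from the linked article: it parses the text of "ip -4 route show", decides whether the gateway is covered by a connected prefix, and prints the host route from the fix above when it is not. The gateway 94.23.43.254 and interface ens18 are taken from the thread; the sample route table is constructed from the thread's output with the masked host address filled in as 51.254.79.10.

```shell
#!/bin/sh
# Added example, not code from this thread or from the linked article.
# Checks whether a gateway lies inside any directly connected prefix of the
# routing table and, if not, prints the host route that must exist before a
# plain "ip route add X via GATEWAY" (as OpenVPN runs it) can succeed.
# ASSUMED values: gateway 94.23.43.254 on interface ens18; the route table
# below is CONSTRUCTED from the "ip route" output in this thread, with the
# masked host address filled in as 51.254.79.10.

GW=94.23.43.254
IFACE=ens18
SAMPLE_ROUTES='default via 94.23.43.254 dev ens18 onlink
51.254.79.0/24 dev ens18  proto kernel  scope link  src 51.254.79.10'

# ip_to_int A.B.C.D: prints the address as a 32-bit integer.
ip_to_int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix IP NET/LEN: succeeds when IP is inside NET/LEN.
in_prefix() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# gateway_connected GW ROUTES: succeeds when some connected route in ROUTES
# (the text of "ip -4 route show") covers GW. Routes with their own "via"
# do not count: the kernel will not resolve a gateway through another gateway.
gateway_connected() {
    printf '%s\n' "$2" | while read -r dst rest; do
        [ "$dst" = default ] && continue
        case " $rest " in *" via "*) continue ;; esac
        case $dst in
            */*) in_prefix "$1" "$dst" && echo yes ;;
            *)   [ "$dst" = "$1" ] && echo yes ;;   # host route, shown without /32
        esac
    done | grep -q yes
}

# gateway_fix GW IFACE ROUTES: prints the route command needed, or nothing
# when the gateway is already reachable on a connected prefix.
gateway_fix() {
    if gateway_connected "$1" "$3"; then
        return 0
    fi
    # Same fix as the thread's "route add GW/32 dev ens18": declare the
    # gateway reachable directly on the interface.
    echo "ip route add $1/32 dev $2"
}

# Offline demo against the constructed table. On the real host, as root:
#   gateway_fix "$GW" "$IFACE" "$(ip -4 route show)" | sh -e
gateway_fix "$GW" "$IFACE" "$SAMPLE_ROUTES"
```

On the thread's table the check prints "ip route add 94.23.43.254/32 dev ens18", which is the iproute2 form of the route command the fix above adds; once that host route is present the same check prints nothing, and OpenVPN's own "via 94.23.43.254" routes are accepted.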
