sdkseusx

Ubuntu 10.04.4 LTS+OpenVPN, won't persist


Hi all. I'm using a bit of a different setup. I want to be using AirVPN at all times on my Linux box. Unfortunately OpenVPN will not cooperate.

/etc/issue

Ubuntu 10.04.4 LTS \n \l

/etc/openvpn/airvpn.conf

remote 69.163.36.66 443
proto tcp
client
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/client.crt
key /etc/openvpn/certs/client.key
down /etc/openvpn/scripts/downscript.sh
up /etc/openvpn/scripts/upscript.sh
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 3
keepalive 5 30

/etc/openvpn/scripts/downscript.sh

#!/bin/bash
logger OpenVPN tunnel DOWN: Device=[$1] TunMTU=[$2] LinkMTU=[$3] LocalIP=[$4] RemoteIPOrNetmask=[$5] Call=[$6]
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -I OUTPUT -d 69.163.36.66    -p udp -j ACCEPT
iptables -I OUTPUT -d 69.163.36.66    -p tdp -j ACCEPT
iptables -I INPUT  -s 69.163.36.66    -p ucp -j ACCEPT
iptables -I INPUT  -s 69.163.36.66    -p tcp -j ACCEPT
iptables -A INPUT -d 192.168.1.0/24 -p tcp -j ACCEPT
iptables -A INPUT -d 192.168.1.0/24 -p udp -j ACCEPT
iptables -I INPUT REJECT
iptables -I OUTPUT REJECT
sleep 15s
service openvpn restart

/etc/openvpn/scripts/upscript.sh

#!/bin/bash
logger OpenVPN tunnel UP: Device=[$1] TunMTU=[$2] LinkMTU=[$3] LocalIP=[$4] RemoteIPOrNetmask=[$5] Call=[$6]
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -j ACCEPT -d 192.168.1.0/24 -p tcp
iptables -A INPUT -j ACCEPT -d 192.168.1.0/24 -p udp
iptables -A OUTPUT -j ACCEPT -d 192.168.1.0/24 -p tcp
iptables -A OUTPUT -j ACCEPT -d 192.168.1.0/24 -p udp
iptables -A INPUT -j REJECT -p tcp --destination-port 139
iptables -A INPUT -j REJECT -p tcp --destination-port 445
iptables -A INPUT -j REJECT -p tcp --destination-port 631
iptables -A INPUT -j REJECT -p udp --destination-port 139
iptables -A INPUT -j REJECT -p udp --destination-port 445
iptables -A INPUT -j REJECT -p udp --destination-port 631
iptables -A INPUT -j REJECT -p tcp --destination-port 5800
iptables -A INPUT -j REJECT -p tcp --destination-port 5900
/usr/sbin/ddclient -syslog -use=web

Problem is, it just... drops out. Doesn't reconnect despite my down directive to restart the service. I used to have it ping out once every 5 minutes, and after any failure, reboot. That got annoying fast. Any ideas? I don't want tun0 to drop and leave me exposed without notice.

Note - not using networkmanager because it always seems to cause more problems than it's worth. Just straight openvpn.

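Both hooks above start by flushing every table and setting all three policies to ACCEPT, so whenever tun0 goes away the box sits on the bare uplink with nothing stopping outbound traffic until the down hook has finished adding its rules (and not at all if the hook never runs). What follows is an added example, not code from this post or from AirVPN, of a fail-closed rule set that is loaded once before openvpn starts and that the hooks never touch. The server address, port, protocol, LAN range and tun0 come from the posted airvpn.conf and scripts; the uplink name eth0, a static LAN address on it, and iptables with the state match are assumptions.

```shell
#!/bin/sh
# Fail-closed "kill switch" for the setup in this thread. Added example, not code from
# the post or from AirVPN. Load it once, before openvpn starts; the up/down hooks then
# never flush or reopen the firewall, so a dead tun0 leaves the host able to talk only
# to the VPN server and the LAN.
#
# Values taken from the posted airvpn.conf / scripts: VPN_HOST, VPN_PORT, VPN_PROTO,
# LAN_NET, TUN_IF. Assumptions not stated in the thread: the uplink is eth0 (WAN_IF),
# its LAN address is static (no DHCP rule), and iptables with the state match is used.
VPN_HOST="${VPN_HOST:-69.163.36.66}"
VPN_PORT="${VPN_PORT:-443}"
VPN_PROTO="${VPN_PROTO:-tcp}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
TUN_IF="${TUN_IF:-tun0}"
WAN_IF="${WAN_IF:-eth0}"

# Print the rule set, one iptables command per line, without executing anything.
# Policies go to DROP before anything is flushed or appended, so there is no window
# with an ACCEPT default while the rules load.
killswitch_rules() {
cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $VPN_HOST -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $LAN_NET -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
EOF
}

# Execute the rule set (needs root). With DRY_RUN=1 only print what would run,
# which is how the example can be exercised without touching a live firewall.
killswitch_apply() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would run: $cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; return 1; }
        fi
    done <<EOF
$(killswitch_rules)
EOF
}

if [ "${1:-}" = "--apply" ]; then
    killswitch_apply
fi
```

Run it from the boot sequence before `service openvpn start` (rc.local or an upstart job on 10.04) and delete the iptables lines from both hooks. Unsolicited inbound on tun0 is dropped by policy, so the per-port REJECT rules in the up script are no longer needed. Two caveats: /etc/resolv.conf must point at a resolver reached through the tunnel, because a resolver on the LAN is reachable by the LAN rule and would carry DNS queries outside the VPN; and if eth0 gets its address by DHCP, add an OUTPUT rule on eth0 for udp sport 68 dport 67.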

Hello!

Please check your iptables rules. In the downscript.sh the line "iptables -I OUTPUT -d 69.163.36.66 -p tdp -j ACCEPT" is wrong (replace "tdp" with "tcp").

Furthermore, apparently no proper masquerading is foreseen in your rules.

Please compare your rules with:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&limit=6&limitstart=30&Itemid=142#2010

Once you have fixed iptables, please send us the connection logs. Also, please try different servers.

Kind regards

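A mechanical check for the class of mistake the reply points at, as an added example that is not part of the thread: it reads an iptables script and reports a protocol name iptables will not accept (the "tdp" and "ucp" lines), a target written without -j (iptables refuses "iptables -I INPUT REJECT" as well), and a chain policy left at ACCEPT. Because the posted down script does not stop on errors, those refused lines mean it finishes with ACCEPT policies and no REJECT rule loaded at all. The sample input is the relevant lines of the posted downscript.sh, copied verbatim.

```shell
#!/bin/sh
# Static check for the mistakes named in the reply (added example, not part of the
# thread). Reads an iptables script and reports: a protocol name iptables will not
# accept, a target named without -j, and a chain policy left at ACCEPT. The first two
# make iptables refuse the line; a script without "set -e" just carries on.

# Constructed sample: the relevant lines of the posted downscript.sh, verbatim.
SAMPLE_DOWNSCRIPT='iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -I OUTPUT -d 69.163.36.66    -p udp -j ACCEPT
iptables -I OUTPUT -d 69.163.36.66    -p tdp -j ACCEPT
iptables -I INPUT  -s 69.163.36.66    -p ucp -j ACCEPT
iptables -I INPUT  -s 69.163.36.66    -p tcp -j ACCEPT
iptables -I INPUT REJECT
iptables -I OUTPUT REJECT'

# Read a script on stdin, print one finding per line, exit 1 if there was any.
iptables_lint() {
    awk '
      $1 != "iptables" { next }
      {
        for (i = 2; i <= NF; i++)
          if ($i == "-p" && $(i + 1) !~ /^(tcp|udp|icmp|all)$/) {
            n++; print "unknown protocol \"" $(i + 1) "\": " $0
          }
      }
      / -P / && $NF == "ACCEPT" { n++; print "open policy: " $0 }
      !/ -P / && /(ACCEPT|DROP|REJECT)/ && !/ -j / { n++; print "target without -j: " $0 }
      END { exit (n > 0 ? 1 : 0) }
    '
}

# Same check for a file on disk, e.g. iptables_lint_file /etc/openvpn/scripts/downscript.sh
iptables_lint_file() {
    iptables_lint < "$1"
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DOWNSCRIPT" | iptables_lint
fi
```

On the sample this prints six findings: two open policies, the two bad protocol names and the two REJECT lines without -j. The same check applied to the up script reports nothing wrong with its syntax, which is the point: that script loads cleanly but only restricts a handful of inbound ports.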

I've not yet tried another server, about to try one now. Here's the tail of my daemon.log showing drops.

Jul 23 13:26:53 vpnbox ovpn-airvpn[20845]: Socket Buffers: R=[87380->131072] S=[16384->131072]
Jul 23 13:26:53 vpnbox ovpn-airvpn[20845]: Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 23 13:26:53 vpnbox ovpn-airvpn[20845]: Local Options hash (VER=V4): '958c5492'
Jul 23 13:26:53 vpnbox ovpn-airvpn[20845]: Expected Remote Options hash (VER=V4): '79ef4284'
Jul 23 13:26:53 vpnbox ovpn-airvpn[20845]: Attempting to establish TCP connection with [AF_INET]69.163.36.66:443 [nonblock]
Jul 23 13:26:54 vpnbox ovpn-airvpn[20845]: TCP connection established with [AF_INET]69.163.36.66:443
Jul 23 13:26:54 vpnbox ovpn-airvpn[20845]: TCPv4_CLIENT link local: [undef]
Jul 23 13:26:54 vpnbox ovpn-airvpn[20845]: TCPv4_CLIENT link remote: [AF_INET]69.163.36.66:443
Jul 23 13:26:54 vpnbox ovpn-airvpn[20845]: TLS: Initial packet from [AF_INET]69.163.36.66:443, sid=f1750e67 904f9dae
Jul 23 13:26:54 vpnbox ovpn-airvpn[20845]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
Jul 23 13:26:54 vpnbox ovpn-airvpn[20845]: VERIFY OK: nsCertType=SERVER
Jul 23 13:26:54 vpnbox ovpn-airvpn[20845]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
Jul 23 13:26:57 vpnbox ovpn-airvpn[20845]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 23 13:26:57 vpnbox ovpn-airvpn[20845]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 23 13:26:57 vpnbox ovpn-airvpn[20845]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 23 13:26:57 vpnbox ovpn-airvpn[20845]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 23 13:26:57 vpnbox ovpn-airvpn[20845]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jul 23 13:26:57 vpnbox ovpn-airvpn[20845]: [server] Peer Connection Initiated with [AF_INET]69.163.36.66:443
Jul 23 13:26:59 vpnbox ovpn-airvpn[20845]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jul 23 13:27:00 vpnbox ovpn-airvpn[20845]: AUTH: Received AUTH_FAILED control message
Jul 23 13:27:00 vpnbox ovpn-airvpn[20845]: TCP/UDP: Closing socket
Jul 23 13:27:00 vpnbox ovpn-airvpn[20845]: /sbin/route del -net 10.5.0.1 netmask 255.255.255.255
Jul 23 13:27:00 vpnbox ovpn-airvpn[20845]: /sbin/route del -net 69.163.36.66 netmask 255.255.255.255
Jul 23 13:27:00 vpnbox ovpn-airvpn[20845]: /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Jul 23 13:27:00 vpnbox ovpn-airvpn[20845]: /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Jul 23 13:27:00 vpnbox ovpn-airvpn[20845]: Closing TUN/TAP interface
Jul 23 13:27:00 vpnbox ovpn-airvpn[20845]: /sbin/ifconfig tun0 0.0.0.0
Jul 23 13:27:00 vpnbox ovpn-airvpn[20845]: /etc/openvpn/scripts/downscript.sh tun0 1500 1560 10.5.3.6 10.5.3.5 init
Jul 23 13:27:17 vpnbox ovpn-airvpn[21031]: OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Mar 29 2011
Jul 23 13:27:17 vpnbox ovpn-airvpn[21031]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 23 13:27:17 vpnbox ovpn-airvpn[21031]: /usr/bin/openssl-vulnkey -q -b 2048 -m <modulus omitted>
Jul 23 13:27:17 vpnbox ovpn-airvpn[21031]: LZO compression initialized
Jul 23 13:27:17 vpnbox ovpn-airvpn[21031]: Control Channel MTU parms [ L:1560 D:140 EF:40 EB:0 ET:0 EL:0 ]
Jul 23 13:27:17 vpnbox ovpn-airvpn[21031]: Socket Buffers: R=[87380->131072] S=[16384->131072]
Jul 23 13:27:17 vpnbox ovpn-airvpn[21031]: Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 23 13:27:17 vpnbox ovpn-airvpn[21031]: Local Options hash (VER=V4): '958c5492'
Jul 23 13:27:17 vpnbox ovpn-airvpn[21031]: Expected Remote Options hash (VER=V4): '79ef4284'
Jul 23 13:27:17 vpnbox ovpn-airvpn[21033]: Attempting to establish TCP connection with [AF_INET]69.163.36.66:443 [nonblock]
Jul 23 13:27:17 vpnbox ovpn-airvpn[20845]: SIGTERM[soft,auth-failure] received, process exiting
Jul 23 13:27:18 vpnbox ovpn-airvpn[21033]: TCP connection established with [AF_INET]69.163.36.66:443
Jul 23 13:27:18 vpnbox ovpn-airvpn[21033]: TCPv4_CLIENT link local: [undef]
Jul 23 13:27:18 vpnbox ovpn-airvpn[21033]: TCPv4_CLIENT link remote: [AF_INET]69.163.36.66:443
Jul 23 13:27:18 vpnbox ovpn-airvpn[21033]: TLS: Initial packet from [AF_INET]69.163.36.66:443, sid=9c3ea07e 31f37e01
Jul 23 13:27:19 vpnbox ovpn-airvpn[21033]: VERIFY OK: depth=1, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=airvpn.org_CA/emailAddress=info@airvpn.org
Jul 23 13:27:19 vpnbox ovpn-airvpn[21033]: VERIFY OK: nsCertType=SERVER
Jul 23 13:27:19 vpnbox ovpn-airvpn[21033]: VERIFY OK: depth=0, /C=IT/ST=IT/L=Perugia/O=airvpn.org/CN=server/emailAddress=info@airvpn.org
Jul 23 13:27:20 vpnbox ovpn-airvpn[21033]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 23 13:27:20 vpnbox ovpn-airvpn[21033]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 23 13:27:20 vpnbox ovpn-airvpn[21033]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 23 13:27:20 vpnbox ovpn-airvpn[21033]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jul 23 13:27:20 vpnbox ovpn-airvpn[21033]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jul 23 13:27:20 vpnbox ovpn-airvpn[21033]: [server] Peer Connection Initiated with [AF_INET]69.163.36.66:443
Jul 23 13:27:23 vpnbox ovpn-airvpn[21033]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Jul 23 13:27:23 vpnbox ovpn-airvpn[21033]: AUTH: Received AUTH_FAILED control message
Jul 23 13:27:23 vpnbox ovpn-airvpn[21033]: TCP/UDP: Closing socket
Jul 23 13:27:23 vpnbox ovpn-airvpn[21033]: SIGTERM[soft,auth-failure] received, process exiting

It never came back from that drop, never called my downscript back, etc. I'm about to reboot that box, and test at another server now.

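What the log shows is not a link drop: TLS completes, the client sends PUSH_REQUEST, and the server answers AUTH_FAILED, which OpenVPN 2.1 treats as fatal (SIGTERM[soft,auth-failure], process exiting) rather than as a reason to reconnect, so keepalive and resolv-retry never come into play. On the second attempt (pid 21033) the tunnel was never brought up, and OpenVPN only calls the --down hook after --up has run, so the down script and the service restart inside it never fired. The following is an added example, not code from the thread, that classifies each client process in a daemon.log by the reason it ended and maps that to what an external supervisor should do. The sample lines are copied from the log above; the down-hook detection keys on the posted script name /etc/openvpn/scripts/downscript.sh, and the remaining patterns are standard OpenVPN client messages for the usual restart causes.

```shell
#!/bin/sh
# Classify why each OpenVPN client process in a daemon.log ended, and decide what a
# supervisor should do about it. Added example, not code from the thread.
# Assumptions: syslog line format as quoted above (field 5 is "ovpn-<name>[pid]:"),
# the --down hook is the posted /etc/openvpn/scripts/downscript.sh, and the other
# patterns are the standard OpenVPN client messages for a restart or exit.

# Constructed sample: the decisive lines for the two processes in the log above.
SAMPLE_LOG='Jul 23 13:26:54 vpnbox ovpn-airvpn[20845]: TCP connection established with [AF_INET]69.163.36.66:443
Jul 23 13:27:00 vpnbox ovpn-airvpn[20845]: AUTH: Received AUTH_FAILED control message
Jul 23 13:27:00 vpnbox ovpn-airvpn[20845]: /etc/openvpn/scripts/downscript.sh tun0 1500 1560 10.5.3.6 10.5.3.5 init
Jul 23 13:27:17 vpnbox ovpn-airvpn[20845]: SIGTERM[soft,auth-failure] received, process exiting
Jul 23 13:27:18 vpnbox ovpn-airvpn[21033]: TCP connection established with [AF_INET]69.163.36.66:443
Jul 23 13:27:23 vpnbox ovpn-airvpn[21033]: AUTH: Received AUTH_FAILED control message
Jul 23 13:27:23 vpnbox ovpn-airvpn[21033]: SIGTERM[soft,auth-failure] received, process exiting'

# Read log lines on stdin; print "<pid> <reason> down-hook=<yes|no>" per process.
ovpn_exit_reasons() {
    awk '
      { pid = $5; gsub(/[^0-9]/, "", pid) }
      /downscript\.sh/                  { down[pid] = 1 }
      /SIGTERM\[soft,auth-failure\]/    { reason[pid] = "auth-failure" }
      /SIGUSR1\[soft,ping-restart\]/    { reason[pid] = "ping-restart" }
      /Connection reset, restarting/    { reason[pid] = "connection-reset" }
      /TLS key negotiation failed/      { reason[pid] = "tls-timeout" }
      END {
        for (p in reason) {
          h = (p in down) ? "yes" : "no"
          printf "%s %s down-hook=%s\n", p, reason[p], h
        }
      }
    ' | sort
}

# Map a reason to a supervisor action. AUTH_FAILED is the server refusing the session
# after a good TLS handshake; an immediate retry against the same server gets the same
# answer, so switch server and back off. Link problems just need a restart (openvpn
# does that itself on SIGUSR1 with persist-tun), but a supervisor still has to
# relaunch the process when it exits, instead of relying on the down hook.
restart_policy() {
    case "$1" in
        auth-failure)                              echo "rotate-server-and-backoff" ;;
        ping-restart|connection-reset|tls-timeout) echo "restart-now" ;;
        *)                                         echo "unknown" ;;
    esac
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | ovpn_exit_reasons | while read -r pid reason hook; do
        echo "$pid: $reason ($hook) -> $(restart_policy "$reason")"
    done
fi
```

On the sample this reports 20845 as auth-failure with the down hook run and 21033 as auth-failure with no down hook, which is exactly the "never came back" case: the restart lived inside a hook that had no reason to run. Put the relaunch in something outside the openvpn process (an upstart job with respawn on 10.04, or a loop that re-runs openvpn and consults restart_policy on its log) and keep the firewall fail-closed independently of either.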
