ubuntu vm can't connect through openVPN

ubuntu linux airvpn VM openvpn

5 replies to this topic

#1 fletch007 (Newbie, New Members, 1 posts)

Posted 23 September 2014 - 11:50 AM

Hi everyone,
 
I would like to have my Digital Ocean VM use a VPN for its outgoing HTTP requests. I am using OpenVPN on Ubuntu 14.04.1 LTS (GNU/Linux 3.5.0-48-generic x86_64).
 
Got the files AirVPN_Europe_TCP-53.ovpn, ca.crt, ta.key, user.crt and user.key in one directory.
The VPN is using the TCP protocol on port 53. Also tried with UDP, same problem.
 
Also copied the files to /etc/openvpn/ to try to run it via openvpn start.
 
If I do that, I get the output:
 
    root@tr:/home# sudo service openvpn start
     * Starting virtual private network daemon(s)...
 
...but nothing happens. curl http://www.ipchicken.com still reveals the server's IP.
 
If I directly run
 
    root@tr:/etc/openvpn# sudo openvpn AirVPN_Europe_TCP-53.ovpn 
    Thu Sep 18 09:42:35 2014 OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
    Thu Sep 18 09:42:35 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Thu Sep 18 09:42:35 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Sep 18 09:42:35 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Sep 18 09:42:35 2014 Socket Buffers: R=[87380->131072] S=[87380->131072]
    Thu Sep 18 09:42:35 2014 Attempting to establish TCP connection with [AF_INET]95.211.186.65:53 [nonblock]
    Thu Sep 18 09:42:36 2014 TCP connection established with [AF_INET]95.211.186.65:53
    Thu Sep 18 09:42:36 2014 TCPv4_CLIENT link local: [undef]
    Thu Sep 18 09:42:36 2014 TCPv4_CLIENT link remote: [AF_INET]95.211.186.65:53
    Thu Sep 18 09:42:36 2014 TLS: Initial packet from [AF_INET]95.211.186.65:53, sid=d5ee74c0 46f1dcfd
    Thu Sep 18 09:42:36 2014 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
    Thu Sep 18 09:42:36 2014 Validating certificate key usage
    Thu Sep 18 09:42:36 2014 ++ Certificate has key usage  00a0, expects 00a0
    Thu Sep 18 09:42:36 2014 VERIFY KU OK
    Thu Sep 18 09:42:36 2014 Validating certificate extended key usage
    Thu Sep 18 09:42:36 2014 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Thu Sep 18 09:42:36 2014 VERIFY EKU OK
    Thu Sep 18 09:42:36 2014 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
    Thu Sep 18 09:42:37 2014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Thu Sep 18 09:42:37 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Sep 18 09:42:37 2014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Thu Sep 18 09:42:37 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Sep 18 09:42:37 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
    Thu Sep 18 09:42:37 2014 [server] Peer Connection Initiated with [AF_INET]95.211.186.65:53
    Thu Sep 18 09:42:39 2014 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Thu Sep 18 09:42:40 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.9.0.1,comp-lzo no,route 10.9.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.9.0.254 10.9.0.253'
    Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: timers and/or timeouts modified
    Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: LZO parms modified
    Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: --ifconfig/up options modified
    Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: route options modified
    Thu Sep 18 09:42:40 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Thu Sep 18 09:42:40 2014 ROUTE_GATEWAY 178.62.192.1/255.255.192.0 IFACE=eth0 HWADDR=04:01:28:70:e1:01
    Thu Sep 18 09:42:40 2014 TUN/TAP device tun0 opened
    Thu Sep 18 09:42:40 2014 TUN/TAP TX queue length set to 100
    Thu Sep 18 09:42:40 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Thu Sep 18 09:42:40 2014 /sbin/ip link set dev tun0 up mtu 1500
    Thu Sep 18 09:42:40 2014 /sbin/ip addr add dev tun0 local 10.9.0.254 peer 10.9.0.253
    Thu Sep 18 09:42:40 2014 /sbin/ip route add 95.211.186.65/32 via 178.62.192.1
    Thu Sep 18 09:42:40 2014 /sbin/ip route add 0.0.0.0/1 via 10.9.0.253
    Thu Sep 18 09:42:40 2014 /sbin/ip route add 128.0.0.0/1 via 10.9.0.253
    Write failed: Broken pipe
 
 
After that the VM is just completely down / frozen and I need to restart it. Really no clue on what's going wrong here and have been on this for hours. Any idea?
 


#2 vpnSafety (Newbie, New Members, 2 posts)

Posted 14 July 2016 - 07:22 AM

I'm having the same scenario with my Digital Ocean droplet. 

 

Upon successfully connecting to AirVPN (via TCP:443), my terminal session would hang and I can no longer SSH back into the box (port 22 and 443) using the original IP or the AirVPN IP.

 

I would have to power cycle the droplet to disconnect VPN and SSH again via the original IP.

 

What is the best way to have the target droplet/server be running VPN, but still SSH into it?



#3 NaDre (Advanced Member, Members, 415 posts)

Posted 14 July 2016 - 02:52 PM

> I'm having the same scenario with my Digital Ocean droplet.
>
> Upon successfully connecting to AirVPN (via TCP:443), my terminal session would hang and I can no longer SSH back into the box (port 22 and 443) using the original IP or the AirVPN IP.
>
> I would have to power cycle the droplet to disconnect VPN and SSH again via the original IP.
>
> What is the best way to have the target droplet/server be running VPN, but still SSH into it?

 
If you can live with the VPN not being the default route, you can do it like this:

https://airvpn.org/topic/14634-problems-using-air-vpn-as-non-default-route/?p=29391

https://airvpn.org/topic/14158-question-run-airvpn-as-non-primary-network-adapter/?p=27398

On a VPS (rather than a VirtualBox VM on your PC) it may make more sense to replace the contents of myroute.ovpni described there with this:

    script-security 2
    up ./common/up.sh
    route-nopull
    redirect-private

You will need to bind whatever programs you want to use the VPN to the VPN interface.

===

UPDATE:
 
For completeness, the comments below may help demonstrate what the issue is.

As a quick and dirty way to sustain the SSH connection, add a routing table entry to direct traffic to your SSH client over the original gateway. Something like this:

    sudo route add -host 111.222.333.444 gw 555.666.777.1
 
There, "111.222.333.444" would be the address you connected from (as shown when you do "echo $SSH_CLIENT"), and "555.666.777.1" is the original default gateway (the entry with a "Genmask" of "0.0.0.0" when you do "/sbin/route -n").
 
SSH connections from anywhere else will still fail.

===

UPDATE 2:
 
I did not actually explain the problem above. The problem is that the default gateway gets changed by OpenVPN, and that breaks your current SSH connection unless you set up appropriate routes before you start OpenVPN.

Here is a more general purpose solution than what was in "UPDATE" above.
 
It is assumed here that the default gateway interface before OpenVPN is started is "eth0". This is the usual convention for Linux systems.
 
It should ensure that when a connection to eth0 is made, even if eth0 is not the default gateway interface anymore, response packets for the connection go back out on eth0 again.
    # set "connection" mark of connection from eth0 when first packet of connection arrives
    sudo iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234

    # set "firewall" mark for response packets in connection with our connection mark
    sudo iptables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

    # our routing table with eth0 as gateway interface
    sudo ip route add default dev eth0 table 3412

    # route packets with our firewall mark using our routing table
    sudo ip rule add fwmark 4321 table 3412

UPDATE to UPDATE 2:

The above works fine for me on Debian Jessie. But on an older Wheezy system I have just found that I need to add "via" to the routing table entry:

    # our routing table with eth0 as gateway interface
    sudo ip route add default dev eth0 via 12.345.67.89 table 3412

There "12.345.67.89" must be the original non-VPN gateway.

#4 vpnSafety (Newbie, New Members, 2 posts)

Posted 15 July 2016 - 07:09 AM

This temporary workaround was BEYOND helpful. I can't begin to tell you how many additional hours this has saved me!

 

Thank you, thank you, thank you!



#5 pandapandachan (Newbie, New Members, 4 posts)

Posted 28 November 2017 - 10:46 PM

I'm not understanding. I have a VPS I'm using as a seedbox. I want to be able to use public trackers, but this is disallowed by the host and therefore I need my VPN.

The goal:

- all other traffic goes through (one of my clients can spoof my IP to the tracker, preserving the functionality of my private trackers)

- can still connect from anywhere via FTP and SSH to manage the box

I'm not an admin. I can follow clear step-by-step directions.

The VPS is running Ubuntu 16.04 LTS and I have full sudo access.

The above posts are only temporary and for the working IP?



#6 NaDre (Advanced Member, Members, 415 posts)

Posted 05 December 2017 - 05:18 PM

I hesitate to do this because I do not want to promise to help troubleshoot or maintain these scripts. Or even explain them (I have probably forgotten details myself). But here are two scripts I have in my "~/bin" folder on a VPS.

They determine the name of the gateway interface and its IP address for you. And there is optional code at the end (avoided by "exit") to show IPTABLES entries for troubleshooting.

You need to make these files executable:

    chmod uog+x ~/bin/native_if_return_on
    chmod uog+x ~/bin/native_if_return_off

===> native_if_return_on:
#!/bin/bash

# Take the pre-VPN default route from the main table. The tokens are
# "default via <gateway> dev <interface> ...", so TOK[2] is the gateway and TOK[4] the interface.
ROUTE=`ip route show table main | grep default -`
#echo ROUTE=$ROUTE
TOK=($ROUTE)
#GW=${TOK[2]}
#echo GW=$GW
IF=${TOK[4]}
#echo IF=$IF

# Each rule is deleted before it is added, so running the script twice does not duplicate it.
# Mark new connections that arrive on the native interface ...
sudo iptables -t mangle -D PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234
sudo iptables -t mangle -A PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234

# ... and copy that connection mark onto the reply packets this host sends.
sudo iptables -t mangle -D OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321
sudo iptables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

# Table 3412 holds a copy of the native default route ("del all" removes the old 0/0 entry first).
sudo ip route del all table 3412
#sudo ip route add default via $GW dev $IF table 3412
sudo ip route add $ROUTE table 3412

# Marked replies are looked up in table 3412 before the main table.
sudo ip rule del fwmark 4321
sudo ip rule add fwmark 4321 table 3412

# no IPv6: this exit skips the IPv6 section and the troubleshooting listing below
exit

ROUTE=`ip -6 route show table main | grep default -`
#echo ROUTE=$ROUTE
TOK=($ROUTE)
#GW=${TOK[2]}
#echo GW=$GW
IF=${TOK[4]}
#echo IF=$IF

sudo ip6tables -t mangle -D PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234
sudo ip6tables -t mangle -A PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234

sudo ip6tables -t mangle -D OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321
sudo ip6tables -t mangle -A OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

sudo ip -6 route del all table 3412
#sudo ip -6 route add default via $GW dev $IF table 3412
sudo ip -6 route add $ROUTE table 3412

sudo ip -6 rule del fwmark 4321
sudo ip -6 rule add fwmark 4321 table 3412

exit

sudo iptables -t mangle -L -v
ip rule show
ip route list table 3412

sudo ip6tables -t mangle -L -v
ip -6 rule show
ip -6 route list table 3412

===> native_if_return_off:
#!/bin/bash

# Same route/interface lookup as in native_if_return_on; only the interface is needed here.
ROUTE=`ip route show table main | grep default -`
#echo ROUTE=$ROUTE
TOK=($ROUTE)
IF=${TOK[4]}
#echo IF=$IF

# Remove the marking rules, the routing table entry and the policy rule in turn.
sudo iptables -t mangle -D PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234

sudo iptables -t mangle -D OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

sudo ip route del all table 3412

sudo ip rule del fwmark 4321

# no IPv6: this exit skips the IPv6 section and the troubleshooting listing below
exit

ROUTE=`ip -6 route show table main | grep default -`
#echo ROUTE=$ROUTE
TOK=($ROUTE)
IF=${TOK[4]}
#echo IF=$IF

sudo ip6tables -t mangle -D PREROUTING -i $IF -m conntrack --ctstate NEW -j CONNMARK --set-mark 1234

sudo ip6tables -t mangle -D OUTPUT -m connmark --mark 1234 -j MARK --set-mark 4321

sudo ip -6 route del all table 3412

sudo ip -6 rule del fwmark 4321

exit

sudo iptables -t mangle -L -v
ip rule show
ip route list table 3412

sudo ip6tables -t mangle -L -v
ip -6 rule show
ip -6 route list table 3412
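As an added example (not the scripts posted above by NaDre, and not AirVPN's code), here is a checked version of the same connmark/fwmark setup described in posts #3 and #6: the gateway and interface are taken from the "via" and "dev" keywords of the default route instead of from fixed field positions, the rules are installed idempotently (iptables -C before -A, ip route replace), and DRY_RUN=1 prints the commands instead of executing them so the logic can be checked without root. The script name native-return.sh and the ROUTE_LINE override used for testing are assumptions of this example; the mark and table numbers are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not the thread's own scripts: keep replies to connections that arrived on the
# pre-VPN default interface on that interface, so an SSH session survives OpenVPN's
# "redirect-gateway def1". Run as root: ./native-return.sh on|off
# DRY_RUN=1 prints the commands instead of executing them (no root needed).
# ROUTE_LINE overrides the "ip -o route show default" lookup (hypothetical hook, used for testing).

CONNMARK=1234   # connection mark set on new inbound connections on the native interface
FWMARK=4321     # packet mark copied from the connection mark onto outbound replies
TABLE=3412      # routing table whose default route points back out of the native interface

# parse_default_route "default via GW dev IF ..." -> prints "GW IF".
# Unlike TOK[4] positional parsing, this keys on the "via"/"dev" keywords, so a line without
# "via" (e.g. "default dev eth0 scope link") still yields the interface; GW is "-" in that case.
# Lines that are not the default route (a grep for "default" can match more) are rejected.
parse_default_route() {
    case "$1" in default*) ;; *) return 1 ;; esac
    gw="-"; dev=""; prev=""
    for tok in $1; do
        case "$prev" in
            via) gw="$tok" ;;
            dev) dev="$tok" ;;
        esac
        prev="$tok"
    done
    [ -n "$dev" ] || return 1
    printf '%s %s\n' "$gw" "$dev"
}

# emit_on GW IF: print the commands that install the marking rules, the table and the policy rule.
# "iptables -C" checks for an existing rule before appending; "ip route replace" overwrites the
# table entry, so repeated runs do not accumulate duplicates.
emit_on() {
    via=""
    if [ "$1" != "-" ]; then via="via $1 "; fi
    cat <<EOF
iptables -t mangle -C PREROUTING -i $2 -m conntrack --ctstate NEW -j CONNMARK --set-mark $CONNMARK 2>/dev/null || iptables -t mangle -A PREROUTING -i $2 -m conntrack --ctstate NEW -j CONNMARK --set-mark $CONNMARK
iptables -t mangle -C OUTPUT -m connmark --mark $CONNMARK -j MARK --set-mark $FWMARK 2>/dev/null || iptables -t mangle -A OUTPUT -m connmark --mark $CONNMARK -j MARK --set-mark $FWMARK
ip route replace default ${via}dev $2 table $TABLE
ip rule del fwmark $FWMARK table $TABLE 2>/dev/null || true
ip rule add fwmark $FWMARK table $TABLE
EOF
}

# emit_off IF: print the commands that undo emit_on; each one tolerates already-absent state.
emit_off() {
    cat <<EOF
iptables -t mangle -D PREROUTING -i $1 -m conntrack --ctstate NEW -j CONNMARK --set-mark $CONNMARK 2>/dev/null || true
iptables -t mangle -D OUTPUT -m connmark --mark $CONNMARK -j MARK --set-mark $FWMARK 2>/dev/null || true
ip rule del fwmark $FWMARK table $TABLE 2>/dev/null || true
ip route flush table $TABLE 2>/dev/null || true
EOF
}

# apply: execute each command line read from stdin, or only print it when DRY_RUN=1.
apply() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$cmd"; else sh -c "$cmd" || return 1; fi
    done
}

main() {
    case "${1:-}" in
        on|off) ;;
        *) echo "usage: $0 on|off   (DRY_RUN=1 prints the commands only)"; return 0 ;;
    esac
    # Read the native default route now, i.e. before OpenVPN has replaced it.
    line=${ROUTE_LINE:-$(ip -o route show default 2>/dev/null | head -n 1)}
    parsed=$(parse_default_route "$line") || { echo "no default route with a dev found; is the VPN already up?" >&2; return 1; }
    gw=${parsed%% *}; dev=${parsed##* }
    echo "native gateway: $gw via $dev (mode: $1)" >&2
    if [ "$1" = on ]; then emit_on "$gw" "$dev" | apply; else emit_off "$dev" | apply; fi
}

main "$@"
```

Run "native-return.sh on" before starting OpenVPN and "native-return.sh off" after it stops. The fwmark rule is inserted ahead of the main table, so for marked reply packets table 3412 wins over the 0.0.0.0/1 and 128.0.0.0/1 routes that redirect-gateway def1 installs (the two routes visible at the end of the first post's log). Only connections that come in on the native interface are pinned this way; anything the VPS itself originates still leaves through the tunnel, and IPv6 is not handled.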