Nadrino

ANSWERED Use Raspberry Pi as VPN Server (local) and VPN Client (AirVPN)


Hi,

 

I'm trying to use my Raspberry Pi as a VPN server and client at the same time. The goal is to make all my devices that connect to the RBPi over VPN appear under a given AirVPN server IP.

To do this I first installed the VPN server on the RBPi. I use PiVPN, which does the job. Then I use OpenVPN to connect to an AirVPN server.

The problem is that when both server and client are connected, I can't connect to the VPN server (local device -> RBPi).

Here are some logs that may give clues:

 

 

Log: VPN server log when I try to connect my device (RBPi client and server both enabled) -> Does not work

Wed Aug 23 13:35:03 2017 77.136.86.115:49747 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1503495294) Wed Aug 23 13:34:54 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Wed Aug 23 13:35:03 2017 77.136.86.115:49747 TLS Error: incoming packet authentication failed from [AF_INET]77.136.86.115:49747
Wed Aug 23 13:35:54 2017 77.136.86.115:49747 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Aug 23 13:35:54 2017 77.136.86.115:49747 TLS Error: TLS handshake failed

 

Log: VPN server log when I try to connect my device (RBPi server only enabled) -> Works

Wed Aug 23 13:24:44 2017 77.136.86.107:64233 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.1.1-212
Wed Aug 23 13:24:44 2017 77.136.86.107:64233 peer info: IV_VER=3.1.2
Wed Aug 23 13:24:44 2017 77.136.86.107:64233 peer info: IV_PLAT=ios
Wed Aug 23 13:24:44 2017 77.136.86.107:64233 peer info: IV_NCP=2
Wed Aug 23 13:24:44 2017 77.136.86.107:64233 peer info: IV_TCPNL=1
Wed Aug 23 13:24:44 2017 77.136.86.107:64233 peer info: IV_PROTO=2
Wed Aug 23 13:24:44 2017 77.136.86.107:64233 peer info: IV_LZO=1
Wed Aug 23 13:24:44 2017 77.136.86.107:64233 peer info: IV_AUTO_SESS=1
Wed Aug 23 13:24:44 2017 77.136.86.107:64233 [iPhone] Peer Connection Initiated with [AF_INET]<HERE IS MY ORIGINAL IP>:64233
Wed Aug 23 13:24:44 2017 iPhone/<HERE IS MY ORIGINAL IP>:64233 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)

 

 

Log: VPN client log (RBPi server already enabled) -> Works (IP changed before and after)

Wed Aug 23 13:32:42 2017 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
Wed Aug 23 13:32:42 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Wed Aug 23 13:32:42 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 23 13:32:42 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 23 13:32:42 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]62.102.148.141:443
Wed Aug 23 13:32:42 2017 Socket Buffers: R=[163840->327680] S=[163840->327680]
Wed Aug 23 13:32:42 2017 UDP link local: (not bound)
Wed Aug 23 13:32:42 2017 UDP link remote: [AF_INET]62.102.148.141:443
Wed Aug 23 13:32:42 2017 TLS: Initial packet from [AF_INET]62.102.148.141:443, sid=a2fe95d1 7479b0c0
Wed Aug 23 13:32:42 2017 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
Wed Aug 23 13:32:42 2017 Validating certificate key usage
Wed Aug 23 13:32:42 2017 ++ Certificate has key usage  00a0, expects 00a0
Wed Aug 23 13:32:42 2017 VERIFY KU OK
Wed Aug 23 13:32:42 2017 Validating certificate extended key usage
Wed Aug 23 13:32:42 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Aug 23 13:32:42 2017 VERIFY EKU OK
Wed Aug 23 13:32:42 2017 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
Wed Aug 23 13:32:44 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Wed Aug 23 13:32:44 2017 [server] Peer Connection Initiated with [AF_INET]62.102.148.141:443
Wed Aug 23 13:32:45 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Aug 23 13:32:45 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.4.0.1,comp-lzo no,route-gateway 10.4.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.4.12.8 255.255.0.0'
Wed Aug 23 13:32:45 2017 OPTIONS IMPORT: timers and/or timeouts modified
Wed Aug 23 13:32:45 2017 OPTIONS IMPORT: compression parms modified
Wed Aug 23 13:32:45 2017 OPTIONS IMPORT: --ifconfig/up options modified
Wed Aug 23 13:32:45 2017 OPTIONS IMPORT: route options modified
Wed Aug 23 13:32:45 2017 OPTIONS IMPORT: route-related options modified
Wed Aug 23 13:32:45 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Aug 23 13:32:45 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Aug 23 13:32:45 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 23 13:32:45 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Aug 23 13:32:45 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Aug 23 13:32:45 2017 ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=enxb827eb138633 HWADDR=b8:27:eb:13:86:33
Wed Aug 23 13:32:45 2017 TUN/TAP device tun1 opened
Wed Aug 23 13:32:45 2017 TUN/TAP TX queue length set to 100
Wed Aug 23 13:32:45 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Aug 23 13:32:45 2017 /sbin/ip link set dev tun1 up mtu 1500
Wed Aug 23 13:32:45 2017 /sbin/ip addr add dev tun1 10.4.12.8/16 broadcast 10.4.255.255
Wed Aug 23 13:32:45 2017 /sbin/ip route add 62.102.148.141/32 via 192.168.1.254
Wed Aug 23 13:32:45 2017 /sbin/ip route add 0.0.0.0/1 via 10.4.0.1
Wed Aug 23 13:32:45 2017 /sbin/ip route add 128.0.0.0/1 via 10.4.0.1
Wed Aug 23 13:32:45 2017 Initialization Sequence Completed

 

Is there a way to make this work?

Thanks in advance!


I think zhang888 is assuming that you are willing to connect to the VPN server on your RBPi through AirVPN. But I suspect you want to connect directly? Look at this:

 

https://airvpn.org/topic/12274-ubuntu-vm-cant-connect-through-openvpn/?p=44812

 

If you let the VPN client on the RBPi make AirVPN the default gateway, you will not be able to connect directly to the RBPi without some additional steps.

 

EDIT: I assumed that you are trying to connect to your RBPi from outside your local LAN. From within your LAN, the RBPi should already have routing table entries to deal with connections from the LAN.


Not sure I was clear, but in other words what I want is:

Devices (Local or Internet using DNS) -> Router -> RBP -> Router -> AirVPN server.

I want to redirect the RBP VPN server stream into the OpenVPN client to the AirVPN servers.

EDIT: I assumed that you are trying to connect to your RBPi from outside your local LAN. From within your LAN, the RBPi should already have routing table entries to deal with connections from the LAN.

Actually I can't connect to the RBP server even on the LAN.

https://airvpn.org/topic/12274-ubuntu-vm-cant-connect-through-openvpn/?p=44812

If you let the VPN client on the RBPi make AirVPN the default gateway, you will not be able to connect directly to the RBPi without some additional steps.

After reading the post you sent me, I couldn't find out what I was supposed to do in my case. There's a lot of detail and I don't understand everything. Could you help me clear up the path I'm supposed to take?

Or does anyone know which ports I need to forward to get this working?


OK, I finally found out how to make it work!

First we need to make sure IP forwarding is enabled:

sudo nano /etc/sysctl.conf

Then make sure the following option is uncommented:

net.ipv4.ip_forward = 1

Then do:

sudo sysctl -p

Then we need to identify which interface is the RBPi VPN server and which one is the client (make sure the VPN server and client are both ON):

ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enxb827eb138633: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether b8:27:eb:13:86:33 brd ff:ff:ff:ff:ff:ff
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DORMANT group default qlen 1000
    link/ether b8:27:eb:46:d3:66 brd ff:ff:ff:ff:ff:ff
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100
    link/none
7: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100
    link/none

Here I got:

    - tun0 for VPN server

    - tun1 for VPN client

*If you're not sure which one is for what, just turn off the VPN client. The interface should disappear.

 

 

Next we want the data flowing through the interface of the RBPi VPN server to be forwarded to the VPN client interface.

sudo iptables -t nat -A POSTROUTING --out-interface tun1 -j MASQUERADE
sudo iptables -A FORWARD --in-interface tun0 -j ACCEPT

Done!
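The procedure above, collected into one script as an added example that is not from the thread or from PiVPN: it emits the two iptables rules from the post plus two extra rules of my own (the conntrack return-path rule, and a REJECT that stops VPN-server clients from leaving via the LAN interface if the AirVPN tunnel drops), checks the sysctl file, and lists the tun interfaces found in ip link show output. The names tun0, tun1 and enxb827eb138633 are taken from the post; the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the forwarding
# rules for a Pi that is an OpenVPN server on one tun interface (tun0 in the post)
# and an AirVPN client on another (tun1). Beyond the two rules in the post it adds
# the return-path rule and a REJECT for server-client traffic that would otherwise
# leave via the LAN interface (assumed: enxb827eb138633) when tun1 is down, so
# clients cannot silently fall back to the unencrypted path. Drop that last rule if
# VPN clients must reach LAN hosts.
set -eu

# Emit the iptables commands as text so they can be reviewed or tested without root.
build_rules() {
    server_if="$1"; client_if="$2"; lan_if="$3"
    cat <<EOF
iptables -t nat -A POSTROUTING -o $client_if -j MASQUERADE
iptables -A FORWARD -i $server_if -o $client_if -j ACCEPT
iptables -A FORWARD -i $client_if -o $server_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $server_if -o $lan_if -j REJECT
EOF
}

# True when a sysctl.conf-style file has an uncommented "net.ipv4.ip_forward = 1".
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$1"
}

# List the tun interfaces present in 'ip link show' output, on one line in the
# order the kernel lists them (e.g. "tun0 tun1"). Which is server and which is
# client still has to be confirmed as the post says: stop the client, see which vanishes.
tun_interfaces() {
    printf '%s\n' "$1" | sed -n 's/^[0-9]*: \(tun[0-9]*\):.*/\1/p' | paste -s -d ' ' -
}

# Run the generated commands for real (root required), echoing each one first.
apply_rules() {
    build_rules "$1" "$2" "$3" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

# Usage: sh forward.sh show [server_if client_if lan_if]   (print the rules)
#        sudo sh forward.sh apply tun0 tun1 enxb827eb138633 (apply them)
case "${1:-}" in
    show)  build_rules "${2:-tun0}" "${3:-tun1}" "${4:-enxb827eb138633}" ;;
    apply) apply_rules "$2" "$3" "$4" ;;
esac
```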
