#StackBounty: #openvpn OpenVPN Modify incoming traffic or payload with custom script

Bounty: 50

I recently set up OpenVPN with Dnsmasq as DNS and want to do something I can’t seem to find any info about.

Here’s my current understanding based also on what I’ve currently setup on my server.

A. Client connects to OpenVPN, say from a phone

B. Client sends traffic, i.e. opens a website, say YouTube

C. OpenVPN server takes the request.
D. Forwards the request to the destination server, i.e. YouTube.

E. YouTube responds back.

F. OpenVPN forwards response to client from A

Of course the above is oversimplified.

What do I want to do?

In between stages C and D, as in after OpenVPN takes the request (or gets a response from the destination server, i.e. D->C), I want to process the actual data.

For example, a typical use case.

In between D and C, I want to pass the payload to, for example, a Python script, and change all "I love you" text in the webpage HTML to "I hate you" before the payload is wrapped up and sent to the client.

Question

Is there any form of "Life Cycle Hooks" in OpenVPN where I can basically listen to and alter the payload of a request?

I understand any inbound or outbound connection from OpenVPN is ‘fort knox’ secured. I’m interested in the point where the response payload is sitting naked on the server.

What are my available options? Do I need to use a different package/software to achieve such results?


Get this bounty!!!

#StackBounty: #networking #server #vpn #iptables #openvpn OPENVPN: MULTI: bad source address from client

Bounty: 50

I have struggled with this problem for two days, but the problem is still here. I hope someone can provide a suggestion or a way to diagnose it.

What I want is to let all clients access the Internet over the OpenVPN server. Therefore, I first followed the instructions in Routing all client traffic (including web-traffic) through the VPN. After configuration and setting up iptables, the connection between the VPN server and client succeeds, but the client cannot visit any website (the browser hangs). Pings from server and client are OK.

I checked log at the server, and there are some records like:

Oct  3 09:16:21 iZbp15fejv9adv7o3izfm1Z ovpn-delta[1827]: laptop/131.202.XX.XX:59701 UDPv4 READ [93] from [AF_INET]131.202.XX.XX:59701: P_DATA_V1 kid=0 DATA len=92
Oct  3 09:16:21 iZbp15fejv9adv7o3izfm1Z ovpn-delta[1827]: laptop/131.202.XX.XX:59701 MULTI: bad source address from client [131.202.XX.XX], packet dropped

where the IP 131.202.XX.XX is my laptop’s IP address. This record is explained in “MULTI: bad source address from client, packet dropped” or “GET INST BY VIRT: [failed]”. Why is this IP not 10.8.0.6 (tun0) on my laptop, and what is the detailed implementation behind the problem? My laptop connects to the Internet using WiFi, and it is the device that runs openvpn --config client.conf.

As this is a very simple example, is there a way to avoid this error, or any sample of how to configure client-config-dir and create a ccd file?

the /etc/openvpn/delta.conf at the server:

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

port 1194

proto udp

dev tun

;dev-node MyTap

ca ca.crt
cert delta.crt
key delta.key  # This file should be kept secret

dh dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

;server-bridge

;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script

;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

keepalive 10 120

;tls-auth ta.key 0 # This file is secret

;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nogroup
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20

while the client.conf is:

client
dev tun
proto udp
remote 116.62.193.49 1194
;remote my-server-2 1194
;remote-random

resolv-retry infinite

nobind

persist-key
persist-tun
ca ca.crt
cert laptop.crt
key laptop.key
ns-cert-type server

;tls-auth ta.key 1
comp-lzo

verb 3
;mute 20

For the IP routing configuration, I added the iptables rules to /etc/rc.local, so that iptables is set up at server startup.

root@iZbp15fejv9adv7o3izfm1Z:/var/log# cat /etc/rc.local 
#!/bin/sh -e
#
# rc.local
# I also tried commenting out the first three rules, but it still does not work
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

service dnsmasq restart

exit 0

and the /etc/sysctl.conf

net.ipv4.ip_forward=1

telnet serverIP 80 is OK. In the server: /var/logs/syslog:

Is there any solution?


Get this bounty!!!
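The dropped-packet lines in the log above are the evidence to start from. The following script is an added example (not part of the question or of any answer to it): it summarises "MULTI: bad source address" drops per client and source address from an OpenVPN log, and marks each source as inside or outside the server’s 10.8.0.0/24 pool. Outside-pool sources are what the server rejects unless an iroute in a client-config-dir entry declares them, and the ccd_entry helper shows that entry’s shape. The log lines it reads are constructed (documentation-range addresses stand in for the question’s redacted 131.202.XX.XX); the pool prefix, the helper and the client names are assumptions.

```shell
#!/bin/sh
# Added example: summarise OpenVPN "MULTI: bad source address" drops.
# The sample log below is constructed; all addresses are documentation ranges.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Oct  3 09:16:21 vpnhost ovpn-delta[1827]: laptop/203.0.113.5:59701 UDPv4 READ [93] from [AF_INET]203.0.113.5:59701: P_DATA_V1 kid=0 DATA len=92
Oct  3 09:16:21 vpnhost ovpn-delta[1827]: laptop/203.0.113.5:59701 MULTI: bad source address from client [203.0.113.5], packet dropped
Oct  3 09:16:22 vpnhost ovpn-delta[1827]: laptop/203.0.113.5:59701 MULTI: bad source address from client [203.0.113.5], packet dropped
Oct  3 09:16:25 vpnhost ovpn-delta[1827]: phone/198.51.100.7:41000 MULTI: bad source address from client [192.168.43.12], packet dropped
Oct  3 09:16:27 vpnhost ovpn-delta[1827]: phone/198.51.100.7:41000 MULTI: bad source address from client [10.8.0.6], packet dropped
Oct  3 09:16:30 vpnhost ovpn-delta[1827]: laptop/203.0.113.5:59701 MULTI: bad source address from client [192.168.0.20], packet dropped
EOF

# One line per (client, source): "<client> <source> <count>".
# The client name is the common name OpenVPN prints before the "/real-address".
bad_sources() {
    sed -n 's/.* \([^ /]*\)\/[^ ]* MULTI: bad source address from client \[\([^]]*\)].*/\1 \2/p' "$1" \
        | sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# Is a dotted-quad inside the server pool? The pool is assumed to be a /24,
# matching "server 10.8.0.0 255.255.255.0" in the config above.
in_pool() {
    case "$1" in
        "${POOL_PREFIX:-10.8.0}".*) return 0 ;;
        *) return 1 ;;
    esac
}

# Annotate each (client, source, count) with its pool membership.
# outside-pool: the client is injecting packets from an address it was never
#   given; only an iroute for that network (or fixing the client) makes them pass.
# inside-pool: a pool address arriving from a client that does not own it.
classify() {
    bad_sources "$1" | while read -r client src count; do
        if in_pool "$src"; then tag=inside-pool; else tag=outside-pool; fi
        printf '%s %s %s %s\n' "$client" "$src" "$count" "$tag"
    done
}

# Emit a client-config-dir entry declaring a network behind the named client
# (the iroute mechanism from the OpenVPN manual). The server config must also
# uncomment "client-config-dir ccd" and carry a matching "route" line.
ccd_entry() {
    printf '# ccd/%s\niroute %s %s\n' "$1" "$2" "$3"
}

classify "$SAMPLE_LOG"
```

Run it against the real log with `classify /var/log/syslog`; a source that is the client’s own WAN address (as in the question) is reported as outside-pool and tells you the client is sending into the tunnel with an address it never received from the server, which is a client-side routing symptom rather than something a ccd file fixes.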

#StackBounty: #iptables #openvpn #route #iproute2 #dante Two instances of Dante proxy server with two interfaces

Bounty: 50

I’m running 2 instances of Dante server on my Linux machine; one of them is called danted, which is supposed to connect me to the internet through the ethernet cable, and the other is sockd, which is supposed to connect me through an OpenVPN connection.

The first one, danted is configured to use my ethernet cable (ens33):

internal: ens33 port=1080
external: ens33

The second one, sockd is configured to use the OpenVPN interface (tun0):

internal: ens33 port=2080
external: tun0

The Dante servers are configured properly, and when OpenVPN is not connected, danted works fine, but when OpenVPN connects, danted doesn’t work anymore. When I check its logs, I just see that the connection times out.

My routing table when OpenVPN is not connected looks like this:

default via 192.168.1.1 dev ens33 src 192.168.1.10 metric 202 
default via 192.168.1.1 dev ens33 proto dhcp metric 20001 
169.254.0.0/16 dev ens33 scope link metric 1000 
192.168.1.0/24 dev ens33 proto kernel scope link src 192.168.1.10 metric 1 
192.168.1.0/24 dev ens33 proto dhcp scope link src 192.168.1.10 metric 202 

And when OpenVPN connects, it looks like this:

0.0.0.0/1 via 10.123.58.1 dev tun0 
default via 192.168.1.1 dev ens33 src 192.168.1.10 metric 202 
default via 192.168.1.1 dev ens33 proto dhcp metric 20001 
10.123.58.0/23 dev tun0 proto kernel scope link src 10.123.58.65 
128.0.0.0/1 via 10.123.58.1 dev tun0 
169.254.0.0/16 dev ens33 scope link metric 1000 
openvpn.server.wan.ipaddress via 192.168.1.1 dev ens33 
192.168.1.0/24 dev ens33 proto kernel scope link src 192.168.1.10 metric 1 
192.168.1.0/24 dev ens33 proto dhcp scope link src 192.168.1.10 metric 202

So OpenVPN adds 4 new routes to my table. I’ve tried individually deleting each of these rules, or also did ip route flush dev tun0, or deleted the 0/1 rule and added a default rule for the tun0 interface; but when I try these and test the sockd proxy server, my IP is my ethernet cable’s IP, not OpenVPN’s server IP.

I have no idea how to fix this; I’ve been Googling this a lot. I thought this was an easy task, since the Dante proxy server just binds to external connections.

Summary for the bounty:

I’ve tried using my interfaces’ IPv4 addresses instead of the interface names, for example I used 192.168.1.10 instead of ens33 and used 10.123.58.1 instead of tun0, but it didn’t fix the issue (I know that OpenVPN’s internal address changes every time we reconnect).

I am specifying the external (outgoing) interface in the Dante configs, so from my understanding it really shouldn’t be using Ubuntu’s routing table; doesn’t it just listen for incoming connections and forward them to the external interface? I don’t understand why the routes added by OpenVPN cause me issues, even though I can easily ping computers on my local network. I’ve checked that there are no firewall rules added to my iptables (iptables -n -v -L).

Here are the logs when I test the SOCKS server:

[18:18] Testing Started.
    Proxy Server
    Address:    192.168.1.10:1080
    Protocol:   SOCKS 5
    Authentication: NO

[18:18] Starting: Test 1: Connection to the Proxy Server
[18:18] IP Address: 192.168.1.10
[18:18] Connection established
[18:18] Test passed.
[18:18] Starting: Test 2: Connection through the Proxy Server
[18:18] Authentication was successful.
[18:49] Error : the proxy server cannot establish connection to www.google.com:80
    Error = 0x06 (Timeout).
    Please confirm that the target host address is correct.
    The error may also indicate that the proxy server is not operating properly.
[18:49] Test failed.
[18:49] Testing Finished.

The target host address is correct, I’ve checked dante-server’s logs as I’ve said above, and I can see google.com’s IP address:

Aug 26 19:01:11 (1629988271.706256) danted[106897]: info: pass(2): tcp/connect ]: 0 -> 192.168.1.15.9786 192.168.1.10.1080 -> 0, 0 -> 192.168.1.10.9786 142.250.186.174.443 -> 0: connect timeout.  Session duration: 31s

When OpenVPN is disconnected, a successful connection looks like this:

Aug 26 19:06:18 (1629988578.802869) danted[106897]: info: pass(2): tcp/connect ]: 0 -> 192.168.1.15.9796 192.168.1.10.1080 -> 0, 0 -> 192.168.1.129.9796 142.250.185.238.443 -> 0: local client closed.  Session duration: 10s

My question is specific about Dante-SOCKS5-Server, although I have tried Squid-HTTPS-Server and I had the same issue with it:

[05:40] Starting: Test 1: Connection to the Proxy Server
[05:40] IP Address: 192.168.1.10
[05:40] Connection established
[05:40] Test passed.
[05:40] Starting: Test 2: Connection through the Proxy Server
[06:40] Error : the proxy server cannot establish connection with 142.250.186.174:443
    The error indicates that the target host is down or unreachable.
    Please try to use another host and/or port as a test target.
    The proxy server reply header is:
        HTTP/1.1 503 Service Unavailable
        Server: squid/4.10
        Mime-Version: 1.0
        Date: Thu, 26 Aug 2021 16:36:40 GMT
        Content-Type: text/html;charset=utf-8
        Content-Length: 3438
        X-Squid-Error: ERR_CONNECT_FAIL 110
        Vary: Accept-Language
        Content-Language: en
[06:40] Test failed.
[06:40] Testing Finished.


Get this bounty!!!
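The routing tables above explain the symptom: Dante’s `external: ens33` binds the outgoing socket to 192.168.1.10, but the kernel still selects the route by destination, and the 0.0.0.0/1 and 128.0.0.0/1 routes OpenVPN installed win over the ens33 default. The standard remedy is source-based policy routing: a second table consulted only for packets whose source is the LAN address. The script below is an added example (not from the question, from Dante or from OpenVPN); it prints the iproute2 commands by default and applies them only when run as root with APPLY=1. The interface, addresses and gateway default to the values in the question’s routing table; the table id 100 and rule priority 1000 are assumptions (any unused values work).

```shell
#!/bin/sh
# Added example: keep traffic sourced from the LAN address on the LAN interface
# while an OpenVPN client owns the 0.0.0.0/1 and 128.0.0.0/1 routes.
# Defaults come from the question's routing table; TABLE and the rule priority
# are assumptions.
LAN_IF="${LAN_IF:-ens33}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_ADDR="${LAN_ADDR:-192.168.1.10}"
LAN_GW="${LAN_GW:-192.168.1.1}"
TABLE="${TABLE:-100}"

# Print the iproute2 commands for a dedicated table that is consulted only for
# packets whose source address is $3. Nothing is executed here.
policy_route_cmds() {
    if="$1"; net="$2"; addr="$3"; gw="$4"; table="$5"
    # Local subnet first, so LAN peers are still reached directly, not via the gateway.
    printf 'ip route replace %s dev %s src %s table %s\n' "$net" "$if" "$addr" "$table"
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$if" "$table"
    # "from <addr>" matches exactly the sockets Dante binds for external: ens33.
    printf 'ip rule add from %s lookup %s pref 1000\n' "$addr" "$table"
}

# Apply the commands (needs root). Delete a stale rule first so re-runs do not
# pile up duplicate rules; the "route replace" forms are already idempotent.
policy_route_apply() {
    ip rule del from "$LAN_ADDR" lookup "$TABLE" pref 1000 2>/dev/null || true
    policy_route_cmds "$LAN_IF" "$LAN_NET" "$LAN_ADDR" "$LAN_GW" "$TABLE" \
        | while IFS= read -r cmd; do
            echo "+ $cmd"
            $cmd || exit 1   # word-splitting on purpose: each line is one command
        done
}

# Ask the kernel which device a socket bound to the LAN address would now use;
# with the rule in place this reports "dev ens33" even while tun0 is up.
check_egress() {
    ip route get 1.1.1.1 from "$LAN_ADDR" 2>/dev/null | head -n1
}

if [ "${APPLY:-0}" = 1 ]; then
    policy_route_apply
    check_egress
else
    policy_route_cmds "$LAN_IF" "$LAN_NET" "$LAN_ADDR" "$LAN_GW" "$TABLE"
fi
```

The sockd instance needs nothing extra: its socket is bound to the tun0 address, and the VPN’s 0/1 and 128/1 routes already carry that traffic. Because the rule is keyed on 192.168.1.10, it has to be re-applied if DHCP ever hands ens33 a different address, which is a reason to give that host a static lease. The same check works for the reverse direction: `ip route get 1.1.1.1 from 10.123.58.65` should answer with `dev tun0`.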

#StackBounty: #docker #openvpn #docker-compose "Multiple –up scripts defined" when running OpenVPN inside a Docker container

Bounty: 100

I’m using binhex/arch-rtorrentvpn and the contents of my docker-compose.yml are as follows:

version: "2"
services:
  rtorrent:
    image: binhex/arch-rtorrentvpn
    container_name: rtorrent
    cap_add:
      - NET_ADMIN
    environment:
      - VPN_ENABLED=yes
      - VPN_USER=<myusername>
      - VPN_PASS=<mypassword>
      - VPN_PROV=custom
      - VPN_OPTIONS=--script-security 2 --up /config/persists/tun_up.sh
      - VPN_CLIENT=openvpn
      - STRICT_PORT_FORWARD=no
      - ENABLE_AUTODL_IRSSI=yes
      - ENABLE_RPC2=yes
      - ENABLE_RPC2_AUTH=no
      - ENABLE_WEBUI_AUTH=no
      - LAN_NETWORK=192.168.1.0/24
      - NAME_SERVERS=1.1.1.1,1.0.0.1
      - DEBUG=true
      - PHP_TZ=Europe/London
      - UMASK=000
      - PUID=1000
      - PGID=1000
    volumes:
      - ./config:/config
      - ./downloads:/downloads
      - /etc/localtime:/etc/localtime:ro
    ports:
      - 9080:9080
      - 9443:9443
      - 8118:8118
    restart: unless-stopped

The issue I have is that, according to the [debug] output, my OpenVPN command line is as follows:

[debug] OpenVPN command line:- /usr/bin/openvpn 
--reneg-sec 0 
--mute-replay-warnings 
--auth-nocache 
--setenv VPN_PROV 'custom' 
--setenv VPN_CLIENT 'openvpn' 
--setenv DEBUG 'true' 
--setenv VPN_DEVICE_TYPE 'tun0' 
--setenv VPN_ENABLED 'yes' 
--setenv VPN_REMOTE_SERVER '213.152.188.3' 
--setenv APPLICATION 'rtorrent' 
--script-security 2 
--writepid /root/openvpn.pid 
--remap-usr1 SIGHUP 
--log-append /dev/stdout 
--pull-filter ignore 'up' 
--pull-filter ignore 'down' 
--pull-filter ignore 'route-ipv6' 
--pull-filter ignore 'ifconfig-ipv6' 
--pull-filter ignore 'tun-ipv6' 
--pull-filter ignore 'dhcp-option DNS6' 
--pull-filter ignore 'persist-tun' 
--pull-filter ignore 'reneg-sec' 
--up /root/openvpnup.sh 
--up-delay 
--up-restart 
--auth-user-pass credentials.conf 
--script-security 2 
--up /config/persists/tun_up.sh 
--cd /config/openvpn 
--config '/config/openvpn/nl910.nordvpn.com.tcp443.ovpn' 
--remote 213.152.188.3 443 tcp-client 
--remote-random

This throws the error: Multiple --up scripts defined. The previously configured script is overridden, and the container will not start.

I have tried calling the script by the below two methods, both of which resulted in the same error.

  • Calling the /root/openvpnup.sh script using the ; separator, e.g.: VPN_OPTIONS=--script-security 2 --up /config/persists/tun_up.sh;/root/openvpnup.sh
  • Calling the /root/openvpnup.sh script by adding /root/openvpnup.sh to the end of my tun_up.sh script.

How can I get this to work?


Get this bounty!!!
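The error message quoted above states OpenVPN’s rule: only one --up script is accepted, and a second --up replaces the first. The usual way to run several hooks is therefore a single --up script whose only job is to run the others with the same arguments and environment. The script below is an added example of that pattern; it is not from the question, from the binhex image or from OpenVPN. Its install path /config/persists/chained_up.sh and the choice to list the two scripts named in the question are assumptions; the positional arguments and the script_type variable are the ones OpenVPN documents for --up scripts.

```shell
#!/bin/sh
# Added example: chained_up.sh, one OpenVPN --up script that runs several others.
# Assumed install path: /config/persists/chained_up.sh, used as the only --up:
#   --script-security 2 --up /config/persists/chained_up.sh
# The two script paths below come from the question; listing them here is an assumption.

# Space-separated, run in this order. Paths with spaces are not supported by this list form.
UP_SCRIPTS="${UP_SCRIPTS:-/root/openvpnup.sh /config/persists/tun_up.sh}"

# Run each script with the positional arguments OpenVPN hands to an --up script
# (tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart])
# and the same environment. Stop at the first failure and return its exit code,
# so OpenVPN reacts exactly as it would to a single failing --up script.
run_up_chain() {
    scripts="$1"; shift
    for s in $scripts; do
        if [ ! -x "$s" ]; then
            echo "up-chain: $s is missing or not executable" >&2
            return 1
        fi
        if "$s" "$@"; then
            echo "up-chain: $s ok" >&2
        else
            rc=$?
            echo "up-chain: $s exited with $rc" >&2
            return "$rc"
        fi
    done
    return 0
}

# OpenVPN sets script_type=up before running an --up script; only then do we act,
# so sourcing this file (for example in a test) defines the function without running it.
if [ "${script_type:-}" = "up" ]; then
    run_up_chain "$UP_SCRIPTS" "$@"
    exit $?
fi
```

With this in place the VPN_OPTIONS value carries one --up only. Note that the image already passes `--up /root/openvpnup.sh` before VPN_OPTIONS is appended, so whichever --up appears last is the one OpenVPN keeps; the chain script has to be that last one, and it must be marked executable on the mounted volume, otherwise the first check above fails the whole connection on purpose.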

#StackBounty: #windows #networking #openvpn OpenVPN UDP error 10051 on Windows 10 clients

Bounty: 100

I am running an OpenVPN 2.4.9 server (without Access web interface) on a CentOS 7 machine for ~30 employees using Windows 10 laptops.

Recently, I noticed some people were disconnecting with UDP error 10051 after a few minutes of being connected. This error only occurs once in a while and always at the same clients and disappears after rebooting the operating system or after waiting an undefined amount of time.

According to Microsoft’s documentation this error is indicating that it cannot reach the network.

The clients can still use other networking functions (i.e. browsing the web), so general internet connectivity is available, and the Windows firewall is not configured to block the port I am using (otherwise the connection couldn’t have been established in the first place, right?). There are no firewalls or other middleboxes other than the Windows firewall between the server and its clients.

Is there any advice that can be given to solve this riddle?

Server config:

user nobody
group nobody    
persist-key
persist-tun
port 1094   
proto udp
proto udp6
dev tun

ca easy-rsa/pki/ca.crt
cert c.crt
key c.key
dh dh.pem

cipher AES-256-CBC
auth SHA512
comp-lzo
reneg-sec 0
inactive 0
keepalive 10 36000

Client config:

client 

dev tun
remote vpn.domain.tld 1094
comp-lzo

ca a/ca.crt
cert a/d.crt # EasyRSA generated
key a/d.key

auth-nocache
auth-user-pass
cipher AES-256-CBC
auth SHA512
remote-cert-tls server
reneg-sec 36000


Get this bounty!!!

#StackBounty: #routing #openvpn #route #ip-routing Multi hop routing

Bounty: 150

Multi-hop routing
I’m trying to communicate from the tx.py program to send packets (UDP) down to device 1 and device 2 shown in the picture. Currently we have OpenVPN clients running on 2 of our VMs, and if I run tx.py on those VMs I can communicate fine with each device that is connected to that VPN tunnel (so from vm2 I can reach device 1, but not device 2).

I want to be able to route from vm1 so that I can send to device 1 or device 2 from this central location. I tried adding a route on vm1 to device 1 (via VM 2) like route add -net 100.64.226.0 netmask 255.255.255.0 gw 10.2.6.20 dev eth0 but was still not able to receive packets on Device 1. Also tried toggling ip forwarding on for both vm1 and vm2 but this didn’t fix it.

What is the way to do this?

Note that I don’t need to communicate back up from the devices to vm1.

Note: I don’t control the OpenVPN servers and cannot change configs there.


Get this bounty!!!

#StackBounty: #vpn #routing #openvpn Route subnet through a VPN gateway with OpenVPN

Bounty: 50

A small company I work at is getting rid of an office soon and it has fallen onto me to migrate the currently on-prem-hosted VPN (just a Zyxel Zywall 110 device) into a cloud-based VM. I am not that experienced in networking (backend-dev-turned-ops) so I would like to validate if the following approach will work.


I have a dedicated VM where I’ve set up OpenVPN Access Server and the basics are working well, people can connect, all good.

There is one catch though, the current VPN forwards a certain IP range through a "tunnel" into a client’s internal network. It looks like this:

if addr in '172.30.239.0/25':
    route through gw 194.xxx.xxx.xxx
else:
    route through gw 0.0.0.0

Where the connection from our router to the client’s VPN GW is done via IKEv1 with pre-shared key (judging from the router’s web UI).

Some ascii art depicting the setup below. I am replacing Router with a VM.

            +-----------------+           [     Client infra, this has to stay the same     ]
            | Router          |           194.xxx.xxx.xxx            e.g. 172.30.239.75
            | --------------- |   IKEv1   +-------------+       +-------------------------+
User -----> | 172.30.239.0/25-| --------> | VPN gateway |-----> | Internal network server |
            |     default     |           +-------------+       +-------------------------+
            |        |        |
            +--------+--------+
                     |
                     |
                 internet

The OpenVPN Access Server does not support anything like this by itself (or I haven’t been able to find that config), so I thought I could do it on the VM level.
If I connect the OS to the VPN gateway with something like Strongswan and configure appropriate routing in iptables, could this work? Would the traffic of users connected to the OpenVPN server going to the 172.30.239.0/25 range get routed through to the Strongswan’s connection, or is this approach fundamentally wrong? What are my options?

Thanks!


Get this bounty!!!

#StackBounty: #linux #nginx #mysql #php #openvpn How to debug an unreachable (from the wan side) lemp server tunneling through an AWS b…

Bounty: 100

I’ve been wracking my brains out for weeks trying to debug a once perfectly functioning LEMP web server. I’m using a relatively complicated setup. Let’s start with my setup from the beginning, when things were working perfectly.

Step 1 (Working setup):
lemp server/nginx > Raspberry Pi > Secondary router w forwarded ports > Primary router with forwarded ports > Public Internet serving web pages

I’m running a LEMP server off Raspbian OS on a Raspberry Pi 4. Nginx is running a reverse proxy through my secondary router, which is connected to my primary router/modem. The primary router/modem forwards the HTTPS and HTTP ports to the secondary router, which then forwards those same ports to the Raspberry Pi. The Raspberry Pi successfully obtains certificates from certbot and runs a fully functioning website accessible from the public internet.

Step 2a (Working setup):
lemp server/nginx > Raspberry Pi > Secondary router > EC2 Openvpn-AS tunnel > Primary router with forwarded ports > Public Amazon Internet serving web pages
Next, I created an AWS EC2 OpenVPN-AS instance and run it as a server. From there, I install OpenVPN on my Raspberry Pi LEMP server, change my domain’s DNS to point to the IP address of my OpenVPN-AS instance instead of my home IP, and then run OpenVPN as a client on my LEMP server, successfully tunneling my web server through the OpenVPN AWS instance out to the public internet. This setup works.

Until….

I do something to completely stop all connections to the server through the VPN. The problem is, I have absolutely no idea what I did to alter this once-working setup. I know I updated the Pi, and I think I might have changed the internal hostname, but that is as much as I can remember before my Pi became a dead server.

On the internal network, the webserver still works using the local ip when using the EC2 tunnel.

The oddity that I have noticed is that although the AWS tunnel setup stopped my web server from working, once I plug my server back into my home router without the tunnel and repoint my DNS back to my home router, the server starts to work publicly again. I just cannot pinpoint what exactly has changed since my server was working after being tunneled through AWS OVPN, and now it doesn’t resolve, yet it somehow resolves on my home IP with minimal settings altered. The only things I really change when switching from AWS to the home router are which IP the domain’s DNS points to, and whether or not the VPN tunnel should be up or down.

As for the amazon ovpn tunnel, that also properly resolves and the server properly obtains the new
amazon IP address.

I know how to build servers; however, I am literally a superman-noob when it comes to debugging them and figuring out where their connection is going bad. So my question is…

Could someone please try to walk me through some steps to debug this and get my web server back up and running through my OpenVPN instance using an Amazon IP address? I haven’t the slightest idea where to even start, aside from my successful pings through the Amazon tunnel, as well as a healthy-looking traceroute.

My EC2 ports are open on 443 and 80, and I have even tried with all firewalls down, to no avail.

Any advice, tips, walkthroughs, or beginner-friendly stepping stones to help me debug this and pinpoint where the connection is dropping would be appreciated!


Get this bounty!!!

#StackBounty: #networking #openvpn #vnc #tightvncserver Can't connect local network VNC server when OpenVPN client is connected on …

Bounty: 100

Hardware A: Ubuntu 20.04 (192.168.1.61):
Installed VNC server and added OpenVPN client config to some remote server C.

Hardware B: MacOS 11.1 (192.168.1.51): standard preinstalled VNC client.

From B to A I have perfect VNC connections when OpenVPN is disconnected. But when I connect from A (as client) to the OpenVPN server, the VNC connection immediately goes down. At the same time smb, ping (A <-> B) and traceroute (A <-> B) work perfectly, with the same behaviour as with OpenVPN disconnected (only VNC is down).

From B to A (with and without VPN):

% traceroute 192.168.1.61
traceroute to 192.168.1.61 (192.168.1.61), 64 hops max, 52 byte packets
 1  192.168.1.61 (192.168.1.61)  27.855 ms  2.296 ms  35.563 ms

From A to B (with and without VPN):

$ traceroute 192.168.1.51
traceroute to 192.168.1.51 (192.168.1.51), 64 hops max, 52 byte packets
 1  192.168.1.51 (192.168.1.51)  27.855 ms  2.296 ms  35.563 ms

Why doesn’t VNC work when the OpenVPN client is connected on the VNC server, and how can I bypass this behaviour? I need to connect the VNC server to the OpenVPN network and not lose the VNC connection at the same time.


Get this bounty!!!
