#StackBounty: #linux #networking #openvpn #iptables #raspberry-pi Using Raspberry PI as OpenVPN router for Asterisk

Bounty: 100

So, I’ve been banging my head with this for quite some time.

I have the following configuration:

  • OpenVPN server, IP 1.2.3.1
  • Asterisk server, connected to OpenVPN server, IP 1.2.3.3
  • Raspberry PI, local interface 192.168.0.17, connected to OpenVPN IP 1.2.3.6
  • IP Telephone in the same local network as Raspberry PI, local ip 192.168.0.81

Networks are configured as follows:

  • Local connection on raspberry is eth0
  • Raspberry has additional virtual interface eth0:1 with ip 192.168.0.91
  • OpenVPN connection on raspberry is tun0
  • Telephone has local ip 192.168.0.81 and gateway set to 192.168.0.91 (raspberry)

On the raspberry, iptables is as follows:

#Empty all routing tables
sudo iptables -t nat -F
sudo iptables -F

#Masquerade all traffic leaving tun0 as if coming from 1.2.3.6
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

#redirect all traffic coming from eth0:1 to tun0
sudo iptables -A FORWARD -i eth0:1 -o tun0 -j ACCEPT

#redirect all traffic coming from tun0 to eth0:1
sudo iptables -A FORWARD -i tun0 -o eth0:1 -j ACCEPT

#Modify all packets coming to tun0 to forward then to the IP telephone
sudo iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination 192.168.0.81

So, I can call and I can receive calls (I have another laptop that is connected directly to the VPN server and uses Zoiper for testing). I can call the telephone and call from the telephone, and audio from the telephone to the laptop works, but there is no incoming audio on the telephone whatsoever.

What am I doing wrong?


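An added example, not the poster's rules: a tighter rule set for the Raspberry Pi described in the question above. It differs from the posted script in three points that can be stated with confidence. iptables matches on the kernel device name, so `-i eth0:1` (an address alias) never matches anything; the match has to be on eth0. Forwarding must be switched on in the kernel (net.ipv4.ip_forward), which the posted script does not do. And the DNAT is limited to SIP signalling and an RTP port range from the Asterisk address, instead of every packet that arrives on tun0, which otherwise also redirects SSH and anything else meant for the Pi itself. The SIP port 5060/udp and the RTP range 10000-20000 are assumptions (the latter is Asterisk's default rtp.conf range), not values from the post.

```sh
#!/bin/sh
# Added example, not the poster's rules: forward SIP and RTP from the VPN to a
# LAN telephone through a Raspberry Pi.  Addresses come from the question;
# the ports are assumptions (SIP 5060/udp, RTP 10000-20000 as in Asterisk's
# default rtp.conf).
LAN_IF=eth0           # iptables matches the kernel device name; the alias eth0:1 never matches
VPN_IF=tun0
PHONE=192.168.0.81
ASTERISK=1.2.3.3      # the only VPN peer that may reach the phone
SIP_PORT=5060
RTP_RANGE=10000:20000

# DRY_RUN=1 prints the commands instead of executing them.
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

enable_forwarding() {
    # Without this the kernel never forwards between eth0 and tun0.
    run sysctl -w net.ipv4.ip_forward=1
}

reset_rules() {
    run iptables -F FORWARD
    run iptables -t nat -F PREROUTING
    run iptables -t nat -F POSTROUTING
    run iptables -P FORWARD DROP          # default deny; only what follows is forwarded
}

nat_rules() {
    # LAN hosts appear as the Pi's VPN address (1.2.3.6) when they leave via tun0.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # Hand only SIP and RTP from Asterisk to the phone.  A bare "-i tun0 -j DNAT"
    # also redirects SSH and everything else meant for the Pi itself.
    run iptables -t nat -A PREROUTING -i "$VPN_IF" -s "$ASTERISK" -p udp --dport "$SIP_PORT" -j DNAT --to-destination "$PHONE"
    run iptables -t nat -A PREROUTING -i "$VPN_IF" -s "$ASTERISK" -p udp --dport "$RTP_RANGE" -j DNAT --to-destination "$PHONE"
}

forward_rules() {
    # Replies and already-established flows in either direction.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Phone -> Asterisk over the VPN.
    run iptables -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$PHONE" -d "$ASTERISK" -j ACCEPT
    # Asterisk -> phone, limited to the ports DNATed above (FORWARD sees the
    # already-translated destination, hence -d "$PHONE").
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$ASTERISK" -d "$PHONE" -p udp --dport "$SIP_PORT" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$ASTERISK" -d "$PHONE" -p udp --dport "$RTP_RANGE" -j ACCEPT
}

apply_all() {
    enable_forwarding
    reset_rules
    nat_rules
    forward_rules
}

# Save as pi-vpn-router.sh and run it to apply; source it to use the functions.
case $0 in *pi-vpn-router.sh) apply_all ;; esac
```

Run with DRY_RUN=1 first to see the exact commands. If Asterisk is configured for direct media (RTP exchanged between the endpoints rather than relayed through Asterisk), widen `-s "$ASTERISK"` to the VPN subnet. Note also that NAT rules rewrite IP headers only: the phone still advertises its private 192.168.0.81 in the SDP body of its SIP messages, which is the usual next thing to check when signalling works but media flows in one direction only.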

#StackBounty: #vpn #openvpn #strongswan VPN with different rules for different users

Bounty: 50

I am configuring a VPN with different kinds of rules.
However, I need different sets of rules for different users.

i.e.

User A will have XX.XXX.XX.XXX IP blocked

User B will have YY.YYY.YY.YYY IP blocked

And after some actions, I will have to dynamically change this restriction, or add a new rule to user A.

I am trying to use strongSwan.
Our clients will be using iOS. We can configure the VPN there.

If the client is blocked, he won’t be able to access the site, e.g. facebook.com.

The VPN is not working right now, I want to set it up and want to know the best way to achieve my objectives.

So far I have configured strongSwan on my iPhone and it’s working fine, but it’s tunnelling all the traffic to the Internet.

Any help?


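An added example, not the poster's configuration, of one way to get per-user rules out of strongSwan: pin a fixed virtual IP to each client identity in ipsec.conf (a per-user conn with rightid and rightsourceip), then filter on that address in the gateway's FORWARD chain, one chain per user that can be rebuilt at any moment without touching anyone else's rules. Identities, the virtual IPs (10.10.10.x), the chain names and the blocked destinations (198.51.100.7 and 203.0.113.9, RFC 5737 documentation addresses) are all assumed.

```sh
#!/bin/sh
# Added example, not the poster's configuration.  Per-user egress filtering on
# a strongSwan gateway.  It assumes every client has a fixed virtual IP, which
# ipsec.conf can pin per identity (all names and addresses are assumptions):
#   conn userA
#       rightid=userA@example.com
#       rightsourceip=10.10.10.2
#       also=ios-base
# The firewall then keys on that address: one chain per user, rebuilt from a
# small text file whenever the user's list of blocked destinations changes.

ACL_DIR=${ACL_DIR:-/etc/vpn-acl}      # one file per user, one IP or CIDR per line
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Rebuild chain acl_NAME from $ACL_DIR/NAME and make sure FORWARD jumps to it
# for packets from VIP.  Safe to call repeatedly.
apply_user_acl() {                   # apply_user_acl NAME VIP
    chain="acl_$1"; file="$ACL_DIR/$1"
    if [ -n "$DRY_RUN" ] || ! iptables -nL "$chain" >/dev/null 2>&1; then
        run iptables -N "$chain"
    fi
    run iptables -F "$chain"
    if [ -r "$file" ]; then
        while IFS= read -r dst; do
            case $dst in ''|'#'*) continue ;; esac
            # REJECT rather than DROP so the client fails fast instead of hanging.
            run iptables -A "$chain" -d "$dst" -j REJECT --reject-with icmp-admin-prohibited
        done < "$file"
    fi
    run iptables -A "$chain" -j RETURN
    if [ -n "$DRY_RUN" ] || ! iptables -C FORWARD -s "$2" -j "$chain" 2>/dev/null; then
        run iptables -A FORWARD -s "$2" -j "$chain"
    fi
}

block_for_user() {                   # block_for_user NAME VIP DEST
    mkdir -p "$ACL_DIR"
    grep -qxF -- "$3" "$ACL_DIR/$1" 2>/dev/null || printf '%s\n' "$3" >> "$ACL_DIR/$1"
    apply_user_acl "$1" "$2"
}

unblock_for_user() {                 # unblock_for_user NAME VIP DEST
    f="$ACL_DIR/$1"
    if [ -r "$f" ]; then
        grep -vxF -- "$3" "$f" > "$f.tmp" || true   # grep -v exits 1 when nothing is left
        mv "$f.tmp" "$f"
    fi
    apply_user_acl "$1" "$2"
}
```

DRY_RUN=1 prints the iptables commands instead of running them. Because each user's chain is rebuilt from its file, a change for user A never touches user B's chain, and the per-user file is the single place to audit what is blocked. Blocking a site by address is only as good as the address list: large sites change and share addresses, so the list needs refreshing.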

#StackBounty: #16.04 #networking #android #openvpn #intel-wireless OpenVPN is connected and changes IP, but can't reach ISP blocked…

Bounty: 50

I managed to download an OpenVPN file from VPN Gate, imported it and connected. The VPN was connected and my IP was changed, but I couldn’t access a certain page (which I believe is blocked by my ISP), just as when using my local wireless network. As far as I know, reaching ISP-blocked pages is possible when using a VPN.

I tried using DNS and the direct IP address (also using both the TCP and UDP methods), but none of them works. I also tried connecting with both wireless and USB-wired tethering from my Android phone, but neither works either. (The wireless is tethered from the Android phone.)

Though, with same VPN configuration, I can reach the page with my phone.

I’m connected from a phone with an LTE connection, and it’s my only source of internet until this post was edited.

Here’s the output of lsusb and lspci :

$ lsusb && lspci
Bus 001 Device 004: ID 8087:0a2a Intel Corp. 
Bus 001 Device 003: ID 046d:c534 Logitech, Inc. Unifying Receiver
Bus 001 Device 002: ID 0438:7900 Advanced Micro Devices, Inc. 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 007: ID 0b05:7782 ASUSTek Computer, Inc. 
Bus 002 Device 002: ID 04f2:b56c Chicony Electronics Co., Ltd 
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
00:00.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Device 1576
00:00.2 IOMMU: Advanced Micro Devices, Inc. [AMD] Device 1577
00:01.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Carrizo (rev c9)
00:01.1 Audio device: Advanced Micro Devices, Inc. [AMD/ATI] Kabini HDMI/DP Audio
00:02.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Device 157b
00:02.2 PCI bridge: Advanced Micro Devices, Inc. [AMD] Device 157c
00:02.4 PCI bridge: Advanced Micro Devices, Inc. [AMD] Device 157c
00:03.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Device 157b
00:03.1 PCI bridge: Advanced Micro Devices, Inc. [AMD] Device 157c
00:08.0 Encryption controller: Advanced Micro Devices, Inc. [AMD] Device 1578
00:09.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Device 157d
00:09.2 Audio device: Advanced Micro Devices, Inc. [AMD] Device 157a
00:10.0 USB controller: Advanced Micro Devices, Inc. [AMD] FCH USB XHCI Controller (rev 20)
00:11.0 SATA controller: Advanced Micro Devices, Inc. [AMD] FCH SATA Controller [AHCI mode] (rev 49)
00:12.0 USB controller: Advanced Micro Devices, Inc. [AMD] FCH USB EHCI Controller (rev 49)
00:14.0 SMBus: Advanced Micro Devices, Inc. [AMD] FCH SMBus Controller (rev 4a)
00:14.3 ISA bridge: Advanced Micro Devices, Inc. [AMD] FCH LPC Bridge (rev 11)
00:14.7 SD Host controller: Advanced Micro Devices, Inc. [AMD] FCH SD Flash Controller (rev 01)
00:18.0 Host bridge: Advanced Micro Devices, Inc. [AMD] Device 1570
00:18.1 Host bridge: Advanced Micro Devices, Inc. [AMD] Device 1571
00:18.2 Host bridge: Advanced Micro Devices, Inc. [AMD] Device 1572
00:18.3 Host bridge: Advanced Micro Devices, Inc. [AMD] Device 1573
00:18.4 Host bridge: Advanced Micro Devices, Inc. [AMD] Device 1574
00:18.5 Host bridge: Advanced Micro Devices, Inc. [AMD] Device 1575
01:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8101/2/6E PCI Express Fast/Gigabit Ethernet controller (rev 07)
02:00.0 Network controller: Intel Corporation Wireless 3165 (rev 81)

How do I reach the blocked page, then?



#StackBounty: #openvpn OpenVPN stops after a couple of minutes, seems to hang all system networking

Bounty: 100

I’m trying to create an OpenVPN connection. My colleagues using Windows have received a self-extracting executable
that sets up everything, but I could recover the .ovpn and key files from their configuration.

The .ovpn says:

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote aaa.bbb.ccc.ddd 1194 udp
verify-x509-name "Bad_VPN" name
auth-user-pass
pkcs12 SomeKey.p12
tls-auth SomeKey-tls.key 1
ns-cert-type server
comp-lzo adaptive

With an adequate password, the connection starts and I can ping systems. However, if I start the VPN and immediately start a ping that I leave running:

  • after roughly one minute, there are no longer any ping answers (no seq>57)
  • after roughly a second minute, I get one last ping answer (one for seq=118) and a message that ‘tun0’ was deactivated.

Also, while the VPN is up, I can only ping the network it connects to.

While the VPN is up, ip route says:

default via 192.168.30.1 dev tun0  proto static  metric 50 
default via xxx.143.182.1 dev wlp4s0  proto static  metric 600 
xxx.0.136.31 via xxx.143.182.1 dev wlp4s0  proto dhcp  metric 600 
xxx.143.182.0/23 dev wlp4s0  proto kernel  scope link  src xxx.143.182.197  metric 600 
10.101.54.0/24 via 192.168.30.1 dev tun0  proto static  metric 50 
aaa.bbb.ccc.ddd via xxx.143.182.1 dev wlp4s0  proto static  metric 600 
192.168.30.0/24 dev tun0  proto kernel  scope link  src 192.168.30.3  metric 50 

For comparison, without VPN:

default via xxx.143.182.1 dev wlp4s0  proto static  metric 600 
xxx.0.136.31 via xxx.143.182.1 dev wlp4s0  proto dhcp  metric 600 
xxx.143.182.0/23 dev wlp4s0  proto kernel  scope link  src xxx.143.182.197  metric 600 

(xxx.*.*.* is my usual network, aaa.bbb.ccc.ddd is the VPN gateway).

/var/log/syslog says:

Jan  2 15:41:51 Xenoid NetworkManager[1102]: <info>  [1514904111.3023] audit: op="connection-activate" uuid="46cde9dc-b96e-4a27-92f2-980856086015" name="ProblemVPN" pid=18679 uid=1000 result="success"
Jan  2 15:41:51 Xenoid NetworkManager[1102]: <info>  [1514904111.3124] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",0]: Started the VPN service, PID 14000
Jan  2 15:41:51 Xenoid NetworkManager[1102]: <info>  [1514904111.3289] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",0]: Saw the service appear; activating connection
Jan  2 15:41:51 Xenoid NetworkManager[1102]: nm-openvpn-Message: openvpn[14003] started
Jan  2 15:41:51 Xenoid NetworkManager[1102]: <info>  [1514904111.3433] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",0]: VPN plugin: state changed: starting (3)
Jan  2 15:41:51 Xenoid nm-openvpn[14003]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Jan  2 15:41:51 Xenoid nm-openvpn[14003]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Jan  2 15:41:51 Xenoid nm-openvpn[14003]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan  2 15:41:51 Xenoid nm-openvpn[14003]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  2 15:41:51 Xenoid nm-openvpn[14003]: Control Channel Authentication: using '/home/me/.local/share/networkmanagement/certificates/SomeKey-tls.key' as a OpenVPN static key file
Jan  2 15:41:51 Xenoid nm-openvpn[14003]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Jan  2 15:41:51 Xenoid nm-openvpn[14003]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jan  2 15:41:51 Xenoid nm-openvpn[14003]: UDPv4 link local: [undef]
Jan  2 15:41:51 Xenoid nm-openvpn[14003]: UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194
Jan  2 15:41:51 Xenoid nm-openvpn[14003]: [Bad_VPN] Peer Connection Initiated with [AF_INET]aaa.bbb.ccc.ddd:1194
Jan  2 15:41:54 Xenoid nm-openvpn[14003]: TUN/TAP device tun0 opened
Jan  2 15:41:54 Xenoid nm-openvpn[14003]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --bus-name org.freedesktop.NetworkManager.openvpn.Connection_113 --tun -- tun0 1500 1558 192.168.30.3 255.255.255.0 init
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0624] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/57)
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0688] devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0688] device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0733] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",0]: VPN connection: (IP Config Get) reply received.
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0752] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: VPN connection: (IP4 Config Get) reply received
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0758] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: Data: VPN Gateway: aaa.bbb.ccc.ddd
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0758] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: Data: Tunnel Device: "tun0"
Jan  2 15:41:54 Xenoid nm-openvpn[14003]: chroot to '/var/lib/openvpn/chroot' and cd to '/' succeeded
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0759] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: Data: IPv4 configuration:
Jan  2 15:41:54 Xenoid nm-openvpn[14003]: GID set to nm-openvpn
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0759] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: Data:   Internal Gateway: 192.168.30.1
Jan  2 15:41:54 Xenoid nm-openvpn[14003]: UID set to nm-openvpn
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0759] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: Data:   Internal Address: 192.168.30.3
Jan  2 15:41:54 Xenoid nm-openvpn[14003]: Initialization Sequence Completed
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0759] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: Data:   Internal Prefix: 24
Jan  2 15:41:54 Xenoid acvpnagent[1851]: Function: tableCallbackHandler File: RouteMgr.cpp Line: 1723 Invoked Function: recv Return Code: 11 (0x0000000B) Description: unknown
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0759] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: Data:   Internal Point-to-Point Address: 192.168.30.3
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0759] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: Data:   Maximum Segment Size (MSS): 0
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0760] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: Data:   Static Route: 10.101.54.0/24   Next Hop: 192.168.30.1
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0760] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: Data:   Forbid Default Route: no
Jan  2 15:41:54 Xenoid acvpnagent[1851]: A new network interface has been detected.
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0760] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: Data:   DNS Domain: '(none)'
Jan  2 15:41:54 Xenoid acvpnagent[1851]: Function: logInterfaces File: RouteMgr.cpp Line: 2105 Invoked Function: logInterfaces Return Code: 0 (0x00000000) Description: IP Address Interface List: xxx.143.163.90 FE80:0:0:0:8F3A:7426:4E4E:ADBC FE80:0:0:0:BE55:25A5:1450:A479
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0760] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: Data: No IPv6 configuration
Jan  2 15:41:54 Xenoid acvpnagent[1851]: Function: tableCallbackHandler File: RouteMgr.cpp Line: 1723 Invoked Function: recv Return Code: 11 (0x0000000B) Description: unknown
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0761] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: VPN plugin: state changed: started (4)
Jan  2 15:41:54 Xenoid acvpnagent[1851]: Function: tableCallbackHandler File: RouteMgr.cpp Line: 1723 Invoked Function: recv Return Code: 11 (0x0000000B) Description: unknown
Jan  2 15:41:54 Xenoid acvpnagent[1851]: A new network interface has been detected.
Jan  2 15:41:54 Xenoid acvpnagent[1851]: Function: logInterfaces File: RouteMgr.cpp Line: 2105 Invoked Function: logInterfaces Return Code: 0 (0x00000000) Description: IP Address Interface List: xxx.143.163.90 192.168.30.3 FE80:0:0:0:8F3A:7426:4E4E:ADBC FE80:0:0:0:BE55:25A5:1450:A479
Jan  2 15:41:54 Xenoid acvpnagent[1851]: Function: tableCallbackHandler File: RouteMgr.cpp Line: 1723 Invoked Function: recv Return Code: 11 (0x0000000B) Description: unknown
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0790] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: VPN connection: (IP Config Get) complete
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0792] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
Jan  2 15:41:54 Xenoid acvpnagent[1851]: Function: tableCallbackHandler File: RouteMgr.cpp Line: 1723 Invoked Function: recv Return Code: 11 (0x0000000B) Description: unknown
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0823] manager: NetworkManager state is now CONNECTED_LOCAL
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0824] manager: NetworkManager state is now CONNECTED_GLOBAL
Jan  2 15:41:54 Xenoid dbus[1080]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Jan  2 15:41:54 Xenoid systemd[1]: Starting Network Manager Script Dispatcher Service...
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0857] keyfile: add connection in-memory (e354d75d-c20c-49d7-ab96-8dc25ebc53d2,"tun0")
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0863] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.0891] device (tun0): Activation: starting connection 'tun0' (e354d75d-c20c-49d7-ab96-8dc25ebc53d2)
Jan  2 15:41:54 Xenoid kernel: [1062318.614395] IPv4: martian source xxx.143.163.90 from xxx.0.136.50, on dev enp0s31f6
Jan  2 15:41:54 Xenoid kernel: [1062318.614398] ll header: 00000000: c8 5b 76 df 39 d9 0c 85 25 c0 64 c0 08 00        .[v.9...%.d...

[... repeated three times total ...] 

Jan  2 15:41:54 Xenoid dbus[1080]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jan  2 15:41:54 Xenoid systemd[1]: Started Network Manager Script Dispatcher Service.
Jan  2 15:41:54 Xenoid nm-dispatcher: req:1 'vpn-up' [tun0]: new request (1 scripts)
Jan  2 15:41:54 Xenoid nm-dispatcher: req:1 'vpn-up' [tun0]: start running ordered scripts...
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.1088] device (tun0): state change: disconnected -> prepare (reason 'none') [30 40 0]
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.1094] device (tun0): state change: prepare -> config (reason 'none') [40 50 0]
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.1097] device (tun0): state change: config -> ip-config (reason 'none') [50 70 0]
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.1099] device (tun0): state change: ip-config -> ip-check (reason 'none') [70 80 0]
Jan  2 15:41:54 Xenoid acvpnagent[1851]: Function: tableCallbackHandler File: RouteMgr.cpp Line: 1723 Invoked Function: recv Return Code: 11 (0x0000000B) Description: unknown
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.1110] device (tun0): state change: ip-check -> secondaries (reason 'none') [80 xxx. 0]
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.1113] device (tun0): state change: secondaries -> activated (reason 'none') [90 100 0]
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.1138] manager: NetworkManager state is now CONNECTED_LOCAL
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.1139] manager: NetworkManager state is now CONNECTED_GLOBAL
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.1139] policy: set 'tun0' (tun0) as default for IPv4 routing and DNS
Jan  2 15:41:54 Xenoid NetworkManager[1102]: <info>  [1514904114.1140] device (tun0): Activation: successful, device activated.
Jan  2 15:41:54 Xenoid kernel: [1062318.640875] IPv4: martian source xxx.143.163.90 from 54.230.92.116, on dev enp0s31f6
Jan  2 15:41:54 Xenoid kernel: [1062318.640878] ll header: 00000000: c8 5b 76 df 39 d9 0c 85 25 c1 6b 40 08 00        .[v.9...%.k@..
Jan  2 15:41:54 Xenoid nm-dispatcher: req:2 'up' [tun0]: new request (1 scripts)
Jan  2 15:41:54 Xenoid org.kde.kdeconnect[18558]: kdeconnect.core: Broadcasting identity packet
Jan  2 15:41:54 Xenoid kernel: [1062318.654094] IPv4: martian source xxx.143.163.90 from xxx.0.136.50, on dev enp0s31f6
Jan  2 15:41:54 Xenoid kernel: [1062318.654096] ll header: 00000000: c8 5b 76 df 39 d9 0c 85 25 c0 64 c0 08 00        .[v.9...%.d...

[... More "martian source" and "ll header" messages ...]

Jan  2 15:41:59 Xenoid kernel: [1062323.619584] net_ratelimit: 14 callbacks suppressed

[... More "martian source" and "ll header" messages ...]

Jan  2 15:42:01 Xenoid org.kde.kdeconnect[18558]: kdeconnect.core: Broadcasting identity packet
Jan  2 15:42:04 Xenoid kernel: [1062328.625257] net_ratelimit: 6 callbacks suppressed

[... More "martian source" and "ll header" messages ...]

Jan  2 15:42:04 Xenoid nm-dispatcher: req:2 'up' [tun0]: start running ordered scripts...

[... More "martian source", "ll header", and "net_ratelimit" messages ...]

Jan  2 15:43:51 Xenoid nm-openvpn[14003]: [Bad_VPN] Inactivity timeout (--ping-restart), restarting
Jan  2 15:43:51 Xenoid nm-openvpn[14003]: SIGUSR1[soft,ping-restart] received, process restarting
Jan  2 15:43:52 Xenoid kernel: [1062436.606725] IPv4: martian source xxx.143.163.90 from xxx.0.136.50, on dev enp0s31f6
Jan  2 15:43:52 Xenoid kernel: [1062436.606750] ll header: 00000000: c8 5b 76 df 39 d9 0c 85 25 c0 64 c0 08 00        .[v.9...%.d...
Jan  2 15:43:52 Xenoid kernel: [1062436.610871] IPv4: martian source xxx.143.163.90 from xxx.0.138.50, on dev enp0s31f6
Jan  2 15:43:52 Xenoid kernel: [1062436.610894] ll header: 00000000: c8 5b 76 df 39 d9 0c 85 25 c0 64 c0 08 00        .[v.9...%.d...
Jan  2 15:43:53 Xenoid nm-openvpn[14003]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jan  2 15:43:53 Xenoid nm-openvpn[14003]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan  2 15:43:53 Xenoid nm-openvpn[14003]: UDPv4 link local: [undef]
Jan  2 15:43:53 Xenoid nm-openvpn[14003]: UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194
Jan  2 15:43:53 Xenoid nm-openvpn[14003]: [Bad_VPN] Peer Connection Initiated with [AF_INET]aaa.bbb.ccc.ddd:1194
Jan  2 15:43:53 Xenoid kernel: [1062438.330281] IPv4: martian source xxx.143.163.90 from xxx.57.61.80, on dev enp0s31f6
Jan  2 15:43:53 Xenoid kernel: [1062438.330286] ll header: 00000000: c8 5b 76 df 39 d9 0c 85 25 c1 6b 40 08 00        .[v.9...%.k@..
Jan  2 15:43:55 Xenoid nm-openvpn[14003]: Preserving previous TUN/TAP instance: tun0
Jan  2 15:43:55 Xenoid nm-openvpn[14003]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --bus-name org.freedesktop.NetworkManager.openvpn.Connection_113 --tun -- tun0 1500 1558 192.168.30.3 255.255.255.0 restart
Jan  2 15:43:55 Xenoid nm-openvpn[14003]: WARNING: Failed running command (--up/--down): could not execute external program
Jan  2 15:43:55 Xenoid nm-openvpn[14003]: Exiting due to fatal error
Jan  2 15:43:55 Xenoid acvpnagent[1851]: Function: tableCallbackHandler File: RouteMgr.cpp Line: 1723 Invoked Function: recv Return Code: 11 (0x0000000B) Description: unknown
Jan  2 15:43:55 Xenoid acvpnagent[1851]: A network interface has gone down.
Jan  2 15:43:55 Xenoid acvpnagent[1851]: Function: logInterfaces File: RouteMgr.cpp Line: 2105 Invoked Function: logInterfaces Return Code: 0 (0x00000000) Description: IP Address Interface List: xxx.143.163.90 FE80:0:0:0:8F3A:7426:4E4E:ADBC
Jan  2 15:43:55 Xenoid acvpnagent[1851]: Function: tableCallbackHandler File: RouteMgr.cpp Line: 1723 Invoked Function: recv Return Code: 11 (0x0000000B) Description: unknown
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <error> [1514904235.1882] platform-linux: do-add-ip4-route[24: 0.0.0.0/0 50]: failure 101 (Network is unreachable)
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <warn>  [1514904235.1883] default-route: failed to add default route 0.0.0.0/0 via 192.168.30.1 dev 24 metric 50 mss 0 src vpn with effective metric 50
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <info>  [1514904235.1883] manager: NetworkManager state is now CONNECTED_LOCAL
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <info>  [1514904235.1884] manager: NetworkManager state is now CONNECTED_GLOBAL
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <info>  [1514904235.1885] policy: set 'ProblemVPN' (tun0) as default for IPv4 routing and DNS
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <info>  [1514904235.1898] device (tun0): state change: activated -> unmanaged (reason 'unmanaged') [100 10 3]
Jan  2 15:43:55 Xenoid dbus[1080]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <info>  [1514904235.1956] devices removed (path: /sys/devices/virtual/net/tun0, iface: tun0)
Jan  2 15:43:55 Xenoid systemd[1]: Starting Network Manager Script Dispatcher Service...
Jan  2 15:43:55 Xenoid dbus[1080]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Jan  2 15:43:55 Xenoid systemd[1]: Started Network Manager Script Dispatcher Service.
Jan  2 15:43:55 Xenoid nm-dispatcher: req:1 'down' [tun0]: new request (1 scripts)
Jan  2 15:43:55 Xenoid nm-dispatcher: req:1 'down' [tun0]: start running ordered scripts...
Jan  2 15:43:55 Xenoid NetworkManager[1102]: (nm-openvpn-service:14000): nm-openvpn-WARNING **: openvpn[14003] exited with error code 1
Jan  2 15:43:55 Xenoid whoopsie[1562]: [15:43:55] The default IPv4 route is: /org/freedesktop/NetworkManager/ActiveConnection/113
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <warn>  [1514904235.2272] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: VPN plugin: failed: connect-failed (1)
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <info>  [1514904235.2272] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: VPN plugin: state changed: stopping (5)
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <info>  [1514904235.2272] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: VPN plugin: state changed: stopped (6)
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <info>  [1514904235.2278] vpn-connection[0x1c2e630,46cde9dc-b96e-4a27-92f2-980856086015,"ProblemVPN",24:(tun0)]: VPN plugin: state change reason: unknown (0)
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <info>  [1514904235.2278] manager: NetworkManager state is now CONNECTED_LOCAL
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <info>  [1514904235.2303] manager: NetworkManager state is now CONNECTED_GLOBAL
Jan  2 15:43:55 Xenoid NetworkManager[1102]: <error> [1514904235.2309] platform-linux: do-change-link[24]: failure changing link: failure 19 (No such device)
Jan  2 15:43:55 Xenoid acvpnagent[1851]: Function: tableCallbackHandler File: RouteMgr.cpp Line: 1723 Invoked Function: recv Return Code: 11 (0x0000000B) Description: unknown
Jan  2 15:43:55 Xenoid nm-dispatcher: req:2 'vpn-down' [tun0]: new request (1 scripts)
Jan  2 15:43:55 Xenoid acvpnagent[1851]: Function: tableCallbackHandler File: RouteMgr.cpp Line: 1723 Invoked Function: recv Return Code: 11 (0x0000000B) Description: unknown
Jan  2 15:43:55 Xenoid nm-dispatcher: req:2 'vpn-down' [tun0]: start running ordered scripts...

With the NM GUI, I tried to remove the automatic routing, but couldn’t get a valid configuration that way. I also tried several variants of ip route del default via 192.168.30.1 dev tun0 but although I didn’t see any error messages the route remained.

Any ideas (besides starting a Windows VM…)?

Running (K)ubuntu 16.04

Update: OK, I lied :) I also have docker, and removed docker0 from the ip route outputs… And using the NM GUI to disconnect from docker0 seems to fix the problem. Ran for 20 min and only lost a few packets (10/1261). However, I cannot find any hint that OpenVPN and docker don’t like each other.

Update 2: The working tests above were from home, on Ethernet via PLC. So it works with a wired connection to my simple home LAN, but doesn’t work with:

  • the company’s internal network (wifi or ethernet)
  • the company’s “guests” wifi
  • my home wifi
  • my phone (as a Wifi hotspot)
  • my phone (with USB cable)


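The syslog above says "No server certificate verification method has been enabled" even though the .ovpn carries both verify-x509-name and ns-cert-type server. NetworkManager does not hand openvpn the .ovpn file; it builds a command line from the imported connection, so a directive the importer did not carry over is absent at run time, and the client will then accept any certificate signed by the CA, including another client's. The short lint below, an added example that is not part of the post, prints the server-identity directives it finds in a profile and fails when there are none; ns-cert-type is reported as deprecated because OpenVPN 2.4 deprecated it in favour of remote-cert-tls and 2.5 removed it. The sample profile it writes is constructed after the posted one, with a documentation address in place of the real server.

```sh
#!/bin/sh
# Added example: lint an OpenVPN client profile for server-identity checks.
# Not from the original post; written to go with the "No server certificate
# verification method has been enabled" warning in the syslog above.

# Print the directives that bind the connection to the server's certificate;
# exit 1 if the profile has none.
check_server_verification() {   # check_server_verification FILE
    file=$1; found=0
    while IFS= read -r line; do
        set -- $line                 # $1 is the directive, $2... its arguments
        case ${1:-} in
            remote-cert-tls|verify-x509-name|remote-cert-eku|remote-cert-ku|tls-verify)
                printf 'ok: %s\n' "$line"; found=1 ;;
            ns-cert-type)
                printf 'ok (deprecated in 2.4, removed in 2.5; use "remote-cert-tls %s"): %s\n' "${2:-server}" "$line"
                found=1 ;;
            tls-auth|tls-crypt)
                printf 'note: control channel protected by %s\n' "$1" ;;
            comp-lzo|compress)
                printf 'note: compression enabled (%s); current OpenVPN documentation recommends against it\n' "$1" ;;
        esac
    done < "$file"
    [ "$found" = 1 ]
}

# Constructed profile modelled on the posted one (documentation address, not
# the real server).
write_sample_profile() {        # write_sample_profile FILE
    cat > "$1" <<'EOF'
client
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
remote 198.51.100.20 1194 udp
verify-x509-name "Bad_VPN" name
auth-user-pass
pkcs12 SomeKey.p12
tls-auth SomeKey-tls.key 1
ns-cert-type server
comp-lzo adaptive
EOF
}

# Save as ovpn-lint.sh and run: ./ovpn-lint.sh client.ovpn
case $0 in *ovpn-lint.sh) check_server_verification "$1" ;; esac
```

A profile that passes this check can still lose the directive on import, so the real test is the running openvpn process: if the warning appears in syslog, enable the server-certificate check in the NetworkManager connection's TLS settings or start openvpn directly with the profile and confirm the warning is gone.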

#StackBounty: #networking #windows-10 #vpn #openvpn #windows-server-2012-r2 Windows using VPN even when using IP address to access share

Bounty: 100

I’m connecting from my Windows 10 machine to a Windows Server 2012 R2 machine in the same subnet. I also have an OpenVPN connection that goes to the office and the server also has its own connection.

When I’m accessing files on the server sometimes the connection goes through the VPN without me noticing. Of course this is not what I want since I have a gigabit connection to it in the local network and a lot slower through the VPN.

The strange thing about this is that I have set the server name in the hosts file to point to the local IP. And even stranger: even if I write \\192.168.23.45\share in the Explorer address line, the connection will actually go through the VPN!

The only way I can get it to work properly is to disable the VPN, access files and then maybe enable VPN.

Is there some way to tell Windows that it should never attempt to use the VPN address for that server and always use the local network address?

The metrics for both routes are 276, this might make for it not to favor the local route but won’t explain why it doesn’t use the IP address I tell it to use. I have also tried to set the metric in OpenVPN configuration to lower or higher but this doesn’t change anything.

Local network is 192.168.23.0/24 and VPN network is 10.12.34.0/24 so they are completely separate. No IPv6 on the VPN, local network has the local IPv6 addresses.

I can also stop OpenVPN while transferring files or doing whatever with the file shares. The Windows 10 machine will just wait a moment, then switch to the non-VPN connection and continue. And if I restart it the transfers will switch to the VPN connection.

The server has also now been upgraded to 2016 but that hasn’t changed anything. The problem is somehow in the Windows 10 machine. This also doesn’t happen at all from another Windows 10 machine in the same subnet, same domain with the same OpenVPN configuration.



#StackBounty: #networking #vpn #routing #openvpn OpenVPN: Allow server to reach client without redirecting all client traffic over VPN?

Bounty: 200

So I’ve set up a reasonably basic tun OpenVPN server, and am having trouble getting it so that the server can communicate with all of the connected clients.

I currently have two sets of clients, some that don’t use the VPN to connect to the internet (just to talk to the other clients), and some that use redirect-gateway to send all of their traffic over the VPN.

With how I have it set up, all of the connected clients can communicate with the server, and with the other clients. However, from the server, I can only reach (e.g. ping) the clients that are using redirect-gateway to send all of their traffic through the VPN. The clients not using that config can ping the server, but the server cannot ping back (they don’t respond to it and it times out).

How can I set up the routing so that the server can still communicate with clients even if they don’t use the VPN as their default gateway?

Here’s the relevant server config:

port 1194
proto udp
dev tun
topology subnet
push "topology subnet"
server 10.7.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
explicit-exit-notify 1

In the client config directory on the server, each client has a file like this (just to give each a static IP):

ifconfig-push 10.7.0.10 255.255.255.0

The relevant bits of the local client config:

client
dev tun
proto udp
remote {server's public ip} 1194
float
keepalive 15 60
ns-cert-type server
key-direction 1
tun-mtu 1500
cipher AES-256-CBC
keysize 256
comp-lzo yes
nobind

The clients that are using the VPN for internet access add redirect-gateway def1 bypass-dhcp to their config.

I’m using ufw for my server’s firewall – here’s the relevant config (in /etc/ufw/before.rules):

*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.7.0.0/8 -j SNAT --to-source {server's public ip}

As this is running on an OpenVZ VPS, I cannot use MASQUERADE, but the above seems to work just as well.

Any ideas on how to set this up properly? Thanks in advance. If it matters, the server is running CentOS.


Get this bounty!!!
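
One reading of the symptom (my analysis, not something the post states): the SNAT rule carries no -o restriction, so the server's own pings leaving through tun0 are rewritten to the public IP, and a client without redirect-gateway answers that public address over its normal uplink instead of the tunnel, where the reply never matches the server's conntrack entry. The Python model below is an added example, not code from the post; it uses constructed addresses and contrasts the posted rule with one scoped to the public interface.

```python
import ipaddress

# Constructed values, not from the post (the post hides the public IP).
PUBLIC_IP = "203.0.113.5"
SERVER_TUN_IP = "10.7.0.1"
VPN_NET = ipaddress.ip_network("10.7.0.0/24")

def out_interface(dst):
    """Tiny model of the server's routing table: VPN subnet via tun0, everything else via eth0."""
    return "tun0" if ipaddress.ip_address(dst) in VPN_NET else "eth0"

def snat_matches(rule, src, dst, out_if):
    """Model of one nat POSTROUTING rule: -s NET [-o IF] [! -d NET].
    strict=False mirrors iptables accepting 10.7.0.0/8 as 10.0.0.0/8."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule["src"], strict=False):
        return False
    if "out_if" in rule and out_if != rule["out_if"]:
        return False
    if "not_dst" in rule and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["not_dst"]):
        return False
    return True

def source_seen_by_peer(rule, src, dst):
    """Source address the receiver sees after the server's POSTROUTING chain."""
    return PUBLIC_IP if snat_matches(rule, src, dst, out_interface(dst)) else src

def client_answers_over_tunnel(rule, client_ip, redirect_gateway):
    """Whether a client's reply to a server ping comes back through tun.
    With redirect-gateway every reply uses the tunnel; without it, only replies
    addressed inside the VPN subnet do, so a reply to the public IP leaves via
    the client's normal uplink and never matches the server's conntrack entry."""
    seen = source_seen_by_peer(rule, SERVER_TUN_IP, client_ip)
    return redirect_gateway or ipaddress.ip_address(seen) in VPN_NET

# The rule from the post: no -o, so it also rewrites the server's own packets into tun0.
POSTED_RULE = {"src": "10.7.0.0/8"}
# Same NAT for internet-bound client traffic, but only on the public interface.
SCOPED_RULE = {"src": "10.7.0.0/24", "out_if": "eth0", "not_dst": "10.7.0.0/24"}

if __name__ == "__main__":
    for name, rule in (("posted", POSTED_RULE), ("scoped", SCOPED_RULE)):
        seen = source_seen_by_peer(rule, SERVER_TUN_IP, "10.7.0.10")
        ok = client_answers_over_tunnel(rule, "10.7.0.10", redirect_gateway=False)
        print(f"{name}: client sees ping from {seen}; reply via tunnel: {ok}")
```

A quick check on the server is to run tcpdump -ni tun0 icmp while pinging a client and look at the source address of the echo requests leaving the tunnel.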

#StackBounty: #networking #ssh #vpn #openvpn #client SSH disconnects after OpenVPN connection using PureVpn

Bounty: 50

I’ve been trying to install PureVPN using OpenVPN on my DigitalOcean VPS.
I’m configuring the VPS using SSH.

However, when I start the VPN I get disconnected from my VPS and I can’t log into it any more using SSH.

I’ve used the following tutorial before, for setting up a privateinternetaccess VPN on my VPS:

https://serverfault.com/questions/659955/allowing-ssh-on-a-server-with-an-active-openvpn-client

Answer summary:

ip rule add from x.x.x.x table 128
ip route add table 128 to y.y.y.y/y dev ethX
ip route add table 128 default via z.z.z.z

Where x.x.x.x is your public IP, y.y.y.y/y should be the subnet of
your public IP address, ethX should be your public Ethernet interface,
and z.z.z.z should be the default gateway.

This works fine when I try to connect to privateinternetaccess using OpenVPN.

However, when I do the same above steps for PureVPN,
I get the following error:

RTNETLINK answers: File exists
Thu Aug 17 12:25:09 2017 ERROR: Linux route add command failed: external program exited with error status: 2

I feel that the problem exists in my *.ovpn files.

Here’s an example of my PureVPN config file:

client
dev tun
proto udp
remote cav1-ovpn-udp.pointtoserver.com 53
persist-key
persist-tun
ca ca.crt
tls-auth Wdc.key 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
route-method exe
route-delay 2
route 0.0.0.0 0.0.0.0
auth-user-pass pass.txt
auth-retry interact
explicit-exit-notify 2
ifconfig-nowarn
auth-nocache

If I comment out the route 0.0.0.0 0.0.0.0 part, the connection goes through but then I can’t access any site on the internet anymore.
curl ifconfig.co times out without being able to return my VPN’s IP.

I want to be able to connect via SSH to my VPS’s public IP.

Here’s my whole connection log:

root@open-vpn:/etc/openvpn# openvpn London2-udp.ovpn 
Thu Aug 17 12:38:27 2017 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Thu Aug 17 12:38:27 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Thu Aug 17 12:38:27 2017 WARNING: file 'pass.txt' is group or others accessible
Thu Aug 17 12:38:27 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Aug 17 12:38:27 2017 WARNING: file 'Wdc.key' is group or others accessible
Thu Aug 17 12:38:27 2017 Control Channel Authentication: using 'Wdc.key' as a OpenVPN static key file
Thu Aug 17 12:38:27 2017 UDPv4 link local (bound): [undef]
Thu Aug 17 12:38:27 2017 UDPv4 link remote: [AF_INET]172.94.3.130:53
Thu Aug 17 12:38:28 2017 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1558', remote='link-mtu 64858'
Thu Aug 17 12:38:28 2017 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 64800'
Thu Aug 17 12:38:28 2017 [PureVPN] Peer Connection Initiated with [AF_INET]172.94.3.130:53
Thu Aug 17 12:38:31 2017 TUN/TAP device tun0 opened
Thu Aug 17 12:38:31 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Aug 17 12:38:31 2017 /sbin/ip link set dev tun0 up mtu 1500
Thu Aug 17 12:38:31 2017 /sbin/ip addr add dev tun0 local 172.94.3.242 peer 172.94.3.241
RTNETLINK answers: File exists
Thu Aug 17 12:38:33 2017 ERROR: Linux route add command failed: external program exited with error status: 2
Thu Aug 17 12:38:33 2017 Initialization Sequence Completed

How can I get the same result with PureVPN?


Get this bounty!!!

#StackBounty: #ssh #openvpn Linux (Ubuntu) OpenVPN Client – Do not Tunnel SSH

Bounty: 50

I would like to run OpenVPN in client mode on my cloud VM (EC2 instance), so that traffic that exits the VM in general goes through the VPN. But I would still like the existing IP Address to be available for SSH connections (so it doesn’t break the SSH connection that I’m currently connected to the machine on).

Here is the current .ovpn settings file that I’m using:

client
dev tun
proto udp
remote xxx.yyy.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ


Get this bounty!!!

#StackBounty: #networking #openvpn #remote-access #subnet Connect to connected OpenVPN client from different subnet

Bounty: 50

I have a machine running Xubuntu 17.04 that is connected as a client to a VPN via OpenVPN (2.3.11). When I have the client connected, I can access the machine remotely via SSH and VNC if I am on the same subnet (my LAN subnet, 192.168.1.0/24). I cannot access it from my wireless subnet, 192.168.2.1/24. If I disconnect from OpenVPN I can connect from the wireless subnet. I do not have access to the server to make config changes as this is a paid VPN service. Is there a way to allow the incoming connection from multiple subnets while OpenVPN is running?


Get this bounty!!!
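
The three commands from the answer summary in the PureVPN question above address the same problem as the EC2 question (keep SSH reachable on the original IP) and the Xubuntu question (replies to the wireless subnet), with the LAN address and gateway standing in for the public ones in the last case. The Python below is an added example, not code from any of the posts: it derives x.x.x.x, y.y.y.y/y, ethX and z.z.z.z from constructed ip -4 addr / ip -4 route output and emits the commands.

```python
import ipaddress
import re

# Constructed sample output of `ip -4 addr show dev eth0` and `ip -4 route show default`
# (not from any of the posts, whose addresses are hidden).
ADDR_OUTPUT = """2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 203.0.113.25/24 brd 203.0.113.255 scope global eth0
       valid_lft forever preferred_lft forever
"""
ROUTE_OUTPUT = "default via 203.0.113.1 dev eth0 proto static\n"

def parse_primary_address(addr_output, dev):
    """Return (address, network) for the first scope-global IPv4 entry on dev."""
    pattern = r"^\s*inet (\S+)/(\d+) .*\bscope global\b.*\b" + re.escape(dev) + r"\s*$"
    m = re.search(pattern, addr_output, re.M)
    if not m:
        raise ValueError(f"no global IPv4 address on {dev}")
    iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return str(iface.ip), str(iface.network)

def parse_default_gateway(route_output, dev):
    """Return the gateway of the default route that leaves via dev."""
    m = re.search(r"^default via (\S+) dev " + re.escape(dev) + r"\b", route_output, re.M)
    if not m:
        raise ValueError(f"no default route via {dev}")
    return m.group(1)

def policy_routing_commands(addr_output, route_output, dev, table=128):
    """Build the three commands from the answer summary: packets sourced from the
    pre-VPN address are looked up in a separate table whose default route is the
    pre-VPN gateway, so replies to SSH (or LAN) clients bypass the tunnel."""
    ip, net = parse_primary_address(addr_output, dev)
    gw = parse_default_gateway(route_output, dev)
    return [
        f"ip rule add from {ip} table {table}",
        f"ip route add table {table} to {net} dev {dev}",
        f"ip route add table {table} default via {gw}",
    ]

if __name__ == "__main__":
    print("\n".join(policy_routing_commands(ADDR_OUTPUT, ROUTE_OUTPUT, "eth0")))
```

Run the emitted commands before starting the OpenVPN client; they are not persistent across reboots.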

#StackBounty: #networking #virtualbox #vpn #routing #openvpn Route VM traffic through VPN, but not host traffic

Bounty: 50

I have a VPN service that I pay for, and I would like to route traffic for a (VirtualBox) virtual machine through it, but not traffic from the (Linux) host.

The VPN service uses OpenVPN. I have a bunch of configuration files to let me connect to different servers. I can change the type of interface (tun/tap).

From what I’ve read, it seems that I need to create a bridge between tap0 and vboxnet0 (the host-only virtualbox interface). I tried a few solutions for this, but nothing seems to have worked. I fear some iptables foo might be necessary, but I don’t even know where to start with that.

Any help or even a prod in the right direction will be very much appreciated.


Get this bounty!!!