#StackBounty: #networking #server #vpn #iptables #openvpn OPENVPN: MULTI: bad source address from client

Bounty: 50

I have struggled with this problem for two days, but the problem is still here. I hope someone can provide a suggestion or a way to diagnose it.

What I want is to let all clients access the Internet over the OpenVPN server. Therefore, I first followed the instructions in Routing all client traffic (including web-traffic) through the VPN. After the configuration and the iptables setup, the connection between the VPN server and the client succeeds, but the client cannot visit any website (the browser just hangs). Pinging between server and client works.

I checked the log on the server, and there are records like:

Oct  3 09:16:21 iZbp15fejv9adv7o3izfm1Z ovpn-delta[1827]: laptop/131.202.XX.XX:59701 UDPv4 READ [93] from [AF_INET]131.202.XX.XX:59701: P_DATA_V1 kid=0 DATA len=92
Oct  3 09:16:21 iZbp15fejv9adv7o3izfm1Z ovpn-delta[1827]: laptop/131.202.XX.XX:59701 MULTI: bad source address from client [131.202.XX.XX], packet dropped

where the IP 131.202.XX.XX is my laptop's IP address. This record is explained in “MULTI: bad source address from client , packet dropped” or “GET INST BY VIRT: [failed]”; why is this IP not 10.8.0.6 (tun0) at my laptop, and what is the detailed implementation behind the problem? My laptop connects to the Internet using WiFi, and it is the device that runs openvpn --config client.conf.

As this is a very simple example, is there a way to avoid this error, or any sample of how to configure client-config-dir and create a ccd file?

The /etc/openvpn/delta.conf at the server:

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

port 1194

proto udp

dev tun

;dev-node MyTap

ca ca.crt
cert delta.crt
key delta.key  # This file should be kept secret

dh dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

;server-bridge

;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script

;push "redirect-gateway def1 bypass-dhcp"
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"

keepalive 10 120

;tls-auth ta.key 0 # This file is secret

;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nogroup
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20

while the client.conf is:

client
dev tun
proto udp
remote 116.62.193.49 1194
;remote my-server-2 1194
;remote-random

resolv-retry infinite

nobind

persist-key
persist-tun
ca ca.crt
cert laptop.crt
key laptop.key
ns-cert-type server

;tls-auth ta.key 1
comp-lzo

verb 3
;mute 20

For the IP routing configuration, I added the iptables commands to /etc/rc.local, so that iptables is set up at server startup.

root@iZbp15fejv9adv7o3izfm1Z:/var/log# cat /etc/rc.local 
#!/bin/sh -e
#
# rc.local
# I also tried commenting out the first three rules, but it still does not work
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

service dnsmasq restart

exit 0

and the /etc/sysctl.conf

net.ipv4.ip_forward=1

telnet serverIP 80 is OK. On the server, /var/logs/syslog:

Is there any solution?


Get this bounty!!!
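OpenVPN logs “MULTI: bad source address from client [X], packet dropped” when a packet that arrived through a client's tunnel carries a source address X that the server's internal routing table does not associate with that client: only the client's assigned tunnel address (the 10.8.0.x it got from the server directive) and any subnets declared for that client with iroute in a client-config-dir file are accepted; anything else is dropped before it reaches tun0. The following is an added example in shell (not code from the question or from OpenVPN) that counts those drops per client and rejected source address, and writes a ccd file carrying an iroute for a client. The client names, addresses, paths and log lines it uses are constructed. Note that iroute only tells OpenVPN which client a subnet sits behind; the server config also needs client-config-dir enabled and a matching route line for the kernel, which the helper prints.

```bash
#!/bin/sh
# Added example (not from the question or from OpenVPN): summarise
# "MULTI: bad source address" drops per client from an OpenVPN log, and
# generate a client-config-dir (ccd) file that declares a client-side
# subnet with iroute. Client names, addresses and paths are constructed.

# One line per (client, rejected source address): "client source count".
bad_source_report() {           # bad_source_report LOGFILE
    awk '
        /MULTI: bad source address from client/ {
            # the field just before "MULTI:" is "<client-cn>/<real-ip>:<port>"
            for (i = 2; i <= NF; i++) if ($i == "MULTI:") { who = $(i - 1); break }
            split(who, parts, "/"); client = parts[1]
            # the rejected source is the bracketed address after "from client"
            if (match($0, /from client \[[^]]*\]/))
                src = substr($0, RSTART + 13, RLENGTH - 14)
            count[client " " src]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# Prefix length -> dotted netmask (24 -> 255.255.255.0), as OpenVPN wants it.
prefix_to_mask() {              # prefix_to_mask PREFIXLEN
    awk -v p="$1" 'BEGIN {
        m = (p > 0) ? 2^32 - 2^(32 - p) : 0
        printf "%d.%d.%d.%d\n", int(m / 16777216) % 256, int(m / 65536) % 256,
               int(m / 256) % 256, m % 256
    }'
}

# Write CCD_DIR/CLIENT_CN containing "iroute NET MASK" (tells OpenVPN that
# packets from NET may arrive through this client) and print the matching
# "route NET MASK" line the server config needs (kernel route into tun).
# The server config must also contain "client-config-dir CCD_DIR".
write_ccd() {                   # write_ccd CCD_DIR CLIENT_CN LAN_CIDR
    ccd_dir=$1; client=$2; cidr=$3
    net=${cidr%/*}; mask=$(prefix_to_mask "${cidr#*/}")
    mkdir -p "$ccd_dir"
    printf 'iroute %s %s\n' "$net" "$mask" > "$ccd_dir/$client"
    printf 'route %s %s\n' "$net" "$mask"
}

# Constructed sample log in the format quoted in the question.
sample_log() {                  # sample_log OUTFILE
    printf '%s\n' \
'Oct  3 09:16:21 srv ovpn-delta[1827]: laptop/131.202.0.1:59701 UDPv4 READ [93] from [AF_INET]131.202.0.1:59701: P_DATA_V1 kid=0 DATA len=92' \
'Oct  3 09:16:21 srv ovpn-delta[1827]: laptop/131.202.0.1:59701 MULTI: bad source address from client [131.202.0.1], packet dropped' \
'Oct  3 09:16:22 srv ovpn-delta[1827]: laptop/131.202.0.1:59701 MULTI: bad source address from client [131.202.0.1], packet dropped' \
'Oct  3 09:16:25 srv ovpn-delta[1827]: phone/198.51.100.7:40001 MULTI: bad source address from client [192.168.7.9], packet dropped' \
    > "$1"
}

# Demo: run both helpers in a scratch directory.
demo_dir=$(mktemp -d)
sample_log "$demo_dir/openvpn.log"
bad_source_report "$demo_dir/openvpn.log"        # laptop 131.202.0.1 2 / phone 192.168.7.9 1
write_ccd "$demo_dir/ccd" phone 192.168.7.0/24   # route 192.168.7.0 255.255.255.0
cat "$demo_dir/ccd/phone"                        # iroute 192.168.7.0 255.255.255.0
```

The report groups by the client's common name and by the rejected source, so a client that keeps injecting packets from one foreign address shows up as a single line with a growing count; that is the pair to look at when deciding whether that address is a subnet the client legitimately sits in front of (and should get an iroute) or traffic that should never have entered the tunnel.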

#StackBounty: #network-manager #vpn How do I set a network device to be managed?

Bounty: 150

My ProtonVPN connection keeps breaking. I’m using Ubuntu 18.04. ProtonVPN informs me that the issue is with Ubuntu, that they won’t help me fix it, and that I should post here. This is a cross-post of this Unix SE question.

Right now, in the broken state, the two ProtonVPN device profiles proton0 and ipv6leakintrf0 are listed as "unmanaged" and "disconnected", respectively, by nmcli:

$ nmcli d
DEVICE          TYPE      STATE         CONNECTION 
wlp3s0          wifi      connected     WifiAP
ipv6leakintrf0  dummy     disconnected  --         
enp2s0          ethernet  unavailable   --         
lo              loopback  unmanaged     --         
proton0         tun       unmanaged     --

ProtonVPN support has not been able to resolve the issue after working on it for nearly two months, but they did inform me they don’t support unmanaged connections. So, I’m struggling on my own to make both proton0 and ipv6leakintrf0 be "managed".

From what I can piece together from the NetworkManager configuration documentation, NetworkManager configures devices from the following sources, in order:

  1. /usr/lib/NetworkManager/conf.d/
  2. /run/NetworkManager/conf.d/
  3. /etc/NetworkManager/conf.d/
  4. /etc/NetworkManager.conf
  5. /var/lib/NetworkManager/NetworkManager-intern.conf

Within the three directories, files are parsed in their listed order. On my system, the file /usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf exists and contains the following directive:

[keyfile]
unmanaged-devices=*,except:type:wifi,except:type:wwan

This appears to set all non-wifi and non-wwan network devices to "unmanaged", which would explain why proton0 and probably ipv6leakintrf0 are unmanaged. However, given how poorly designed the NetworkManager UX is, there’s no way for me to be certain that subsequent configuration I don’t understand isn’t overriding this directive.

I searched the above configuration list for another unmanaged-devices directive and found none, so I can only assume the one in 10-globally-managed-devices.conf is the only one. In that case, it seems like I could correct the problem and make proton0 a managed device by creating a file /usr/lib/NetworkManager/conf.d/80-proton-vpn.conf with the following contents:

[device]
match-device=interface-name:proton0
managed=true

[device]
match-device=interface-name:ipv6leakintrf0
managed=true

where I’ve pieced the syntax together as best I can from the poor documentation linked above. I restarted network-manager. ProtonVPN worked for several days before breaking again, giving the $ nmcli d output shown above that indicates proton0 (and probably ipv6leakintrf0) are still unmanaged, despite my best efforts at changing the config.

This AskUbuntu answer indicates that listing a device in /etc/network/interfaces will cause it to be unmanaged by NetworkManager. In my case that does not apply; the only contents of that file are

$ cat /etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

I’ve also tried explicitly excepting the ProtonVPN devices in 10-globally-managed-devices.conf as suggested by a comment on the Unix SE post I linked above:

[keyfile]
unmanaged-devices=*,except:type:wifi,except:type:wwan,except:interface-name:proton*,except:interface-name:ipv6leakintrf*

After restarting network-manager, this config made no change in the problem.

What else do I have to do to make these device profiles be managed by NetworkManager?


Get this bounty!!!

#StackBounty: #networking #vpn #split-tunnel Networking problems using free version of ProtonVPN

Bounty: 50

I am using the free version of ProtonVPN on my Windows 10 Laptop. I connect the laptop to the internet using Wifi from Cable Internet.

My ProtonVPN is configured for split tunneling – Only the Brave Browser on my laptop is to use the VPN & all other applications would be excluded from the VPN tunnel.

Proton VPN Settings

I have 2 problems

  1. My problem is that my native connection (the one that is used by the other browsers) behaves differently when my VPN tunnel is on. This is an occasional problem; it doesn’t happen all the time. I am unable to reach several sites in my other browsers (unable to connect to the site). If I shut down the VPN, the same sites start opening in my excluded browsers. Sometimes just shutting down the VPN works; sometimes I also need to run "ipconfig /renew" before it starts working, and even this is not foolproof: sometimes it just doesn’t work for a long time.

  2. When I start up ProtonVPN, while it’s connecting to the VPN server and establishing the tunnel, my laptop has no internet connection until the tunnel is established. No other browser (the ones excluded from the VPN) can connect to anything till then.

The 2nd issue is not a big one (it’s usually just for a few seconds); I mentioned it just in case it can help in troubleshooting the issue. But the 1st one is almost making me consider giving up using a VPN at all.

Are there any solutions for this?


Get this bounty!!!

#StackBounty: #vpn #http-proxy Use KeepSolid (VPN Unlimited) proxies from curl

Bounty: 100

It seems KeepSolid’s servers run Squid (https://89.45.7.90:3129), and that the Firefox plugin somehow authenticates, so that Firefox can use it.

I want to use curl with KeepSolid’s servers (aka. VPN Unlimited).

(Analyticshub.link seems to be the CN of the TLS certificate).

$ curl -v --proxy https://analyticshub.link:3129 --proxy-digest --proxy-user $user:$pass --location https://www.google.com/
*   Trying 89.45.7.90:3129...
* TCP_NODELAY set
* Connected to analyticshub.link (89.45.7.90) port 3129 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Proxy certificate:
*  subject: CN=analyticshub.link
*  start date: Jul  5 08:11:25 2021 GMT
*  expire date: Oct  3 08:11:24 2021 GMT
*  subjectAltName: host "analyticshub.link" matched cert's "analyticshub.link"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
* Proxy auth using Digest with user 'keepsolid.com@tange.dk'
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 407 Proxy Authentication Required
< Server: squid/3.5.23
< Mime-Version: 1.0
< Date: Sun, 01 Aug 2021 19:02:51 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3557
< X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
< Vary: Accept-Language
< Content-Language: en
< Proxy-Authenticate: Basic realm="Web-Proxy"
< X-Cache: MISS from vpnunlimitedapp.com
< X-Cache-Lookup: NONE from vpnunlimitedapp.com:4129
< Connection: close
< 
* Ignore 3557 bytes of response-body
* Received HTTP code 407 from proxy after CONNECT
* CONNECT phase completed!
* Closing connection 0
curl: (56) Received HTTP code 407 from proxy after CONNECT

As you can see the above does not work. What should I do instead?


Get this bounty!!!
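The 407 in the transcript answers the CONNECT with Proxy-Authenticate: Basic realm="Web-Proxy", i.e. the proxy offers Basic only, while the command asked curl for Digest (--proxy-digest), so the two sides never agree on a scheme. The added example below (shell; not from the question, curl or Squid) pulls the offered schemes out of a curl -v transcript and maps each to the curl option that selects it; the transcript lines are constructed from the headers in the question. Basic carries the credential base64-encoded, so it is only acceptable when the hop to the proxy is itself TLS, as it is with an https:// proxy URL and a verified proxy certificate as shown in the transcript.

```bash
#!/bin/sh
# Added example (not from the question or from curl/Squid): read the
# Proxy-Authenticate challenge(s) out of a curl -v transcript and map each
# offered scheme to the curl option that selects it. The transcript lines
# below are constructed from the headers shown in the question.

# Print the schemes offered in Proxy-Authenticate headers of TRANSCRIPT
# (curl -v response lines start with "< "), one per line, in order.
proxy_auth_schemes() {           # proxy_auth_schemes TRANSCRIPT
    awk '
        tolower($1 $2) == "<proxy-authenticate:" {
            sub(/^< *[^:]*: */, "")
            # several challenges may share one header: "Digest realm=..., Basic realm=..."
            n = split($0, part, ",")
            for (i = 1; i <= n; i++) {
                sub(/^[ \t]+/, "", part[i])
                split(part[i], word, " ")
                # a challenge starts with a scheme token; "nonce=..." pieces are parameters
                if (word[1] != "" && word[1] !~ /=/) print word[1]
            }
        }
    ' "$1"
}

# curl option that selects SCHEME for proxy authentication (case-insensitive).
curl_proxy_auth_option() {       # curl_proxy_auth_option SCHEME
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        basic)     echo --proxy-basic ;;
        digest)    echo --proxy-digest ;;
        ntlm)      echo --proxy-ntlm ;;
        negotiate) echo --proxy-negotiate ;;
        *)         echo --proxy-anyauth ;;   # let curl pick from what is offered
    esac
}

# Constructed 407 response, taken from the headers in the question.
sample_407() {                   # sample_407 OUTFILE
    printf '%s\n' \
        '< HTTP/1.1 407 Proxy Authentication Required' \
        '< Server: squid/3.5.23' \
        '< Proxy-Authenticate: Basic realm="Web-Proxy"' \
        '< Connection: close' > "$1"
}

f=$(mktemp)
sample_407 "$f"
for scheme in $(proxy_auth_schemes "$f"); do
    echo "$scheme -> $(curl_proxy_auth_option "$scheme")"   # Basic -> --proxy-basic
done
```

With several schemes on offer, --proxy-anyauth lets curl negotiate the strongest one it supports; when exactly one is offered, selecting it explicitly avoids an extra round trip.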

#StackBounty: #command-line #vpn #openconnect Connect to openconnect server from the command line?

Bounty: 50

I tried finding a similar question and did, but there’s a caveat: older questions use the --no-cert-check option, which has been removed for security reasons, and I don’t know the exact fingerprint for the server as it will change from time to time. I need to pass two inputs to the openconnect command using something like echo -e "arg1\narg2" but was not successful.

How can I do it? (below is the command I used):

echo -e "yes\nmypassword" | openconnect serveraddress --user="myuser" --passwd-on-stdin


Get this bounty!!!
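--no-cert-check was removed because it accepted any certificate at all; the replacement is --servercert, which makes openconnect accept only the pinned server key (pin-sha256: followed by the base64 of SHA-256 over the certificate's SubjectPublicKeyInfo) and suppresses the certificate prompt, so stdin then only has to carry the answers to the prompts that remain, one per line. The added example below (shell; not from the question or from openconnect) computes that pin from a PEM certificate, saves the leaf certificate a server presents so it can be pinned, and shows the printf form of feeding --passwd-on-stdin (echo -e is not portable across shells). It assumes openssl is installed and that the installed openconnect accepts the pin-sha256: form; the server name is a placeholder and the certificate used for the offline check is self-signed and generated on the fly. A pin taken from a fetched certificate is only as trustworthy as the channel it came over, so compare it with the fingerprint the VPN operator publishes before relying on it.

```bash
#!/bin/sh
# Added example (not from the question or from openconnect): pin the VPN
# server's key instead of using --no-cert-check, and feed the password to
# --passwd-on-stdin with printf. The pin openconnect takes as
# --servercert pin-sha256:... is base64(SHA-256(SubjectPublicKeyInfo DER)).
# Assumes openssl is installed and the installed openconnect accepts the
# pin-sha256: form; server name is a placeholder.

# base64(SHA-256(SPKI)) of the PEM certificate CERT.
spki_pin_sha256() {              # spki_pin_sha256 CERT.pem
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Save the leaf certificate presented by HOST:PORT as PEM. Check it against
# the fingerprint the VPN operator publishes before pinning it.
fetch_server_cert() {            # fetch_server_cert HOST:PORT OUT.pem
    openssl s_client -connect "$1" -servername "${1%:*}" </dev/null 2>/dev/null \
      | openssl x509 -outform PEM > "$2"
}

# Connect with the key pinned: no certificate prompt is shown, so stdin only
# has to answer the password prompt (one answer per line, in prompt order).
# Not executed here; needs a reachable server and openconnect.
connect_pinned() {               # connect_pinned SERVER USER PASSWORD PIN
    printf '%s\n' "$3" | openconnect "$1" --user="$2" \
        --servercert "pin-sha256:$4" --passwd-on-stdin
}

# Constructed self-signed certificate to exercise the pin computation offline.
make_test_cert() {               # make_test_cert KEY.pem CERT.pem
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj '/CN=vpn.example.invalid' -days 1 2>/dev/null
}

t=$(mktemp -d)
make_test_cert "$t/key.pem" "$t/cert.pem"
pin=$(spki_pin_sha256 "$t/cert.pem")
echo "use: --servercert pin-sha256:$pin"
```

Because the pin is over the public key rather than the whole certificate, a certificate that is renewed with the same key keeps the same pin; only a key change breaks it, which is why the SPKI pin is preferable to a certificate fingerprint when certificates are rotated regularly.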

#StackBounty: #vpn #docker #containers #wireguard #routes site2site wireguard with docker : routing problems

Bounty: 100

Disclaimer: repost from stackoverflow: https://stackoverflow.com/questions/67917278/site2site-wireguard-with-docker-routing-problems

I am trying to have two containers, running on two RPIs, act as a site-to-site VPN between Network 1 and Network 2.

With the setup below, I am able to ping the other network from within each container:

  • from docker container 1 I can ping an address 192.168.1.1
  • from docker container 2 I can ping the address 192.168.10.1

But if I try to ping 192.168.1.1 from the System1 host (192.168.10.100) I get errors (see the image below to visualize what I am trying to do).

I understand I have to add a static route on the system1 host (192.168.10.100) to direct the traffic for 192.168.1.0/24 through the wireguard container (172.17.0.5), so I run:

$ ip route add 192.168.1.0/24 via 172.17.0.5
$ ip route
default via 192.168.10.1 dev eth0 proto dhcp src 192.168.10.100 metric 100 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
172.18.0.0/16 dev br-e19a4f1b7646 proto kernel scope link src 172.18.0.1 linkdown 
172.19.0.0/16 dev br-19684dacea29 proto kernel scope link src 172.19.0.1 
172.20.0.0/16 dev br-446863cf7cef proto kernel scope link src 172.20.0.1 
172.21.0.0/16 dev br-6800ed9b4dd6 proto kernel scope link src 172.21.0.1 linkdown 
172.22.0.0/16 dev br-8f8f439a7a28 proto kernel scope link src 172.22.0.1 linkdown 
192.168.1.0/24 via 172.17.0.5 dev docker0 
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.100 
192.168.10.1 dev eth0 proto dhcp scope link src 192.168.10.100 metric 100 

but the ping to 192.168.1.1 still fails.

By running tcpdump on container 2, I see that some packets are indeed reaching the container:

root@936de7c0d7eb:/# tcpdump -n -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:11:19.885845 IP [publicIPsystem1].56200 > 172.17.0.6.56100: UDP, length 128
10:11:30.440764 IP 172.17.0.6.56100 > [publicIPsystem1].56200: UDP, length 32
10:11:35.480625 ARP, Request who-has 172.17.0.1 tell 172.17.0.6, length 28
10:11:35.480755 ARP, Reply 172.17.0.1 is-at 02:42:24:e5:ac:38, length 28

so I guess it is not a routing problem on system 1.

Can anyone tell me how to diagnose this further?


EDIT 1:
I have done the following test:

  1. run tcpdump -ni any on container 2
  2. sent a ping from System 1 (from the host system): ping -c 1 192.168.1.1
     On container 2 tcpdump records the following:

     tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
     listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
     15:04:47.495066 IP [publicIPsystem1].56200 > 172.17.0.3.56100: UDP, length 128
     15:04:58.120761 IP 172.17.0.3.56100 > [publicIPsystem1].56200: UDP, length 32

  3. sent a ping from the container (within the container): ping -c 1 192.168.1.1
     On container 2 tcpdump records the following:
# tcpdump -ni any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:05:48.120717 IP [publicIPsystem1].56200 > 172.17.0.3.56100: UDP, length 128
15:05:48.120871 IP 10.13.18.2 > 192.168.1.1: ICMP echo request, id 747, seq 1, length 64
15:05:48.120963 IP 172.17.0.3 > 192.168.1.1: ICMP echo request, id 747, seq 1, length 64
15:05:48.121955 IP 192.168.1.1 > 172.17.0.3: ICMP echo reply, id 747, seq 1, length 64
15:05:48.122054 IP 192.168.1.1 > 10.13.18.2: ICMP echo reply, id 747, seq 1, length 64
15:05:48.122246 IP 172.17.0.3.56100 > [publicIPsystem1].56200: UDP, length 128
15:05:53.160617 ARP, Request who-has 172.17.0.1 tell 172.17.0.3, length 28
15:05:53.160636 ARP, Request who-has 172.17.0.3 tell 172.17.0.1, length 28
15:05:53.160745 ARP, Reply 172.17.0.3 is-at 02:42:ac:11:00:03, length 28
15:05:53.160738 ARP, Reply 172.17.0.1 is-at 02:42:24:e5:ac:38, length 28
15:05:58.672032 IP [publicIPsystem1].56200 > 172.17.0.3.56100: UDP, length 32

So, it seems that packets are treated differently by container 2 depending on something that I am currently missing. Could it be an iptables problem?



                        Site 1             Site 2
Network 1 IP range      192.168.10.0/24    192.168.1.0/24
host system address     192.168.10.100     192.168.1.100
bridge docker0 range    172.17.0.0/16      172.17.0.0/16
container address       172.17.0.5         172.17.0.6

System 1 – wg0.conf

[Interface]
Address = 10.13.18.2
PrivateKey = *privatekey*
ListenPort = 56200
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = *publickey*
Endpoint = *system2address*:56100
AllowedIPs = 10.13.18.1/32 , 192.168.1.0/24

System 2 – wg0.conf

[Interface]
Address = 10.13.18.1
ListenPort = 56100
PrivateKey = *privatekey*
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# peer_casaleuven
PublicKey = *publickey*
AllowedIPs = 10.13.18.2/32 , 192.168.10.0/24
Endpoint = *system1address*:56200


Get this bounty!!!

#StackBounty: #linux #vpn #routing #strongswan #libreswan VPN traffic routing issue between two VPN connections – AWS and Generic IKEv2…

Bounty: 500

I have several sites; one of them acts as an intermediary router between the other two:

  1. AWS VPC (10.10.0.0/24)
  2. Libreswan VPN Server (10.20.0.0/24)
  3. Mikrotik VPN Router (10.30.0.0/24)

host1 resides in the AWS VPC; host2 is connected to the Mikrotik.

The VPNs are up, each connection works separately, and the statuses look fine.

host2 pings host1: packets arrive through libreswan at host1, host1 replies, and all packets arrive at libreswan but are not passed on to host2. Also, packets initiated from host2 are able to reach libreswan, but are not passed to host1. I suppose that everything is stateless for IPsec and this is the same problem.

iptables nat (manual config):

-A POSTROUTING -j ACCEPT -d 10.10.0.0/24
-A POSTROUTING -j ACCEPT -d 10.20.0.0/24

iptables filter (manual config):

-A FORWARD -j ACCEPT

routing table @ libreswan (ip route, added by libreswan):

10.10.0.0/24 dev eth0 scope link mtu 1436
10.20.0.0/24 dev eth0 scope link mtu 1436

Similar connections, in many combinations to other sites, work fine in every way; the difference is in the AWS-Libreswan VPN connection.

Is there something I am missing? Where should I look?


Get this bounty!!!

#StackBounty: #python #windows #vpn #ping How to route internet traffic via VPN Client (Ping from Python code is not working)

Bounty: 100

from os import system
system("ping www.twitter.com")
system("ping www.yahoo.com")
system("ping www.facebook.com")

I am in China, and Twitter and Facebook are banned here. I can open them in the browser using VPN client software.

I have to download tweets from Twitter, so I need to ping the websites from Python to get tweets. I cannot ping the websites, though.

How do I make my Python code use the VPN?

Output of the above code:

Pinging www.twitter.com [108.160.169.186] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 108.160.169.186:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Pinging new-fp-shed.wg1.b.yahoo.com [180.222.102.201] with 32 bytes of data:
Reply from 180.222.102.201: bytes=32 time=258ms TTL=42
Reply from 180.222.102.201: bytes=32 time=229ms TTL=42
Reply from 180.222.102.201: bytes=32 time=230ms TTL=42
Request timed out.

Ping statistics for 180.222.102.201:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 229ms, Maximum = 258ms, Average = 239ms

Pinging www.facebook.com [69.63.184.14] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 69.63.184.14:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

OS: Windows 10 (updated to latest edition). Using PyCharm as my IDE.


Get this bounty!!!

#StackBounty: #windows-10 #vpn #sstp VPN adapter settings keep reverting on Windows 10

Bounty: 50

A few times a day, my VPN connection will disconnect. When I attempt to reconnect I get an error that says my username and password are not recognized.

VPN Error Message

To resolve this, I need to go into the settings for my VPN adapter, and uncheck the box that says "Automatically use my Windows logon name and password". I also change the VPN type from Automatic to SSTP.


After making these changes, I am able to connect to the VPN again (I have to re-enter my credentials). A few hours later, my VPN will disconnect, and I have to repeat this process all over again.

What is making Windows revert these settings? Is there anything I can do to fix this?

My IT department insists this is a problem with my PC, and not a problem with the VPN service.

I am using Windows 10 Pro 20H2. I am not connected to a domain.


Get this bounty!!!

#StackBounty: #vpn #routing #openvpn Route subnet through a VPN gateway with OpenVPN

Bounty: 50

A small company I work at is getting rid of an office soon and it has fallen onto me to migrate the currently
on-prem-hosted VPN (just a Zyxel Zywall 110 device) into a cloud-based VM. I am not that experienced in networking (backend-dev-turned-ops),
so I would like to validate whether the following approach will work.


I have a dedicated VM where I’ve set up OpenVPN Access Server and the basics are working well, people can connect,
all good.

There is one catch though: the current VPN forwards a certain IP range through a "tunnel" into a client’s internal network.
It looks like this:

if addr in '172.30.239.0/25':
    route through gw 194.xxx.xxx.xxx
else:
    route through gw 0.0.0.0

Where the connection from our router to the client’s VPN GW is done via IKEv1 with pre-shared key (judging from the router’s web UI).

Some ascii art depicting the setup below. I am replacing Router with a VM.

            +-----------------+           [     Client infra, this has to stay the same     ]
            | Router          |           194.xxx.xxx.xxx            e.g. 172.30.239.75
            | --------------- |   IKEv1   +-------------+       +-------------------------+
User -----> | 172.30.239.0/25-| --------> | VPN gateway |-----> | Internal network server |
            |     default     |           +-------------+       +-------------------------+
            |        |        |
            +--------+--------+
                     |
                     |
                 internet

The OpenVPN Access Server does not support anything like this by itself (or I haven’t been able to find that config), so I thought I could do it on the VM level.
If I connect the OS to the VPN gateway with something like Strongswan and configure appropriate routing in iptables, could
this work? Would the traffic of users connected to the OpenVPN server going to the 172.30.239.0/25 range get routed
through to the Strongswan’s connection, or is this approach fundamentally wrong? What are my options?

Thanks!


Get this bounty!!!