TUTORIAL Easy OpenVPN

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Thank you for all the information.

I have
Which seems correct, but ALL traffic is routed to the OpenVPN machine and not the machine it's destined for. For example, when I ssh to 10.1.1.12 I get connection refused from 10.1.1.16, and when I visit a web page it's also being routed to the OpenVPN machine and not the page requested.

Any ideas about this?

I don't think your routing is correct. Is this a client on a remote network? Why does 0.0.0.0 point to your VPN network and not the local 192.168.1.0 network? Also, I updated the PDF last night; please make sure to download the newest copy.

sircolin@thunderchild:~$ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
18*.165.2*7.1*0 192.168.1.1 255.255.255.255 UGH 0 0 0 eth0
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.8.0.5 0.0.0.0 UG 0 0 0 tun0
 

sircolin

Guru
Joined
Mar 6, 2009
Messages
172
Reaction score
0
#push "redirect-gateway"
was left uncommented in the server.conf file; this has of course been commented out now.
The reason I have been trying to figure this out is that on my openvpn-as I have it pushing DHCP to the clients and routing all traffic for one client only, but that's commented out now. I shouldn't have posted it.

Kernel IP routing table for openvpn server
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 eth0
sircolin@thunderchild:~$ netstat -nr
Kernel IP routing table for Desktop
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
sircolin@thunderchild:~$
I am still seeing all traffic sent to the wrong machine, i.e. the OpenVPN server.

sircolin@thunderchild:~$ ping 10.1.1.16 << openvpn server
PING 10.1.1.16 (10.1.1.16) 56(84) bytes of data.
64 bytes from 10.1.1.16: icmp_seq=1 ttl=64 time=77.6 ms
64 bytes from 10.1.1.16: icmp_seq=2 ttl=64 time=111 ms
64 bytes from 10.1.1.16: icmp_seq=3 ttl=64 time=114 ms
^C
--- 10.1.1.16 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 77.632/101.277/114.732/16.777 ms
sircolin@thunderchild:~$ ping 10.1.1.2 << webserver
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
64 bytes from 10.1.1.2: icmp_seq=1 ttl=64 time=118 ms
64 bytes from 10.1.1.2: icmp_seq=2 ttl=64 time=122 ms
^C
--- 10.1.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 118.324/120.367/122.411/2.072 ms
sircolin@thunderchild:~$ ssh [email protected]
ssh: connect to host 10.1.1.2 port 22: Connection refused << webserver
sircolin@thunderchild:~$ ssh [email protected]
ssh: connect to host 10.1.1.16 port 22: Connection refused << openvpn server
sircolin@thunderchild:~$
Any ideas??
Btw, my account has still not been made; could you check that for me please.

Thanks

Col
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Can you ping in both directions (client - server AND server - client)? How about a firewall issue? Also, check your log files on the servers for more info.

Did you setup the static route in your router?
 

sircolin

Guru
Joined
Mar 6, 2009
Messages
172
Reaction score
0
Just tested: yes, I'm able to ping in both directions. My firewall config should be fine, 1194 UDP forwarded to 10.1.1.16 (and it is working OK with the AS server). There's nothing in the logs of any importance that I can spot.

I haven't set up a static route as yet; we should be able to get a route added when our VPN goes up on the local machine, not the client-side router (as I may not have access to an internet cafe's router, for example).

I will set up a packet sniffer on eth0 and have a look.

Col
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Sounds like your routing is working. You might try running nmap against your server(s). Also, if you want to push DNS info to just one client, check out the static IP notes at the bottom of the PDF. I believe you can push an address and DNS to a single client.
 

sircolin

Guru
Joined
Mar 6, 2009
Messages
172
Reaction score
0
I have looked into passing DHCP and will leave that until I have this working correctly first, as it's per-user configs etc.

This is interesting from tcpdump:
20:55:06.091874 arp who-has 10.1.1.1 tell 10.1.1.16
20:55:06.091871 arp who-has 10.1.1.16 tell 10.1.1.1
20:55:06.091901 arp reply 10.1.1.16 is-at 02:00:00:b9:d0:95 (oui Unknown)
20:55:06.091908 arp reply 10.1.1.1 is-at 00:18:51:19:7c:08 (oui Unknown)

Routing is working only to the OpenVPN server via the tunnel atm;
the traffic never goes back out eth0 to the 10.1.1.0 subnet where my servers live, it seems.

Col
 

sircolin

Guru
Joined
Mar 6, 2009
Messages
172
Reaction score
0
Bingo :eek: solved

This was needed:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
for the Proxmox container. Not too sure about your

iptables -t nat -A PREROUTING -i tun0 -j DNAT --to VM.ip (where VM.ip is the IP address of eth0)
and whether this was needed or not now ???

I will test later. I also understand your
if [ `cat /proc/sys/net/ipv4/ip_forward` != 0 ]; then
    action $"Disabling IPv4 packet forwarding: " sysctl -w net.ipv4.ip_forward=0
fi
won't stick on a network service restart.
/etc/init.d/network contains
if [ `cat /proc/sys/net/ipv4/ip_forward` != 0 ]; then
    action $"Disabling IPv4 packet forwarding: " sysctl -w net.ipv4.ip_forward=0
fi
So we change that to read
if [ `cat /proc/sys/net/ipv4/ip_forward` != 1 ]; then
    action $"Enabling IPv4 packet forwarding: " sysctl -w net.ipv4.ip_forward=1
fi
Also add the line
echo "1" > /proc/sys/net/ipv4/ip_forward
to
/etc/rc.local
Col
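The following script is an added illustration and is not part of the thread or of Easy OpenVPN. It runs longest-prefix routing over the netstat -nr tables posted above (the client desktop and the OpenVPN server) to answer dad311's question about where a route actually sends a packet, and to show why the MASQUERADE rule (or, alternatively, a static route on the site router) fixes what sircolin saw: the packet from the client reaches the web server fine, but the reply has no path back to 10.8.0.0/24. The web server's and router's tables, the ISP hop 203.0.113.1, the client addresses 192.168.1.50 / 10.8.0.6 and the server tunnel address 10.8.0.1 are assumptions for the model; none of them appear in the thread.

```python
# Added example (not from the thread): longest-prefix routing over the netstat -nr
# tables posted above, to show why only the reply path needs MASQUERADE or a static route.
import ipaddress

ip = ipaddress.ip_address

# netstat -nr output as posted in the thread (169.254 link-local entries omitted)
CLIENT_NETSTAT = """\
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.1.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
"""
SERVER_NETSTAT = """\
Destination Gateway Genmask Flags MSS Window irtt Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 eth0
"""
# Constructed tables for the LAN web server and the site router (not in the thread);
# 203.0.113.1 stands in for the ISP hop, which knows nothing about 10.8.0.0/24.
WEBSERVER_NETSTAT = """\
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 eth0
"""
ROUTER_NETSTAT = """\
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 203.0.113.1 0.0.0.0 UG 0 0 0 wan0
"""

def parse_netstat(text):
    """Turn netstat -nr lines into (network, gateway or None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # skip header lines
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else ip(gw), iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match: (gateway or None, iface), or None when there is no route."""
    dst, best = ip(dst), None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

# name -> (own addresses, routing table, host at the far end of tun0). Assumed: the
# client is 192.168.1.50 with tunnel address 10.8.0.6 and the server's tunnel address
# is 10.8.0.1 (OpenVPN's default net30 layout); neither value is stated in the thread.
HOSTS = {
    "client": ({ip("192.168.1.50"), ip("10.8.0.6")}, parse_netstat(CLIENT_NETSTAT), "server"),
    "server": ({ip("10.8.0.1"), ip("10.1.1.16")}, parse_netstat(SERVER_NETSTAT), "client"),
    "webserver": ({ip("10.1.1.2")}, parse_netstat(WEBSERVER_NETSTAT), None),
    "router": ({ip("10.1.1.1")}, parse_netstat(ROUTER_NETSTAT), None),
}

def trace(hosts, start, dst, max_hops=6):
    """Forward a packet hop by hop; the path ends at the owner of dst or at a DROP."""
    dst, cur, path = ip(dst), start, [start]
    for _ in range(max_hops):
        addrs, routes, tun_peer = hosts[cur]
        if dst in addrs:
            return path  # delivered
        hop = lookup(routes, dst)
        if hop is None:
            return path + ["DROP: no route"]
        gw, iface = hop
        target = dst if gw is None else gw
        # OpenVPN hands tun0 traffic to the peer; otherwise find who owns the next hop
        cur = tun_peer if iface == "tun0" else next(
            (n for n, (a, _, _) in hosts.items() if target in a), None)
        if cur is None:
            return path + [f"DROP: {target} leaves the modelled network"]
        path.append(cur)
    return path + ["DROP: hop limit"]

def round_trip(hosts, masquerade=False):
    """Client 10.8.0.6 -> web server 10.1.1.2 and the reply; returns (out, back)."""
    out = trace(hosts, "client", "10.1.1.2")
    if not masquerade:
        return out, trace(hosts, "webserver", "10.8.0.6")
    # MASQUERADE on the server rewrites the source to its eth0 address 10.1.1.16, so
    # the reply comes straight back to the server, which un-NATs it into the tunnel.
    back = trace(hosts, "webserver", "10.1.1.16")
    if back[-1] == "server":
        back += trace(hosts, "server", "10.8.0.6")[1:]
    return out, back

def with_static_route(hosts):
    """The alternative fix: the site router learns 10.8.0.0/24 via the OpenVPN server."""
    addrs, routes, peer = hosts["router"]
    extra = (ipaddress.ip_network("10.8.0.0/24"), ip("10.1.1.16"), "eth0")
    return {**hosts, "router": (addrs, routes + [extra], peer)}

if __name__ == "__main__":
    for label, hosts, masq in [("no fix", HOSTS, False), ("MASQUERADE", HOSTS, True),
                               ("static route", with_static_route(HOSTS), False)]:
        out, back = round_trip(hosts, masq)
        print(f"{label:12} out: {' > '.join(out)} | back: {' > '.join(back)}")
```

Without either fix the outbound path is client > server > webserver, but the reply goes webserver > router and then leaves towards the ISP, because nothing on the 10.1.1.0/24 side knows that 10.8.0.0/24 lives behind 10.1.1.16. MASQUERADE hides the tunnel addresses behind the server's eth0 address, so the LAN never needs that knowledge; the static route on the router keeps the real client addresses visible (useful for firewall rules and logs) at the cost of one router change. Running `lookup(parse_netstat(text), "198.51.100.7")` on a client's table is the quick check behind dad311's question: it tells you which interface and gateway carry the default route after the VPN is up.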
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Congrats!

Don't know why you needed an extra iptables command; I didn't need it for routing. Also, all my settings stick after a reboot. Strange that you required more IPv4 edits. Oh well, hope you took notes.
 

sircolin

Guru
Joined
Mar 6, 2009
Messages
172
Reaction score
0
Yeah, I have taken some notes. I will reinstall from the beginning tomorrow and write up the notes.

I think you're running your Proxmox box at home? Mine is hosted and more than likely has different network settings, I'm guessing.

To be honest, the whole thing was very easy to install. I knew that the traffic wasn't going to the correct place; it was just a matter of figuring out why, and now we know.

DHCP was a piece of cake to get working, as was redirecting the default client gateway; it works perfectly on my Ubuntu desktop.

I can throw openvpn-as in the bin now :)
 

sircolin

Guru
Joined
Mar 6, 2009
Messages
172
Reaction score
0
Starting to see why we recommend Hamachi? :rolleyes:

Open source rocks, and we like the punishment :lol:

Hmm, CentOS based system, ... pbxiaf_silver-openvpn-integrated.tar

Anything's possible :eek:
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
I set up a second Easy OpenVPN server last night, less than 10 minutes A-Z. I now have a VPN for friends & family and one for clients.

Two VPNs, both running in an OpenVZ container, each using less than 40 meg of memory. So cool.
 

ghurty

Senior Member
Joined
Jan 13, 2009
Messages
852
Reaction score
4
Hi,

Just wondering if this can be configured for what I need:

I want to be able to install something on a client's box so that, no matter its IP, it will connect into mine, allowing me to control their box.

However, two clients should not be able to see each other.

Thanks
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Hi,

Just wondering if this can be configured for what I need:

I want to be able to install something on a client's box so that, no matter its IP, it will connect into mine, allowing me to control their box.

However, two clients should not be able to see each other.

Thanks


Yes, all my clients have dynamic IPs and auto-connect. By default clients cannot see each other. Once connected you can ssh, VNC, etc. into the remote client.
 

ghurty

Senior Member
Joined
Jan 13, 2009
Messages
852
Reaction score
4
Thanks. Once I have all the clients connecting to my VPN server, how do I get my Windows machine to join it and allow that machine to see all the clients?

Also, any way of using this with VMware?

Thanks
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Thanks. Once I have all the clients connecting to my VPN server, how do I get my Windows machine to join it and allow that machine to see all the clients?

Also, any way of using this with VMware?

Thanks

Easy OpenVPN will have scripts to create the client config files for all clients (Linux, Windoz and Mac).

To set up a Windows client see this link.

As for the one Windows client seeing all other clients, but other clients not seeing each other: by default all clients are treated equally (all seeing or all not seeing). Most likely this could be done with a firewall setting.

As for VMware, I have no idea. I don't use VMware.
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
If you have installed the Proxmox version of Easy OpenVPN, please note that "service openvpn restart" will not work. If you need to restart OpenVPN, just reboot the VM. After running steps 1, 2 & 3 of the install, you will need to reboot.

This is an issue with tun0 and Proxmox. If anyone has a fix for this please let me know.
 

TonyN

New Member
Joined
Dec 11, 2010
Messages
14
Reaction score
0
Can this OpenVPN or any open source VPN serve as an Internet Connection Sharing machine or a proxy server (which allows remote machines to use the host's Internet IP)? I tried with OpenVPN but remote machines still use their own Internet IP instead of the preferred host's Internet IP. I could easily get this to work when using Windows VPN Connection (Windows OS on host & client) but this allows only ONE remote machine to connect at a time.

Any thoughts on how to achieve that goal?
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Are you referring to routing ALL (VPN and internet) traffic through your VPN server? If you are, then yes, you can. See here for the how-to.
 
