Client can connect to OpenVPN server but with no internet access
Hello everyone!
I'm trying to set up OpenVPN with static key authentication (instead of TLS) on TCP port 443, but the client cannot access the internet over the VPN after connecting to the server.
The logs for the client/server show nothing useful.
Here's my current setup:
Server
It's a Debian VPS running on OpenVZ with TUN/TAP enabled.
Here's the configuration file:
dev tun
proto tcp-server
port 443
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/static.key
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
And here's the iptables script that I applied too. It's the one provided by OpenVPN (firewall.sh) with minor modifications as I'm running on OpenVZ (venet0 instead of eth0, SNAT). I also changed the protocol to TCP and the port to 443 to match my configuration.
#!/bin/bash

# A Sample OpenVPN-aware firewall.

# vetnet0 is connected to the internet.
# (NOTE: "vetnet0" is what the script as posted uses; the interface on this
# VPS is venet0, see the ifconfig output and the comments below.)

# eth1 is connected to a private subnet.

# Change this subnet to correspond to your private
# ethernet subnet. Home will use HOME_NET/24 and
# Office will use OFFICE_NET/24.
PRIVATE=10.0.0.0/24

# Loopback address
LOOP=127.0.0.1

# Delete old iptables rules
# and temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
# Flush the nat table too, otherwise re-running this script stacks
# duplicate SNAT rules (iptables -F only touches the filter table).
iptables -t nat -F

# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Prevent external packets from using loopback addr
iptables -A INPUT -i vetnet0 -s $LOOP -j DROP
iptables -A FORWARD -i vetnet0 -s $LOOP -j DROP
iptables -A INPUT -i vetnet0 -d $LOOP -j DROP
iptables -A FORWARD -i vetnet0 -d $LOOP -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i vetnet0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i vetnet0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i vetnet0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i vetnet0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i vetnet0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i vetnet0 -s 10.0.0.0/8 -j DROP

# Block outgoing NetBios (if you have windows machines running
# on the private subnet). This will not affect any NetBios
# traffic that flows over the VPN tunnel, but it will stop
# local windows machines from broadcasting themselves to
# the internet.
iptables -A FORWARD -p tcp --sport 137:139 -o vetnet0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o vetnet0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o vetnet0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o vetnet0 -j DROP

# Check source address validity on packets going out to internet
# ("! -s" is the current negation syntax; the older "-s !" form is deprecated)
iptables -A FORWARD ! -s $PRIVATE -i eth1 -j DROP

# Allow local loopback
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

# Allow incoming pings (can be disabled)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow services such as www and ssh (can be disabled)
iptables -A INPUT -p tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Allow incoming OpenVPN packets
# Duplicate the line below for each
# OpenVPN tunnel, changing --dport n
# to match the OpenVPN UDP port.
#
# In OpenVPN, the port number is
# controlled by the --port n option.
# If you put this option in the config
# file, you can remove the leading '--'
#
# If you taking the stateful firewall
# approach (see the OpenVPN HOWTO),
# then comment out the line below.
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow packets from TUN/TAP devices.
# When OpenVPN is run in a secure mode,
# it will authenticate packets prior
# to their arriving on a tun or tap
# interface. Therefore, it is not
# necessary to add any filters here,
# unless you want to restrict the
# type of packets which can flow over
# the tunnel.
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A INPUT -i tap+ -j ACCEPT
iptables -A FORWARD -i tap+ -j ACCEPT

# Allow packets from private subnets
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT

# Keep state of connections from local machine and private subnets
iptables -A OUTPUT -m state --state NEW -o vetnet0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o vetnet0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# SNAT (SERVER_IP is a placeholder for the VPS public address)
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o vetnet0 -j SNAT --to-source SERVER_IP

# Masquerade local subnet
#iptables -t nat -A POSTROUTING -s $PRIVATE -o vetnet0 -j MASQUERADE
Output of iptables -L -v -n
Chain INPUT (policy DROP 1 packets, 60 bytes)
 pkts bytes target     prot opt in      out     source               destination
    0     0 DROP       all  --  vetnet0 *       127.0.0.1            0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       0.0.0.0/0            127.0.0.1
    0     0 DROP       all  --  vetnet0 *       192.168.0.0/16       0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       10.0.0.0/8           0.0.0.0/0
  486 1016K ACCEPT     all  --  *       *       127.0.0.1            0.0.0.0/0
    0     0 ACCEPT     all  --  *       *       0.0.0.0/0            127.0.0.1
    4   240 ACCEPT     icmp --  *       *       0.0.0.0/0            0.0.0.0/0            icmp type 8
  691 78432 ACCEPT     tcp  --  *       *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
 1705  152K ACCEPT     tcp  --  *       *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     udp  --  *       *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
  102  8054 ACCEPT     tcp  --  *       *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    9   756 ACCEPT     all  --  tun+    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tap+    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1    *       0.0.0.0/0            0.0.0.0/0
   40  5988 ACCEPT     all  --  *       *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out     source               destination
    0     0 DROP       all  --  vetnet0 *       127.0.0.1            0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       0.0.0.0/0            127.0.0.1
    0     0 DROP       all  --  vetnet0 *       192.168.0.0/16       0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  vetnet0 *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       tcp  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            tcp spts:137:139
    0     0 DROP       udp  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            udp spts:137:139
    0     0 DROP       all  --  eth1    *      !10.0.0.0/24          0.0.0.0/0
    0     0 ACCEPT     all  --  tun+    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tap+    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  *       *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 3046 packets, 2269K bytes)
 pkts bytes target     prot opt in      out     source               destination
    0     0 DROP       tcp  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            tcp spts:137:139
    0     0 DROP       udp  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            udp spts:137:139
    0     0 ACCEPT     all  --  *       vetnet0 0.0.0.0/0            0.0.0.0/0            state NEW
Output of ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:12007 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12007 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:21446320 (20.4 MiB)  TX bytes:21446320 (20.4 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:25189 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27831 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2689401 (2.5 MiB)  TX bytes:18616342 (17.7 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:  P-t-P:  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
Output of netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 venet0
Client
The client is a Windows 8.1 machine running OpenVPN 2.3
Here's the configuration file:
remote 443
dev tun
proto tcp-client
ifconfig 10.8.0.2 10.8.0.1
secret "C:\\Program Files\\OpenVPN\\config\\static.key"
verb 6
Upon connecting the client, a connection is created on Windows for OpenVPN, but it doesn't have access to the internet (I also made sure it was on top of the connections list).
Comments
I use these iptables commands to get mine working when it has no net access. You can use MASQUERADE when you are using a VPS, or SNAT if the OpenVPN server is on a dedicated server. Also, if it's a VPS your adapter might not be eth0 as in my example, and make sure you have IPv4 forwarding set to 1.
Edit: for yours use venet0 instead of eth0 in the above commands
Just noticed your firewall script is using adapter vetnet0 ??? Shouldn't that be venet0?
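A server-side pre-flight check for exactly this class of mistake, as an added example that is not part of the thread or of OpenVPN's firewall.sh: iptables does not validate interface names, so a rule written for "vetnet0" loads without complaint and simply never matches (every vetnet0 rule in the iptables -L output above has a zero counter), which means the POSTROUTING SNAT never rewrites the 10.8.0.0/24 source address and the client's packets leave the VPS with a private source that nothing on the internet will answer. The functions below find interface names a rules file references that the host does not have, and emit the minimal forwarding/NAT rules a static-key tunnel needs, using MASQUERADE on the uplink as suggested in the comment above. They assume a POSIX shell with grep -E and awk; the interface list comes from /sys/class/net unless one is passed explicitly, and the file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for an OpenVPN
# gateway on an OpenVZ VPS. iptables never validates interface names;
# a rule for "vetnet0" loads cleanly and never matches, so the SNAT that
# should rewrite 10.8.0.0/24 never fires. These functions surface that
# before any traffic is sent. Needs POSIX sh, grep -E, awk; no root.

# List every interface named by -i/-o in an iptables script or an
# `iptables -S` dump ($1 = file), one per line, deduplicated.
rule_ifaces() {
    grep -oE -- '-(i|o) [A-Za-z0-9_.+-]+' "$1" | awk '{print $2}' | sort -u
}

# Print interfaces the rules reference but the host does not have.
# $1 = rules file, $2 = space-separated interface list (defaults to
# /sys/class/net). Wildcards such as tun+ are matched on their prefix.
missing_ifaces() {
    rules="$1"
    present="${2:-$(ls /sys/class/net 2>/dev/null | tr '\n' ' ')}"
    for ifc in $(rule_ifaces "$rules"); do
        found=0
        case "$ifc" in
            *+) prefix="${ifc%+}"
                for p in $present; do
                    case "$p" in "$prefix"*) found=1 ;; esac
                done ;;
            *)  for p in $present; do
                    [ "$p" = "$ifc" ] && found=1
                done ;;
        esac
        [ "$found" -eq 0 ] && echo "$ifc"
    done
    return 0
}

# The minimum a static-key tunnel needs on the server to reach the
# internet: forwarding on, forward tunnel<->uplink, masquerade the tunnel
# subnet on the uplink (MASQUERADE instead of SNAT so the rule survives a
# VPS address change). $1 = uplink interface (venet0 here), $2 = subnet.
gateway_rules() {
    uplink="$1"; subnet="$2"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i tun+ -o $uplink -s $subnet -j ACCEPT
iptables -A FORWARD -i $uplink -o tun+ -d $subnet -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $subnet -o $uplink -j MASQUERADE
EOF
}

# Usage on the server (paths are assumptions):
#   missing_ifaces /etc/openvpn/firewall.sh      # expect no output
#   gateway_rules venet0 10.8.0.0/24 | sh        # apply the rules
```

Run `missing_ifaces` against the firewall script before loading it; for the script posted above it reports vetnet0 (and eth1, which this VPS does not have either, though those rules are merely dead rather than harmful). Counters in `iptables -L -v -n` are the runtime version of the same check: a rule that stays at 0 while traffic flows is matching nothing.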
You can't push with static key
@sc754
I applied the iptables commands (I also substituted eth0 with vetent0). Still didn't work.
Do I have to replace the static key authentication method to get this to work?
Yes, that's the easiest way. Otherwise set one /32 and two /1 routes manually.
Explain please?
Do iptables -F first to flush out your old rules, then do it. Remember to change eth0 to venet0 in my example. Also make sure you have sysctl IPv4 forwarding set to 1, and then do sysctl -p to set it.
One route to the OpenVPN server, 0.0.0.0/1 and 128.0.0.0/1 to the tunnel device, and a route for "bypass-dhcp" to the client's local gateway if it has something like DHCP relay. You would need a script to do that ... or simply create certificates.
You could make it a lot easier for yourself by installing Nyr's script on a fresh copy of Debian 6.
Run the below after reinstalling fresh debian:
wget http://git.io/vpn --no-check-certificate -O openvpn-install.sh; chmod +x openvpn-install.sh; ./openvpn-install.sh
Found at: https://github.com/Nyr/openvpn-install
Changed it, sadly that didn't fix the issue anyway.
I can't use SSL as the organization the client connects from uses DPI and interrupts the connection, it seems like static keys are the only way.
Can you please provide more insight or a resource to route internet traffic on static key authentication?
Does DPI also interrupt if you use:
1) tls-auth
2) https://github.com/clayface/openvpn_xorpatch
3) obfsproxy
?
Or you can manually set the routes as described in previous post. Type "route help" if you want to see how to do it in windows.
You can see which 3 routes I mean if you connect an OpenVPN client. See the routes before and after connecting.
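The same three routes, expressed in the client's own configuration rather than typed with route add, as an added example that is not part of the thread: redirect-gateway and dhcp-option are ordinary client options, and push is only the server delivering them over the TLS control channel, which a static-key tunnel does not have. Put them in the client file and OpenVPN installs the routes itself at connect (a /32 to the server via the original default gateway, then 0.0.0.0/1 and 128.0.0.0/1 via the tunnel peer 10.8.0.1, which is the default route gateway for a p2p tun ifconfig) and removes them at disconnect. The hostname vpn.example.com is a placeholder (assumption); the other values match the client config posted above. The server side still needs ip_forward=1 and NAT for 10.8.0.0/24 on venet0.

```conf
# Added example, not from the thread: client.ovpn for a static-key,
# point-to-point tunnel on TCP 443. "secret" means no TLS control
# channel, so nothing the server pushes ever reaches the client;
# routing and DNS have to be declared here.
remote vpn.example.com 443
proto tcp-client
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret "C:\\Program Files\\OpenVPN\\config\\static.key"

# Client-side equivalent of the server's push "redirect-gateway def1 bypass-dhcp".
# OpenVPN adds: a /32 host route to the server via the current default gateway,
# then 0.0.0.0/1 and 128.0.0.0/1 via 10.8.0.1 (the ifconfig peer), which win
# over the existing 0.0.0.0/0 without deleting it. bypass-dhcp adds a route to
# the local DHCP server outside the tunnel if it is not on the local subnet.
redirect-gateway def1 bypass-dhcp

# Client-side equivalent of push "dhcp-option DNS ...". On Windows this is
# handed to the TAP adapter through the default ip-win32 dynamic mode.
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4

verb 6
```

After connecting, `route print` on the client should show 0.0.0.0/1 and 128.0.0.0/1 with 10.8.0.1 as gateway and a host route for the server's public address via the original gateway; if the /1 routes are present but there is still no internet, the fault is on the server side (forwarding or NAT), not in the client routing.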
You can check if tun and tap are open.