OpenVpn connects, but does not let through any traffic.

dellarovere
Posts: 15
Joined: 2022-02-19 23:39

OpenVpn connects, but does not let through any traffic.

#1 Post by dellarovere »

Looking for advice on how to handle the following problem. I am able to run OpenVpn server and connect to it, but when connected the client does not get any traffic. Client running on the phone cannot load any page in the browser.

I am able to connect to the server through SSH. Pings and traceroutes from the server go fine.

First,

Code:

$ uname -a
Linux freedombox 6.1.0-13-armmp-lpae #1 SMP Debian 6.1.55-1 (2023-09-29) armv7l GNU/Linux

System is running on a Raspberry Pi.

OpenVpn configuration

Code:

$ cat /etc/openvpn/server/freedombox.conf

port 1194
proto udp
# proto udp6
dev tun

# client-to-client

ca /etc/openvpn/freedombox-keys/pki/ca.crt
cert /etc/openvpn/freedombox-keys/pki/issued/server.crt
key /etc/openvpn/freedombox-keys/pki/private/server.key

dh none

server 10.91.0.0 255.255.255.0
keepalive 10 120
verb 3

log-append openvpn.log

tls-server
tls-version-min 1.2
cipher AES-256-CBC
script-security 2

I have explicitly turned off udp6 to keep things simple. Also, I tried dev tun and dev tun0 to match the interface name, but neither seems to be working.

Interfaces

Code:

$ cat  /etc/NetworkManager/system-connections/tun0.nmconnection 
[connection]
id=tun0
uuid=6aef5d32-b9a2-476a-9e84-c5b93a499c98
type=tun
autoconnect=false
interface-name=tun0
timestamp=1699982689

[tun]

[ipv4]
method=auto

[ipv6]
addr-gen-mode=default
method=disabled

[proxy]

I have tried to explicitly disable ipv6 and turn on DHCP on ipv4, but I think this might not be correctly working:

Code:

$ nmcli device show tun0
GENERAL.DEVICE:                         tun0
GENERAL.TYPE:                           tun
GENERAL.HWADDR:                         (unknown)
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected (externally))
GENERAL.CONNECTION:                     tun0
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/33
IP4.ADDRESS[1]:                         10.91.0.1/32
IP4.GATEWAY:                            --
IP4.ROUTE[1]:                           dst = 10.91.0.2/32, nh = 0.0.0.0, mt = 0
IP4.ROUTE[2]:                           dst = 10.91.0.0/24, nh = 10.91.0.2, mt = 0
IP6.ADDRESS[1]:                         fe80::cc20:a4fd:7603:7dd0/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 256

Firewall

Code:

$ sudo firewall-cmd --zone=internal --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun1 tun2 tun3 tun4 tun5 tun6 tun7
  sources: 
  services: dhcp dhcpv6-client dns http https mdns samba-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
$ sudo firewall-cmd --zone=external --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: end0 tun0
  sources: 
  services: http https openvpn ssh
  ports: 
  protocols: 
  forward: no
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

I have explicitly removed tun0 and openvpn from internal zone.

Any suggestion on what else to look for is greatly appreciated.

Aki
Global Moderator
Posts: 3082
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 76 times
Been thanked: 418 times

Re: OpenVpn connects, but does not let through any traffic.

#2 Post by Aki »

Hello,
dellarovere wrote: 2023-12-04 22:21 I am able to run OpenVpn server and connect to it, but when connected the client does not get any traffic. Client running on the phone cannot load any page in the browser. I am able to connect to the server through SSH. Pings and traceroutes from the server go fine.
Do you connect from the client (phone) to the openvpn server (debian) with ssh using or not using the openvpn connection?

dellarovere
Posts: 15
Joined: 2022-02-19 23:39

Re: OpenVpn connects, but does not let through any traffic.

#3 Post by dellarovere »

No, connection through SSH is done separately. It just indicates that the machine is online and I can connect to it. But once I am connected to the VPN server I do not use SSH. After that I expect all internet traffic to be tunneled through the VPN, and it does not happen.

Aki
Global Moderator
Posts: 3082
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 76 times
Been thanked: 418 times

Re: OpenVpn connects, but does not let through any traffic.

#4 Post by Aki »

dellarovere wrote: 2023-12-10 01:42 No, connection through SSH is done separately. It just indicates that the machine is online and I can connect to it. But once I am connected to the VPN server I do not use SSH. After that I expect all internet traffic to be tunneled through the VPN, and it does not happen.
Did you test that the openvpn server established a working connection with the remote server (before trying to connect your phone to that openvpn working connection)?

dellarovere
Posts: 15
Joined: 2022-02-19 23:39

Re: OpenVpn connects, but does not let through any traffic.

#5 Post by dellarovere »

No, I did not. How can I test that?

Aki
Global Moderator
Posts: 3082
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 76 times
Been thanked: 418 times

Re: OpenVpn connects, but does not let through any traffic.

#6 Post by Aki »

dellarovere wrote: 2023-12-14 15:32 No, I did not. How can I test that?
Perhaps you can configure and test a VPN client (as a test bed) in the Debian installation that offers the openvpn server services; see:

dellarovere
Posts: 15
Joined: 2022-02-19 23:39

Re: OpenVpn connects, but does not let through any traffic.

#7 Post by dellarovere »

I have followed your suggestion and have set up a separate Ubuntu box on which I have installed OpenVPN client. The problem exists for it as well. Here is the log:

Code:

# Without VPN
$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max
  1   192.168.86.1  0.406ms  0.283ms  0.230ms 
  2   10.1.10.1  2.236ms  1.607ms  1.572ms 
  3   96.120.88.109  17.730ms  10.713ms  10.102ms 
  4   24.124.159.25  10.808ms  11.969ms  11.267ms 
  5   162.151.79.153  11.272ms  10.399ms  13.010ms 
  6   68.87.193.177  10.515ms  16.465ms  10.561ms 
  7   68.86.143.89  11.086ms  15.176ms  11.349ms 
  8   76.96.96.234  18.379ms  13.449ms  15.535ms 
  9   *  *  * 
 10   8.8.8.8  18.550ms  20.007ms  17.629ms 

# Bringing up VPN client 
$ sudo openvpn --config ~/config.ovpn 
Tue Dec 19 14:32:51 2023 OpenVPN 2.4.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Aug 21 2023
Tue Dec 19 14:32:51 2023 library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10
Tue Dec 19 14:32:51 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]XX.X.XXX.XXX:1194
Tue Dec 19 14:32:51 2023 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Dec 19 14:32:51 2023 UDP link local: (not bound)
Tue Dec 19 14:32:51 2023 UDP link remote: [AF_INET]XX.X.XXX.XXX:1194
Tue Dec 19 14:32:51 2023 TLS: Initial packet from [AF_INET]XX.X.XXX.XXX:1194, sid=c1d2bb0d d3b3d992
Tue Dec 19 14:32:51 2023 VERIFY OK: depth=1, CN=Easy-RSA CA
Tue Dec 19 14:32:51 2023 VERIFY KU OK
Tue Dec 19 14:32:51 2023 Validating certificate extended key usage
Tue Dec 19 14:32:51 2023 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Dec 19 14:32:51 2023 VERIFY EKU OK
Tue Dec 19 14:32:51 2023 VERIFY OK: depth=0, CN=server
Tue Dec 19 14:32:51 2023 WARNING: 'cipher' is present in local config but missing in remote config, local='cipher AES-256-CBC'
Tue Dec 19 14:32:51 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 384 bit EC, curve: secp384r1
Tue Dec 19 14:32:51 2023 [server] Peer Connection Initiated with [AF_INET]XX.X.XXX.XXX:1194
Tue Dec 19 14:32:52 2023 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Dec 19 14:32:52 2023 PUSH: Received control message: 'PUSH_REPLY,route 10.91.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.91.0.6 10.91.0.5,peer-id 1,cipher AES-256-GCM'
Tue Dec 19 14:32:52 2023 OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 19 14:32:52 2023 OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 19 14:32:52 2023 OPTIONS IMPORT: route options modified
Tue Dec 19 14:32:52 2023 OPTIONS IMPORT: peer-id set
Tue Dec 19 14:32:52 2023 OPTIONS IMPORT: adjusting link_mtu to 1624
Tue Dec 19 14:32:52 2023 OPTIONS IMPORT: data channel crypto options modified
Tue Dec 19 14:32:52 2023 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Dec 19 14:32:52 2023 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Dec 19 14:32:52 2023 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Dec 19 14:32:52 2023 ROUTE_GATEWAY 192.168.86.1/255.255.255.0 IFACE=enp6s0 HWADDR=e8:40:f2:73:25:1b
Tue Dec 19 14:32:52 2023 TUN/TAP device tun0 opened
Tue Dec 19 14:32:52 2023 TUN/TAP TX queue length set to 100
Tue Dec 19 14:32:52 2023 /sbin/ip link set dev tun0 up mtu 1500
Tue Dec 19 14:32:52 2023 /sbin/ip addr add dev tun0 local 10.91.0.6 peer 10.91.0.5
Tue Dec 19 14:32:52 2023 /sbin/ip route add XX.X.XXX.XXX/32 via 192.168.86.1
Tue Dec 19 14:32:52 2023 /sbin/ip route del 0.0.0.0/0
Tue Dec 19 14:32:52 2023 /sbin/ip route add 0.0.0.0/0 via 10.91.0.5
Tue Dec 19 14:32:52 2023 /sbin/ip route add 10.91.0.0/24 via 10.91.0.5
Tue Dec 19 14:32:52 2023 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Dec 19 14:32:52 2023 Initialization Sequence Completed
^Z
[1]+  Stopped                 sudo openvpn --config ~/config.ovpn

# Putting the client in background mode
$ bg
[1]+ sudo openvpn --config ~/config.ovpn &

# Traceroute through VPN connection
$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max
  1   *  *  * 
  2   *  *  * 
  3   *  *  * 
  4   *  *  * 
  5   *  *  * 
  6   *  *  * 
  7   *  *  * 
  8   *  *  * 
  9   * ^C
$

So, after I bring up the VPN connection, traceroute stops working. Is there anything I should be looking for on the server? Any logs I can enable to see what is wrong? Like firewall logs? Anything to check in network interfaces? Routing?

Aki
Global Moderator
Posts: 3082
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 76 times
Been thanked: 418 times

Re: OpenVpn connects, but does not let through any traffic.

#8 Post by Aki »

Hello,
dellarovere wrote: 2023-12-20 00:03 Is there anything I should be looking for on the server? Any logs I can enable to see what is wrong? Like firewall logs? Anything to check in network interfaces? Routing?
I'm not an OpenVPN expert, but I think this might be a good place to start:

dellarovere
Posts: 15
Joined: 2022-02-19 23:39

Re: OpenVpn connects, but does not let through any traffic.

#9 Post by dellarovere »

I looked at the page, but unfortunately, it talks about problems connecting to the server and I do not have those. I can connect successfully.

I am still looking for the solution and will update if I find one.

dlu2021
Posts: 213
Joined: 2021-08-13 19:55
Location: Minnesota
Has thanked: 7 times
Been thanked: 42 times

Re: OpenVpn connects, but does not let through any traffic.

#10 Post by dlu2021 »

Have you tried reducing the size of the MTU of the OpenVpn connection? Maybe it doesn't like fragmented packets.

dellarovere
Posts: 15
Joined: 2022-02-19 23:39

Re: OpenVpn connects, but does not let through any traffic.

#11 Post by dellarovere »

Ok, so I found this: https://wiki.debian.org/OpenVPN#Forward ... e_Internet, which made it work for me.

I ran those commands, checked the connection and it worked. But so far I was not able to get nftables to load those tables/chains/rules on boot. Even if I copy the configuration into /etc/nftables.conf, the configuration does not come up after reboot and I have to manually run systemctl start nftables.service, after which everything works. I have done systemctl enable nftables.service but that did not seem to help.

Anyway, this is probably a different problem now, but if anyone has any suggestions, I appreciate them. I will update once I solve that.
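Added example (not from the thread or the Debian wiki page it links): a small POSIX sh check for the two server-side prerequisites behind "connects but forwards nothing", IPv4 forwarding and a masquerade rule for the VPN subnet. The subnet 10.91.0.0/24 and uplink name end0 come from the thread; the function names and the ruleset layout are assumptions, and the functions take their input as arguments so they can be run against captured output as well as live.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the prerequisites for an
# OpenVPN server to forward client traffic: net.ipv4.ip_forward=1 and a
# source-NAT (masquerade) rule covering the tunnel subnet.

VPN_NET="10.91.0.0/24"   # from "server 10.91.0.0 255.255.255.0" in the thread

# ip_forward_enabled FILE : succeeds if the sysctl file contains "1"
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# ruleset_masquerades RULESET_TEXT NET : succeeds if an nft ruleset dump
# holds a masquerade rule whose source matches NET
ruleset_masquerades() {
    printf '%s\n' "$1" | grep -q "ip saddr $2 .*masquerade"
}

# expected_ruleset NET UPLINK : the minimal nftables NAT table that NATs the
# tunnel subnet out of the uplink (same idea as the Debian wiki approach;
# exact layout is this example's assumption)
expected_ruleset() {
    cat <<EOF
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $1 oifname "$2" masquerade
    }
}
EOF
}

# diagnose SYSCTL_FILE RULESET_TEXT : report each missing prerequisite,
# returning non-zero if any is missing
diagnose() {
    rc=0
    ip_forward_enabled "$1" || { echo "net.ipv4.ip_forward is not 1"; rc=1; }
    ruleset_masquerades "$2" "$VPN_NET" \
        || { echo "no masquerade rule for $VPN_NET in ruleset"; rc=1; }
    return $rc
}

# Live use on the server (as root):
#   diagnose /proc/sys/net/ipv4/ip_forward "$(nft list ruleset)"
```

On this host tun0 and end0 both sit in firewalld's external zone with `forward: no`, so checking that zone's forward setting (firewalld's own `--add-forward` option) is worth doing before layering a separate nftables ruleset on top of firewalld's.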
