Closed laresma closed 5 years ago
Debian 8 Steps:
Do you want to enable IPv6 support (NAT)? [y/n]: n
Port choice [1-3]: 1
Protocol [1-2]: 1
DNS [1-10]: 3
Enable compression? [y/n]: n
Customize encryption settings? [y/n]: n
Works without restarting SSH and VPN do not connect when you restart.
I had the same problem, it was decided to change the operating system from Debian 8 to any version of Ubuntu or Centos.
I try Centos 7. The problem continues.
What provider are you using?
https://clients.gestiondbi.com/index.php?/cart/deepnet-solutions-vps/
OK, can you try again by running systemctl disable iptables-openvpn before the reboot?
> What provider are you using?
DigitalOcean is the same.
> OK, can you try again by running systemctl disable iptables-openvpn before the reboot?
I've tried. The problem has changed. I can connect to SSH and VPN. But I can't access the internet when the VPN is open.
Yes that's normal since the rules enable NAT.
Can you show me the output of iptables -nvL ?
FYI I tested the script on DO dozens of times on all supported OS and never encountered the issue.
Chain INPUT (policy ACCEPT 206 packets, 21760 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 257 packets, 40165 bytes)
 pkts bytes target     prot opt in     out     source               destination
And before?
this.
Do you connect to the instance using its public IP?
I am rebooting after installation. I cannot connect. (VPN/SSH)
root@debian:~# ./openvpn-install.sh
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.
I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 167.99.37.30
Checking for IPv6 connectivity...
Your host does not appear to have IPv6 connectivity.
Do you want to enable IPv6 support (NAT)? [y/n]: n
What port do you want OpenVPN to listen to?
1) Default: 1194
2) Custom
3) Random [49152-65535]
Port choice [1-3]: 1
What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
1) UDP
2) TCP
Protocol [1-2]: 1
What DNS resolvers do you want to use with the VPN?
1) Current system resolvers (from /etc/resolv.conf)
2) Self-hosted DNS Resolver (Unbound)
3) Cloudflare (Anycast: worldwide)
4) Quad9 (Anycast: worldwide)
5) Quad9 uncensored (Anycast: worldwide)
6) FDN (France)
7) DNS.WATCH (Germany)
8) OpenDNS (Anycast: worldwide)
9) Google (Anycast: worldwide)
10) Yandex Basic (Russia)
11) AdGuard DNS (Russia)
DNS [1-10]: 3
Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
Enable compression? [y/n]: n
Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
Customize encryption settings? [y/n]: n
Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
Hit http://security.debian.org jessie/updates InRelease
Ign http://mirrors.digitalocean.com jessie InRelease
Hit http://mirrors.digitalocean.com jessie-updates InRelease
Hit http://mirrors.digitalocean.com jessie Release.gpg
Hit http://mirrors.digitalocean.com jessie Release
Hit http://security.debian.org jessie/updates/main Sources
Hit http://mirrors.digitalocean.com jessie-updates/main Sources
Hit http://security.debian.org jessie/updates/main amd64 Packages
Get:1 http://mirrors.digitalocean.com jessie-updates/main amd64 Packages/DiffIndex [11.8 kB]
Get:2 http://mirrors.digitalocean.com jessie-updates/main Translation-en/DiffIndex [3,688 B]
Hit http://security.debian.org jessie/updates/main Translation-en
Hit http://mirrors.digitalocean.com jessie/main Sources
Hit http://mirrors.digitalocean.com jessie/main amd64 Packages
Hit http://mirrors.digitalocean.com jessie/main Translation-en
Fetched 15.5 kB in 2s (5,910 B/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
gnupg is already the newest version.
ca-certificates is already the newest version.
ca-certificates set to manually installed.
The following package was automatically installed and is no longer required:
libuuid-perl
Use 'apt-get autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
--2018-10-08 10:36:07-- https://swupdate.openvpn.net/repos/repo-public.gpg
Resolving swupdate.openvpn.net (swupdate.openvpn.net)... 104.20.195.50, 104.20.194.50
Connecting to swupdate.openvpn.net (swupdate.openvpn.net)|104.20.195.50|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1806 (1.8K) [binary/octet-stream]
Saving to: ‘STDOUT’
- 100%[======================================================================================>] 1.76K --.-KB/s in 0s
2018-10-08 10:36:07 (39.6 MB/s) - written to stdout [1806/1806]
OK
Hit http://security.debian.org jessie/updates InRelease
Hit http://security.debian.org jessie/updates/main Sources
Ign http://build.openvpn.net jessie InRelease
Ign http://mirrors.digitalocean.com jessie InRelease
Hit http://security.debian.org jessie/updates/main amd64 Packages
Hit http://security.debian.org jessie/updates/main Translation-en
Get:1 http://build.openvpn.net jessie Release.gpg [512 B]
Hit http://mirrors.digitalocean.com jessie-updates InRelease
Get:2 http://build.openvpn.net jessie Release [2,653 B]
Hit http://mirrors.digitalocean.com jessie Release.gpg
Get:3 http://build.openvpn.net jessie/main amd64 Packages [1,445 B]
Hit http://mirrors.digitalocean.com jessie-updates/main Sources
Get:4 http://mirrors.digitalocean.com jessie-updates/main amd64 Packages/DiffIndex [11.8 kB]
Get:5 http://mirrors.digitalocean.com jessie-updates/main Translation-en/DiffIndex [3,688 B]
Hit http://mirrors.digitalocean.com jessie Release
Hit http://mirrors.digitalocean.com jessie/main Sources
Hit http://mirrors.digitalocean.com jessie/main amd64 Packages
Hit http://mirrors.digitalocean.com jessie/main Translation-en
Ign http://build.openvpn.net jessie/main Translation-en_US
Ign http://build.openvpn.net jessie/main Translation-en
Fetched 20.1 kB in 3s (6,246 B/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
iptables is already the newest version.
wget is already the newest version.
ca-certificates is already the newest version.
curl is already the newest version.
openssl is already the newest version.
openssl set to manually installed.
The following package was automatically installed and is no longer required:
libuuid-perl
Use 'apt-get autoremove' to remove it.
The following NEW packages will be installed:
easy-rsa liblzo2-2 libpkcs11-helper1 opensc opensc-pkcs11 openvpn
0 upgraded, 6 newly installed, 0 to remove and 1 not upgraded.
Need to get 1,589 kB of archives.
After this operation, 4,847 kB of additional disk space will be used.
Get:1 http://mirrors.digitalocean.com/debian/ jessie/main liblzo2-2 amd64 2.08-1.2 [54.6 kB]
Get:2 http://mirrors.digitalocean.com/debian/ jessie/main libpkcs11-helper1 amd64 1.11-2 [45.4 kB]
Get:3 http://mirrors.digitalocean.com/debian/ jessie/main opensc-pkcs11 amd64 0.14.0-2 [687 kB]
Get:4 http://mirrors.digitalocean.com/debian/ jessie/main easy-rsa all 2.2.2-1 [17.1 kB]
Get:5 http://mirrors.digitalocean.com/debian/ jessie/main opensc amd64 0.14.0-2 [219 kB]
Get:6 http://build.openvpn.net/debian/openvpn/stable/ jessie/main openvpn amd64 2.4.6-jessie0 [566 kB]
Fetched 1,589 kB in 1s (1,485 kB/s)
Preconfiguring packages ...
Selecting previously unselected package liblzo2-2:amd64.
(Reading database ... 39162 files and directories currently installed.)
Preparing to unpack .../liblzo2-2_2.08-1.2_amd64.deb ...
Unpacking liblzo2-2:amd64 (2.08-1.2) ...
Selecting previously unselected package libpkcs11-helper1:amd64.
Preparing to unpack .../libpkcs11-helper1_1.11-2_amd64.deb ...
Unpacking libpkcs11-helper1:amd64 (1.11-2) ...
Selecting previously unselected package opensc-pkcs11:amd64.
Preparing to unpack .../opensc-pkcs11_0.14.0-2_amd64.deb ...
Unpacking opensc-pkcs11:amd64 (0.14.0-2) ...
Selecting previously unselected package openvpn.
Preparing to unpack .../openvpn_2.4.6-jessie0_amd64.deb ...
Unpacking openvpn (2.4.6-jessie0) ...
Selecting previously unselected package easy-rsa.
Preparing to unpack .../easy-rsa_2.2.2-1_all.deb ...
Unpacking easy-rsa (2.2.2-1) ...
Selecting previously unselected package opensc.
Preparing to unpack .../opensc_0.14.0-2_amd64.deb ...
Unpacking opensc (0.14.0-2) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u7) ...
Setting up liblzo2-2:amd64 (2.08-1.2) ...
Setting up libpkcs11-helper1:amd64 (1.11-2) ...
Setting up opensc-pkcs11:amd64 (0.14.0-2) ...
Setting up openvpn (2.4.6-jessie0) ...
[ ok ] Restarting virtual private network daemon.:.
Setting up easy-rsa (2.2.2-1) ...
Setting up opensc (0.14.0-2) ...
Processing triggers for libc-bin (2.19-18+deb8u10) ...
Processing triggers for systemd (215-17+deb8u7) ...
--2018-10-08 10:36:16-- https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz
Resolving github.com (github.com)... 192.30.253.112, 192.30.253.113
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/4519663/58c8b380-b876-11e8-9aee-14f04d342c9e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20181008%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20181008T103618Z&X-Amz-Expires=300&X-Amz-Signature=d9b4ec4d69931de1a32e2278327ba0e8daab45cb0f2391585dc799aba000ddd1&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-nix-3.0.5.tgz&response-content-type=application%2Foctet-stream [following]
--2018-10-08 10:36:17-- https://github-production-release-asset-2e65be.s3.amazonaws.com/4519663/58c8b380-b876-11e8-9aee-14f04d342c9e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20181008%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20181008T103618Z&X-Amz-Expires=300&X-Amz-Signature=d9b4ec4d69931de1a32e2278327ba0e8daab45cb0f2391585dc799aba000ddd1&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-nix-3.0.5.tgz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.161.251
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.161.251|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 50270 (49K) [application/octet-stream]
Saving to: ‘/root/EasyRSA-nix-3.0.5.tgz’
/root/EasyRSA-nix-3.0.5.tgz 100%[======================================================================================>] 49.09K 284KB/s in 0.2s
2018-10-08 10:36:18 (284 KB/s) - ‘/root/EasyRSA-nix-3.0.5.tgz’ saved [50270/50270]
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.1t 3 May 2016
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki
read EC key
writing EC key
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.1t 3 May 2016
Generating a 256 bit EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server_CetKspcjpbe11lwp.key.hQZqDamm5A'
-----
Using configuration from ./safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'server_CetKspcjpbe11lwp'
Certificate is to be certified until Sep 22 10:36:18 2021 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.1t 3 May 2016
Using configuration from ./safessl-easyrsa.cnf
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
* Applying /etc/sysctl.d/20-openvpn.conf ...
net.ipv4.ip_forward = 1
* Applying /etc/sysctl.d/99-digitalocean-ipv6.conf ...
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /etc/systemd/system/openvpn@.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/iptables-openvpn.service to /etc/systemd/system/iptables-openvpn.service.
Tell me a name for the client.
Use one word only, no special characters.
Client name: debian
Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
1) Add a passwordless client
2) Use a password for the client
Select an option [1-2]: 1
Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.0.1t 3 May 2016
Generating a 256 bit EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/private/debian.key.tkdmIFmPt7'
-----
Using configuration from ./safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'debian'
Certificate is to be certified until Sep 22 10:36:23 2021 GMT (1080 days)
Write out database with 1 new entries
Data Base Updated
Client debian added, the configuration file is available at /root/debian.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
If you want to add more clients, you simply need to run this script another time!
root@debian:~# iptables -nvL
Chain INPUT (policy ACCEPT 87 packets, 4232 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 tun0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun0 eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 132 packets, 14028 bytes)
pkts bytes target prot opt in out source destination
root@debian:~#
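As an added diagnostic (not code from this thread or from openvpn-install), the function below parses `iptables -nvL` output like the one posted above and reports which of the rules the installer is expected to leave behind are missing; note that `-nvL` shows only the filter table, so the NAT rule has to be read from `iptables -t nat -nvL`. The nat-table samples and the 10.8.0.0/24 client subnet are constructed assumptions; eth0, tun0 and port 1194 come from the output above.

```python
# Constructed sample: the filter table the reporter posted (OUTPUT chain omitted).
FILTER_OUTPUT = """\
Chain INPUT (policy ACCEPT 87 packets, 4232 bytes)
 pkts bytes target prot opt in   out  source     destination
    0     0 ACCEPT all  --  tun0 *    0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT udp  --  eth0 *    0.0.0.0/0  0.0.0.0/0   udp dpt:1194
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source     destination
    0     0 ACCEPT all  --  eth0 tun0 0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT all  --  tun0 eth0 0.0.0.0/0  0.0.0.0/0
"""
# Constructed samples of `iptables -t nat -nvL`: without and with the MASQUERADE rule.
NAT_EMPTY = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source     destination
"""
NAT_OK = NAT_EMPTY + "    0     0 MASQUERADE all -- * eth0 10.8.0.0/24 0.0.0.0/0\n"


def parse_rules(output):
    """Parse `iptables -nvL` text into {chain: [(target, prot, in, out, match)]}."""
    rules, chain = {}, None
    for line in output.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            rules[chain] = []
            continue
        f = line.split()
        if chain is None or len(f) < 9 or f[0] == "pkts":
            continue  # header row or blank line
        # columns: pkts bytes target prot opt in out source destination [match...]
        rules[chain].append((f[2], f[3], f[5], f[6], " ".join(f[9:])))
    return rules


def missing_openvpn_rules(filter_out, nat_out, wan="eth0", tun="tun0", port="1194"):
    """Return the expected OpenVPN rules that are absent from the parsed tables."""
    flt, nat = parse_rules(filter_out), parse_rules(nat_out)
    expected = [
        ("filter", flt, "INPUT", f"accept udp/{port} in {wan}",
         lambda r: r[0] == "ACCEPT" and r[1] == "udp" and r[2] == wan and f"dpt:{port}" in r[4]),
        ("filter", flt, "FORWARD", f"accept {wan} -> {tun}",
         lambda r: r[0] == "ACCEPT" and (r[2], r[3]) == (wan, tun)),
        ("filter", flt, "FORWARD", f"accept {tun} -> {wan}",
         lambda r: r[0] == "ACCEPT" and (r[2], r[3]) == (tun, wan)),
        # `iptables -nvL` alone never shows this one: NAT lives in the nat table.
        ("nat", nat, "POSTROUTING", f"MASQUERADE out {wan}",
         lambda r: r[0] == "MASQUERADE" and r[3] == wan),
    ]
    return [f"{table} {chain}: {name}" for table, rules, chain, name, ok in expected
            if not any(ok(r) for r in rules.get(chain, []))]
```

With the reporter's filter table and an empty nat table the only finding is the missing MASQUERADE rule, which matches the "connected but no internet" symptom; an empty filter table reports all three filter rules.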
Centos 7 and Debian 9 are fine. There's a problem with Debian 8. (DigitalOcean)
OK, I will try with Debian 8
I can reproduce. I will look at it later
Ok so this is not caused by the rules but by the service.
While booting, I noticed this error in DO's VNC console:
... network.service/stop deleted to break ordering cycle start
I also noticed the network-pre.service wasn't enabled:
root@debian-s-1vcpu-1gb-lon1-01:~# systemctl status network-pre.target
● network-pre.target - Network (Pre)
Loaded: loaded (/lib/systemd/system/network-pre.target; static)
Active: inactive (dead)
Docs: man:systemd.special(7)
http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget
root@debian-s-1vcpu-1gb-lon1-01:~# systemctl status network-online.target
● network-online.target - Network is Online
Loaded: loaded (/lib/systemd/system/network-online.target; static)
Active: active since Mon 2018-10-08 18:21:35 UTC; 48min ago
Docs: man:systemd.special(7)
http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget
Oct 08 18:21:35 debian-s-1vcpu-1gb-lon1-01.localdomain systemd[1]: Starting Network is Onl...
Oct 08 18:21:35 debian-s-1vcpu-1gb-lon1-01.localdomain systemd[1]: Reached target Network ...
Hint: Some lines were ellipsized, use -l to show in full.
Fixed in https://github.com/angristan/openvpn-install/commit/0d19b57e7ffd874aa5d04a3ed53560882450fcbb
Thanks for reporting