angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License

Debian 8 SSH and VPN Connection Problem after reboot. #326

Closed laresma closed 5 years ago

laresma commented 5 years ago

Debian 8 Steps:

Do you want to enable IPv6 support (NAT)? [y/n]: n
Port choice [1-3]: 1
Protocol [1-2]: 1
DNS [1-10]: 3
Enable compression? [y/n]: n
Customize encryption settings? [y/n]: n

Works without restarting. SSH and VPN do not connect when you restart.

ayton commented 5 years ago

> Debian 8 Steps:
>
> Do you want to enable IPv6 support (NAT)? [y/n]: n
> Port choice [1-3]: 1
> Protocol [1-2]: 1
> DNS [1-10]: 3
> Enable compression? [y/n]: n
> Customize encryption settings? [y/n]: n
>
> Works without restarting. SSH and VPN do not connect when you restart.

I had the same problem; it was decided to change the operating system from Debian 8 to any version of Ubuntu or CentOS.

laresma commented 5 years ago

I tried CentOS 7. The problem continues.

angristan commented 5 years ago

What provider are you using?

laresma commented 5 years ago

> What provider are you using?

https://clients.gestiondbi.com/index.php?/cart/deepnet-solutions-vps/

angristan commented 5 years ago

OK, can you try again by running systemctl disable iptables-openvpn before the reboot?

laresma commented 5 years ago

> What provider are you using?

DigitalOcean is the same.

laresma commented 5 years ago

> OK, can you try again by running systemctl disable iptables-openvpn before the reboot?

I've tried. The problem has changed. I can connect to SSH and VPN. But I can't access the internet when VPN is open.

angristan commented 5 years ago

Yes, that's normal since the rules enable NAT.

Can you show me the output of iptables -nvL ?

FYI, I tested the script on DO dozens of times on all supported OSes and never encountered the issue.

laresma commented 5 years ago

Chain INPUT (policy ACCEPT 206 packets, 21760 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 257 packets, 40165 bytes)
 pkts bytes target     prot opt in     out     source               destination

angristan commented 5 years ago

And before?

laresma commented 5 years ago

This.

angristan commented 5 years ago

Do you connect to the instance using its public IP?

laresma commented 5 years ago

I am rebooting after installation. I cannot connect. (VPN/SSH)

laresma commented 5 years ago

root@debian:~# ./openvpn-install.sh
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: 167.99.37.30

Checking for IPv6 connectivity...

Your host does not appear to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: n

What port do you want OpenVPN to listen to?
   1) Default: 1194
   2) Custom
   3) Random [49152-65535]
Port choice [1-3]: 1

What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
   1) UDP
   2) TCP
Protocol [1-2]: 1

What DNS resolvers do you want to use with the VPN?
   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS Resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Russia)
DNS [1-10]: 3

Do you want to use compression? It is not recommended since the VORACLE attack make use of it.
Enable compression? [y/n]: n

Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n

Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
Hit http://security.debian.org jessie/updates InRelease
Ign http://mirrors.digitalocean.com jessie InRelease
Hit http://mirrors.digitalocean.com jessie-updates InRelease
Hit http://mirrors.digitalocean.com jessie Release.gpg
Hit http://mirrors.digitalocean.com jessie Release
Hit http://security.debian.org jessie/updates/main Sources
Hit http://mirrors.digitalocean.com jessie-updates/main Sources
Hit http://security.debian.org jessie/updates/main amd64 Packages
Get:1 http://mirrors.digitalocean.com jessie-updates/main amd64 Packages/DiffIndex [11.8 kB]
Get:2 http://mirrors.digitalocean.com jessie-updates/main Translation-en/DiffIndex [3,688 B]
Hit http://security.debian.org jessie/updates/main Translation-en
Hit http://mirrors.digitalocean.com jessie/main Sources
Hit http://mirrors.digitalocean.com jessie/main amd64 Packages
Hit http://mirrors.digitalocean.com jessie/main Translation-en
Fetched 15.5 kB in 2s (5,910 B/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
gnupg is already the newest version.
ca-certificates is already the newest version.
ca-certificates set to manually installed.
The following package was automatically installed and is no longer required:
  libuuid-perl
Use 'apt-get autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.
--2018-10-08 10:36:07--  https://swupdate.openvpn.net/repos/repo-public.gpg
Resolving swupdate.openvpn.net (swupdate.openvpn.net)... 104.20.195.50, 104.20.194.50
Connecting to swupdate.openvpn.net (swupdate.openvpn.net)|104.20.195.50|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1806 (1.8K) [binary/octet-stream]
Saving to: ‘STDOUT’

-                                         100%[======================================================================================>]   1.76K  --.-KB/s   in 0s

2018-10-08 10:36:07 (39.6 MB/s) - written to stdout [1806/1806]

OK
Hit http://security.debian.org jessie/updates InRelease
Hit http://security.debian.org jessie/updates/main Sources
Ign http://build.openvpn.net jessie InRelease
Ign http://mirrors.digitalocean.com jessie InRelease
Hit http://security.debian.org jessie/updates/main amd64 Packages
Hit http://security.debian.org jessie/updates/main Translation-en
Get:1 http://build.openvpn.net jessie Release.gpg [512 B]
Hit http://mirrors.digitalocean.com jessie-updates InRelease
Get:2 http://build.openvpn.net jessie Release [2,653 B]
Hit http://mirrors.digitalocean.com jessie Release.gpg
Get:3 http://build.openvpn.net jessie/main amd64 Packages [1,445 B]
Hit http://mirrors.digitalocean.com jessie-updates/main Sources
Get:4 http://mirrors.digitalocean.com jessie-updates/main amd64 Packages/DiffIndex [11.8 kB]
Get:5 http://mirrors.digitalocean.com jessie-updates/main Translation-en/DiffIndex [3,688 B]
Hit http://mirrors.digitalocean.com jessie Release
Hit http://mirrors.digitalocean.com jessie/main Sources
Hit http://mirrors.digitalocean.com jessie/main amd64 Packages
Hit http://mirrors.digitalocean.com jessie/main Translation-en
Ign http://build.openvpn.net jessie/main Translation-en_US
Ign http://build.openvpn.net jessie/main Translation-en
Fetched 20.1 kB in 3s (6,246 B/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
iptables is already the newest version.
wget is already the newest version.
ca-certificates is already the newest version.
curl is already the newest version.
openssl is already the newest version.
openssl set to manually installed.
The following package was automatically installed and is no longer required:
  libuuid-perl
Use 'apt-get autoremove' to remove it.
The following NEW packages will be installed:
  easy-rsa liblzo2-2 libpkcs11-helper1 opensc opensc-pkcs11 openvpn
0 upgraded, 6 newly installed, 0 to remove and 1 not upgraded.
Need to get 1,589 kB of archives.
After this operation, 4,847 kB of additional disk space will be used.
Get:1 http://mirrors.digitalocean.com/debian/ jessie/main liblzo2-2 amd64 2.08-1.2 [54.6 kB]
Get:2 http://mirrors.digitalocean.com/debian/ jessie/main libpkcs11-helper1 amd64 1.11-2 [45.4 kB]
Get:3 http://mirrors.digitalocean.com/debian/ jessie/main opensc-pkcs11 amd64 0.14.0-2 [687 kB]
Get:4 http://mirrors.digitalocean.com/debian/ jessie/main easy-rsa all 2.2.2-1 [17.1 kB]
Get:5 http://mirrors.digitalocean.com/debian/ jessie/main opensc amd64 0.14.0-2 [219 kB]
Get:6 http://build.openvpn.net/debian/openvpn/stable/ jessie/main openvpn amd64 2.4.6-jessie0 [566 kB]
Fetched 1,589 kB in 1s (1,485 kB/s)
Preconfiguring packages ...
Selecting previously unselected package liblzo2-2:amd64.
(Reading database ... 39162 files and directories currently installed.)
Preparing to unpack .../liblzo2-2_2.08-1.2_amd64.deb ...
Unpacking liblzo2-2:amd64 (2.08-1.2) ...
Selecting previously unselected package libpkcs11-helper1:amd64.
Preparing to unpack .../libpkcs11-helper1_1.11-2_amd64.deb ...
Unpacking libpkcs11-helper1:amd64 (1.11-2) ...
Selecting previously unselected package opensc-pkcs11:amd64.
Preparing to unpack .../opensc-pkcs11_0.14.0-2_amd64.deb ...
Unpacking opensc-pkcs11:amd64 (0.14.0-2) ...
Selecting previously unselected package openvpn.
Preparing to unpack .../openvpn_2.4.6-jessie0_amd64.deb ...
Unpacking openvpn (2.4.6-jessie0) ...
Selecting previously unselected package easy-rsa.
Preparing to unpack .../easy-rsa_2.2.2-1_all.deb ...
Unpacking easy-rsa (2.2.2-1) ...
Selecting previously unselected package opensc.
Preparing to unpack .../opensc_0.14.0-2_amd64.deb ...
Unpacking opensc (0.14.0-2) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u7) ...
Setting up liblzo2-2:amd64 (2.08-1.2) ...
Setting up libpkcs11-helper1:amd64 (1.11-2) ...
Setting up opensc-pkcs11:amd64 (0.14.0-2) ...
Setting up openvpn (2.4.6-jessie0) ...
[ ok ] Restarting virtual private network daemon.:.
Setting up easy-rsa (2.2.2-1) ...
Setting up opensc (0.14.0-2) ...
Processing triggers for libc-bin (2.19-18+deb8u10) ...
Processing triggers for systemd (215-17+deb8u7) ...
--2018-10-08 10:36:16--  https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.5/EasyRSA-nix-3.0.5.tgz
Resolving github.com (github.com)... 192.30.253.112, 192.30.253.113
Connecting to github.com (github.com)|192.30.253.112|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/4519663/58c8b380-b876-11e8-9aee-14f04d342c9e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20181008%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20181008T103618Z&X-Amz-Expires=300&X-Amz-Signature=d9b4ec4d69931de1a32e2278327ba0e8daab45cb0f2391585dc799aba000ddd1&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-nix-3.0.5.tgz&response-content-type=application%2Foctet-stream [following]
--2018-10-08 10:36:17--  https://github-production-release-asset-2e65be.s3.amazonaws.com/4519663/58c8b380-b876-11e8-9aee-14f04d342c9e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20181008%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20181008T103618Z&X-Amz-Expires=300&X-Amz-Signature=d9b4ec4d69931de1a32e2278327ba0e8daab45cb0f2391585dc799aba000ddd1&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DEasyRSA-nix-3.0.5.tgz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.161.251
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.161.251|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 50270 (49K) [application/octet-stream]
Saving to: ‘/root/EasyRSA-nix-3.0.5.tgz’

/root/EasyRSA-nix-3.0.5.tgz               100%[======================================================================================>]  49.09K   284KB/s   in 0.2s

2018-10-08 10:36:18 (284 KB/s) - ‘/root/EasyRSA-nix-3.0.5.tgz’ saved [50270/50270]

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.1t  3 May 2016

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/easy-rsa/pki

read EC key
writing EC key

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.1t  3 May 2016
Generating a 256 bit EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/private/server_CetKspcjpbe11lwp.key.hQZqDamm5A'
-----
Using configuration from ./safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server_CetKspcjpbe11lwp'
Certificate is to be certified until Sep 22 10:36:18 2021 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.1t  3 May 2016
Using configuration from ./safessl-easyrsa.cnf

An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

* Applying /etc/sysctl.d/20-openvpn.conf ...
net.ipv4.ip_forward = 1
* Applying /etc/sysctl.d/99-digitalocean-ipv6.conf ...
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /etc/systemd/system/openvpn@.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/iptables-openvpn.service to /etc/systemd/system/iptables-openvpn.service.

Tell me a name for the client.
Use one word only, no special characters.
Client name: debian

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1

Note: using Easy-RSA configuration from: ./vars

Using SSL: openssl OpenSSL 1.0.1t  3 May 2016
Generating a 256 bit EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/private/debian.key.tkdmIFmPt7'
-----
Using configuration from ./safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'debian'
Certificate is to be certified until Sep 22 10:36:23 2021 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Client debian added, the configuration file is available at /root/debian.ovpn.
Download the .ovpn file and import it in your OpenVPN client.
If you want to add more clients, you simply need to run this script another time!
root@debian:~# iptables -nvL
Chain INPUT (policy ACCEPT 87 packets, 4232 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   tun0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 132 packets, 14028 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@debian:~#

laresma commented 5 years ago

CentOS 7 and Debian 9 are fine. There's a problem with Debian 8. (DigitalOcean)

angristan commented 5 years ago

OK, I will try with Debian 8.

angristan commented 5 years ago

I can reproduce. I will look at it later.

angristan commented 5 years ago

OK, so this is not caused by the rules but by the service.

While booting, I noticed this error in DO's VNC console:

... network.service/stop deleted to break ordering cycle start

I also noticed the network-pre.service wasn't enabled:

root@debian-s-1vcpu-1gb-lon1-01:~# systemctl status network-pre.target
● network-pre.target - Network (Pre)
   Loaded: loaded (/lib/systemd/system/network-pre.target; static)
   Active: inactive (dead)
     Docs: man:systemd.special(7)
           http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget
root@debian-s-1vcpu-1gb-lon1-01:~# systemctl status network-online.target
● network-online.target - Network is Online
   Loaded: loaded (/lib/systemd/system/network-online.target; static)
   Active: active since Mon 2018-10-08 18:21:35 UTC; 48min ago
     Docs: man:systemd.special(7)
           http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget

Oct 08 18:21:35 debian-s-1vcpu-1gb-lon1-01.localdomain systemd[1]: Starting Network is Onl...
Oct 08 18:21:35 debian-s-1vcpu-1gb-lon1-01.localdomain systemd[1]: Reached target Network ...
Hint: Some lines were ellipsized, use -l to show in full.

Fixed in https://github.com/angristan/openvpn-install/commit/0d19b57e7ffd874aa5d04a3ed53560882450fcbb
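
The two symptoms above, an ordering cycle being broken at boot and network-pre.target staying inactive (dead), are the two failure modes that systemd.special(7) warns about for firewall units: such a unit should order itself Before=network-pre.target and also pull that target in with Wants= (Before= alone never starts it), and because network.target is itself ordered after network-pre.target, a unit that is both Before=network-pre.target and After=network.target describes a cycle. The script below is an added example, not code from openvpn-install and not what the fix commit changed (the thread does not show its diff); it parses the [Unit] section of a unit file and reports which of those states it is in. The three unit texts and the ExecStart paths in them are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the openvpn-install project: classify the [Unit]
# ordering of a firewall-rules unit against the systemd.special(7) guidance.
#   OK    - Before=network-pre.target and Wants=network-pre.target: rules go in
#           before the network is configured and the target is actually pulled in.
#   WARN  - Before=network-pre.target but no Wants=: nothing starts the target,
#           which then shows "Active: inactive (dead)" as in the thread.
#   CYCLE - Before=network-pre.target together with After=network.target (or
#           network-online.target), which systemd cannot satisfy; it breaks the
#           cycle by deleting one of the jobs at boot.
#   LATE  - not ordered before network-pre.target at all (rules go in after the
#           network is up; consistent, just a different design).
# The unit texts below are constructed samples; the ExecStart paths are placeholders.

# unit_values KEY: print every value of KEY= in the [Unit] section of the unit
# text on stdin, one per line (keys may repeat and may hold space-separated lists).
unit_values() {
    awk -v key="$1" '
        /^\[/ { in_unit = ($0 == "[Unit]"); next }
        in_unit && index($0, key "=") == 1 { print substr($0, length(key) + 2) }
    ' | tr ' ' '\n' | sed '/^$/d'
}

# check_unit UNIT_TEXT: print one verdict line whose first word is the class
# above; exit 0 for a consistent ordering, 1 for one systemd cannot satisfy.
check_unit() {
    text="$1"
    before=$(printf '%s\n' "$text" | unit_values Before)
    after=$(printf '%s\n' "$text" | unit_values After)
    wants=$(printf '%s\n' "$text" | unit_values Wants)

    if ! printf '%s\n' "$before" | grep -qx 'network-pre.target'; then
        echo "LATE: not ordered before network-pre.target; rules are installed after the network is up"
        return 0
    fi
    if printf '%s\n' "$after" | grep -qxE 'network(-online)?\.target'; then
        echo "CYCLE: Before=network-pre.target contradicts After=network(-online).target"
        return 1
    fi
    if ! printf '%s\n' "$wants" | grep -qx 'network-pre.target'; then
        echo "WARN: Before=network-pre.target without Wants=network-pre.target; the target is never pulled in"
        return 1
    fi
    echo "OK: ordered before network-pre.target and pulls it in"
    return 0
}

# Constructed sample 1: the pattern systemd.special(7) recommends.
GOOD_UNIT='[Unit]
Description=Constructed sample: firewall rules for OpenVPN
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/openvpn-rules.sh add
ExecStop=/usr/local/sbin/openvpn-rules.sh remove

[Install]
WantedBy=multi-user.target'

# Constructed sample 2: same rules, but also waiting for the network.
CYCLE_UNIT='[Unit]
Description=Constructed sample: ordered both before and after the network
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/openvpn-rules.sh add'

# Constructed sample 3: ordered before the target but never pulling it in.
NOWANTS_UNIT='[Unit]
Description=Constructed sample: Before= without Wants=
DefaultDependencies=no
Before=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/openvpn-rules.sh add'

for u in "$GOOD_UNIT" "$CYCLE_UNIT" "$NOWANTS_UNIT"; do
    check_unit "$u" || :    # a non-zero status is a finding, not a script error
done
```

On a live host the same classification can be made from `systemctl show -p Before,After,Wants <unit>` rather than from the file, which also accounts for ordering added by drop-ins and default dependencies; the parser here is deliberately limited to the unit text so it runs offline.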

angristan commented 5 years ago

Thanks for reporting