angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License

My vpn no longer works #55

Closed Patlol closed 7 years ago

Patlol commented 7 years ago

Hello, I have installed OpenVPN with Angristan's script on an OVH VPS server under Debian 8.7 (same thing on Ubuntu 16.04.2 LTS). After launching the client locally (Linux Mint 18), I no longer have access from the local machine to URLs, only to IPs, i.e. ping google.com doesn't work, ping 79.137.33.190 works (IP of google.com). My IP is not modified by the VPN. I have an error when running openvpn client1.ovpn: "Unrecognized option or missing parameter(s) in client1.ovpn:15: block-outside-dns (2.3.10)", but in the end I have "Initialization Sequence Completed".

ping 10.8.0.1 locally works; ping 10.8.0.2 on the server does not receive any packets (OK, seen #17). On the remote it's OK for both pings. And I have:

ps aux | grep openvpn
nobody     593  0.0  0.2  42488  5620 ?        Ss   avril18   0:01 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf

Local firewall off; it's OK on the server in the filter and nat tables:

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  10.8.0.0/24          anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
....
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  10.8.0.0/24          0.0.0.0/0            to:xx.xxx.xx.xxx

This script worked perfectly a few weeks ago on my previous tests.

DrXala commented 7 years ago

Hi Patlol ;)

ping google.com don't work ping 79.137.33.190 work (ip of google.com)

I think you have a problem with your DNS resolver. You can check the servers set on your client (Mint) in /etc/resolv.conf.

I have an error in running openvpn client1.ovpn : Unrecognized option or missing parameter(s) in client1.ovpn:15: block-outside-dns (2.3.10)

Can you paste line 15 of your client1.ovpn ?

You can use the -vn options of iptables for more visibility into whether your rules match: -v for verbose and -n for numeric. It looks like this example:

# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             /* loopback */
ACCEPT     icmp --  anywhere             anywhere             /* ping */
[...]
ACCEPT     tcp  --  AMontsouris-652-1-152-129.w86-212.abo.wanadoo.fr  anywhere             tcp dpt:8083 /* toshi influxdb */
[...]
# iptables -L INPUT -vn --line
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    3087M 1479G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    5866K  311M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* loopback */
3    3139K  110M ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            /* ping */
[...]
12       0     0 ACCEPT     tcp  --  *      *       86.212.15.129        0.0.0.0/0            tcp dpt:8083 /* toshi influxdb */
[...]

My ICMP (ping) rule has accepted 3139K packets and 0 for "toshi influxdb".

And if you want to verify that there is traffic on your vpn tunnel, use the tcpdump tool.

mint $ ping 79.137.33.190
debian # tcpdump -ni tun0 src 10.8.0.0/24

Patlol commented 7 years ago

Hello Doc. Thanks for your reply.

I think you have a problem with your DNS resolver.

I use a "Freebox v6" box. Contents of the local file:

$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1

On my box I have this:

DNS server 1: 80.67.169.12
DNS server 2: 80.67.169.40

Can you paste line 15 of your client1.ovpn ?

$ sed -n "15 p" client.ovpn
setenv opt block-outside-dns

And if you want to verify that there is traffic on your vpn tunnel, use the tcpdump tool.

local:

sudo openvpn --config client.ovpn
ping 79.137.33.190
# end of the test:
98 packets transmitted, 98 received, 0% packet loss, time 97141ms

remote:

$ sudo tcpdump -ni tun0 src 10.8.0.0/24
tcpdump: Mask syntax for networks only
$ sudo tcpdump -ni tun0 src 10.8.0.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes

^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
$

This is not surprising.

DrXala commented 7 years ago

Patlol,

Replace your nameserver IP with your Freebox LAN IP ;)

nameserver 192.168.1.1

Comment out "setenv opt block-outside-dns" and add this line: block-outside-dns. Restart your client and tell me if you have an error.

Try this ;)

$ sudo tcpdump -ni tun0 net 10.8.0.0/24
$ # or
$ sudo tcpdump -ni tun0 icmp

DrXala commented 7 years ago

Hello Patlol,

After bringing up your tunnel, can you check the route table on your client?

$ sudo route -n

I think your default route is not set to use the OpenVPN server as the next hop.

Patlol commented 7 years ago

Comment out "setenv opt block-outside-dns" and add this line: block-outside-dns. Restart your client and tell me if you have an error.

# setenv opt block-outside-dns

There is no longer an error message, but the problem is still there.

Replace your nameserver IP with your Freebox LAN IP ;)

By modifying resolv.conf it works!!! The great mystery is that I do not remember modifying this file...

sudo nohup openvpn --config pat.ovpn & :+1:

Uncommenting the line setenv opt block-outside-dns, I have the error message in nohup.out, but the VPN is working.

Thank you very much DrXala. With all the tests that you have given me, I hope I can fend for myself next time!!! :)

DrXala commented 7 years ago

I'm hopeful! If needed, don't hesitate to ask me by DM ;)

PS: you can close this issue :)

Patlol commented 7 years ago

The right procedure, for posterity. I remind you that these manipulations are on the local machine.

If I modify the file /etc/resolv.conf manually, I lose the changes on reboot! It is also specified in a comment in the file :)

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

and resolvconf does not change anything in my case.

The correct procedure is as follows (as root or with sudo). Run # ifconfig to find the right network interface (for me, enp5s0). Add or edit in /etc/network/interfaces:

auto lo
iface lo inet loopback

auto enp5s0
iface enp5s0 inet dhcp
dns-nameservers 192.168.0.254

with 192.168.0.254 being the box LAN IP in my config, to adapt to your configuration. Then bring the interface down and back up:

# ifdown --force enp5s0
# ifup --force enp5s0

The file resolv.conf is still the same, but the VPN works. After a reboot we have:

# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.0.254
nameserver 80.67.169.12
nameserver 80.67.169.40

Where do the IPs 80.67.169.xx come from? I do not know... They are the DNS servers configured on my box. And the VPN works!!!!
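A small diagnostic helper for the two checks this thread converges on: whether every nameserver in /etc/resolv.conf is a local 127.x stub (the 127.0.1.1 entry that hid the real upstream here) and whether the default route actually goes out a tun interface (DrXala's route -n question). This is an added example, not code from openvpn-install or from either poster; the sample resolv.conf and route -n text below are constructed, and the interface and address values in them are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not from openvpn-install or the posters above).
# Distinguishes "tunnel is up but the resolver is the problem" from "tunnel is not
# routing". Both parsers read text on stdin, so they run on live output or samples.

# Print nameserver addresses from resolv.conf-style text.
nameservers_in() {
    awk '$1 == "nameserver" { print $2 }'
}

# Succeed when every nameserver is a 127.x stub (e.g. 127.0.1.1 from resolvconf/dnsmasq):
# the stub forwards to an upstream that resolv.conf does not show, so look there next.
loopback_only() {
    ns=$(nameservers_in)
    [ -n "$ns" ] || return 1
    for n in $ns; do
        case "$n" in 127.*) ;; *) return 1 ;; esac
    done
    return 0
}

# Succeed when "route -n" text on stdin has a default route, or one of the two
# half-default routes (0.0.0.0/1 and 128.0.0.0/1) pushed by redirect-gateway def1,
# whose interface (last column) is a tun device.
default_via_tun() {
    awk '($1 == "0.0.0.0" || $1 == "128.0.0.0") &&
         ($3 == "0.0.0.0" || $3 == "128.0.0.0") && $NF ~ /^tun/ { found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# diagnose RESOLV_TEXT ROUTE_TEXT: print a one-word verdict.
diagnose() {
    if ! printf '%s\n' "$2" | default_via_tun; then
        echo no-tunnel-route
    elif printf '%s\n' "$1" | loopback_only; then
        echo loopback-stub-resolver
    else
        echo resolver-looks-ok
    fi
}

# Constructed sample mirroring the thread: stub resolver, tunnel routes present.
SAMPLE_RESOLV='nameserver 127.0.1.1'
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 enp5s0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0'
diagnose "$SAMPLE_RESOLV" "$SAMPLE_ROUTE"
# Live client: diagnose "$(cat /etc/resolv.conf)" "$(route -n)"
```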