iptables – OpenVPN icmp doesn’t go all the way back

I have

  • server : 192.168.5.77
  • openServerVPN : 192.168.5.202
  • client1 : 10.8.1.2
  • client2 : 10.8.0.3

When I ping the server from client2:

server: tcpdump  icmp -n -q
14:41:32.689212 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 12, seq 1, length 64
14:41:32.689257 IP 192.168.5.77 > 192.168.5.202: ICMP echo reply, id 12, seq 1, length 64
14:41:33.704333 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 12, seq 2, length 64
14:41:33.704378 IP 192.168.5.77 > 192.168.5.202: ICMP echo reply, id 12, seq 2, length 64
openServerVPN tcpdump  icmp -n -q
16:41:32.691194 IP 10.8.0.3 > 192.168.5.77: ICMP echo request, id 12, seq 1, length 64
16:41:32.691573 IP 192.168.5.77 > 10.8.0.3: ICMP echo reply, id 12, seq 1, length 64
16:41:32.960443 IP 192.168.5.202 > 10.8.0.3: ICMP 192.168.5.202 udp port 53 unreachable, length 67
16:41:32.996227 IP 192.168.5.202 > 10.8.0.3: ICMP 192.168.5.202 udp port 53 unreachable, length 67
16:41:33.706305 IP 10.8.0.3 > 192.168.5.77: ICMP echo request, id 12, seq 2, length 64
16:41:33.706710 IP 192.168.5.77 > 10.8.0.3: ICMP echo reply, id 12, seq 2, length 64

The ping reply is coming back to client2.

But when I ping from client1, the server doesn't seem to know where openServerVPN is:

server: tcpdump  icmp -n -q
14:39:04.889226 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 11, seq 48, length 64
14:39:04.889252 IP 192.168.5.77 > 192.168.5.202: ICMP echo reply, id 11, seq 48, length 64
14:39:05.912198 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 11, seq 49, length 64
14:39:05.912238 IP 192.168.5.77 > 192.168.5.202: ICMP echo reply, id 11, seq 49, length 64
14:39:06.911324 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 11, seq 50, length 64
14:39:06.911370 IP 192.168.5.77 > 192.168.5.202: ICMP echo reply, id 11, seq 50, length 64
14:39:07.496717 IP 192.168.5.202 > 192.168.5.77: ICMP host 192.168.5.202 unreachable, length 92
14:39:07.496739 IP 192.168.5.202 > 192.168.5.77: ICMP host 192.168.5.202 unreachable, length 92
14:39:07.496744 IP 192.168.5.202 > 192.168.5.77: ICMP host 192.168.5.202 unreachable, length 92
14:39:07.889982 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 11, seq 51, length 64

openServerVPN tcpdump  icmp -n -q
16:38:59.879419 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 43, length 64
16:39:00.902542 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 44, length 64
16:39:01.879307 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 45, length 64
16:39:02.888641 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 46, length 64
16:39:03.880365 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 47, length 64
16:39:04.890346 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 48, length 64
16:39:05.913296 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 49, length 64
16:39:06.912412 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 50, length 64
16:39:07.891099 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 51, length 64

It has the right IP to reply to, but the ping reply doesn't reach openServerVPN.

iptables on openServerVPN:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.8.0.0/24          anywhere             ctstate NEW
ACCEPT     all  --  10.8.1.0/24          anywhere             ctstate NEW
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.1.0/24         !10.8.1.0/24          to:192.168.5.202
SNAT       all  --  10.8.0.0/24         !10.8.0.0/24          to:192.168.5.202
MASQUERADE  all  --  10.8.0.0/24          anywhere
MASQUERADE  all  --  10.8.1.0/24          anywhere

(edit)

Also, when I ping from client2 to openServerVPN it works:

17:13:58.857825 IP 10.8.0.1 > 10.8.0.3: ICMP echo reply, id 16, seq 8, length 64
17:13:59.654237 IP 192.168.5.202 > 10.8.0.3: ICMP 192.168.5.202 udp port 53 unreachable, length 73
17:13:59.654300 IP 192.168.5.202 > 10.8.0.3: ICMP 192.168.5.202 udp port 53 unreachable, length 73
17:13:59.837156 IP 10.8.0.3 > 10.8.0.1: ICMP echo request, id 16, seq 9, length 64
17:13:59.837206 IP 10.8.0.1 > 10.8.0.3: ICMP echo reply, id 16, seq 9, length 64

but from client1 to openServerVPN it fails:

17:07:43.889960 IP 10.8.1.2 > 192.168.5.202: ICMP echo request, id 14, seq 17, length 64
17:07:44.897419 IP 10.8.1.2 > 192.168.5.202: ICMP echo request, id 14, seq 18, length 64
17:07:45.898396 IP 10.8.1.2 > 192.168.5.202: ICMP echo request, id 14, seq 19, length 64
17:07:46.900194 IP 10.8.1.2 > 192.168.5.202: ICMP echo request, id 14, seq 20, length 64
17:07:47.910821 IP 10.8.1.2 > 192.168.5.202: ICMP echo request, id 14, seq 21, length 64

(/edit)

Do you know what/where I should look/try?
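The captures above are easiest to read once requests and replies are paired by ICMP id/seq, which stays the same across a NAT hop even when the addresses change. The following script is an added example, not part of the question: it parses `tcpdump icmp -n -q` lines, pairs echo requests with replies, collects ICMP error messages, and lists the sequence numbers that were never answered at that capture point. The sample lines are copied from the captures in the post.

```python
"""Pair ICMP echo requests with replies in `tcpdump icmp -n -q` output.

Added example for the troubleshooting post above; not part of the original
post. The sample captures below are copied from the post."""
import re
from collections import OrderedDict

# e.g. 14:41:32.689212 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 12, seq 1, length 64
ECHO_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)
# e.g. ... ICMP host 192.168.5.202 unreachable, length 92
ERROR_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<msg>.*unreachable.*)$"
)


def pair_echoes(lines):
    """Return (flows, errors).

    flows maps (id, seq) -> {"request": (src, dst) | None, "reply": (src, dst) | None}.
    A request and its reply share the ICMP id/seq pair, so that is the key;
    the addresses differ between capture points whenever NAT rewrites them.
    errors is a list of (src, dst, message) for ICMP error packets."""
    flows = OrderedDict()
    errors = []
    for line in lines:
        m = ECHO_RE.match(line)
        if m:
            key = (int(m["id"]), int(m["seq"]))
            entry = flows.setdefault(key, {"request": None, "reply": None})
            entry[m["kind"]] = (m["src"], m["dst"])
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append((m["src"], m["dst"], m["msg"]))
    return flows, errors


def unanswered(lines):
    """(id, seq) pairs whose request has no matching reply in this capture."""
    flows, _ = pair_echoes(lines)
    return [key for key, v in flows.items() if v["request"] and not v["reply"]]


# Capture on openServerVPN while client2 pings the server (from the post)
CLIENT2_CAPTURE = """\
16:41:32.691194 IP 10.8.0.3 > 192.168.5.77: ICMP echo request, id 12, seq 1, length 64
16:41:32.691573 IP 192.168.5.77 > 10.8.0.3: ICMP echo reply, id 12, seq 1, length 64
16:41:32.960443 IP 192.168.5.202 > 10.8.0.3: ICMP 192.168.5.202 udp port 53 unreachable, length 67
16:41:33.706305 IP 10.8.0.3 > 192.168.5.77: ICMP echo request, id 12, seq 2, length 64
16:41:33.706710 IP 192.168.5.77 > 10.8.0.3: ICMP echo reply, id 12, seq 2, length 64
""".splitlines()

# Capture on openServerVPN while client1 pings the server: requests only
CLIENT1_CAPTURE = """\
16:39:04.890346 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 48, length 64
16:39:05.913296 IP 10.8.1.2 > 192.168.5.77: ICMP echo request, id 11, seq 49, length 64
""".splitlines()

# Capture on the server for the same pings, including the error it got back
SERVER_CAPTURE = """\
14:39:04.889226 IP 192.168.5.202 > 192.168.5.77: ICMP echo request, id 11, seq 48, length 64
14:39:04.889252 IP 192.168.5.77 > 192.168.5.202: ICMP echo reply, id 11, seq 48, length 64
14:39:07.496717 IP 192.168.5.202 > 192.168.5.77: ICMP host 192.168.5.202 unreachable, length 92
""".splitlines()

if __name__ == "__main__":
    for name, cap in (("client2 @ openServerVPN", CLIENT2_CAPTURE),
                      ("client1 @ openServerVPN", CLIENT1_CAPTURE),
                      ("client1 @ server", SERVER_CAPTURE)):
        flows, errors = pair_echoes(cap)
        print(f"{name}: {len(flows)} echo flows, unanswered {unanswered(cap)}, "
              f"{len(errors)} ICMP errors")
```

Run against the two openServerVPN captures, the client2 flows are all answered while every client1 flow is unanswered, and the server-side capture shows the reply was sent to 192.168.5.202 and answered with a host-unreachable error: the place to look is what openServerVPN does with a reply whose de-NATted destination is in 10.8.1.0/24.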

openvpn – Can a hacker get through a VPN by way of an iPhone? Are there programs that can simply shut down a hacker that is known? – Information Security Stack Exchange

debian – OpenVPN MULTI: bad source address from client [192.168.0.x], packet dropped

I have a problem with the OpenVPN server (Debian 10). I know this question has already been asked, but nothing helped me.

I connect to my OpenVPN server on the local network and everything works fine, but SOMETIMES I get this message from the OpenVPN server:

MULTI: bad source address from client (192.168.0.x), packet dropped

When such a message appears, nothing happens: the connection to the server remains, only some packets are dropped.

192.168.0.x is the IP address of my local device from which I connect (Android).

I am using an .ovpn file to connect to OpenVPN.
And now I want to ask: since this message only appears occasionally, should I be worried about this? Can this somehow be solved?

server.conf:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway autolocal"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth ta.key 
cipher AES-256-CBC
auth SHA256
max-clients 2
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 4
explicit-exit-notify 1

client.ovpn:

client
dev tun
proto udp
remote 192.168.0.x 1194 
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3

#CERTIFICATES...

In /etc/ufw/before.rules:

*nat
:POSTROUTING ACCEPT (0:0)
-A POSTROUTING -s 10.8.0.0/8 -o enp0s3 -j MASQUERADE
COMMIT

Sorry for my English, and thanks in advance 🙂 !!!
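Two things in the configuration above are worth checking mechanically. The `MULTI: bad source address` message is OpenVPN's server-side check that a packet arriving from a client carries that client's assigned tunnel address (or an address inside a subnet given to it with `iroute`); a packet whose source is the device's LAN address fails the check and is dropped, which is exactly what the log line says. Separately, the NAT rule in before.rules masquerades `10.8.0.0/8`, which is the whole of 10.0.0.0/8, not just the `10.8.0.0/24` pool declared by the `server` directive. The script below is an added example, not the poster's code: it compares the pool with the NAT source scope and models the source check. The `server` line and NAT rule are taken from the post; the client tunnel address 10.8.0.2 and the LAN address 192.168.0.55 are constructed stand-ins (the post writes 192.168.0.x).

```python
"""Check an OpenVPN pool against its NAT rule, and model the source-address
check behind "MULTI: bad source address from client [...], packet dropped".

Added example for the post above; not the poster's code. SERVER_CONF and
NAT_RULES are taken from the post; 10.8.0.2 and 192.168.0.55 are constructed."""
import ipaddress
import re
import shlex


def vpn_pool(server_conf: str):
    """Return the tunnel network declared by `server <network> <netmask>`."""
    for line in server_conf.splitlines():
        parts = shlex.split(line.split("#", 1)[0])
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    raise ValueError("no `server` directive found")


def nat_sources(rules: str):
    """Return the `-s` networks of MASQUERADE/SNAT rules in iptables-restore text."""
    nets = []
    for line in rules.splitlines():
        if "-j MASQUERADE" not in line and "-j SNAT" not in line:
            continue
        m = re.search(r"-s\s+(\S+)", line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def nat_scope_report(server_conf: str, rules: str):
    """Classify each NAT source net relative to the VPN pool.

    'broader' means the rule also NATs traffic that never came from the VPN,
    which is more than the pool needs; 'exact' is the least-privilege form."""
    pool = vpn_pool(server_conf)
    report = {}
    for net in nat_sources(rules):
        if net == pool:
            report[str(net)] = "exact"
        elif pool.subnet_of(net):
            report[str(net)] = "broader"
        elif net.subnet_of(pool):
            report[str(net)] = "narrower"
        else:
            report[str(net)] = "disjoint"
    return report


def source_accepted(src: str, client_vip: str, iroutes=()):
    """Model of the server's check on packets received from a client: the
    source must be the client's assigned tunnel address or lie in a subnet
    that client owns via `iroute`; anything else is logged as a bad source
    address and dropped."""
    addr = ipaddress.ip_address(src)
    if addr == ipaddress.ip_address(client_vip):
        return True
    return any(addr in ipaddress.ip_network(n, strict=False) for n in iroutes)


# From the post
SERVER_CONF = 'server 10.8.0.0 255.255.255.0\npush "redirect-gateway autolocal"\n'
NAT_RULES = ("*nat\n:POSTROUTING ACCEPT (0:0)\n"
             "-A POSTROUTING -s 10.8.0.0/8 -o enp0s3 -j MASQUERADE\nCOMMIT\n")
# Same rule scoped to the pool only
TIGHTENED_NAT_RULES = NAT_RULES.replace("10.8.0.0/8", "10.8.0.0/24")

if __name__ == "__main__":
    print("posted NAT rule:", nat_scope_report(SERVER_CONF, NAT_RULES))
    print("tightened NAT rule:", nat_scope_report(SERVER_CONF, TIGHTENED_NAT_RULES))
    # 10.8.0.2: constructed client tunnel address; 192.168.0.55: constructed
    # stand-in for the post's 192.168.0.x LAN address
    print("tunnel source accepted:", source_accepted("10.8.0.2", "10.8.0.2"))
    print("LAN source accepted:", source_accepted("192.168.0.55", "10.8.0.2"))
```

The last call returns False, which is the situation the log line reports; the same packet would be accepted only if the client had been given an `iroute` for 192.168.0.0/24, and that is not what a single road-warrior device should have.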

Running Your Own OpenVPN VPN Server

Setting up your own OpenVPN VPN on both server and client is very easy to do. In this tutorial, we'll walk through setting up an OpenVPN server on a VPS you own, and then configuring Windows and macOS to connect to it.

I'll be using a Debian 10 VPS on Linode (a 1GB Nanode, to be precise) named vpn.lowend.party. The VPS you choose hardly needs any RAM, so a small VPS is perfect. You should be able to get a VPN VPS for $15-20 a year. There are plenty of great OpenVZ options available on LowEndBox, which should be your most affordable option.

We’re going to use Nyr’s OpenVPN Road Warrior script.  It makes setting up OpenVPN on the server side dead simple.

Download the script and run it:

wget https://git.io/vpn -O openvpn-install.sh && bash openvpn-install.sh

The script asks a few questions. You can take the defaults for most things. I'll use Google's DNS and name my VPN connection "vpn.lowend.party". My responses appear after each prompt; <return> means I just pressed Enter.

Welcome to this OpenVPN road warrior installer!
I need to ask you a few questions before starting setup.
You can use the default options and just press enter if you are ok with them.

Which protocol do you want for OpenVPN connections?
   1) UDP (recommended)
   2) TCP
Protocol (1): 1

What port do you want OpenVPN listening to?
Port (1194): <return>

Which DNS do you want to use with the VPN?
   1) Current system resolvers
   2) 1.1.1.1
   3) Google
   4) OpenDNS
   5) NTT
   6) AdGuard
DNS (1): 3

Finally, tell me a name for the client certificate.
Client name (client): vpn.lowend.party

We are ready to set up your OpenVPN server now.
Press any key to continue...

Get:1 http://mirrors.linode.com/debian buster InRelease (121 kB)
Get:2 http://mirrors.linode.com/debian-security buster/updates InRelease (65.4 kB)
Get:3 http://mirrors.linode.com/debian buster-updates InRelease (49.3 kB)
Get:4 http://mirrors.linode.com/debian buster/main Sources (7,831 kB)
Get:5 http://mirrors.linode.com/debian buster/main amd64 Packages (7,905 kB)
Get:6 http://mirrors.linode.com/debian buster/main Translation-en (5,969 kB)
Get:7 http://mirrors.linode.com/debian-security buster/updates/main Sources (119 kB)
Get:8 http://mirrors.linode.com/debian-security buster/updates/main amd64 Packages (197 kB)
Get:9 http://mirrors.linode.com/debian-security buster/updates/main Translation-en (106 kB)
Get:10 http://mirrors.linode.com/debian buster-updates/main Sources.diff/Index (2,212 B)
Get:11 http://mirrors.linode.com/debian buster-updates/main amd64 Packages.diff/Index (2,212 B)
Get:12 http://mirrors.linode.com/debian buster-updates/main Translation-en.diff/Index (2,212 B)
Get:13 http://mirrors.linode.com/debian buster-updates/main Sources 2020-02-23-2017.41.pdiff (924 B)
Get:14 http://mirrors.linode.com/debian buster-updates/main amd64 Packages 2020-02-23-2017.41.pdiff (2,162 B)
Get:13 http://mirrors.linode.com/debian buster-updates/main Sources 2020-02-23-2017.41.pdiff (924 B)
Get:15 http://mirrors.linode.com/debian buster-updates/main Translation-en 2020-02-23-2017.41.pdiff (1,700 B)
Get:15 http://mirrors.linode.com/debian buster-updates/main Translation-en 2020-02-23-2017.41.pdiff (1,700 B)
Get:14 http://mirrors.linode.com/debian buster-updates/main amd64 Packages 2020-02-23-2017.41.pdiff (2,162 B)
Fetched 22.4 MB in 6s (4,067 kB/s)                                             
Reading package lists... Done
N: Repository 'http://mirrors.linode.com/debian buster InRelease' changed its 'Version' value from '10.3' to '10.4'
Reading package lists... Done
Building dependency tree       
Reading state information... Done
ca-certificates is already the newest version (20190110).
ca-certificates set to manually installed.
The following additional packages will be installed:
  easy-rsa libccid libglib2.0-0 libglib2.0-data liblzo2-2 libpcsclite1
  libpkcs11-helper1 libusb-1.0-0 opensc opensc-pkcs11 pcscd shared-mime-info
  xdg-user-dirs
Suggested packages:
  pcmciautils resolvconf openvpn-systemd-resolved
The following NEW packages will be installed:
  easy-rsa libccid libglib2.0-0 libglib2.0-data liblzo2-2 libpcsclite1
  libpkcs11-helper1 libusb-1.0-0 opensc opensc-pkcs11 openvpn pcscd
  shared-mime-info xdg-user-dirs
The following packages will be upgraded:
  openssl
1 upgraded, 14 newly installed, 0 to remove and 22 not upgraded.

Need to get 6,337 kB of archives.
After this operation, 24.3 MB of additional disk space will be used.
Get:1 http://mirrors.linode.com/debian buster/main amd64 openssl amd64 1.1.1d-0+deb10u3 (844 kB)
Get:2 http://mirrors.linode.com/debian buster/main amd64 easy-rsa all 3.0.6-1 (37.9 kB)
Get:3 http://mirrors.linode.com/debian buster/main amd64 libusb-1.0-0 amd64 2:1.0.22-2 (55.3 kB)
Get:4 http://mirrors.linode.com/debian buster/main amd64 libccid amd64 1.4.30-1 (334 kB)
Get:5 http://mirrors.linode.com/debian buster/main amd64 libglib2.0-0 amd64 2.58.3-2+deb10u2 (1,258 kB)
Get:6 http://mirrors.linode.com/debian buster/main amd64 libglib2.0-data all 2.58.3-2+deb10u2 (1,110 kB)
Get:7 http://mirrors.linode.com/debian buster/main amd64 liblzo2-2 amd64 2.10-0.1 (56.1 kB)
Get:8 http://mirrors.linode.com/debian buster/main amd64 libpcsclite1 amd64 1.8.24-1 (58.5 kB)
Get:9 http://mirrors.linode.com/debian buster/main amd64 libpkcs11-helper1 amd64 1.25.1-1 (47.6 kB)
Get:10 http://mirrors.linode.com/debian buster/main amd64 opensc-pkcs11 amd64 0.19.0-1 (826 kB)
Get:11 http://mirrors.linode.com/debian buster/main amd64 opensc amd64 0.19.0-1 (305 kB)
Get:12 http://mirrors.linode.com/debian buster/main amd64 openvpn amd64 2.4.7-1 (490 kB)
Get:13 http://mirrors.linode.com/debian buster/main amd64 pcscd amd64 1.8.24-1 (95.3 kB)
Get:14 http://mirrors.linode.com/debian buster/main amd64 shared-mime-info amd64 1.10-1 (766 kB)
Get:15 http://mirrors.linode.com/debian buster/main amd64 xdg-user-dirs amd64 0.17-2 (53.8 kB)
Fetched 6,337 kB in 0s (78.0 MB/s)   
apt-listchanges: Reading changelogs...
Preconfiguring packages ...
(Reading database ... 29490 files and directories currently installed.)
Preparing to unpack .../00-openssl_1.1.1d-0+deb10u3_amd64.deb ...
Unpacking openssl (1.1.1d-0+deb10u3) over (1.1.1d-0+deb10u2) ...
Selecting previously unselected package easy-rsa.
Preparing to unpack .../01-easy-rsa_3.0.6-1_all.deb ...
Unpacking easy-rsa (3.0.6-1) ...
Selecting previously unselected package libusb-1.0-0:amd64.
Preparing to unpack .../02-libusb-1.0-0_2%3a1.0.22-2_amd64.deb ...
Unpacking libusb-1.0-0:amd64 (2:1.0.22-2) ...
Selecting previously unselected package libccid.
Preparing to unpack .../03-libccid_1.4.30-1_amd64.deb ...
Unpacking libccid (1.4.30-1) ...
Selecting previously unselected package libglib2.0-0:amd64.
Preparing to unpack .../04-libglib2.0-0_2.58.3-2+deb10u2_amd64.deb ...
Unpacking libglib2.0-0:amd64 (2.58.3-2+deb10u2) ...
Selecting previously unselected package libglib2.0-data.
Preparing to unpack .../05-libglib2.0-data_2.58.3-2+deb10u2_all.deb ...
Unpacking libglib2.0-data (2.58.3-2+deb10u2) ...
Selecting previously unselected package liblzo2-2:amd64.
Preparing to unpack .../06-liblzo2-2_2.10-0.1_amd64.deb ...
Unpacking liblzo2-2:amd64 (2.10-0.1) ...
Selecting previously unselected package libpcsclite1:amd64.
Preparing to unpack .../07-libpcsclite1_1.8.24-1_amd64.deb ...
Unpacking libpcsclite1:amd64 (1.8.24-1) ...
Selecting previously unselected package libpkcs11-helper1:amd64.
Preparing to unpack .../08-libpkcs11-helper1_1.25.1-1_amd64.deb ...
Unpacking libpkcs11-helper1:amd64 (1.25.1-1) ...
Selecting previously unselected package opensc-pkcs11:amd64.
Preparing to unpack .../09-opensc-pkcs11_0.19.0-1_amd64.deb ...
Unpacking opensc-pkcs11:amd64 (0.19.0-1) ...
Selecting previously unselected package opensc.
Preparing to unpack .../10-opensc_0.19.0-1_amd64.deb ...
Unpacking opensc (0.19.0-1) ...
Selecting previously unselected package openvpn.
Preparing to unpack .../11-openvpn_2.4.7-1_amd64.deb ...
Unpacking openvpn (2.4.7-1) ...
Selecting previously unselected package pcscd.
Preparing to unpack .../12-pcscd_1.8.24-1_amd64.deb ...
Unpacking pcscd (1.8.24-1) ...
Selecting previously unselected package shared-mime-info.
Preparing to unpack .../13-shared-mime-info_1.10-1_amd64.deb ...
Unpacking shared-mime-info (1.10-1) ...
Selecting previously unselected package xdg-user-dirs.
Preparing to unpack .../14-xdg-user-dirs_0.17-2_amd64.deb ...
Unpacking xdg-user-dirs (0.17-2) ...
Setting up xdg-user-dirs (0.17-2) ...
Setting up libglib2.0-0:amd64 (2.58.3-2+deb10u2) ...
No schema files found: doing nothing.
Setting up liblzo2-2:amd64 (2.10-0.1) ...
Setting up libpkcs11-helper1:amd64 (1.25.1-1) ...
Setting up opensc-pkcs11:amd64 (0.19.0-1) ...
Setting up libglib2.0-data (2.58.3-2+deb10u2) ...
Setting up shared-mime-info (1.10-1) ...
Setting up libpcsclite1:amd64 (1.8.24-1) ...
Setting up libusb-1.0-0:amd64 (2:1.0.22-2) ...
Setting up openssl (1.1.1d-0+deb10u3) ...
Setting up easy-rsa (3.0.6-1) ...
Setting up openvpn (2.4.7-1) ...
(....) Restarting virtual private network daemon.:.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn.service → /lib/systemd/system/openvpn.service.
Setting up libccid (1.4.30-1) ...
Setting up opensc (0.19.0-1) ...
Setting up pcscd (1.8.24-1) ...
Created symlink /etc/systemd/system/sockets.target.wants/pcscd.socket → /lib/systemd/system/pcscd.socket.
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for mime-support (3.62) ...
Processing triggers for libc-bin (2.28-10) ...
Processing triggers for systemd (241-7~deb10u3) ...
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /etc/openvpn/server/easy-rsa/pki
Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
........................+++++
e is 65537 (0x010001)
Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Generating a RSA private key
.......................+++++
.........+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-1668.z4zqJY/tmp.3jy9Ii'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1668.z4zqJY/tmp.cHab1S
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server'
Certificate is to be certified until May  9 23:29:57 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Generating a RSA private key
.............+++++
.................................................................................................+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-1743.QRDcVj/tmp.siHTEx'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1743.QRDcVj/tmp.87s9ot
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'vpn_lowend_party'
Certificate is to be certified until May  9 23:29:57 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Using SSL: openssl OpenSSL 1.1.1d  10 Sep 2019
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1799.N6ujtN/tmp.PLjftX
An updated CRL has been created.
CRL file: /etc/openvpn/server/easy-rsa/pki/crl.pem
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-iptables.service → /etc/systemd/system/openvpn-iptables.service.
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /lib/systemd/system/openvpn-server@.service.
Finished!
Your client configuration is available at: /root/vpn_lowend_party.ovpn
If you want to add more clients, just run this script again!

Wow, that was a lot.  The system has been completely configured for OpenVPN.

Now look in your root directory:

root@vpn:~# ls -l /root
total 32
-rw-r--r-- 1 root root 23043 May 11 23:27 openvpn-install.sh
-rw-r--r-- 1 root root  5007 May 11 23:29 vpn_lowend_party.ovpn

That .ovpn file is what we need to configure the client side. It is a text file, so you can either scp it from your server, or just cat it (cat *.ovpn), copy the text, and paste it into a file on your client. Make sure the file you save it as ends in .ovpn (not .txt). The profile embeds the client's certificate and private key, so treat it like a password: move it over an encrypted channel (scp is fine) and remove stray copies once it has been imported.
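Before importing a profile it is worth checking that it carries the directives a road-warrior client relies on and that the file is not readable by other users. The script below is an added example, not the installer script's own output or the author's file: the profile text is constructed with placeholder PEM data, and the checks (required directives, inline certificate/key blocks, `.ovpn` extension, file mode) are assumptions about what a hardened profile should contain.

```python
"""Sanity-check a client .ovpn profile before importing it.

Added example for the tutorial; not the installer's output. SAMPLE_PROFILE is
constructed with placeholder PEM data; the checks are this example's own."""
import os
import re
import stat
import tempfile

# Directives a road-warrior profile should carry, and why
REQUIRED = {
    "client": "the profile must act as a client",
    "remote": "server address and port",
    "remote-cert-tls server": "refuse a peer whose certificate is not a server certificate",
}
# Certificate material expected inline (or as `<tag> <file>` directives)
INLINE_BLOCKS = ("ca", "cert", "key")
CONTROL_CHANNEL = ("tls-crypt", "tls-auth")

SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verb 3
<ca>
PLACEHOLDER-CA-PEM
</ca>
<cert>
PLACEHOLDER-CLIENT-CERT-PEM
</cert>
<key>
PLACEHOLDER-CLIENT-KEY-PEM
</key>
<tls-crypt>
PLACEHOLDER-TLS-CRYPT-KEY
</tls-crypt>
"""


def parse_profile(text):
    """Return (directive lines, set of inline <tag> block names)."""
    blocks = set(re.findall(r"^<([\w-]+)>\s*$", text, flags=re.M))
    without_blocks = re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S)
    directives = [l.strip() for l in without_blocks.splitlines()
                  if l.strip() and not l.lstrip().startswith(("#", ";"))]
    return directives, blocks


def has_directive(directives, wanted):
    return any(d == wanted or d.startswith(wanted + " ") for d in directives)


def lint_profile(text):
    """List of problems found in the profile text; empty means it passed."""
    directives, blocks = parse_profile(text)
    problems = []
    for wanted, why in REQUIRED.items():
        if not has_directive(directives, wanted):
            problems.append(f"missing `{wanted}`: {why}")
    for tag in INLINE_BLOCKS:
        if tag not in blocks and not has_directive(directives, tag):
            problems.append(f"no <{tag}> block and no `{tag} <file>` directive")
    if not any(t in blocks or has_directive(directives, t) for t in CONTROL_CHANNEL):
        problems.append("no tls-crypt/tls-auth: control channel is unprotected")
    return problems


def readable_by_others(path):
    """True if group or other bits are set; the file embeds the private key."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def lint_profile_file(path):
    with open(path, encoding="utf-8") as fh:
        problems = lint_profile(fh.read())
    if not path.endswith(".ovpn"):
        problems.append("file name must end in .ovpn for the GUI clients to import it")
    if readable_by_others(path):
        problems.append("file is readable by other users but embeds the client private key")
    return problems


def write_sample_profile():
    """Write SAMPLE_PROFILE to a private (0600) temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".ovpn")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PROFILE)
    os.chmod(path, 0o600)
    return path


if __name__ == "__main__":
    print(lint_profile_file(write_sample_profile()) or "profile looks fine")
```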

To configure for Windows, we’ll use the official OpenVPN client.  Go to OpenVPN.net and select the appropriate installer.  We’re using Windows 10 in this example.  Downloading the .exe and installing it is the usual next, next, next Windows process.

Once installed, either double-click the OpenVPN icon on your desktop or select it from the start menu.

You’ll get an error that there are no config files.  Click OK.

Now find the OpenVPN GUI icon in your tray (lower right hand corner).

Right click and select “Import file…”

In the file selector, browse to the .ovpn file you copied from your VPN server:

Once you’ve clicked OK, you’ll get a message that it has been successfully imported:

Now right-click on the OpenVPN GUI icon in your tray again and select Connect:

OpenVPN will dazzle you with some fast-scrolling log info to show you how hard it’s working.

You’ll get a notification that you’re connected:

And if you look in your tray, you’ll see the OpenVPN icon has now turned green:

At this point, if you go to something like What’s My IP, your browser will display the IP of your VPN server, not your home Internet, verifying that you’re VPN’d to your server.

To disconnect, right-click on the OpenVPN GUI and select Disconnect.

Configuring Your Mac (with Viscosity)

For Mac, I'm going to show you how to use SparkLabs' Viscosity, which is my favorite VPN client. It's not free, so if you are looking for a free client, skip forward to the next section, which uses an alternate client, Tunnelblick.

Installing Viscosity is the usual .dmg mount and click.  Once it’s installed, run it from Applications.  You’ll find a new icon (circle and padlock) on your menu bar:

Click it and select Preferences to setup your connection:

In the Preferences pane, hit the plus button in the lower left corner, and select Import Connection and then From File.

Browse to the .ovpn file you copied from your server earlier:

Once you’ve selected it and clicked OK, you’ll get a successful import message from Viscosity:

Click OK, then go back to your menu bar. Click the circle-and-padlock Viscosity icon again. Your connection will show as "Disconnected". Click it to connect.

After a moment, you’ll get a macOS notification that you’ve been connected:

At this point, if you go to something like What’s My IP, your browser will display the IP of your VPN server, not your home Internet, verifying that you’re VPN’d to your server.

To disconnect, click the Viscosity menu bar icon again and click on your connection name:

You'll get a macOS notification that you've been disconnected:

Tunnelblick is a free OpenVPN-compatible client for macOS.  To obtain a copy, head over to tunnelblick.net.  Installing it is the usual .dmg mount & click.

Once run, Tunnelblick will display its opening welcome:

Click “I have configuration files”.  Tunnelblick will then tell you it doesn’t care.  OK, not exactly, but it’ll tell you this isn’t the place to enter configuration files.  Close the window.

In the menu bar, click the new Tunnelblick icon and select Add a VPN…

The Configurations pane comes up. In Finder, browse to where you saved the .ovpn file, click it, and drag it to Configurations.

You’ll be asked if you want to install it for all users or just you.  Make your choice:

Tunnelblick will then show it under Configurations.  Close this window.

Back in your menu bar, click the Tunnelblick icon and select the Connect entry for your VPN:

After working for a bit, Tunnelblick will give you a nice bright green acknowledgement that you’re connected:

At this point, if you go to something like What’s My IP, your browser will display the IP of your VPN server, not your home Internet, verifying that you’re VPN’d to your server.

To disconnect, simply click the Tunnelblick menu bar icon again and click Disconnect:


raindog308

I’m Andrew, techno polymath and long-time LowEndTalk community Moderator. My technical interests include all things Unix, perl, python, shell scripting, and relational database systems. I enjoy writing technical articles here on LowEndBox to help people get more out of their VPSes.

windows – OpenVPN TAP client different gateway than local network / How to align

I have an OpenVPN client set up on my locally accessible media server, and it is mainly functioning as it should.

However, some LAN clients have problems accessing the media server locally, as they try to connect to the TAP connection's IP (10.8.2.10) instead of the server's actual LAN IP (192.168.0.111).

What can I do to align the gateways, or tell my clients to find the server's actual LAN IP?

The media server with the OpenVPN client is running Windows.
The local clients that need to access the media server are Android clients and the like.

Router is running OpenWRT

ipconfig, TAP adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-45-2F-41-74
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::3863:63cf:9e1c:48d2%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.2.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, 11 March 2021 19.06.04
   Lease Expires . . . . . . . . . . : Friday, 11 March 2022 19.06.03
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.2.254
   DHCPv6 IAID . . . . . . . . . . . : 302055237
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-8B-3E-A9-94-C6-91-10-EA-FF
   DNS Servers . . . . . . . . . . . : 103.86.96.100
                                       103.86.99.100
   NetBIOS over Tcpip. . . . . . . . : Enabled

Local ethernet adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (4) I219-V
   Physical Address. . . . . . . . . : 94-C6-91-10-EA-FF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.111(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, 11 March 2021 19.05.53
   Lease Expires . . . . . . . . . . : Monday, 18 April 2157 02.05.42
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Bridging a remote site through OpenVPN with broadcast traffic

I am trying to set up a VPN connection between two sites.

  • The remote site has a camera running that broadcasts video using TCP, and additionally advertises itself on the network using mDNS/Bonjour.
  • The local site has a laptop that should be able to connect to the camera and receive the broadcast.
  • In the middle there is a Linux server running on a cloud provider, hosting an OpenVPN server.

Here’s a diagram of the architecture:

So far I’ve used this script to set up OpenVPN and the client configurations. Both the router on the remote site as well as the laptop on the local site can connect to the VPN. In the default setup, both VPN-connected devices could talk to the server, but the laptop was not able to ping the camera. That was expected; no route was configured for that.

So, additionally, I’ve followed this guide to set up the route, setting the following:

# in the client-specific configuration
iroute 192.168.100.0 255.255.255.0
# in the server configuration
client-to-client
route 192.168.100.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"

This enabled me to reach the IP address of the camera from the laptop. However, I do not see the mDNS/Bonjour advertisement, which also is somewhat expected.

What do I have to do to make sure I see the broadcast traffic locally?

I see there is the option to convert the whole setup to a TAP bridge. Would that be the solution? I fail to understand how exactly to apply it to my scenario. I do not want to risk losing connectivity to the VPN server by messing with its default Ethernet adapter (which has a public IP configured).

Looking at the guide for bridging: can I use the script provided? If so, which values do I need to use? If not, what do I need to change? I thought about doing the following:

  • Removing the client-specific configuration again
  • Changing the server configuration to use the dev tap
  • Specifying server-bridge – should I remove the server-bridge parameters completely to let the router take over the DHCP part, or should the VPN server provide it? The router may not always be connected…

I’ve tried starting the bridge_start.sh script with these values:

eth="eth0"
eth_ip="192.168.100.254"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.100.255"

And once I do that, the server has no incoming or outgoing Internet connectivity anymore. All without even starting the VPN service.

vpn – openvpn over wireguard (Multi-cloud Plan)

I am an SRE engineer, currently working on building a hybrid cloud network and its management. Through research, I have been able to use an OpenVPN and WireGuard topology combination network proficiently, because WireGuard combines well with VPCs, and OpenVPN combines well with LDAP (this means we can easily achieve large-scale management of people). So last week I successfully used these two to implement an architecture that makes access control and personnel management easy. However, there was an error in restarting the relocation server, and it has been stagnant for a long time. I don't know if I can ask you to help determine the cause of the problem. This is my email: cyg0504@outlook.com. Thank you very much, I really want to complete this idea!

Here is the Topology:

Multi-cloud topology

And here is the proof of success:


But now there is a little error: the WireGuard server transmits the data packet from the OpenVPN server to the WireGuard client, and the UDP port of the WireGuard client caught the data packet, but it did not return. I currently have no ideas. Here is the packet capture situation:

# openvpn server tun0
1 0.000000000 10.11.254.254 -> 192.168.5.121 ICMP 60 Echo (ping) request  id=0x0001, seq=2825/2315, ttl=128
2 4.821120726 10.11.254.254 -> 192.168.5.121 ICMP 60 Echo (ping) request  id=0x0001, seq=2826/2571, ttl=128
3 9.812869195 10.11.254.254 -> 192.168.5.121 ICMP 60 Echo (ping) request  id=0x0001, seq=2827/2827, ttl=128
4 14.825211662 10.11.254.254 -> 192.168.5.121 ICMP 60 Echo (ping) request  id=0x0001, seq=2828/3083, ttl=128

# wireguard server wg0
1 0.000000000 10.11.254.254 -> 192.168.5.121 ICMP 60 Echo (ping) request  id=0x0001, seq=2825/2315, ttl=127
2 4.821113913 10.11.254.254 -> 192.168.5.121 ICMP 60 Echo (ping) request  id=0x0001, seq=2826/2571, ttl=127
3 9.812859921 10.11.254.254 -> 192.168.5.121 ICMP 60 Echo (ping) request  id=0x0001, seq=2827/2827, ttl=127
4 14.825202064 10.11.254.254 -> 192.168.5.121 ICMP 60 Echo (ping) request  id=0x0001, seq=2828/3083, ttl=127

# wireguard client

1 0.000000000 192.168.5.121 -> 121.37.167.91 UDP 74 Source port: 48470  Destination port: 51820
2 0.464589965 121.37.167.91 -> 192.168.5.121 DCERPC 138 Request: seq: 2300299977 opnum: 17002 len: 42386
3 5.285677737 121.37.167.91 -> 192.168.5.121 DCERPC 138 Request: seq: 1918514171 opnum: 30046 len: 11687
4 10.277351697 121.37.167.91 -> 192.168.5.121 DCERPC 138 Request: seq: 1517697561 opnum: 54814 len: 58132
5 10.495953715 192.168.5.121 -> 121.37.167.91 UDP 74 Source port: 48470  Destination port: 51820
6 15.289722767 121.37.167.91 -> 192.168.5.121 DCERPC 138 Request: seq: 2427251217 opnum: 41946 len: 34829
7 25.311986345 192.168.5.121 -> 121.37.167.91 UDP 74 Source port: 48470  Destination port: 51820


e_udp.txt is the result of the packet capture from the OpenVPN client pinging the WireGuard client; udp.txt is the normal reply packet captured from the WireGuard server pinging the WireGuard client.
I hope interested friends can give some insights! 0.0

networking – OpenVPN Routing – Super User

I have an environment where we have two locations connected through a site-to-site VPN using two NETGEAR UTM150 appliances.

I have an OpenVPN server at Site A.
I have a web server located at Site B.

I would like clients who VPN to the OpenVPN Server at Site A to be able to access the web server at Site B.

Site A LAN: 10.0.1.0/24
Site A NETGEAR Appliance: 10.0.1.1
Site A OpenVPN Server: 10.0.1.10
Site A Test Computer: 10.0.1.101

Site B LAN: 10.0.2.0/24
Site B NETGEAR Appliance: 10.0.2.1
Site B Web Server: 10.0.2.50
Site B Test Computer: 10.0.2.101

OpenVPN LAN: 10.0.200.0/24
OpenVPN Server LAN Address: 10.0.200.1
OpenVPN Client: 10.0.200.2

I am able to ping and access the Site B Web Server from the Site A and B Test computers.
I am able to ping the Site B Web Server from the OpenVPN Server.
I am able to ping the Site A Test Computer from the OpenVPN Server.
I am able to ping the Site A Test Computer from the OpenVPN Client.
I am able to ping the Site A NETGEAR Appliance from the Site B Web Server.
I am able to ping the Site A OpenVPN Server from the Site B Web Server.

I am NOT able to ping the Site B Test Computer or the Site B Web Server from the OpenVPN Client.

When performing a traceroute from OpenVPN Client to Site B Web Server the following occurs:

  1. It hits the OpenVPN Server at 10.0.200.1
  2. It hits the SITE A NETGEAR UTM150 at 10.0.1.1
  3. It then does not go over the NETGEAR Appliances Site to Site VPN Link, but tries to find 10.0.2.50 over the internet.
  4. The requests then timeout.

I know there is a route I am missing somewhere. But I cannot figure out where it should go and what it should look like.

I would be happy to provide additional information if requested.

Thank you in advance.
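The traceroute above shows the Site A UTM150 handing the packet to its default route rather than into the IPsec tunnel. A site-to-site tunnel is selected by traffic selectors, a packet is only encapsulated when both its source and destination fall inside a configured (local, remote) pair, so a selector of 10.0.1.0/24 to 10.0.2.0/24 does not match a source of 10.0.200.2. The model below is an added example written for this page, not the poster's configuration or NETGEAR code; the single selector pair on the UTM is an assumption consistent with the symptoms, and `eth0` is an assumed interface name. It shows the two usual fixes: add a second selector pair on both appliances, or source-NAT the OpenVPN clients to the server's LAN address (10.0.1.10) so they look like Site A LAN traffic, which the post already shows can reach Site B.

```python
"""Model of IPsec traffic-selector matching for the Site A / Site B layout.

Added example for this page (not the poster's or NETGEAR's code). The UTM's
selector set and the interface name are assumptions.
"""
from ipaddress import ip_address, ip_network

# Addresses taken from the post.
SITE_A_LAN = ip_network("10.0.1.0/24")
SITE_B_LAN = ip_network("10.0.2.0/24")
OPENVPN_LAN = ip_network("10.0.200.0/24")
OPENVPN_SERVER_LAN_IP = ip_address("10.0.1.10")
SITE_A_TEST_PC = ip_address("10.0.1.101")
SITE_B_WEB = ip_address("10.0.2.50")
OPENVPN_CLIENT = ip_address("10.0.200.2")

# Assumed: the Site A UTM150 has a single LAN-to-LAN selector pair.
UTM_SELECTORS = [(SITE_A_LAN, SITE_B_LAN)]


def next_hop(src, dst, selectors):
    """'ipsec' when (src, dst) falls inside a (local, remote) selector pair,
    otherwise the appliance forwards via its default route ('default')."""
    for local, remote in selectors:
        if src in local and dst in remote:
            return "ipsec"
    return "default"


def snat(src, nat_subnet, nat_to):
    """Model of: iptables -t nat -A POSTROUTING -s <nat_subnet> -j SNAT --to <nat_to>
    applied on the OpenVPN server before the packet reaches the UTM."""
    return nat_to if src in nat_subnet else src


def path_as_posted():
    # 10.0.200.2 -> 10.0.2.50 matches no selector: goes to the internet and times out.
    return next_hop(OPENVPN_CLIENT, SITE_B_WEB, UTM_SELECTORS)


def path_with_nat():
    # Fix 1: NAT clients to 10.0.1.10 on the OpenVPN server. Replies from Site B
    # come back to 10.0.1.10 inside the existing tunnel, so no Site B changes.
    translated = snat(OPENVPN_CLIENT, OPENVPN_LAN, OPENVPN_SERVER_LAN_IP)
    return next_hop(translated, SITE_B_WEB, UTM_SELECTORS)


def path_with_extra_selector():
    # Fix 2: add (10.0.200.0/24, 10.0.2.0/24) on BOTH appliances so the
    # Site B UTM also knows to send return traffic back through the tunnel.
    return next_hop(OPENVPN_CLIENT, SITE_B_WEB,
                    UTM_SELECTORS + [(OPENVPN_LAN, SITE_B_LAN)])


def nat_fix_commands(lan_if="eth0"):
    """Concrete Linux configuration behind fix 1 (interface name assumed).
    The traceroute already reaching 10.0.200.1 shows the client route to
    10.0.2.0/24 is in place; only the NAT rule is new."""
    return [
        f"iptables -t nat -A POSTROUTING -s {OPENVPN_LAN} -d {SITE_B_LAN} "
        f"-o {lan_if} -j SNAT --to-source {OPENVPN_SERVER_LAN_IP}",
        "sysctl -w net.ipv4.ip_forward=1",
    ]


if __name__ == "__main__":
    print("as posted:      ", path_as_posted())
    print("with SNAT:      ", path_with_nat())
    print("with selector:  ", path_with_extra_selector())
    print("\n".join(nat_fix_commands()))
```

The NAT option is the one that needs no change on the appliances, at the cost of Site B seeing every VPN user as 10.0.1.10 in its logs; the selector option preserves client addresses but must be configured symmetrically on both UTMs or the reply path breaks.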

vpn – Using iptables to set up a killswitch for openvpn: DNS requests are blocked but they shouldn’t

I bought a subscription to a VPN service and I am using the openvpn 2.5.1 client to connect to it. I am using Ubuntu 20.10.

I now want to emulate the “kill switch” feature of most proprietary VPN clients.

That is, I want to block any connection that is not tunneled through the VPN. Said otherwise, if the VPN connection drops for some reason (e.g. server unreachable), I want all internet connections to be blocked.

To achieve this result, I am following this tutorial.

I have come up with the following iptables rules:

*filter

# Drop all packets
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

# Allow incoming packets only for related and established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Allow loopback and tunnel interface
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -p icmp -j ACCEPT

# Allow local LAN
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT

# Allow VPN's DNS servers
# NordVPN's DNS server addresses are 103.86.96.100 and 103.86.99.100
-A OUTPUT -d <DNS_SERVER_1> -j ACCEPT
-A OUTPUT -d <DNS_SERVER_2> -j ACCEPT

# Allow the VPN itself (both protocol/port and interface)
# We use TCP/443
#-A OUTPUT -p udp -m udp --dport 1194 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT

COMMIT

and I am importing it with sudo iptables-restore < ./vpn_iptables_killswitch_rules.ipv4.

After the import I am able to connect to the VPN successfully. That is, the openvpn client establishes the connection successfully.

However, I am unable to resolve domain names to IP addresses. In fact, ping google.com returns a temporary failure in name resolution, while traceroute 8.8.8.8 works without problems.

This should not happen since I have whitelisted the DNS servers on my rules.

nmcli connection show <SSID> shows that the connection is using the DNS servers provided by my VPN provider and is ignoring the DNS servers provided by DHCP.

What am I doing wrong here?

dns – openvpn: Windows 10 incorrectly reports no internet access

I’m trying to configure openvpn to provide our staff with access to private subnets in AWS.

In order to allow them to resolve private zone addresses, I have the config set to push the DNS server, like so…

push "block-outside-dns"
push "dhcp-option DNS 10.139.0.2"

Where 10.139.0.2 is the default DNS server for the VPC in which the openvpn server is running.

This seems to work fine. After connecting, I’m able to resolve private AWS hostnames etc.

However after being connected for a couple of minutes, Windows 10 network status icon starts reporting that it has no internet access.

However, internet access is working fine.

While it seems the status warning could just be ignored, I’m not happy about handing this over to our staff, and telling them to ignore the warnings.

What can I do to have Windows 10 correctly detect that it has internet access, when it’s using the openvpn provided DNS?

I tried removing the “block-outside-dns” option, however then the custom DNS was simply ignored, so I could no longer resolve private AWS hostnames.
