I am looking for some help with OpenVPN and hoping there are a few experts about who have done this before.
So I followed the BT Click article and have set up my VPN.
http://www.bbc.co.uk/news/technology-33548728
So far so good: the iPhone can connect fine to my VPN and can access my Raspi by pinging 192.168.0.5 (its IP on the home network) and 10.8.0.1 for the VPN side. However, I cannot connect to anything beyond the Raspi, and indeed I am unable to reach the internet.
So that says to me this is a routing issue, but I am stumped as to where the issue is. The guide is pretty much the same as most of the setup guides for OpenVPN, and I have read a few but can't spot the error.
Here are my config details.
server.conf
local 192.168.0.5 # SWAP THIS NUMBER WITH YOUR RASPBERRY PI IP ADDRESS
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/orangepi.crt # SWAP XX WITH YOUR SERVER NAME
key /etc/openvpn/easy-rsa/keys/orangepi.key # SWAP XX WITH YOUR SERVER NAME
dh /etc/openvpn/easy-rsa/keys/dh2048.pem # IF YOU CHANGED YOUR ENCRYPTION TO 2048, CHANGE THAT HERE
server 10.8.0.0 255.255.255.0
# server and remote endpoints (the 'server' directive above already sets this)
ifconfig 10.8.0.1 10.8.0.2
# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
# (the 'server' directive already pushes this, which is why it appears twice in PUSH_REPLY)
push "route 10.8.0.0 255.255.255.0"
# your local subnet: this must be the NETWORK address (host bits zero), not the
# Pi's own address, otherwise the client rejects it with "route is not canonical"
push "route 192.168.0.0 255.255.255.0" # SWAP THE NETWORK NUMBER WITH YOUR OWN LAN (e.g. 192.168.1.0 for a 192.168.1.x LAN)
# Set primary domain name server address to the SOHO Router
# If your router does not do DNS, you can use Google DNS 8.8.8.8
push "dhcp-option DNS 192.168.0.1" # THIS SHOULD ALREADY MATCH YOUR OWN ROUTER ADDRESS AND SHOULD NOT NEED TO BE CHANGED
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log 20
log /var/log/openvpn.log
verb 3
Mon Feb 8 09:58:05 2016 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
Mon Feb 8 09:58:05 2016 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Mon Feb 8 09:58:05 2016 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon Feb 8 09:58:06 2016 Diffie-Hellman initialized with 2048 bit key
Mon Feb 8 09:58:06 2016 Control Channel Authentication: using '/etc/openvpn/easy-rsa/keys/ta.key' as a OpenVPN static key file
Mon Feb 8 09:58:06 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 8 09:58:06 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 8 09:58:06 2016 Socket Buffers: R=[163840->131072] S=[163840->131072]
Mon Feb 8 09:58:06 2016 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:17:8b:ae
Mon Feb 8 09:58:06 2016 TUN/TAP device tun0 opened
Mon Feb 8 09:58:06 2016 TUN/TAP TX queue length set to 100
Mon Feb 8 09:58:06 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Feb 8 09:58:06 2016 /sbin/ip link set dev tun0 up mtu 1500
Mon Feb 8 09:58:06 2016 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Mon Feb 8 09:58:06 2016 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mon Feb 8 09:58:06 2016 GID set to nogroup
Mon Feb 8 09:58:06 2016 UID set to nobody
Mon Feb 8 09:58:06 2016 UDPv4 link local (bound): [AF_INET]192.168.0.5:1194
Mon Feb 8 09:58:06 2016 UDPv4 link remote: [undef]
Mon Feb 8 09:58:06 2016 MULTI: multi_init called, r=256 v=256
Mon Feb 8 09:58:06 2016 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Mon Feb 8 09:58:06 2016 Initialization Sequence Completed
Mon Feb 8 09:58:58 2016 x.x.x.x:54483 TLS: Initial packet from [AF_INET]x.x.x.x:54483, sid=8abd1c5a 1751b87d
Mon Feb 8 09:58:59 2016 x.x.x.x:54483 VERIFY OK: depth=1, C=UK, ST=SUSSEX, L=Uckfield, O=Ben, OU=MyOrganizationalUnit, CN=orangepi, name=EasyRSA, emailAddress=ben.gillam@gmail.com
Mon Feb 8 09:58:59 2016 x.x.x.x:54483 VERIFY OK: depth=0, C=UK, ST=SUSSEX, L=Uckfield, O=Ben, OU=MyOrganizationalUnit, CN=bengiphone, name=EasyRSA, emailAddress=ben.gillam@gmail.com
Mon Feb 8 09:59:00 2016 x.x.x.x:54483 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Feb 8 09:59:00 2016 x.x.x.x:54483 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 8 09:59:00 2016 x.x.x.x:54483 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Mon Feb 8 09:59:00 2016 x.x.x.x:54483 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 8 09:59:00 2016 x.x.x.x:54483 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Feb 8 09:59:00 2016 x.x.x.x:54483 [bengiphone] Peer Connection Initiated with [AF_INET]x.x.x.x:54483
Mon Feb 8 09:59:00 2016 bengiphone/x.x.x.x:54483 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mon Feb 8 09:59:00 2016 bengiphone/x.x.x.x:54483 MULTI: Learn: 10.8.0.6 -> bengiphone/x.x.x.x:54483
Mon Feb 8 09:59:00 2016 bengiphone/x.x.x.x:54483 MULTI: primary virtual IP for bengiphone/x.x.x.x:54483: 10.8.0.6
Mon Feb 8 09:59:00 2016 bengiphone/x.x.x.x:54483 PUSH: Received control message: 'PUSH_REQUEST'
Mon Feb 8 09:59:00 2016 bengiphone/x.x.x.x:54483 send_push_reply(): safe_cap=940
Mon Feb 8 09:59:00 2016 bengiphone/x.x.x.x:54483 SENT CONTROL [bengiphone]: 'PUSH_REPLY,route 10.8.0.1 255.255.255.255,route 10.8.0.0 255.255.255.0,route 192.168.0.5 255.255.255.0,dhcp-option DNS 192.168.0.1,redirect-gateway def1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Mon Feb 8 09:59:38 2016 bengiphone/x.x.x.x:54483 SIGTERM[soft,remote-exit] received, client-instance exiting

2016-02-08 09:58:57 ----- OpenVPN Start -----
OpenVPN core 3.0 ios arm64 64-bit
2016-02-08 09:58:57 UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [nobind]
6 [persist-key]
7 [persist-tun]
8 [mute-replay-warnings]
13 [verb] [1]
14 [mute] [20]
2016-02-08 09:58:57 LZO-ASYM init swap=0 asym=0
2016-02-08 09:58:57 EVENT: RESOLVE
2016-02-08 09:58:58 Contacting x.x.x.x:1194 via UDP
2016-02-08 09:58:58 EVENT: WAIT
2016-02-08 09:58:58 SetTunnelSocket returned 1
2016-02-08 09:58:58 Connecting to ???.raspctl.com:1194 (x.x.x.x) via UDPv4
2016-02-08 09:58:58 EVENT: CONNECTING
2016-02-08 09:58:58 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2016-02-08 09:58:58 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.5-177
IV_VER=3.0
IV_PLAT=ios
IV_NCP=1
IV_LZO=1
2016-02-08 09:58:59 VERIFY OK: depth=1
cert. version : 3
serial number : E0:1A:24:66:78:A3:D8:52
issuer name : C=UK, ST=SUSSEX, L=Uckfield, O=Ben, OU=MyOrganizationalUnit, CN=orangepi, ??=EasyRSA, emailAddress=email@domain.com
subject name : C=UK, ST=SUSSEX, L=Uckfield, O=Ben, OU=MyOrganizationalUnit, CN=orangepi, ??=EasyRSA, emailAddress=email@domain.com
issued on : 2016-02-07 19:42:43
expires on : 2026-02-04 19:42:43
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
2016-02-08 09:58:59 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : C=UK, ST=SUSSEX, L=Uckfield, O=Ben, OU=MyOrganizationalUnit, CN=orangepi, ??=EasyRSA, emailAddress=email@domain.com
subject name : C=UK, ST=SUSSEX, L=Uckfield, O=Ben, OU=MyOrganizationalUnit, CN=orangepi, ??=EasyRSA, emailAddress=email@domain.com
issued on : 2016-02-07 19:43:15
expires on : 2026-02-04 19:43:15
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : orangepi
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
2016-02-08 09:59:00 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2016-02-08 09:59:00 Session is ACTIVE
2016-02-08 09:59:00 EVENT: GET_CONFIG
2016-02-08 09:59:00 Sending PUSH_REQUEST to server...
2016-02-08 09:59:00 OPTIONS:
0 [route] [10.8.0.1] [255.255.255.255]
1 [route] [10.8.0.0] [255.255.255.0]
2 [route] [192.168.0.5] [255.255.255.0]
3 [dhcp-option] [DNS] [192.168.0.1]
4 [redirect-gateway] [def1]
5 [route] [10.8.0.0] [255.255.255.0]
6 [topology] [net30]
7 [ping] [10]
8 [ping-restart] [120]
9 [ifconfig] [10.8.0.6] [10.8.0.5]
2016-02-08 09:59:00 LZO-ASYM init swap=0 asym=0
2016-02-08 09:59:00 EVENT: ASSIGN_IP
2016-02-08 09:59:00 Error parsing IPv4 route: [route] [192.168.0.5] [255.255.255.0] : tun_prop_error: route is not canonical
2016-02-08 09:59:00 Connected via tun
2016-02-08 09:59:00 EVENT: CONNECTED @???.raspctl.com:1194 (x.x.x.x) via /UDPv4 on tun/10.8.0.6/
2016-02-08 09:59:00 SetStatus Connected

ALMOST FORGOT my iptables rules, which are run from the /etc/network/interfaces file:

#!/bin/sh
# NAT VPN client traffic (10.8.0.0/24) out of eth0 so LAN hosts and the router
# see it as coming from the Pi. Note that the kernel must also have
# net.ipv4.ip_forward=1 for packets to be routed between tun0 and eth0 at all.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# equivalent alternative using a fixed source address instead of MASQUERADE:
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.0.5

If anyone is able to help me here I would be most grateful.
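As an added example (not code from the original post or from the article it follows), here is a small POSIX sh script that checks every push "route NET MASK" line in a server.conf for the condition the iOS client log above rejects with "tun_prop_error: route is not canonical", and prints the corrected line. A route is canonical when NET has no host bits set under MASK, so 192.168.0.5 255.255.255.0 must be written as 192.168.0.0 255.255.255.0. The sample config lines are constructed inline to mirror the post's push lines, and the forwarding check at the end (reading /proc/sys/net/ipv4/ip_forward) assumes a Linux host and is not part of the original post.

```shell
#!/bin/sh
# Added example: lint an OpenVPN server.conf for non-canonical pushed routes
# and check that the kernel will actually forward packets for the VPN.

# ip2int A.B.C.D -> the address as a decimal 32-bit value
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip N -> A.B.C.D
int2ip() {
    printf '%d.%d.%d.%d\n' \
        $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# canonical_network NET MASK -> NET & MASK in dotted form
canonical_network() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# is_canonical NET MASK -> success iff NET is already the network address
is_canonical() {
    [ "$(canonical_network "$1" "$2")" = "$1" ]
}

# check_conf FILE -> prints a fix for every non-canonical push route;
# the exit status is the number of bad routes found (0 = clean)
check_conf() {
    file=$1
    bad=0
    while IFS= read -r line; do
        case "$line" in
            'push "route '*)
                # strip the 'push "route ' prefix and the closing quote
                spec=$(printf '%s\n' "$line" | sed 's/^push "route //; s/".*$//')
                set -- $spec
                if ! is_canonical "$1" "$2"; then
                    bad=$((bad + 1))
                    echo "non-canonical: $line"
                    echo "  use: push \"route $(canonical_network "$1" "$2") $2\""
                fi
                ;;
        esac
    done < "$file"
    return $bad
}

# forwarding_enabled -> success iff the kernel routes between interfaces.
# The MASQUERADE rule alone does not make the Pi a router; without this the
# client reaches the Pi itself but nothing behind it. (Assumes Linux.)
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Constructed sample that mirrors the push lines from the post above
sample=$(mktemp)
cat > "$sample" <<'EOF'
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.5 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
EOF
check_conf "$sample" || echo "$? non-canonical push route(s) found"
rm -f "$sample"

forwarding_enabled || echo "net.ipv4.ip_forward is not 1: enable it with 'sysctl -w net.ipv4.ip_forward=1' (persist in /etc/sysctl.conf)"
```

Run it on the Pi against /etc/openvpn/server.conf instead of the constructed sample. Once the LAN route is canonical the client can reach 192.168.0.0/24 through the tunnel; for traffic beyond the Pi to work, ip_forward must be 1 in addition to the MASQUERADE rule in the post, and the pushed redirect-gateway def1 only sends internet traffic through the tunnel if the client accepts the push.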