drugo
Posts: 10
Joined: Sun Sep 22, 2019 9:02 pm

[SOLVED]-Unable to connect to VPN server where there's another VPN client active

Tue Dec 10, 2019 5:17 pm

I have a network configured like this: a router and an RPI that acts as WiFi access point, DHCP and DNS server, firewall and gateway. The RPI is also connected with an OpenVPN client to a paid VPN service (NordVPN), so all the WiFi clients use the VPN connection.

I'm trying to create a private VPN so I can connect to the RPI also from outside. I run a VPN server on the RPI for this purpose. NordVPN does not provide port forwarding, so I cannot connect to the RPI through the NordVPN IP address and I'm trying to reach the RPI from the ISP public IP. I configured port forwarding from the router to the RPI's local IP address.

I'm able to connect with the private VPN to the RPI when the NordVPN connection is off, but I cannot connect when the NordVPN connection is running.

I read that the problem is the routing, so I configured it, and the best result I reached is that I can SSH from outside to the RPI when the NordVPN connection is running, but I'm not able to connect with my OpenVPN client (with NordVPN running). The problem is that client and server do not complete the handshake. The server receives the first packet (I think the firewall could be OK) but it is not able to send the reply (or it sends it through the wrong route). But it seems this problem is not there with the SSH connection, because it works from outside (and I guess the server replies to the client handshake).

Other info:

- 192.168.4.0/24 is the local clients' network (RPI's WiFi)
- 192.168.1.0/24 is the local router's network
- 192.168.1.1 is the router
- 192.168.1.117 is the RPI eth0
- 10.8.0.0/16 is the NordVPN tun0 network
- the paid VPN runs on the standard OpenVPN port but the private VPN runs on a different port

First, following https://gist.github.com/Shourai/1088f78 ... a6045c477b, I tried to forward from the router to 192.168.1.117 with these routes on the RPI.

Code:

# packets carrying mark 65 are looked up in the "novpn" table
ip rule add fwmark 65 table novpn
# that table sends them to the ISP router on eth0 instead of the NordVPN tunnel
ip route add default via 192.168.1.1 dev eth0 table novpn
# mark the server's replies by source port (1234567 is the post's placeholder, not a valid port number)
iptables -t mangle -A OUTPUT -p udp --sport 1234567 -j MARK --set-mark 65

In this case I was able to connect via the private VPN only without NordVPN running.

Second, following https://superuser.com/questions/1399079 ... s-running/, I created a virtual eth0 interface (192.168.1.118). I forwarded from the router to this new address and I configured the routes like this:

Code:

# second address on eth0, kept under the eth0:0 alias label (ip takes "label", not "dev eth0:0")
ip addr add 192.168.1.118/24 dev eth0 label eth0:0
# anything sourced from that address is looked up in table 1234 ...
ip rule add from 192.168.1.118 table 1234
# ... whose default route is the ISP router on eth0, not the NordVPN tun0
ip route add default via 192.168.1.1 dev eth0 table 1234

So I can connect via SSH from outside also when the NordVPN connection is active, but when I launch the private VPN client it is not able to complete the handshake, with these errors:

Code:

XXX.XXX.XXX.XXX:53347 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:53347, sid=5138c564 319ce197
Dec 08 23:02:55 rpi ovpn-server[19950]: XXX.XXX.XXX.XXX:53347 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Dec 08 23:02:55 rpi ovpn-server[19950]: XXX.XXX.XXX.XXX:53347 TLS Error: TLS handshake failed

I have been on this problem for 2 weeks and I definitely have no other idea.
Maybe someone could help me?

Thanks in advance.

PS: I do not post my iptables rules because there are a lot of them.
Last edited by drugo on Mon Dec 23, 2019 10:07 pm, edited 1 time in total.

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Unable to connect to VPN server where there's another VPN client active

Tue Dec 10, 2019 7:52 pm

Ordinarily, I believe, you can't easily have one machine act as client and server.

The solution, I think, is to use policy-based routing - search this forum, I'm sure I saw something on this earlier this week.
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B

drugo
Posts: 10
Joined: Sun Sep 22, 2019 9:02 pm

Re: Unable to connect to VPN server where there's another VPN client active

Wed Dec 11, 2019 9:19 am

castletonroad wrote: Ordinarily, I believe, you can't easily have one machine act as client and server.

The solution, I think, is to use policy-based routing - search this forum, I'm sure I saw something on this earlier this week.

Why is it not possible to have an OpenVPN client and server on the same machine? Is it not only a routing problem?
I thought maybe something like "the packets that arrive from the router 192.168.1.1 and are directed to the IP 192.168.1.118 have to be replied to and sent through the RPI interface eth0 to the gateway 192.168.1.1 and not through the tun0 interface".
SSH from outside works in this way but not OpenVPN...

OO-Dragon
Posts: 31
Joined: Sat Jun 02, 2018 3:09 pm

Re: Unable to connect to VPN server where there's another VPN client active

Fri Dec 13, 2019 4:23 pm

I might be wrong, but I'm pretty sure the IP used to connect to OpenVPN has to be the same IP that responds. But since you have NordVPN enabled, you connect to IP A but get a response from IP B.

Unfortunately, I'm not sure how to resolve that... Most likely it involves creating a separate network for the OpenVPN connections and then creating fancy iptables rules so only connected VPN clients from that network get redirected through the NordVPN.

I hope that at least points you in the right direction.
OO-Dragon

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Unable to connect to VPN server where there's another VPN client active

Fri Dec 13, 2019 8:13 pm

Do some 'Googling' and report back your solution when you find one...

E.g. does this help: https://unix.stackexchange.com/question ... ctions-whe
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B

drugo
Posts: 10
Joined: Sun Sep 22, 2019 9:02 pm

Re: Unable to connect to VPN server where there's another VPN client active

Fri Dec 13, 2019 9:49 pm

Thanks, but I googled a lot, maybe for more than 2 weeks, and I also read the link you posted.
As you can see from my first post, I applied the commands written in the post in this way:

Code:

# second address on eth0 under the eth0:0 alias label (ip takes "label", not "dev eth0:0")
ip addr add 192.168.1.118/24 dev eth0 label eth0:0
# traffic sourced from that address uses table 1234, whose default goes to the ISP router
ip rule add from 192.168.1.118 table 1234
ip route add default via 192.168.1.1 dev eth0 table 1234

but OpenVPN does not work.
This new route is probably right and good because, after applying it, I can connect via SSH (and I can't connect without it).
There should be something else, some other route or maybe an iptables rule...

drugo
Posts: 10
Joined: Sun Sep 22, 2019 9:02 pm

Re: Unable to connect to VPN server where there's another VPN client active

Fri Dec 13, 2019 9:50 pm

castletonroad wrote:
Fri Dec 13, 2019 8:13 pm
Do some 'Googling' and report back your solution when you find one...

E.g. does this help: https://unix.stackexchange.com/question ... ctions-whe
Thanks, but I googled a lot, maybe for more than 2 weeks, and I also read the link you posted.
As you can see from my first post, I applied the commands written in the post in this way:

Code:

# second address on eth0 under the eth0:0 alias label (ip takes "label", not "dev eth0:0")
ip addr add 192.168.1.118/24 dev eth0 label eth0:0
# traffic sourced from that address uses table 1234, whose default goes to the ISP router
ip rule add from 192.168.1.118 table 1234
ip route add default via 192.168.1.1 dev eth0 table 1234

but OpenVPN does not work.
This new route is probably right and good because, after applying it, I can connect via SSH (and I can't connect without it).
There should be something else, some other route or maybe an iptables rule...

EDIT: sorry for the double post...

drugo
Posts: 10
Joined: Sun Sep 22, 2019 9:02 pm

Re: Unable to connect to VPN server where there's another VPN client active

Fri Dec 13, 2019 9:56 pm

OO-Dragon wrote:
Fri Dec 13, 2019 4:23 pm
I might be wrong, but I'm pretty sure the IP used to connect to OpenVPN has to be the same IP that responds. But since you have NordVPN enabled, you connect to IP A but get a response from IP B.

Unfortunately, I'm not sure how to resolve that... Most likely it involves creating a separate network for the OpenVPN connections and then creating fancy iptables rules so only connected VPN clients from that network getting re-directed through the NordVPN.

I hope that at least points you in the right direction.

I'm trying to connect from outside through my public ISP address (and not the NordVPN address), and I think the right thing to do should be to correctly route the packets received from outside back to the eth0/router gateway and not through tun0/NordVPN.
The problem is that there is something wrong in my config and I can't understand what...

drugo
Posts: 10
Joined: Sun Sep 22, 2019 9:02 pm

Re: Unable to connect to VPN server where there's another VPN client active

Tue Dec 17, 2019 9:39 pm

Please, can anyone help me?

drugo
Posts: 10
Joined: Sun Sep 22, 2019 9:02 pm

Re: Unable to connect to VPN server where there's another VPN client active

Mon Dec 23, 2019 5:30 pm

I solved it.

The problem, in this case, was this line missing from the OpenVPN server configuration:

Code:

# bind the server to the eth0 address, so its replies carry that address as source
local 192.168.1.117

So the right routing for me is:

Code:

# everything sourced from the eth0 address is looked up in the "novpn" table ...
ip rule add from 192.168.1.117 table novpn
# ... whose default route is the ISP router on eth0, not the NordVPN tun0
ip route add default via 192.168.1.1 dev eth0 table novpn
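The fix above (a `local` directive so the server answers from the eth0 address it was reached on, plus a source-based rule sending that address's traffic to the ISP router, which is what OO-Dragon's "reply from IP B" observation earlier in the thread was pointing at) as an added POSIX shell script; it is not from the thread or from OpenVPN. It assumes the thread's addresses (192.168.1.117, router 192.168.1.1, eth0, table "novpn") as overridable defaults, an assumed free table id 200, a configurable rt_tables path, and it only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): make an OpenVPN server answer from the LAN
# address it was reached on while the host's default route is a NordVPN tun0.
# Defaults are the thread's values; override them via the environment.
SERVER_IP="${SERVER_IP:-192.168.1.117}"   # RPI eth0 address the router forwards to
LAN_GW="${LAN_GW:-192.168.1.1}"           # ISP router
LAN_IF="${LAN_IF:-eth0}"
TABLE="${TABLE:-novpn}"                   # routing table name used in the thread
TABLE_ID="${TABLE_ID:-200}"               # assumed free id for that table
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = execute (needs root)

# Print a command, or execute it when DRY_RUN=0.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Exit 0 if config file $1 pins the listening address $2 with a 'local' directive.
# Without it the replies take whatever source address the main table picks, which
# is the tun0 address once the NordVPN client is up: the client then sees a reply
# from a different IP than it sent to and the TLS handshake times out.
has_local_directive() {
    grep -Eq "^[[:space:]]*local[[:space:]]+$2([[:space:]]|$)" "$1"
}

# Register the named table in rt_tables once (idempotent).
ensure_table() {
    if ! grep -Eq "[[:space:]]$1[[:space:]]*$" "$RT_TABLES"; then
        run sh -c "printf '%s\t%s\n' '$TABLE_ID' '$1' >> '$RT_TABLES'"
    fi
}

# The two routing commands from the thread's solution, parameterised.
policy_route_cmds() {
    printf 'ip rule add from %s table %s\n' "$SERVER_IP" "$TABLE"
    printf 'ip route add default via %s dev %s table %s\n' "$LAN_GW" "$LAN_IF" "$TABLE"
}

# Full setup: refuse to continue if 'local' is missing, then table, rule and route.
apply_all() {
    cfg="${1:-/etc/openvpn/server.conf}"   # assumed default config path
    if ! has_local_directive "$cfg" "$SERVER_IP"; then
        echo "missing 'local $SERVER_IP' in $cfg; add it and restart the server" >&2
        return 1
    fi
    ensure_table "$TABLE"
    # $cmd is unquoted on purpose so the line splits into command and arguments
    policy_route_cmds | while IFS= read -r cmd; do run $cmd; done
}

case "${1:-}" in apply) apply_all "${2:-}" ;; esac
```

Run as `sh script.sh apply /etc/openvpn/server.conf` to see the commands, and with `DRY_RUN=0` as root to apply them; `ip route get <client-ip> from 192.168.1.117` afterwards should show the route via the LAN router rather than tun0.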

castletonroad
Posts: 135
Joined: Sat Jul 25, 2015 11:23 pm

Re: Unable to connect to VPN server where there's another VPN client active

Mon Dec 23, 2019 6:56 pm

Thanks for reporting the solution.

Glad you got it working :D
Raspberry Pi 4 Model B | Raspberry Pi 3 Model B | Raspberry Pi 2 Model B
