Old 09-13-2015, 08:13 PM   #1
mabo1
Member
 
Registered: Jul 2015
Location: Nanjing, China
Distribution: Debian
Posts: 62

Rep: Reputation: Disabled
OpenVPN and Obfsproxy network problems.


Hi,

I am trying to set up my OpenVPN client/server to use the obfsproxy and I have run into a few problems.

I have reached a point where I can connect to my server through the obfsproxy but am then unable to connect to outside addresses, for example I am unable to ping 8.8.8.8 ...

The connection will then disconnect after about a minute with "Inactivity timeout", which is weird because "--inactive" is off by default. I also tried explicitly setting "--inactive 0" but it still times out; presumably this won't be a problem when I am able to connect to external addresses.

The DNS server IPs are pushed and updated as expected; I checked that /etc/resolv.conf is changing as expected.

I think maybe I have a routing problem, but I am not sure how to test the theory ...

Any suggestions on how to check that routing is set up correctly would be very much appreciated ...

Server side setup ---

VPN_Server_IP = A.B.C.D

tried both of these ...
Code:
obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 --dest=127.0.0.1:1194 server 0.0.0.0:21194 &
Code:
obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 --dest=127.0.0.1:1194 server A.B.C.D:21194 &
firewall setup
Code:
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 21194 -j ACCEPT
tcp.conf
Code:
port 1194
server netstat -rn
Code:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         A.B.C.254       0.0.0.0         UG        0 0          0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun1
A.B.C.0         0.0.0.0         255.255.255.0   U         0 0          0 eth0
Client side setup ---

Code:
obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 socks 127.0.0.1:10194 &
client.conf, changes ...

Code:
remote  VPN_Server_IP 21194
proto tcp
socks-proxy 127.0.0.1 10194
socks-proxy-retry
client netstat -rn
Code:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.8.0.34       0.0.0.0         UG        0 0          0 tun0
0.0.0.0         172.31.8.1      0.0.0.0         UG        0 0          0 wlan0
10.8.0.1        10.8.0.34       255.255.255.255 UGH       0 0          0 tun0
10.8.0.33       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.8.0.34       0.0.0.0         255.255.255.255 UH        0 0          0 tun0
127.0.0.1       172.31.8.1      255.255.255.255 UGH       0 0          0 wlan0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 wlan0
client ifconfig
Code:
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether ec:f4:bb:65:ea:ad  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 20  memory 0xf7800000-f7820000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 4297  bytes 501861 (490.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4297  bytes 501861 (490.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.33  netmask 255.255.255.255  destination 10.8.0.34
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 36  bytes 2649 (2.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.31.8.210  netmask 255.255.248.0  broadcast 172.31.15.255
        inet6 fe80::3ea9:f4ff:fea7:da8c  prefixlen 64  scopeid 0x20<link>
        ether 3c:a9:f4:a7:da:8c  txqueuelen 1000  (Ethernet)
        RX packets 28206  bytes 4168156 (3.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4505  bytes 688565 (672.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
Old 09-15-2015, 10:51 PM   #2
mabo1
Member
 
Registered: Jul 2015
Location: Nanjing, China
Distribution: Debian
Posts: 62

Original Poster
Rep: Reputation: Disabled
This route in the client side routing table looks odd ...

Code:
127.0.0.1       172.31.8.1      255.255.255.255 UGH       0 0          0 wlan0
So, I deleted this static route but still unable to ping 8.8.8.8.

Not sure if I should have also flushed the route cache before testing?
 
Old 09-18-2015, 07:13 PM   #3
mabo1
Member
 
Registered: Jul 2015
Location: Nanjing, China
Distribution: Debian
Posts: 62

Original Poster
Rep: Reputation: Disabled
Additional information ...

After the VPN connects and before it times out ...

I issued this command;
Code:
mabo@debian:~$ ip route get 8.8.8.8
8.8.8.8 via 10.8.0.34 dev tun0  src 10.8.0.33 
    cache
It looks like the client routing is ok because packets are directed through the tunnel as expected.

These are my client iptables rules;
Code:
mabo@debian:~$ sudo iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  700  108K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    5   300 ACCEPT     all  --  lo     *       127.0.0.0/8          127.0.0.0/8         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
I have also changed the policy on the FORWARD chain to ACCEPT but it didn't fix the problem.

These are my server iptables rules;
Code:
:~# iptables -vnL
Chain INPUT (policy DROP 691 packets, 107K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  445 32444 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 446K   81M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  125  6094 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 limit: avg 3/min burst 3
  885 48724 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 limit: avg 3/min burst 3
   12   720 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194 limit: avg 3/min burst 3
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:22 limit: avg 3/min burst 3
  302 18828 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 10
   26  1560 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21194
   26  1560 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  718 30284 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
1240K 1067M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
11782  755K ACCEPT     all  --  tun0   eth0    0.0.0.0/0            0.0.0.0/0            ctstate NEW
    0     0 ACCEPT     udp  --  *      tun0    0.0.0.0/0            0.0.0.0/0            udp dpt:3074
    0     0 ACCEPT     udp  --  *      tun0    0.0.0.0/0            0.0.0.0/0            udp dpt:88
    0     0 ACCEPT     tcp  --  *      tun0    0.0.0.0/0            0.0.0.0/0            tcp dpt:3074
    0     0 ACCEPT     tcp  --  *      tun0    0.0.0.0/0            0.0.0.0/0            tcp dpt:25565
    0     0 ACCEPT     udp  --  *      tun0    0.0.0.0/0            0.0.0.0/0            udp dpt:25565

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    40 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
 384K 1099M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            10.8.0.0/24         
  980 75128 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
   26  1560 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
And here is the server iptables nat table;
Code:
:~# iptables -t nat  -vnL
Chain PREROUTING (policy ACCEPT 98733 packets, 8361K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            VPN_Server_IP        udp dpt:3074 to:10.8.0.13:3074
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            VPN_Server_IP        udp dpt:88 to:10.8.0.13:88
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            VPN_Server_IP        tcp dpt:3074 to:10.8.0.13:3074

Chain INPUT (policy ACCEPT 125 packets, 6907 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 63 packets, 4565 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 5 packets, 300 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   59  4316 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
I am wondering if the problem is connected with an address translation problem, any suggestions?
 
Old 09-19-2015, 02:30 AM   #4
mabo1
Member
 
Registered: Jul 2015
Location: Nanjing, China
Distribution: Debian
Posts: 62

Original Poster
Rep: Reputation: Disabled
Additional information ...

After VPN is connected and before it times out;

Code:
ping 8.8.8.8
Code:
tcpdump -nvvv -i any
Code:
14:57:03.549653 IP (tos 0x0, ttl 64, id 52402, offset 0, flags [DF], proto ICMP (1), length 84)
    10.8.0.33 > 8.8.8.8: ICMP echo request, id 4693, seq 7, length 64
14:57:03.549729 IP (tos 0x0, ttl 64, id 54372, offset 0, flags [DF], proto TCP (6), length 187)
    127.0.0.1.48832 >  127.0.0.1.10194: Flags [P.], cksum 0xfeaf (incorrect -> 0x390e), seq 11096:11231, ack 6649, win 32748, options [nop,nop,TS val 358569 ecr 358488], length 135
14:57:03.549739 IP (tos 0x0, ttl 64, id 512, offset 0, flags [DF], proto TCP (6), length 52)
    127.0.0.1.10194 > 127.0.0.1.48832: Flags [.], cksum 0xfe28 (incorrect -> 0x420f), seq 6649, ack 11231, win 702, options [nop,nop,TS val 358569 ecr 358569], length 0
These same 3 output lines repeat while ping is executing.

The packets don't seem to be leaving the obfsproxy, and no packets are getting through to the wlan0 interface?
 
Old 09-21-2015, 11:20 PM   #5
mabo1
Member
 
Registered: Jul 2015
Location: Nanjing, China
Distribution: Debian
Posts: 62

Original Poster
Rep: Reputation: Disabled
I have captured some packet traffic with tcpdump on my vpn server, see below.

VPN client and server connect and then I start ping 8.8.8.8 before the connection times out.

This portion shows packet traffic with host 8.8.8.8
Code:
21:43:54.292768 IP vpn_server_public_IP.21194 > client_public_IP.39644: Flags [P.], seq 12367:12438, ack 12931, win 2641, options [nop,nop,TS val 21111972 ecr 457710], length 71
21:43:55.505640 IP localhost.openvpn > localhost.45874: Flags [P.], seq 6641:6712, ack 6004, win 21679, options [nop,nop,TS val 21112275 ecr 21109731], length 71
21:43:55.505684 IP localhost.45874 > localhost.openvpn: Flags [.], ack 6712, win 2048, options [nop,nop,TS val 21112275 ecr 21112275], length 0
21:44:03.844758 IP vpn_server_public_IP.21194 > client_public_IP.39644: Flags [P.], seq 12367:12438, ack 12931, win 2641, options [nop,nop,TS val 21114360 ecr 457710], length 71
21:44:05.560356 IP localhost.openvpn > localhost.45874: Flags [P.], seq 6712:6783, ack 6004, win 21679, options [nop,nop,TS val 21114788 ecr 21112275], length 71
21:44:05.560406 IP localhost.45874 > localhost.openvpn: Flags [.], ack 6783, win 2048, options [nop,nop,TS val 21114788 ecr 21114788], length 0
21:44:08.852735 ARP, Request who-has vps_network.254 tell vpn_server_public_IP, length 28
21:44:08.853105 ARP, Reply vps_network.254 is-at 00:1f:c6:d0:56:3c (oui Unknown), length 46
21:44:15.159377 IP client_public_IP.39644 > vpn_server_public_IP.21194: Flags [P.], seq 12931:13249, ack 12438, win 814, options [nop,nop,TS val 467248 ecr 21114360], length 318
21:44:15.159429 IP vpn_server_public_IP.21194 > client_public_IP.39644: Flags [P.], seq 12438:12580, ack 13249, win 2641, options [nop,nop,TS val 21117188 ecr 467248], length 142
21:44:15.159759 IP localhost.45874 > localhost.openvpn: Flags [P.], seq 6004:6322, ack 6783, win 2048, options [nop,nop,TS val 21117188 ecr 21114788], length 318
21:44:15.159784 IP localhost.openvpn > localhost.45874: Flags [.], ack 6322, win 22261, options [nop,nop,TS val 21117188 ecr 21117188], length 0

21:44:15.159921 IP 10.8.0.33.43128 > google-public-dns-a.google.com.domain: 26744+ SOA? local. (23)
21:44:15.160836 IP vpn_server_public_IP.43128 > google-public-dns-a.google.com.domain: 26744+ SOA? local. (23)
21:44:15.160917 IP localhost.openvpn > localhost.45874: Flags [P.], seq 6783:6854, ack 6322, win 22261, options [nop,nop,TS val 21117189 ecr 21117188], length 71
21:44:15.160952 IP localhost.45874 > localhost.openvpn: Flags [.], ack 6854, win 2048, options [nop,nop,TS val 21117189 ecr 21117189], length 0
21:44:15.161049 IP vps_network.254 > vpn_server_public_IP: ICMP redirect google-public-dns-a.google.com to host XXXXXXXXXXXXXXXXX, length 59
21:44:15.162391 IP google-public-dns-a.google.com.domain > vpn_server_public_IP.43128: 26744 NXDomain 0/1/0 (98)
21:44:15.162616 IP google-public-dns-a.google.com.domain > 10.8.0.33.43128: 26744 NXDomain 0/1/0 (98)

21:44:15.162952 IP localhost.openvpn > localhost.45874: Flags [P.], seq 6854:7037, ack 6322, win 22261, options [nop,nop,TS val 21117189 ecr 21117189], length 183
21:44:15.162976 IP localhost.45874 > localhost.openvpn: Flags [.], ack 7037, win 2048, options [nop,nop,TS val 21117189 ecr 21117189], length 0
21:44:15.514692 IP localhost.45874 > localhost.openvpn: Flags [F.], seq 6322, ack 7037, win 2048, options [nop,nop,TS val 21117277 ecr 21117189], length 0
21:44:15.514972 IP localhost.openvpn > localhost.45874: Flags [F.], seq 7037, ack 6323, win 22261, options [nop,nop,TS val 21117277 ecr 21117277], length 0
21:44:15.514994 IP localhost.45874 > localhost.openvpn: Flags [.], ack 7038, win 2048, options [nop,nop,TS val 21117277 ecr 21117277], length 0
21:44:20.155865 ARP, Request who-has vpn_server_public_IP tell vps_network.250, length 46
21:44:20.155887 ARP, Reply vpn_server_public_IP is-at 52:54:00:3d:ee:15 (oui Unknown), length 28
21:44:20.157074 ARP, Request who-has vpn_server_public_IP tell vps_network.254, length 46
21:44:20.157084 ARP, Reply vpn_server_public_IP is-at 52:54:00:3d:ee:15 (oui Unknown), length 28
21:44:33.224228 IP client_public_IP.39575 > vpn_server_public_IP.ssh: Flags [P.], seq 1:41, ack 184, win 1444, options [nop,nop,TS val 471766 ecr 21100836], length 40
21:44:33.224410 IP vpn_server_public_IP.ssh > client_public_IP.39575: Flags [P.], seq 184:224, ack 41, win 2165, options [nop,nop,TS val 21121704 ecr 471766], length 40
21:44:33.224652 IP vps_network.254 > vpn_server_public_IP: ICMP redirect client_public_IP to host eqx5-96.syd1.networkpresence.com.au, length 100
21:44:33.614851 IP client_public_IP.39575 > vpn_server_public_IP.ssh: Flags [.], ack 224, win 1444, options [nop,nop,TS val 471865 ecr 21121704], length 0
Any comments or suggestions would be appreciated ...
 
Old 09-29-2015, 06:37 PM   #6
mabo1
Member
 
Registered: Jul 2015
Location: Nanjing, China
Distribution: Debian
Posts: 62

Original Poster
Rep: Reputation: Disabled
[solved]

Solution to this problem continues under slightly different question.

http://www.linuxquestions.org/questi...rk-4175554444/

Last edited by mabo1; 09-29-2015 at 06:51 PM. Reason: Add SOLVED to title.
 
  

