09-13-2015, 08:13 PM
#1
Member
Registered: Jul 2015
Location: Nanjing, China
Distribution: Debian
Posts: 62
OpenVPN and Obfsproxy network problems.
Hi,
I am trying to set up my OpenVPN client/server to use the obfsproxy and I have run into a few problems.
I have reached a point where I can connect to my server through the obfsproxy but am then unable to connect to outside addresses, for example I am unable to ping 8.8.8.8 ...
The connection will then disconnect after about a minute with "Inactivity timeout", which is weird because "--inactive" is off by default. I also tried explicitly setting "--inactive 0" but it still times out; presumably this won't be a problem when I am able to connect to external addresses.
The DNS server IPs are pushed and updated as expected; I checked that /etc/resolv.conf is changing as expected.
I think maybe I have a routing problem, but I am not sure how to test the theory ...
Any suggestions on how to check that routing is set up correctly would be very much appreciated ...
Server side setup ---
VPN_Server_IP = A.B.C.D
tried both of these ...
Code:
obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 --dest=127.0.0.1:1194 server 0.0.0.0:21194 &
Code:
obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 --dest=127.0.0.1:1194 server A.B.C.D:21194 &
firewall setup
Code:
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 21194 -j ACCEPT
tcp.conf
server netstat -rn
Code:
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 A.B.C.254 0.0.0.0 UG 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
A.B.C.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Client side setup ---
Code:
obfsproxy --log-file=obfsproxy.log --log-min-severity=info obfs3 socks 127.0.0.1:10194 &
client.conf, changes ...
Code:
remote VPN_Server_IP 21194
proto tcp
socks-proxy 127.0.0.1 10194
socks-proxy-retry
client netstat -rn
Code:
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.8.0.34 0.0.0.0 UG 0 0 0 tun0
0.0.0.0 172.31.8.1 0.0.0.0 UG 0 0 0 wlan0
10.8.0.1 10.8.0.34 255.255.255.255 UGH 0 0 0 tun0
10.8.0.33 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.8.0.34 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
127.0.0.1 172.31.8.1 255.255.255.255 UGH 0 0 0 wlan0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 wlan0
client ifconfig
Code:
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether ec:f4:bb:65:ea:ad txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xf7800000-f7820000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 4297 bytes 501861 (490.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4297 bytes 501861 (490.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.33 netmask 255.255.255.255 destination 10.8.0.34
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 36 bytes 2649 (2.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.31.8.210 netmask 255.255.248.0 broadcast 172.31.15.255
inet6 fe80::3ea9:f4ff:fea7:da8c prefixlen 64 scopeid 0x20<link>
ether 3c:a9:f4:a7:da:8c txqueuelen 1000 (Ethernet)
RX packets 28206 bytes 4168156 (3.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4505 bytes 688565 (672.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
09-15-2015, 10:51 PM
#2
Member
Registered: Jul 2015
Location: Nanjing, China
Distribution: Debian
Posts: 62
Original Poster
This route in the client side routing table looks odd ...
Code:
127.0.0.1 172.31.8.1 255.255.255.255 UGH 0 0 0 wlan0
So, I deleted this static route but I am still unable to ping 8.8.8.8.
Not sure if I should have also flushed the route cache before testing?
09-18-2015, 07:13 PM
#3
Member
Registered: Jul 2015
Location: Nanjing, China
Distribution: Debian
Posts: 62
Original Poster
Additional information ...
After the VPN connects and before it times out ...
I issued this command;
Code:
mabo@debian:~$ ip route get 8.8.8.8
8.8.8.8 via 10.8.0.34 dev tun0 src 10.8.0.33
cache
It looks like the client routing is ok because packets are directed through the tunnel as expected.
These are my client iptables rules;
Code:
mabo@debian:~$ sudo iptables -vnL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
700 108K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
5 300 ACCEPT all -- lo * 127.0.0.0/8 127.0.0.0/8
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
I have also changed the policy on the FORWARD chain to ACCEPT but it didn't fix the problem.
These are my server iptables rules;
Code:
:~# iptables -vnL
Chain INPUT (policy DROP 691 packets, 107K bytes)
pkts bytes target prot opt in out source destination
445 32444 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
446K 81M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
125 6094 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:1194 limit: avg 3/min burst 3
885 48724 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 limit: avg 3/min burst 3
12 720 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194 limit: avg 3/min burst 3
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:22 limit: avg 3/min burst 3
302 18828 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 10
26 1560 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21194
26 1560 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
718 30284 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
1240K 1067M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
11782 755K ACCEPT all -- tun0 eth0 0.0.0.0/0 0.0.0.0/0 ctstate NEW
0 0 ACCEPT udp -- * tun0 0.0.0.0/0 0.0.0.0/0 udp dpt:3074
0 0 ACCEPT udp -- * tun0 0.0.0.0/0 0.0.0.0/0 udp dpt:88
0 0 ACCEPT tcp -- * tun0 0.0.0.0/0 0.0.0.0/0 tcp dpt:3074
0 0 ACCEPT tcp -- * tun0 0.0.0.0/0 0.0.0.0/0 tcp dpt:25565
0 0 ACCEPT udp -- * tun0 0.0.0.0/0 0.0.0.0/0 udp dpt:25565
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1 40 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
384K 1099M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * tun0 0.0.0.0/0 10.8.0.0/24
980 75128 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
26 1560 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
And here is the server iptables nat table;
Code:
:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 98733 packets, 8361K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 VPN_Server_IP udp dpt:3074 to:10.8.0.13:3074
0 0 DNAT udp -- * * 0.0.0.0/0 VPN_Server_IP udp dpt:88 to:10.8.0.13:88
0 0 DNAT tcp -- * * 0.0.0.0/0 VPN_Server_IP tcp dpt:3074 to:10.8.0.13:3074
Chain INPUT (policy ACCEPT 125 packets, 6907 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 63 packets, 4565 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 5 packets, 300 bytes)
pkts bytes target prot opt in out source destination
59 4316 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
I am wondering if the problem is connected with an address translation problem, any suggestions?
09-19-2015, 02:30 AM
#4
Member
Registered: Jul 2015
Location: Nanjing, China
Distribution: Debian
Posts: 62
Original Poster
Additional information ...
After VPN is connected and before it times out;
Code:
tcpdump -nvvv -i any
Code:
14:57:03.549653 IP (tos 0x0, ttl 64, id 52402, offset 0, flags [DF], proto ICMP (1), length 84)
10.8.0.33 > 8.8.8.8: ICMP echo request, id 4693, seq 7, length 64
14:57:03.549729 IP (tos 0x0, ttl 64, id 54372, offset 0, flags [DF], proto TCP (6), length 187)
127.0.0.1.48832 > 127.0.0.1.10194: Flags [P.], cksum 0xfeaf (incorrect -> 0x390e), seq 11096:11231, ack 6649, win 32748, options [nop,nop,TS val 358569 ecr 358488], length 135
14:57:03.549739 IP (tos 0x0, ttl 64, id 512, offset 0, flags [DF], proto TCP (6), length 52)
127.0.0.1.10194 > 127.0.0.1.48832: Flags [.], cksum 0xfe28 (incorrect -> 0x420f), seq 6649, ack 11231, win 702, options [nop,nop,TS val 358569 ecr 358569], length 0
These same 3 output lines repeat while ping is executing.
The packets don't seem to be leaving the obfsproxy, and no packets are getting through to the wlan0 interface?
09-21-2015, 11:20 PM
#5
Member
Registered: Jul 2015
Location: Nanjing, China
Distribution: Debian
Posts: 62
Original Poster
I have captured some packet traffic with tcpdump on my vpn server, see below.
VPN client and server connect and then I start ping 8.8.8.8 before the connection times out.
This portion shows packet traffic with host 8.8.8.8
Code:
21:43:54.292768 IP vpn_server_public_IP.21194 > client_public_IP.39644: Flags [P.], seq 12367:12438, ack 12931, win 2641, options [nop,nop,TS val 21111972 ecr 457710], length 71
21:43:55.505640 IP localhost.openvpn > localhost.45874: Flags [P.], seq 6641:6712, ack 6004, win 21679, options [nop,nop,TS val 21112275 ecr 21109731], length 71
21:43:55.505684 IP localhost.45874 > localhost.openvpn: Flags [.], ack 6712, win 2048, options [nop,nop,TS val 21112275 ecr 21112275], length 0
21:44:03.844758 IP vpn_server_public_IP.21194 > client_public_IP.39644: Flags [P.], seq 12367:12438, ack 12931, win 2641, options [nop,nop,TS val 21114360 ecr 457710], length 71
21:44:05.560356 IP localhost.openvpn > localhost.45874: Flags [P.], seq 6712:6783, ack 6004, win 21679, options [nop,nop,TS val 21114788 ecr 21112275], length 71
21:44:05.560406 IP localhost.45874 > localhost.openvpn: Flags [.], ack 6783, win 2048, options [nop,nop,TS val 21114788 ecr 21114788], length 0
21:44:08.852735 ARP, Request who-has vps_network.254 tell vpn_server_public_IP, length 28
21:44:08.853105 ARP, Reply vps_network.254 is-at 00:1f:c6:d0:56:3c (oui Unknown), length 46
21:44:15.159377 IP client_public_IP.39644 > vpn_server_public_IP.21194: Flags [P.], seq 12931:13249, ack 12438, win 814, options [nop,nop,TS val 467248 ecr 21114360], length 318
21:44:15.159429 IP vpn_server_public_IP.21194 > client_public_IP.39644: Flags [P.], seq 12438:12580, ack 13249, win 2641, options [nop,nop,TS val 21117188 ecr 467248], length 142
21:44:15.159759 IP localhost.45874 > localhost.openvpn: Flags [P.], seq 6004:6322, ack 6783, win 2048, options [nop,nop,TS val 21117188 ecr 21114788], length 318
21:44:15.159784 IP localhost.openvpn > localhost.45874: Flags [.], ack 6322, win 22261, options [nop,nop,TS val 21117188 ecr 21117188], length 0
21:44:15.159921 IP 10.8.0.33.43128 > google-public-dns-a.google.com.domain: 26744+ SOA? local. (23)
21:44:15.160836 IP vpn_server_public_IP.43128 > google-public-dns-a.google.com.domain: 26744+ SOA? local. (23)
21:44:15.160917 IP localhost.openvpn > localhost.45874: Flags [P.], seq 6783:6854, ack 6322, win 22261, options [nop,nop,TS val 21117189 ecr 21117188], length 71
21:44:15.160952 IP localhost.45874 > localhost.openvpn: Flags [.], ack 6854, win 2048, options [nop,nop,TS val 21117189 ecr 21117189], length 0
21:44:15.161049 IP vps_network.254 > vpn_server_public_IP: ICMP redirect google-public-dns-a.google.com to host XXXXXXXXXXXXXXXXX, length 59
21:44:15.162391 IP google-public-dns-a.google.com.domain > vpn_server_public_IP.43128: 26744 NXDomain 0/1/0 (98)
21:44:15.162616 IP google-public-dns-a.google.com.domain > 10.8.0.33.43128: 26744 NXDomain 0/1/0 (98)
21:44:15.162952 IP localhost.openvpn > localhost.45874: Flags [P.], seq 6854:7037, ack 6322, win 22261, options [nop,nop,TS val 21117189 ecr 21117189], length 183
21:44:15.162976 IP localhost.45874 > localhost.openvpn: Flags [.], ack 7037, win 2048, options [nop,nop,TS val 21117189 ecr 21117189], length 0
21:44:15.514692 IP localhost.45874 > localhost.openvpn: Flags [F.], seq 6322, ack 7037, win 2048, options [nop,nop,TS val 21117277 ecr 21117189], length 0
21:44:15.514972 IP localhost.openvpn > localhost.45874: Flags [F.], seq 7037, ack 6323, win 22261, options [nop,nop,TS val 21117277 ecr 21117277], length 0
21:44:15.514994 IP localhost.45874 > localhost.openvpn: Flags [.], ack 7038, win 2048, options [nop,nop,TS val 21117277 ecr 21117277], length 0
21:44:20.155865 ARP, Request who-has vpn_server_public_IP tell vps_network.250, length 46
21:44:20.155887 ARP, Reply vpn_server_public_IP is-at 52:54:00:3d:ee:15 (oui Unknown), length 28
21:44:20.157074 ARP, Request who-has vpn_server_public_IP tell vps_network.254, length 46
21:44:20.157084 ARP, Reply vpn_server_public_IP is-at 52:54:00:3d:ee:15 (oui Unknown), length 28
21:44:33.224228 IP client_public_IP.39575 > vpn_server_public_IP.ssh: Flags [P.], seq 1:41, ack 184, win 1444, options [nop,nop,TS val 471766 ecr 21100836], length 40
21:44:33.224410 IP vpn_server_public_IP.ssh > client_public_IP.39575: Flags [P.], seq 184:224, ack 41, win 2165, options [nop,nop,TS val 21121704 ecr 471766], length 40
21:44:33.224652 IP vps_network.254 > vpn_server_public_IP: ICMP redirect client_public_IP to host eqx5-96.syd1.networkpresence.com.au, length 100
21:44:33.614851 IP client_public_IP.39575 > vpn_server_public_IP.ssh: Flags [.], ack 224, win 1444, options [nop,nop,TS val 471865 ecr 21121704], length 0
Any comments or suggestions would be appreciated ...
09-29-2015, 06:37 PM
#6
Member
Registered: Jul 2015
Location: Nanjing, China
Distribution: Debian
Posts: 62
Original Poster
[solved]
The solution to this problem continues under a slightly different question.
http://www.linuxquestions.org/questi...rk-4175554444/
Last edited by mabo1; 09-29-2015 at 06:51 PM .
Reason: Add SOLVED to title.
All times are GMT -5.