LinuxQuestions.org
Old 10-05-2016, 03:10 PM   #1
end
openvpn on kvm


Hi,

Has anyone set up OpenVPN on a virtual machine virtualized with KVM?
If yes, how did you set up routing on the host machine?

I can connect to OpenVPN; my laptop is assigned the VPN address 10.8.0.3, and in Wireshark I see my traffic going through the VPN, but it still uses the router's DNS, and traffic to HTTP sites is not encrypted.
My guess is that the route to the VPN is correct, but when it goes out from the VPN it breaks somewhere and uses the default route.

iptables on host

Code:
#!/bin/bash
# flush all rules and delete user-defined chains in the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# default deny on all built-in chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#allow ssh (only from 192.168.0.12)
iptables -A OUTPUT -o enp2s0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.12 --dport 22 -j ACCEPT
# forward OpenVPN (UDP 1194) arriving on the host address to the VPN VM
iptables -A PREROUTING -t nat -d 192.168.0.15 -p udp --dport 1194 -j DNAT --to 192.168.122.20
iptables -I FORWARD -i enp2s0 -o virbr0 -s 10.8.0.0/24 -d 192.168.122.0/24 -m conntrack --ctstate NEW -j ACCEPT
#iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.122.20-192.168.122.254 -o enp2s0 -j MASQUERADE
#internet only from host
#iptables -A OUTPUT -o enp2s0 -p udp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i enp2s0 -p udp --sport 443 -m state --state ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o enp2s0 -p udp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i enp2s0 -p udp --sport 80 -m state --state ESTABLISHED -j ACCEPT

#allow dns
#iptables -A OUTPUT -p udp -o enp2s0 --dport 53 -j ACCEPT
#iptables -A INPUT -p udp -i enp2s0 --sport 53 -j ACCEPT

# host <-> VM bridge traffic
iptables -A INPUT -i virbr0 -j ACCEPT
iptables -A OUTPUT -o virbr0 -j ACCEPT

#iptables -A PREROUTING -t nat -d 192.168.0.15 -p tcp --dport 80 -j DNAT --to 192.168.122.2
# forwarding between the LAN interface and the VM bridge
iptables -A FORWARD -i enp2s0 -o virbr0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i virbr0 -o enp2s0 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE

#iptables -A PREROUTING -t nat -d 192.168.0.15 -p udp --dport 1194 -j DNAT --to-destination 10.8.0.0/24
# source NAT for the VPN client subnet and for the VM subnet
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.122.20
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o enp2s0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.122.0/24 -o enp2s0 -j MASQUERADE

# earlier attempts, kept commented out
#iptables -I FORWARD -i virbr0 -o enp2s0 -s 192.168.122.0/24 -d 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
#iptables -I FORWARD -i virbr0 -o enp2s0 -s 192.168.122.0/24 -m conntrack --ctstate NEW -j ACCEPT
#iptables -I FORWARD -i enp2s0 -o virbr0 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
#iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#iptables -t nat -I POSTROUTING -o enp2s0 -s 192.168.122.0/24 -j MASQUERADE
#iptables -t nat -I POSTROUTING -o enp2s0 -s 192.168.0.0/24 -j MASQUERADE
route before vpn

Code:
default via 192.168.0.15 dev eth0 proto static metric 100
192.168.0.15 dev eth0 proto static scope link metric 100
192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.20 metric 100

route with vpn

Code:
default via 192.168.0.15 dev eth0 proto static metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
192.168.0.15 dev eth0 proto static scope link metric 100
192.168.122.0/24 dev eth0 proto kernel scope link src 192.168.122.20 metric 100

What I see from this is that the VPN didn't change the default gateway.
If I change the default gateway with ip route add default via 10.8.0.1, my client cannot connect.
I tried with iptables -A PREROUTING -t nat -d 192.168.0.15 -p udp --dport 1194 -j DNAT --to 10.8.0.1

router(192.168.0.1)------->----cent7host------------->centvmvpn(192.168.122.20)
(enp2s0 192.168.0.15)
(virbr0 192.168.122.1)

I changed the DNS manually on the VM and the host system, but the client still uses its own DNS.

Wireshark:

Code:
source      destination
10.8.0.4    83.139.x.x

The source is the OpenVPN IP, so routing to the VPN is correct, but the destination is the client's DNS, not the VPN's.
So routing from the VPN isn't correct and I don't know how to solve this. Today I removed NAT from KVM and put it in bridge mode; same problem.

I spent the last three days trying all combinations of routing to solve this, and I'm out of ideas.

UPDATE

I am now trying to set up OpenVPN on my laptop and connect to it from another laptop.
On my OpenVPN laptop the default gateway is still 192.168.0.1, not changed to the OpenVPN IP. I added push "redirect-gateway def1". So the real problem here is why the OpenVPN server doesn't change the default routing table.

Last edited by end; 10-06-2016 at 05:08 PM. Reason: update
 
Old 10-07-2016, 11:10 AM   #2
end
re

OK, I think I know where the problem is.

When I generated the server certificate I didn't notice that it created a 01.pem file. This is something new. I only added this in my server config:

Code:
ca ca.crt
cert server.cert
key server.key
dh dh2048.pem

Now, how do I add 01.pem to the config file?
 
Old 10-10-2016, 12:13 PM   #3
end
re

Solved.

How:

After being unable to get the Linux client to use the OpenVPN DNS, I tried from a Windows client, and from Windows everything worked: the client used the OpenVPN DNS.

On the Linux client I needed to install the update-resolv-conf script. I installed it from the AUR.
It installed the script in /etc/openvpn.
After that, add these lines to client.conf (Linux only):

Code:
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
After this I got:
Code:
error which: no resolvconf in ((null))
/etc/openvpn/update-resolv-conf: line 56: -x: command not found
How to solve it:

Open update-resolv-conf, find

Code:
RESOLVCONF=$(which resolvconf)
and change it to
Code:
RESOLVCONF=$(type -p resolvconf)

And that is it.

About the "not encrypting" part, where I was thinking that OpenVPN was not encrypting:
I captured packets on the tun0 interface, and when packets are on the tun interface they are unencrypted until they leave the interface.

If you capture on your real interface you will see everything is going over the OpenVPN IP and protocol.
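As an added example (not from the thread or from OpenVPN itself), a POSIX shell check for the two symptoms discussed above: whether every destination is routed via tun0 (a "redirect-gateway def1" push does not replace the default route; it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which win by being more specific) and whether every resolver in resolv.conf is inside the VPN subnet. The `ip route` and resolv.conf samples are constructed; 10.8.0.5 as the def1 gateway and 192.168.0.12 as the laptop address are assumed values modelled on the thread.

```shell
#!/bin/sh
# Added example, not from the thread: decide from `ip route` output whether all
# traffic goes over the tunnel, and from /etc/resolv.conf whether DNS does too.
# Constructed sample inputs (hypothetical addresses modelled on the thread).
ROUTES_NO_VPN='default via 192.168.0.1 dev eth0 proto static metric 100
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.12 metric 100'
ROUTES_DEF1='default via 192.168.0.1 dev eth0 proto static metric 100
0.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.3
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.12 metric 100'
RESOLV_ROUTER='nameserver 192.168.0.1'
RESOLV_VPN='# Generated by update-resolv-conf
nameserver 10.8.0.1'

# vpn_covers_all "<ip route output>" <tun dev>: exit 0 if every destination
# is routed through the tunnel device (a full default route, or both def1 halves).
vpn_covers_all() {
    routes=$1; tun=$2
    if printf '%s\n' "$routes" | grep -Eq "^default .*dev $tun( |\$)"; then
        return 0
    fi
    if printf '%s\n' "$routes" | grep -Eq "^0\.0\.0\.0/1 .*dev $tun( |\$)" &&
       printf '%s\n' "$routes" | grep -Eq "^128\.0\.0\.0/1 .*dev $tun( |\$)"; then
        return 0
    fi
    return 1
}

# dns_via_vpn "<resolv.conf contents>" <prefix>: exit 0 if at least one
# nameserver is configured and every one of them lies inside the VPN prefix.
dns_via_vpn() {
    resolv=$1; prefix=$2
    ns=$(printf '%s\n' "$resolv" | awk '$1 == "nameserver" { print $2 }')
    [ -n "$ns" ] || return 1
    for n in $ns; do
        case $n in
            "$prefix"*) ;;          # e.g. 10.8.0.1 with prefix 10.8.0.
            *) return 1 ;;          # a router/ISP resolver means DNS bypasses the VPN
        esac
    done
    return 0
}

# Stand-alone usage: replace the samples with "$(ip route)" and "$(cat /etc/resolv.conf)".
if vpn_covers_all "$ROUTES_DEF1" tun0 && dns_via_vpn "$RESOLV_VPN" 10.8.0.; then
    echo "sample: routes and DNS go through tun0"
fi
```

OpenVPN only runs up/down scripts such as update-resolv-conf when the client config also sets script-security 2, which the thread does not mention.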