01-11-2013, 03:36 AM
|
#1
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Rep: 
|
OpenVPN struggles
I've got some problems with my OpenVPN setup.
The Setup:
-> Ubuntu Server 12.04
-> Two active NICs: eth0 (default): 192.168.1.0/24
eth1: x.x.x.x (external ip)
I've managed to get the routing to work so I can connect to the outside world with the eth1 NIC.
Code:
holmen@filserver:~$ ping -I eth1 -c 3 www.linuxquestions.org
PING www.linuxquestions.org (75.126.162.205) from 192.168.1.2 eth1: 56(84) bytes of data.
64 bytes from www.linuxquestions.org (75.126.162.205): icmp_req=1 ttl=50 time=133 ms
64 bytes from www.linuxquestions.org (75.126.162.205): icmp_req=2 ttl=50 time=133 ms
64 bytes from www.linuxquestions.org (75.126.162.205): icmp_req=3 ttl=50 time=133 ms
--- www.linuxquestions.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 133.281/133.336/133.379/0.423 ms
One curious thing is the "from ip #". It says "from 192.168.1.2 eth1" but that IP is the server's IP on the eth0 iface.
Netstat:
Code:
holmen@filserver:~$ netstat -anr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
x.x.x.x         0.0.0.0         255.255.128.0   U         0 0          0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
But here comes the real problem:
When setting up openvpn with the option "local x.x.x.x (eth1 ext ip)" it still tunnels the eth0 interface. And I can't understand why.
OpenVPN settings:
Code:
client
dev tap
proto udp
local x.x.x.x
remote openvpn.anonine.net 1194
remote openvpn.anonine.net 1195
remote openvpn-2.anonine.net 1196
remote openvpn-2.anonine.net 1197
remote openvpn-3.anonine.net 1198
remote openvpn-3.anonine.net 1199
remote openvpn-4.anonine.net 1200
remote openvpn-4.anonine.net 1201
remote-random
resolv-retry infinite
auth-user-pass
persist-key
persist-tun
ca anonine.ca.crt
ns-cert-type server
comp-lzo
reneg-sec 0
verb 3
Netstat (tunnel active):
Code:
holmen@filserver:~$ netstat -anr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         46.246.20.129   128.0.0.0       UG        0 0          0 tap0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
x.x.x.x         0.0.0.0         255.255.128.0   U         0 0          0 eth1
46.246.20.128   0.0.0.0         255.255.255.128 U         0 0          0 tap0
80.67.8.222     192.168.1.1     255.255.255.255 UGH       0 0          0 eth0
128.0.0.0       46.246.20.129   128.0.0.0       UG        0 0          0 tap0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
Anyone got any ideas?
Last edited by junkyhlm; 01-15-2013 at 12:44 AM.
|
|
|
01-14-2013, 09:01 AM
|
#2
|
Member
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178
Rep:
|
Ubuntu network manager is unreliable in my experience. Last I tried using it was about 18 months ago, so it might be fixed, but I was getting errors where an interface fails to come up or isn't seen. I am running with a manual setup since then, without any issues.
On a separate note, Ubuntu is a desktop distribution and to me Ubuntu Server is an oxymoron. I use Debian for servers, which is essentially the same OS but changed less often and more stable.
To help provide a better picture of your setup, run and post the output of:
(you might want to edit any public IP addresses, not a good idea to publish them)
ifconfig
ip route show table all
ip rule show
iptables -t nat -L -v -n
Nik
|
|
|
01-16-2013, 08:21 AM
|
#3
|
Senior Member
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323
Rep: 
|
A little confused by what is going on, but I think part of it has to do with the order that the NICs are being brought up. But on reconsideration, looking at your routing table, it appears your default route is set to go through that interface, which would explain why it is coming from there. You've got your routes all jugged up. I would go back to basics: to start, shut down the OpenVPN connections, remove any routes you've added and add a default route, then bring your OpenVPN connections back up and let them write their entries to the routing table, then perhaps post the output again and go from there.
|
|
|
01-17-2013, 03:30 AM
|
#4
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Original Poster
Rep: 
|
Thank you for your post, but after consulting the community support of OpenVPN I've concluded that this is pretty much impossible.
|
|
|
01-17-2013, 06:57 AM
|
#5
|
Senior Member
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323
Rep: 
|
Sorry you couldn't accomplish what you wanted to do, however, I'm still not clear on what it was you wanted to do.
|
|
|
01-17-2013, 07:27 AM
|
#6
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Original Poster
Rep: 
|
Quote:
Originally Posted by scheidel21
Sorry you couldn't accomplish what you wanted to do, however, I'm still not clear on what it was you wanted to do.
|
This is what i tried to accomplish:
I have a server running with apache2, rtorrent and ssh as the main applications that need connection to the outside world. I have tried for some time now to separate my applications' connections over 2 separate NICs (eth0 and eth1). My main goal in this was to have a VPN tunnel to an anonymizer service (Anonine.com) running only on one NIC, eth1 to be exact. I get 2 separate external IPs from my ISP and I have got the two NICs to work as they should.
So my setup would look something like the attached image.
And then have only rtorrent running via the VPN tunnel on eth1 since i don't want to hide the ip of my apache2 and ssh servers.
And there's my problem..
|
|
|
01-17-2013, 07:35 AM
|
#7
|
Senior Member
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323
Rep: 
|
This can't be done in the OpenVPN configuration, but this might be able to be accomplished using either iptables (prevent rtorrent traffic from going out the non-VPN interface) or iproute2 (http://lartc.org/howto/lartc.iproute2.html); it's used for advanced routing, like ensuring traffic coming in on one interface goes out the same interface it came in, regardless of routing table. Also you might take a look at this: http://libtorrent.rakshasa.no/ticket/1809. It looks like someone created a way you could bind rtorrent to a specific interface, which would accomplish what you want as well.
|
|
|
01-17-2013, 07:52 AM
|
#8
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Original Poster
Rep: 
|
Quote:
Originally Posted by scheidel21
This can't be done in the OpenVPN configuration, but this might be able to be accomplished using either iptables (prevent rtorrent traffic from going out the non-VPN interface) or iproute2 (http://lartc.org/howto/lartc.iproute2.html); it's used for advanced routing, like ensuring traffic coming in on one interface goes out the same interface it came in, regardless of routing table. Also you might take a look at this: http://libtorrent.rakshasa.no/ticket/1809. It looks like someone created a way you could bind rtorrent to a specific interface, which would accomplish what you want as well.
|
Thank you for your input, but that's not the problem. The problem is that the openvpn tunnel chooses the eth0 interface to be tunneled. When getting help from the community support @ #openvpn we tried many possible solutions with --up scripts and ip variables but nothing works.
Thank you for the tip on binding rtorrent to an interface. I have used "bind x.x.x.x" (eth1 ip) in my .rtorrent.rc.
|
|
|
01-17-2013, 07:55 AM
|
#9
|
Senior Member
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323
Rep: 
|
Well, if it is binding to eth0 because it is the lower NIC, you could try editing the udev rules and switching the interface names: http://www.novell.com/support/kb/doc.php?id=3012993
|
|
|
01-17-2013, 08:00 AM
|
#10
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Original Poster
Rep: 
|
Quote:
Originally Posted by scheidel21
|
Thank you! I thought of this way back but thought it was too simple to be true. Will try this tonight!
|
|
|
01-17-2013, 08:00 AM
|
#11
|
Senior Member
Registered: Feb 2003
Location: CT
Distribution: Debian 6+, CentOS 5+
Posts: 1,323
Rep: 
|
If you edit interface names and use static settings, you will need to edit those as well.
|
|
|
01-17-2013, 08:21 AM
|
#12
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Original Poster
Rep: 
|
Quote:
Originally Posted by scheidel21
If you edit interface names and use static settings, you will need to edit those as well.
|
Yeah ofc. But I'll just change eth0 -> 1 and vice versa in /etc/network/interfaces
|
|
|
01-17-2013, 02:01 PM
|
#13
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Original Poster
Rep: 
|
Quote:
Originally Posted by scheidel21
If you edit interface names and use static settings, you will need to edit those as well.
|
Nope, tested your solution and it's no good. It still tunnels eth0 since the default route on the main table is the eth0 NIC.
|
|
|
01-18-2013, 12:22 AM
|
#15
|
Member
Registered: Jan 2013
Location: Stockholm, Sweden
Distribution: Debian 6
Posts: 37
Original Poster
Rep: 
|
Quote:
Originally Posted by scheidel21
|
I have tried this. It doesn't work. It still chooses the NIC#1 ip. I think it worked for the other guy because he is connecting to the same gateway.
Output when starting openvpn:
Quote:
Fri Jan 18 07:20:13 2013 ROUTE default_gateway=192.168.1.1
|
That is the NIC#1 gateway.
|
|
|
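Added example (not part of the thread and not code from any poster): a simplified Python model of Linux route selection run over the "tunnel active" routing table from post #1. It shows why packets to the VPN server still leave via eth0 even when OpenVPN's socket is bound with "local", and how a source-based rule of the kind iproute2 provides changes the lookup. The eth1 address 203.0.113.10, its gateway 203.0.113.1 and table number 100 are constructed stand-ins, since the page redacts the real values.

```python
import ipaddress

# Main table copied from the thread's "tunnel active" netstat output. eth1's
# address is redacted (x.x.x.x) there; 203.0.113.0/24 is a constructed stand-in.
MAIN = [
    ("0.0.0.0/1",        "46.246.20.129", "tap0"),
    ("0.0.0.0/0",        "192.168.1.1",   "eth0"),
    ("203.0.113.0/24",   None,            "eth1"),
    ("46.246.20.128/25", None,            "tap0"),
    ("80.67.8.222/32",   "192.168.1.1",   "eth0"),
    ("128.0.0.0/1",      "46.246.20.129", "tap0"),
    ("192.168.1.0/24",   None,            "eth0"),
]

# Hypothetical table 100, as `ip route add default via 203.0.113.1 dev eth1
# table 100` would create it; the eth1 gateway 203.0.113.1 is an assumption.
TABLE_100 = [("0.0.0.0/0", "203.0.113.1", "eth1")]


def match(table, dst):
    """Longest-prefix match in one table: return (gateway, iface) or None."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), gw, dev) for n, gw, dev in table
            if dst in ipaddress.ip_network(n)]
    if not hits:
        return None
    _, gw, dev = max(hits, key=lambda h: h[0].prefixlen)
    return gw, dev


def lookup(dst, src=None, rules=()):
    """Consult source-based policy rules first, then fall back to the main table."""
    for prefix, table in rules:
        if src and ipaddress.ip_address(src) in ipaddress.ip_network(prefix):
            hit = match(table, dst)
            if hit:
                return hit
    return match(MAIN, dst)


VPN_SERVER = "80.67.8.222"   # host route OpenVPN installed (from the page)
ETH1_IP = "203.0.113.10"     # constructed stand-in for the redacted eth1 address
# Models `ip rule add from 203.0.113.10 table 100`
RULES = [("203.0.113.10/32", TABLE_100)]

if __name__ == "__main__":
    print("no rule, bound to eth1 IP:  ", lookup(VPN_SERVER, src=ETH1_IP))
    print("with rule, bound to eth1 IP:", lookup(VPN_SERVER, src=ETH1_IP, rules=RULES))
    print("with rule, other traffic:   ", lookup("75.126.162.205", src="192.168.1.2", rules=RULES))
```

Without a rule, the /32 host route to the VPN server wins and points at 192.168.1.1 on eth0 regardless of the bound source address, which matches the "ROUTE default_gateway=192.168.1.1" line in post #15.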
All times are GMT -5.