Old 11-22-2021, 09:43 PM   #31
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,548
Blog Entries: 4


When your computer is running an OpenVPN client, a virtual tun0 device will be created and the remote subnet's traffic will be routed through it: this is how traffic originating on your machine enters the tunnel. Your OpenVPN client software sets up all of the necessary routing rules for you. Anything that is sent through this virtual device winds up in the client process's hands, and vice-versa. ("It's magic ...")

Things become more complicated, routing-wise, when a single computer on the network is running the OpenVPN software in order to serve as a router to a remote network ... for use by other clients who do not have to care how the traffic actually gets there. As far as they're concerned, the remote subnet is "simply, available to me." They're not running any special software: they're just sending traffic to some IP-address and it just gets there. They neither know nor care how it gets there.

These are the scenarios that I was describing.

Last edited by sundialsvcs; 11-22-2021 at 09:46 PM.
 
Old 11-22-2021, 11:49 PM   #32
lattimro
Member
 
Registered: Jul 2021
Distribution: SOLARIS-BSD-like, almost Linux-like, some Arch-like, some GENTO-like, some RH-like, some slacky-like
Posts: 176

Original Poster
Quote:
Originally Posted by michaelk View Post
Is the 192.168.1.17 a different physical or virtual machine from the server?

Nowadays most DHCP implementations will try to assign the same IP address, so even though I don't have a reservation in my router, all of my devices always have the same address.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
default         ControlPanel.Ho 0.0.0.0         UG    600    0        0 wlp5s0
Since the metric is lower for tun0 than wlp5s0, traffic should be routed through the openvpn tunnel. Since you can ping over the 10.8.0.0 I would guess it's working. On the same PC it would be hard to tell.
192.168.1.17 is physical, but I tested VMs and got the same results, good.
I monitored the traffic with ifstat while sending packets through tun0/1/2 and they're all good.
 
Old 11-23-2021, 04:36 AM   #33
michaelk
Moderator
 
Registered: Aug 2002
Posts: 22,310

With ip forwarding you should be able to view the cups web page via the 10.x.x.x address. cups needs to be enabled for lan access, but that would show you that the vpn is working. If a firewall is running you might have to allow tun traffic.
 
Old 11-23-2021, 10:39 AM   #34
lattimro
Member
 
Registered: Jul 2021
Distribution: SOLARIS-BSD-like, almost Linux-like, some Arch-like, some GENTO-like, some RH-like, some slacky-like
Posts: 176

Original Poster
Quote:
Originally Posted by michaelk View Post
Since your public IP is in your client.conf for remote, that is what the openvpn client will use as the server address. Did you permanently set net.ipv4.ip_forward in your sysctl.conf or just via /proc? You need to set it in sysctl.conf for it to be configured at boot time. You might have to add some iptables rules to forward traffic through the tun interface.
Persistent forwarding in sysctl.conf is turned off, but /proc/sys/net/ipv4/ip_forward is on, which leads me to the conclusion (and someone with more knowledge than me can confirm) that openvpn-server turns the bit to 1 at boot.
 
Old 11-24-2021, 05:29 PM   #35
lattimro
Member
 
Registered: Jul 2021
Distribution: SOLARIS-BSD-like, almost Linux-like, some Arch-like, some GENTO-like, some RH-like, some slacky-like
Posts: 176

Original Poster
Quote:
Originally Posted by michaelk View Post
With ip forwarding you should be able to view the cups web page via the 10.x.x.x address. cups needs to be enabled for lan access, but that would show you that the vpn is working. If a firewall is running you might have to allow tun traffic.
localhost:631 is OK, but 10.8.0.1:631 and 10.8.0.2:631 refuse to connect.

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ControlPanel.Ho 0.0.0.0         UG    100    0        0 enp4s0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp4s0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 enp4s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
Magically the 128 subnet disappeared.

As far as I can understand, tun0 is the server and tun1 is the openvpn@client (started at boot). I disabled openvpn-server@client because it tried to connect every few seconds and errored.

And ping to 10.8.0.1 and 10.8.0.2 is OK.

Also, for the first time, ping to 8.8.8.8 was not dropped when tun1 connected. I do not know if this is good or bad; I am still trying to understand the magic.

Thanks!

Last edited by lattimro; 11-25-2021 at 07:42 AM.
 
Old 11-25-2021, 11:34 AM   #36
lattimro
Member
 
Registered: Jul 2021
Distribution: SOLARIS-BSD-like, almost Linux-like, some Arch-like, some GENTO-like, some RH-like, some slacky-like
Posts: 176

Original Poster
Quote:
Originally Posted by wpeckham View Post
Look for the address of the OpenVPN server node.
I hope that helps.
I wish I knew where to look. Where? Is that the local IP in server.conf?
 
Old 11-25-2021, 12:00 PM   #37
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDo, tinycore, Q4OS,Manjaro
Posts: 4,183

Quote:
Originally Posted by lattimro View Post
I wish I knew where to look. Where? Is that the local IP in server.conf?
INSIDE the OpenVPN server guest, run
Code:
ip address
Report or record the IPv4 "inet" value; there may be more than one. If there is only one (or only one that is not loopback: not 127.0.0.1), use that.
 
Old 12-03-2021, 04:28 PM   #38
lattimro
Member
 
Registered: Jul 2021
Distribution: SOLARIS-BSD-like, almost Linux-like, some Arch-like, some GENTO-like, some RH-like, some slacky-like
Posts: 176

Original Poster
Quote:
Originally Posted by wpeckham View Post
INSIDE the OpenVPN server guest, run
Code:
ip address
Report or record the IPv4 "inet" value; there may be more than one. If there is only one (or only one that is not loopback: not 127.0.0.1), use that.
What is the OpenVPN server guest?

Last edited by lattimro; 12-03-2021 at 04:58 PM.
 
Old 12-04-2021, 12:24 AM   #39
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDo, tinycore, Q4OS,Manjaro
Posts: 4,183

Quote:
Originally Posted by lattimro View Post
What is the OpenVPN server guest?
Never mind. I was thinking you had virtual nodes.
I do not believe that you can, having a node connect back to itself in a loopback VPN, ever verify that your configuration would work if the server and client were separate or on separate networks (which is what a VPN is really for).
 
Old 12-04-2021, 12:20 PM   #40
lattimro
Member
 
Registered: Jul 2021
Distribution: SOLARIS-BSD-like, almost Linux-like, some Arch-like, some GENTO-like, some RH-like, some slacky-like
Posts: 176

Original Poster
Quote:
Originally Posted by wpeckham View Post
Never mind. I was thinking you had virtual nodes.
I do not believe that you can, having a node connect back to itself in a loopback VPN, ever verify that your configuration would work if the server and client were separate or on separate networks (which is what a VPN is really for).
I see now what you meant by 'server guest'. No, the server is on a physical machine, but the clients could be on VM guests. I gave up the localhost VPN client. The client on the same subnet is raising tun0 10.8.0.3, but I do not know how to check the tunnel.

Last edited by lattimro; 12-04-2021 at 03:36 PM.
 
Old 12-04-2021, 05:22 PM   #41
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDo, tinycore, Q4OS,Manjaro
Posts: 4,183

Quote:
Originally Posted by lattimro View Post
I see now what you meant by 'server guest'. No, the server is on a physical machine, but the clients could be on VM guests. I gave up the localhost VPN client. The client on the same subnet is raising tun0 10.8.0.3, but I do not know how to check the tunnel.
Do you have the same or different user accounts on the two ends? Just curious.

Do you know how to execute a command on a remote node and see the result using ssh?
On mine I would run the commands:
Code:
whoami;ssh billpk@10.0.250.9 whoami
because my remote server is at 10.0.250.9 and I use the account billpk on that node. I already have ssh keys set up so I do not need to enter a password, but the commands would look just the same if a password was needed. The output might look like
Quote:
william
billpk
If it failed, the error might be educational.

I am not on the 10.0.250.x subnet (and that is not the real subnet anyway) so I can ONLY access that node via a VPN.
In your case I am unsure if the test will be valid. Having nodes that are local to each other WITHOUT the VPN makes a VPN not really useful. It also makes it a bit challenging to consider a simple, easy, quick test to see if it is working.
 
Old 12-05-2021, 12:29 PM   #42
lattimro
Member
 
Registered: Jul 2021
Distribution: SOLARIS-BSD-like, almost Linux-like, some Arch-like, some GENTO-like, some RH-like, some slacky-like
Posts: 176

Original Poster
Quote:
Originally Posted by wpeckham View Post
Do you have the same or different user accounts on the two ends? Just curious.

Do you know how to execute a command on a remote node and see the result using ssh?
On mine I would run the commands:
Code:
whoami;ssh billpk@10.0.250.9 whoami
because my remote server is at 10.0.250.9 and I use the account billpk on that node. I already have ssh keys set up so I do not need to enter a password, but the commands would look just the same if a password was needed. The output might look like
Quote:
william
billpk
If it failed, the error might be educational.

I am not on the 10.0.250.x subnet (and that is not the real subnet anyway) so I can ONLY access that node via a VPN.
In your case I am unsure if the test will be valid. Having nodes that are local to each other WITHOUT the VPN makes a VPN not really useful. It also makes it a bit challenging to consider a simple, easy, quick test to see if it is working.
I can ssh from each end. Below is from the client to the VPN server:
Code:
whoami;ssh brad@10.8.0.1 whoami
brad
brad@10.8.0.1's password: 
brad
From the VPN server (10.8.0.1); syeno/192.168.1.18 is the VPN client which created tun0/10.8.0.3:

Code:
● openvpn-server@server.service - OpenVPN service for server
     Loaded: loaded (/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-12-05 13:26:50 EST; 1min 44s ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
   Main PID: 149716 (openvpn)
     Status: "Initialization Sequence Completed"
      Tasks: 1 (limit: 4494)
     Memory: 1.0M
        CPU: 124ms
     CGroup: /system.slice/system-openvpn\x2dserver.slice/openvpn-server@server.service
             └─149716 /usr/sbin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --confi>

Dec 05 13:27:52 zika openvpn[149716]: 192.168.1.18:53806 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Dec 05 13:27:52 zika openvpn[149716]: 192.168.1.18:53806 [syeno] Peer Connection Initiated with [AF_INET]192.168.1.18:53806
Dec 05 13:27:52 zika openvpn[149716]: syeno/192.168.1.18:53806 MULTI_sva: pool returned IPv4=10.8.0.3, IPv6=(Not enabled)
Dec 05 13:27:52 zika openvpn[149716]: syeno/192.168.1.18:53806 MULTI: Learn: 10.8.0.3 -> syeno/192.168.1.18:53806
Dec 05 13:27:52 zika openvpn[149716]: syeno/192.168.1.18:53806 MULTI: primary virtual IP for syeno/192.168.1.18:53806: 10.8.0.3
Dec 05 13:27:52 zika openvpn[149716]: syeno/192.168.1.18:53806 Data Channel: using negotiated cipher 'AES-256-GCM'
Dec 05 13:27:52 zika openvpn[149716]: syeno/192.168.1.18:53806 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Dec 05 13:27:52 zika openvpn[149716]: syeno/192.168.1.18:53806 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Dec 05 13:27:53 zika openvpn[149716]: syeno/192.168.1.18:53806 PUSH: Received control message: 'PUSH_REQUEST'
Dec 05 13:27:53 zika openvpn[149716]: syeno/192.168.1.18:53806 SENT CONTROL [syeno]: 'PUSH_REPLY,dhcp-option DNS 1.1.1.1,dhcp-option DN>

Last edited by lattimro; 12-05-2021 at 01:33 PM.
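Server-side, the journal lines in the status output above already answer "how do I check the tunnel": a client that got a pool address and a negotiated data-channel cipher is connected. The following Python is an added example (not code from the thread); it parses a constructed copy of those lines, plus a hypothetical second client (laptop2 from 192.168.1.25:41000, invented here) that stalls after the TLS handshake, so the two states can be told apart.

```python
import re

# Constructed journal excerpt in the format of the openvpn-server status output
# posted above, plus a second, hypothetical client (laptop2, 192.168.1.25:41000)
# that authenticated but never reached the data channel.
SERVER_LOG = """\
Dec 05 13:27:52 zika openvpn[149716]: 192.168.1.18:53806 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Dec 05 13:27:52 zika openvpn[149716]: 192.168.1.18:53806 [syeno] Peer Connection Initiated with [AF_INET]192.168.1.18:53806
Dec 05 13:27:52 zika openvpn[149716]: syeno/192.168.1.18:53806 MULTI_sva: pool returned IPv4=10.8.0.3, IPv6=(Not enabled)
Dec 05 13:27:52 zika openvpn[149716]: syeno/192.168.1.18:53806 MULTI: Learn: 10.8.0.3 -> syeno/192.168.1.18:53806
Dec 05 13:27:52 zika openvpn[149716]: syeno/192.168.1.18:53806 Data Channel: using negotiated cipher 'AES-256-GCM'
Dec 05 13:30:01 zika openvpn[149716]: 192.168.1.25:41000 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Dec 05 13:30:01 zika openvpn[149716]: 192.168.1.25:41000 [laptop2] Peer Connection Initiated with [AF_INET]192.168.1.25:41000
"""

# One pattern per event of interest; each is keyed by the peer's real ip:port.
PREFIX = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ")
EVENTS = {
    "tls":    re.compile(r"^(?P<peer>\S+:\d+) Control Channel: (?P<value>TLSv[\d.]+),"),
    "cn":     re.compile(r"^(?P<peer>\S+:\d+) \[(?P<value>[^\]]+)\] Peer Connection Initiated"),
    "vpn_ip": re.compile(r"^\S+/(?P<peer>\S+:\d+) MULTI_sva: pool returned IPv4=(?P<value>[^,]+),"),
    "cipher": re.compile(r"^\S+/(?P<peer>\S+:\d+) Data Channel: using negotiated cipher '(?P<value>[^']+)'"),
}

def parse_sessions(log):
    """Collect per-peer facts from the journal: {real_addr: {field: value}}."""
    sessions = {}
    for line in log.splitlines():
        msg = PREFIX.sub("", line, count=1)  # strip the syslog-style prefix
        for field, pattern in EVENTS.items():
            m = pattern.match(msg)
            if m:
                sessions.setdefault(m["peer"], {})[field] = m["value"]
                break
    return sessions

def established_clients(log):
    """Only peers that got a pool address AND a data-channel cipher have a
    working tunnel; a client stuck after the TLS handshake is listed separately."""
    up, stuck = {}, []
    for peer, s in parse_sessions(log).items():
        if "vpn_ip" in s and "cipher" in s:
            up[s.get("cn", peer)] = (s["vpn_ip"], s.get("tls", "?"), s["cipher"])
        else:
            stuck.append(s.get("cn", peer))
    return up, stuck

if __name__ == "__main__":
    up, stuck = established_clients(SERVER_LOG)
    for cn, (vpn_ip, tls, cipher) in up.items():
        print(f"{cn}: {vpn_ip} ({tls}, {cipher})")
    print("not established:", stuck)
```

On a live server the same parser can be fed `journalctl -u openvpn-server@server` output; the "stuck" list is where a firewall dropping tun traffic or a failed PUSH would show up.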
 
Old 12-05-2021, 02:48 PM   #43
lattimro
Member
 
Registered: Jul 2021
Distribution: SOLARIS-BSD-like, almost Linux-like, some Arch-like, some GENTO-like, some RH-like, some slacky-like
Posts: 176

Original Poster
I started over, in a nutshell this is what I did:
server (192.168.1.4)

- ./openvpn-install.sh
- on server tun0 created 10.8.0.1
- add a remote client (192.168.1.18)

client (192.168.1.18)
- installed openvpn on client
- scp client.ovpn to client's /etc/openvpn/client.conf
- on client tun0 created 10.8.0.2
- changed /etc/openvpn/client.conf from public to local 192.168.1.4

- restart server and client, no errors

on client:

systemctl status openvpn@client

Code:
● openvpn@client.service - OpenVPN connection to client
     Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled-runtime; vendor preset: enabled)
     Active: active (running) since Sun 2021-12-05 15:27:27 EST; 25min ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
   Main PID: 1055 (openvpn)
     Status: "Initialization Sequence Completed"
      Tasks: 1 (limit: 1079)
     Memory: 1.9M
     CGroup: /system.slice/system-openvpn.slice/openvpn@client.service
             └─1055 /usr/sbin/openvpn --daemon ovpn-client --status /run/openvpn/client.status 10 --cd /etc/openvpn --script-security 2>

Dec 05 15:27:28 syeno ovpn-client[1055]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp5s0 HWADDR=b4:82:fe:e4:de:a5
Dec 05 15:27:28 syeno ovpn-client[1055]: TUN/TAP device tun0 opened
Dec 05 15:27:28 syeno ovpn-client[1055]: TUN/TAP TX queue length set to 100
Dec 05 15:27:28 syeno ovpn-client[1055]: /sbin/ip link set dev tun0 up mtu 1500
Dec 05 15:27:28 syeno ovpn-client[1055]: /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Dec 05 15:27:28 syeno ovpn-client[1055]: /sbin/ip route add 192.168.1.4/32 dev wlp5s0
Dec 05 15:27:29 syeno ovpn-client[1055]: /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Dec 05 15:27:29 syeno ovpn-client[1055]: /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Dec 05 15:27:29 syeno ovpn-client[1055]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to pr>
Dec 05 15:27:29 syeno ovpn-client[1055]: Initialization Sequence Completed
and:

root@syeno:/home/brad# route
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
default         ControlPanel.Ho 0.0.0.0         UG    600    0        0 wlp5s0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 wlp5s0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp5s0
zika.gattaca.ne 0.0.0.0         255.255.255.255 UH    0      0        0 wlp5s0

Last edited by lattimro; 12-06-2021 at 10:34 AM.
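The client routing table just posted (and the one quoted in post #32) is the client-side tunnel check. The following Python is an added example, not code from the thread: it re-implements the kernel's route selection over a `route -n` style copy of that table (the gateway 192.168.1.1 and the 192.168.1.4/32 host route are taken from the ovpn-client log lines above; everything else is as posted) and shows that the two /1 routes via 10.8.0.1 win for Internet destinations by prefix length, while the server's own address and the LAN stay on wlp5s0.

```python
import ipaddress

# Constructed `route -n` style copy of the client routing table posted above;
# gateway 192.168.1.1 and the /32 host route for the server 192.168.1.4 come
# from the ovpn-client log lines (ROUTE_GATEWAY, "ip route add 192.168.1.4/32").
CLIENT_ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    600    0        0 wlp5s0
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlp5s0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp5s0
192.168.1.4     0.0.0.0         255.255.255.255 UH    0      0        0 wlp5s0
"""

def parse_route_table(text):
    """Turn `route -n` output into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines()[2:]:  # skip the two header lines
        dest, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        routes.append((ipaddress.IPv4Network((dest, mask)), gw, int(metric), iface))
    return routes

def lookup(routes, dst):
    """Kernel forwarding rule: longest prefix wins, metric only breaks ties.
    Returns (iface, gateway), or None when no route matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    _net, gw, _metric, iface = min(matches, key=lambda r: (-r[0].prefixlen, r[2]))
    return iface, gw

def full_tunnel_active(routes, tun="tun0"):
    """True when 0.0.0.0/1 and 128.0.0.0/1 both point at one gateway on the tun
    device: OpenVPN's redirect-gateway def1 pattern, which beats the /0 default
    by prefix length instead of deleting it."""
    halves = {str(net): gw for net, gw, _m, iface in routes
              if iface == tun and net.prefixlen == 1}
    return set(halves) == {"0.0.0.0/1", "128.0.0.0/1"} and len(set(halves.values())) == 1

if __name__ == "__main__":
    table = parse_route_table(CLIENT_ROUTE_TABLE)
    print("redirect-gateway def1 in effect:", full_tunnel_active(table))
    for dst in ("8.8.8.8", "10.8.0.1", "192.168.1.4", "192.168.1.1"):
        print(f"{dst:>12} -> {lookup(table, dst)}")
```

Without the two /1 routes (the "128 subnet" that disappeared in post #35) the same lookup sends 8.8.8.8 out wlp5s0 via 192.168.1.1, i.e. around the tunnel, which is the failure mode to watch for.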
 
  

