[Solved] OpenVPN packets are going only in one direction.

bryn1u

Well-Known Member

Thanks: 9
Messages: 336

#1
Hey,

I think I read the whole internet to solve my problem, but I can't understand what is going on.
I have configured OpenVPN like others do. I can connect from my laptop to the server, but I can't go any further. I can't do anything more, for example view a website.
My connection from the laptop client looks good:
Code:
....
Sun Feb 18 00:35:58 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Feb 18 00:35:58 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Feb 18 00:35:58 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Feb 18 00:35:58 2018 ROUTE_GATEWAY 192.168.8.1/255.255.255.0 IFACE=wlan0 HWADDR=a4:34:d9:46:c0:44
Sun Feb 18 00:35:58 2018 TUN/TAP device tun0 opened
Sun Feb 18 00:35:58 2018 TUN/TAP TX queue length set to 100
Sun Feb 18 00:35:58 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Feb 18 00:35:58 2018 /sbin/ip link set dev tun0 up mtu 1500
Sun Feb 18 00:35:58 2018 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Sun Feb 18 00:35:58 2018 /sbin/ip route add 91.121.78.120/32 via 192.168.8.1
Sun Feb 18 00:35:58 2018 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Sun Feb 18 00:35:58 2018 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Sun Feb 18 00:35:58 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Sun Feb 18 00:35:58 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Feb 18 00:35:58 2018 Initialization Sequence Completed
I can ping 10.8.0.1
Code:
bryn1u@laptop:~$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=186 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=83.a8 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=155 ms
And that's all. When I'm trying to go to google.pl, the site is freezing and waiting, waiting ....
rc.conf
Code:
gateway_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
tcpdump
Code:
root@BSD:~ # tcpdump -i em0 -n -l port 1194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:30:25.751745 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 64
00:30:25.851860 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:26.091831 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:26.871860 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:27.131810 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:28.898794 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:29.151858 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:29.691867 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:31.530315 IP 46.215.82.205.35467 > 91.121.78.120.1194: UDP, length 54
00:30:32.131735 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 76
00:30:33.011802 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:33.251820 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:33.271735 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:34.271837 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:34.811817 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:34.818691 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:35.896143 IP 91.121.78.120.1194 > 46.215.82.205.32848: UDP, length 37 - 1)
00:30:36.211897 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 64
00:30:36.291780 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:40.431782 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:41.211750 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:41.471936 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:44.711958 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:44.971849 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:45.711854 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:45.711971 IP 91.121.78.120.1194 > 46.215.82.205.32848: UDP, length 37 - 2)
00:30:45.731934 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:45.971966 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
It looks like packets are going only in one direction except those 2 (hurray!).
I used some ipfw nat rules similar to these and it worked for a while:
It's only an example.
Code:
ipfw nat 1 config if epair0b
ipfw add nat 1 all from 10.8.0.0/24 to any out via epair0b
ipfw add nat 1 all from any to any in via epair0b
I turned the firewall, I was trying many configurations with pf/nat but it doesn't work :(
Can someone tell me what is going on with this? Why can't I use normal routing? What am I doing wrong?
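An added example (not part of the thread) that turns the tcpdump observation above into a repeatable check: it tallies a capture by direction relative to the VPN server socket and flags a flow where the server answers fewer than half of the packets it receives. It assumes tcpdump's default `-n` line format (`HH:MM:SS.usec IP src.port > dst.port: ...`); the sample capture is constructed from a few lines of the one in the post, and the "fewer than half" threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: tally a tcpdump capture by direction
# relative to the VPN server socket so one-way traffic stands out.
# Assumes tcpdump "-n" output lines of the form:
#   HH:MM:SS.usec IP src.port > dst.port: UDP, length N

SERVER_SOCK="91.121.78.120.1194"

# Constructed sample, trimmed from the capture in the post (6 in, 2 out).
SAMPLE_CAPTURE='00:30:25.751745 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 64
00:30:25.851860 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:26.091831 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:26.871860 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:35.896143 IP 91.121.78.120.1194 > 46.215.82.205.32848: UDP, length 37
00:30:36.211897 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 64
00:30:44.711958 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:45.711971 IP 91.121.78.120.1194 > 46.215.82.205.32848: UDP, length 37'

# tally SERVER_SOCK  (capture on stdin) -> prints "in=N out=M"
# "in" counts packets addressed to the server socket, "out" packets sent by it.
tally() {
    awk -v s="$1" '
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)   # strip the trailing ":" tcpdump prints
            if (dst == s) in_n++
            else if (src == s) out_n++
        }
        END { printf "in=%d out=%d\n", in_n, out_n }'
}

# one_way SERVER_SOCK  (capture on stdin) -> exit 0 when the flow is
# suspiciously asymmetric: packets arrive but fewer than half get an answer
# (threshold is an assumption chosen for this example).
one_way() {
    sock="$1"
    set -- $(tally "$sock" | tr '=' ' ')   # -> "in N out M": $2 = N, $4 = M
    [ "$2" -gt 0 ] && [ $(( $4 * 2 )) -lt "$2" ]
}

# Stand-alone demo on the constructed sample. On a live server:
#   tcpdump -i em0 -n -l port 1194 | tally 91.121.78.120.1194
printf '%s\n' "$SAMPLE_CAPTURE" | tally "$SERVER_SOCK"
if printf '%s\n' "$SAMPLE_CAPTURE" | one_way "$SERVER_SOCK"; then
    echo "mostly one-way: check ip forwarding, NAT and the pf rules on the server"
fi
```

The tally only tells you that replies are missing on the external interface; where they are lost (forwarding off, no NAT for the tunnel subnet, or a pf rule dropping them) still has to be checked on the server itself.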
 
bryn1u

#3
What server, and what configuration do you have there?
I think there is nothing special, but here it is. FreeBSD 11, OpenVPN server:
Code:
port 1194
proto udp

dev tun

ca ca.crt
cert server.crt
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

keepalive 10 120
cipher AES-256-CBC

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log
verb 3
explicit-exit-notify 1
key-direction 0
From server:
Code:
root@BSD:~ # ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet 10.8.0.1 --> 10.8.0.2  netmask 0xffffffff 
    nd6 options=43<PERFORMNUD,ACCEPT_RTADV,NO_RADR>
    groups: tun 
    Opened by PID 9455
root@BSD:~ #
rc.conf
Code:
# Network configuration (IPv4)
ifconfig_em0="inet 91.121.78.120 netmask 255.255.255.0 broadcast 91.121.78.255"
defaultrouter="91.121.78.254"

# Network configuration (IPv6)
ifconfig_em0_ipv6="inet6 2001:41d0:0001:8378:: prefixlen 64 accept_rtadv no_radr"
ipv6_network_interfaces="em0"
ipv6_default_interface="em0"
ipv6_defaultrouter="2001:41d0:0001:83ff:ff:ff:ff:ff"
ipv6_route_ovhgw="2001:41d0:0001:83ff:ff:ff:ff:ff -prefixlen 128 -interface em0"
ipv6_static_routes="ovhgw"

# Various options
dumpdev="AUTO"
clear_tmp_enable="YES"
accounting_enable="YES"

# Daemons
ntpd_enable="YES"
sshd_enable="YES"
#local_unbound_enable="YES"

hostname="BSD"

# Sendmail
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# TMP_Clear
clear_tmp_enable="YES"

# Jail
jail_enable="YES"

# mac_bsdextended
ugidfw_enable="YES"
bsdextended_script="/etc/bsdextended"

cloned_interfaces="lo1"
ipv4_addrs_lo1="192.168.0.1-3/29"
ipv4_addrs_em0="79.137.56.144/32 79.137.46.236/32 178.32.60.216/32 188.165.137.101/32 213.32.63.103/32"

secadm_enable="YES"

gateway_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
 
bryn1u

#4
Never mind.

This resolved the problem.
Code:
nat on em0 inet from 10.8.0.0/24 to any -> em0
pass out on tun0 from any to any
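An added example, not the poster's configuration, showing why those two pf lines fixed it: a `redirect-gateway` OpenVPN server on FreeBSD needs IP forwarding on (`gateway_enable="YES"`), a `nat` rule so packets from the tunnel subnet leave `em0` with a routable source address, and pf `pass` rules for the tunnel if the ruleset blocks by default. The script checks a pf.conf-style ruleset and a `sysctl` line as text so it runs offline; interface and subnet names follow the thread, and the `pass in on tun0` rule is an assumption added here (the post's fix has only the `nat` and `pass out` lines).

```shell
#!/bin/sh
# Added example, not the poster's configuration: check the pieces a FreeBSD
# OpenVPN server needs before "redirect-gateway" clients can reach the internet
# through it. Reads a pf.conf-style ruleset and sysctl output as text.
# Interface and subnet follow the thread (em0, tun0, 10.8.0.0/24); the
# "pass in on tun0" rule is an assumption added here.

VPN_NET="10.8.0.0/24"
EXT_IF="em0"
TUN_IF="tun0"

# Constructed ruleset in the shape the last post settled on.
# In pf.conf, translation (nat) rules must come before filter (pass) rules.
PF_RULES="nat on $EXT_IF inet from $VPN_NET to any -> $EXT_IF
pass in on $TUN_IF from $VPN_NET to any
pass out on $TUN_IF from any to any"

# forwarding_enabled SYSCTL_LINE -> 0 if net.inet.ip.forwarding is 1
# (gateway_enable="YES" sets it at boot; on a live box pass
#  "$(sysctl net.inet.ip.forwarding)", which prints "net.inet.ip.forwarding: 1")
forwarding_enabled() {
    printf '%s\n' "$1" | grep -Eq '^net\.inet\.ip\.forwarding: *1$'
}

# has_nat RULES NET IF -> 0 if a nat rule rewriting NET to IF's address exists
has_nat() {
    printf '%s\n' "$1" | grep -Eq \
        "^nat[[:space:]]+on[[:space:]]+$3[[:space:]].*from[[:space:]]+$2[[:space:]].*->[[:space:]]+$3([[:space:]]|$)"
}

# has_pass RULES in|out IF -> 0 if a pass rule for that direction on IF exists
has_pass() {
    printf '%s\n' "$1" | grep -Eq "^pass[[:space:]]+$2[[:space:]]+on[[:space:]]+$3([[:space:]]|$)"
}

# diagnose RULES SYSCTL_LINE -> prints what is missing; returns the count
diagnose() {
    rules="$1"; fwd="$2"; missing=0
    forwarding_enabled "$fwd" || {
        echo "forwarding off: set gateway_enable=\"YES\" in rc.conf (sysctl net.inet.ip.forwarding=1)"
        missing=$((missing + 1)); }
    has_nat "$rules" "$VPN_NET" "$EXT_IF" || {
        echo "no nat: 'nat on $EXT_IF inet from $VPN_NET to any -> $EXT_IF'"
        echo "  (without it packets leave with a 10.8.0.x source and replies never come back)"
        missing=$((missing + 1)); }
    has_pass "$rules" in "$TUN_IF" || {
        echo "no 'pass in on $TUN_IF' rule (needed if the ruleset blocks by default)"
        missing=$((missing + 1)); }
    has_pass "$rules" out "$TUN_IF" || {
        echo "no 'pass out on $TUN_IF' rule (needed if the ruleset blocks by default)"
        missing=$((missing + 1)); }
    return "$missing"
}

# Stand-alone demo with a constructed sysctl line; on a live server use
#   diagnose "$(cat /etc/pf.conf)" "$(sysctl net.inet.ip.forwarding)"
if diagnose "$PF_RULES" "net.inet.ip.forwarding: 1"; then
    echo "forwarding, nat and tunnel pass rules all present"
fi
```

After editing pf.conf, `pfctl -nf /etc/pf.conf` parses the file without loading it and `pfctl -s nat` shows the translation rules actually in effect, which is the quickest way to confirm the `nat` line survived the reload.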
 