
Solved: OpenVPN packets are going only in one direction.

bryn1u

Well-Known Member

Thanks: 9
Messages: 323

#1
hey,

I think I read the whole internet to solve my problem, but I can't understand what is going on.
I have configured OpenVPN like others. I can connect from my laptop to the server, but I can't go further. I can't do anything more, for example view a website.
My connection from the laptop client looks good:
Code:
....
Sun Feb 18 00:35:58 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Sun Feb 18 00:35:58 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Feb 18 00:35:58 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sun Feb 18 00:35:58 2018 ROUTE_GATEWAY 192.168.8.1/255.255.255.0 IFACE=wlan0 HWADDR=a4:34:d9:46:c0:44
Sun Feb 18 00:35:58 2018 TUN/TAP device tun0 opened
Sun Feb 18 00:35:58 2018 TUN/TAP TX queue length set to 100
Sun Feb 18 00:35:58 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Feb 18 00:35:58 2018 /sbin/ip link set dev tun0 up mtu 1500
Sun Feb 18 00:35:58 2018 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Sun Feb 18 00:35:58 2018 /sbin/ip route add 91.121.78.120/32 via 192.168.8.1
Sun Feb 18 00:35:58 2018 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Sun Feb 18 00:35:58 2018 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Sun Feb 18 00:35:58 2018 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Sun Feb 18 00:35:58 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Feb 18 00:35:58 2018 Initialization Sequence Completed
I can ping 10.8.0.1
Code:
bryn1u@laptop:~$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=186 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=83.a8 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=155 ms
And that's all. When I'm trying to go to google.pl, the site is freezing and waiting, waiting ....
rc.conf
Code:
gateway_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
tcpdump
Code:
root@BSD:~ # tcpdump -i em0 -n -l port 1194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:30:25.751745 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 64
00:30:25.851860 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:26.091831 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:26.871860 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:27.131810 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:28.898794 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:29.151858 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:29.691867 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:31.530315 IP 46.215.82.205.35467 > 91.121.78.120.1194: UDP, length 54
00:30:32.131735 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 76
00:30:33.011802 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:33.251820 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:33.271735 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:34.271837 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:34.811817 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:34.818691 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:35.896143 IP 91.121.78.120.1194 > 46.215.82.205.32848: UDP, length 37 - 1)
00:30:36.211897 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 64
00:30:36.291780 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:40.431782 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:41.211750 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:41.471936 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:44.711958 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:44.971849 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:45.711854 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:45.711971 IP 91.121.78.120.1194 > 46.215.82.205.32848: UDP, length 37 - 2)
00:30:45.731934 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
00:30:45.971966 IP 46.215.82.205.32848 > 91.121.78.120.1194: UDP, length 84
It looks like packets are going only in one direction, except those 2 (hurrah!).
I used some ipfw nat rules similar to these and it worked for a while:
It's only an example.
Code:
ipfw nat 1 config if epair0b
ipfw add nat 1 all from 10.8.0.0/24 to any out via epair0b
ipfw add nat 1 all from any to any in via epair0b
I turned firewall, I was trying many configurations with pf/nat but it doesn't work :(
Can someone tell me what is going on with this? Why can't I use normal routing? What am I doing wrong?
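The tcpdump output above shows the symptom that gives this thread its title: a steady stream of client datagrams to UDP 1194 and almost nothing back. The following script is an added example, not code from the thread or from OpenVPN; it parses tcpdump's default one-line UDP format and flags flows on the VPN port whose reply count is far below the request count. The capture it works on is a constructed sample in documentation address ranges (203.0.113.5 as the client, 198.51.100.20 as the server), modelled on the post's capture, and the thresholds in `one_way_flows` are assumptions, not tcpdump or OpenVPN parameters.

```python
"""Spot one-directional UDP flows in tcpdump output (added example).

When a VPN server receives client datagrams but sends almost nothing back,
the tunnel itself may be up (the client can ping the server's tun address)
while forwarding or NAT for the tunnel subnet is missing. This counts
packets per direction for every UDP flow and reports the lopsided ones.
"""
import re
from collections import Counter

# Constructed sample in tcpdump's default format. Documentation addresses,
# not the thread's real hosts: 203.0.113.5 is the client, 198.51.100.20 the server.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
00:30:25.751745 IP 203.0.113.5.32848 > 198.51.100.20.1194: UDP, length 64
00:30:25.851860 IP 203.0.113.5.32848 > 198.51.100.20.1194: UDP, length 84
00:30:26.091831 IP 203.0.113.5.32848 > 198.51.100.20.1194: UDP, length 84
00:30:26.871860 IP 203.0.113.5.32848 > 198.51.100.20.1194: UDP, length 84
00:30:27.131810 IP 203.0.113.5.32848 > 198.51.100.20.1194: UDP, length 84
00:30:28.898794 IP 203.0.113.5.32848 > 198.51.100.20.1194: UDP, length 84
00:30:31.530315 IP 203.0.113.5.35467 > 198.51.100.20.1194: UDP, length 54
00:30:35.896143 IP 198.51.100.20.1194 > 203.0.113.5.32848: UDP, length 37
00:30:36.211897 IP 203.0.113.5.32848 > 198.51.100.20.1194: UDP, length 64
00:30:36.291780 IP 203.0.113.5.32848 > 198.51.100.20.1194: UDP, length 84
00:30:40.431782 IP 203.0.113.5.40000 > 198.51.100.20.53: UDP, length 40
00:30:40.431900 IP 198.51.100.20.53 > 203.0.113.5.40000: UDP, length 120
"""

# tcpdump -n prints "src.sport > dst.dport: UDP, length N" for IPv4 UDP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)"
)


def parse_packets(text):
    """Yield (src, sport, dst, dport, length) per UDP line; skip banners and non-UDP lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # "listening on ...", TCP/ICMP lines, truncated lines
        yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["length"]))


def count_directions(text):
    """Count packets per (source endpoint, destination endpoint) pair.

    Endpoints are (ip, port) tuples, so the reverse direction of a flow is
    simply the key with the two endpoints swapped.
    """
    counts = Counter()
    for src, sport, dst, dport, _length in parse_packets(text):
        counts[((src, sport), (dst, dport))] += 1
    return counts


def one_way_flows(text, port=1194, min_packets=3, max_reply_ratio=0.25):
    """Return flows addressed to `port` whose replies are missing or rare.

    A flow is reported when the server sent at most max_reply_ratio times as
    many packets as it received. Flows with fewer than min_packets in total
    are ignored: one lost datagram is not a pattern. Both thresholds are
    assumptions chosen for this example.
    """
    counts = count_directions(text)
    suspects = []
    for (src, dst), to_server in counts.items():
        if dst[1] != port:
            continue  # only packets addressed to the service port define a flow here
        from_server = counts.get((dst, src), 0)
        if to_server + from_server < min_packets:
            continue
        if from_server <= to_server * max_reply_ratio:
            suspects.append({
                "client": f"{src[0]}:{src[1]}",
                "server": f"{dst[0]}:{dst[1]}",
                "to_server": to_server,
                "from_server": from_server,
            })
    return suspects


if __name__ == "__main__":
    for flow in one_way_flows(SAMPLE_CAPTURE):
        print(f"{flow['client']} -> {flow['server']}: "
              f"{flow['to_server']} in, {flow['from_server']} out (one-directional)")
```

Run it against a saved capture with `python3 script.py < capture.txt` after swapping `SAMPLE_CAPTURE` for `sys.stdin.read()`. A flow reported here while the client can still ping the server's tun address points at forwarding or NAT rather than at the TLS handshake, which is exactly what post #4 of this thread ends up fixing.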
 

bryn1u

Well-Known Member

Thanks: 9
Messages: 323

#3
What server, and what configuration do you have there?
I think there is nothing special, but: FreeBSD 11, OpenVPN server:
Code:
port 1194
proto udp

dev tun

ca ca.crt
cert server.crt
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

keepalive 10 120
cipher AES-256-CBC

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log
verb 3
explicit-exit-notify 1
key-direction 0
From the server:
Code:
root@BSD:~ # ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet 10.8.0.1 --> 10.8.0.2  netmask 0xffffffff 
    nd6 options=43<PERFORMNUD,ACCEPT_RTADV,NO_RADR>
    groups: tun 
    Opened by PID 9455
root@BSD:~ #
rc.conf
Code:
# Network configuration (IPv4)
ifconfig_em0="inet 91.121.78.120 netmask 255.255.255.0 broadcast 91.121.78.255"
defaultrouter="91.121.78.254"

# Network configuration (IPv6)
ifconfig_em0_ipv6="inet6 2001:41d0:0001:8378:: prefixlen 64 accept_rtadv no_radr"
ipv6_network_interfaces="em0"
ipv6_default_interface="em0"
ipv6_defaultrouter="2001:41d0:0001:83ff:ff:ff:ff:ff"
ipv6_route_ovhgw="2001:41d0:0001:83ff:ff:ff:ff:ff -prefixlen 128 -interface em0"
ipv6_static_routes="ovhgw"

# Various options
dumpdev="AUTO"
clear_tmp_enable="YES"
accounting_enable="YES"

# Daemons
ntpd_enable="YES"
sshd_enable="YES"
#local_unbound_enable="YES"

hostname="BSD"

# Sendmail
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# TMP_Clear
clear_tmp_enable="YES"

# Jail
jail_enable="YES"

# mac_bsdextended
ugidfw_enable="YES"
bsdextended_script="/etc/bsdextended"

cloned_interfaces="lo1"
ipv4_addrs_lo1="192.168.0.1-3/29"
ipv4_addrs_em0="79.137.56.144/32 79.137.46.236/32 178.32.60.216/32 188.165.137.101/32 213.32.63.103/32"

secadm_enable="YES"

gateway_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
 

bryn1u

Well-Known Member

Thanks: 9
Messages: 323

#4
Never mind.

This resolved the problem.
Code:
nat on em0 inet from 10.8.0.0/24 to any -> em0
pass out on tun0 from any to any
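The fix above supplies the piece that was missing all along: a pf `nat` rule covering the `server 10.8.0.0 255.255.255.0` subnet on the outside interface, alongside `gateway_enable="YES"` in rc.conf so the kernel forwards at all. The script below is an added example, not code from the thread or from FreeBSD; it reads the three files statically and reports which of those two conditions is unmet. The file contents are constructed samples modelled on the thread's configuration, and the check only understands literal networks in `nat` rules, not pf macros or tables.

```python
"""Static check for a routed OpenVPN server on FreeBSD with pf (added example).

Two things must hold for tunnel clients to reach the internet through the
server: IP forwarding must be on (gateway_enable="YES" in rc.conf) and a
pf nat rule on the outside interface must cover the subnet handed out by
the OpenVPN 'server' directive. This script reads the three files and
reports whichever condition is missing.
"""
import ipaddress
import re

# Constructed samples modelled on the thread's files, not the real ones.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
"""
RC_CONF_GOOD = 'gateway_enable="YES"\nopenvpn_enable="YES"\nopenvpn_if="tun"\n'
RC_CONF_BAD = 'openvpn_enable="YES"\nopenvpn_if="tun"\n'   # forwarding never enabled
PF_CONF_GOOD = 'nat on em0 inet from 10.8.0.0/24 to any -> em0\npass out on tun0 from any to any\n'
PF_CONF_BAD = 'nat on em0 inet from 192.168.0.0/24 to any -> em0\n'  # wrong subnet


def vpn_subnet(server_conf):
    """Network from the 'server <addr> <mask>' directive of the OpenVPN config."""
    m = re.search(r"^\s*server\s+(\S+)\s+(\S+)", server_conf, re.M)
    if m is None:
        raise ValueError("no 'server' directive found")
    return ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)


def rc_value(rc_conf, key):
    """Value of key="value" in rc.conf, or None if unset or commented out."""
    m = re.search(rf'^\s*{re.escape(key)}="?([^"\n]*)"?', rc_conf, re.M)
    return m[1] if m else None


def nat_sources(pf_conf):
    """Source networks of every 'nat on <if> ... from <net> ...' rule.

    Only literal networks and 'any' are understood; a macro such as
    $vpn_net cannot be resolved statically and is skipped.
    """
    nets = []
    for m in re.finditer(r"^\s*nat\s+on\s+\S+.*?\bfrom\s+(\S+)", pf_conf, re.M):
        src = m[1]
        if src == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            continue
        try:
            nets.append(ipaddress.ip_network(src, strict=False))
        except ValueError:
            pass  # macro or table name, not a literal network
    return nets


def check(server_conf, rc_conf, pf_conf):
    """Return a list of problems; an empty list means both conditions are met."""
    subnet = vpn_subnet(server_conf)
    problems = []
    if rc_value(rc_conf, "gateway_enable") != "YES":
        problems.append('gateway_enable is not "YES": the kernel will not forward tun traffic')
    if not any(subnet.subnet_of(n) for n in nat_sources(pf_conf)):
        problems.append(f"no nat rule covers {subnet}: replies cannot return to clients")
    return problems


if __name__ == "__main__":
    for name, rc, pf in (("good", RC_CONF_GOOD, PF_CONF_GOOD), ("bad", RC_CONF_BAD, PF_CONF_BAD)):
        print(name, check(SERVER_CONF, rc, pf) or ["ok"])
```

To run it on a live host, replace the three constants with the contents of `/usr/local/etc/openvpn/server.conf`, `/etc/rc.conf` and `/etc/pf.conf`. The check does not confirm that pf is enabled and the rule set loaded (`pfctl -s nat` shows that), nor that the `pass` rules let the forwarded traffic through; it only catches the two omissions that produce the one-directional capture in post #1.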
 