OpenVPN connection established but not working


Hi guys

I’m running yunohost on an OVH VPS, Debian 8. I can connect from both my Win 7 workstation and my home Ubuntu PC, but once connected, nothing.
I feel like there’s a problem with DNS but can’t be 100% sure. Here is some more info.

OpenVPN server is running, here’s the status / ps

root@garrigue:~# service openvpn status
● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled)
   Active: active (exited) since mer. 2015-09-09 12:19:01 CEST; 4 days ago
 Main PID: 21291 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/openvpn.service

sept. 09 12:19:01 garrigue.re systemd[1]: Started OpenVPN service.
root@garrigue:~# ps -ef | grep openvpn
root     14960 14948  0 21:28 pts/1    00:00:00 grep openvpn
openvpn  21310     1  0 sept.09 ?      00:01:18 /usr/sbin/openvpn --daemon ovpn-yunohost --status /run/openvpn/yunohost.status 10 --cd /etc/openvpn --config /etc/openvpn/yunohost.conf

And here is the config

root@garrigue:~# cat /etc/openvpn/yunohost.conf
port 1194
dev tun
proto udp
ca   /etc/yunohost/certs/garrigue.re/ca.pem
cert /etc/yunohost/certs/garrigue.re/crt.pem
key  /etc/yunohost/certs/garrigue.re/key.pem
dh   /etc/yunohost/certs/garrigue.re/dh.pem
server 10.8.0.0 255.255.255.0
route 10.8.0.0 255.255.255.0
keepalive 10 60
inactive 600
user openvpn
group openvpn
persist-tun
persist-key
verb 5
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
client-cert-not-required
status /var/log/openvpn.log
comp-lzo
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"

Once the VPN is connected, from my Ubuntu machine, here’s the tunnel ifconfig

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet adr:10.8.0.14  P-t-P:10.8.0.13  Masque:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          Packets reçus:0 erreurs:0 :0 overruns:0 frame:0
          TX packets:408 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 lg file transmission:100 
          Octets reçus:0 (0.0 B) Octets transmis:48476 (48.4 KB)

I’m not familiar with VPNs. Is 0 bytes downloaded right? Is the 255.255.255.255 mask OK? Here is a dig

remy@remy:~$ dig

; <<>> DiG 9.9.5-9ubuntu0.3-Ubuntu <<>>
;; global options: +cmd
;; connection timed out; no servers could be reached

Of course, as soon as I disconnect the VPN, from my Ubuntu machine dig lists the usual a to m.root-servers.net. Here is another one from the server; everything seems OK

root@garrigue:/etc/dnsmasq.d# dig

; <<>> DiG 9.9.5-9+deb8u3-Debian <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 10878
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                IN    NS

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Sep 13 21:41:26 CEST 2015
;; MSG SIZE  rcvd: 17

I can resolve a random website, like xkcd

root@garrigue:/etc/dnsmasq.d# ping xkcd.com
PING xkcd.com (104.156.81.67) 56(84) bytes of data.
64 bytes from 104.156.81.67: icmp_seq=1 ttl=57 time=4.82 ms

I’m at a loss so far… Can anyone help, or tell me how to investigate this matter further?

After some more searching, two potential problems

  • my OVH VPS has a “venet0” interface instead of eth0 or wlan0. It seems yunohost doesn’t know about this: /etc/yunohost/interface = wlan0
  • plus, my public IP is on an aliased interface, venet0:0. It seems iptables doesn’t understand that; you need to replace -i venet0:0 with -i venet0 -s IP etc. Tried it, doesn’t work.

I’d still be glad for any help on the topic.

In particular, I saw a lot of fail2ban stuff in iptables -L. I know pretty much nothing about it. Could it be a problem, like a yunohost configuration that drops anything outside /etc/yunohost/interface?