OpenVPN problem

Hey,

My YunoHost works like a charm (check it out here: https://1ex.it).
And I wanted to get started with OpenVPN.

So far everything works: the server is running, the client connects, but… the connection can’t get out of my VPS.

As long as I am connected to the VPN, I can use all YunoHost apps, but not access the wider Internet.
So the weird thing is that I can use https://1ex.it/search (my Searx install) and it will find stuff, so it is talking to the rest of the Internet. But any link I click in the search result list will give a “page not found”.

Also, I noticed that my Torrent client on my local PC keeps seeding and downloading, but email and jabber (other ports) do not work… So it seems a port problem at some point.

I just ran:

sudo yunohost app checkport 80
Error: Port 80 is not available

I modified the firewall of my VPS at my hoster, but this doesn’t seem to help…

Anyone any ideas here?

Hello,

Same problem and no solution after one week for me!

Maybe open the modem/box port?

Or a UDP/TCP problem; if I remember, you need to configure it with OpenVPN.

Same problem here. Ports and UDP/TCP on modem, VPS and within the YunoHost install are all set. Still the VPN connection doesn’t get outside the VPN/YunoHost install.

https://granular.is
https://granular.is/searx

Try to run:

 sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o $(sudo cat /etc/yunohost/interface) -j MASQUERADE

It should do the job. The thing is that this iptables command is cancelled at each reboot, I need to fix this in the package…

Did try, but no difference.

Could you maybe also explain what happens here? (and if it failed, how I can undo it?)

Yes sorry, this iptables rule allows the Internet traffic to be routed out of the VPN interface (tun0) when it arrives on the VPN server, through the standard interface of the server (eth0).

If it does not work, try re-installing the app and let me know.

Hey Kload,

Thanks for your help. I reinstalled the app, re-entered your snippet of code in the terminal on my VPS.
Also downloaded new files for my OpenVPN app (Tunnelblick on OS X 10.9.1).

But… to no avail… Same problem persists…
If you have some more ideas that I can test to solve this problem, let me know.

Did you try with another VPN client?

yeah, tried from my phone… no luck…

Other VPN connections also work fine from Tunnelblick.
Also, the connection is not the problem; I can even open all my YunoHost services when connected. But not any other website.

There is currently a known problem with the OpenVPN service launching (since one of the latest OpenVPN releases). I’ll investigate it.

sweet! here’s hoping this will get a fix soon :smile:

I no longer have the problem with the current version. Please try reinstalling the app : )

Hi, just installed the app on OS X 10.10 with Tunnelblick 3.5.2 and still no connection.

It finally works! I reinstalled OpenVPN without result.

Manually adding push "redirect-gateway" to the yunohost.conf file did the trick.

Here it also works now. Did not have to add anything. Reinstall was enough to make it work.
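The two server-side fixes reported in this thread, the MASQUERADE rule for 10.8.0.0/24 and the pushed redirect-gateway directive, can be checked from `iptables-save` output and the server config text. The script below is an added example, not part of any post or of the YunoHost package; the function names, the sample data and the extra `ip_forward` check are assumptions.

```shell
# Added example: offline checks for the server-side settings named in this thread.
# All sample data is constructed; the ip_forward check is an added assumption.
VPN_NET="10.8.0.0/24"   # subnet used in the iptables command above

# has_masquerade <iptables-save text> <subnet>: succeeds if the nat table
# holds a POSTROUTING rule that MASQUERADEs traffic sourced from the subnet.
has_masquerade() {
  printf '%s\n' "$1" | awk -v net="$2" '
    /^\*/ { table = $1 }                      # section header: *nat, *filter, ...
    table == "*nat" && $1 == "-A" && $2 == "POSTROUTING" {
      src = ""; jump = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "-j") jump = $(i + 1)
      }
      if (src == net && jump == "MASQUERADE") found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# pushes_redirect_gateway <server config text>: succeeds if an uncommented
# push "redirect-gateway ..." directive is present.
pushes_redirect_gateway() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway([[:space:]][^"]*)?"'
}

# egress_report <ip_forward> <iptables-save text> <config text>: prints gaps or "ok".
egress_report() (
  out=""
  [ "$1" = "1" ] || out="${out}ip_forward-disabled "
  has_masquerade "$2" "$VPN_NET" || out="${out}no-masquerade "
  pushes_redirect_gateway "$3" || out="${out}no-redirect-gateway "
  out="${out% }"
  printf '%s\n' "${out:-ok}"
)

# Constructed samples: a host right after reboot (rule lost) and a fixed one.
RULES_AFTER_REBOOT='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'
RULES_FIXED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT'
CONF_FIXED='dev tun
push "redirect-gateway def1"'
egress_report 0 "$RULES_AFTER_REBOOT" "dev tun"
egress_report 1 "$RULES_FIXED" "$CONF_FIXED"
```

On a live server the three arguments would come from `cat /proc/sys/net/ipv4/ip_forward`, `sudo iptables-save -t nat` and the contents of the OpenVPN server config file.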

Next step; make it work with my Open VPN client on iOS…

On my side (Debian 7 from OVH), OpenVPN still refuses to run. I cannot start the daemon.

/dev/net/tun exists.

I cannot give more info as the logs for openvpn are completely empty. I have no idea where to look.

It is related to an incompatibility between certain kernel versions and openvpn:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767836

Downgrading kernel should do the work…

Has there been any progress on this?
I don’t know how to downgrade a kernel, and am hoping this will get fixed eventually…

Hey, I seem to be the lucky one then. After updating and upgrading Debian, YunoHost and reinstalling the OpenVPN app I only had the same routing problems the first try. I used ‘sanitised’ configuration files and applied a route-delay of 5 seconds (changed existing entry ‘route-delay’ to ‘route-delay 5’). But I don’t think that makes any difference actually.

Full diagnostic info for a better understanding about my configuration:

*Tunnelblick: OS X 10.5.8; Tunnelblick 3.5beta08 (build 4236); Standard user

Configuration granular.is

“Sanitized” condensed configuration file for /Users/floris/Library/Application Support/Tunnelblick/Configurations/granular.is.tblk:

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
remote granular.is 1194
route-delay 5
reneg-sec 0
auth-user-pass

[Security-related line(s) omitted]

================================================================================

“Sanitized” full configuration file

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
remote granular.is 1194
route-delay 5
reneg-sec 0
auth-user-pass

[Security-related line(s) omitted]

================================================================================

There are no unusual files in granular.is.tblk

================================================================================

Configuration preferences:

useDNS = 3
-routeAllTrafficThroughVpn = 1
-runMtuTest = 0
-keychainHasUsernameAndPassword = 1
-loadTun =
-lastConnectionSucceeded = 1

================================================================================

Wildcard preferences:

================================================================================

Program preferences:

launchAtNextLogin = 1
notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0
askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1
tunnelblickVersionHistory = (
“3.5beta08 (build 4236)”
)
lastLaunchTime = 449349666.563489
connectionWindowDisplayCriteria = showWhenConnecting
maxLogDisplaySize = 102400
lastConnectedDisplayName = granular.is
keyboardShortcutIndex = 1
updateCheckAutomatically = 1
updateSendProfileInfo = 1
NSWindow Frame ConnectingWindow = 434 374 412 297 0 0 1280 778
detailsWindowFrameVersion = 4236
detailsWindowFrame = {{864, 298}, {920, 468}}
detailsWindowLeftFrame = {{0, 0}, {165, 350}}
leftNavSelectedDisplayName = granular.is
haveDealtWithSparkle1dot5b6 = 1
haveDealtWithOldTunTapPreferences = 1
haveDealtWithOldLoginItem = 1
SUEnableAutomaticChecks = 1
SUFeedURL = https://www.tunnelblick.net/appcast-b.rss
SUScheduledCheckInterval = 86400
SUSendProfileInfo = 1
SULastCheckTime = 2015-03-29 21:20:40 +0200
SUHasLaunchedBefore = 1
WebKitDefaultFontSize = 16
WebKitStandardFont = Times

================================================================================

Tunnelblick Log:

2015-03-30 00:13:17 OpenVPN 2.3.6 i386-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 19 2015
2015-03-30 00:13:17 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
2015-03-30 00:13:17 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1338
2015-03-30 00:13:17 Need hold release from management interface, waiting…
2015-03-30 00:13:17 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1338
2015-03-30 00:13:17 *Tunnelblick: openvpnstart starting OpenVPN
2015-03-30 00:13:17 *Tunnelblick: Established communication with OpenVPN
2015-03-30 00:13:17 MANAGEMENT: CMD 'pid’
2015-03-30 00:13:17 MANAGEMENT: CMD 'state on’
2015-03-30 00:13:17 MANAGEMENT: CMD 'state’
2015-03-30 00:13:17 MANAGEMENT: CMD 'bytecount 1’
2015-03-30 00:13:17 MANAGEMENT: CMD 'hold release’
2015-03-30 00:13:17 *Tunnelblick: Obtained VPN username and password from the Keychain
2015-03-30 00:13:17 MANAGEMENT: CMD 'username “Auth” “zachtbaardige”'
2015-03-30 00:13:17 MANAGEMENT: CMD 'password […]'
2015-03-30 00:13:17 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2015-03-30 00:13:17 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2015-03-30 00:13:17 Socket Buffers: R=[42080->65536] S=[9216->65536]
2015-03-30 00:13:17 MANAGEMENT: >STATE:1427667197,RESOLVE,
2015-03-30 00:13:17 UDPv4 link local: [undef]
2015-03-30 00:13:17 UDPv4 link remote: [AF_INET]213.108.108.24:1194
2015-03-30 00:13:17 MANAGEMENT: >STATE:1427667197,WAIT,
2015-03-30 00:13:18 MANAGEMENT: >STATE:1427667198,AUTH,
2015-03-30 00:13:18 TLS: Initial packet from [AF_INET]213.108.108.24:1194, sid=1b7ca473 290a291f
2015-03-30 00:13:18 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
2015-03-30 00:13:18 VERIFY OK: depth=1, CN=granular.is
2015-03-30 00:13:18 VERIFY OK: depth=0, CN=granular.is
2015-03-30 00:13:18 Data Channel Encrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
2015-03-30 00:13:18 Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2015-03-30 00:13:18 Data Channel Decrypt: Cipher ‘BF-CBC’ initialized with 128 bit key
2015-03-30 00:13:18 Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
2015-03-30 00:13:18 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
2015-03-30 00:13:18 [granular.is] Peer Connection Initiated with [AF_INET]213.108.108.24:1194
2015-03-30 00:13:19 MANAGEMENT: >STATE:1427667199,GET_CONFIG,
2015-03-30 00:13:20 SENT CONTROL [granular.is]: ‘PUSH_REQUEST’ (status=1)
2015-03-30 00:13:20 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.34 10.8.0.33’
2015-03-30 00:13:20 OPTIONS IMPORT: timers and/or timeouts modified
2015-03-30 00:13:20 OPTIONS IMPORT: --ifconfig/up options modified
2015-03-30 00:13:20 OPTIONS IMPORT: route options modified
2015-03-30 00:13:20 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2015-03-30 00:13:20 Opening utun (ioctl(CTLIOCGINFO)): No such file or directory
2015-03-30 00:13:20 Failed to open utun device. Falling back to /dev/tun device
2015-03-30 00:13:20 TUN/TAP device /dev/tun0 opened
2015-03-30 00:13:20 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
2015-03-30 00:13:20 MANAGEMENT: >STATE:1427667200,ASSIGN_IP,10.8.0.34,
2015-03-30 00:13:20 /sbin/ifconfig tun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can’t assign requested address
2015-03-30 00:13:20 NOTE: Tried to delete pre-existing tun/tap instance – No Problem if failure
2015-03-30 00:13:20 /sbin/ifconfig tun0 10.8.0.34 10.8.0.33 mtu 1500 netmask 255.255.255.255 up
2015-03-30 00:13:20 /Applications/Tunnelblick.app/Contents/Resources/client.2.up.tunnelblick.sh -d -f -w -ptADGNWradsgnw tun0 1500 1542 10.8.0.34 10.8.0.33 init
2015-03-30 00:13:25 /sbin/route add -net 213.108.108.24 192.168.1.1 255.255.255.255
add net 213.108.108.24: gateway 192.168.1.1
2015-03-30 00:13:25 /sbin/route add -net 0.0.0.0 10.8.0.33 128.0.0.0
add net 0.0.0.0: gateway 10.8.0.33
2015-03-30 00:13:25 /sbin/route add -net 128.0.0.0 10.8.0.33 128.0.0.0
add net 128.0.0.0: gateway 10.8.0.33
2015-03-30 00:13:25 MANAGEMENT: >STATE:1427667205,ADD_ROUTES,
2015-03-30 00:13:25 /sbin/route add -net 10.8.0.1 10.8.0.33 255.255.255.255
add net 10.8.0.1: gateway 10.8.0.33
2015-03-30 00:13:25 Initialization Sequence Completed
2015-03-30 00:13:25 MANAGEMENT: >STATE:1427667205,CONNECTED,SUCCESS,10.8.0.34,213.108.108.24
2015-03-30 00:13:26 *Tunnelblick: No ‘connected.sh’ script to execute
2015-03-30 00:13:50 *Tunnelblick: This computer’s apparent public IP address changed from 82.173.136.122 before connection to 213.108.108.24 after connection

and? does it still work? :wink: