Showing results for tags 'openvpn'.

  1. ukdude13

    VPN to Tor

    Hi, I haven't posted in a while, but I've always found the people on this forum to be very helpful and supportive. I have an OpenVPN server which also has Tor installed. I am wondering, just for curiosity purposes, is there any way to route all the traffic coming to the server through the VPN over Tor, so it would look like this: Client ---> OpenVPN Server -----> Tor ------> internet. I assume this is possible but I'm only just learning about IP routes, so I was looking for a bit of guidance. If anyone could help, that would be great. I've found a few similar things on other forums but I'm not sure they are achieving exactly what I want, and I don't understand the routing commands enough to change them to suit my needs. Many Thanks David
  2. Hello all, first post here on the forums... I am having an issue with my ufw rules on routing vpn traffic to/from my LAN. I followed the “OpenVPN from scratch” and changed the server.conf to allow LAN resource sharing over my tun0 connection. I included what I added in the server.conf file. If I disable the ufw service, I can successfully share my resources over my vpn connection. My issue is that I lack the true ufw-fu... I have looked into the wild and found some iptables rules that look solid, but I do not yet have the experience to translate them into a usable ufw format... I want to learn and know this is platform.

    ———————MyConfigs———————

        nano server.conf
        dh2048.pem
        dev tun
        topology subnet
        10.8.0.0 255.255.255.0
        redirect-gateway
        DNS (change DNS addresses to google) 8.8.8.8 8.8.4.4
        nobody (user and group)
        push "route 192.168.1.0 255.255.255.0"
        save

        nano /etc/sysctl.conf
        uncomment net.ipv4.ip_forward
        save

        ufw allow 1194/udp

        nano /etc/default/ufw
        change DEFAULT_FORWARD_POLICY="ACCEPT"
        save

        nano /etc/ufw/before.rules
        add the following toward the top:
        *nat
        :POSTROUTING ACCEPT [0.0]
        -A POSTROUTING -s 10.8.0.0/8 -o ens33 -j MASQUERADE
        COMMIT
        save

        ufw status
        ufw enable
        y
        ufw status

    https://m.youtube.com/watch?v=XcsQdtsCS1U&autoplay=1

    ———————MyConfigs———————

    ———————FromTheWild———————

        # Allow traffic initiated from VPN to access LAN
        iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
        # Allow traffic initiated from VPN to access "the world"
        iptables -I FORWARD -i tun0 -o eth1 -s 10.8.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
        # Allow traffic initiated from LAN to access "the world"
        iptables -I FORWARD -i eth0 -o eth1 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
        # Allow established traffic to pass back and forth
        iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        # Notice that -I is used, so when listing it (iptables -vxnL) it
        # will be reversed. This is intentional in this demonstration.
        # Masquerade traffic from VPN to "the world" -- done in the nat table
        iptables -t nat -I POSTROUTING -o eth1 -s 10.8.0.0/24 -j MASQUERADE
        # Masquerade traffic from LAN to "the world"
        iptables -t nat -I POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE

    https://community.openvpn.net/openvpn/wiki/BridgingAndRouting

    ———————FromTheWild———————
  3. So, I'm trying to configure an OpenVPN server to bridge two client connections together. The server is running on a Raspberry Pi 3, and one client, a "drop box", is on a Raspberry Pi 0. The second client is my Ubuntu laptop. Both Pis are running Raspbian Lite, so no GUI interface. I'm pretty comfortable with the command line, but I'm quite stuck here, and after researching for a while, I figured I'd ask for some help. I'm installing OpenVPN through the quick, vanilla install method. By which, I'm using `wget https://git.io/vpn -O openvpn.sh && bash openvpn.sh`. It gets the script from that address, and executes it, setting it up as a server. I got that far. Where I'm confused is the configuration for the server. The OpenVPN site says to use the GUI web interface, but I only have command line tools, to save on system resources. Every time I try to run `openvpn --config /etc/openvpn/client.ovpn` on my Pi Zero client to connect to the VPN, I get the following error message:

        Sat Jan 27 21:00:14 2018 [server] Peer Connection Initiated with [AF_INET]192.168.1.41:1194
        Sat Jan 27 21:00:16 2018 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
        Sat Jan 27 21:00:16 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.1.1,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0'
        Sat Jan 27 21:00:16 2018 OPTIONS IMPORT: timers and/or timeouts modified
        Sat Jan 27 21:00:16 2018 OPTIONS IMPORT: --ifconfig/up options modified
        Sat Jan 27 21:00:16 2018 OPTIONS IMPORT: route options modified
        Sat Jan 27 21:00:16 2018 OPTIONS IMPORT: route-related options modified
        Sat Jan 27 21:00:16 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
        Sat Jan 27 21:00:16 2018 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=00:e0:4c:53:44:58
        Sat Jan 27 21:00:16 2018 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
        Sat Jan 27 21:00:16 2018 Exiting due to fatal error

    To be clear, in case it wasn't already, I want to use the Pi Zero as a 'drop box' type of device. Its purpose is to be 'dropped' on a network, and tunnel out to the VPN server. I tunnel into the VPN server using my laptop, and the packets sent from my laptop flow to the Pi Zero, letting me into the internal network the Pi is connected to. I'm trying to use the terminal-only client because Darren said it's better, and I don't exactly have a lot of hardware to work with. The more resources I can save, the better. I'm only asking on here because the only resources I could find out there wanted the GUI, and I don't have one of those. Hak5 uses the install method I used in the second video I linked, but doesn't explain any of how it works, or how to configure it if you're not using a Packet Squirrel. I got the idea from a few Hak5 videos, which I will link below. Is there a configuration file I'm missing? If so, what do I have to change? This seems to be a pretty popular method of installing OpenVPN, so I'm rather surprised there isn't documentation for the command line only version. Thanks for reading all of this mess, and I appreciate any and all responses.

    Packet Squirrel Remote Access and OpenVPN Client Tunneling! - Hak5 2308
    Access Internal Networks with Reverse VPN connections - Hak5 1921
  4. Hi Guys and Gals, I've recently set up an OpenVPN on my home server running Ubuntu Server. I have managed to set it up to a point where I can connect to it via my laptop and phone whilst on and off the network, HOWEVER I have no internet coming through !!! Any ideas or help would be great. Thanks
  5. I am maybe a little crazy but I am trying to forward network traffic from two different SSIDs to two different VPS running OpenVPN. Why? Because I have two VPS and I would like to be able to browse the Internet from all my devices just by selecting a WiFi network. Sorry for this dirty hack; the Pineapple is a cool offensive device that I love to use, but I am trying to configure it as something like a smart defensive device :) Well, my setup is working well with only one wifi / tun interface. It seems impossible to make it work with the two VPNs at the same time (openvpn client). I don't understand why :/ I think it's not a very complicated setup. I hope somebody could help me here since you're network experts. I think it's a routing issue but I am not sure. So my question is the following:

    - How can I correctly forward the network traffic from my two wifi subnets to each tun / vpn interface at the same time?

    Can anyone help me to fix this please? Below are a few details about my setup.

    To simplify this, my setup looks like:

        eth0 (internet link) <===== tun0 <==== wifi-A
        eth0 (internet link) <===== tun1 <==== wifi-B

    Note the following statements:

        1. My openwrt device gets the Internet link with the eth0 interface using DHCP
        2. I created a bridge on my wlan0 interface to be able to broadcast two SSIDs: (wifi-a & wifi-b)
        3. On wifi-a: a DHCP server is running, pool 172.17.42.100-200, gw 172.18.42.1
        4. On wifi-b: a DHCP server is running, pool 172.18.42.100-200, gw 172.18.42.1
        5. I have two VPS where I installed openvpn: PublicIP-1 & PublicIP-2
        6. I run on my device two openvpn clients, to public-IP-1 (tun0) and to public-IP-2 (tun1)
        7. Finally I NATed the wifi-a subnet to tun0 and the wifi-b subnet to tun1 with the following iptables rules:

        iptables -t nat -A POSTROUTING -s 172.17.42.0/24 -o tun0 -j MASQUERADE
        iptables -A FORWARD -s 172.17.42.0/24 -o tun0 -j ACCEPT
        iptables -A FORWARD -d 172.17.42.0/24 -m state --state ESTABLISHED,RELATED -i tun0 -j ACCEPT
        iptables -t nat -A POSTROUTING -s 172.18.42.0/24 -o tun1 -j MASQUERADE
        iptables -A FORWARD -s 172.18.42.0/24 -o tun1 -j ACCEPT
        iptables -A FORWARD -d 172.18.42.0/24 -m state --state ESTABLISHED,RELATED -i tun1 -j ACCEPT

    Below my interface details:

        eth0       inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
        br-wifi-a  inet addr:172.17.42.1   Bcast:172.17.42.255  Mask:255.255.255.0
        br-wifi-b  inet addr:172.18.42.1   Bcast:172.18.42.255  Mask:255.255.255.0
        tun0       inet addr:10.8.0.6      P-t-P:10.8.0.5       Mask:255.255.255.255
        tun1       inet addr:10.9.0.6      P-t-P:10.9.0.5       Mask:255.255.255.255

    My route table:

        Destination       Gateway      Genmask          Flags Metric Ref Use Iface
        default           192.168.0.1  0.0.0.0          UG    0      0   0   eth0
        10.8.0.1          10.8.0.5     255.255.255.255  UGH   0      0   0   tun0
        10.8.0.5          *            255.255.255.255  UH    0      0   0   tun0
        10.9.0.1          10.9.0.5     255.255.255.255  UGH   0      0   0   tun1
        10.9.0.5          *            255.255.255.255  UH    0      0   0   tun1
        [PublicIP-VPS-1]  192.168.0.1  255.255.255.255  UGH   0      0   0   eth0
        [PublicIP-VPS-2]  192.168.0.1  255.255.255.255  UGH   0      0   0   eth0
        172.17.42.0       *            255.255.255.0    U     0      0   0   br-wifiA
        172.17.42.0       *            255.255.255.0    U     0      0   0   br-wifiB
        172.22.42.0       *            255.255.255.0    U     0      0   0   br-lan
        192.168.0.0       *            255.255.255.0    U     0      0   0   eth0

    **Quick debug :**

        ping google.com -I tun1
        PING google.fr (108.177.119.94): 56 data bytes
        64 bytes from 108.177.119.94: seq=0 ttl=43 time=29.665 ms

        ping google.com -I tun0
        PING google.fr (108.177.119.94): 56 data bytes
        64 bytes from 108.177.119.94: seq=0 ttl=43 time=30.277 ms

        ping google.com -I eth0
        PING google.fr (108.177.119.94): 56 data bytes
        64 bytes from 108.177.119.94: seq=0 ttl=42 time=17.860 ms
        ^C

    Again, I think it's a routing issue but I am maybe too tired to see my mistake. Can you help me to debug this? Thanks for your help guys,
  6. So I have been working on this Server/VPN project for about a month now and I'm super happy I finally have everything together, set up and boxed up. A quick rundown on what is in there and what I have done. The top black box is clearly just my router and the bottom housing is an electronic project box I picked up from my local electronics store (Jaycar). The actual internals consist of 3 Raspberry Pi 3's, a TP 5 port switch which I removed the housing from as the board by itself takes up significantly less room, a 70 watt powered USB hub to power the Pis, 3 micro USB power cables, 3 Cat 5e Ethernet cables, and a 2TB external hard drive. The standalone Raspberry Pi with the 2TB external drive is a self-contained, fully functional OwnCloud server, port forwarded for external access, which I have found myself using on a daily basis. The other 2 that are stacked are VPN related. The bottom Pi is my own OpenVPN household server, which is port forwarded for external access, and it is what I actually connect all of my devices to. The top Pi is my NordVPN client that I have also set up as a local internet gateway for my local network. So the config currently works and is set up as follows. My OwnCloud server stands alone with internal Pi encryption, https, and encrypted storage. The OpenVPN local server runs all of its encrypted traffic through the NordVPN Pi gateway, then through to my router, while still encrypted out to the NordVPN servers, and then finally decrypted and out to the internet with a change of location and IP address.

        Device --> OpenVPN pi Server --> NordVPN pi Client --> Router --> NordVPN Server --> Internet

    The theory behind this is that now I can create and revoke as many client keys as I want and keep track of all of my devices with my own OpenVPN server, as well as encrypting my traffic while I am away from home without setting up all of my devices with NordVPN (it's almost as simple as drag and drop an ovpn file for most devices using OpenVPN, plus OpenVPN can be set up in many different ways and has loads more configuration options), but then also tunnel them out through the internet while maintaining the encryption (instead of decrypting all of my traffic before it leaves my router), as well as changing my geo-location, hiding my traffic from my ISP and also avoiding the 8 device limit that NordVPN sets. Thoughts? Hope I have sparked some creativity in everyone.
  7. Alright, so I've managed to get OpenVPN to work on the Nano.. I even managed to get it to connect to PIA. However, the moment the connection establishes I lose the internet. I'm pretty sure this is a routing issue. But I'm unsure of what I need to add to the config file to fix the issue upon connecting. This is the result of the IP config table after it establishes a connection.

        Destination    Gateway      Genmask          Flags Metric Ref Use Iface
        default        10.24.10.5   128.0.0.0        UG    0      0   0   tun0
        default        192.168.2.5  0.0.0.0          UG    0      0   0   wlan1
        10.24.10.1     10.24.10.5   255.255.255.255  UGH   0      0   0   tun0
        10.24.10.5     *            255.255.255.255  UH    0      0   0   tun0
        128.0.0.0      10.24.10.5   128.0.0.0        UG    0      0   0   tun0
        162.216.46.86  192.168.2.5  255.255.255.255  UGH   0      0   0   wlan1
        172.16.42.0    *            255.255.255.0    U     0      0   0   br-lan
        192.168.2.0    *            255.255.255.0    U     0      0   0   wlan1
        192.168.2.5    *            255.255.255.255  UH    0      0   0   wlan1

    I would like to connect to the router using Wan1, and then connect to Wan0 with my laptop or other internet devices during traveling and still run my traffic over an encrypted VPN. Any suggestions?
  8. I have configured my openvpn on my turtle lan. The openvpn works fine if I manually start it in the menu or issue a /etc/init.d/openvpn start command. I have set the Bootup Status to Enabled. I reboot the turtlelan and openvpn does not start, viewing the menu it confirms that Bootup Status is Enabled and the Current Status is stopped. If I click on Start the openvpn starts up and works as expected. But I cannot get openvpn to start on bootup even though it is configured to. Side note: If you click on stop after start you get "Command failed: Not found" for an error and the openvpn is still started.
  9. If you click on stop once openvpn is running you get "Command failed: Not found" for an error and the openvpn is still started. I am on v2 and no updates are available as of today.
  10. Hello All, I am considering installing my own VPN server to surf anonymously and change my IP to an American one. This tutorial explains how to set up OpenVPN on a VPS (DO). I am wondering: is OpenVPN necessary, or could I go for an L2TP installation, as it seems to be much easier to install and easier to maintain? Is L2TP really unsafe, as I could read around online? Thanks for your inputs.
  11. Hi All, I own a Raspberry Pi B+ running the latest version of DietPi. I would like to set up my Pi as an OpenVPN server so all my internet traffic at home and from my smartphone will go through the Pi. I have been unsuccessful with the installation using the instructions from the DietPi website. http://dietpi.com/phpbb/viewtopic.php?f=8&t=5&p=613#p613 I have also tried this blog post with no luck. http://ruudabma.com/archives/6 So I was thinking of giving an episode of Hak5 a go, but which episode would do the trick, as OpenVPN has been quite a popular topic on the show? Or if anyone has any other solutions to my problem, that would be greatly appreciated. Cheers
  12. I installed OpenVPN on my Raspberry Pi from scratch and the VPN is working inside my house; I can connect to it from my phone, but I cannot access it from outside my house. What is it that I have to do to be able to access the VPN from outside my house? Is there a file to edit or a setting in my router I have to change? I am kinda lost; any tips on what I should do would be amazing.
  13. So the latest YouTube video (https://www.youtube.com/watch?v=04EmeXSZo_0&t=1156s) on easily setting up OpenVPN on a Raspberry Pi using the StarshipEngineer script is super useful. But I'm wondering if the Raspberry Pi can also be turned into a WiFi Access Point (assuming onboard wifi available, or appropriate wifi dongle connected), thus allowing any devices to connect to the RPi AP and automatically be routed through the VPN for encrypted onward connection to the ISP and public internet. Is this even possible?
  14. I've been excited to see the results for the past few months when they announced an audit. https://www.privateinternetaccess.com/blog/2017/05/openvpn-2-4-evaluation-summary-report/ There's a section on insecure settings which has some good suggestions.
  15. So I really need help. I thought I had everything squared up and ready, but I tried to connect externally this afternoon and found a large hole in my plan (a little cranky). I have everything working great except external access to my OpenVPN server. For more information please read the below link https://forums.hak5.org/index.php?/topi ... vpn-build/ Long story short, I need to access my server from outside the network. The setup is my OpenVPN server on a Raspberry Pi running Raspbian, which is on local IP 10.1.1.101, and I run all of its traffic through another Raspberry Pi configured as a gateway with the IP of 10.1.1.102, then out to the Internet. Everything is working great internally; I just need to know what I have to do to access it externally. The default gateway for the gateway Pi is 10.1.1.1
  16. I recently got a WiFi Pineapple and managed to set up a working OpenVPN connection. My issue is when I go to http://dnsleaktest.com what is shown as my resolver is my default's internet connection when on the VPN connection I use Google's DNS resolvers 8.8.8.8 and 8.8.4.4. With this known I cannot seem to create an up script that will allow me to get the right DNS servers to be shown and used. I know this is not just an OpenVPN/OpenWrt issue, so there must be some way to write a script that will force the use of the passed DNS servers from OpenVPN. I noticed the "issue" is also with my Ubuntu system that I'm using. With the Ubuntu system I know how to fix that issue, but not with the WiFi Pineapple
  17. I have to travel a lot for work, so I am looking for a travel router that will be able to act as an OpenVPN client. I have considered purchasing a WIFI Pineapple nano for this application, but it seems to be a bit of an overkill for what I need. What would you suggest I get?
  18. zkylet

    OpenVPN

    What is the easiest free way to set up OpenVPN with a Raspberry Pi? I want to use it with my Linux VM, MacBook Pro, iPhone, and iPad.
  19. Hi, I am a mark V owner thinking of purchasing a TETRA. If I were to use it as a normal router with an OpenVPN tunnel (i.e. TETRA is the client) what kind of speeds can I expect to get? It seems most routers max out at ~ 20Mb/s. Am I correct in assuming TETRA will not be able to handle a 100Mb/s connection ?
  20. Hey guys! Just followed the Hak5 Episode on making an OpenVPN server from scratch on Linux. I can connect to the VPN as long as I am connected to my own internal network... I thought the whole purpose was to be able to connect from the outside?
  21. I'm trying to put OpenVPN on the pineapple nano using Private internet Access as the VPN service, but I'm having issues getting the ovpn to load properly while following along with Darren's video https://www.hak5.org/frontpage/hak5-2018-how-to-build-an-openvpn-access-point-pt-2. I listed below the script errors that I'm getting and also the text file for the ovpn that I'm trying to load. Here is the text file for the ovpn that I'm trying to load on the nano:

        client
        dev tun
        remote us-east.privateinternetaccess.com 1198 udp
        remote us-east.privateinternetaccess.com 502 tcp
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        setenv CLIENT_CERT 0
        <ca>
        -----BEGIN CERTIFICATE-----
        [certificate data omitted]
        -----END CERTIFICATE-----
        </ca>
        cipher aes-128-cbc
        auth sha1
        tls-client
        remote-cert-tls server
        auth-user-pass
        comp-lzo
        verb 1
        reneg-sec 0
        <crl-verify>
        -----BEGIN X509 CRL-----
        [CRL data omitted]
        -----END X509 CRL-----
        </crl-verify>
  22. On my nano I have set it up to auto connect to my OpenVPN server upon internet connection. I did all this in rc.local. My question is, how do I test that the iptables settings are correct, with all connections going through tun0? My other question is, how do I configure the connection to autoconnect if the connection gets dropped? -M
  23. So here's the skinny - I have two OpenVPN servers now, both in my home. One is running on a Raspberry Pi and the other is an OpenVPN Access Server running on Ubuntu 14.04 (64bit). I am trying to access either of them (we'll concentrate on the OpenVPN Access Server) from my client's office. I can connect just fine when I am not on said client's network. However when on the client's network I see the following:

        sudo openvpn client.ovpn
        [sudo] password for marty331:
        Tue Jul 5 19:05:35 2016 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
        Tue Jul 5 19:05:35 2016 library versions: OpenSSL 1.0.2g-fips 1 Mar 2016, LZO 2.08
        Tue Jul 5 19:05:35 2016 Control Channel Authentication: tls-auth using INLINE static key file
        Tue Jul 5 19:05:35 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Tue Jul 5 19:05:35 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Tue Jul 5 19:05:35 2016 Socket Buffers: R=[212992->200000] S=[212992->200000]
        Tue Jul 5 19:05:35 2016 UDPv4 link local: [undef]
        Tue Jul 5 19:05:35 2016 UDPv4 link remote: [AF_INET]super.secret.ipaddress:1194
        Tue Jul 5 19:05:39 2016 Server poll timeout, restarting
        Tue Jul 5 19:05:39 2016 SIGUSR1[soft,server_poll] received, process restarting
        Tue Jul 5 19:05:39 2016 Control Channel Authentication: tls-auth using INLINE static key file
        Tue Jul 5 19:05:39 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Tue Jul 5 19:05:39 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Tue Jul 5 19:05:39 2016 Socket Buffers: R=[212992->200000] S=[212992->200000]
        Tue Jul 5 19:05:39 2016 UDPv4 link local: [undef]
        Tue Jul 5 19:05:39 2016 UDPv4 link remote: [AF_INET]super.secret.ipaddress:1194
        Tue Jul 5 19:05:43 2016 Server poll timeout, restarting
        Tue Jul 5 19:05:43 2016 SIGUSR1[soft,server_poll] received, process restarting
        Tue Jul 5 19:05:43 2016 Control Channel Authentication: tls-auth using INLINE static key file
        Tue Jul 5 19:05:43 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Tue Jul 5 19:05:43 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Tue Jul 5 19:05:43 2016 Socket Buffers: R=[87380->200000] S=[16384->200000]
        Tue Jul 5 19:05:43 2016 Attempting to establish TCP connection with [AF_INET]super.secret.ipaddress:444 [nonblock]
        Tue Jul 5 19:05:44 2016 TCP connection established with [AF_INET]super.secret.ipaddress:444
        Tue Jul 5 19:05:44 2016 TCPv4_CLIENT link local: [undef]
        Tue Jul 5 19:05:44 2016 TCPv4_CLIENT link remote: [AF_INET]super.secret.ipaddress:444
        Tue Jul 5 19:05:44 2016 TLS: Initial packet from [AF_INET]super.secret.ipaddress:444, sid=aeb6abae 035f030d
        Tue Jul 5 19:05:44 2016 VERIFY OK: depth=1, CN=OpenVPN CA
        Tue Jul 5 19:05:44 2016 VERIFY OK: nsCertType=SERVER
        Tue Jul 5 19:05:44 2016 VERIFY OK: depth=0, CN=OpenVPN Server
        Tue Jul 5 19:05:45 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Tue Jul 5 19:05:45 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Tue Jul 5 19:05:45 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Tue Jul 5 19:05:45 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Tue Jul 5 19:05:45 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
        Tue Jul 5 19:05:45 2016 [OpenVPN Server] Peer Connection Initiated with [AF_INET]super.secret.ipaddress:444
        Tue Jul 5 19:05:47 2016 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
        Tue Jul 5 19:05:47 2016 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,socket-flags TCP_NODELAY,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.27.224.1,dhcp-option DNS 127.0.1.1,register-dns,block-ipv6,ifconfig 172.27.224.7 255.255.252.0'
        Tue Jul 5 19:05:47 2016 Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks
        Tue Jul 5 19:05:47 2016 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.10)
        Tue Jul 5 19:05:47 2016 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.3.10)
        Tue Jul 5 19:05:47 2016 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.3.10)
        Tue Jul 5 19:05:47 2016 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:17: register-dns (2.3.10)
        Tue Jul 5 19:05:47 2016 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:18: block-ipv6 (2.3.10)
        Tue Jul 5 19:05:47 2016 OPTIONS IMPORT: timers and/or timeouts modified
        Tue Jul 5 19:05:47 2016 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
        Tue Jul 5 19:05:47 2016 OPTIONS IMPORT: LZO parms modified
        Tue Jul 5 19:05:47 2016 OPTIONS IMPORT: --socket-flags option modified
        Tue Jul 5 19:05:47 2016 Socket flags: TCP_NODELAY=1 succeeded
        Tue Jul 5 19:05:47 2016 OPTIONS IMPORT: --ifconfig/up options modified
        Tue Jul 5 19:05:47 2016 OPTIONS IMPORT: route options modified
        Tue Jul 5 19:05:47 2016 OPTIONS IMPORT: route-related options modified
        Tue Jul 5 19:05:47 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
        Tue Jul 5 19:05:47 2016 ROUTE_GATEWAY 172.20.1.1/255.255.240.0 IFACE=wlp3s0 HWADDR=th:is:nt:th:ad:dr
        Tue Jul 5 19:05:47 2016 TUN/TAP device tun0 opened
        Tue Jul 5 19:05:47 2016 TUN/TAP TX queue length set to 100
        Tue Jul 5 19:05:47 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
        Tue Jul 5 19:05:47 2016 /sbin/ip link set dev tun0 up mtu 1500
        Tue Jul 5 19:05:47 2016 /sbin/ip addr add dev tun0 172.27.224.7/22 broadcast 172.27.227.255
        Tue Jul 5 19:05:52 2016 ROUTE remote_host is NOT LOCAL
        Tue Jul 5 19:05:52 2016 /sbin/ip route add super.secret.ipaddress/32 via 172.20.1.1
        Tue Jul 5 19:05:52 2016 /sbin/ip route add 0.0.0.0/1 via 172.27.224.1
        Tue Jul 5 19:05:52 2016 /sbin/ip route add 128.0.0.0/1 via 172.27.224.1
        Tue Jul 5 19:05:52 2016 Initialization Sequence Completed
        Wed Jul 6 01:05:44 2016 VERIFY OK: depth=1, CN=OpenVPN CA
        Wed Jul 6 01:05:44 2016 VERIFY OK: nsCertType=SERVER
        Wed Jul 6 01:05:44 2016 VERIFY OK: depth=0, CN=OpenVPN Server
        Wed Jul 6 01:05:45 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Wed Jul 6 01:05:45 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 01:05:45 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
        Wed Jul 6 01:05:45 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 01:05:45 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
        Wed Jul 6 02:05:44 2016 TLS: tls_process: killed expiring key
        ^CWed Jul 6 06:11:30 2016 event_wait : Interrupted system call (code=4)
        Wed Jul 6 06:11:30 2016 /sbin/ip route del super.secret.ipaddress/32
        Wed Jul 6 06:11:30 2016 /sbin/ip route del 0.0.0.0/1
        Wed Jul 6 06:11:30 2016 /sbin/ip route del 128.0.0.0/1
        Wed Jul 6 06:11:30 2016 Closing TUN/TAP interface
        Wed Jul 6 06:11:30 2016 /sbin/ip addr del dev tun0 172.27.224.7/22
        Wed Jul 6 06:11:30 2016 SIGINT[hard,] received, process exiting
        marty331@galago:~/open/pinkie$ sudo openvpn client.ovpn
        [sudo] password for marty331:
        Wed Jul 6 07:00:59 2016 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
        Wed Jul 6 07:00:59 2016 library versions: OpenSSL 1.0.2g-fips 1 Mar 2016, LZO 2.08
        Wed Jul 6 07:00:59 2016 Control Channel Authentication: tls-auth using INLINE static key file
        Wed Jul 6 07:00:59 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 07:00:59 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 07:00:59 2016 Socket Buffers: R=[212992->200000] S=[212992->200000]
        Wed Jul 6 07:00:59 2016 UDPv4 link local: [undef]
        Wed Jul 6 07:00:59 2016 UDPv4 link remote: [AF_INET]super.secret.ipaddress:1194
        Wed Jul 6 07:01:03 2016 Server poll timeout, restarting
        Wed Jul 6 07:01:03 2016 SIGUSR1[soft,server_poll] received, process restarting
        Wed Jul 6 07:01:03 2016 Control Channel Authentication: tls-auth using INLINE static key file
        Wed Jul 6 07:01:03 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 07:01:03 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 07:01:03 2016 Socket Buffers: R=[212992->200000] S=[212992->200000]
        Wed Jul 6 07:01:03 2016 UDPv4 link local: [undef]
        Wed Jul 6 07:01:03 2016 UDPv4 link remote: [AF_INET]super.secret.ipaddress:1194
        Wed Jul 6 07:01:07 2016 Server poll timeout, restarting
        Wed Jul 6 07:01:07 2016 SIGUSR1[soft,server_poll] received, process restarting
        Wed Jul 6 07:01:07 2016 Control Channel Authentication: tls-auth using INLINE static key file
        Wed Jul 6 07:01:07 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 07:01:07 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 07:01:07 2016 Socket Buffers: R=[87380->200000] S=[16384->200000]
        Wed Jul 6 07:01:07 2016 Attempting to establish TCP connection with [AF_INET]super.secret.ipaddress:444 [nonblock]
        Wed Jul 6 07:01:08 2016 TCP connection established with [AF_INET]super.secret.ipaddress:444
        Wed Jul 6 07:01:08 2016 TCPv4_CLIENT link local: [undef]
        Wed Jul 6 07:01:08 2016 TCPv4_CLIENT link remote: [AF_INET]super.secret.ipaddress:444
        Wed Jul 6 07:01:12 2016 Server poll timeout, restarting
        Wed Jul 6 07:01:12 2016 SIGUSR1[soft,server_poll] received, process restarting
        Wed Jul 6 07:01:12 2016 Control Channel Authentication: tls-auth using INLINE static key file
        Wed Jul 6 07:01:12 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 07:01:12 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 07:01:12 2016 Socket Buffers: R=[212992->200000] S=[212992->200000]
        Wed Jul 6 07:01:12 2016 UDPv4 link local: [undef]
        Wed Jul 6 07:01:12 2016 UDPv4 link remote: [AF_INET]super.secret.ipaddress:1194
        Wed Jul 6 07:01:16 2016 Server poll timeout, restarting
        Wed Jul 6 07:01:16 2016 SIGUSR1[soft,server_poll] received, process restarting
        Wed Jul 6 07:01:16 2016 Control Channel Authentication: tls-auth using INLINE static key file
        Wed Jul 6 07:01:16 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 07:01:16 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 07:01:16 2016 Socket Buffers: R=[212992->200000] S=[212992->200000]
        Wed Jul 6 07:01:16 2016 UDPv4 link local: [undef]
        Wed Jul 6 07:01:16 2016 UDPv4 link remote: [AF_INET]super.secret.ipaddress:1194
        Wed Jul 6 07:01:20 2016 Server poll timeout, restarting
        Wed Jul 6 07:01:20 2016 SIGUSR1[soft,server_poll] received, process restarting
        Wed Jul 6 07:01:20 2016 Control Channel Authentication: tls-auth using INLINE static key file
        Wed Jul 6 07:01:20 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 07:01:20 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
        Wed Jul 6 07:01:20 2016 Socket Buffers: R=[212992->200000] S=[212992->200000]
        Wed Jul 6 07:01:20 2016 UDPv4 link local: [undef]
        Wed Jul 6 07:01:20 2016 UDPv4 link remote: [AF_INET]super.secret.ipaddress:1194
        Wed Jul 6
07:01:24 2016 Server poll timeout, restarting Wed Jul 6 07:01:24 2016 SIGUSR1[soft,server_poll] received, process restarting Wed Jul 6 07:01:24 2016 Control Channel Authentication: tls-auth using INLINE static key file Wed Jul 6 07:01:24 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Jul 6 07:01:24 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Jul 6 07:01:24 2016 Socket Buffers: R=[212992->200000] S=[212992->200000] Wed Jul 6 07:01:24 2016 UDPv4 link local: [undef] Wed Jul 6 07:01:24 2016 UDPv4 link remote: [AF_INET]super.secret.ipaddress:1194 Wed Jul 6 07:01:28 2016 Server poll timeout, restarting Wed Jul 6 07:01:28 2016 SIGUSR1[soft,server_poll] received, process restarting Wed Jul 6 07:01:28 2016 Control Channel Authentication: tls-auth using INLINE static key file Wed Jul 6 07:01:28 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Jul 6 07:01:28 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Jul 6 07:01:28 2016 Socket Buffers: R=[212992->200000] S=[212992->200000] Wed Jul 6 07:01:28 2016 UDPv4 link local: [undef] Wed Jul 6 07:01:28 2016 UDPv4 link remote: [AF_INET]super.secret.ipaddress:1194 Wed Jul 6 07:01:32 2016 Server poll timeout, restarting Wed Jul 6 07:01:32 2016 SIGUSR1[soft,server_poll] received, process restarting Wed Jul 6 07:01:32 2016 Control Channel Authentication: tls-auth using INLINE static key file Wed Jul 6 07:01:32 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Jul 6 07:01:32 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Jul 6 07:01:32 2016 Socket Buffers: R=[212992->200000] S=[212992->200000] Wed Jul 6 07:01:32 2016 UDPv4 link local: [undef] Wed Jul 6 07:01:32 2016 UDPv4 link 
remote: [AF_INET]super.secret.ipaddress:1194 Wed Jul 6 07:01:36 2016 Server poll timeout, restarting Wed Jul 6 07:01:36 2016 SIGUSR1[soft,server_poll] received, process restarting
  24. Hi! Tried to find something useful, but no luck. I want to send syslog messages to a central server. I have OpenVPN working from the command line. So I would need 2 things: 1. Where to configure, persistently, that syslog messages will be sent to the central syslog server. I need this to ship some logs to a logstash server. I didn't find anything useful except syslog. 2. I want OpenVPN to start with my configuration. It's not started at the moment. It is installed on the SD card. Any tips, hints? Thanks. Milan
  25. I'm trying to set up a VPN tunnel for all traffic connected to the Pineapple in client mode, with the tunnel endpoint being my Ubuntu VPS out in the cloud. The goal here is to provide internet access to all clients connected to the Pineapple, while enabling more powerful MitM attacks like Metasploit using my VPS. I've installed OpenVPN on both my server and Pineapple and set up their respective keys, but I am at a loss now as to the proper configuration. Tun? Tap? Br0? lo? Should I be using tap0 or tun0 for each side of the tunnel? (And how does it hook into the Pineapple's traffic?) Could someone kindly sketch out the ideal configs for this kind of setup? In an earlier post, Sebkinne referred a user to this "howto", which specifies the client [=pineapple] as tap0. Forgive my ignorance, but don't you want to make the OpenVPN client side [=pineapple] "tun0" and the OpenVPN tunnel's endpoint on the Ubuntu server "tap0"? (Which in turn redirects internet traffic to its internet-facing eth0 interface?) I'm lost. In advance, thank you very much for any help you can offer.