Jump to content

OpenVPN does not work


nycaleksey

Recommended Posts

Hi,

I just got a Lanturtle and first thing I wanted to do is to make it OpenVPN out to my homebase. I just copied my regular OpenVPN config that works on all other devices incuding IOS devices - but it doesn't work. When I start the module it confirms that OpenVPN is started and even gives out PIDs but then it shows it as "Stopped". The logs on my openvpn server show no connection attempts whatsoever. I cannot find the location of any OpenVPN logs or output on the LanTurtle, and trying run the /usr/sbin/openvpn binary results in empty output. My openvpn config file looks like this:

client

dev tun

proto udp

remote x.x.x.x xxx

resolv-retry infinite

nobind

persist-key

persist-tun

cipher AES-128-CBC

comp-lzo

verb 3

<ca>

-----BEGIN CERTIFICATE-----

ca

-----END CERTIFICATE-----

</ca>

<cert>

-----BEGIN CERTIFICATE-----

cert

-----END CERTIFICATE-----

</cert>

<key>

-----BEGIN PRIVATE KEY-----

key

-----END PRIVATE KEY-----

</key>

could someone help and point me out in the right direction - how do I see why exactly OpenVPN does not start?
Thank you
Link to comment
Share on other sites

I have made some progress - everything works fine if I run openvpn manually:

root@turtle:/tmp# /usr/sbin/openvpn --daemon --config /etc/openvpn/my-vpn.conf

however, /etc/init.d/openvpn start" still does not start openvpn. I have looked through that script and it's quite complex - it tries building configs on the fly and does some other stuff.
So, for now, I made a simple bandaid solution - in /etc/turtle/openvpn module definition I have replace start routine from "/etc/init.d/openvpn start" to "/usr/sbin/openvpn --daemon --config /etc/openvpn/my-vpn.conf " and the stop routine with "killall openvpn"
This works for me - the LanTurtle autostarts OpenVPN when booting up and keeps the tunnel up.
Hopefully this will be fixed in the firmware updates.
Link to comment
Share on other sites

I did some further digging, familiarized myself with OpenWRT for the first time, and I think I found a problem that prevents OpenVPN module from working - it does not enable openvpn.custom_config in UCI. So, after manually running

uci set openvpn.custom_config.enabled=1

uci commit

OpenVPN starts working just fine. This should be done as part of enabling the module by Module Manager, I think.

Link to comment
Share on other sites

Hey great work... i´m learning a lot with this post... Sorry I can´t help with this but let me think laught... It would be helpfull to set a cron to run it form a script (where you can check if the service it´s started)?I´m not sure if i´m saying something very stupid but i´m just thinking laught..

Link to comment
Share on other sites

Thanks nycaleksey. I noticed the custom_config.enabled issue at DEF CON. Just got back and getting my head screwed back on. Will push an updated openvpn module soon. Eventually we'll add the option to "check for updates" in modulemanager but for now we'll just advise removing and reinstalling the module. Next up for version 3 is forcing SSL and other checks to ensure module and firmware downloads aren't MITM'd.

I too noticed the issue with /etc/init.d/openvpn start not working as it should. Odd. It works on my dev Turtle which has been tormented in every which way... Thanks all for the feedback!

Link to comment
Share on other sites

  • 2 weeks later...

Quick thing:

Can anybody walkthrough the settings they have enabled on their OpenVPN access server? I have the "client gateway" box checked, and the correct subnet to route to, but the VPN still won't route to my internal network (when i'm external connected to the access server). Anybody have clear directions on what settings they have enabled on the access server?

Link to comment
Share on other sites

has any progress been made? I see this post is not that old. I finally got time to play with my turtle today, and I updated the before anything, and also pulled down the openvpn from the module directories, so I am assuming it's currently. I can use the information in this post to get it going, but if I try from the turtle menu, it comes back as autostart enabled, it states it's started gives 3 PID's then comes back to the screen as stopped.

Link to comment
Share on other sites

  • 3 weeks later...

has any progress been made? I see this post is not that old. I finally got time to play with my turtle today, and I updated the before anything, and also pulled down the openvpn from the module directories, so I am assuming it's currently. I can use the information in this post to get it going, but if I try from the turtle menu, it comes back as autostart enabled, it states it's started gives 3 PID's then comes back to the screen as stopped.

The module was updated and works with firmware V2

Link to comment
Share on other sites

  • 3 weeks later...

hey folks,

are there any specific config options i need to set in my turtle's vpn config to get the server to acknowledge and push the target route to other vpn connections? i followed darren's screenshot exactly as far as my server user permissions but my 'frog' connection doesnt see the 'turtle'-accessible network.

from 'frog', once connected to the openvpn server, i am able to ssh into 'turtle', but the vpn gateway subnet i configured in user permissions (on which 'turtle' has as a lan connection to) is not reachable. if i look at my route table on 'frog' after i'm connected to the vpn, i do not see 'turtle's lan connection (the target network). so, from here what i did was go into the openvpn server 'advanced vpn' configuration and added the following command:

push "route 192.168.1.0 255.255.255.0"

i redeployed with the config changes and now, the route table in 'frog' has a route added to the target network, but i am still unable to directly access anything on the target network, so back to square one.

any advice? thanks a lot

Link to comment
Share on other sites

I am stuck exactly in the same spot. I have my lan turtle sitting behind a Linksys router. I am on a 10.x.x.x subnet, Openvpn server is on a 172.27.224.x subnet, and my lan turtle is on a 192.168.1.x subnet. Both my laptop and lan turtle have successful connections to the open vpn server.

Tracing route to 192.168.1.1 over a maximum of 30 hops

1 25 ms * 21 ms 172.27.224.1

2 48 ms 43 ms 43 ms 172.27.224.8

3 172.27.224.8 reports: Destination protocol unreachable.

Trace complete.

172.27.224.8 is my lan turtle, so it looks as if it knows to go to the lan turtle to find the 192.168.1.x subnet. It just isn't making that last step.

If I SSH into the lan turtle, I can ping 192.168.1.1 successfully.

Link to comment
Share on other sites

  • 2 weeks later...

Still stuck.. I cant get past this. I found a couple of solutions online that say to reconfigure routes. I didn't want to start messing with that because I feel the turtle should phone home after being dropped and give me a vpn connection from whatever subnet it falls on. It must be something silly that I'm missing.

Link to comment
Share on other sites

Can someone take a look at these routing tables to see if anything looks funny?

104.XXX.XXX.25 = CloudServer

192.168.222.2 = VPN address of LAN Turtle

192.168.222.3 = VPN address of my laptop

192.168.1.1 = Router that the Lan Turtle is connected to

172.27.208.1 = LAN address of OpenVPN Server

CloudServer

turtle@Cloud Server:~$ route

Kernel IP routing table

Destination Gateway Genmask Flags Metric Ref Use Iface

default 104.XXX.XXX.1 0.0.0.0 UG 0 0 0 eth0

10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0

10.8.0.2 * 255.255.255.255 UH 0 0 0 tun0

104.XXX.XXX.0 * 255.255.192.0 U 0 0 0 eth0

172.27.208.0 * 255.255.255.128 U 0 0 0 as0t0

192.168.1.0 * 255.255.255.0 U 0 0 0 as0t0

192.168.222.2 * 255.255.255.255 UH 0 0 0 as0t0

turtle@ClodServer:~$ ping 192.168.1.1

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.

From 192.168.222.2 icmp_seq=1 Destination Port Unreachable

From 192.168.222.2 icmp_seq=2 Destination Port Unreachable

LAN Turtle

root@turtle:~# route

Kernel IP routing table

Destination Gateway Genmask Flags Metric Ref Use Iface

default 192.168.222.1 128.0.0.0 UG 0 0 0 tun0

default 192.168.1.1 0.0.0.0 UG 0 0 0 eth1

104.XXX.XXX.25 192.168.1.1 255.255.255.255 UGH 0 0 0 eth1

128.0.0.0 192.168.222.1 128.0.0.0 UG 0 0 0 tun0

172.16.84.0 * 255.255.255.0 U 0 0 0 br-lan

192.168.1.0 * 255.255.255.0 U 0 0 0 eth1

192.168.222.0 * 255.255.255.0 U 0 0 0 tun0

root@turtle:~# ping 192.168.1.1

PING 192.168.1.1 (192.168.1.1): 56 data bytes

64 bytes from 192.168.1.1: seq=0 ttl=64 time=1.562 ms

64 bytes from 192.168.1.1: seq=1 ttl=64 time=0.623 ms

My Laptop

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 10.10.50.1 10.10.50.102 20

0.0.0.0 128.0.0.0 192.168.222.1 192.168.222.3 20

10.10.50.0 255.255.255.0 On-link 10.10.50.102 276

10.10.50.102 255.255.255.255 On-link 10.10.50.102 276

10.10.50.255 255.255.255.255 On-link 10.10.50.102 276

104.XXX.XXX.25 255.255.255.255 10.10.50.1 10.10.50.102 20

127.0.0.0 255.0.0.0 On-link 127.0.0.1 306

127.0.0.1 255.255.255.255 On-link 127.0.0.1 306

127.255.255.255 255.255.255.255 On-link 127.0.0.1 306

128.0.0.0 128.0.0.0 192.168.222.1 192.168.222.3 20

192.168.222.0 255.255.255.0 On-link 192.168.222.3 276

192.168.222.3 255.255.255.255 On-link 192.168.222.3 276

192.168.222.255 255.255.255.255 On-link 192.168.222.3 276

224.0.0.0 240.0.0.0 On-link 127.0.0.1 306

224.0.0.0 240.0.0.0 On-link 192.168.222.3 276

224.0.0.0 240.0.0.0 On-link 10.10.50.102 276

255.255.255.255 255.255.255.255 On-link 127.0.0.1 306

255.255.255.255 255.255.255.255 On-link 192.168.222.3 276

255.255.255.255 255.255.255.255 On-link 10.10.50.102 276

Traceroute from my laptop to turtle LAN

Tracing route to 192.168.1.1 over a maximum of 30 hops

1 22 ms * 23 ms 172.27.208.1

2 43 ms 45 ms 46 ms 192.168.222.2

3 192.168.222.2 reports: Destination protocol unreachable.

Trace complete.

Link to comment
Share on other sites

  • 2 months later...

Hi folks, I can see this post might be stale by now, but it seems the right place to ask this.

I've got a tame friend who agreed to plant my turtle on his own LAN. I set it up for autossh, and that worked right out of the box.

I want to try to poke around on his network from *my* network, and so followed Darren's video instructions (and this post) for configuring an OpenVPN server. It all seems fine, but I don't get the route to the remote LAN pushed to my client.

The turtle's VPN user is set up as to gateway the remote LAN - as shown above, but for 192.168.90.0/24 - and if I connect my end to the VPN, I can ping the turtle's VPN IP address directly, and even ssh to it directly from either Windows or Linux, but I cannot ping the remote LAN from my home network.As I understand it, the gateway setting on the OpenVPN server should push a gateway route to me, and should manage the traffic between the VPN clients to that remote net.

I'm sure there's an important point I've misunderstood, so any help much appreciated

Link to comment
Share on other sites

  • 2 weeks later...

Mine works perfectly.

I did at first have the same problem where the VPN tunnel was active but I could not ping the gateway. I had to manually edit the firewall rules on the turtle as described at the end of the video. Have you done that? After fixing the firewall, it works perfectly. I like this much better than having just an ssh to the turtle, as it puts my whole kali laptop on the network instead of just being limited to the turtle's functionality.

Link to comment
Share on other sites

  • 3 weeks later...

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...