I have a dream compute instance that only has one network adapter, and it has a public IP address. I am attempting to run OpenVPN with the TAP interface bridged to a dummy interface in order to access the instance from home/work/etc. securely. As an added benefit, I also want all connected clients to be able to talk to each other.
The client can ping the server and vice versa, as well as get to sites on the internet. However, I cannot access any of my services running on the instance (apache, pure-ftpd, samba, git, etc.). I have set 192.168.2.1 as a listening address on apache2 and restarted the server after the VPN connection is established, but still no luck.
What am I missing?
Here are my details:
eth0 is the interface with the public IP
Dummy interface: eth10:0
OpenVPN IP 192.168.2.1
OpenVPN DHCP IPs 192.168.2.200 - 192.168.2.254
208.xxx.xxx.1 in the openvpn config file is my public gateway on eth0
The Process:
I load my modules:
modprobe dummy
modprobe bridge
modprobe br_netfilter
modprobe tun
Set up forwarding through sysctl:
sysctl -w net.ipv4.conf.all.forwarding=1
On the server I create a dummy interface as follows:
ip link set name eth10 dev dummy0
ifconfig eth10 hw ether 00:22:22:ff:ff:ff
ip addr add 192.168.2.1/24 brd + dev eth10 label eth10:0
Then I start the bridge:
# start bridge
brctl addbr br0
brctl addif br0 eth10:0
brctl setageing br0 0 # for vmware?
# start OpenVPN
/etc/init.d/openvpn start
tap="tap0"
# add tap to bridge
for t in $tap; do
brctl addif br0 $t
done
# bring taps up and allow access
for t in $tap; do
ifconfig $t 0.0.0.0 promisc up
iptables -A INPUT -i $t -j ACCEPT
done
# bring bridge up and assign internal IP
ifconfig br0 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255
# allow NAT
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
OpenVPN has the following config:
port 1194
proto udp
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-auth ta.key 0
topology subnet
server-bridge 192.168.2.1 255.255.255.0 192.168.2.200 192.168.2.254
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
mssfix
#set the WINS server (SAMBA)
push "dhcp-option WINS 192.168.2.1"
#For windows, to make the network recognized
push "route 0.0.0.0 0.0.0.0 208.xxx.xxx.1"
cipher AES-256-CBC
auth SHA512
OpenVPN Log lines below:
Jun 30 09:37:47 pubby systemd[1]: Starting OpenVPN connection to server…
Jun 30 09:37:47 pubby systemd[1]: Starting OpenVPN service…
Jun 30 09:37:47 pubby systemd[1]: Started OpenVPN service.
Jun 30 09:37:47 pubby ovpn-server[25518]: OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Jun 30 09:37:47 pubby ovpn-server[25518]: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.08
Jun 30 09:37:47 pubby systemd[1]: Started OpenVPN connection to server.
Jun 30 09:37:48 pubby ovpn-server[25524]: NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Jun 30 09:37:48 pubby ovpn-server[25524]: Diffie-Hellman initialized with 2048 bit key
Jun 30 09:37:48 pubby ovpn-server[25524]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 30 09:37:48 pubby ovpn-server[25524]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 30 09:37:48 pubby ovpn-server[25524]: TUN/TAP device tap0 opened
Jun 30 09:37:48 pubby ovpn-server[25524]: TUN/TAP TX queue length set to 100
Jun 30 09:37:48 pubby ovpn-server[25524]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Jun 30 09:37:48 pubby ovpn-server[25524]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Jun 30 09:37:48 pubby ovpn-server[25524]: UDPv4 link local (bound): [AF_INET][undef]:1194
Jun 30 09:37:48 pubby ovpn-server[25524]: UDPv4 link remote: [AF_UNSPEC]
Jun 30 09:37:48 pubby ovpn-server[25524]: GID set to nogroup
Jun 30 09:37:48 pubby ovpn-server[25524]: UID set to nobody
Jun 30 09:37:48 pubby ovpn-server[25524]: MULTI: multi_init called, r=256 v=256
Jun 30 09:37:48 pubby ovpn-server[25524]: IFCONFIG POOL: base=192.168.2.200 size=55, ipv6=0
Jun 30 09:37:48 pubby ovpn-server[25524]: ifconfig_pool_read(), in='t430,192.168.2.200', TODO: IPv6
Jun 30 09:37:48 pubby ovpn-server[25524]: succeeded -> ifconfig_pool_set()
Jun 30 09:37:48 pubby ovpn-server[25524]: IFCONFIG POOL LIST
Jun 30 09:37:48 pubby ovpn-server[25524]: t430,192.168.2.200
Jun 30 09:37:48 pubby ovpn-server[25524]: Initialization Sequence Completed
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 VERIFY OK: depth=1, CN=ChangeMe
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 VERIFY OK: depth=0, CN=t430
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_VER=2.4.0
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_PLAT=linux
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_PROTO=2
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_NCP=2
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_LZ4=1
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_LZ4v2=1
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_LZO=1
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_COMP_STUB=1
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_COMP_STUBv2=1
Jun 30 09:37:56 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 peer info: IV_TCPNL=1
Jun 30 09:37:57 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jun 30 09:37:57 pubby ovpn-server[25524]: 73.81.xxx.xxx:43841 [t430] Peer Connection Initiated with [AF_INET]73.81.xxx.xxx:43841
Jun 30 09:37:57 pubby ovpn-server[25524]: t430/73.81.xxx.xxx:43841 MULTI_sva: pool returned IPv4=192.168.2.200, IPv6=(Not enabled)
Jun 30 09:37:58 pubby ovpn-server[25524]: t430/73.81.xxx.xxx:43841 PUSH: Received control message: 'PUSH_REQUEST'
Jun 30 09:37:58 pubby ovpn-server[25524]: t430/73.81.xxx.xxx:43841 SENT CONTROL [t430]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,dhcp-option WINS 192.168.2.1,route 0.0.0.0 0.0.0.0 208.xxx.xxx.1,route-gateway 192.168.2.1,ping 10,ping-restart 120,ifconfig 192.168.2.200 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Jun 30 09:37:58 pubby ovpn-server[25524]: t430/73.81.xxx.xxx:43841 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 30 09:37:58 pubby ovpn-server[25524]: t430/73.81.xxx.xxx:43841 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jun 30 09:37:58 pubby ovpn-server[25524]: t430/73.81.xxx.xxx:43841 MULTI: Learn: 92:34:xx:xx:xx:xx -> t430/73.81.xxx.xxx:43841
Best Answer
When ICMP works but not TCP, it almost always comes down to a firewall issue. Verify that your server's iptables are in order.
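An added check, not part of the question or the answer above, for verifying the INPUT chain on a bridged OpenVPN host like the one described: once tap0 is enslaved to br0 and br_netfilter is loaded, frames from VPN clients that are delivered locally traverse INPUT with the in-interface set to br0, so the script's `iptables -A INPUT -i tap0 -j ACCEPT` never matches them. The rule sets below are constructed samples in `iptables -S INPUT` format, modelled on the question's script; the function name and the interface arguments are this example's own.

```shell
#!/bin/sh
# Constructed sample modelled on the question's script: ACCEPT only on the
# tap member, default policy DROP (not captured from the real instance).
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tap0 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT'

# Constructed sample with an ACCEPT on the bridge interface itself.
FIXED_RULES='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT'

# bridge_input_allowed RULES BRIDGE MEMBER
# Returns 0 when INPUT accepts traffic arriving on BRIDGE (by rule or by
# policy), 1 otherwise. A rule matching "-i MEMBER" is reported as a
# warning: with the member enslaved to the bridge and br_netfilter loaded,
# bridged frames reach INPUT as "-i BRIDGE", and matching the physical
# member would need "-m physdev --physdev-in MEMBER" instead.
bridge_input_allowed() {
    rules=$1; bridge=$2; member=$3
    policy=$(printf '%s\n' "$rules" | awk '$1=="-P" && $2=="INPUT" {print $3}')
    if printf '%s\n' "$rules" | grep -Eq -- "^-A INPUT .*-i $bridge( |$).*-j ACCEPT"; then
        echo "ok: INPUT accepts traffic arriving on $bridge"
        return 0
    fi
    if printf '%s\n' "$rules" | grep -Eq -- "^-A INPUT .*-i $member( |$).*-j ACCEPT"; then
        echo "warn: ACCEPT matches -i $member, but bridged frames arrive as -i $bridge"
    fi
    if [ "$policy" = "ACCEPT" ]; then
        echo "ok: INPUT policy is ACCEPT"
        return 0
    fi
    echo "fail: no INPUT ACCEPT for $bridge and policy is ${policy:-unknown}"
    return 1
}

# On a live host:  bridge_input_allowed "$(iptables -S INPUT)" br0 tap0
bridge_input_allowed "$SAMPLE_RULES" br0 tap0 || :
bridge_input_allowed "$FIXED_RULES" br0 tap0
```

The first call reports the tap-only rule as a warning and fails on the DROP policy; the second passes because the ACCEPT names the bridge interface.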