Hi, I have been trying to get this working for a couple of weeks - with several reinstallations each day, but I'm getting stuck at the same place each time.
EDIT ADMIN: removed certificate data from post.
I am a tech with 30+ years of experience in IT, but recent health issues make things that earlier were a no-brainer much harder to grasp. I'm now used to having to read the same page up to 4 or 5 times before it sticks, so guides like this are gold to me.
Your guides are very easy to follow - thank you very much for doing it, and doing it this way.
Now, to my problem...
I go through the whole guide without problems until I reach the VPN test with curl.
The first test works fine
Code:
curl ipinfo.io
..returns the expected result, but
Code:
sudo -u vpn -i -- curl ipinfo.io
..will hang until timeout
Code:
curl: (7) Failed to connect to ipinfo.io port 80: Connection timed out
The results are the same both with the VPN connection up and down, and I cannot figure out why.
The DNS servers work fine with the regular user, but somehow not with the vpn user.
Any hint or nudge in the right direction is greatly appreciated.
systemctl status openvpn@openvpn.service
Code:
● openvpn@openvpn.service - OpenVPN connection to openvpn
Loaded: loaded (/etc/systemd/system/openvpn@openvpn.service; enabled)
Active: active (running) since Fri 2017-03-17 17:38:07 CET; 12s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 9465 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid (code=exited, status=0/SUCCESS)
Main PID: 9466 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@openvpn.service
└─9466 /usr/sbin/openvpn --daemon ovpn-openvpn --status /run/openvpn/openvpn.status 10 --cd /etc/openvpn --script-security 2 --config /etc...
iptables -S
Code:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 172.16.16.222/32 -o eth1 -j REJECT --reject-with icmp-port-unreachable
iptables -L
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere owner UID match vpn
ACCEPT all -- anywhere anywhere owner UID match vpn
REJECT all -- !localmachine anywhere reject-with icmp-port-unreachable
openvpn.conf
Code:
client
dev tun0
proto udp
remote pw.openvpn.ipredator.se 1194
remote pw.openvpn.ipredator.me 1194
remote pw.openvpn.ipredator.es 1194
resolv-retry infinite
nobind
auth-user-pass /etc/openvpn/IPredator.auth
auth-retry nointeract
ca [inline]
tls-client
tls-auth [inline]
ns-cert-type server
remote-cert-tls server
remote-cert-ku 0x00e0
keepalive 10 30
cipher AES-256-CBC
persist-key
comp-lzo
tun-mtu 1500
mssfix 1200
passtos
verb 3
replay-window 512 60
mute-replay-warnings
ifconfig-nowarn
# Disable this if your system does not support it!
tls-version-min 1.2
script-security 2
#up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
#--------------------------------#
#from htpc #
#-------------------------------#
route-noexec
up /etc/openvpn/iptables.sh
#auth-nocache
#--------------------------------#
# end: from htpc #
#-------------------------------#
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
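As an added example (not from the original post or the guide it follows), a small Python model of the posted `iptables -S` rules: it parses them and walks a chain top to bottom with first-match semantics, reporting which rule or chain policy decides a given packet. It understands only the matches that appear in these rules (interface, source, owner UID, conntrack state) and knows nothing about routing or which source address the kernel actually picks, so the packets it judges are constructed assumptions, not a diagnosis.

```python
import ipaddress

# Constructed copy of the `iptables -S` output from the post, used as sample input.
RULES = """
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i tun0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -o tun0 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT ! -s 172.16.16.222/32 -o eth1 -j REJECT --reject-with icmp-port-unreachable
""".strip().splitlines()

# Only the match options that actually appear in the rules above are understood.
MATCH_KEYS = {"-i": "in_if", "-o": "out_if", "-s": "src", "--uid-owner": "uid", "--ctstate": "ctstate"}

def parse_rules(lines):
    """Return chain policies and, per chain, an ordered list of (conditions, target)."""
    policies, chains = {}, {}
    for line in lines:
        tok = line.split()
        if tok[0] == "-P":
            policies[tok[1]] = tok[2]
            continue
        conds, target, negate, i = [], None, False, 2
        while i < len(tok):
            if tok[i] == "!":                    # negates the next match option
                negate, i = True, i + 1
            elif tok[i] == "-j":
                target, i = tok[i + 1], i + 2
            elif tok[i] in ("-m", "--reject-with"):  # module name / reject type: no effect on matching
                i += 2
            else:
                conds.append((MATCH_KEYS[tok[i]], tok[i + 1], negate))
                negate, i = False, i + 2
        chains.setdefault(tok[1], []).append((conds, target))
    return policies, chains

POLICIES, CHAINS = parse_rules(RULES)

def matches(cond, pkt):
    key, value, negate = cond
    if key == "src":  # CIDR match; a packet without a source is treated as 0.0.0.0
        hit = ipaddress.ip_address(pkt.get("src", "0.0.0.0")) in ipaddress.ip_network(value, strict=False)
    else:
        hit = str(pkt.get(key)) == value
    return hit != negate

def decide(chain, pkt):
    """First rule whose every match fits wins; otherwise the chain policy. Returns (target, where)."""
    for n, (conds, target) in enumerate(CHAINS.get(chain, []), 1):
        if all(matches(c, pkt) for c in conds):
            return target, f"rule {n}"
    return POLICIES[chain], "policy"
```

Call `decide("OUTPUT", {"out_if": "eth1", "src": "172.16.16.222", "uid": 1001})` with the interface, source and uid you expect curl to use; uid 1001 is the `vpn` owner shown in the `iptables -L` output.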