[Solved] OpenVPN: Don't redirect everything through tunnel
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Hello there
I own a server (Debian 10) which runs an OpenVPN server on it. I mainly installed the VPN for accessing the samba shares (hosted on the same machine) from my client (Linux Mint 19.1 Cinnamon) over the internet.
I added the VPN client details using the Network Manager GUI:
I can connect to the VPN & also connect to the samba share, but I have a problem.
When connected to the VPN, I can't connect to the internet any more (I think I didn't set up any redirections on the server), but I don't want my whole traffic to go through the tunnel anyway, I only need it to connect to the samba shares on 192.168.x.x (BTW the subnet differs from what I have locally, so it doesn't get confused). Any other traffic from my machine should go the direct way (use normal route + DNS etc.). I know I could probably do it by changing some routes (on the client) after connecting to the VPN.
If possible, I would like to configure this on the server side, so I could potentially add more clients for using the samba shares without routing further traffic over the VPN, and without configuring individual routes for each client.
Is that possible, and if so, how?
Regards,
XXXBold
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: OpenVPN: Don't redirect everything through tunnel
Thanks for your response.
I tried that option, but it didn't solve my problem. When enabled, I could still access the internet, but was not able to connect to the local network over the VPN anymore.
Maybe this is interesting: what "route" prints (on the client) when connected or not.
If not connected to the VPN, it looks like this:
Code:
default RT-N56U 0.0.0.0 UG 100 0 0 enp1s0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp1s0
192.168.10.0 0.0.0.0 255.255.255.0 U 100 0 0 enp1s0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
If connected normally (without the "use connection only for resources" option checked):
Code:
default _gateway 0.0.0.0 UG 50 0 0 tun0
default RT-N56U 0.0.0.0 UG 100 0 0 enp1s0
10.8.0.1 _gateway 255.255.255.255 UGH 50 0 0 tun0
_gateway 0.0.0.0 255.255.255.255 UH 50 0 0 tun0
xx-xx-xx-xx.dy RT-N56U 255.255.255.255 UGH 100 0 0 enp1s0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp1s0
192.168.10.0 0.0.0.0 255.255.255.0 U 100 0 0 enp1s0
RT-N56U 0.0.0.0 255.255.255.255 UH 100 0 0 enp1s0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
If connected with "use connection only for resources" enabled:
Code:
default RT-N56U 0.0.0.0 UG 100 0 0 enp1s0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 50 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 50 0 0 tun0
xx-xx-xx-xx.dy RT-N56U 255.255.255.255 UGH 100 0 0 enp1s0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp1s0
192.168.10.0 0.0.0.0 255.255.255.0 U 100 0 0 enp1s0
RT-N56U 0.0.0.0 255.255.255.255 UH 100 0 0 enp1s0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
Re: OpenVPN: Don't redirect everything through tunnel
You are redirecting gateway.
Can you post your server and client config?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
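The three `route` tables in the previous post are what this reply is pointing at. In the second table a `default` route via tun0 with metric 50 outranks the enp1s0 default at metric 100, so every packet is redirected into the tunnel. In the third table that default is gone, but the only tun0 routes left are the /32 host routes of the net30 pairing (10.8.0.1 via 10.8.0.5, the addressing the server.conf posted below still uses because `;topology subnet` is commented out), and nothing covers 192.168.1.0/24, which is why the LAN became unreachable. Since that server.conf also has `;push "redirect-gateway def1 bypass-dhcp"` commented out, the tun0 default route is installed by the client side: NetworkManager makes a VPN the default route unless "Use this connection only for resources on its network" (`ipv4.never-default`) is set. The script below is an added example, not code from the thread, from OpenVPN or from NetworkManager; it parses `route` output in the column layout shown above and classifies the session. The first three sample tables are copied from the post; the fourth is constructed as an assumption of what a subnet-topology client would show once the server pushes a route for 192.168.1.0/24.

```python
"""Classify what a Linux client's routing table says about a VPN session:
is the tunnel the default route (everything redirected), is only a remote
LAN prefix routed into it (split tunnel), or is the tunnel up with no route
to the LAN at all (the symptom in this thread)?

Added example for this thread; not code from the forum post, from
NetworkManager or from OpenVPN."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: str      # "default"/"0.0.0.0", a dotted quad, or a name `route` resolved (e.g. _gateway)
    gateway: str
    genmask: str
    flags: str
    metric: int
    iface: str


def parse_route_output(text: str) -> list[Route]:
    """Parse the 8 columns printed by `route` / `route -n`
    (Destination Gateway Genmask Flags Metric Ref Use Iface).
    Header lines and anything that is not 8 fields are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = parts
        routes.append(Route(dest, gw, mask, flags, int(metric), iface))
    return routes


def _is_default(r: Route) -> bool:
    return r.dest in ("default", "0.0.0.0")   # `route` prints "default", `route -n` prints 0.0.0.0


def _prefix(r: Route) -> ipaddress.IPv4Network | None:
    """Numeric prefix of a route, or None for symbolic destinations
    (link-local, a resolved hostname such as _gateway or RT-N56U)."""
    try:
        return ipaddress.ip_network(f"{r.dest}/{r.genmask}", strict=False)
    except ValueError:
        return None


def tunnel_state(routes: list[Route], vpn_iface: str = "tun0",
                 lan: str = "192.168.1.0/24") -> str:
    """One of:
      no-vpn        no route uses vpn_iface
      full-tunnel   the lowest-metric default route leaves via vpn_iface
      split-ok      default route stays on the physical NIC and `lan`
                    is covered by a route via vpn_iface
      split-no-lan  tunnel is up, default route stays physical, but nothing
                    routes `lan` into the tunnel (LAN unreachable over VPN)
    """
    via_tun = [r for r in routes if r.iface == vpn_iface]
    if not via_tun:
        return "no-vpn"
    defaults = sorted((r for r in routes if _is_default(r)), key=lambda r: r.metric)
    if defaults and defaults[0].iface == vpn_iface:
        return "full-tunnel"
    want = ipaddress.ip_network(lan)
    for r in via_tun:
        net = None if _is_default(r) else _prefix(r)
        if net is not None and want.subnet_of(net):
            return "split-ok"
    return "split-no-lan"


# Tables copied from the post above (client output of `route`).
NO_VPN = """\
default RT-N56U 0.0.0.0 UG 100 0 0 enp1s0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp1s0
192.168.10.0 0.0.0.0 255.255.255.0 U 100 0 0 enp1s0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
"""
FULL_TUNNEL = """\
default _gateway 0.0.0.0 UG 50 0 0 tun0
default RT-N56U 0.0.0.0 UG 100 0 0 enp1s0
10.8.0.1 _gateway 255.255.255.255 UGH 50 0 0 tun0
_gateway 0.0.0.0 255.255.255.255 UH 50 0 0 tun0
xx-xx-xx-xx.dy RT-N56U 255.255.255.255 UGH 100 0 0 enp1s0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp1s0
192.168.10.0 0.0.0.0 255.255.255.0 U 100 0 0 enp1s0
RT-N56U 0.0.0.0 255.255.255.255 UH 100 0 0 enp1s0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
"""
RESOURCES_ONLY = """\
default RT-N56U 0.0.0.0 UG 100 0 0 enp1s0
10.8.0.1 10.8.0.5 255.255.255.255 UGH 50 0 0 tun0
10.8.0.5 0.0.0.0 255.255.255.255 UH 50 0 0 tun0
xx-xx-xx-xx.dy RT-N56U 255.255.255.255 UGH 100 0 0 enp1s0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp1s0
192.168.10.0 0.0.0.0 255.255.255.0 U 100 0 0 enp1s0
RT-N56U 0.0.0.0 255.255.255.255 UH 100 0 0 enp1s0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
"""
# Constructed (assumption, not from the thread): a subnet-topology client with
# "resources only" set and the server pushing route 192.168.1.0 255.255.255.0.
SPLIT_FIXED = """\
default RT-N56U 0.0.0.0 UG 100 0 0 enp1s0
10.8.0.0 0.0.0.0 255.255.255.0 U 50 0 0 tun0
192.168.1.0 10.8.0.1 255.255.255.0 UG 50 0 0 tun0
link-local 0.0.0.0 255.255.0.0 U 1000 0 0 enp1s0
192.168.10.0 0.0.0.0 255.255.255.0 U 100 0 0 enp1s0
"""

if __name__ == "__main__":
    for name, table in [("not connected", NO_VPN),
                        ("connected, NM defaults", FULL_TUNNEL),
                        ("resources only, no pushed route", RESOURCES_ONLY),
                        ("resources only + pushed LAN route", SPLIT_FIXED)]:
        print(f"{name:36s} -> {tunnel_state(parse_route_output(table))}")
```

Feed it `route -n` output instead and hostnames stop appearing, which is the more reliable input; the classifier accepts both forms. The `split-no-lan` result for the third table is the whole problem in one word: the client stopped redirecting its gateway, but the server never told it where 192.168.1.0/24 lives.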
Re: OpenVPN: Don't redirect everything through tunnel
server.conf:
Code:
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients <-> one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine <-> single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
# #
# Comments are preceded with '#' or ';' #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port xxx
# TCP or UDP server?
;proto tcp
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert simonprivatevpn.crt
key simonprivatevpn.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh dh.pem
# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
;topology subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist /var/log/openvpn/ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"
# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status /var/log/openvpn/openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log /var/log/openvpn/openvpn.log
;log-append /var/log/openvpn/openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
auth SHA256
client (/etc/NetworkManager/system-connections/VPN-simonServer):
Code:
[connection]
id=VPN-simonServer
uuid=xxx
type=vpn
autoconnect=false
permissions=user:simon:;
timestamp=1567711309
[vpn]
auth=SHA256
ca=xxx
cert=xxx
cert-pass-flags=1
cipher=AES-256-CBC
connect-timeout=30
connection-type=tls
key=xxx
port=xxx
remote=xxx
remote-cert-tls=server
ta=xxx
ta-dir=1
service-type=org.freedesktop.NetworkManager.openvpn
[ipv4]
dns-search=
method=auto
[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto
Re: OpenVPN: Don't redirect everything through tunnel
Ok, step by step.
In server config file change
Code:
;topology subnet
to
Code:
topology subnet
The LAN where the server resides, is it 192.168.10.0 or 192.168.122.0?
Also post a drawing of your network topology.
Re: OpenVPN: Don't redirect everything through tunnel
192.168.10.0/24: My Home network's (of my openvpn client) LAN
192.168.1.0/24 : My server's(where the openvpn server is running) LAN.
192.168.122.0 : This is just for a local samba share (clientside) with using in QEMU/KVM, so this doesn't apply here, ignore it.
Hmm, drawing, hope this will explain it:
Client(192.168.10.140)<-->Router(192.168.10.0/24)<--->Internet<--->Router(192.168.1.0/24)<-->Server(192.168.1.100)
Is this fine, or you need additional information?
Re: OpenVPN: Don't redirect everything through tunnel
Let's first check the server:
Add to its config
Code:
log /var/log/openvpn.log
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
and change
Code:
verb 3
to
Code:
verb 4
Do a full restart of the OpenVPN server and post the /var/log/openvpn.log
1. Is ip_forward enabled?
Code:
cat /proc/sys/net/ipv4/ip_forward
Should return 1.
2. Did you add any firewall rule?
Code:
iptables -S
iptables -t nat -S
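The steps in this reply, together with the `topology subnet` change asked for earlier, are a small server-side checklist, and the next post reports applying exactly those directives. The script below is an added example, not code from the thread or from the OpenVPN project: it reads a server.conf the way OpenVPN reads it (`#` and `;` start comments, also after a directive, so `;topology subnet` is not active; quoted arguments such as `push "route a b"` are unquoted) and reports which split-tunnel directives are in effect, then lists what is still missing. `ip_forward` and the iptables rules are runtime state, so they are left to the two commands above. Assumptions: the LAN is given as a CIDR prefix, and `THREAD_SERVER_CONF` is a constructed excerpt of the server.conf posted above (port omitted), not the file itself.

```python
"""Audit an OpenVPN server.conf for the split-tunnel setup this thread arrives
at (only the server's LAN is routed through the VPN, nothing else) and list
the directive lines that are still missing.

Added example for this thread; not code from the forum post or from OpenVPN."""
from __future__ import annotations

import ipaddress
import shlex
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]


def parse_directives(conf: str) -> List[Directive]:
    """Return the active directives as (name, args).

    OpenVPN starts a comment with '#' or ';', at line start or after a
    directive (the posted config has 'key x.key # This file should be kept
    secret'), so a ';topology subnet' line is NOT active."""
    directives: List[Directive] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        for marker in (" #", "\t#", " ;", "\t;"):
            cut = line.find(marker)
            if cut != -1:
                line = line[:cut]
        tokens = shlex.split(line)      # push "route a b" -> ['push', 'route a b']
        if tokens:
            directives.append((tokens[0], tokens[1:]))
    return directives


def _net_mask(lan_cidr: str) -> Tuple[str, str]:
    net = ipaddress.ip_network(lan_cidr, strict=False)
    return str(net.network_address), str(net.netmask)


def audit_split_tunnel(conf: str, lan_cidr: str) -> Dict[str, bool]:
    """The facts a reviewer wants from the server side of a split tunnel."""
    d = parse_directives(conf)
    net, mask = _net_mask(lan_cidr)
    # push "route a b" arrives as args ['route a b']; re-split into words
    pushed = [" ".join(args).split() for name, args in d if name == "push"]
    return {
        "dev_tun": ("dev", ["tun"]) in d,
        # pushing redirect-gateway would force ALL client traffic into the VPN
        "pushes_redirect_gateway": any(p and p[0] == "redirect-gateway" for p in pushed),
        # earlier reply in the thread: subnet topology instead of the net30 default
        "topology_subnet": ("topology", ["subnet"]) in d,
        # the actual fix: a route for the LAN only, pushed to every client
        "pushes_lan_route": ["route", net, mask] in pushed,
        # server-side route for the same LAN (the thread added it alongside the push)
        "server_routes_lan": ("route", [net, mask]) in d,
    }


def missing_directives(conf: str, lan_cidr: str) -> List[str]:
    """Lines to append to server.conf so that only lan_cidr goes over the tunnel."""
    f = audit_split_tunnel(conf, lan_cidr)
    net, mask = _net_mask(lan_cidr)
    todo: List[str] = []
    if f["pushes_redirect_gateway"]:
        todo.append('# remove: push "redirect-gateway ..." (it makes the VPN the default route)')
    if not f["topology_subnet"]:
        todo.append("topology subnet")
    if not f["server_routes_lan"]:
        todo.append(f"route {net} {mask}")
    if not f["pushes_lan_route"]:
        todo.append(f'push "route {net} {mask}"')
    return todo


# Constructed excerpt mirroring the server.conf posted in this thread (port omitted).
THREAD_SERVER_CONF = """\
proto udp
dev tun
ca ca.crt
cert simonprivatevpn.crt
key simonprivatevpn.key # This file should be kept secret
;topology subnet
server 10.8.0.0 255.255.255.0
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;push "redirect-gateway def1 bypass-dhcp"
;client-to-client
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
"""

if __name__ == "__main__":
    for line in missing_directives(THREAD_SERVER_CONF, "192.168.1.0/24"):
        print(line)
```

Run against the posted config it prints `topology subnet`, `route 192.168.1.0 255.255.255.0` and `push "route 192.168.1.0 255.255.255.0"`, the three routing lines the next post adds. One caveat the script cannot check: once that route is pushed and ip_forward is 1, every connected client can reach every host on 192.168.1.0/24 through the server, not only the samba share (the share itself sits on the server, 192.168.1.100, and needs no forwarding at all). The upstream router never sees that traffic, so the server.conf's own comment about firewalling the TUN/TAP interface is the place to enforce which LAN hosts and ports VPN clients may reach.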
Re: OpenVPN: Don't redirect everything through tunnel
Seems it's working now as intended (when I set the "Use this connection only for resources in network" option on the client's side as well).
I've added/uncommented/changed the following options in server.conf:
Code:
topology subnet
log /var/log/openvpn.log
route 192.168.1.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
verb 4
IP forwarding wasn't enabled, I enabled it now. ("sysctl -w net.ipv4.ip_forward=1" enabled it temporarily, for testing; will make it persistent now I guess)
I didn't set up any rules via iptables (well, I previously did, but deleted them all for troubleshooting) because I don't think it's really needed anyway, since the server is behind a router.
There are a few more questions I have:
1: I'm not sure if this is a "clean" log because there are some errors in it (on start and a "hard" SIGTERM when exiting). When I connect, the log looks good.
2: If I close the OpenVPN server while still connected from the client, I don't get any notification on the client side. It still shows the "connected" status in the GUI. Is it possible to enable something like that? (That's how it looks if the server gets closed; obviously the same as if still connected.)
Thanks a lot for your effort so far, I appreciate that very much!
Here's the openvpn.log (start + stop the server, without making connections to it from the client):
Code:
Sun Sep 8 13:23:44 2019 us=606175 Current Parameter Settings:
Sun Sep 8 13:23:44 2019 us=606208 config = '/etc/openvpn/server.conf'
Sun Sep 8 13:23:44 2019 us=606227 mode = 1
Sun Sep 8 13:23:44 2019 us=606230 persist_config = DISABLED
Sun Sep 8 13:23:44 2019 us=606234 persist_mode = 1
Sun Sep 8 13:23:44 2019 us=606237 show_ciphers = DISABLED
Sun Sep 8 13:23:44 2019 us=606240 show_digests = DISABLED
Sun Sep 8 13:23:44 2019 us=606243 show_engines = DISABLED
Sun Sep 8 13:23:44 2019 us=606246 genkey = DISABLED
Sun Sep 8 13:23:44 2019 us=606249 key_pass_file = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606252 show_tls_ciphers = DISABLED
Sun Sep 8 13:23:44 2019 us=606256 connect_retry_max = 0
Sun Sep 8 13:23:44 2019 us=606259 Connection profiles [0]:
Sun Sep 8 13:23:44 2019 us=606262 proto = udp
Sun Sep 8 13:23:44 2019 us=606265 local = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606268 local_port = 'xxx'
Sun Sep 8 13:23:44 2019 us=606271 remote = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606274 remote_port = 'xxx'
Sun Sep 8 13:23:44 2019 us=606277 remote_float = DISABLED
Sun Sep 8 13:23:44 2019 us=606280 bind_defined = DISABLED
Sun Sep 8 13:23:44 2019 us=606283 bind_local = ENABLED
Sun Sep 8 13:23:44 2019 us=606286 bind_ipv6_only = DISABLED
Sun Sep 8 13:23:44 2019 us=606290 connect_retry_seconds = 5
Sun Sep 8 13:23:44 2019 us=606293 connect_timeout = 120
Sun Sep 8 13:23:44 2019 us=606296 socks_proxy_server = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606299 socks_proxy_port = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606302 tun_mtu = 1500
Sun Sep 8 13:23:44 2019 us=606305 tun_mtu_defined = ENABLED
Sun Sep 8 13:23:44 2019 us=606308 link_mtu = 1500
Sun Sep 8 13:23:44 2019 us=606311 link_mtu_defined = DISABLED
Sun Sep 8 13:23:44 2019 us=606314 tun_mtu_extra = 0
Sun Sep 8 13:23:44 2019 us=606317 tun_mtu_extra_defined = DISABLED
Sun Sep 8 13:23:44 2019 us=606320 mtu_discover_type = -1
Sun Sep 8 13:23:44 2019 us=606323 fragment = 0
Sun Sep 8 13:23:44 2019 us=606327 mssfix = 1450
Sun Sep 8 13:23:44 2019 us=606330 explicit_exit_notification = 1
Sun Sep 8 13:23:44 2019 us=606333 Connection profiles END
Sun Sep 8 13:23:44 2019 us=606336 remote_random = DISABLED
Sun Sep 8 13:23:44 2019 us=606339 ipchange = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606342 dev = 'tun'
Sun Sep 8 13:23:44 2019 us=606345 dev_type = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606348 dev_node = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606351 lladdr = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606354 topology = 3
Sun Sep 8 13:23:44 2019 us=606357 ifconfig_local = '10.8.0.1'
Sun Sep 8 13:23:44 2019 us=606360 ifconfig_remote_netmask = '255.255.255.0'
Sun Sep 8 13:23:44 2019 us=606363 ifconfig_noexec = DISABLED
Sun Sep 8 13:23:44 2019 us=606366 ifconfig_nowarn = DISABLED
Sun Sep 8 13:23:44 2019 us=606369 ifconfig_ipv6_local = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606372 ifconfig_ipv6_netbits = 0
Sun Sep 8 13:23:44 2019 us=606375 ifconfig_ipv6_remote = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606378 shaper = 0
Sun Sep 8 13:23:44 2019 us=606381 mtu_test = 0
Sun Sep 8 13:23:44 2019 us=606384 mlock = DISABLED
Sun Sep 8 13:23:44 2019 us=606387 keepalive_ping = 10
Sun Sep 8 13:23:44 2019 us=606390 keepalive_timeout = 120
Sun Sep 8 13:23:44 2019 us=606393 inactivity_timeout = 0
Sun Sep 8 13:23:44 2019 us=606396 ping_send_timeout = 10
Sun Sep 8 13:23:44 2019 us=606399 ping_rec_timeout = 240
Sun Sep 8 13:23:44 2019 us=606404 ping_rec_timeout_action = 2
Sun Sep 8 13:23:44 2019 us=606407 ping_timer_remote = DISABLED
Sun Sep 8 13:23:44 2019 us=606410 remap_sigusr1 = 0
Sun Sep 8 13:23:44 2019 us=606413 persist_tun = ENABLED
Sun Sep 8 13:23:44 2019 us=606416 persist_local_ip = DISABLED
Sun Sep 8 13:23:44 2019 us=606419 persist_remote_ip = DISABLED
Sun Sep 8 13:23:44 2019 us=606422 persist_key = ENABLED
Sun Sep 8 13:23:44 2019 us=606425 passtos = DISABLED
Sun Sep 8 13:23:44 2019 us=606428 resolve_retry_seconds = 1000000000
Sun Sep 8 13:23:44 2019 us=606431 resolve_in_advance = DISABLED
Sun Sep 8 13:23:44 2019 us=606444 username = 'nobody'
Sun Sep 8 13:23:44 2019 us=606448 groupname = 'nogroup'
Sun Sep 8 13:23:44 2019 us=606451 chroot_dir = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606454 cd_dir = '/etc/openvpn'
Sun Sep 8 13:23:44 2019 us=606457 writepid = '/run/openvpn/server.pid'
Sun Sep 8 13:23:44 2019 us=606460 up_script = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606463 down_script = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606466 down_pre = DISABLED
Sun Sep 8 13:23:44 2019 us=606469 up_restart = DISABLED
Sun Sep 8 13:23:44 2019 us=606472 up_delay = DISABLED
Sun Sep 8 13:23:44 2019 us=606475 daemon = ENABLED
Sun Sep 8 13:23:44 2019 us=606478 inetd = 0
Sun Sep 8 13:23:44 2019 us=606481 log = ENABLED
Sun Sep 8 13:23:44 2019 us=606484 suppress_timestamps = DISABLED
Sun Sep 8 13:23:44 2019 us=606487 machine_readable_output = DISABLED
Sun Sep 8 13:23:44 2019 us=606490 nice = 0
Sun Sep 8 13:23:44 2019 us=606493 verbosity = 4
Sun Sep 8 13:23:44 2019 us=606496 mute = 0
Sun Sep 8 13:23:44 2019 us=606499 gremlin = 0
Sun Sep 8 13:23:44 2019 us=606503 status_file = '/var/log/openvpn-status.log'
Sun Sep 8 13:23:44 2019 us=606506 status_file_version = 1
Sun Sep 8 13:23:44 2019 us=606509 status_file_update_freq = 10
Sun Sep 8 13:23:44 2019 us=606512 occ = ENABLED
Sun Sep 8 13:23:44 2019 us=606515 rcvbuf = 0
Sun Sep 8 13:23:44 2019 us=606518 sndbuf = 0
Sun Sep 8 13:23:44 2019 us=606521 mark = 0
Sun Sep 8 13:23:44 2019 us=606524 sockflags = 0
Sun Sep 8 13:23:44 2019 us=606527 fast_io = DISABLED
Sun Sep 8 13:23:44 2019 us=606530 comp.alg = 0
Sun Sep 8 13:23:44 2019 us=606533 comp.flags = 0
Sun Sep 8 13:23:44 2019 us=606536 route_script = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606539 route_default_gateway = '10.8.0.2'
Sun Sep 8 13:23:44 2019 us=606542 route_default_metric = 0
Sun Sep 8 13:23:44 2019 us=606545 route_noexec = DISABLED
Sun Sep 8 13:23:44 2019 us=606548 route_delay = 0
Sun Sep 8 13:23:44 2019 us=606551 route_delay_window = 30
Sun Sep 8 13:23:44 2019 us=606554 route_delay_defined = DISABLED
Sun Sep 8 13:23:44 2019 us=606557 route_nopull = DISABLED
Sun Sep 8 13:23:44 2019 us=606560 route_gateway_via_dhcp = DISABLED
Sun Sep 8 13:23:44 2019 us=606563 allow_pull_fqdn = DISABLED
Sun Sep 8 13:23:44 2019 us=606567 route 192.168.1.0/255.255.255.0/default (not set)/default (not set)
Sun Sep 8 13:23:44 2019 us=606571 management_addr = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606574 management_port = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606577 management_user_pass = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606580 management_log_history_cache = 250
Sun Sep 8 13:23:44 2019 us=606583 management_echo_buffer_size = 100
Sun Sep 8 13:23:44 2019 us=606586 management_write_peer_info_file = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606590 management_client_user = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606593 management_client_group = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606596 management_flags = 0
Sun Sep 8 13:23:44 2019 us=606599 shared_secret_file = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606602 key_direction = 0
Sun Sep 8 13:23:44 2019 us=606606 ciphername = 'AES-256-CBC'
Sun Sep 8 13:23:44 2019 us=606609 ncp_enabled = ENABLED
Sun Sep 8 13:23:44 2019 us=606612 ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sun Sep 8 13:23:44 2019 us=606615 authname = 'SHA256'
Sun Sep 8 13:23:44 2019 us=606618 prng_hash = 'SHA1'
Sun Sep 8 13:23:44 2019 us=606622 prng_nonce_secret_len = 16
Sun Sep 8 13:23:44 2019 us=606625 keysize = 0
Sun Sep 8 13:23:44 2019 us=606628 engine = DISABLED
Sun Sep 8 13:23:44 2019 us=606631 replay = ENABLED
Sun Sep 8 13:23:44 2019 us=606635 mute_replay_warnings = DISABLED
Sun Sep 8 13:23:44 2019 us=606638 replay_window = 64
Sun Sep 8 13:23:44 2019 us=606641 replay_time = 15
Sun Sep 8 13:23:44 2019 us=606644 packet_id_file = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606647 use_iv = ENABLED
Sun Sep 8 13:23:44 2019 us=606650 test_crypto = DISABLED
Sun Sep 8 13:23:44 2019 us=606656 tls_server = ENABLED
Sun Sep 8 13:23:44 2019 us=606659 tls_client = DISABLED
Sun Sep 8 13:23:44 2019 us=606662 key_method = 2
Sun Sep 8 13:23:44 2019 us=606666 ca_file = 'ca.crt'
Sun Sep 8 13:23:44 2019 us=606669 ca_path = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606672 dh_file = 'dh.pem'
Sun Sep 8 13:23:44 2019 us=606675 cert_file = 'simonprivatevpn.crt'
Sun Sep 8 13:23:44 2019 us=606678 extra_certs_file = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606682 priv_key_file = 'simonprivatevpn.key'
Sun Sep 8 13:23:44 2019 us=606685 pkcs12_file = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606688 cipher_list = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606691 cipher_list_tls13 = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606694 tls_cert_profile = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606697 tls_verify = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606700 tls_export_cert = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606703 verify_x509_type = 0
Sun Sep 8 13:23:44 2019 us=606706 verify_x509_name = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606709 crl_file = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606712 ns_cert_type = 0
Sun Sep 8 13:23:44 2019 us=606716 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606719 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606722 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606725 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606728 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606731 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606734 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606737 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606740 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606743 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606746 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606749 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606752 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606755 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606758 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606761 remote_cert_ku[i] = 0
Sun Sep 8 13:23:44 2019 us=606765 remote_cert_eku = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606768 ssl_flags = 0
Sun Sep 8 13:23:44 2019 us=606771 tls_timeout = 2
Sun Sep 8 13:23:44 2019 us=606774 renegotiate_bytes = -1
Sun Sep 8 13:23:44 2019 us=606777 renegotiate_packets = 0
Sun Sep 8 13:23:44 2019 us=606780 renegotiate_seconds = 3600
Sun Sep 8 13:23:44 2019 us=606784 handshake_window = 60
Sun Sep 8 13:23:44 2019 us=606787 transition_window = 3600
Sun Sep 8 13:23:44 2019 us=606790 single_session = DISABLED
Sun Sep 8 13:23:44 2019 us=606793 push_peer_info = DISABLED
Sun Sep 8 13:23:44 2019 us=606796 tls_exit = DISABLED
Sun Sep 8 13:23:44 2019 us=606799 tls_auth_file = 'ta.key'
Sun Sep 8 13:23:44 2019 us=606802 tls_crypt_file = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606805 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606808 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606812 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606815 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606818 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606821 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606824 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606827 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606830 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606833 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606836 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606839 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606842 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606845 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606848 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606853 pkcs11_protected_authentication = DISABLED
Sun Sep 8 13:23:44 2019 us=606856 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606859 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606863 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606866 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606869 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606872 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606875 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606878 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606881 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606884 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606887 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606890 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606893 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606896 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606899 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606902 pkcs11_private_mode = 00000000
Sun Sep 8 13:23:44 2019 us=606905 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606908 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606912 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606915 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606918 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606921 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606924 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606927 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606930 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606933 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606936 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606939 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606942 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606945 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606948 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606951 pkcs11_cert_private = DISABLED
Sun Sep 8 13:23:44 2019 us=606954 pkcs11_pin_cache_period = -1
Sun Sep 8 13:23:44 2019 us=606957 pkcs11_id = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=606961 pkcs11_id_management = DISABLED
Sun Sep 8 13:23:44 2019 us=606964 server_network = 10.8.0.0
Sun Sep 8 13:23:44 2019 us=606968 server_netmask = 255.255.255.0
Sun Sep 8 13:23:44 2019 us=606971 server_network_ipv6 = ::
Sun Sep 8 13:23:44 2019 us=606975 server_netbits_ipv6 = 0
Sun Sep 8 13:23:44 2019 us=606978 server_bridge_ip = 0.0.0.0
Sun Sep 8 13:23:44 2019 us=606982 server_bridge_netmask = 0.0.0.0
Sun Sep 8 13:23:44 2019 us=606985 server_bridge_pool_start = 0.0.0.0
Sun Sep 8 13:23:44 2019 us=606988 server_bridge_pool_end = 0.0.0.0
Sun Sep 8 13:23:44 2019 us=606992 push_entry = 'route 192.168.1.0 255.255.255.0'
Sun Sep 8 13:23:44 2019 us=606995 push_entry = 'route-gateway 10.8.0.1'
Sun Sep 8 13:23:44 2019 us=606998 push_entry = 'topology subnet'
Sun Sep 8 13:23:44 2019 us=607001 push_entry = 'ping 10'
Sun Sep 8 13:23:44 2019 us=607004 push_entry = 'ping-restart 120'
Sun Sep 8 13:23:44 2019 us=607007 ifconfig_pool_defined = ENABLED
Sun Sep 8 13:23:44 2019 us=607010 ifconfig_pool_start = 10.8.0.2
Sun Sep 8 13:23:44 2019 us=607014 ifconfig_pool_end = 10.8.0.253
Sun Sep 8 13:23:44 2019 us=607019 ifconfig_pool_netmask = 255.255.255.0
Sun Sep 8 13:23:44 2019 us=607022 ifconfig_pool_persist_filename = '/var/log/openvpn/ipp.txt'
Sun Sep 8 13:23:44 2019 us=607026 ifconfig_pool_persist_refresh_freq = 600
Sun Sep 8 13:23:44 2019 us=607029 ifconfig_ipv6_pool_defined = DISABLED
Sun Sep 8 13:23:44 2019 us=607032 ifconfig_ipv6_pool_base = ::
Sun Sep 8 13:23:44 2019 us=607036 ifconfig_ipv6_pool_netbits = 0
Sun Sep 8 13:23:44 2019 us=607039 n_bcast_buf = 256
Sun Sep 8 13:23:44 2019 us=607042 tcp_queue_limit = 64
Sun Sep 8 13:23:44 2019 us=607047 real_hash_size = 256
Sun Sep 8 13:23:44 2019 us=607051 virtual_hash_size = 256
Sun Sep 8 13:23:44 2019 us=607054 client_connect_script = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=607057 learn_address_script = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=607060 client_disconnect_script = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=607063 client_config_dir = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=607066 ccd_exclusive = DISABLED
Sun Sep 8 13:23:44 2019 us=607070 tmp_dir = '/tmp'
Sun Sep 8 13:23:44 2019 us=607073 push_ifconfig_defined = DISABLED
Sun Sep 8 13:23:44 2019 us=607076 push_ifconfig_local = 0.0.0.0
Sun Sep 8 13:23:44 2019 us=607080 push_ifconfig_remote_netmask = 0.0.0.0
Sun Sep 8 13:23:44 2019 us=607083 push_ifconfig_ipv6_defined = DISABLED
Sun Sep 8 13:23:44 2019 us=607087 push_ifconfig_ipv6_local = ::/0
Sun Sep 8 13:23:44 2019 us=607090 push_ifconfig_ipv6_remote = ::
Sun Sep 8 13:23:44 2019 us=607093 enable_c2c = DISABLED
Sun Sep 8 13:23:44 2019 us=607097 duplicate_cn = DISABLED
Sun Sep 8 13:23:44 2019 us=607100 cf_max = 0
Sun Sep 8 13:23:44 2019 us=607103 cf_per = 0
Sun Sep 8 13:23:44 2019 us=607106 max_clients = 1024
Sun Sep 8 13:23:44 2019 us=607110 max_routes_per_client = 256
Sun Sep 8 13:23:44 2019 us=607113 auth_user_pass_verify_script = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=607116 auth_user_pass_verify_script_via_file = DISABLED
Sun Sep 8 13:23:44 2019 us=607119 auth_token_generate = DISABLED
Sun Sep 8 13:23:44 2019 us=607122 auth_token_lifetime = 0
Sun Sep 8 13:23:44 2019 us=607125 port_share_host = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=607128 port_share_port = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=607131 client = DISABLED
Sun Sep 8 13:23:44 2019 us=607134 pull = DISABLED
Sun Sep 8 13:23:44 2019 us=607138 auth_user_pass_file = '[UNDEF]'
Sun Sep 8 13:23:44 2019 us=607142 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sun Sep 8 13:23:44 2019 us=607148 library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.10
Sun Sep 8 13:23:44 2019 us=607301 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sun Sep 8 13:23:44 2019 us=607468 Diffie-Hellman initialized with 2048 bit key
Sun Sep 8 13:23:44 2019 us=607708 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Sep 8 13:23:44 2019 us=607718 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Sun Sep 8 13:23:44 2019 us=607724 TLS-Auth MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Sun Sep 8 13:23:44 2019 us=607825 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=enp0s31f6 HWADDR=18:31:bf:0b:31:79
Sun Sep 8 13:23:44 2019 us=607939 TUN/TAP device tun0 opened
Sun Sep 8 13:23:44 2019 us=607954 TUN/TAP TX queue length set to 100
Sun Sep 8 13:23:44 2019 us=607962 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Sep 8 13:23:44 2019 us=607970 /sbin/ip link set dev tun0 up mtu 1500
Sun Sep 8 13:23:44 2019 us=609094 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Sun Sep 8 13:23:44 2019 us=610000 /sbin/ip route add 192.168.1.0/24 via 10.8.0.2
RTNETLINK answers: File exists
Sun Sep 8 13:23:44 2019 us=610795 ERROR: Linux route add command failed: external program exited with error status: 2
Sun Sep 8 13:23:44 2019 us=610820 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Sun Sep 8 13:23:44 2019 us=610988 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Sep 8 13:23:44 2019 us=611000 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Sep 8 13:23:44 2019 us=611008 UDPv4 link local (bound): [AF_INET][undef]:1195
Sun Sep 8 13:23:44 2019 us=611012 UDPv4 link remote: [AF_UNSPEC]
Sun Sep 8 13:23:44 2019 us=611018 GID set to nogroup
Sun Sep 8 13:23:44 2019 us=611033 UID set to nobody
Sun Sep 8 13:23:44 2019 us=611041 MULTI: multi_init called, r=256 v=256
Sun Sep 8 13:23:44 2019 us=611059 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Sun Sep 8 13:23:44 2019 us=611067 ifconfig_pool_read(), in='simondesktop,10.8.0.4', TODO: IPv6
Sun Sep 8 13:23:44 2019 us=611072 succeeded -> ifconfig_pool_set()
Sun Sep 8 13:23:44 2019 us=611077 IFCONFIG POOL LIST
Sun Sep 8 13:23:44 2019 us=611081 simondesktop,10.8.0.4
Sun Sep 8 13:23:44 2019 us=611113 Initialization Sequence Completed
Sun Sep 8 13:27:41 2019 us=723100 event_wait : Interrupted system call (code=4)
Sun Sep 8 13:27:43 2019 us=725506 TCP/UDP: Closing socket
Sun Sep 8 13:27:43 2019 us=725590 Closing TUN/TAP interface
Sun Sep 8 13:27:43 2019 us=725628 /sbin/ip addr del dev tun0 10.8.0.1/24
RTNETLINK answers: Operation not permitted
Sun Sep 8 13:27:43 2019 us=728895 Linux ip addr del failed: external program exited with error status: 2
Sun Sep 8 13:27:43 2019 us=754254 SIGTERM[hard,] received, process exiting
2: If I close the openvpn server while still connected from the client, I don't get any notification on the client side. It still shows the "connected" status in the GUI. Is it possible to enable something like that?
That's how it looks if the server gets closed (obviously the same as if still connected):
Thanks a lot for your effort so far, I appreciate that very much!
Re: OpenVPN: Don't redirect everything through tunnel
Hi,
XXXBold wrote:
Pippin wrote: Any time you need traffic to flow between different interfaces, in this case between enp1s0 and tun0, you need ip_forward enabled.
IP forwarding wasn't enabled, I enabled it now. ("sysctl -w net.ipv4.ip_forward=1" enabled it temporarily, for testing, will make it persistent now I guess)
XXXBold wrote:
I didn't set up any rules via iptables (Well, previously did, but deleted them all for troubleshooting) because I don't think it's really needed anyway, cause the server is behind a Router.
Don't want to start a discussion about "hosts are safe/unsafe behind NAT/Router"
It can be useful, especially if you plan to add more VPN users, to configure firewall rules to restrict access to resources on your network.
You would place those rules in the FORWARD chain on the tun interface using the client tunnel IP address.
If you need such setup, just ask for help...
This picture can be helpful to understand the packet flow:
1:
Code:
NOTE: your local LAN uses the extremely common subnet address
To avoid routing conflicts you should avoid common subnets.
This is a list of addresses to avoid on the networks that you control:
Code:
10.0.0
10.0.1
10.1.1
10.1.10
10.2.0
10.8.0
10.10.1
10.90.90
10.100.1
10.255.255
169.254 # APIPA #
172.16.0
172.16.16
172.16.42
172.16.68
172.19.3
172.20.10 # IPhone built-in hotspot #
192.168.0
192.168.1
192.168.2
192.168.3
192.168.4
192.168.5
192.168.6
192.168.7
192.168.8
192.168.9
192.168.10
192.168.11
192.168.13
192.168.15
192.168.16
192.168.18
192.168.20
192.168.29
192.168.30
192.168.31
192.168.33
192.168.39
192.168.40
192.168.42 # Android USB tethering #
192.168.43 # Android built-in hotspot #
192.168.50
192.168.55
192.168.61
192.168.62
192.168.65
192.168.77
192.168.80
192.168.85
192.168.88
192.168.98
192.168.99
192.168.100
192.168.101
192.168.102
192.168.111
192.168.123
192.168.126
192.168.129
192.168.137 # Windows Phone built-in hotspot #
192.168.168
192.168.178
192.168.190
192.168.199
192.168.200
192.168.220
192.168.223
192.168.229
192.168.240
192.168.245
192.168.251
192.168.252
192.168.254
200.200.200
Code:
/sbin/ip route add 192.168.1.0/24 via 10.8.0.2
RTNETLINK answers: File exists
ERROR: Linux route add command failed: external program exited with error status: 2
The above error is probably because the previous instance was not shut down properly or is still active.
This could also be due to
Code:
user nobody
group nogroup
So first check with
Code:
netstat -atunp
before starting the server. After killing "leftover" openvpn processes, test to see if the error still pops up.
If it does then change the above to
Code:
#user nobody
#group nogroup
2:
The server has --keepalive 10 120 in its config, basically this means that the server will wait max. 240 seconds before assuming/becoming aware that the client has disconnected. You can for example change that to 10 60 which will shorten that to 120 seconds. It also depends on the client side setting of --keepalive. See OpenVPN manual: https://community.openvpn.net/openvpn/w ... n24ManPage to understand the logic.
But the server should notify the client because it has --explicit-exit-notify 1 in its config, unless you changed it since last time. You can set this client side as well.
How do you stop the server?
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
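Pippin's FORWARD-chain suggestion worked out as an added example (not code from the thread or from OpenVPN): a default-deny ruleset for tun0 that lets VPN clients reach SMB (TCP 445) and nothing else, covering both a share on the VPN server itself (INPUT chain, as in this thread) and shares on other LAN hosts (FORWARD chain). The tunnel subnet 10.8.0.0/24 and interface enp0s31f6 come from the server log above; LAN 192.168.1.0/24 and the share host 192.168.1.10 are constructed values, and setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny rules for VPN clients on tun0.
# Assumed values: tunnel 10.8.0.0/24 and LAN interface enp0s31f6 (both from the server log),
# LAN 192.168.1.0/24 and share host 192.168.1.10 (constructed). IPT=echo prints instead of applying.
IPT="${IPT:-iptables}"
TUN_IF="tun0"
LAN_IF="enp0s31f6"
VPN_NET="10.8.0.0/24"
LAN_NET="192.168.1.0/24"
SMB_PORT="445"      # SMB over TCP; 137-139 are only needed for legacy NetBIOS

# Share hosted on the VPN server itself: packets arrive on tun0 and traverse INPUT.
vpn_input_rules() {
  "$IPT" -A INPUT -i "$TUN_IF" -s "$VPN_NET" -p tcp --dport "$SMB_PORT" \
      -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  "$IPT" -A INPUT -i "$TUN_IF" -p icmp --icmp-type echo-request -j ACCEPT   # keep ping for troubleshooting
  "$IPT" -A INPUT -i "$TUN_IF" -j DROP                                        # everything else from the tunnel
}

# Shares on other LAN hosts: packets are routed tun0 -> LAN and traverse FORWARD, which only
# sees them once net.ipv4.ip_forward=1. By default only replies are allowed back into the tunnel.
vpn_forward_rules() {
  "$IPT" -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -d "$VPN_NET" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A FORWARD -i "$TUN_IF" -j DROP   # no other LAN access and no internet through the tunnel
}

# Per-client allow, inserted above the DROP. ifconfig-pool-persist tends to keep a client on the
# same tunnel IP (simondesktop -> 10.8.0.4 in the log); for a guaranteed address use a
# client-config-dir entry with ifconfig-push so the rule stays valid.
vpn_client_rule() {   # $1 = client tunnel IP, $2 = LAN host that client may reach over SMB
  "$IPT" -I FORWARD 1 -i "$TUN_IF" -o "$LAN_IF" -s "$1" -d "$2" -p tcp --dport "$SMB_PORT" \
      -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

# Usage as root: vpn_input_rules; vpn_forward_rules; vpn_client_rule 10.8.0.4 192.168.1.10
```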
Re: OpenVPN: Don't redirect everything through tunnel
Pippin wrote: ⤴Sun Sep 08, 2019 8:51 am
Don't want to start a discussion about "hosts are safe/unsafe behind NAT/Router"
It can be useful, especially if you plan to add more VPN users, to configure firewall rules to restrict access to resources on your network.
You would place those rules in the FORWARD chain on the tun interface using the client tunnel IP address.
If you need such setup, just ask for help...
Agreed, probably I'll add them back again later, but for now while testing it just complicates every step.
I know the subnet is very common, but that's okay so far and not an issue.
After stopping the server, "netstat -atunp" doesn't show any listening process on the port I'm using anymore, so this should be fine. I also don't find any "openvpn" processes anymore after stopping, using
Code:
sudo ps -lA | grep open
I use systemd:
Code:
systemctl start|stop openvpn@server.service
I tried both to comment and uncomment the
Code:
user nobody
group nogroup
Is it also possible to push the keepalive directive? Like adding
Code:
push "keepalive 10 120"
Re: OpenVPN: Don't redirect everything through tunnel
Hi,
To be honest, I have little experience using systemd, I do it like described here:
https://github.com/OpenVPN/openvpn/blob ... ME.systemd
Same for clients.
That way I have full control over the config, so I do not use Network Manager.
I also use .bash_aliases to stop/start tunnels.
.
XXXBold wrote: I get the same errors both times.
Made a mistake, my bad.
XXXBold wrote: 192.168.1.0/24 : My server's (where the openvpn server is running) LAN.
The server already knows its default gateway ^^^ so remove
Code:
route 192.168.1.0 255.255.255.0
from the server config, that route caused the File exists error.
But do not remove
Code:
push "route 192.168.1.0 255.255.255.0"
.
XXXBold wrote: the server is started as root, which isn't the best idea I guess?
Keep it as it was for now.
.
The keepalive setting is automatically pushed by the server, from the manual:
This option can be used on both client and server side, but it is enough to add this on the server side as it will push appropriate --ping and --ping-restart options to the client.
You can see this happening in the client log (and server), logs can be very useful, my log:
Code:
SENT CONTROL [serveraddress]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.8.1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,comp-lzo no,route-gateway 10.8.8.1,topology subnet,ping 10,ping-restart 60,ifconfig 10.8.8.38 255.255.255.0,peer-id 35,cipher AES-256-GCM'
These are the directives received from the server, see the ping/ping-restart w.r.t. keepalive.
Re: OpenVPN: Don't redirect everything through tunnel
Ah, indeed, after removing it the warning is gone now, thanks a lot
Just two more (hopefully) final questions about this:
1. Do you know a proper solution for connecting the VPN on startup and mounting the samba shares from there? Because I think if I just add it to fstab it will try to mount too early, before the VPN connection can be established, and therefore it fails.
2. Is there a good way to increase OpenVPN's performance (by performance I mean the transfer speed in both directions)? Do you think enabling data compression is a good idea for that?
I'll check about the ping/keepalive options later. Hopefully that's all so far and I don't have to bother you anymore after this ;D
Re: OpenVPN: Don't redirect everything through tunnel
Hi,
1.
I think it would be best to search specifically on Debian resources/howto/wiki/forum for autostart.
With regards to mounting samba shares, you can use an --up and --down script for that,
see --up cmd, --down cmd, --script-security level and Order of Execution in manual:
https://community.openvpn.net/openvpn/w ... n24ManPage
Keep in mind that automatic mounting can pose a greater risk with regards to ransomware.
As long as the VPN is up, ransomware can encrypt your remote shares...
2.
On Linux-like hosts you can add:
Code:
fast-io
sndbuf 524288 # can try different values
rcvbuf 524288 # can try different values
txqueuelen 500 # can try different values, default 100
The following can also be pushed to the client side:
Code:
push "sndbuf 524288" # can try different values
push "rcvbuf 524288" # can try different values
Compression is not advised because of Voracle:
https://community.openvpn.net/openvpn/wiki/VORACLE
Most traffic nowadays is already compressed, so one can ask oneself about its usefulness.
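The up/down mount script Pippin points to, as an added example (not from the thread or from the OpenVPN project). It uses --route-up rather than --up because, in the manual's order of execution, --up runs before routes are added, so a mount at that point would not reach the LAN host through the tunnel yet; the share //192.168.1.10/data, mount point /mnt/data and credentials file /etc/openvpn/smb.cred are constructed values, and setting MOUNT=echo and UMOUNT=echo exercises the script without mounting anything.

```shell
#!/bin/sh
# Added example (not from the thread): one client-side script that mounts the Samba share
# after the pushed LAN route exists and unmounts it before the tunnel goes down.
# Client config lines assumed:
#   script-security 2
#   route-up /etc/openvpn/smb-share.sh
#   down     /etc/openvpn/smb-share.sh
# OpenVPN exports script_type ("route-up" or "down") to the script. --route-up is used instead
# of --up because --up runs before routes are added, so a mount there would not reach
# 192.168.1.10 through the tunnel yet. Note: with --user/--group in the client config the
# --down hook runs unprivileged and the unmount will fail.
# Constructed values: share //192.168.1.10/data, mount point /mnt/data, credentials file
# /etc/openvpn/smb.cred (mode 0600, containing username=... and password=...).
SHARE="//192.168.1.10/data"
MNT="/mnt/data"
CRED="/etc/openvpn/smb.cred"
MOUNT="${MOUNT:-mount}"
UMOUNT="${UMOUNT:-umount}"

# vers=3.0 refuses SMB1, seal adds SMB3 encryption on top of the VPN, noexec/nosuid keep
# binaries on the share from running with elevated rights on the client, _netdev marks it
# as a network mount so the system does not try it before networking is up.
smb_mount_opts() {
  printf '%s' "credentials=$CRED,vers=3.0,seal,noexec,nosuid,_netdev"
}

# $1 = OpenVPN's script_type. Returns 0 after mounting/unmounting, 2 for any other hook.
smb_share_action() {
  case "$1" in
    route-up) "$MOUNT" -t cifs "$SHARE" "$MNT" -o "$(smb_mount_opts)" ;;
    down)     "$UMOUNT" -l "$MNT" ;;   # lazy: tun0 may already be gone when --down runs
    *)        return 2 ;;
  esac
}

# OpenVPN invokes the script with script_type set; with it unset nothing is mounted.
if [ -n "${script_type:-}" ]; then
  smb_share_action "$script_type"
fi
```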
Re: OpenVPN: Don't redirect everything through tunnel
I guess I'll find a way to get the autostart to work then, considering your security advice.
I've also added your performance tweaks to my server configuration, and it seems quite a bit faster (more responsive) now compared to before.
Guess I'll consider this topic solved then, hopefully it will help other people as well if they struggle with it like I did.
Thanks again so much for your help, have a nice day!
Re: [Solved] OpenVPN: Don't redirect everything through tunnel
Welcome and nice day to you too.