
    • Author: normskiboy
    • Posted: Nov 18th 2008

    Hi admin@AlwaysVPN

    I seem to be having similar problems to some of the others, in trying to connect to anything. I followed your instructions and have compiled from source (2.0.9). I have read some of the discussions on the support pages but am unable to resolve my connection issues. I have provided some details below which may help you to try and deduce where I am going wrong :-(

    Any help/advice appreciated.

    Just like to say thank you for providing the AlwaysVPN service.


    OS : Ubuntu 8.04.1
    Kernel : Linux version 2.6.24-21-generic
    Processor : AMD64

    On running the 'connection' command, I do receive the following,
    'Initialization Sequence Completed'


    >ping 10.19.96.1

    PING 10.19.96.1 (10.19.96.1) 56(84) bytes of data.
    From 10.19.96.7 icmp_seq=1 Destination Host Unreachable
    From 10.19.96.7 icmp_seq=2 Destination Host Unreachable
    From 10.19.96.7 icmp_seq=3 Destination Host Unreachable


    >route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    67.207.148.228 10.0.0.2 255.255.255.255 UGH 0 0 0 eth0
    10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    10.19.96.0 0.0.0.0 255.255.252.0 U 0 0 0 tap0
    169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
    0.0.0.0 10.19.96.1 128.0.0.0 UG 0 0 0 tap0
    128.0.0.0 10.19.96.1 128.0.0.0 UG 0 0 0 tap0
    0.0.0.0 10.0.0.2 0.0.0.0 UG 100 0 0 eth0


    >cat /etc/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 10.0.0.2
    nameserver 208.67.220.220
    nameserver 208.67.222.222


    >iptables-save
    -A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INBOUND -s 10.0.0.0/255.255.255.0 -p tcp -m tcp --dport 443 -j ACCEPT
    -A INBOUND -s 10.0.0.0/255.255.255.0 -p udp -m udp --dport 443 -j ACCEPT
    -A INBOUND -s 10.0.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j ACCEPT
    -A INBOUND -s 10.0.0.0/255.255.255.0 -p udp -m udp --dport 80 -j ACCEPT
    -A INBOUND -s 10.0.0.0/255.255.255.0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INBOUND -s 10.0.0.0/255.255.255.0 -p udp -m udp --dport 53 -j ACCEPT
    -A INBOUND -s 208.67.220.220 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INBOUND -s 208.67.220.220 -p udp -m udp --dport 53 -j ACCEPT
    -A INBOUND -s 208.67.222.222 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INBOUND -s 208.67.222.222 -p udp -m udp --dport 53 -j ACCEPT
    -A INBOUND -s 10.19.96.0/255.255.252.0 -p tcp -m tcp --dport 443 -j ACCEPT
    -A INBOUND -s 10.19.96.0/255.255.252.0 -p udp -m udp --dport 443 -j ACCEPT
    -A INBOUND -s 10.19.96.0/255.255.252.0 -p tcp -m tcp --dport 80 -j ACCEPT
    -A INBOUND -s 10.19.96.0/255.255.252.0 -p udp -m udp --dport 80 -j ACCEPT

    -A OUTBOUND -p icmp -j ACCEPT
    -A OUTBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTBOUND -s 10.0.0.0/255.255.255.0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A OUTBOUND -s 10.0.0.0/255.255.255.0 -p udp -m udp --dport 67 -j ACCEPT
    -A OUTBOUND -s 10.0.0.0/255.255.255.0 -p tcp -m tcp --dport 554 -j ACCEPT
    -A OUTBOUND -s 10.0.0.0/255.255.255.0 -p udp -m udp --dport 554 -j ACCEPT
    -A OUTBOUND -s 10.0.0.0/255.255.255.0 -p tcp -m tcp --dport 443 -j ACCEPT
    -A OUTBOUND -s 10.0.0.0/255.255.255.0 -p udp -m udp --dport 443 -j ACCEPT
    -A OUTBOUND -s 10.0.0.0/255.255.255.0 -p tcp -m tcp --dport 80 -j ACCEPT
    -A OUTBOUND -s 10.0.0.0/255.255.255.0 -p udp -m udp --dport 80 -j ACCEPT
    -A OUTBOUND -s 10.19.96.0/255.255.252.0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A OUTBOUND -s 10.19.96.0/255.255.252.0 -p udp -m udp --dport 53 -j ACCEPT
    -A OUTBOUND -s 10.19.96.0/255.255.252.0 -p tcp -m tcp --dport 443 -j ACCEPT
    -A OUTBOUND -s 10.19.96.0/255.255.252.0 -p udp -m udp --dport 443 -j ACCEPT
    -A OUTBOUND -s 10.19.96.0/255.255.252.0 -p tcp -m tcp --dport 80 -j ACCEPT
    -A OUTBOUND -s 10.19.96.0/255.255.252.0 -p udp -m udp --dport 80 -j ACCEPT
    -A OUTBOUND -s 10.19.96.0/255.255.252.0 -p tcp -m tcp --dport 22 -j ACCEPT
    -A OUTBOUND -s 10.19.96.0/255.255.252.0 -p udp -m udp --dport 22 -j ACCEPT
    -A OUTBOUND -j LSO



    Error Message From Other Terminal Window :

    Tue Nov 18 22:07:12 2008 RESOLVE: Cannot resolve host address: cluster2.alwaysvpn.com: [HOST_NOT_FOUND] The specified host is unknown.


    Hope the above helps.......
    • Author: admin
    • Posted: Nov 18th 2008

    Can you clarify what you mean by: "Error Message From Other Terminal Window :

    Tue Nov 18 22:07:12 2008 RESOLVE: Cannot resolve host address: cluster2.alwaysvpn.com: [HOST_NOT_FOUND] The specified host is unknown." ?

    As a starting point I would try disabling all of your iptables rules just to see if that is the cause of your problem.
    • Author: admin
    • Posted: Nov 18th 2008

    Do you use opendns on your home firewall?
    And try removing the def1 option from the alwaysvpn config file.
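The `def1` option admin mentions is the part of OpenVPN's `redirect-gateway` that installs the two /1 routes visible in the `route -n` output earlier in the thread (0.0.0.0/1 and 128.0.0.0/1 via 10.19.96.1): together they cover the whole address space and beat the original default route on prefix length without deleting it, while the /32 host route keeps the VPN server itself reachable over eth0. The following longest-prefix-match lookup over that exact table is an added example written for this page, not code from AlwaysVPN or OpenVPN; it shows where each destination is sent with the def1 routes present and with them removed (which is what dropping the option would give). Note that with def1 the OpenDNS servers are reached through tap0, so any outbound firewall rule for port 53 must accept the 10.19.96.0/22 source address, as the poster's OUTBOUND chain already does.

```python
import ipaddress

# The routing table from the "route -n" output earlier in the thread,
# transcribed as (destination, gateway, genmask, iface).  The two /1 routes
# via 10.19.96.1 are what OpenVPN's "redirect-gateway def1" adds.
ROUTE_TABLE = [
    ("67.207.148.228", "10.0.0.2",   "255.255.255.255", "eth0"),  # host route to the VPN server
    ("10.0.0.0",       "0.0.0.0",    "255.255.255.0",   "eth0"),  # home LAN
    ("10.19.96.0",     "0.0.0.0",    "255.255.252.0",   "tap0"),  # VPN subnet
    ("169.254.0.0",    "0.0.0.0",    "255.255.0.0",     "eth0"),  # link-local
    ("0.0.0.0",        "10.19.96.1", "128.0.0.0",       "tap0"),  # def1: lower half of IPv4 space
    ("128.0.0.0",      "10.19.96.1", "128.0.0.0",       "tap0"),  # def1: upper half of IPv4 space
    ("0.0.0.0",        "10.0.0.2",   "0.0.0.0",         "eth0"),  # original default route
]


def lookup(dst, table=ROUTE_TABLE):
    """Choose the route for dst the way the kernel does: longest prefix wins.

    Returns (iface, gateway); gateway is None for directly connected routes.
    Metrics are ignored, which is safe here because no two routes that can
    match the same address share a prefix length.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, gw, mask, iface in table:
        # ip_network accepts "address/netmask"; strict=False tolerates host bits
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    _, gw, iface = best
    return (iface, None if gw == "0.0.0.0" else gw)


def without_def1(table=ROUTE_TABLE):
    """The same table with the two /1 routes removed, i.e. no redirect-gateway def1."""
    return [r for r in table if r[2] != "128.0.0.0"]


if __name__ == "__main__":
    for dst in ("67.207.148.228", "10.0.0.2", "10.19.96.1", "208.67.220.220", "1.2.3.4"):
        print(f"{dst:>16}  with def1 -> {lookup(dst)}   without def1 -> {lookup(dst, without_def1())}")
```

On a live machine the same question is answered by `ip route get 208.67.220.220`, which prints the interface and gateway the kernel actually selects; comparing that with the tunnel interface is the quickest check that traffic really is being redirected, without needing a Firefox proxy setting.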
    • Author: normskiboy
    • Posted: Nov 19th 2008

    Hi admin,

    What I meant by error message is..... I open two Terminal windows.

    First Terminal Window: I type >sudo openvpn --config /etc/openvpn/alwaysvpn-tcp-Compatible.conf
    and it does its thing.

    Second Terminal Window: this is where I type >ping 10.19.96.1

    The message

    RESOLVE: Cannot resolve host address: cluster2.alwaysvpn.com: [HOST_NOT_FOUND] The specified host is unknown.

    appears in the first window.

    But you will be pleased to hear, following your instructions (to a tee) I was able to ping 10.19.96.1 successfully.

    As you advised, switching off the firewall allowed the ICMP packet to your gateway (10.19.96.1).

    On that note, surfing without a firewall is not sensible at all, with or without VPN, therefore is it possible you can advise
    i.e. a minimum list of firewall rules needed to function with AlwaysVPN,
    e.g.
    Outbound 10.19.96.0/22 > 10.19.96.1
    Outbound 10.19.96.0/22 > 207.67.220.220
    Outbound 10.19.96.0/22 > 207.67.222.222

    Inbound 10.19.96.1 > 10.19.96.0/22
    Inbound 207.67.220.220 > 10.19.96.0/22
    Inbound 207.67.222.222 > 10.19.96.0/22

    I also started Ethereal (Wireshark) to see if my traffic was using the tap0 interface. The tap0 interface is only used for ARP messages between my machine and, I assume, your gateway, and when I ping 10.19.96.1, I see the ICMP packets. When I open a browser (Firefox 3) and surf to any site, this traffic seems to still be using the eth0 interface and so my data is being sent in clear text. I would be grateful if you can tell me what I need to do in order to have all my traffic sent via tap0, i.e. encrypted.

    Many Thanks
    • Author: normskiboy
    • Posted: Nov 19th 2008

    Hi admin,

    I've answered my question re: Ethereal and being able to send encrypted traffic....................

    ..........................(apologies if I sound a little thick, it's possibly because I am :-)) )

    What I did is change Firefox's network settings, and set the proxy to use 10.19.96.1:80. I then used Ethereal to monitor eth0 and tap0. All the eth0 traffic is SSL/TLS and tap0 traffic is normal, just as you should expect from a VPN !! Voila !! Is this what you would advise ??

    I would still like your advice about Firewall settings and the basic firewall rules required to allow AlwaysVPN to function.

    Many Thanks
    • Author: admin
    • Posted: Nov 19th 2008

    The Firefox proxy settings should not be necessary. The redirect-gateway option should force all traffic through your tap interface.

    As far as iptables goes, the only inbound traffic you need to allow on the tap interface is ICMP. For outbound I would recommend port 53 for the OpenDNS servers and 80 and 443 for web browsing.
    • Author: normskiboy
    • Posted: Nov 25th 2008

    Hi admin,

    I am still currently unable to ping 10.19.96.1...... I know it is a firewall (iptables) issue, as everything works OK when it is turned off :-((

    I get allocated a 10.19.96.XX address; does this mean 'incoming' traffic is being allowed, and only 'outgoing' traffic is being blocked?

    Also with Ethereal, looking at traffic through the tap0 interface (firewall is on), all I see are ARP requests, possibly because there is no known route to 10.19.96.1?

    I have been reading forums online and have tried changing the iptables config,
    e.g.
    >iptables -t nat -I POSTROUTING -o tap0 -j MASQUERADE

    I also tried,

    To allow TAP interface connections to OpenVPN server
    >iptables -A INPUT -i tap+ -j ACCEPT

    To allow TAP interface connections to be forwarded through other interfaces
    >iptables -A FORWARD -i tap+ -j ACCEPT

    really just 'clutching at straws' as they say, but no joy !!!

    If anyone else encounters a similar problem and finds a solution, please do post.....

    Thanks to Admin and all.
    • Author: admin
    • Posted: Nov 25th 2008

    You get allocated an internal ip on our 10.19.96.1/255.255.252.0 subnet. Our VPN server then performs NAT on that IP address.
    What do you mean by: "...does this mean 'incoming' traffic is being allowed ? and only 'outgoing' traffic is being blocked ?"

    There is no need for you to setup NAT with iptables on your box.
    Are you using a GUI to edit iptables? And why are you so concerned with setting up firewall rules for OpenVPN, when our VPN network is already very restricted?
    • Author: normskiboy
    • Posted: Nov 28th 2008

    Hi admin,

    HAL-LE-LU-JAH....................

    Yes I was finally successful in logging onto the VPN, using a firewall (iptables)........

    Why set up a firewall? Even though the VPN network is restricted, what's stopping one of many internal users probing my PC?
    I work in an area of IT security, so I guess I am a little more paranoid about online security :-(

    Anyway, back to how I resolved this issue....... Firstly, I was using Firestarter (iptables GUI); now every time I made changes to iptables and saved my new config, on reboot the old config would be reloaded.

    So I un-installed Firestarter and typed in the following commands........

    sudo iptables -F # to flush out the existing config

    sudo iptables -A INPUT -i eth0 -p icmp -s 10.0.0.2/24 -j ACCEPT
    sudo iptables -A INPUT -i eth0 -p tcp --dport 67 -s 10.0.0.2/24 -j ACCEPT
    sudo iptables -A INPUT -i tap0 -p icmp -s 10.19.96.0/24 -j ACCEPT
    sudo iptables -P INPUT DROP
    sudo iptables -P FORWARD DROP
    sudo iptables -P OUTPUT ACCEPT
    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    sudo iptables-save

    for a more detailed explanation of the above and other config changes, visit the link 'admin' provided (http://wiki.centos.org/HowTos/Network/IPTables), thanks for that !!

    Very grateful for your continued help & support.

    Adios
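Why the Firestarter ruleset from the first post blocked ping while TCP and DNS kept working, and why the hand-built INPUT chain above fixes it, can be shown by evaluating both chains against a few packets. The kernel's connection tracking follows ICMP echo request/reply pairs and marks the reply ESTABLISHED, but the Firestarter INBOUND chain only accepts RELATED,ESTABLISHED traffic for `-p tcp` and `-p udp`, so echo replies from 10.19.96.1 fall through and are dropped; the hand-built chain accepts ICMP on tap0 explicitly and has a state rule with no protocol restriction. The same evaluation also shows something relevant to the poster's concern about other VPN users: the Firestarter chain accepts NEW connections to ports 80 and 443 from the whole 10.19.96.0/22 VPN subnet, while the hand-built chain drops them. The code below is an added example written for this page, not AlwaysVPN's or Firestarter's code; the rule text is transcribed from the thread (the INBOUND chain abridged to the rules the packets can hit), the packets are constructed, and the evaluator is deliberately simple (first match wins, only the options used in these rules are understood, no NAT or LOG chains; fall-through to DROP is assumed for the Firestarter chain, whose terminal rule is not in the posted excerpt). One caveat the evaluator makes visible: DHCP runs over UDP, so the posted `-p tcp --dport 67` rule never matches a DHCP packet; it is kept as posted.

```python
import ipaddress

# Rules transcribed from this thread.  FIRESTARTER_INBOUND is an abridged copy of
# the INBOUND chain from the first post (iptables-save format); HAND_INPUT is the
# INPUT chain from the final post with "sudo iptables" stripped off each line.
FIRESTARTER_INBOUND = """
-A INBOUND -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INBOUND -s 10.0.0.0/255.255.255.0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INBOUND -s 10.0.0.0/255.255.255.0 -p udp -m udp --dport 53 -j ACCEPT
-A INBOUND -s 208.67.220.220 -p udp -m udp --dport 53 -j ACCEPT
-A INBOUND -s 10.19.96.0/255.255.252.0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INBOUND -s 10.19.96.0/255.255.252.0 -p tcp -m tcp --dport 80 -j ACCEPT
"""

HAND_INPUT = """
-A INPUT -i eth0 -p icmp -s 10.0.0.2/24 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 67 -s 10.0.0.2/24 -j ACCEPT
-A INPUT -i tap0 -p icmp -s 10.19.96.0/24 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"""


def parse_rule(line):
    """Parse one 'iptables -A ...' line into the match fields this model knows."""
    rule = {"chain": None, "iface": None, "proto": None, "src": None,
            "dport": None, "states": None, "target": None}
    toks = line.split()
    i = 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]        # every option used here takes one argument
        if opt == "-A":
            rule["chain"] = arg
        elif opt == "-i":
            rule["iface"] = arg
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "-s":
            # strict=False masks off host bits, as iptables does with "10.0.0.2/24";
            # a bare address such as 208.67.220.220 becomes a /32.
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "--dport":
            rule["dport"] = int(arg)
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        elif opt == "-j":
            rule["target"] = arg
        elif opt != "-m":                        # "-m tcp" / "-m state" only load the extension
            raise ValueError(f"unsupported option {opt!r} in: {line}")
        i += 2
    return rule


def matches(rule, pkt):
    """True if every field the rule specifies agrees with the packet."""
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    return True


def verdict(chain_text, pkt, policy="DROP"):
    """First matching rule decides; no match falls through to the chain policy.

    policy="DROP" models the final post's "iptables -P INPUT DROP"; for the
    Firestarter excerpt, which shows no terminal rule, DROP is an assumption.
    """
    for line in chain_text.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed packets, described as the conntrack state match would see them.
ECHO_REPLY     = {"iface": "tap0", "proto": "icmp", "src": "10.19.96.1", "state": "ESTABLISHED"}
VPN_TCP_DATA   = {"iface": "eth0", "proto": "tcp", "src": "67.207.148.228", "dport": 51234, "state": "ESTABLISHED"}
DNS_REPLY      = {"iface": "tap0", "proto": "udp", "src": "208.67.220.220", "dport": 40000, "state": "ESTABLISHED"}
PEER_WEB_PROBE = {"iface": "tap0", "proto": "tcp", "src": "10.19.97.5", "dport": 80, "state": "NEW"}
PEER_SSH_PROBE = {"iface": "tap0", "proto": "tcp", "src": "10.19.97.5", "dport": 22, "state": "NEW"}

if __name__ == "__main__":
    for name, pkt in [("echo reply", ECHO_REPLY), ("vpn tcp data", VPN_TCP_DATA),
                      ("dns reply", DNS_REPLY), ("peer web probe", PEER_WEB_PROBE),
                      ("peer ssh probe", PEER_SSH_PROBE)]:
        print(f"{name:15} firestarter={verdict(FIRESTARTER_INBOUND, pkt):6} hand-built={verdict(HAND_INPUT, pkt)}")
```

The practical lesson for the minimal ruleset admin describes is that a state rule written as `-m state --state ESTABLISHED,RELATED` without `-p` covers the replies for every protocol, including the ICMP echo replies from the gateway, and that anything unsolicited from the VPN subnet should then be left to the DROP policy rather than opened per port.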
    • Author: nettlebay
    • Posted: Dec 4th 2013

    I had problems with my firewall that I was forced to stop for AlwaysVPN to work.
    I found the solution, just go to Firestarter: Edition-> Preferences (or Settings)-> Network Configuration -> Devices connected to the local network. Select "VPN Tunnel (tap0)" and check "allow sharing the Internet connection." Then click "accept". Exit and restart Firestarter.
    If Alwaysvpn still does not work, restart your PC.*
    *Not sure this is the right translation (my Firestarter is in French).
    Works with Debian Crunchbang, Bodhi Linux and probably Ubuntu.

    In French (translated here):
    The following applies to Debian Crunchbang, Bodhi Linux (derived from Ubuntu Precise) and so probably to Ubuntu as well.
    I had problems with my firewall, which I had to stop for AlwaysVPN to work.
    I found the solution: just go to Firestarter: -> Edit -> Preferences -> Network configuration -> Devices connected to the local network: select "VPN Tunnel (tap0)" and tick "allow internet connection sharing". Then click "accept". Quit Firestarter and restart it. If it still does not work, reboot your machine.
    Note: I do not use internet connection sharing on Ethernet. I used this solution on Crunchbang and Bodhi Linux successfully.