
I'm trying to use OpenVPN on my Arch box to be able to route some traffic through an OpenVPN connection, but not all traffic. But I'm having trouble trying to use my OpenVPN tunnel when using, for example, curl --interface tun0 --ipv4 ifconfig.co

Curl will just stand there and chew. I've tried to use tcpdump to look, and this is what I can see

sudo tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
21:26:47.157506 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86206754 ecr 0,nop,wscale 7], length 0
21:26:47.175936 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89410613 ecr 86206754,nop,wscale 7], length 0
21:26:48.159089 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86207055 ecr 0,nop,wscale 7], length 0
21:26:48.177388 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89410863 ecr 86206754,nop,wscale 7], length 0
21:26:49.350452 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89411157 ecr 86206754,nop,wscale 7], length 0
21:26:50.162463 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86207656 ecr 0,nop,wscale 7], length 0
21:26:50.180780 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89411364 ecr 86206754,nop,wscale 7], length 0
21:26:54.175887 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86208860 ecr 0,nop,wscale 7], length 0
21:26:54.194130 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89412367 ecr 86206754,nop,wscale 7], length 0
21:26:58.350110 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89413407 ecr 86206754,nop,wscale 7], length 0
21:27:02.189071 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86211264 ecr 0,nop,wscale 7], length 0
21:27:02.207028 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89414371 ecr 86206754,nop,wscale 7], length 0

My OpenVPN config looks like this

client
user nobody
group nobody
auth-retry nointeract
dev tun
proto udp
remote pool.prd.se.ovpn.se 1194
remote pool.prd.se.ovpn.se 1195
dhcp-option DNS 46.227.67.134
dhcp-option DNS 46.227.67.135
remote-random
remote-cert-tls server
cipher AES-256-CBC
pull
nobind
auth-user-pass /etc/openvpn/ovpn.se.cred
reneg-sec 432000
resolv-retry infinite
comp-lzo
verb 4
mute-replay-warnings
replay-window 256
persist-key
persist-tun
ca /etc/openvpn/ovpn-ca.crt
tls-auth /etc/openvpn/ovpn-tls.key 1
script-security 2
route-nopull

My iptables looks like this

# Generated by iptables-save v1.6.0 on Mon Apr 25 00:27:51 2016
*nat
:PREROUTING ACCEPT [3262:437462]
:INPUT ACCEPT [171:18235]
:OUTPUT ACCEPT [1901:151707]
:POSTROUTING ACCEPT [1734:132967]
-A POSTROUTING -s 10.128.0.0/16 -o enp3s0 -j MASQUERADE
-A POSTROUTING -s 10.128.0.0/24 -o enp3s0 -j MASQUERADE
-A POSTROUTING -o enp3s0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 25 00:27:51 2016
# Generated by iptables-save v1.6.0 on Mon Apr 25 00:27:51 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [38410:467842615]
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i tun+ -o enp3s0 -j ACCEPT
-A FORWARD -i enp3s0 -o tun+ -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Apr 25 00:27:51 2016

ip addr gives

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether d0:50:99:52:b3:6d brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.10/24 brd 10.0.0.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::febb:c610:7e4c:e134/64 scope link
       valid_lft forever preferred_lft forever
32: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 100
    link/none
    inet 10.128.0.37/16 brd 10.128.255.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 2a03:8600:1003:101:96c0:ee8d:9162:4fd0/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::48f2:b482:4ab6:fb52/64 scope link flags 800
       valid_lft forever preferred_lft forever

ip route gives

default via 10.0.0.1 dev enp3s0  src 10.0.0.10  metric 202
10.0.0.0/24 dev enp3s0  proto kernel  scope link  src 10.0.0.10  metric 202
10.128.0.0/16 dev tun0  proto kernel  scope link  src 10.128.0.37

and sysctl -a | grep forward gives

~ $ sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.enp3s0.forwarding = 1
net.ipv4.conf.enp3s0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.enp3s0.stable_secret"
net.ipv6.conf.enp3s0.forwarding = 1
net.ipv6.conf.enp3s0.mc_forwarding = 0
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.tun0.forwarding = 1
net.ipv6.conf.tun0.mc_forwarding = 0

I'm not a network guy, so it's quite possible that I've missed something silly

Lisinge
  • What is the output of the curl command, or does it not give any output? – Farhan May 25 '16 at 11:42
  • @Farhan no output, it hangs until I cancel it – Lisinge May 25 '16 at 11:49
  • I have 2 questions. 1. ifconfig.co is your domain I assume, where are you resolving it? Is it an address in the 10.128.0.0/16 network? 2. Have you tried pinging a host you know exists in the 10.128.0.0 network? – NickW May 25 '16 at 14:14
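
The capture above already contains the answer to Farhan's question: the SYN goes out on tun0, a SYN-ACK comes back on tun0 with the same server sequence number every time, and the client never sends the ACK that would complete the handshake. The script below, an added example that is not part of the question or of either answer, turns that reading into a check that can be run over any tcpdump capture: it keys flows on the first SYN, counts SYNs, SYN-ACKs and client ACKs per flow, counts how many distinct sequence numbers each side used (1 means pure retransmissions of the same segment), and prints a verdict. The sample capture is the one quoted in the question; the function and verdict names are choices made here.

```shell
#!/bin/sh
# Added example, not part of the question or either answer: classify every TCP
# handshake seen in "tcpdump -i <iface>" output. The sample capture is the one
# quoted in the question (one flow, SYNs and SYN-ACKs only); any capture with
# tcpdump's default flag formatting can be piped into tcp_handshake_summary.

sample_capture() {
    cat <<'EOF'
21:26:47.157506 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86206754 ecr 0,nop,wscale 7], length 0
21:26:47.175936 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89410613 ecr 86206754,nop,wscale 7], length 0
21:26:48.159089 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86207055 ecr 0,nop,wscale 7], length 0
21:26:48.177388 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89410863 ecr 86206754,nop,wscale 7], length 0
21:26:49.350452 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89411157 ecr 86206754,nop,wscale 7], length 0
21:26:50.162463 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86207656 ecr 0,nop,wscale 7], length 0
21:26:50.180780 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89411364 ecr 86206754,nop,wscale 7], length 0
21:26:54.175887 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86208860 ecr 0,nop,wscale 7], length 0
21:26:54.194130 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89412367 ecr 86206754,nop,wscale 7], length 0
21:26:58.350110 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89413407 ecr 86206754,nop,wscale 7], length 0
21:27:02.189071 IP higgins.48585 > 188.113.88.193.http: Flags [S], seq 3838273657, win 29200, options [mss 1460,sackOK,TS val 86211264 ecr 0,nop,wscale 7], length 0
21:27:02.207028 IP 188.113.88.193.http > higgins.48585: Flags [S.], seq 1582779772, ack 3838273658, win 28960, options [mss 1352,sackOK,TS val 89414371 ecr 86206754,nop,wscale 7], length 0
EOF
}

# Reads tcpdump lines on stdin and prints one summary line per flow.
# A flow is keyed "client > server", the direction of the first SYN.
tcp_handshake_summary() {
    awk '
    $2 == "IP" && $6 == "Flags" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = $7; sub(/^[[]/, "", flags); sub(/[]],?$/, "", flags)
        seq = ($8 == "seq") ? $9 : ""; sub(/,$/, "", seq)
        if (flags == "S") {
            # client SYN; count distinct ISNs (1 = the same SYN retransmitted)
            key = src " > " dst; syn[key]++
            if (!((key, seq) in syn_seen)) { syn_seen[key, seq] = 1; syn_isns[key]++ }
        } else if (flags == "S.") {
            # server SYN-ACK travels in the reply direction, so swap the tuple
            key = dst " > " src; synack[key]++
            if (!((key, seq) in sa_seen)) { sa_seen[key, seq] = 1; sa_isns[key]++ }
        } else if (flags == "." && ((src " > " dst) in syn)) {
            # bare ACK from the client: the handshake completed
            ack[src " > " dst]++
        }
    }
    END {
        for (key in syn) {
            sa = synack[key] + 0; a = ack[key] + 0
            if (sa && !a) verdict = "replies-dropped"   # SYN-ACK arrived, client never ACKed
            else if (!sa) verdict = "no-reply"          # SYN went out, nothing came back here
            else          verdict = "completed"
            printf "%s syn=%d synack=%d ack=%d syn_isns=%d synack_isns=%d verdict=%s\n", key, syn[key], sa, a, syn_isns[key] + 0, sa_isns[key] + 0, verdict
        }
    }'
}

# Stand-alone run: summarise the sample capture.
sample_capture | tcp_handshake_summary
```

For the question's capture this prints one line with syn=5, synack=7, ack=0, one ISN on each side and the verdict replies-dropped: the replies reach tun0 and are delivered to the host, but the kernel never hands them to the socket, which is a routing or reverse-path problem on the host rather than a firewall or server problem. A no-reply verdict would instead point at the SYN itself never reaching the peer, or at the reply being routed back over another interface (capture on enp3s0 as well in that case).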

2 Answers


I have not tried a thing close enough to that to be certain (I always insert things in the routing table, or use network namespaces like with LXC, not those --interface <...> things)... but I think probably it just has no gateway to use on that interface. ifconfig.co is not link-local, and your gateway is through enp3s0, not tun0. (However, if this was the case, they coded it badly since it should easily return an error [no route to host] rather than just hang.)

Peter

You are getting the SYN+ACK responses from ifconfig.co, but they are ignored. The firewall should be accepting them, but rp_filter might drop them. Is adding a route to ifconfig.co

ip route add ifconfig.co dev tun0

fixing the issue?

If yes, you might try to disable reverse path filtering (the rp_filter sysctl settings).

Lazy404