
OpenVPN has been installed on a Google Cloud Instance using this script. The Google Cloud Instance is Ubuntu 14.04 LTS, has been tagged with "vpn", with IP Forwarding enabled. Additionally, 3 firewalls have been set up:

  • Allow from any source ICMP, apply to all targets
  • Allow from any source TCP port 22, apply to all targets
  • Allow from any source UDP port 1194, apply to "vpn" tagged targets

Using the client.ovpn file generated by the script, it is possible to connect to the Instance with OpenVPN. It is possible to ping the internal IP address of the Instance (i.e. 10.20.0.2), however it is not possible to ping other hosts in the same virtual subnet (i.e. 10.20.0.3).

With logging enabled, the following is an output of the syslog when a connection is made to the Instance and other hosts on the subnet are pinged remotely.

root@vpn:/home/user# tail /var/log/syslog 
Dec 15 03:54:26 vpn ovpn-server[2633]: client/118.209.255.26:64219 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Dec 15 03:54:26 vpn ovpn-server[2633]: client/118.209.255.26:64219 MULTI: Learn: 10.8.0.2 -> client/118.209.255.26:64219
Dec 15 03:54:26 vpn ovpn-server[2633]: client/118.209.255.26:64219 MULTI: primary virtual IP for client/118.209.255.26:64219: 10.8.0.2
Dec 15 03:54:29 vpn kernel: [  630.713536] iptables denied: IN=eth0 OUT= MAC=42:01:0a:14:00:02:42:01:00:00:00:00:08:00 SRC=118.209.255.26 DST=10.20.0.2 LEN=140 TOS=0x00 PREC=0x00 TTL=50 ID=19209 PROTO=UDP SPT=64219 DPT=1194 LEN=120 
Dec 15 03:54:29 vpn ovpn-server[2633]: client/118.209.255.26:64219 PUSH: Received control message: 'PUSH_REQUEST'
Dec 15 03:54:29 vpn ovpn-server[2633]: client/118.209.255.26:64219 send_push_reply(): safe_cap=940
Dec 15 03:54:29 vpn ovpn-server[2633]: client/118.209.255.26:64219 SENT CONTROL [client]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,redirect-gateway def1 bypass-dhcp,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' (status=1)
Dec 15 03:54:40 vpn kernel: [  641.643199] iptables denied: IN=eth0 OUT= MAC=42:01:0a:14:00:02:42:01:00:00:00:00:08:00 SRC=118.209.255.26 DST=10.20.0.2 LEN=173 TOS=0x00 PREC=0x00 TTL=50 ID=25886 PROTO=UDP SPT=64219 DPT=1194 LEN=153 
Dec 15 03:54:52 vpn kernel: [  653.789393] iptables denied: IN=eth0 OUT= MAC=42:01:0a:14:00:02:42:01:00:00:00:00:08:00 SRC=74.125.41.32 DST=10.20.0.2 LEN=104 TOS=0x00 PREC=0x00 TTL=53 ID=23017 PROTO=TCP SPT=35702 DPT=22 WINDOW=29016 RES=0x00 ACK PSH URGP=0 
Dec 15 03:55:05 vpn kernel: [  667.589193] iptables denied: IN=eth0 OUT= MAC=42:01:0a:14:00:02:42:01:00:00:00:00:08:00 SRC=74.125.41.32 DST=10.20.0.2 LEN=104 TOS=0x00 PREC=0x00 TTL=53 ID=29539 PROTO=TCP SPT=35702 DPT=22 WINDOW=29358 RES=0x00 ACK PSH URGP=0 

Additionally:

  • net.ipv4.ip_forward = 1 has been set in /etc/sysctl.conf
  • iptables has been configured using these rules
  • Both TCP and UDP OpenVPN protocol configurations do not work
  • It is possible to ping other Instances from the VPN server when connected via SSH, just not from a remote host connected via VPN
jsc
  • Also manually setting up the Instance and OpenVPN server, as per [this guide](http://roshansingh.in/blog/2014/12/08/setting-up-vpn-using-openvpn-on-google-cloud-or-aws/) or [this guide](https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04), has not worked – jsc Dec 15 '16 at 04:01
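The kernel lines in the syslog excerpt above are iptables LOG entries. As an added example (not part of the question, nor of the installation script or guides it refers to), the following Python script parses such lines, counts the denied flows per (source, destination, protocol, port) and infers from the IN=/OUT= fields which filter chain logged each packet: a packet with IN set and OUT empty was addressed to the host itself (INPUT), one with both set was being routed through it (FORWARD). The sample input is constructed from the lines quoted in the question; the function names are the example's own.

```python
import re
from collections import Counter

# Constructed sample, copied from the syslog lines quoted in the question.
SAMPLE_LOG = """\
Dec 15 03:54:26 vpn ovpn-server[2633]: client/118.209.255.26:64219 MULTI: Learn: 10.8.0.2 -> client/118.209.255.26:64219
Dec 15 03:54:29 vpn kernel: [  630.713536] iptables denied: IN=eth0 OUT= MAC=42:01:0a:14:00:02:42:01:00:00:00:00:08:00 SRC=118.209.255.26 DST=10.20.0.2 LEN=140 TOS=0x00 PREC=0x00 TTL=50 ID=19209 PROTO=UDP SPT=64219 DPT=1194 LEN=120
Dec 15 03:54:40 vpn kernel: [  641.643199] iptables denied: IN=eth0 OUT= MAC=42:01:0a:14:00:02:42:01:00:00:00:00:08:00 SRC=118.209.255.26 DST=10.20.0.2 LEN=173 TOS=0x00 PREC=0x00 TTL=50 ID=25886 PROTO=UDP SPT=64219 DPT=1194 LEN=153
Dec 15 03:54:52 vpn kernel: [  653.789393] iptables denied: IN=eth0 OUT= MAC=42:01:0a:14:00:02:42:01:00:00:00:00:08:00 SRC=74.125.41.32 DST=10.20.0.2 LEN=104 TOS=0x00 PREC=0x00 TTL=53 ID=23017 PROTO=TCP SPT=35702 DPT=22 WINDOW=29016 RES=0x00 ACK PSH URGP=0
Dec 15 03:55:05 vpn kernel: [  667.589193] iptables denied: IN=eth0 OUT= MAC=42:01:0a:14:00:02:42:01:00:00:00:00:08:00 SRC=74.125.41.32 DST=10.20.0.2 LEN=104 TOS=0x00 PREC=0x00 TTL=53 ID=29539 PROTO=TCP SPT=35702 DPT=22 WINDOW=29358 RES=0x00 ACK PSH URGP=0
"""

# The log prefix used by the rules in the question; adjust for other --log-prefix values.
PREFIX = "iptables denied:"
# key=value tokens; flag-only tokens such as ACK or PSH carry no '=' and are skipped.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_denied_line(line):
    """Return a dict of LOG fields for one 'iptables denied' line, or None."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields = {}
    for key, value in KV_RE.findall(line[idx + len(PREFIX):]):
        # LEN appears twice (IP total length, then UDP/TCP length); keep the IP one.
        fields.setdefault(key, value)
    if "SRC" not in fields or "DST" not in fields:
        return None
    # Ports are absent for ICMP, so convert only when present.
    for port_key in ("SPT", "DPT"):
        fields[port_key] = int(fields[port_key]) if fields.get(port_key) else None
    return fields


def classify_chain(fields):
    """Infer the logging chain from IN=/OUT=: locally delivered packets have
    IN only (INPUT), routed packets have both (FORWARD), locally generated
    packets have OUT only (OUTPUT)."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else "OUTPUT"


def parse_denied(log_text):
    """All parsed LOG entries from a block of syslog text, in order."""
    entries = (parse_denied_line(l) for l in log_text.splitlines())
    return [e for e in entries if e]


def summarize_denied(log_text):
    """Count denied packets per (src, dst, proto, dport) flow."""
    counts = Counter()
    for f in parse_denied(log_text):
        counts[(f["SRC"], f["DST"], f["PROTO"], f["DPT"])] += 1
    return counts


if __name__ == "__main__":
    for e in parse_denied(SAMPLE_LOG):
        print(classify_chain(e), e["SRC"], "->", e["DST"], e["PROTO"], e["DPT"])
    for flow, n in summarize_denied(SAMPLE_LOG).most_common():
        print(n, "x", flow)
```

Run against the excerpt, every entry classifies as INPUT (IN=eth0, OUT= empty, DST=10.20.0.2): the logged packets were addressed to the VPN server itself, not routed through it. No FORWARD entry for a packet from 10.8.0.0/24 towards 10.20.0.3 appears, so this log alone does not locate the forwarding problem; for that, logging in the FORWARD chain and inspecting the nat table (as the answer does) is needed.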

1 Answer


Looking at the iptables nat table, there was a PREROUTING rule already in place, with higher priority.

root@vpn5:/home/user# iptables -t nat -L
...
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  10.8.0.0/24          anywhere             to:104.199.150.74

The issue was fixed by issuing:

iptables -t nat -F
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
jsc
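The answer's diagnosis depends on rule order: in the POSTROUTING chain the first rule matching a packet from 10.8.0.0/24 wins, so a pre-existing SNAT rule shadows any MASQUERADE rule added after it. As an added example (not the answer's own procedure), the following Python script parses `iptables -t nat -L` output, reports which POSTROUTING rules match the VPN subnet and in what order, and builds the narrower `iptables -t nat -D` commands that remove only the shadowing rules instead of flushing the whole table. The sample table is constructed: the SNAT rule from the answer followed by the intended MASQUERADE rule; the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the stale SNAT rule shown in the answer, with the intended
# MASQUERADE rule appended after it (so the SNAT rule still takes precedence).
SAMPLE_NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24          anywhere             to:104.199.150.74
MASQUERADE  all  --  10.8.0.0/24          anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")


def parse_nat_table(text):
    """Parse `iptables -t nat -L` output into {chain: [rules]}, keeping rule order."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        parts = line.split(None, 5)  # target prot opt source destination [extra]
        if len(parts) < 5:
            continue
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5].strip() if len(parts) == 6 else ""
        chains[current].append({"target": target, "prot": prot, "source": src,
                                "destination": dst, "extra": extra})
    return chains


def _covers(rule_src, subnet):
    """True if the rule's source field would match packets from the VPN subnet."""
    if rule_src == "anywhere":  # iptables' rendering of 0.0.0.0/0
        return True
    try:
        return subnet.subnet_of(ipaddress.ip_network(rule_src, strict=False))
    except ValueError:
        return False  # a resolved hostname, not an address: cannot contain the subnet


def check_vpn_snat(text, vpn_subnet="10.8.0.0/24", expected="MASQUERADE"):
    """Return (ok, matching_rules): ok only when the first POSTROUTING rule that
    matches the VPN subnet is the expected target, since that rule wins."""
    subnet = ipaddress.ip_network(vpn_subnet)
    rules = parse_nat_table(text).get("POSTROUTING", [])
    matching = [r for r in rules if _covers(r["source"], subnet)]
    ok = bool(matching) and matching[0]["target"] == expected
    return ok, matching


def delete_commands(matching, expected="MASQUERADE"):
    """Build `iptables -t nat -D` commands for the rules that precede the expected
    one. Only SNAT's 'to:' column is translated back to --to-source; rules with
    other match extras should be taken from `iptables -t nat -S` instead."""
    cmds = []
    for r in matching:
        if r["target"] == expected:
            break
        cmd = ["iptables", "-t", "nat", "-D", "POSTROUTING", "-s", r["source"]]
        if r["destination"] != "anywhere":
            cmd += ["-d", r["destination"]]
        if r["prot"] != "all":
            cmd += ["-p", r["prot"]]
        cmd += ["-j", r["target"]]
        if r["target"] == "SNAT" and r["extra"].startswith("to:"):
            cmd += ["--to-source", r["extra"][len("to:"):]]
        cmds.append(" ".join(cmd))
    return cmds


if __name__ == "__main__":
    ok, matching = check_vpn_snat(SAMPLE_NAT_TABLE)
    print("VPN subnet handled by MASQUERADE first:", ok)
    for r in matching:
        print("  ", r["target"], r["source"], "->", r["destination"], r["extra"])
    for c in delete_commands(matching):
        print("suggested:", c)
```

Two caveats worth keeping in mind when applying the answer's fix: `iptables -t nat -F` removes every rule in the nat table, including any that had nothing to do with the VPN, whereas deleting the shadowing rule with the generated `-D` command and then adding the MASQUERADE rule touches only the rules involved; and `-L` without `-v` does not show the out-interface, so `iptables -t nat -L -v` (or `-S`) is the form to read when checking that the MASQUERADE rule is bound to `eth0`.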