I have a problem... I worked for a lot of days on configuring a VPN on my dedicated server... I started 1 month ago. Now it works, I am able to connect to it. I have no errors.

But I want to have a static IP when I'm connected to it. I have read that I must add a gateway, but I haven't understood everything, and my English isn't good enough to understand all the explanations...

So could you help me?

Here are my confs: server.conf

```
local 12.345.678.901
port 12345
proto tcp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 192.168.0.0 255.255.255.0
push "route 10.4.0.0 255.255.255.0"
keepalive 10 120
cipher AES-128-CBC
comp-lzo
max-clients 5
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 6
```

client.conf

```
client
dev tun
proto tcp
remote 12.345.678.901 12345

# retry the connection indefinitely
resolv-retry infinite
nobind

# to make the connection persistent
persist-key
persist-tun

# to hide the warnings
mute-replay-warnings

ca ca.crt
cert client.crt
key client.key
cipher AES-128-CBC
comp-lzo
verb 5
```

I also read something about adding some routes with iptables, but nothing I tried worked... Thanks for your help!

Kyu_
  • What do you mean by "*have a static IP when I'm connected to it*"? – MadHatter Dec 03 '13 at 12:58
  • Sorry I wasn't clear... I want to connect to my VPN (which is on a dedicated server) and use its static IP to browse the web. Is it clearer? – Kyu_ Dec 03 '13 at 13:28

1 Answer

If you want to connect to your OpenVPN server and it has a static IP, then you need to make sure that the server end truly has a static IP and isn't being dynamically NAT'd or could change. So that is something you need to look into on the server hosting side. What I do is just use a dynamic DNS entry so that my client config can always point to "myvpnserver.dyndns.org" and even if the IP changes, I don't have to change the config. Once you get that issue lined out, you just need to put `push "redirect-gateway def1 bypass-dhcp"` in your server.conf file so when your client connects to the VPN, all traffic will be pushed through the server and always show that IP when surfing the web. That is what I do for secure web browsing on public wifi.

```
# iptables-save format (/etc/sysconfig/iptables); the "*nat" table header
# was missing from the paste and is restored here so iptables-restore
# accepts the file: SNAT is only valid in the nat table.
*nat
:PREROUTING ACCEPT [2:96]
:POSTROUTING ACCEPT [2:112]
:OUTPUT ACCEPT [2:112]
-A POSTROUTING -j SNAT --to-source server_external_ip
COMMIT
*mangle
:PREROUTING ACCEPT [175:17408]
:INPUT ACCEPT [175:17408]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [132:30416]
:POSTROUTING ACCEPT [132:30416]
COMMIT
*filter
:INPUT DROP [2:96]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [131:30292]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT
```
Eric
  • My OpenVPN server is a dedicated server which has a static IP, yes. I've added the `push "redirect-gateway def1 bypass-dhcp"` line in the server.conf. After restart, I connected myself to the VPN, but I wasn't able to load any web page in my browser... – Kyu_ Dec 03 '13 at 14:20
  • Are you able to do anything through the VPN? Can you confirm that you are allowing all forwarding rules and if you cat the /etc/sysctl.conf file that there is a 1 by the ip_forward section? – Eric Dec 03 '13 at 14:29
  • I enabled ip_forward, yep, I did it some hours ago! But for allowing all forwarding rules, I've added some rules, but I'm not sure that I've added all of these... To be honest, I'm not sure of what I've added.. – Kyu_ Dec 03 '13 at 14:31
  • Just make sure when you enabled ip_forward you restarted to ensure it took effect. I put a copy of my iptables in my answer above and that is what works for me. If all of that looks good, you need to start doing some packet captures on your interfaces. Look at the tun0 interface and see if you see the ping, then look at the ethX interface and see if you see it going out. Then see if you ever get a response or not and try to determine where the connection is dying. – Eric Dec 03 '13 at 14:42
  • Sorry but, I don't understand, what are the lines starting by a ":"? – Kyu_ Dec 03 '13 at 14:48
  • That's just the output that it shows in /etc/sysconfig/iptables. You aren't supposed to modify that file directly, you should use a script or individual iptables commands, but you can edit it directly if you want to. Look at yours and see what it shows. Worst case is you can copy it and paste mine in with your port and IP modifications and see if that works. – Eric Dec 03 '13 at 14:51
  • Thanks for all... It's not working yet, but thanks! Just a little question to (I hope) finish: you add rules with iptables on ports 22, 53 and 1194, but in my case I'm using port 59311. Do I have to change one of them to 59311? – Kyu_ Dec 03 '13 at 15:02
  • My 1194 is my OpenVPN connection port. So that should be 59311 for you. Also ensure the correct protocol is there because in my example I'm using udp. – Eric Dec 03 '13 at 15:06
  • I entered that: http://pastebin.com/wje9Aqph I had an error on the first command: "iptables: No chain/target/match by that name". I searched but didn't find any solution, the command seems to be good :/ And to finish, after entering all these commands (but the first, because it's not working), I can't use my VPN to browse the web.. I'm such a noob. – Kyu_ Dec 03 '13 at 15:18
  • I'd just do some basic Googling on the error and what chain/table you are trying to call. At a quick glance, it may be something like this: http://www.linuxquestions.org/questions/linux-security-4/iptables-iptables-no-chain-target-match-by-that-name-941406/. – Eric Dec 03 '13 at 15:27
  • Arf... My bad, I'll search a little more next time. I executed all these commands: http://pastebin.com/9nHP3uux I think I haven't forgotten any of yours. I restarted OpenVPN but it's always the same: I can connect to the VPN but I have no connection to the internet – Kyu_ Dec 03 '13 at 15:38
  • Start doing the tcpdumps to determine where the traffic is dying. – Eric Dec 03 '13 at 16:05
  • I saved the output in a file while I was connecting to the VPN and trying to open web pages; there is a looooot of things. I had some packets dropped and others, but there is nothing very different from the others – Kyu_ Dec 03 '13 at 18:01
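Eric's checklist across the answer and comments boils down to five server-side conditions: `ip_forward` on, a `push "redirect-gateway def1 bypass-dhcp"` line in server.conf, a SNAT/MASQUERADE rule in the nat table, a FORWARD chain that lets `tun+` traffic through, and an INPUT rule for the protocol and port OpenVPN actually listens on (his rules open udp/1194 while the asker's server speaks tcp on another port). The POSIX shell script below is an added example written for this page, not code from the question or the answer; it turns that checklist into checks that take their input as text, so it runs offline on the constructed samples embedded in it (modelled on the asker's server.conf and Eric's rules, with counters and the `*nat` header assumed) and, with `--live`, on the real `/etc/openvpn/server.conf` (an assumed path), `iptables-save` and `/proc/sys/net/ipv4/ip_forward`. The subnet-clash check is my own heuristic, not something the thread states.

```shell
#!/bin/sh
# Offline audit of what a "push redirect-gateway" OpenVPN server needs.
# Added example for this thread, not the asker's or Eric's code. Each check
# takes its input as text, so it runs on the constructed samples below or,
# with --live, on the server's real config, rules and sysctl.

# IPv4 forwarding: $1 is the content of /proc/sys/net/ipv4/ip_forward
check_ip_forward() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# server.conf must push a default route; otherwise only the VPN subnet and
# explicitly pushed routes use the tunnel and web traffic stays local
check_push_redirect() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway'
}

# nat table: a POSTROUTING SNAT/MASQUERADE rule must cover the VPN clients,
# or replies from the internet never come back through the tunnel.
# $1 = iptables-save output, $2 = VPN network address (e.g. 192.168.0.0);
# a rule without -s (like Eric's) qualifies, one with -s must name $2
check_nat() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING/ && /-j (SNAT|MASQUERADE)/ {
            if ($0 !~ /-s / || index($0, "-s " net) > 0) found = 1 }
        END { exit found ? 0 : 1 }'
}

# filter FORWARD chain: policy ACCEPT or "-A FORWARD -i tun+ -j ACCEPT"
check_forward() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && (/^:FORWARD ACCEPT/ || /^-A FORWARD -i tun[+] -j ACCEPT/) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# INPUT must accept the proto/port server.conf listens on (Eric opened
# udp/1194, the asker listens on tcp/12345); tcp-server/udp6 are reduced
# to tcp/udp and OpenVPN's defaults udp/1194 apply when unset
check_vpn_port() {
    proto=$(printf '%s\n' "$1" | awk '$1 == "proto" { print $2; exit }')
    port=$(printf '%s\n' "$1" | awk '$1 == "port" { print $2; exit }')
    proto=${proto:-udp}; proto=${proto%%-*}; proto=${proto%6}
    printf '%s\n' "$2" | grep -Eq "^-A INPUT -p $proto .*--dport ${port:-1194} -j ACCEPT"
}

# Heuristic of my own, not from the thread: a VPN subnet that is also a
# common home-LAN range breaks redirect-gateway for clients on such a LAN
check_subnet_clash() {
    case "$(printf '%s\n' "$1" | awk '$1 == "server" { print $2; exit }')" in
        192.168.0.0|192.168.1.0) return 1 ;;
    esac
}

# report CHECK ARGS...: prints the verdict and counts failures in $fails
report() {
    if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
}

# audit SERVER_CONF IPTABLES_SAVE IP_FORWARD: returns the number of failures
audit() {
    fails=0
    net=$(printf '%s\n' "$1" | awk '$1 == "server" { print $2; exit }')
    report check_ip_forward "$3";    report check_push_redirect "$1"
    report check_nat "$2" "$net";    report check_forward "$2"
    report check_vpn_port "$1" "$2"; report check_subnet_clash "$1"
    return $fails
}

# Constructed samples modelled on the thread (counters and the *nat header
# are assumed): the asker's server.conf and Eric's rules, trimmed
ASKER_CONF='port 12345
proto tcp
server 192.168.0.0 255.255.255.0
push "route 10.4.0.0 255.255.255.0"'
FIXED_CONF="$ASKER_CONF
push \"redirect-gateway def1 bypass-dhcp\""
ERIC_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j SNAT --to-source server_external_ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
COMMIT'
# Eric's rules with the listener line changed to the asker's tcp/12345
ASKER_RULES=$(printf '%s\n' "$ERIC_RULES" |
    sed 's/-p udp -m udp --dport 1194/-p tcp -m tcp --dport 12345/')

if [ "${1:-}" = "--live" ]; then   # needs root for iptables-save
    audit "$(cat /etc/openvpn/server.conf)" "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)"
else
    audit "$ASKER_CONF" "$ERIC_RULES" 0 || echo "asker's setup: $? failing check(s)"
    audit "$FIXED_CONF" "$ASKER_RULES" 1 || echo "fixed setup: $? failing check(s)"
fi
```

Run on the samples, the asker's setup fails four checks (forwarding off, no redirect-gateway push, the listener's tcp port not opened, and the 192.168.0.0/24 subnet heuristic); after adding the push line, enabling forwarding and opening the right port, only the subnet heuristic remains. The script only tells you whether the pieces are in place; if it passes and web pages still do not load, the next step is the one Eric describes in the comments: capture on `tun0` to see the client's packets arrive and on the external interface to see them leave with the server's address, then look for the replies.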