2.84 - Cannot route through VPN

Fast, easy, and free BitTorrent client daemon, which can be controlled through desktop applications, mobile applications or a web GUI.
mafredri
Posts: 371
Joined: Sat Mar 22, 2014 8:41 am

Re: 2.84 - Cannot route through VPN

Post by mafredri »

dhstsw wrote: Works perfectly!

I'm not sure about the routing though:

Code:

root@asustor:/volume1/.@plugins/AppCentral/openvpn/CONTROL # ip route
0.0.0.0/1 via 188.72.115.129 dev tun0
default via 188.72.115.129 dev tun0
default via 10.0.1.2 dev eth0
10.0.1.0/24 dev eth0  src 10.0.1.150
128.0.0.0/1 via 188.72.115.129 dev tun0
188.72.115.3 via 10.0.1.2 dev eth0
188.72.115.128/26 dev tun0  src 188.72.115.138
How does it look?

Also, openvpn doesn't look like it starts in daemon mode (even when given the --daemon parameter), which stops all the subsequent "starts" in init.d from executing.

It looks like your openvpn is still manually adding the routes as well. Does your .ovpn file include

Code:

redirect-gateway def1

? If so, try commenting it out or removing it entirely.
Hi, I'm new here. Looking to be active in the community and help with development :).
Storage: AS-604T with 3GB RAM (Kingston KVR1333D3S8S9/2G)
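Why the table dhstsw posted sends everything through the tunnel without touching the LAN default: 0.0.0.0/1 and 128.0.0.0/1 together cover the whole address space and, being /1 routes, are more specific than the /0 default via eth0, so they win the lookup; the /32 host route for the VPN server (188.72.115.3 via 10.0.1.2) keeps the tunnel's own UDP packets on eth0. That is the "def1" trick redirect-gateway implements. The following lookup is an example added here, not code from the thread: it runs longest-prefix match over that exact table in POSIX sh and awk, so it works on a busybox NAS as well as a desktop. ROUTES is the table from the post above copied in as a constant; no real `ip` command is run.

```shell
#!/bin/sh
# Longest-prefix-match lookup over an `ip route` listing, in POSIX sh + awk
# (runs on busybox). Example added by the editor, not code from the thread;
# ROUTES is the table dhstsw posted after starting openvpn.

ROUTES='0.0.0.0/1 via 188.72.115.129 dev tun0
default via 10.0.1.2 dev eth0
10.0.1.0/24 dev eth0  src 10.0.1.150
128.0.0.0/1 via 188.72.115.129 dev tun0
188.72.115.3 via 10.0.1.2 dev eth0
188.72.115.128/26 dev tun0  src 188.72.115.137'

# route_lookup DST  -> prints "PREFIX DEV VIA" for the most specific matching
# route (VIA is "-" for a directly connected route), or "unreachable".
route_lookup() {
    printf '%s\n' "$ROUTES" | awk -v dst="$1" '
        # dotted quad -> 32-bit integer (exact in awk doubles)
        function ip2int(s,    p) { split(s, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        # network part of ip for a prefix length, without bit operators
        function netof(ip, plen,    blk) { blk = 2 ^ (32 - plen); return int(ip / blk) * blk }
        BEGIN { d = ip2int(dst); best = -1 }
        NF == 0 { next }
        {
            spec = $1
            if (spec == "default") spec = "0.0.0.0/0"        # the /0 route catches everything
            if (index(spec, "/") == 0) spec = spec "/32"     # bare address = host route
            split(spec, parts, "/"); net = ip2int(parts[1]); plen = parts[2] + 0
            if (netof(d, plen) != netof(net, plen)) next     # dst is not inside this prefix
            via = "-"; dev = "-"
            for (i = 2; i < NF; i++) { if ($i == "via") via = $(i+1); if ($i == "dev") dev = $(i+1) }
            if (plen > best) { best = plen; hit = spec " " dev " " via }   # longer prefix wins
        }
        END { if (best < 0) print "unreachable"; else print hit }'
}

if [ "${1:-}" = "--demo" ]; then
    # Two addresses in each half of the space, the VPN server itself, and a LAN host
    for ip in 8.8.8.8 200.1.1.1 188.72.115.3 10.0.1.7; do
        printf '%-15s -> %s\n' "$ip" "$(route_lookup "$ip")"
    done
fi
```

Run it with `--demo` to see that 8.8.8.8 and 200.1.1.1 both leave via tun0 (one through each /1), while 188.72.115.3 stays on eth0 through the LAN gateway. Swap ROUTES for the "before" table (default via eth0 only) and every lookup lands on eth0, which is what "cannot route through VPN" looks like from the kernel's side.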
mafredri
Posts: 371
Joined: Sat Mar 22, 2014 8:41 am

Re: 2.84 - Cannot route through VPN

Post by mafredri »

Also, I would not recommend the --daemon parameter if you're using the while loop, since it won't work then. If you really want to get this init.d working I recommend looking at how some other programs are implemented there. So far I have not bothered to implement this as an init script, so I can't really help you there :P.

Some tips for init mode:
  1. Modify start.sh to trap interrupt/kill signals, run openvpn as a child process in it and always wait for it in the loop.

    Code:

    ...

    cleanup() {
      # Stop the openvpn child, then leave the loop for good
      kill $OPENVPN_PID
      exit 0
    }

    trap cleanup INT TERM

    while true; do
      openvpn &        # placeholder: the real openvpn invocation goes here
      OPENVPN_PID=$!

      wait             # block until openvpn exits, then restart it after a pause
      sleep 5
    done

  2. Call start.sh from your init.d script and send a kill signal to start.sh when you wish to stop your script
PS. Code not to be taken literally, it should work but still it's only there if you wish to explore that path.
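A fuller version of the supervisor loop sketched in the tips above, added here as an example and not one of the scripts from the thread: it runs the daemon as a child, waits on that child's PID, restarts it after a delay, and on INT or TERM kills the child and exits instead of restarting it. The pid-file path in the usage comment is an assumption; the openvpn invocation in the demo branch reuses the config location dhstsw posted later in the thread. The reason --daemon breaks this kind of loop is visible in the code: openvpn would fork and the parent would exit at once, so `wait` would return immediately and the loop would keep spawning copies.

```shell
#!/bin/sh
# Supervisor loop for a foreground daemon (e.g. openvpn without --daemon):
# run it as a child, wait for it, restart after a delay, and on INT/TERM
# forward the signal to the child and exit instead of restarting it.
# Example added by the editor; not one of the scripts posted in the thread.

RESTART_DELAY=${RESTART_DELAY:-5}   # seconds to pause before a restart
CHILD_PID=                          # PID of the current child, for cleanup()

cleanup() {
    # Kill the child we are supervising, reap it, then leave for good.
    if [ -n "$CHILD_PID" ]; then
        kill "$CHILD_PID" 2>/dev/null
        wait "$CHILD_PID" 2>/dev/null
    fi
    exit 0
}

# supervise MAX_RUNS COMMAND [ARGS...]
#   Runs COMMAND until it has exited MAX_RUNS times (0 = forever), then returns
#   the last exit status. Uses `wait PID` rather than a bare `wait`, so the
#   status is the child's and not that of some unrelated background job.
supervise() {
    max_runs=$1; shift
    runs=0
    trap cleanup INT TERM
    while :; do
        "$@" &
        CHILD_PID=$!
        wait "$CHILD_PID"
        status=$?
        CHILD_PID=
        runs=$((runs + 1))
        if [ "$max_runs" -gt 0 ] && [ "$runs" -ge "$max_runs" ]; then
            return "$status"
        fi
        sleep "$RESTART_DELAY"
    done
}

# Usage from an init script (pid-file path is an assumption, not from the thread):
#   start: /path/to/this.sh --demo & echo $! > /var/run/openvpn-supervisor.pid
#   stop:  kill "$(cat /var/run/openvpn-supervisor.pid)"   # trap takes openvpn down too
if [ "${1:-}" = "--demo" ]; then
    supervise 0 openvpn --config /share/Download/vpn/vpnserver.ovpn
fi
```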
dhstsw
Posts: 154
Joined: Sat Aug 02, 2014 2:02 am

Re: 2.84 - Cannot route through VPN

Post by dhstsw »

mafredri wrote: It looks like your openvpn is still manually adding the routes as well. Does your .ovpn file include

Code:

redirect-gateway def1

? If so, try commenting it out or removing it entirely.

Nope.
That's the .ovpn:

Code:

client
dev tun
proto udp
remote ip.ofthe.vpnserver 53
persist-key
persist-tun
ca /share/Download/vpn/certificate.crt
tls-auth /share/Download/vpn/key.key 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
route-method exe
route-delay 2
route 0.0.0.0 0.0.0.0
auth-user-pass /share/Download/vpn/login.txt
auth-retry interact
explicit-exit-notify 2
ifconfig-nowarn
auth-nocache

I also tried removing the following:

Code:

route-method exe
route-delay 2
route 0.0.0.0 0.0.0.0
But the result is the same.

As for the example code, I deeply thank you, but that's far beyond my very light knowledge of sh and Linux :)
AS-304T
If you own a series 2/3/6 Asustor it's very likely you won't get XBMC 13.x/Kodi.
But easily you'll end buying a kitchen from UK.
mafredri
Posts: 371
Joined: Sat Mar 22, 2014 8:41 am

Re: 2.84 - Cannot route through VPN

Post by mafredri »

Just to make sure there aren't routes left over on your system, I would recommend you do a reboot and make sure you use the start.sh and route-up.sh from the bottom of my last post (do not try to set any variables yourself except for ETH and TUN). Also, use this config.ovpn (I've removed the routes and changed auth-retry):

Code:

client
dev tun
proto udp
remote ip.ofthe.vpnserver 53
persist-key
persist-tun
ca /share/Download/vpn/certificate.crt
tls-auth /share/Download/vpn/key.key 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20
auth-user-pass /share/Download/vpn/login.txt
auth-retry nointeract
explicit-exit-notify 2
ifconfig-nowarn
auth-nocache
Post your routes (ip route) after the reboot (before running openvpn) and once again after you have started it through start.sh.
dhstsw
Posts: 154
Joined: Sat Aug 02, 2014 2:02 am

Re: 2.84 - Cannot route through VPN

Post by dhstsw »

ip route before:

Code:

default via 10.0.1.2 dev eth0
10.0.1.0/24 dev eth0  src 10.0.1.150
ip route after:

Code:

0.0.0.0/1 via 188.72.115.129 dev tun0
default via 10.0.1.2 dev eth0
10.0.1.0/24 dev eth0  src 10.0.1.150
128.0.0.0/1 via 188.72.115.129 dev tun0
188.72.115.3 via 10.0.1.2 dev eth0
188.72.115.128/26 dev tun0  src 188.72.115.137
Launching it gives me:

Code:

root@asustor:/volume1/.@root # insmod: can't read '/lib/modules/3.4.26/arc4.ko': No such file or directory
insmod: can't read '/lib/modules/3.4.26/zlib_deflate.ko': No such file or directory
Tue Dec 29 11:22:37 2015 OpenVPN 2.3.8 i686-asustor-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Nov  6 2015
Tue Dec 29 11:22:37 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.06
Tue Dec 29 11:22:37 2015 WARNING: file '/share/Download/vpn/login.txt' is group or others accessible
Tue Dec 29 11:22:37 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 29 11:22:37 2015 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Dec 29 11:22:37 2015 WARNING: file '/share/Download/vpn/Wdc.key' is group or others accessible
Tue Dec 29 11:22:37 2015 Control Channel Authentication: using '/share/Download/vpn/Wdc.key' as a OpenVPN static key file
Tue Dec 29 11:22:37 2015 UDPv4 link local (bound): [undef]
Tue Dec 29 11:22:37 2015 UDPv4 link remote: [AF_INET]188.72.115.3:53
Tue Dec 29 11:22:43 2015 [PureVPN] Peer Connection Initiated with [AF_INET]188.72.115.3:53
Tue Dec 29 11:22:45 2015 TUN/TAP device tun0 opened
Tue Dec 29 11:22:45 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Dec 29 11:22:45 2015 /sbin/ifconfig tun0 188.72.115.137 netmask 255.255.255.192 mtu 1500 broadcast 188.72.115.191
RTNETLINK answers: File exists
Error: an inet address is expected rather than "dev".
Error: an inet address is expected rather than "dev".
RTNETLINK answers: No such file or directory
RTNETLINK answers: No such file or directory
Stopping transmission-daemon
sed: /usr/local/AppCentral/transmission/config/settings.json: No such file or directory
Starting transmission-daemon
Tue Dec 29 11:22:50 2015 Initialization Sequence Completed
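Two lines in the log above deserve more attention than the routing: "WARNING: No server certificate verification method has been enabled" means any certificate signed by the provider's CA, including another customer's client certificate, would be accepted as the VPN server, and "file ... is group or others accessible" means the password file and the tls-auth key can be read by every local account. As an added example, not code from the thread, here is a small lint in POSIX sh that checks a client .ovpn for both, plus the redirect-gateway line discussed earlier in this thread. The list of directives that count as a verification method is my reading of OpenVPN 2.3 (remote-cert-tls server is the one to add); the permission test reproduces OpenVPN's own rule (any group or other bit set); file paths in the config are assumed to contain no whitespace.

```shell
#!/bin/sh
# Lint an OpenVPN client config for the warnings seen in the posted log:
# no server certificate verification, and credential files readable by
# group/others. Example added by the editor, not code from the thread.

# Mirrors OpenVPN's "group or others accessible" check (any g/o permission
# bit set). Parses `ls -l` so it also works on busybox without stat -c.
group_or_other_accessible() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# ovpn_lint CONFIG  -> prints one finding per line; returns 1 if any, else 0.
ovpn_lint() {
    cfg=$1
    findings=0

    # 1. Without one of these (list: my reading of OpenVPN 2.3), any cert
    #    signed by the CA is accepted as the server: the MITM warning.
    if ! grep -Eq '^[[:space:]]*(remote-cert-tls|remote-cert-ku|remote-cert-eku|ns-cert-type|verify-x509-name|tls-remote|tls-verify)([[:space:]]|$)' "$cfg"; then
        echo "no server certificate verification: add 'remote-cert-tls server'"
        findings=$((findings + 1))
    fi

    # 2. Secret-bearing files named in the config must be mode 600.
    #    (Paths are assumed to contain no whitespace.)
    for f in $(awk '$1 ~ /^(auth-user-pass|tls-auth|key|secret)$/ && NF >= 2 { print $2 }' "$cfg"); do
        case $f in /*) ;; *) f=$(dirname "$cfg")/$f ;; esac   # relative to the config
        if [ ! -e "$f" ]; then
            echo "missing credential file: $f"
            findings=$((findings + 1))
        elif group_or_other_accessible "$f"; then
            echo "$f is group or others accessible: chmod 600 '$f'"
            findings=$((findings + 1))
        fi
    done

    # 3. redirect-gateway and a --route-up script that installs its own
    #    routes fight over the default route (the point raised earlier).
    if grep -Eq '^[[:space:]]*redirect-gateway' "$cfg"; then
        echo "redirect-gateway present: drop it if a route-up script manages routes"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    ovpn_lint "$2"
fi
```

Usage: `sh lint.sh --check /share/Download/vpn/vpnserver.ovpn`. A clean run prints nothing and exits 0, which makes it usable as a guard in start.sh before openvpn is launched.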
mafredri
Posts: 371
Joined: Sat Mar 22, 2014 8:41 am

Re: 2.84 - Cannot route through VPN

Post by mafredri »

dhstsw wrote: ip route before:

...

ip route after:

...

Launching it gives me:

...

You need to go through your scripts and make sure they are the ones I mentioned in my previous post.

From

Code:

128.0.0.0/1 via 188.72.115.129 dev tun0
I know that you are not using the scripts I mentioned, this is the old script I posted a while back, otherwise 128.0.0.0/1 would not get added to the routes.

Also, with regard to

Code:

sed: /usr/local/AppCentral/transmission/config/settings.json: No such file or directory

you don't seem to be using my version of Transmission downloadable from the forum, so you need to figure out where its settings.json is and update the script appropriately.
dhstsw
Posts: 154
Joined: Sat Aug 02, 2014 2:02 am

Re: 2.84 - Cannot route through VPN

Post by dhstsw »

Fixed the transmission with your version.

These are the scripts I use:

To run everything I call (symlinked from /usr/local/etc/init.d/) this, which is here: /volume1/.@plugins/AppCentral/openvpn/CONTROL/start-stop.sh

Code:

#!/bin/sh
# Start the supervisor loop in the background so the init.d chain is not blocked
/volume1/.@plugins/AppCentral/openvpn/CONTROL/start.sh &
exit

Not elegant, but it daemonizes what follows, allowing the init.d chain to go on.

It calls /volume1/.@plugins/AppCentral/openvpn/CONTROL/start.sh, which is:

Code:

#!/bin/sh
# filename: /root/openvpn/start.sh

SERVER=vpnserver.ovpn

# Load the kernel modules openvpn needs (harmless when they are built into the kernel)
/etc/script/vpn.sh insmod

# Keep openvpn in the foreground and restart it if it ever exits
while true; do
    openvpn --config /share/Download/vpn/$SERVER \
        --mute-replay-warnings \
        --script-security 2 \
        --route-up /volume1/.@plugins/AppCentral/openvpn/CONTROL/route-up.sh
    sleep 5
done

As per the script, it first calls /etc/script/vpn.sh (with insmod), then launches openvpn, which uses --route-up to call route-up.sh, which is:

Code:

#!/bin/sh
# filename: /root/openvpn/route-up.sh
# Run by openvpn via --route-up; openvpn exports trusted_ip, route_net_gateway,
# ifconfig_local and ifconfig_remote into the environment before calling it.

IP=/root/openvpn/ip
ETH=eth0
TUN=tun0

# Cleanup
$IP route flush table 42

# Host route for the VPN server via the LAN gateway; the next two steer traffic into the tunnel
$IP route add $trusted_ip via $route_net_gateway dev $ETH
$IP route add ${trusted_ip%%.*}.0.0.0/1 via $ifconfig_remote dev $TUN
$IP route add 0.0.0.0/1 via $ifconfig_remote dev $TUN table 42

# Traffic to or from the tunnel address is looked up in table 42
$IP rule del from all to $ifconfig_local lookup 42
$IP rule del from $ifconfig_local lookup 42
$IP rule add from all to $ifconfig_local lookup 42
$IP rule add from $ifconfig_local lookup 42

# Make sure transmission is stopped
/usr/local/AppCentral/transmission/CONTROL/start-stop.sh stop
# Wait a bit
sleep 5

# Update IP (-i -e: edit in place; "-ie" would leave a settings.jsone backup behind)
sed -i -e "s/\(.*ipv4\": \"\)[^\"]*\(.*\)/\1${ifconfig_local}\2/g" /usr/local/AppCentral/transmission/config/settings.json
# Start Transmission
/usr/local/AppCentral/transmission/CONTROL/start-stop.sh start

Of course, I copied the "ip" you gave me to /root/openvpn/
Unless I'm missing something, I'm using the scripts in the previous posts (?).
mafredri
Posts: 371
Joined: Sat Mar 22, 2014 8:41 am

Re: 2.84 - Cannot route through VPN

Post by mafredri »

dhstsw wrote: Fixed the transmission with your version.

...

Of course, i copied the "ip" you gave me to /root/openvpn/
Unless i'm losing something, i'm using the scripts in the previous posts (?).
Hmm, all that looks fine to me, and unless you're accidentally calling another script somewhere, or the contents of the script being called are not what you expect, I really don't understand where

Code:

128.0.0.0/1 via 188.72.115.129 dev tun0
is coming from, it should not be present in your routing table from what I can gather.

It should be:

Code:

188.0.0.0/1 via 188.72.115.129 dev tun0
dhstsw
Posts: 154
Joined: Sat Aug 02, 2014 2:02 am

Re: 2.84 - Cannot route through VPN

Post by dhstsw »

Maybe it's related to problems with the /etc/script/vpn.sh insmod?

When I execute it by itself I get:

Code:

root@asustor:/volume1/.@root # /etc/script/vpn.sh insmod
insmod: can't read '/lib/modules/3.4.26/arc4.ko': No such file or directory
insmod: can't read '/lib/modules/3.4.26/zlib_deflate.ko': No such file or directory
Also, I get some errors when executing route-up.sh by itself:

Code:

root@asustor:/volume1/.@root # /volume1/.@plugins/AppCentral/openvpn/CONTROL/route-up.sh
Error: an inet address is expected rather than "dev".
Error: an inet prefix is expected rather than ".0.0.0/1".
Error: an inet address is expected rather than "dev".
Error: an inet prefix is expected rather than "lookup".
Error: an inet prefix is expected rather than "lookup".
Error: an inet prefix is expected rather than "lookup".
Error: an inet prefix is expected rather than "lookup".
net.core.rmem_max = 4194304
net.core.wmem_max = 1048576
Stopping transmission-daemon
net.core.rmem_max = 4194304
net.core.wmem_max = 1048576
Starting transmission-daemon
mafredri
Posts: 371
Joined: Sat Mar 22, 2014 8:41 am

Re: 2.84 - Cannot route through VPN

Post by mafredri »

dhstsw wrote: Maybe it's related to problems with the /etc/script/vpn.sh insmod?

When I execute it by itself I get:

...

These are not problems; they're not required, as the modules are built into the kernel. I've notified Asustor of this, but it seems they don't care enough to fix it since it's mostly a visual problem.

dhstsw wrote: Also, I get some errors when executing route-up.sh by itself:

...

Hmm, these errors must come either from missing variables or from the script not using the ip binary I provided.

You could try posting the output after running it with the following script (I added echo statements and a final env at the end, which will print out all environment variables):

Code:

#!/bin/sh
# filename: /root/openvpn/route-up.sh
# Debug version: echoes every ip command with the openvpn-provided variables
# expanded before actually running it, then dumps the environment.

IP=/root/openvpn/ip
ETH=eth0
TUN=tun0

# Cleanup
$IP route flush table 42

# Show exactly what will be run (empty variables show up as gaps here)
echo $IP route add $trusted_ip via $route_net_gateway dev $ETH
echo $IP route add ${trusted_ip%%.*}.0.0.0/1 via $ifconfig_remote dev $TUN
echo $IP route add 0.0.0.0/1 via $ifconfig_remote dev $TUN table 42

echo $IP rule del from all to $ifconfig_local lookup 42
echo $IP rule del from $ifconfig_local lookup 42
echo $IP rule add from all to $ifconfig_local lookup 42
echo $IP rule add from $ifconfig_local lookup 42

$IP route add $trusted_ip via $route_net_gateway dev $ETH
$IP route add ${trusted_ip%%.*}.0.0.0/1 via $ifconfig_remote dev $TUN
$IP route add 0.0.0.0/1 via $ifconfig_remote dev $TUN table 42

$IP rule del from all to $ifconfig_local lookup 42
$IP rule del from $ifconfig_local lookup 42
$IP rule add from all to $ifconfig_local lookup 42
$IP rule add from $ifconfig_local lookup 42

# Make sure transmission is stopped
/usr/local/AppCentral/transmission/CONTROL/start-stop.sh stop
# Wait a bit
sleep 5

# Update IP (-i -e: edit in place; "-ie" would leave a settings.jsone backup behind)
sed -i -e "s/\(.*ipv4\": \"\)[^\"]*\(.*\)/\1${ifconfig_local}\2/g" /usr/local/AppCentral/transmission/config/settings.json
# Start Transmission
/usr/local/AppCentral/transmission/CONTROL/start-stop.sh start

# Dump the environment openvpn passed to this script
env