Hi there,
I’ve been banging at this for the past couple of days with some small progress from what I can find here and on the general web.
So basically my OpenVPN client connection can be established with my VPN vendor, but I can’t actually get any communication flowing through the TUN pipe. From what I’ve gathered so far, it seems that my big problem here might have something to do with the way connman handles network interfaces, or how it handles routes. And I’ll note that my OpenVPN connection has worked with my previous Raspberry Pis running both Raspbian and OpenELEC.
I thought that perhaps installing connman-vpn might help, and in fact one attempt did lead to the error you’ll see below concerning the routing table going away; however, communication over the VPN was still not occurring (I can confirm this because my iptables rules force all but local IPs to communicate through tun or not at all). At any rate that progress is gone and I am still left with the current error. I could be wrong, but it seems that because my default gateway is not being updated to the VPN’s gateway, I am left unable to communicate with the VPN server.
What am I missing?
What happens when I start OpenVPN
osmc@osmc:~$ sudo systemctl restart openvpn@btguard.service
osmc@osmc:~$ sudo systemctl status openvpn@btguard.service
● openvpn@btguard.service - OpenVPN connection to btguard
Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled)
Active: active (running) since Thu 2015-08-20 20:29:30 EDT; 6s ago
Process: 918 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=0/SUCCESS)
Main PID: 919 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@btguard.service
└─919 /usr/sbin/openvpn --daemon ovpn-btguard --status /run/openvpn/btguard.status 10 --cd /etc/openvpn --config /etc/op...
Aug 20 20:29:33 osmc ovpn-btguard[919]: TUN/TAP TX queue length set to 100
Aug 20 20:29:33 osmc ovpn-btguard[919]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Aug 20 20:29:33 osmc ovpn-btguard[919]: /sbin/ip link set dev tun0 up mtu 1500
Aug 20 20:29:33 osmc ovpn-btguard[919]: /sbin/ip addr add dev tun0 local 10.10.10.118 peer 10.10.10.117
Aug 20 20:29:33 osmc ovpn-btguard[919]: /sbin/ip route add 63.142.161.20/32 via 192.168.0.1
Aug 20 20:29:33 osmc ovpn-btguard[919]: /sbin/ip route del 0.0.0.0/0
Aug 20 20:29:33 osmc ovpn-btguard[919]: /sbin/ip route add 0.0.0.0/0 via 10.10.10.117
Aug 20 20:29:33 osmc ovpn-btguard[919]: ERROR: Linux route add command failed: external program exited with error status: 2
Aug 20 20:29:33 osmc ovpn-btguard[919]: /sbin/ip route add 10.10.10.1/32 via 10.10.10.117
Aug 20 20:29:33 osmc ovpn-btguard[919]: Initialization Sequence Completed
routes:
osmc@osmc:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
10.10.10.1 10.10.10.121 255.255.255.255 UGH 0 0 0 tun0
10.10.10.121 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
63.142.161.20 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
osmc@osmc:~$
ifconfig
osmc@osmc:~$ sudo ifconfig
eth0 Link encap:Ethernet HWaddr b8:27:eb:27:03:2a
inet addr:192.168.0.21 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::ba27:ebff:fe27:32a/64 Scope:Link
inet6 addr: 2601:183:4201:83eb:ba27:ebff:fe27:32a/64 Scope:Global
UP BROADCAST RUNNING MULTICAST DYNAMIC MTU:1500 Metric:1
RX packets:109258 errors:0 dropped:0 overruns:0 frame:0
TX packets:32300 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:150579734 (143.6 MiB) TX bytes:3646962 (3.4 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:514 errors:0 dropped:0 overruns:0 frame:0
TX packets:514 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:46725 (45.6 KiB) TX bytes:46725 (45.6 KiB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.10.122 P-t-P:10.10.10.121 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
connman-vpn conf file:
[global]
Name = BTGuard
Description = VPN for BTGuard
[provider_openvpn]
Type = OpenVPN
Name = BTGuard
Host = vpn.btguard.com
Domain = btguard.com
OpenVPN.CACert = /etc/openvpn/btguard.ca.crt
OpenVPN.Proto = UDP
OpenVPN.Port = 1194
OpenVPN.AuthUserPass = /etc/openvpn/btguard.user
Finally, IPTables:
#Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Allow all local traffic
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT
#Allow VPN establishment
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p udp --sport 1194 -j ACCEPT
#Accept all TUN connections (tun = VPN tunnel)
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
#Logging
iptables -A INPUT -j LOG --log-prefix "iptables drop: "
iptables -A FORWARD -j LOG --log-prefix "iptables drop: "
iptables -A OUTPUT -j LOG --log-prefix "iptables drop: "
#Set default policies to drop all other communication
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
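As an added example, not part of the original post or any OSMC/connman tooling: a small POSIX shell check that parses `route -n` output and OpenVPN log text like the ones above and reports whether the default route actually moved onto the tunnel or is still leaking via the physical interface. The sample data is constructed from the post's own output; on a live box you would feed it `route -n` and `journalctl -u openvpn@btguard` instead.

```shell
#!/bin/sh
# Added example: diagnose "VPN is up but the default route never moved".
# The functions take text as their first argument so they run offline.

# Interface carrying the default route (Destination 0.0.0.0 in `route -n`).
default_route_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $NF; exit }'
}

# Number of routes that point at a tun device (host routes alone are not enough).
tun_route_count() {
    printf '%s\n' "$1" | awk '$NF ~ /^tun/ { n++ } END { print n + 0 }'
}

# "failed" if the OpenVPN log shows a route command failing, else "ok".
route_add_status() {
    if printf '%s\n' "$1" | grep -q 'route add command failed'; then
        echo failed
    else
        echo ok
    fi
}

# Verdict: "tunnel" when the default route sits on a tun device,
# "leak" when it still points at a physical interface such as eth0.
vpn_verdict() {
    case "$(default_route_iface "$1")" in
        tun*) echo tunnel ;;
        *)    echo leak ;;
    esac
}

# Constructed sample, copied from the post's `route -n` output.
SAMPLE_ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
10.10.10.1 10.10.10.121 255.255.255.255 UGH 0 0 0 tun0
10.10.10.121 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
63.142.161.20 192.168.0.1 255.255.255.255 UGH 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0'

# Constructed sample, trimmed from the post's OpenVPN journal lines.
SAMPLE_LOG='ovpn-btguard[919]: /sbin/ip route del 0.0.0.0/0
ovpn-btguard[919]: /sbin/ip route add 0.0.0.0/0 via 10.10.10.117
ovpn-btguard[919]: ERROR: Linux route add command failed: external program exited with error status: 2'

echo "default route via: $(default_route_iface "$SAMPLE_ROUTES")"
echo "tun routes: $(tun_route_count "$SAMPLE_ROUTES")"
echo "verdict: $(vpn_verdict "$SAMPLE_ROUTES"), route add: $(route_add_status "$SAMPLE_LOG")"
```

A "leak" verdict together with "route add: failed" is exactly the state in the post: the tunnel interface exists, but only host routes reach it, so with the OUTPUT DROP policy above nothing but LAN and the 1194/udp handshake can leave the box.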