Raspi2B with OSMC as OpenVPN Gateway

Hi,
I'm new to this and not a native English speaker, so please have a heart :wink:

I'm using OSMC on a Raspi 2B, but I also have a Raspi B+ with Raspbmc on it.

On the B+ I managed to use it as Raspbmc and also as an OpenVPN gateway that drops all packets that don't go over the tunnel.
As the Raspi B+ is a little slow at encrypting and can't use the full speed, I decided to use my new Raspi 2B as the OpenVPN gateway.

I installed OpenVPN and configured it (wasn't easy without root :disappointed: ).
I tried to use the same iptables as I have on the B+ and that worked.
But then I realised that if the connection to the VPN was lost it didn't drop the packets.
So I tried to also use the interface settings from the B+ with different IPs, but then it completely fucked up the whole networking.
Now the OpenVPN connection isn't working as a gateway, but I don't know very much about the tricky iptables, so I decided to ask you for help. For the B+ it was chaotic work and luck, and I can't figure out what I'm doing wrong now or what I did right back then :confounded:

Is there any “out of the box” solution for OSMC to work as a VPN gateway and drop the packets if they are not going over the VPN?
Or is it just so simple that I can't find it?
In the end it should work with OSMC running on it and as a VPN gateway for the other devices, and if the connection to the VPN is lost, it should block all traffic.

Maybe for people with a better understanding of all this, I'll post the configs I have from different guides. As I am a complete noob, you can see that even in the working one not everything is good, but it works :wink:

At first, the working config on the B+:

ifconfig

eth0      Link encap:Ethernet  HWaddr b8:27:eb:f1:16:40  
          inet addr:192.168.2.221  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:494973 errors:0 dropped:1 overruns:0 frame:0
          TX packets:432466 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:248040480 (236.5 MiB)  TX bytes:236952372 (225.9 MiB)

eth0:0    Link encap:Ethernet  HWaddr b8:27:eb:f1:16:40  
          inet addr:192.168.2.222  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.15.32.142  P-t-P:10.15.32.142  Mask:255.255.255.128
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:239453 errors:0 dropped:0 overruns:0 frame:0
          TX packets:176717 errors:0 dropped:7703 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:182268441 (173.8 MiB)  TX bytes:19262387 (18.3 MiB)

/etc/network/interfaces:

# loopback
auto lo
iface lo inet loopback

# own network
auto eth0
iface eth0 inet static
address 192.168.2.221
netmask 255.255.255.0
gateway 192.168.2.1
dns-nameservers 213.73.91.35

auto eth0:0
iface eth0:0 inet static
address 192.168.2.222

/etc/rc.local:

# Print the IP address
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
  printf "My IP address is %s\n" "$_IP"
fi
iptables -I FORWARD ! -o tun0 -s 192.168.2.0/24 -j DROP
exit 0

/etc/iptables/rules.v4:

# Generated by iptables-save v1.4.14 on Wed Feb 18 20:00:19 2015
*nat
:PREROUTING ACCEPT [2485:193594]
:INPUT ACCEPT [1390:126953]
:OUTPUT ACCEPT [401:77941]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
# Completed on Wed Feb 18 20:00:19 2015
# Generated by iptables-save v1.4.14 on Wed Feb 18 20:00:19 2015
*filter
:INPUT ACCEPT [6243:4177912]
:FORWARD ACCEPT [6228:4058668]
:OUTPUT ACCEPT [2729:1039713]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -s 92.63.88.87/32 -j DROP
-A INPUT -s 92.63.88.97/32 -j DROP
-A INPUT -s 92.63.88.100/32 -j DROP
-A INPUT -s 92.63.88.105/32 -j DROP
-A INPUT -s 92.63.88.106/32 -j DROP
-A INPUT -s 92.63.88.108/32 -j DROP
-A FORWARD -s 192.168.2.0/24 -i eth0:0 -o eth0 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/24 -i eth0:0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Wed Feb 18 20:00:19 2015

/etc/sysctl.conf:

# Uncomment the next line to enable packet forwarding for IPv4  (the only thing that was changed)
net.ipv4.ip_forward=1

And here are the configs from the Raspi 2B with OSMC:

ifconfig

eth0      Link encap:Ethernet  HWaddr b8:27:eb:41:d5:12  
          inet addr:192.168.2.210  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST DYNAMIC  MTU:1500  Metric:1
          RX packets:5569 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1896 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:476760 (465.5 KiB)  TX bytes:328995 (321.2 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1440 (1.4 KiB)  TX bytes:1440 (1.4 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.15.32.136  P-t-P:10.15.32.136  Mask:255.255.255.128
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:336 errors:0 dropped:0 overruns:0 frame:0
          TX packets:337 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:25150 (24.5 KiB)  TX bytes:25074 (24.4 KiB)

/etc/network/interfaces:

# loopback
auto lo
iface lo inet loopback

# own network
auto eth0
iface eth0 inet static
address 192.168.2.210
netmask 255.255.255.0
gateway 192.168.2.1
dns-nameservers 8.8.8.8

auto eth0:0
iface eth0:0 inet static
address 192.168.2.209

/etc/rc.local:

# Print the IP address
_IP=$(hostname -I) || true
if [ "$_IP" ]; then
  printf "My IP address is %s\n" "$_IP"
fi
iptables -I FORWARD ! -o tun0 -s 192.168.2.0/24 -j DROP
exit 0

/etc/iptables/rules.v4:

# Generated by iptables-save v1.4.14 on Wed Feb 18 20:00:19 2015
*nat
:PREROUTING ACCEPT [2485:193594]
:INPUT ACCEPT [1390:126953]
:OUTPUT ACCEPT [401:77941]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Feb 18 20:00:19 2015
# Generated by iptables-save v1.4.14 on Wed Feb 18 20:00:19 2015
*filter
:INPUT ACCEPT [6243:4177912]
:FORWARD ACCEPT [6228:4058668]
:OUTPUT ACCEPT [2729:1039713]
-A FORWARD -s 192.168.2.0/24 -i eth0:0 -o eth0 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.2.0/24 -i eth0:0 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Wed Feb 18 20:00:19 2015

/etc/sysctl.conf:

# Uncomment the next line to enable packet forwarding for IPv4  (the only thing that was changed)
net.ipv4.ip_forward=1
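An added example, not from this thread or from OSMC, showing the fail-closed version of the ruleset posted above. Two things in the posted configs are worth knowing before copying them: iptables `-i eth0:0` / `-o eth0` matches real kernel device names, and `eth0:0` is only an address alias on `eth0`, so the two FORWARD rules in rules.v4 never match and the only thing actually blocking traffic on the B+ is the `-I FORWARD ! -o tun0 ... -j DROP` line in rc.local; and the 2B's rules.v4 appends to a `fail2ban-ssh` chain it never declares, so `iptables-restore` rejects that filter table. The script below makes the kill switch a static ruleset with a DROP policy on FORWARD, so it holds whether or not `tun0` exists and needs no if-up.d hook. Network, interface and file-path values are assumptions taken from the page and can be overridden through the environment; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): a fail-closed kill switch for a Pi
# that routes LAN clients into an OpenVPN tunnel. With the FORWARD policy at
# DROP, LAN traffic can only be forwarded into tun0; when the tunnel drops
# there is simply no matching ACCEPT, so nothing needs an if-up/if-down hook.
#
# Assumptions, taken from the configs on this page (override via environment):
LAN_NET="${LAN_NET:-192.168.2.0/24}"   # network the client devices sit on
LAN_IF="${LAN_IF:-eth0}"               # real device name; "eth0:0" is an address
                                        # alias and never matches -i/-o in iptables
VPN_IF="${VPN_IF:-tun0}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"  # iptables-persistent's file

# Print the complete ruleset in iptables-save format.
kill_switch_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT client traffic out of the tunnel only. Deliberately no MASQUERADE on
# $LAN_IF: that rule would hand forwarded traffic to the home router.
-A POSTROUTING -s $LAN_NET -o $VPN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Clients may open flows into the tunnel; only replies come back out of it.
-A FORWARD -i $LAN_IF -o $VPN_IF -s $LAN_NET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN_IF -d $LAN_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Explicit catch-all so "iptables -L FORWARD -v" shows a counter for leaks
# that the policy would drop anyway (this is the page's rc.local rule).
-A FORWARD -s $LAN_NET ! -o $VPN_IF -j DROP
COMMIT
EOF
}

# Enable forwarding, persist the ruleset and load it. Prints the ruleset
# instead when not run as root, so it can be reviewed first.
install_kill_switch() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: printing the ruleset instead of installing it" >&2
        kill_switch_rules
        return 1
    fi
    sysctl -w net.ipv4.ip_forward=1 >/dev/null   # also keep it in /etc/sysctl.conf
    kill_switch_rules > "$RULES_FILE"
    iptables-restore < "$RULES_FILE"
}

# Return 0 when the live FORWARD chain really fails closed (policy DROP and
# the catch-all present); run this after install and again after a reboot.
verify_kill_switch() {
    live=$(iptables -S FORWARD) || return 1
    printf '%s\n' "$live" | grep -q -- '^-P FORWARD DROP$' || return 1
    printf '%s\n' "$live" | grep -q -- "! -o $VPN_IF -j DROP$" || return 1
}

case "${1:-}" in
    install) install_kill_switch ;;
    verify)  verify_kill_switch && echo "kill switch active" ;;
    *)       kill_switch_rules ;;
esac
```

Run it as `sudo sh kill-switch.sh install`, then `sudo sh kill-switch.sh verify`; then stop OpenVPN and confirm from a client that nothing gets out. On Debian jessie, which this OSMC build is based on, the iptables-persistent package that owns `/etc/iptables/rules.v4` restores the file at boot through its netfilter-persistent service, so the rc.local insert and the `eth0:0` alias are no longer needed, and the static address can stay in OSMC's own network settings. Two caveats the rules cannot cover: they only govern packets that actually pass through the Pi, so clients must use the Pi as their default gateway and must not send DNS straight to the home router (that traffic never crosses the Pi and leaks), and this is an IPv4 ruleset only; if the LAN has IPv6, the clients' IPv6 default route goes to the router unless that is handled separately.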

What you have shown above is not going to work as is, because OSMC does not use or support /etc/network/interfaces. This is because we use connman as our network manager and it does not use /etc/network/interfaces.

I’m not sure off hand how you would do what you are trying to do or whether it is currently possible as we also don’t support if-up.d scripts at the moment.

Yeah, I thought something like that, because if I changed the IP addresses in the OSMC interface it “overrides” the ones in /etc/network/interfaces.

But as network/interfaces is the default solution, isn't it possible to go back to it and take connman off?

I don't know how, but yesterday I was able to use it as a gateway before I tried to change the interfaces thing. It just didn't drop the traffic if the VPN server was disconnected, but maybe I can live with that.

I'll try to reinstall OSMC and do what I did yesterday, maybe I'll have some luck again :smile:

As the new thread is closed despite it being another problem, I hope someone will answer even if the new problem is different from the one mentioned above.

As mentioned, I completely reinstalled OSMC with 2015.06-1.

But when I tried today to reinstall OpenVPN, it doesn't work now.

I installed it via sudo apt-get install openvpn and copied all the VPN config files to /etc/openvpn/ as I did yesterday and on my other Raspis.

It says that it is running, but in ifconfig there is no tun adapter.

What did I do wrong?

osmc@osmc:~$ sudo /etc/init.d/openvpn start
[ ok ] Starting openvpn (via systemctl): openvpn.service.
osmc@osmc:~$ sudo /etc/init.d/openvpn status
● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled)
   Active: active (exited) since Tue 2015-07-21 17:47:11 UTC; 16min ago
  Process: 668 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 668 (code=exited, status=0/SUCCESS)
osmc@osmc:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:41:d5:12  
          inet addr:192.168.2.210  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST DYNAMIC  MTU:1500  Metric:1
          RX packets:2655 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2054 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:218599 (213.4 KiB)  TX bytes:368880 (360.2 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
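An added example, not from this thread, explaining the status output above. `Process: 668 ExecStart=/bin/true` means Debian's `openvpn.service` is a placeholder that starts nothing; the daemons live in the template unit `openvpn@NAME.service`, one per `/etc/openvpn/NAME.conf`, and a config saved as `NAME.ovpn` is not picked up at all. The script lists what systemd can actually start, checks for a tun device, and prints the commands to start, enable and read the log of each instance. Function names are this example's own; the config directory and unit names are Debian's. That the copied files may have a `.ovpn` extension is an assumption, since the post only says "config files".

```shell
#!/bin/sh
# Added example (not from the thread): why "openvpn.service" can be active
# while no tun device exists. On Debian jessie, which this OSMC build is based
# on, openvpn.service is a placeholder (ExecStart=/bin/true, as in the status
# output above). The daemons are the template instances openvpn@NAME.service,
# one per /etc/openvpn/NAME.conf; a file named NAME.ovpn is not picked up.
# Function names are this example's own; the paths are Debian's.

# List the instance names systemd can start from a config directory, and warn
# on stderr about .ovpn files that would be silently ignored.
openvpn_instances() {
    dir="${1:-/etc/openvpn}"
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        basename "$f" .conf
    done
    for f in "$dir"/*.ovpn; do
        [ -e "$f" ] || continue
        printf 'warning: %s will not start; rename it to %s.conf\n' \
            "$f" "$(basename "$f" .ovpn)" >&2
    done
}

# Return 0 if any tun device exists (looks in /sys/class/net by default).
tun_present() {
    sysdir="${1:-/sys/class/net}"
    for d in "$sysdir"/tun*; do
        [ -e "$d" ] && return 0
    done
    return 1
}

# Print the commands that actually start, persist and debug each instance.
start_commands() {
    openvpn_instances "${1:-/etc/openvpn}" 2>/dev/null | while read -r name; do
        printf 'sudo systemctl start openvpn@%s\n' "$name"
        printf 'sudo systemctl enable openvpn@%s\n' "$name"
        printf 'sudo journalctl -u openvpn@%s -b\n' "$name"
    done
}

# Diagnosis as the poster would run it: list instances, report the tun state.
# Second argument only exists so the check can be pointed at a test directory.
diagnose() {
    dir="${1:-/etc/openvpn}"
    sysdir="${2:-/sys/class/net}"
    n=$(openvpn_instances "$dir" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "no *.conf in $dir: openvpn@ has nothing to start" >&2
        return 1
    fi
    if tun_present "$sysdir"; then
        echo "tun device present"
    else
        echo "no tun device; start the instance and read its log:" >&2
        start_commands "$dir"
    fi
}
```

Running `sh openvpn-check.sh` is not needed; source it and call `diagnose`, or just run the printed `systemctl start openvpn@NAME` and `journalctl -u openvpn@NAME -b` by hand. If the journal shows the instance starting and then exiting, the usual reasons are a missing certificate or key referenced by a relative path (the unit runs with `/etc/openvpn` as its working directory) or a credentials file it cannot read.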