I posted this to the OpenVPN official forum, but it seems pretty dead over there...

 

I'm trying to set up a Debian VPS as a "repeater" between myself and my commercial VPN provider.  OpenVPN AS is working fine on the VPS, but as soon as I run the client (to connect to the commercial VPN), all other traffic is cut off.  This includes SSH, HTTPS, and HTTP.  The only way to regain access is to reboot the VPS via the host's control panel.  However, the commercial VPN control panel shows that the connection is active and passing traffic (minimal traffic [probably just DNS], but traffic nonetheless).

 

I'm guessing I have to make changes in iptables somewhere, but I have no idea where to start.  I've found threads on other forums where people have done similar things, but no one with the same problem.

 

I can link the OpenVPN forum thread if anyone cares (as long as it doesn't break LTTF rules; not sure).

Edited by thedigitaldoctor
added more details

"Waddle over to the elevator and we'll continue the testing." - GLaDOS, Portal 2

 

Primary System: Lenovo ThinkPad Edge e540, upgraded with 16GB Kingston RAM & Intel 520 240GB SSD

https://linustechtips.com/topic/572944-openvpn-repeater/

Well, what appears to be happening there is - your VPS starts to route all traffic on its public network interface through the commercial VPN and so you can only connect to it through the commercial VPN.

That's not a firewall issue. That's a network configuration issue.


1 minute ago, Svinsparbriivu said:

That's a network configuration issue.

Should I be looking at the OpenVPN client configuration file then, or somewhere else?  ifconfig?


2 minutes ago, thedigitaldoctor said:

Should I be looking at the OpenVPN client configuration file then, or somewhere else?  ifconfig?

If there's a way of making it work without adding a second network interface to the VPS, it lies in the configuration of the VPN software on the VPS.

I don't have any experience with OpenVPN AS though, and the configuration I've done with OpenVPN has been setting up a by-the-textbook server.


Looks like that thread might indeed have the solution.  I'll post back here when I'm done testing.


No luck so far.  This is the solution from the other thread:

Solved it.

Had to add a specific source routing command

ip route add default via 172.16.0.5 dev tun11 table VPN
ip rule add from 10.8.0.0/16 table VPN

 

To get this to work, I had to write a script and attach it to the client config file:

#!/bin/sh
ip="$(ifconfig | grep -A 1 'eth0' | tail -1 | cut -d ':' -f 2 | cut -d ' ' -f 1)"
ip route add default via $ip dev tun0
ip rule add from 172.28.0.0/16

The "ip" variable is the IP address the VPN service gives the VPS when it connects.  The 172.128.* subnet is what the OpenVPN AS installation on the VPS uses.

 

However, I'm getting this error in the log:

Mon Mar 28 16:50:24 2016 /etc/openvpn/config/onconnect.sh tun0 1500 1560 10.50.4.201 255.255.0.0 init
RTNETLINK answers: File exists

At this point I'm working on the theory that it's an IP conflict, but no solution so far.  If anyone else has any wisdom to dispense, it would be greatly appreciated.


I figured out what was causing the "file exists" error.  My script was trying to create a new default route, but one existed already on the WAN interface (eth0).  So I changed the script to remove the default route on eth0 before adding the new one.  This causes "event_wait : Interrupted system call (code=4)" as there is no longer a path to the internet.

 

This means I need to find some way to only apply the

ip route add default via $ip dev tun0

line in the script to the tun0 interface.


I found something that explains how that solution from the OpenVPN official forum is supposed to work: https://www.thomas-krenn.com/en/wiki/Two_Default_Gateways_on_One_System

 

But because the tun0 interface doesn't get created until the openvpn client is run, I'll have to figure out how to integrate this into the script that runs when the interface is created.


I got the script sorted; no more errors related to it:

#!/bin/sh
ip=$(
    ifconfig tun0 |
    perl -ne 'print $1 if /inet\s.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b/'
)
ip route add default via $ip dev tun0 table rt2
ip rule add from 172.28.0.0/16 table rt2

Still no workie.  I noticed this in the log after the script runs:

Mon Mar 28 19:01:21 2016 /etc/openvpn/config/onconnect.sh tun0 1500 1560 10.50.4.183 255.255.0.0 init
Mon Mar 28 19:01:27 2016 /sbin/ip route add *VPN service public IP*/32 via *VPS gateway*
Mon Mar 28 19:01:27 2016 /sbin/ip route add 0.0.0.0/1 via 10.50.0.1
Mon Mar 28 19:01:27 2016 /sbin/ip route add 128.0.0.0/1 via 10.50.0.1

I wonder if those two last routes the VPN service pushes are causing the problem.

 

Another possible solution; I wonder if adding a second IP (which would end up generating a virtual interface [aka: alias]) would solve the problem.  VPS --> VPN service would connect over one and user device --> VPS would connect over the other...


Fresh new day, fresh new installation.  After unsuccessfully monkeying with trying to get the OpenVPN client on the VPS to only use one interface (I added a second IP), I've decided to wipe the VPS and start from scratch with the second interface.


Much better!  I'm now seeing the OpenVPN client connection status instead of being cut off as soon as it starts the connection process.  It still eventually cuts off though.  These are the last lines I see before it happens:

Tue Mar 29 10:55:03 2016 /sbin/ip route add *VPN service public IP*/32 via *VPS public IP*
Tue Mar 29 10:55:03 2016 /sbin/ip route add 0.0.0.0/1 via 10.30.0.1

I'm guessing it's the second route that's pushed that's causing the problem.  Now I'm working on how to either remove that route after it's created, or use the "route-nopull" option and create the first route with a script of some sort.  The problem with the latter is that the IP address assigned by the VPN service is dynamic, so I need to figure out how to parse the IP from the OpenVPN push settings.


I got the OpenVPN client to connect without it cutting all the traffic off by using the "route-nopull" option.  Now I just need to figure out how to route the traffic coming through the user device --> VPS connection through the VPS --> VPN service connection.  I may save this for another day...

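The remaining step from the last post (sending only the user device --> VPS traffic out through the VPS --> VPN service tunnel, while the VPS itself keeps its eth0 default route) is what the two-default-gateways approach quoted earlier in the thread does. Below is an added example of an OpenVPN up/down hook that puts it together; it is not thedigitaldoctor's script or anything from OpenVPN AS. It assumes "route-nopull" and "script-security 2" in the client config, the hook attached with "up"/"down", the 172.28.0.0/16 client subnet from the thread, and a constructed table id of 200; the gateway comes from the route_vpn_gateway environment variable OpenVPN exports to up scripts.

```sh
#!/bin/sh
# Added example for this thread, not thedigitaldoctor's script: an OpenVPN
# --up/--down hook for the "repeater" VPS.  With "route-nopull" in the client
# config, the commercial VPN's pushed 0.0.0.0/1 and 128.0.0.0/1 routes are never
# installed, so the VPS keeps its eth0 default route (SSH/HTTPS stay reachable).
# Only packets *from* the OpenVPN AS client subnet are steered into the tunnel
# via a second routing table, as in the two-default-gateways write-up.
# Assumed client config:  route-nopull / script-security 2 /
#   up /etc/openvpn/config/repeater.sh / down /etc/openvpn/config/repeater.sh

AS_SUBNET="${AS_SUBNET:-172.28.0.0/16}"  # subnet OpenVPN AS hands to user devices (from the thread)
TABLE="${TABLE:-200}"                     # numeric table id (constructed): no rt_tables entry needed
DRY_RUN="${DRY_RUN:-0}"                   # DRY_RUN=1 prints the commands instead of executing them

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# $1 = tunnel device, $2 = gateway inside the tunnel.  OpenVPN exports the
# latter as $route_vpn_gateway before running the --up script (10.50.0.1 in
# the thread's log), so the dynamic address never has to be parsed by hand.
policy_up() {
    dev="$1"; gw="$2"
    [ -n "$dev" ] && [ -n "$gw" ] || { echo "usage: policy_up DEV GATEWAY" >&2; return 1; }
    # "replace", not "add": a reconnect no longer fails with "RTNETLINK answers: File exists"
    run ip route replace default via "$gw" dev "$dev" table "$TABLE"
    # a stale rule may survive an unclean exit; remove it before adding ours
    run ip rule del from "$AS_SUBNET" lookup "$TABLE" 2>/dev/null || true
    run ip rule add from "$AS_SUBNET" lookup "$TABLE" priority 1000
    # the VPN provider has no route back to 172.28/16, so masquerade it behind the tunnel address
    run iptables -t nat -A POSTROUTING -s "$AS_SUBNET" -o "$dev" -j MASQUERADE
}

# Undo everything on --down so nothing dangles while the tunnel is gone.
policy_down() {
    dev="$1"
    run iptables -t nat -D POSTROUTING -s "$AS_SUBNET" -o "$dev" -j MASQUERADE
    run ip rule del from "$AS_SUBNET" lookup "$TABLE"
    run ip route flush table "$TABLE"
}

# OpenVPN sets $script_type to "up" or "down"; run from a plain shell this is a no-op.
case "${script_type:-}" in
    up)   policy_up   "$1" "${route_vpn_gateway:-}" ;;
    down) policy_down "$1" ;;
esac
```

Run it once with DRY_RUN=1 script_type=up route_vpn_gateway=10.50.0.1 to see the exact commands before letting OpenVPN execute it; the VPS's own traffic never consults table 200, which is why the SSH session survives the connect.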