Client config for OpenVPN/Linux server connection using shared key

Anders Östling

Feb 28, 2021, 4:56:01 AM2/28/21
to tunnelblick-discuss
So, let me rephrase my earlier post.

Ubuntu 20.4/OpenVPN server with shared key secret
MacOS/Big Sur with Tunnelblick VPN client

Connecting through a Netgear FVS router with forwarding of 1195/UDP to the Ubuntu server.

FVS firewall log shows:
2021 Feb 28 10:39:01 [FVS318g] [kernel] WAN2LAN[ACCEPT]  IN=WAN  OUT=LAN SRC=83.249.133.106 DST=10.0.2.13 PROTO=UDP SPT=47084 DPT=1195
2021 Feb 28 10:38:41 [FVS318g] [kernel] WAN2LAN[ACCEPT]  IN=WAN  OUT=LAN SRC=83.249.133.106 DST=10.0.2.13 PROTO=UDP SPT=47084 DPT=1195
                - Last output repeated 8 times -

Ubuntu tcpdump output when connecting:
root@hp-srv05:/var/log/openvpn# tcpdump -i ens3 port 1195
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
10:38:41.376777 IP port389.47084 > hp-srv05.hoganas-platslagaren.se.1195: UDP, length 60
10:38:51.146468 IP port389.47084 > hp-srv05.hoganas-platslagaren.se.1195: UDP, length 60
10:39:01.487123 IP port389.47084 > hp-srv05.hoganas-platslagaren.se.1195: UDP, length 60

"port389" is the DNS/IP of my clients public IP. So traffic flows from the client through the FVS router to the ethernet interface as expected.

Tunnelblick status log: (last lines)

10:38:28 *Tunnelblick:  **********************************************
10:38:28 *Tunnelblick:  Start of output from client.up.tunnelblick.sh
WARNING: $route_vpn_gateway is empty
10:38:30 *Tunnelblick:  NOTE: No network configuration changes need to be made.
10:38:30 *Tunnelblick:  WARNING: Will NOT monitor for other network configuration changes.
10:38:30 *Tunnelblick:  WARNING: Will NOT disable IPv6 settings.
10:38:30 *Tunnelblick:  DNS servers '8.8.8.8 10.0.2.50' were set manually
10:38:30 *Tunnelblick:  DNS servers '8.8.8.8 10.0.2.50' will be used for DNS queries when the VPN is active
10:38:30 *Tunnelblick:  NOTE: The DNS servers include one or more free public DNS servers known to Tunnelblick and one or more DNS servers not known to Tunnelblick. If used, the DNS servers not known to Tunnelblick may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
10:38:30 *Tunnelblick:  Flushed the DNS cache via dscacheutil
10:38:30 *Tunnelblick:  /usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
10:38:30 *Tunnelblick:  Notified mDNSResponder that the DNS cache was flushed
10:38:30 *Tunnelblick:  Not notifying mDNSResponderHelper that the DNS cache was flushed because it is not running
10:38:30 *Tunnelblick:  End of output from client.up.tunnelblick.sh
10:38:30 *Tunnelblick:  **********************************************

2021-02-28 10:38:30.917054 TCP/UDP: Preserving recently used remote address: [AF_INET]194.22.X.Y:1195
2021-02-28 10:38:30.917130 Socket Buffers: R=[786896->786896] S=[9216->9216]
2021-02-28 10:38:30.917234 UDP link local (bound): [AF_INET][undef]:1194
2021-02-28 10:38:30.917250 UDP link remote: [AF_INET]194.22.X.Y:1195


194.22.X.Y is the public IP of the FVS router.

On the server after the "successful ?" connection:

root@hp-srv05:/var/log/openvpn# ip route
default via 10.0.2.1 dev ens3 onlink
10.0.2.0/24 dev ens3 proto kernel scope link src 10.0.2.13
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.1


root@hp-srv05:/var/log/openvpn# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:3d:ac:2e brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.13/24 brd 10.0.2.255 scope global ens3
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe3d:ac2e/64 scope link
       valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::37c1:4cca:5249:c351/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
8: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::ebff:8b73:d02f:4b64/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

On the Mac:

anders@iMac-som-tillhor-Anders macos-vpn % ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=40b<RXCSUM,TXCSUM,VLAN_HWTAGGING,CHANNEL_IO>
ether 1c:69:7a:66:9f:19
inet6 fe80::cc8:f729:f5fc:29b1%en0 prefixlen 64 secured scopeid 0x4
inet 10.0.2.102 netmask 0xffffff00 broadcast 10.0.2.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect (1000baseT <full-duplex,flow-control>)
status: active
en2: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=400<CHANNEL_IO>
ether d8:3b:bf:94:04:c1
inet6 fe80::41:d626:74e0:1b56%en2 prefixlen 64 secured scopeid 0x5
inet6 fdaa:bbcc:ddee:0:1c1c:c903:7895:e020 prefixlen 64 autoconf secured
inet6 fdaa:bbcc:ddee:0:b07f:1658:1726:33cc prefixlen 64 autoconf temporary
inet 10.0.64.167 netmask 0xffffff00 broadcast 10.0.64.255
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304
options=400<CHANNEL_IO>
ether 0a:3b:bf:94:04:c1
media: autoselect
status: active
awdl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1484
options=400<CHANNEL_IO>
ether 7e:45:25:54:ed:a9
inet6 fe80::7c45:25ff:fe54:eda9%awdl0 prefixlen 64 scopeid 0x7
nd6 options=201<PERFORMNUD,DAD>
media: autoselect
status: active
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
inet6 fe80::f6f0:9818:45ea:ac34%utun0 prefixlen 64 scopeid 0x8
nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 fe80::6476:dc1a:77ba:a28b%utun1 prefixlen 64 scopeid 0x9
nd6 options=201<PERFORMNUD,DAD>
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
inet6 fe80::94c6:abee:c4e:3699%utun2 prefixlen 64 scopeid 0xa
nd6 options=201<PERFORMNUD,DAD>
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
inet6 fe80::17b7:c534:a8a8:e014%utun3 prefixlen 64 scopeid 0xb
nd6 options=201<PERFORMNUD,DAD>
utun4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.8.0.2 --> 10.8.0.1 netmask 0xffffffff

So, it looks as if the connection succeeds, but there is no endpoint IP configured on the server to the client. I had expected 10.8.0.2. utun4 seems to be up, but I can't send anything on it.

The Mac's route for 10.8.0.2 shows en0, not utun4, as gateway.

anders@iMac-som-tillhor-Anders macos-vpn % route get 10.8.0.2
   route to: 10.8.0.2
destination: default
       mask: default
    gateway: 10.0.2.1
  interface: en0
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
 recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
       0         0         0         0         0         0      1500         0
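The `ip route` and `route get` outputs in the post above can be checked mechanically. As an added example (not code from the poster, Tunnelblick or OpenVPN), the Python below parses the outputs quoted in the post and flags the two conditions visible in them: two tun devices on the server both carrying 10.8.0.0/24, and the Mac reaching a VPN-range address through en0 rather than a utun interface. The sample inputs are copied from the post; the function names are my own.

```python
import re
import ipaddress

# Constructed sample: the server `ip route` output quoted in the post above
IP_ROUTE_SAMPLE = """\
default via 10.0.2.1 dev ens3 onlink
10.0.2.0/24 dev ens3 proto kernel scope link src 10.0.2.13
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.1
"""
# Constructed sample: the macOS `route get 10.8.0.2` output from the post
ROUTE_GET_SAMPLE = """\
   route to: 10.8.0.2
destination: default
       mask: default
    gateway: 10.0.2.1
  interface: en0
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
"""
_ROUTE_RE = re.compile(r"^(\S+)(?: via (\S+))? dev (\S+)")

def parse_ip_route(text):
    """Parse Linux `ip route` lines into (network, via, device) tuples."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if m:
            dst, via, dev = m.groups()
            dst = "0.0.0.0/0" if dst == "default" else dst
            routes.append((ipaddress.ip_network(dst, strict=False), via, dev))
    return routes

def overlapping_tunnel_routes(routes, prefix="tun"):
    """Tunnel device pairs with overlapping routes: two tun interfaces on one
    VPN prefix means traffic to that prefix leaves via only one of them."""
    tun = [(net, dev) for net, _, dev in routes if dev.startswith(prefix)]
    return [(str(a), da, db) for i, (a, da) in enumerate(tun)
            for b, db in tun[i + 1:] if da != db and a.overlaps(b)]

def parse_route_get(text):
    """Turn macOS `route get` 'key: value' lines into a dict."""
    return {k.strip(): v.strip() for k, v in
            (ln.split(":", 1) for ln in text.splitlines() if ":" in ln)}

def reached_via_tunnel(route_get, vpn_net, prefix="utun"):
    """True only if a VPN-range address is routed out a tunnel interface
    rather than the LAN default gateway (the post's case returns False)."""
    dst = ipaddress.ip_address(route_get["route to"])
    return (dst in ipaddress.ip_network(vpn_net)
            and route_get.get("interface", "").startswith(prefix))
```

Run `overlapping_tunnel_routes(parse_ip_route(IP_ROUTE_SAMPLE))` and `reached_via_tunnel(parse_route_get(ROUTE_GET_SAMPLE), "10.8.0.0/24")` against fresh output from both machines after each config change to see whether either condition has cleared.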
