OpenVPN connects but does not allow traffic

I am able to connect to my OpenVPN service, but no data flows once the connection is made. I tried what is mentioned in another similar topic, but it did not help.

First,

$ uname -a
Linux freedombox 6.1.0-13-armmp-lpae #1 SMP Debian 6.1.55-1 (2023-09-29) armv7l GNU/Linux

This is a box I bought several years ago (Olimex A20-OLinuXino-LIME2, 2x ARMv7 Processor rev 4 (v7l)). I have reinstalled the image myself about 6 months ago, downloading it from Freedombox site.

I have turned on OpenVPN and done all configuration through the Plinth UI, and I was able to generate all the files for server and client. I am using my phone as a client and I am able to connect, but once I connect, data does not flow. I cannot connect on the phone to anything.

I have tried several modifications after that, but was not able to get anywhere.

OpenVPN config

$ cat /etc/openvpn/server/freedombox.conf

port 1194
proto udp
# proto udp6
dev tun0

# client-to-client

ca /etc/openvpn/freedombox-keys/pki/ca.crt
cert /etc/openvpn/freedombox-keys/pki/issued/server.crt
key /etc/openvpn/freedombox-keys/pki/private/server.key

dh none

server 10.91.0.0 255.255.255.0
keepalive 10 120
verb 3

log-append openvpn.log

tls-server
tls-version-min 1.2
cipher AES-256-CBC
script-security 2

In the config above I tried both dev tun0 and dev tun, but neither seemed to work. I also have disabled udp6 on purpose to make things simpler.

tun0 interface config

$ cat /etc/NetworkManager/system-connections/tun0.nmconnection
[connection]
id=tun0
uuid=6aef5d32-b9a2-476a-9e84-c5b93a499c98
type=tun
autoconnect=false
interface-name=tun0
timestamp=1699982689

[tun]

[ipv4]
method=auto

[ipv6]
addr-gen-mode=default
method=disabled

[proxy]

I have explicitly disabled the ipv6 here as well. However, for some reason the Cockpit app is showing different settings and also showing data flowing in both transmitting and receiving directions:

Firewall
I have removed OpenVPN and the tun0 interface from the internal zone:

$ sudo cat /etc/firewalld/zones/external.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="openvpn"/>
  <masquerade/>
</zone>
$ sudo cat /etc/firewalld/zones/internal.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="https"/>
  <service name="dns"/>
  <service name="dhcp"/>
  <interface name="tun1"/>
  <interface name="tun2"/>
  <interface name="tun3"/>
  <interface name="tun4"/>
  <interface name="tun5"/>
  <interface name="tun6"/>
  <interface name="tun7"/>
</zone>

Any suggestion on where I should look further, what kind of logs I need is greatly appreciated.

Hello!

It looks like you’re using the same hardware as the Pioneer FreedomBox (Olimex A20-OLinuXino-LIME2). Given that this hardware typically has only one physical network interface, FreedomBox should automatically configure it for the internal zone. For OpenVPN to function properly and allow internet access, you would typically need an additional physical network interface assigned to the external zone. Just as a warning, I wouldn’t recommend changing your only network interface to the external zone.

However, there’s a workaround you might find useful. You can configure your applications (like a web browser) to use a proxy. For example, setting them up to use Privoxy (10.91.0.1:8118) or the Tor SOCKS proxy (10.91.0.1:9050) could help in routing your data out to the internet while connected to the VPN. I own a Pioneer FreedomBox and this is the workaround I use. I’d always send my requests through Privoxy anyway, so I don’t feel any friction with this setup.

I hope this helps you troubleshoot the issue. Let me know if you have any more questions!

EDIT: Added source from the manual page for OpenVPN.

18.5. Browsing Internet after connecting to VPN

After connecting to the VPN, the client device will be able to browse the Internet without any further configuration. However, a pre-condition for this to work is that you need to have at least one Internet connected network interface which is part of the ‘External’ firewall zone. Use the networks configuration page to edit the firewall zone for the device’s network interfaces.

https://wiki.debian.org/FreedomBox/Manual#FreedomBox.2FManual.2FOpenVPN.OpenVPN_.28Virtual_Private_Network.29

What really puzzles me here is that a year and a half ago I had OpenVPN working without problems. That was before I had to flush the system with the new image.

Ah, I see - I didn’t catch from your initial message that you had OpenVPN with working internet access on this setup before the reinstallation.

Just to confirm, does your hardware have only the one network interface (the ethernet port)? If that’s the case, it’s possible that in your previous setup, the FreedomBox WAN interface (eth0/end0) was assigned to the “external” zone. This configuration would have allowed internet access via OpenVPN, but it might also have inadvertently exposed internal services to the external network. For instance, if you were running Privoxy, it could have turned into an open proxy accessible from the internet (though I’m not entirely certain if this would have been the case).

If you’re running services beyond OpenVPN, I’d recommend trying the workaround I suggested earlier. However, if OpenVPN is your sole service, setting the network interface to external might work, but I’m hesitant to confirm this without considering potential security risks.

Let’s see if other community members have more insights or suggestions to offer.

First of all, 10.91.0.1 is a private IP address; there is no way to reach it from the internet. Secondly, being able to connect through Privoxy and Tor SOCKS over the internet is a security issue, not a feature. The Privoxy part has been fixed and disabled in release 22.16.

Rather, in your ovpn config file you should try to substitute the private IP with your domain name.

Hello,

First off, I want to acknowledge that I’m not an expert in this area, so there’s a possibility I could be mistaken. However, I think there’s been a bit of a miscommunication, so I’d like to clarify my previous message. Apologies if my wording wasn’t entirely clear.

In my own setup, which involves a Pioneer FreedomBox, similar to what the original poster might be using, the device comes with only one network interface. This is automatically configured by FreedomBox as part of the “internal” zone. Without a second “external” interface, when I connect devices through OpenVPN to my VPN network, there’s no internet access (for instance, I can’t browse the web or send messages).

My workaround involves setting my browser’s proxy to [FreedomBox VPN address]:[Privoxy port] when connected to my VPN. I’m fully aware that 10.91.0.1 is a private address, as it’s the IP of my FreedomBox within my VPN network. My intention is not to route external traffic through this proxy but to use it post-VPN connection.

Also, as a tentative suggestion with some security concerns, I mentioned that the OP could try changing their sole network interface to the “external” zone. This might provide internet access while connected via VPN. I have experimented with this approach but decided it wasn’t worth the security risks. I cautioned the OP that this might inadvertently expose some services to the internet.

I hope this provides a clearer picture of what I intended to convey. Once more, I apologize for any confusion caused by my initial explanation.


Thank you all for the replies.

@nbenedek I am afraid I do not understand the suggestion about the private IP vs. domain name in the OVPN config file. Are you suggesting to do that on the server line? But the documentation says

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

Or are you referring to the client configuration? If the latter, then I already have it that way. I can connect to the server from the client, but after that I cannot connect from client anywhere.

@fefekrzr Thank you for the suggestion, but I am trying to forward all the traffic through the VPN, not just browser. I want messaging and all other apps to go through VPN. Most apps do not have the proxy settings. I also want to be able to set the router as a client.

Alright, let’s see if we can gather more insights from others. However, I believe your current hardware setup might be limiting what you’re trying to achieve with the VPN and you may need to try with other hardware.

I genuinely hope you find a solution or a suitable workaround to your issue soon. If I come across any further ideas or suggestions, I’ll share them with you.

Unfortunately, I have accidentally disabled the main network interface and since the machine is remote I lost access to it. I will get my hands on the physical hardware in a couple of days and will report here on my progress with fixing the problem.


Ok, I dug around and I have found these instructions: OpenVPN - Debian Wiki which looked like they may be relevant.

And these instructions worked for me. However, these settings do not persist after reboot and I have not been able to figure out how to make nftables restore them. I have put the tables/chains/rules into /etc/nftables.conf, but I have to run systemctl start nftables.service every time. I have done systemctl enable nftables.service, but that did not help.

So, this is a different problem now, but if anyone has any suggestions, those would be greatly appreciated.

Meanwhile, I will dig further and update once I solve this.
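For the persistence problem in the post above, here is a minimal /etc/nftables.conf that nftables.service can load at boot; it is an added example, not the Debian wiki's rules or anything from this thread. It masquerades only the VPN subnet from the server config (10.91.0.0/24) out the single physical interface, and the interface name end0 is an assumption taken from the eth0/end0 mention above (check it with ip link).

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread or the Debian wiki.
# Deliberately no "flush ruleset" here: that would wipe firewalld's own
# tables whenever this file is loaded after firewalld has started.

define vpn_net = 10.91.0.0/24
define wan_if  = "end0"   # assumption: adjust to the WAN interface from `ip link`

table ip openvpn_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source-NAT only traffic that originates in the VPN subnet,
        # so unrelated forwarded traffic is not masqueraded as a side effect.
        ip saddr $vpn_net oifname $wan_if masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # VPN clients may go out; only replies to those flows come back in.
        iifname "tun0" oifname $wan_if ip saddr $vpn_net accept
        iifname $wan_if oifname "tun0" ct state established,related accept
    }
}
```

IP forwarding must also be on (net.ipv4.ip_forward=1 in /etc/sysctl.d/) or the forward chain never sees the packets. After a reboot, nft list ruleset should show the openvpn_nat table; if it is empty, journalctl -u nftables shows whether the boot-time load of /etc/nftables.conf failed on a parse error.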