Solved Establish a connection with OpenVPN on Raspbian

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

artouf06

Thread Starter
Joined
Mar 5, 2017
Messages
5
I am trying to establish a VPN connection on a Raspberry Pi 3 with Raspbian. But I cannot make this work.

I am using VPNBook and I downloaded the .ovpn file in order to use OpenVPN.

Here is the content of the .ovpn file:
Code:
    client
    dev tun3
    proto tcp
    remote 176.126.237.217 80
    remote euro217.vpnbook.com 80
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    auth-user-pass pass.txt
    comp-lzo
    verb 3
    cipher AES-128-CBC
    fast-io
    pull
    redirect-gateway
    script-security 2
Here is the output I get:
Code:
    [email protected]:/etc/openvpn/vpnbook $ sudo openvpn --config vpnbook-euro1-tcp80.ovpn
    Wed Feb  8 00:07:45 2017 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 23 2016
    Wed Feb  8 00:07:45 2017 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.08
    Wed Feb  8 00:07:45 2017 WARNING: file 'pass.txt' is group or others accessible
    Wed Feb  8 00:07:45 2017 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Wed Feb  8 00:07:45 2017 NOTE: --fast-io is disabled since we are not using UDP
    Wed Feb  8 00:07:45 2017 Socket Buffers: R=[87380->131072] S=[16384->131072]
    Wed Feb  8 00:07:45 2017 Attempting to establish TCP connection with [AF_INET]176.126.237.217:80 [nonblock]
    Wed Feb  8 00:07:46 2017 TCP connection established with [AF_INET]176.126.237.217:80
    Wed Feb  8 00:07:46 2017 TCPv4_CLIENT link local: [undef]
    Wed Feb  8 00:07:46 2017 TCPv4_CLIENT link remote: [AF_INET]176.126.237.217:80
    Wed Feb  8 00:07:46 2017 TLS: Initial packet from [AF_INET]176.126.237.217:80, sid=f8773375 a8e3c418
    Wed Feb  8 00:07:46 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed Feb  8 00:07:47 2017 VERIFY OK: depth=1, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, [email protected]
    Wed Feb  8 00:07:47 2017 VERIFY OK: depth=0, C=CH, ST=Zurich, L=Zurich, O=vpnbook.com, OU=IT, CN=vpnbook.com, name=vpnbook.com, [email protected]
    Wed Feb  8 00:07:48 2017 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Feb  8 00:07:48 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Feb  8 00:07:48 2017 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
    Wed Feb  8 00:07:48 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Feb  8 00:07:48 2017 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Wed Feb  8 00:07:48 2017 [vpnbook.com] Peer Connection Initiated with [AF_INET]176.126.237.217:80
    Wed Feb  8 00:07:50 2017 SENT CONTROL [vpnbook.com]: 'PUSH_REQUEST' (status=1)
    Wed Feb  8 00:07:50 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS  89.233.43.71,dhcp-option DNS  91.239.100.100,route 10.12.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.12.0.6 10.12.0.5'
    Wed Feb  8 00:07:50 2017 OPTIONS IMPORT: timers and/or timeouts modified
    Wed Feb  8 00:07:50 2017 OPTIONS IMPORT: --ifconfig/up options modified
    Wed Feb  8 00:07:50 2017 OPTIONS IMPORT: route options modified
    Wed Feb  8 00:07:50 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
    Wed Feb  8 00:07:50 2017 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlan0 HWADDR=b8:27:eb:e3:f8:56
    Wed Feb  8 00:07:50 2017 TUN/TAP device tun3 opened
    Wed Feb  8 00:07:50 2017 TUN/TAP TX queue length set to 100
    Wed Feb  8 00:07:50 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Wed Feb  8 00:07:50 2017 /sbin/ip link set dev tun3 up mtu 1500
    Wed Feb  8 00:07:50 2017 /sbin/ip addr add dev tun3 local 10.12.0.6 peer 10.12.0.5
    Wed Feb  8 00:07:50 2017 /sbin/ip route add 176.126.237.217/32 via 192.168.0.1
    Wed Feb  8 00:07:50 2017 /sbin/ip route add 0.0.0.0/1 via 10.12.0.5
    Wed Feb  8 00:07:50 2017 /sbin/ip route add 128.0.0.0/1 via 10.12.0.5
    Wed Feb  8 00:07:50 2017 /sbin/ip route add 10.12.0.1/32 via 10.12.0.5
    Wed Feb  8 00:07:50 2017 Initialization Sequence Completed
At this point, I cannot access any website (by putting name or IP address). However, I can ping some IP addresses like 216.58.212.99 but not hostnames like www.google.fr.

I thought it was a DNS issue, I tried to search for it and updated my .ovpn file with the following lines:
Code:
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
This didn't change anything.

I also tried with another VPN (VPNGate) but I have the same behaviour.

Everything about the network is painfully slow once openvpn is launched. And I don't even know if the tunnel is working. How to be sure without being able to load a single website? Everything is just really slow and I don't know why. It probably comes from my configuration because I guess I'm not the only one using VPNBook, and I also tried with another VPN provider with the same result.

Having been stuck with this problem for 2 months now, I am reading a tutorial to fully understand how a network is working.
From what I can say at the moment, I see 2 strange things in my configuration when the VPN is activated.

First, on the "tun3" interface created for the connection with the VPN, the MAC address is full of 0. Shouldn't it be the same as my other interface?
Code:
    tun3      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.12.0.170  P-t-P:10.12.0.169  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:126 errors:0 dropped:0 overruns:0 frame:0
              TX packets:358 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:16864 (16.4 KiB)  TX bytes:35559 (34.7 KiB)

    wlan0     Link encap:Ethernet  HWaddr b8:27:eb:e3:f8:56
              inet addr:192.168.0.17  Bcast:192.168.0.255  Mask:255.255.255.0
              inet6 addr: fe80::6dfb:5d45:2ae7:fe43/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:24791 errors:0 dropped:7790 overruns:0 frame:0
              TX packets:19963 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:4974169 (4.7 MiB)  TX bytes:2843776 (2.7 MiB)
Second, the route table (which is displayed very slowly when the VPN is on):

Without VPN:
Code:
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         192.168.0.1     0.0.0.0         UG    303    0        0 wlan0
    192.168.0.0     *               255.255.255.0   U     303    0        0 wlan0
With VPN:
Code:
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         10.12.0.169     128.0.0.0       UG    0      0        0 tun3
    default         192.168.0.1     0.0.0.0         UG    303    0        0 wlan0
    10.12.0.1       10.12.0.169     255.255.255.255 UGH   0      0        0 tun3
    10.12.0.169     *               255.255.255.255 UH    0      0        0 tun3
    128.0.0.0       10.12.0.169     128.0.0.0       UG    0      0        0 tun3
    176.126.237.217 192.168.0.1     255.255.255.255 UGH   0      0        0 wlan0
    192.168.0.0     *               255.255.255.0   U     303    0        0 wlan0
Here there is 1 gateway that I can't even ping: 10.12.0.169. Actually I don't even understand why I have this new IP address completely different from the rest of my network. Shouldn't "tun3" also have an IP address like 192.168.0.xxx? Also, except for the route toward my own local network, shouldn't the gateway be 192.168.0.1 (my internet provider) for all the destinations?

My ISP blocked the VPN connection, but I have now activated the PPTP, IPSEC and MULTICAST pass-through, and I still have the same behaviour.
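The log in the post above carries three client-side warnings: a credentials file readable by group or others, no server certificate verification, and password caching. The following is an added example, not part of the original thread, that checks a client config for the directives behind those warnings; the finding labels, the sample files and the choice to resolve a relative `auth-user-pass` path against the config's directory are assumptions of this example.

```shell
#!/bin/sh
# audit_ovpn CONFIG: print one finding label per line (labels are this
# example's own, not OpenVPN output).
audit_ovpn() {
    cfg=$1
    # Directives that make the client check the server certificate beyond
    # "signed by the configured CA".
    verify='remote-cert-tls|remote-cert-eku|verify-x509-name|ns-cert-type|tls-verify|tls-remote'
    grep -Eq "^[[:space:]]*($verify)([[:space:]]|\$)" "$cfg" ||
        echo "no-server-cert-verification"
    grep -Eq '^[[:space:]]*auth-nocache([[:space:]]|$)' "$cfg" ||
        echo "password-cached-in-memory"
    # auth-user-pass FILE: the file must not be group/other accessible.
    # Assumption: a relative path is resolved against the config's directory.
    cred=$(awk '$1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$cfg")
    [ -n "$cred" ] || return 0
    case $cred in /*) ;; *) cred=$(dirname "$cfg")/$cred ;; esac
    [ -f "$cred" ] || return 0
    [ "$(ls -ld "$cred" | cut -c5-10)" = "------" ] ||
        echo "credentials-file-too-open"
}

# Constructed sample: directives taken from the post's .ovpn, plus a
# world-readable pass.txt with placeholder credentials.
demo=$(mktemp -d)
printf '%s\n' client 'dev tun3' 'proto tcp' 'remote euro217.vpnbook.com 80' \
    'auth-user-pass pass.txt' 'cipher AES-128-CBC' 'script-security 2' \
    > "$demo/weak.ovpn"
printf 'user\nsecret\n' > "$demo/pass.txt"
chmod 644 "$demo/pass.txt"
audit_ovpn "$demo/weak.ovpn"

# Hardened variant: verify the server certificate, do not cache the
# password, restrict the credentials file to its owner.
{ cat "$demo/weak.ovpn"; echo 'remote-cert-tls server'; echo 'auth-nocache'; } \
    > "$demo/hard.ovpn"
chmod 600 "$demo/pass.txt"
audit_ovpn "$demo/hard.ovpn"
```

`remote-cert-tls server` only connects if the provider's server certificate carries the matching key usage fields; `verify-x509-name` is the alternative when it does not.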
 

artouf06

Thread Starter
Joined
Mar 5, 2017
Messages
5
What can I do step by step to understand my problem? I've tried thousands of things I found on the internet, without any success. I definitely can't tell all the things I've tried. I actually manage to connect to a single website, cisco, but only with its IP address 72.163.4.161. The "same" configuration (but obviously not the same) on my Windows PC on the same local network works perfectly fine.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,408
Have you tried doing a DNS lookup to see if DNS name resolution is working with the VPN tunnel up? If you are getting proper DNS name resolution, then it's most likely a routing issue. I don't know any details about configuring OpenVPN. But if you want to be able to route out to the Internet through the VPN tunnel, you'll have to see if you can configure hair pinning on OpenVPN. The alternative is to see if you can configure split tunneling which will allow you to access the Internet from the remote LAN and only send specific traffic down the tunnel.
 

artouf06

Thread Starter
Joined
Mar 5, 2017
Messages
5
I managed to make it work by installing the resolvconf package and doing an update and upgrade. The strange thing is that I didn't have any message saying that resolvconf was missing. At resolvconf installation, it says it needed to uninstall openresolv, so it was probably using this one instead of resolvconf.

Anyway, this worked at that time and worked after a reboot. After that, I shut my device down, and now, without having made any change, it can't resolve host names. It looks like the resolvconf doesn't do anything.
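One way to check whether the DNS servers pushed by the VPN server actually reached the resolver configuration, as an added example that is not part of the original posts. The log line is the PUSH_REPLY from the first post; the two resolv.conf files and the function names are constructed for this example (the ISP resolver address is the one shown in the dig output later in the thread).

```shell
#!/bin/sh
# pushed_dns LOG: DNS servers from the last PUSH_REPLY in an OpenVPN log.
pushed_dns() {
    grep 'PUSH_REPLY' "$1" | tail -n 1 | tr -d "'" | tr ',' '\n' |
        awk '$1 == "dhcp-option" && $2 == "DNS" { print $3 }'
}

# missing_dns LOG RESOLV: pushed servers that have no "nameserver" line
# in RESOLV, i.e. the up script did not apply them.
missing_dns() {
    pushed_dns "$1" | while read -r ip; do
        awk -v ip="$ip" '$1 == "nameserver" && $2 == ip { found = 1 }
                         END { exit !found }' "$2" || echo "$ip"
    done
}

demo=$(mktemp -d)
cat > "$demo/openvpn.log" <<'EOF'
Wed Feb  8 00:07:50 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS  89.233.43.71,dhcp-option DNS  91.239.100.100,route 10.12.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.12.0.6 10.12.0.5'
EOF

# Constructed: resolv.conf still pointing at the ISP resolver only.
printf 'nameserver 194.168.4.100\n' > "$demo/resolv.before"
# Constructed: resolv.conf after the up script applied the pushed servers.
printf 'nameserver 89.233.43.71\nnameserver 91.239.100.100\n' \
    > "$demo/resolv.after"

echo "pushed:"; pushed_dns "$demo/openvpn.log"
echo "not applied (before):"; missing_dns "$demo/openvpn.log" "$demo/resolv.before"
echo "not applied (after):";  missing_dns "$demo/openvpn.log" "$demo/resolv.after"
```

On a live system the second argument would be `/etc/resolv.conf`, read while the tunnel is up.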
 

artouf06

Thread Starter
Joined
Mar 5, 2017
Messages
5
I removed dnsmasq package and added the following lines in the following files and it's now working.

/etc/host.conf
Code:
    order hosts,bind # was missing
    multi off # was on
/etc/nsswitch.conf
Code:
    # /etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.

    passwd:         compat
    group:          compat
    shadow:         compat
    gshadow:        files

    hosts:          files myhostname mdns4_minimal [NOTFOUND=return] dns
    networks:       files dns # dns was missing

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis
However, it can now resolve some names, but not all of them. I can resolve www.google.com, but not torrent.ubuntu.com for example. Even if I use the command "dig" to specify the DNS I want to use, I can't resolve torrent.ubuntu.com while connected to the VPN. When I'm not connected to the VPN, I can resolve it, and I can also resolve it by using the DNS of my VPN server.

Not connected to VPN (84.200.69.80 is the DNS address given by my VPN server):
Code:
    [email protected]:/etc/openvpn/vpnbook $ dig torrent.ubuntu.com

    ; <<>> DiG 9.9.5-9+deb8u10-Raspbian <<>> torrent.ubuntu.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12612
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;torrent.ubuntu.com.            IN      A

    ;; ANSWER SECTION:
    torrent.ubuntu.com.     600     IN      A       91.189.95.21

    ;; Query time: 26 msec
    ;; SERVER: 194.168.4.100#53(194.168.4.100)
    ;; WHEN: Tue Mar 28 23:36:14 UTC 2017
    ;; MSG SIZE  rcvd: 63

    [email protected]:/etc/openvpn/vpnbook $ dig @8.8.8.8 torrent.ubuntu.com

    ; <<>> DiG 9.9.5-9+deb8u10-Raspbian <<>> @8.8.8.8 torrent.ubuntu.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54658
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;torrent.ubuntu.com.            IN      A

    ;; ANSWER SECTION:
    torrent.ubuntu.com.     565     IN      A       91.189.95.21

    ;; Query time: 38 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Tue Mar 28 23:36:30 UTC 2017
    ;; MSG SIZE  rcvd: 63

    [email protected]:/etc/openvpn/vpnbook $ dig @84.200.69.80 torrent.ubuntu.com

    ; <<>> DiG 9.9.5-9+deb8u10-Raspbian <<>> @84.200.69.80 torrent.ubuntu.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25789
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;torrent.ubuntu.com.            IN      A

    ;; ANSWER SECTION:
    torrent.ubuntu.com.     153     IN      A       91.189.95.21

    ;; AUTHORITY SECTION:
    ubuntu.com.             600     IN      NS      ns4.p27.dynect.net.
    ubuntu.com.             600     IN      NS      ns2.p27.dynect.net.
    ubuntu.com.             600     IN      NS      ns1.p27.dynect.net.
    ubuntu.com.             600     IN      NS      ns3.p27.dynect.net.

    ;; Query time: 48 msec
    ;; SERVER: 84.200.69.80#53(84.200.69.80)
    ;; WHEN: Tue Mar 28 23:36:47 UTC 2017
    ;; MSG SIZE  rcvd: 149

Connected to the VPN:
Code:
    [email protected]:/etc/openvpn/vpnbook $ dig torrent.ubuntu.com

    ; <<>> DiG 9.9.5-9+deb8u10-Raspbian <<>> torrent.ubuntu.com
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    [email protected]:/etc/openvpn/vpnbook $ dig @84.200.69.80 torrent.ubuntu.com

    ; <<>> DiG 9.9.5-9+deb8u10-Raspbian <<>> @84.200.69.80 torrent.ubuntu.com
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    [email protected]:/etc/openvpn/vpnbook $ dig @8.8.8.8 torrent.ubuntu.com

    ; <<>> DiG 9.9.5-9+deb8u10-Raspbian <<>> @8.8.8.8 torrent.ubuntu.com
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    [email protected]:/etc/openvpn/vpnbook $ dig www.google.com

    ; <<>> DiG 9.9.5-9+deb8u10-Raspbian <<>> www.google.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59828
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A

    ;; ANSWER SECTION:
    www.google.com.         132     IN      A       172.217.20.196

    ;; Query time: 211 msec
    ;; SERVER: 84.200.69.80#53(84.200.69.80)
    ;; WHEN: Tue Mar 28 23:38:58 UTC 2017
    ;; MSG SIZE  rcvd: 59
 

artouf06

Thread Starter
Joined
Mar 5, 2017
Messages
5
After surfing a bit on the internet, it seems pretty obvious that the VPN server is blocking every DNS request which contains the word "torrent", even if it's a legal torrent like torrent.ubuntu.com.
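The comparison made across the dig runs above can be done mechanically. This is an added example, not part of the original thread: it summarises captured dig output per query and lists names that timed out against every resolver while another name was answered in the same capture, a pattern that points at name-specific handling on the path rather than at the local resolver settings. The function names are this example's own, and the input is an excerpt of the "Connected to the VPN" output quoted earlier.

```shell
#!/bin/sh
# dig_summary FILE: one line per query: NAME RESOLVER RESULT
# (RESOLVER is the @server asked, or "default"; for answers, the server
# that replied).
dig_summary() {
    awk '
        /^; <<>> DiG/ { name = $NF; srv = "default"; status = ""
                        for (i = 1; i < NF; i++)
                            if ($i ~ /^@/) srv = substr($i, 2) }
        /status: /    { status = $6; sub(/,$/, "", status) }
        /^;; connection timed out/ { print name, srv, "timeout" }
        /^;; SERVER: / { split($3, s, "#"); print name, s[1], status }
    ' "$1"
}

# selective_failures FILE: names whose every query timed out although
# at least one other query in the capture was answered.
selective_failures() {
    dig_summary "$1" | awk '
        { tried[$1]++ }
        $3 == "timeout" { failed[$1]++ }
        $3 != "timeout" { any_ok = 1 }
        END { if (any_ok) for (n in tried)
                  if (failed[n] == tried[n]) print n }'
}

demo=$(mktemp -d)
# Excerpt of the dig output posted above (tunnel up), reduced to the
# lines the parser reads.
cat > "$demo/vpn.dig" <<'EOF'
; <<>> DiG 9.9.5-9+deb8u10-Raspbian <<>> torrent.ubuntu.com
;; connection timed out; no servers could be reached
; <<>> DiG 9.9.5-9+deb8u10-Raspbian <<>> @84.200.69.80 torrent.ubuntu.com
;; connection timed out; no servers could be reached
; <<>> DiG 9.9.5-9+deb8u10-Raspbian <<>> @8.8.8.8 torrent.ubuntu.com
;; connection timed out; no servers could be reached
; <<>> DiG 9.9.5-9+deb8u10-Raspbian <<>> www.google.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59828
;; SERVER: 84.200.69.80#53(84.200.69.80)
EOF

dig_summary "$demo/vpn.dig"
echo "name-selective timeouts:"; selective_failures "$demo/vpn.dig"
```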
 