You are not logged in.
- Topics: Active | Unanswered
#126 Re: Off-topic » I didn't do it!!! » 2018-06-18 21:11:14
Next time, might I suggest https://lmsptfy.com/ ?
#127 Re: Hardware & System Configuration » openvpn server and client on same box » 2018-06-18 21:09:44
Well, as long as you have to default route on tunY VPN config should be fine. What i'd do at this point is fire up tcpdump to debug:
tcpdump -ni eth0Do you see the packets from your client connecting to your internal VPN server? If yes do also see the replies going from the server to the client? If you see the packets from the client but don't see any replies can you see replies when running
tcpdump -ni tunYEdit: You can add
port [YOUR-INTERNAL-VPN-SERVER-PORT]to the tcpdump commandline to filter traffic. Might be a bit hard to spot anything otherwise.
Okay, so I have no idea why I never thought to run tcpdump, but you nailed part of the diagnosis, which puts me at ease. With route-nopull, I can see packets to-and-from my mobile device, but it doesn't use tunY.
On the other hand, with route-nopull disabled, I saw the packets trying to reach ethX, but as you said, no replies. And I've gotta be totally honest with you, but I have no idea what that means.
Are you sure the packets aren't getting blocked by iptables?
Again, in all honesty, I'm not sure. What would be the best way to check?
#128 Re: Devuan Derivatives » Refracta no-dbus experiment » 2018-06-18 20:36:03
@fsr: awesome project. I have the same goal ^_^
@panopticon: that sounds like a much more desirable palemoon. I hate bloat.
#129 Re: Off-topic » I didn't do it!!! » 2018-06-18 20:33:52
Miyo has clearly never ran a search containing only the string "miyo"
#130 Re: Hardware & System Configuration » openvpn server and client on same box » 2018-06-15 23:09:39
echo 200 isp >> /etc/iproute2/rt_tables iptables -A PREROUTING -i eth0 -t mangle -p udp --sport [YOUR-INTERNAL-VPN-SERVER-PORT] -j MARK --set-mark 1 ip rule add fwmark 1 table isp ip route add default via 192.168.x.1 dev eth0 table ispObviously can't really test it but it should basically mark packets coming from your internal VPN server and add a rule to make them use an entirely different routing table which does nothing but send the packets through your ISP instead of the external VPN. Rationale being: I think the problem isn't really not being able to reach the box from out side (the packets arrive just fine) the packets that the internal VPN server sends back to it's outer client get routed through the external VPN instead of being routed through your ISP as the client expects.
Interesting idea. Unfortunately, the behaviour is the same. :\ (I tried it with and without route-nopull; those behaviours haven't changed at all.) Should this be used in conjunction with some option added to my server/client configs?
#131 Re: Hardware & System Configuration » openvpn server and client on same box » 2018-06-15 22:23:30
So basically you want to have all all outgoing traffic directed towards the internet go over tunY?
That's the idea. It works okay from the box, and from devices connected to its hotspot. Also, when I'm on the box's hotspot, I can connect through openvpn, and everything works as normal.
It's only when I'm outside the lan that I have any issues. My conjecture is it has something to do with the outside VPN service changing the box's public IP -- it overrides the ISP public IP. Yet, my client.ovpn is set to reach out to the ISP's public ip, and as I mentioned, it works okay on the LAN, just not outside of it. That's weird to me. (Edit: this behaviour changes when route-nopull is used; see below.)
That's kinda strange since tunY still is the default route
Why wouldn't it be? All routing information was taken off. I'm assuming that the external VPN service I'm using pulls everything by default.
Really, if you want to connect to the internet over tunY is the main question at this point
Yeah, that's the idea. I want the box to be a middle-man for filtering and monitoring network traffic. Otherwise, I would connect directly to the external VPN service.
The problem is that, anytime it's running, I lose VPN access to tunX from outside the network. (Inside the local network, though, it's okay.)
If you just want packets toward 10.8.y.0/24 to go over tunY this route is enough
10.8.y.0 0.0.0.0 255.255.255.0 U 0 0 0 tunY
This is the behavior when route-nopull is used. (If you want, I can post route -n so you can see the full table.) The issue is that when this happens, it seems like nothing at all is routed through tunY: browserleaks.com/ip reveals my ISP public IP, not the VPN service's (xx.xx.xxx.xx from my previous post).
Interestingly, when route-nopull is used, my devices outside of the local network can connect to the box. It's just that, as I said, when it's used, it seems like nothing at all is going over tunY.
and we have to figure out why it even adds the default route or at least stop it from doing so.
My conjecture is that my external VPN service pulls all routes by default. I want to use tunY to access websites. The problem is that when it's running, I can't access the box from outside the LAN.
#132 Re: Hardware & System Configuration » openvpn server and client on same box » 2018-06-15 20:23:04
"redirect-gateway def1" (that is what route-nopull would ignore if you could not control the server config) is not what you want at all.
What I'd really like to do is use the external VPN service as something like a proxy for devices connected on all the interfaces.
Devices on tunX connect to the box from outside the local network. Ideally, the flow of information would be something like this:
1) Laptop at a coffee shop connects to this box at home (tunX). It performs this by connecting to my ISP's public IP address.
2) The box at home does some filtering and monitoring, then redirects the packets through the VPN service (tunY).
3) The box receives the reply from tunY, filters/monitors, and uses tunX to send the packets to my laptop at the coffee shop.
The problem is that, when tun1 is up, step 1 doesn't happen on the laptop at the coffee shop -- it hangs while trying to connect. So, if this is impossible for devices on tunX, then as a fallback, I'd like to use it for at least wlanX and ethX, and ignore tunX altogether.
Could you please remove all routing related config (including redirect-gateway def1) from client and server and post the output of route -n?
With push "redirect-gateway def1" removed from server.conf, the output is the same as what I posted earlier:
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.y.1 128.0.0.0 UG 0 0 0 tunY
0.0.0.0 192.168.x.1 0.0.0.0 UG 0 0 0 ethX
10.8.x.0 10.8.x.2 255.255.255.0 UG 0 0 0 tunX
10.8.x.2 0.0.0.0 255.255.255.255 UH 0 0 0 tunX
10.8.y.0 0.0.0.0 255.255.255.0 U 0 0 0 tunY
xx.xx.xxx.xx 192.168.x.1 255.255.255.255 UGH 0 0 0 ethX
128.0.0.0 10.8.y.1 128.0.0.0 UG 0 0 0 tunY
169.xxx.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 ethX
192.168.x.0 0.0.0.0 255.255.255.0 U 0 0 0 ethX
192.168.y.0 0.0.0.0 255.255.255.0 U 0 0 0 wlanX#133 Re: Hardware & System Configuration » openvpn server and client on same box » 2018-06-15 17:39:49
Thanks for the responses so far. I've been researching routing with openvpn, to little avail.
One issue that I'm noticing is that openvpn seems to ignore routing information. For example, based on this post, I added this line to my external client's (which creates tunY) .ovpn file:
route 192.168.0.0 255.255.0.0 net_gateway
redirect-gateway def1According to the posts, this should exclude any devices on any 192.168.(...) networks from being routed through the vpn. In fact, it does not.
My personal favorite so far is this one:
Here are a couple of simple lines for your CCD files that will redirect all traffic except for a specific IP range, in this case 10.0.0.0/16:
push "route 10.0.0.0 255.255.0.0 net_gateway" push "redirect-gateway def1"
Seems simple enough, so I also modified the route to 192.168.0.0 255.255.0.0, in hopes to exclude that IP range.
Despite the enthusiastic accolades in the topics comments, the same results occur: all network traffic is routed over the VPN.
I'm having the exact opposite problem when using the route-nopull option, coupled with custom route or push "route options.
#134 Re: Hardware & System Configuration » openvpn server and client on same box » 2018-06-12 18:35:29
inspect the output of route -n before and after connecting to the VPN.
Here's the output of route -n before and after:
# BEFORE VPN
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.x.1 0.0.0.0 UG 0 0 0 ethX
10.8.x.0 10.8.x.2 255.255.255.0 UG 0 0 0 tunX
10.8.x.2 0.0.0.0 255.255.255.255 UH 0 0 0 tunX
169.xxx.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 ethX
192.168.x.0 0.0.0.0 255.255.255.0 U 0 0 0 ethX
192.168.y.0 0.0.0.0 255.255.255.0 U 0 0 0 wlanX
#AFTER VPN
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.8.y.1 128.0.0.0 UG 0 0 0 tunY
0.0.0.0 192.168.x.1 0.0.0.0 UG 0 0 0 ethX
10.8.x.0 10.8.x.2 255.255.255.0 UG 0 0 0 tunX
10.8.x.2 0.0.0.0 255.255.255.255 UH 0 0 0 tunX
10.8.y.0 0.0.0.0 255.255.255.0 U 0 0 0 tunY
xx.xx.xxx.xx 192.168.x.1 255.255.255.255 UGH 0 0 0 ethX
128.0.0.0 10.8.y.1 128.0.0.0 UG 0 0 0 tunY
169.xxx.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 ethX
192.168.x.0 0.0.0.0 255.255.255.0 U 0 0 0 ethX
192.168.y.0 0.0.0.0 255.255.255.0 U 0 0 0 wlanXcheck routing regarding the ethX network. In particular, the server-vpn return traffic must not be routed through the client-vpn.
In the routing table, it doesn't look like it is. I'm not sure the best way to make that route; I'm still pretty new at this and doing a lot of reading on the fly.
One thing that wasn't immediately obvious is the public IP. When I connect to the external VPN server, my network's public IP changes (in the routing table, it's the xx.xx.xxx.xx IP); and even though everything connected to the box on the internal network plays nicely with tunY, the clients that connect to the same box from outside the internal network hang at the connection process. The error is the same as if the box were offline, and the second I kill the box's client connection (tunY), my IP changes back, and those external clients connect exactly as expected.
I'm wondering if this is causing this grief for my external clients. I assumed that I should still be able to access my router from the "actual" (my ISP's) public IP. I wonder if that assumption was in err.
(Also, just for fun, I tried to redirect the external clients to xx.xx.xxx.xx instead of my ISP public ip, but to no avail, as I suspected.)
#135 Re: Hardware & System Configuration » openvpn server and client on same box » 2018-06-12 02:14:15
you'll also need a MASQUERADE rule on the OUTPUT chain of the nat table.
In this context, I'm not completely sure what this would look like.
it perhaps worked out to use something else (eth0) as its outbound interface
Correct, that's been the deal since I first set up the "original" vpn (connect to box from wherever). My iptables rules for that are as follows:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.y.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.y.0/24 -o ethX -j MASQUERADEmaybe a restart of the server, after the outbound openvpn (client) is set up makes this happen?
No idea. I've restarted both client and server to no avail.
#136 Re: Hardware & System Configuration » openvpn server and client on same box » 2018-06-11 22:03:50
@dutch: I've never set up a tunnel, either. My understanding is that they can link one adapter to another, but I would need something that can funnel several adapters to tunY, and visa-versa.
@rrq: I tried iptables -t nat -A POSTROUTING -s 10.8.x.x/24 -o tunY -j MASQUERADE, and that worked okay for devices connected to the AP, but not on the VPN from an outside network. Outside devices hang at UDP link remote [AF_INET] public.ip.address:port.
#137 Hardware & System Configuration » openvpn server and client on same box » 2018-06-11 20:41:34
- siva
- Replies: 31
I have a box behind a router. Said box currently works as a vpn server (openvpn) and wifi AP (hostapd). openvpn and hostapd run on their own subnets. There are, therefore, three subnets: one for ethX (router), tunX (vpn), and wlanX (ap). Right now, everything behind the box can access the internet just fine.
I'd like to configure said box to redirect all network traffic to-from an external vpn (tunY). I can connect to this external vpn from said box, as an openvpn client (eg, sudo openvpn ./external.ovpn). However, when that happens, all of my devices behind the box -- on the ap or vpn server -- lose internet until I close tunY.
Google et al were pretty unhelpful.
I assume this will require some iptables or ip commands that I'm unaware of. I'm hoping someone can help me figure out what's missing. Please let me know if I need to provide any other information that would be helpful.
#138 Re: Off-topic » Music » 2018-06-11 04:38:00
Glad you like it! I recommend digging a bit more into Black Hill's other music and aliases if you get a chance. His other project named "musicformessier" is also great: https://musicformessier.bandcamp.com/.
I downloaded both awhile back and forgot to mention so. Thanks for the share!
Also in this episode:
So Se Neon - The Wave
https://www.youtube.com/watch?v=HdkSpAL … jreload=10
This particular recording brings out the grittiness of the other guitar at the end, while the "lead" guitarist's sound is more reserved, like a texture over it.
#139 Re: Installation » [SOLVED] equivalent for Debian SID available? yes there are, read #3 » 2018-06-10 01:52:27
I'm half sure that I understand this question, so I'll try my best...
Devuan unstable (aka Debian's sid) is called ceres. If you want to use that, update your sources.list
If you're asking to use sid within a devuan system, try a chroot or virtual machindm
#140 Re: Devuan Derivatives » crunkbong is looking for testers » 2018-06-10 01:49:41
^my man
#141 Re: Off-topic » Microsoft acquiring GitHub » 2018-06-10 01:48:40
Where will you be when Microsoft starts charging for github service?
#142 Re: Devuan » Desktop Screenshot Contest! » 2018-05-31 13:38:38
live studio audience siva?
Who will your audience be? Inquiring minds must know.
#143 Re: Devuan » Will Devuan ever stop being based on Debian? » 2018-05-27 19:19:52
OT: Hoping you'll change that behavior. Come play with us!
I just need to sit down and invest four brain cells into an automated way to download the logs, so I can keep up to date with the conversations. I always seem to dip-in during dead hours 
#144 Re: Devuan » Will Devuan ever stop being based on Debian? » 2018-05-27 19:06:38
So why so many complaints on #systemd Freenode from Debianers?
Depends on the community you frequent, I guess; thanks for sharing that, as I rarely use IRC. I was thinking of the "official" forums (FDN). The attitude is implicitly pro-choice so long as Debian keeps other avenues open and doesn't completely restrict init choice. A lot of users there are renowned for derivates that use sysv or systemd and usually get along; the point is choice.
#145 Re: Installation » A journey thorugh ASCII » 2018-05-27 18:58:35
Warning: pinning ain't what it used to be. Stuff that's blocked on install is not necessarily (or maybe not at all) blocked on dist-upgrade. I've seen libsystemd0 come in like that on upgrading from jessie to ascii.
Do you know if there's a better way to prevent them from showing up?
Yes, I experienced this on upgrades from lenny to squeeze to wheezy to jessie to ascii. I don't recall what happened from sarge to etch to lenny, but I'll bet it was similar.
Makes sense. It isn't my primary system, so I'm not upset, but it is a little weird.
#146 Re: Devuan » Desktop Screenshot Contest! » 2018-05-27 18:30:34
OK, you seem to like dwm, here another one. No more info because I already took the scrot before but liked it enough to include it here.
But you can see urxvt, mpd running with ncmpcpp and conky included into the dwm bar on an ancient HP laptop that might die the next day.
Quite sexy. Can you share the configuration for the topbar? I just run mine as a small "while" script, but I'm interested to see how conky could pull this off.
#147 Re: Devuan » Will Devuan ever stop being based on Debian? » 2018-05-27 18:03:07
99.99% Archers didn't switch to OpenRC, and remaining 0.01% did it because they HEARD systemd is pure evil...I don't care what NASA uses nowadays, back in the day they chose YellowDogLinux, the worst distro ever for PPC machines.
This seems awfully familiar...oh, right.
Casual users and hobbyists probably won't care.
Archers have always had a tendency to go with the flow and whatever performs best; their culture is a nonsequitur because their goals are oriented with that mindset. Debian users' attitudes towards systemd range between apathetic and complicit, and there's a good reason: most of the professionals have fled to other projects, including Devuan. Debian's implementation of systemd is fine, and I recommend dropping by their community to test your beliefs about systemd, otherwise I'm going to [continue to] assume that you're just trolling ours.
As far as this community is concerned, it's more about maintaining software choice, even if that choice means a derivative of the mothership. Systemd is already a hard dependency in many programs, and that trend will probably continue if no one does anything about it. If intrusive software is properly configured, it's still intrusive software.
Since we're on nonsequiturs, I'd like to announce that I baked potatoes in the oven for the first time ever. They were delicious.
#148 Re: Devuan Derivatives » [MiyoLinux] New Releases Uploaded » 2018-05-27 14:06:15
Regarding crack: never used it, but I did crack my collar bone in a motorcycle accident in 1983. Not being one to leave things half finished, a few days later, I broke it completely.
Well, as long as you aren't a crack addict...
Regarding Openbox: it's all Awesome; however, as I'm an Openbox lover, I made my own Openbox-like window control buttons and themes for this release. Awesome has so many window control buttons, that they can almost fill the entire title bar. One of my goals...as it was with MiyoLinux and Miyo-i3...is to try and make a system a little easier for people who may have wanted to try a window manager, but never felt comfortable enough to actually do so. One small part of that (for this release) is giving users a familiar look on the windows. So...yes, it looks Openboxy on purpose, but it's all Awesome.
That makes sense. On the flip-side of this, Openbox has similar resize/non-titlebar features as well. If only there were a way for it to tile...
LOLOLOLOLOLOLOLOLOL!
Lol.
#149 Re: Installation » How to install Devuan system/language into spanish? [solved] » 2018-05-27 14:04:17
I believe you. I'm just trying to figure out how this user pulled that off -- especially since he/she has yet to reply.
#150 Re: Devuan » Will Devuan ever stop being based on Debian? » 2018-05-27 13:15:31
Systemd itself is not a mess. It's only Debian where it got totally messed up.
Fedora or Arch distributions don't really need systemd-free versions because systemd in these distros are implemented properly.
lmfao.
See also: http://forums.debian.net/viewtopic.php?f=20&t=120652 (I'm guessing you won't read it.)
Board footer
