  1. #1  Just Joined! | Join Date: Jan 2013 | Location: Debian Stable AMD-64 (Gnome 3) | Posts: 77

    OpenVPN + Network-Manager (Fake Connection Established?)


    I'm using the network-manager openvpn plugin to do static key authentication, uncertain whether it works with LXC. I configured it as follows:

    Gateway: Server (Container) IP address
    Static Key: direct to the file that was copied from my container
    Key Direction: none (since I have never heard of this option before)
    Remote IP address: tun on server's side ip address (10.9.8.1)
    Local IP address: tun on client's side (10.9.8.2)

    After I turn the VPN on, it says the connection was successful. However, websites can still trace my IP and location. I'm not sure whether using a static key doesn't change my IP address, but I'm unsure how it works, since I know it can only handle one client-server connection and is not as secure as TLS. But the documentation fails to reveal whether it changes your IP, or your location for that matter.

    Anyone wish to talk about this?

  2. #2  Just Joined! | Join Date: Sep 2014 | Location: Seattle, WA | Posts: 14
    What's the output from the following?

    Code:
    /sbin/ifconfig
    ip addr
    ip route
    ps -ef | grep openvpn

  3. #3  Just Joined! | Join Date: Jan 2013 | Location: Debian Stable AMD-64 (Gnome 3) | Posts: 77
    Quote Originally Posted by TheRHCE View Post
    What's the output from the following?

    Code:
    /sbin/ifconfig
    ip addr
    ip route
    ps -ef | grep openvpn
    /sbin/ifconfig:

    Code:
    eth0      Link encap:Ethernet  HWaddr 60:eb:69:0a:22:4a  
              UP BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
              Interrupt:42 Base address:0x2000 
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:200 errors:0 dropped:0 overruns:0 frame:0
              TX packets:200 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:13968 (13.6 KiB)  TX bytes:13968 (13.6 KiB)
    
    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
              inet addr:10.9.8.2  P-t-P:10.9.8.1  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    vethHxeIEo Link encap:Ethernet  HWaddr fe:fc:d9:ca:ca:c6  
              inet6 addr: fe80::fcfc:d9ff:feca:cac6/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:18 errors:0 dropped:0 overruns:0 frame:0
              TX packets:854 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:2528 (2.4 KiB)  TX bytes:48335 (47.2 KiB)
    
    virbr0    Link encap:Ethernet  HWaddr fe:fc:d9:ca:ca:c6  
              inet addr:192.168.122.X  Bcast:192.168.122.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:18 errors:0 dropped:0 overruns:0 frame:0
              TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:2276 (2.2 KiB)  TX bytes:1816 (1.7 KiB)
    
    wlan0     Link encap:Ethernet  HWaddr 4c:0f:6e:14:b8:a6  
              inet addr:192.168.X.XX  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::4e:6eff:fe14:b8a6/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:7560 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2212 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:1706171 (1.6 MiB)  TX bytes:336710 (328.8 KiB)
    ip addr:

    Code:
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
        link/ether 60:eb:69:0a:22:4a brd ff:ff:ff:ff:ff:ff
    3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
        link/ether 4c:0f:6e:14:b8:a6 brd ff:ff:ff:ff:ff:ff
        inet 192.168.X.XX/24 brd 192.168.1.255 scope global wlan0
        inet6 fe80::4e0f:6eff:fe14:b8a6/64 scope link 
           valid_lft forever preferred_lft forever
    4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
        link/none 
        inet 10.9.8.2 peer 10.9.8.1/32 scope global tun0
    6: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
        link/ether fe:fc:d9:ca:ca:c6 brd ff:ff:ff:ff:ff:ff
        inet 192.168.122.X/24 brd 192.168.122.255 scope global virbr0
    8: vethHxeIEo: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UP qlen 1000
        link/ether fe:fc:d9:ca:ca:c6 brd ff:ff:ff:ff:ff:ff
        inet6 fe80::fcfc:d9ff:feca:cac6/64 scope link 
           valid_lft forever preferred_lft forever
    ip route:

    Code:
    default via 192.168.1.1 dev wlan0  proto static 
    10.9.8.1 dev tun0  proto kernel  scope link  src 10.9.8.2 
    192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.XX 
    192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.X
    ps -ef

    Code:
    root      3348     1  0 22:42 ?        00:00:00 /usr/sbin/openvpn --writepid /var/run/openvpn.tun0.pid --daemon ovpn-tun0 --status /var/run/openvpn.tun0.status 10 --cd /etc/openvpn --config /etc/openvpn/tun0.conf
    root      6319  4931  0 22:47 ?        00:00:00 /usr/sbin/openvpn --writepid /var/run/openvpn.tun0.pid --daemon ovpn-tun0 --status /var/run/openvpn.tun0.status 10 --cd /etc/openvpn --config /etc/openvpn/tun0.conf
    zhong    11338  4734  0 23:18 pts/0    00:00:00 grep openvpn
    Since the plugin isn't made by the OpenVPN team, I've been trying to get static key to work for tunneling all of the client's IP traffic over the VPN. I would appreciate it if anybody could give out pointers.

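    The routing table posted above already explains the symptom: tun0 is up, but only the peer 10.9.8.1 is routed through it, while the default route still leaves via wlan0, so ordinary web traffic never touches the VPN. As an added example (not code from either poster), this POSIX shell script decides from `ip route` text which interface would carry Internet-bound traffic; the sample tables are constructed from the output above, with the masked octets replaced by made-up values.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `ip route` output whether
# Internet-bound traffic would leave through the tunnel or the physical NIC.
# It works on text, so it runs offline on the constructed sample below or live
# with: route_exit_dev "$(ip route)"

# Constructed sample mirroring the poster's table (masked octets replaced with
# made-up values): tun0 is up, but only the peer is routed through it; the
# default route still uses wlan0.
SAMPLE_ROUTES='default via 192.168.1.1 dev wlan0  proto static
10.9.8.1 dev tun0  proto kernel  scope link  src 10.9.8.2
192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.20
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1'

# What "redirect-gateway def1" adds on the client (constructed): two /1 routes
# via the tunnel peer that beat the /0 default without deleting it.
SAMPLE_ROUTES_DEF1="0.0.0.0/1 via 10.9.8.1 dev tun0
128.0.0.0/1 via 10.9.8.1 dev tun0
$SAMPLE_ROUTES"

# Print the interface a packet to an address outside every listed prefix
# would use: a complete def1 pair wins over the plain default route.
route_exit_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "0.0.0.0/1"   { for (i = 1; i <= NF; i++) if ($i == "dev") lo = $(i+1) }
        $1 == "128.0.0.0/1" { for (i = 1; i <= NF; i++) if ($i == "dev") hi = $(i+1) }
        $1 == "default"     { for (i = 1; i <= NF; i++) if ($i == "dev") def = $(i+1) }
        END { if (lo != "" && lo == hi) print lo; else print def }'
}

# "yes" when Internet-bound traffic exits via a tun/tap device, else "no".
traffic_uses_vpn() {
    case "$(route_exit_dev "$1")" in
        tun*|tap*) echo yes ;;
        *)         echo no ;;
    esac
}

# Run with --demo to print both verdicts; the functions above are the reusable part.
if [ "${1-}" = "--demo" ]; then
    echo "as posted:  exit dev $(route_exit_dev "$SAMPLE_ROUTES"), VPN used: $(traffic_uses_vpn "$SAMPLE_ROUTES")"
    echo "with def1:  exit dev $(route_exit_dev "$SAMPLE_ROUTES_DEF1"), VPN used: $(traffic_uses_vpn "$SAMPLE_ROUTES_DEF1")"
fi
```

    On a live system, `sh check.sh --demo` shows the two sample verdicts, and `traffic_uses_vpn "$(ip route)"` gives the answer for the current host.
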
  4. #4  Just Joined! | Join Date: Sep 2014 | Location: Seattle, WA | Posts: 14
    Add the following to your client configuration file:
    Code:
    redirect-gateway def1 bypass-dhcp
    This will direct all non-connected traffic through the tunnel.

    If you want to specify a DNS server to use across the tunnel this can be placed on the server or the client. To place it on the client, add the line to the client config file as follows:
    Code:
    dhcp-option DNS 10.8.0.1
    You'll want to specify your own DNS server, or a public server like Google DNS (8.8.8.8).

  5. #5  Just Joined! | Join Date: Jan 2013 | Location: Debian Stable AMD-64 (Gnome 3) | Posts: 77
    Quote Originally Posted by TheRHCE View Post
    Add the following to your client configuration file:
    Code:
    redirect-gateway def1 bypass-dhcp
    This will direct all non-connected traffic through the tunnel.

    If you want to specify a DNS server to use across the tunnel this can be placed on the server or the client. To place it on the client, add the line to the client config file as follows:
    Code:
    dhcp-option DNS 10.8.0.1
    You'll want to specify your own DNS server, or a public server like Google DNS (8.8.8.8).
    I can't use the config file since openvpn will look for missing files required for TLS/SSL encryption. The command just leaves the connection hanging.

  6. #6  Just Joined! | Join Date: Sep 2014 | Location: Seattle, WA | Posts: 14
    Quote Originally Posted by G-Known View Post
    I can't use the config file since openvpn will look for missing files required for TLS/SSL encryption. The command just leaves the connection hanging.
    Add the following to the server configuration, in that case, and restart the OpenVPN service on the server.

    Code:
    push "redirect-gateway def1 bypass-dhcp"
    NOTE: This will cause all client traffic, for all clients to be directed through the VPN server.

  7. #7  Just Joined! | Join Date: Jan 2013 | Location: Debian Stable AMD-64 (Gnome 3) | Posts: 77
    Quote Originally Posted by TheRHCE View Post
    Add the following to the server configuration, in that case, and restart the OpenVPN service on the server.

    Code:
    push "redirect-gateway def1 bypass-dhcp"
    NOTE: This will cause all client traffic, for all clients to be directed through the VPN server.

    The server config will continue to queue while the client shows: [EHOSTUNREACH]: No route to host (code=113). This is how I enter the option:

    Code:
    openvpn --dev tun0-00 --ifconfig 10.9.8.1 10.9.8.2 --secret /etc/openvpn/static.key --port 443 --push "redirect-gateway def1 bypass-dhcp"
    NAT and IP forwarding are enabled on the server's end. It seems to me like there's documentation for this process on OpenVPN discussing methods of dealing with TLS encryption, because the push and pull features are TLS-exclusive.

    The server is an LXC machine using libvirt for its internet access, as shown by the info above. The client is the host machine. They each share a slightly different IP address.

  8. #8  Just Joined! | Join Date: Sep 2014 | Location: Seattle, WA | Posts: 14
    Is there some reason you can't use TLS/SSL? It does make the system much more secure as well as more standard in terms of configuration.

  9. #9  Just Joined! | Join Date: Jan 2013 | Location: Debian Stable AMD-64 (Gnome 3) | Posts: 77
    I'm not saying that I can't. I shouldn't need to if static key works just about the same, despite being less secure. If I cannot send web traffic over the VPN using a static key, then it would be pointless to continue using it.

  10. #10  Just Joined! | Join Date: Sep 2014 | Location: Seattle, WA | Posts: 14
    Can you send the contents of the config file (or configuration options) that Network Manager is passing to OpenVPN?
