VPN out + OpenVPN in

trendy
Posts: 282
Joined: Tue Feb 25, 2020 2:54 pm

Re: VPN out + OpenVPN in

Post by trendy »

First of all, OpenVPN is udp/1194, the rest belong to other protocols. But which one are you using?
Also if you are adding multiple ports you should also change the sequence number, as now the first two are overwritten by the third.
cotarelo
Posts: 22
Joined: Mon May 11, 2020 10:39 pm

Re: VPN out + OpenVPN in

Post by cotarelo »

OK, thank you. I tried at the beginning only with 1194 but it didn't connect, so I added the other two, which I thought were also needed for OpenVPN.

I am using the default installer from DietPi for OpenVPN, so if 1194 UDP is enough I can leave the first one only.
Still it doesn't get through
trendy
Posts: 282
Joined: Tue Feb 25, 2020 2:54 pm

Re: VPN out + OpenVPN in

Post by trendy »

You can verify the port with ss -tunlp | grep vpn
Other than that post the following: ip -4 addr; ip -4 ro list table all; ip -4 ru
cotarelo
Posts: 22
Joined: Mon May 11, 2020 10:39 pm

Re: VPN out + OpenVPN in

Post by cotarelo »

The first command has no return, the second gives a lot of information

Code:

dietpi@DietPi:~$ ss -tunlp | grep vpn
dietpi@DietPi:~$ ip -4 addr; ip -4 ro list table all; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.31.254/24 brd 192.168.31.255 scope global eth0
       valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    inet 10.121.34.39/23 brd 10.121.35.255 scope global tun1
       valid_lft forever preferred_lft forever
default via 192.168.31.1 dev eth0 table 100 
0.0.0.0/1 via 10.121.34.1 dev tun1 
default via 192.168.31.1 dev eth0 onlink 
10.8.0.0/24 via 10.8.0.2 dev tun0 
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1 
10.121.34.0/23 dev tun1 proto kernel scope link src 10.121.34.39 
37.120.136.243 via 192.168.31.1 dev eth0 
128.0.0.0/1 via 10.121.34.1 dev tun1 
192.168.31.0/24 dev eth0 proto kernel scope link src 192.168.31.254 
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1 
broadcast 10.121.34.0 dev tun1 table local proto kernel scope link src 10.121.34.39 
local 10.121.34.39 dev tun1 table local proto kernel scope host src 10.121.34.39 
broadcast 10.121.35.255 dev tun1 table local proto kernel scope link src 10.121.34.39 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.31.0 dev eth0 table local proto kernel scope link src 192.168.31.254 
local 192.168.31.254 dev eth0 table local proto kernel scope host src 192.168.31.254 
broadcast 192.168.31.255 dev eth0 table local proto kernel scope link src 192.168.31.254 
0:	from all lookup local 
16010:	from all sport 1194 lookup 100 
32766:	from all lookup main 
32767:	from all lookup default 
Not related, but I have also realised that the no-ip ddns script is updating to the wrong IP even when I mark eth0 as the interface for updating.
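Added example (not part of the original posts): a shell check that reads saved `ip -4 ru` and `ip -4 ro list table all` output and reports which device a packet with a given source port would leave by. The sample text is a constructed, trimmed copy of the output posted above; the function names and the destination 203.0.113.10 (a documentation address) are assumptions made for this example.

```sh
# Constructed sample, trimmed from the output posted above.
RULES='0: from all lookup local
16010: from all sport 1194 lookup 100
32766: from all lookup main
32767: from all lookup default'
ROUTES='default via 192.168.31.1 dev eth0 table 100
0.0.0.0/1 via 10.121.34.1 dev tun1
default via 192.168.31.1 dev eth0 onlink
128.0.0.0/1 via 10.121.34.1 dev tun1
192.168.31.0/24 dev eth0 proto kernel scope link src 192.168.31.254'

# table_for_sport PORT: first rule (rules are listed in priority order) matching the port.
# Table "local" is skipped: it only holds host and broadcast routes.
table_for_sport() {
    printf '%s\n' "$RULES" | awk -v port="$1" '
        {
            tbl = ""; sport = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "lookup") tbl = $(i + 1)
                if ($i == "sport")  sport = $(i + 1)
            }
            if (tbl == "local") next
            if (sport == "" || sport == port) { print tbl; exit }
        }'
}

# egress_dev TABLE DEST_IP: longest-prefix match inside one table.
# Simplification: no fall-through to the next rule when the table has no match.
egress_dev() {
    printf '%s\n' "$ROUTES" | awk -v want="$1" -v dst="$2" '
        function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
        BEGIN { best = -1 }
        $1 == "local" || $1 == "broadcast" { next }
        {
            tbl = "main"; dev = ""              # routes without "table X" are in main
            for (i = 2; i <= NF; i++) {
                if ($i == "table") tbl = $(i + 1)
                if ($i == "dev")   dev = $(i + 1)
            }
            if (tbl != want) next
            net = $1; len = 32
            if (net == "default") { net = "0.0.0.0"; len = 0 }
            else if (split(net, p, "/") == 2) { net = p[1]; len = p[2] + 0 }
            block = 2 ^ (32 - len)
            if (int(ip2n(dst) / block) == int(ip2n(net) / block) && len > best) { best = len; out = dev }
        }
        END { if (best >= 0) print out }'
}

reply_dev() { egress_dev "$(table_for_sport "$1")" "$2"; }   # reply_dev SPORT DEST_IP
reply_dev 1194 203.0.113.10   # replies from the OpenVPN server port
reply_dev 443  203.0.113.10   # any other traffic
```

With the posted state, source port 1194 resolves to table 100 and eth0, while other traffic follows the two /1 routes in main out of tun1.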
trendy
Posts: 282
Joined: Tue Feb 25, 2020 2:54 pm

Re: VPN out + OpenVPN in

Post by trendy »

What about this?
grep port /etc/openvpn/*
cotarelo
Posts: 22
Joined: Mon May 11, 2020 10:39 pm

Re: VPN out + OpenVPN in

Post by cotarelo »

Code:

grep port /etc/openvpn/*
grep: /etc/openvpn/client: Is a directory
grep: /etc/openvpn/easy-rsa: Is a directory
grep: /etc/openvpn/server: Is a directory
/etc/openvpn/server.conf:port 1194
Also

Code:

netstat -putan | grep 1194
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           1240/openvpn        
trendy
Posts: 282
Joined: Tue Feb 25, 2020 2:54 pm

Re: VPN out + OpenVPN in

Post by trendy »

netstat is not included in dietpi and is deprecated, ss is the successor. Anyway, we have established the openvpn server is running on udp/1194
Install tcpdump if you don't have it already and run: sudo tcpdump -i eth0 -evn udp port 1194
Then try to connect from the client, let it capture a few packets, stop with Ctrl-c and paste here the output.
Last edited by trendy on Sat Mar 27, 2021 6:40 pm, edited 1 time in total.
MichaIng
Site Admin
Posts: 2780
Joined: Sat Nov 18, 2017 6:21 pm

Re: VPN out + OpenVPN in

Post by MichaIng »

Probably it's required to add "dev eth0" to the ip route, to force it using the right device as well.
trendy
Posts: 282
Joined: Tue Feb 25, 2020 2:54 pm

Re: VPN out + OpenVPN in

Post by trendy »

It doesn't hurt to add it, however the dietpi shouldn't have any issues finding the 192.168.31.1 as it is directly connected to the eth0.
cotarelo
Posts: 22
Joined: Mon May 11, 2020 10:39 pm

Re: VPN out + OpenVPN in

Post by cotarelo »

Where should I add the dev flag? What other things can I do?