What To Do When Our VPN Fails

Thanks to automated scripts like Angristan's, a VPN can be set up very easily and quickly.
But what do we do when it fails...?
These scripts touch so many things in our system that detecting and correcting the origin of a problem when something fails can be mission impossible...

Recently the host of one of my VPSes was migrated and the VPN suddenly stopped working.
So here is a series of checks and tests to narrow down this kind of problem, which is so hard to tackle.

In the article openvpn_angristan we set up a VPN in practically 10 minutes. It also comes with some basic checks.




Check that the interface has loaded correctly

ifconfig / ip a / ip a | grep tun

root@em50l:~# ip a |grep tun   
3: tun0:  mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0

If it has not loaded:

  • check the kernel drivers (the tun module)
  • Re-enable the tun/tap interface from the management panel (on an OpenVZ container the device has to be enabled on the host side)



Check packet forwarding

root@em50l:~# cat /etc/sysctl.conf |grep forward
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
cat /proc/sys/net/ipv4/ip_forward
1

To enable ip_forward: sysctl -w net.ipv4.ip_forward=1 or echo 1 > /proc/sys/net/ipv4/ip_forward. Both take effect immediately but do not survive a reboot; the net.ipv4.ip_forward=1 line in /etc/sysctl.conf shown above is what makes it persistent.




Check iptables rules

root@em50l:~# iptables --list-rules

-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i venet0:0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i venet0:0 -p tcp -m tcp --dport 80 -m comment --comment "permito http" -j ACCEPT
-A INPUT -i venet0:0 -p tcp -m tcp --dport 443 -m comment --comment "permito https" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -m comment --comment "ssh max 5/5min"
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 5 --name SSH --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Check the NAT table (network address translation)

root@em50l:~# iptables -L -n -t nat

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  10.8.0.0/24         !10.8.0.0/24          to: aa.bb.cc.dd

Here we see that all packets coming from the 10.8.0.0/24 network whose destination is outside its own segment
are sent out through the external IP (the WAN-side address).
Without this rule the VPN clients would have no internet access (only access to the VPN).

root@em50l:~# iptables -L -n 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /*permito ya Activas*/

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

The most logical thing is that incoming connections to the VPN port are allowed (in this case OpenVPN on UDP 1194).
It is also good for the first rules to accept connections that are already established (this speeds up iptables, since the whole rule list does not have to be checked for every packet).

root@em50l:~# iptables -S -t nat
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source aa.bb.cc.dd

Here I see that all packets with source 10.8.0.0/24 and a destination that is any IP outside the VPN (! -d 10.8.0.0/24) are SNATed and forwarded out through the IP connected to the internet.

https://wiki.openvz.org/VPN_via_the_TUN/TAP_device#Troubleshooting
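The checks from the sections above (tun interface, ip_forward, filter rules, NAT rule) as one pass/fail script. This is an added example, not code from the article or from Angristan's script; it assumes Angristan's defaults (pool 10.8.0.0/24, UDP 1194) and iptables -S style output, and the samples it ships with are constructed from the article's own outputs.

```shell
#!/bin/sh
# Added example (not the article's or Angristan's code): the article's checks as
# pass/fail functions. Each check_* takes command output as text, so it runs offline
# on the constructed samples below and live on a server via run_live_checks
# (assumes root, Angristan's defaults and iptables -S output).
VPN_NET="10.8.0.0/24"   # assumption: Angristan's default client pool
VPN_PORT="1194"         # assumption: default OpenVPN UDP port

# 1. tun interface present and addressed (input: output of `ip a`)
check_tun() {
    printf '%s\n' "$1" | grep -qE '^[0-9]+: tun[0-9]+:' &&
    printf '%s\n' "$1" | grep -qE 'inet [0-9.]+/[0-9]+ .* tun[0-9]+$'
}
# 2. kernel forwarding on (input: contents of /proc/sys/net/ipv4/ip_forward)
check_forward() { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]; }
# 3. filter table: VPN port open and FORWARD allows the pool (input: `iptables -S`)
check_filter() {
    printf '%s\n' "$1" | grep -qE "^-A INPUT -p udp -m udp --dport $VPN_PORT -j ACCEPT" &&
    printf '%s\n' "$1" | grep -qE "^-A FORWARD -s $VPN_NET -j ACCEPT"
}
# 4. nat table: SNAT or MASQUERADE for the pool (input: `iptables -S -t nat`)
check_nat() {
    printf '%s\n' "$1" | grep -qE "^-A POSTROUTING -s $VPN_NET .*-j (SNAT --to-source|MASQUERADE)"
}

# Constructed samples modelled on the article's own outputs (flags on the tun line restored).
SAMPLE_IPA='3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0'
SAMPLE_FILTER='-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source aa.bb.cc.dd'

# Print PASS/FAIL for one check; a FAIL names the section of the article to revisit.
report() { if "$1" "$2"; then echo "PASS $1"; else echo "FAIL $1"; return 1; fi; }
# Offline run over the samples: this is what an intact setup looks like.
demo() {
    report check_tun "$SAMPLE_IPA"; report check_forward "1"
    report check_filter "$SAMPLE_FILTER"; report check_nat "$SAMPLE_NAT"
}
# Live run as root on the server: sh vpncheck.sh --live
run_live_checks() {
    report check_tun "$(ip a)"
    report check_forward "$(cat /proc/sys/net/ipv4/ip_forward)"
    report check_filter "$(iptables -S)"
    report check_nat "$(iptables -S -t nat)"
}
if [ "${1:-}" = "--live" ]; then run_live_checks; else demo; fi
```

A FAIL on check_nat with check_filter passing is the exact symptom described above: clients reach the VPN but not the internet.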




Check that the server works by running it by hand

  • We can launch the server by hand with verbose mode enabled to watch what happens.

cd /etc/openvpn/
openvpn --verb 6 --config server.conf

root@hard:~# cd /etc/openvpn/
root@hard:/etc/openvpn# ls
ca.crt  client-template.txt  ipp.txt      server_8KDHOkdw97Z.crt  update-resolv-conf
ca.key  crl.pem          server   server_8KDHOkdw97Z.key
client  easy-rsa         server.conf  tls-crypt.key

root@hard:/etc/openvpn# openvpn --verb 6 --config server.conf 
Fri Dec  6 12:02:50 2019 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 14 2018
Fri Dec  6 12:02:50 2019 library versions: OpenSSL 1.0.2s  28 May 2019, LZO 2.08
Fri Dec  6 12:02:50 2019 ECDH curve prime256v1 added
Fri Dec  6 12:02:50 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec  6 12:02:50 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec  6 12:02:50 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec  6 12:02:50 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec  6 12:02:50 2019 TUN/TAP device tun0 opened
Fri Dec  6 12:02:50 2019 TUN/TAP TX queue length set to 100
Fri Dec  6 12:02:50 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Dec  6 12:02:50 2019 /sbin/ip link set dev tun0 up mtu 1500
Fri Dec  6 12:02:50 2019 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Dec  6 12:02:50 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Dec  6 12:02:50 2019 Socket Buffers: R=[133120->133120] S=[133120->133120]
Fri Dec  6 12:02:50 2019 UDPv4 link local (bound): [AF_INET][undef]:13020
Fri Dec  6 12:02:50 2019 UDPv4 link remote: [AF_UNSPEC]
Fri Dec  6 12:02:50 2019 GID set to nogroup
Fri Dec  6 12:02:50 2019 UID set to nobody
Fri Dec  6 12:02:50 2019 MULTI: multi_init called, r=256 v=256
Fri Dec  6 12:02:50 2019 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Fri Dec  6 12:02:50 2019 IFCONFIG POOL LIST
Fri Dec  6 12:02:50 2019 Initialization Sequence Completed

And when a client connects we will see:

Fri Dec  6 12:10:22 2019 83.33.184.238:35001 TLS: Initial packet from [AF_INET]83.33.184.238:35001, sid=5126a9c3 7a1c9ac8
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 VERIFY OK: depth=1, CN=cn_r7RIKDTGgmwtNtgX
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 VERIFY OK: depth=0, CN=x30
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 peer info: IV_VER=2.5_master
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 peer info: IV_PLAT=android
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 peer info: IV_PROTO=2
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 peer info: IV_NCP=2
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 peer info: IV_LZ4=1
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 peer info: IV_LZ4v2=1
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 peer info: IV_LZO=1
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 peer info: IV_COMP_STUB=1
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 peer info: IV_COMP_STUBv2=1
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 peer info: IV_TCPNL=1
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.7
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES128-GCM-SHA256
Fri Dec  6 12:10:22 2019 83.33.184.238:35001 [x30] Peer Connection Initiated with [AF_INET]83.33.184.238:35001
Fri Dec  6 12:10:22 2019 x30/83.33.184.238:35001 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Fri Dec  6 12:10:22 2019 x30/83.33.184.238:35001 MULTI: Learn: 10.8.0.2 -> x30/83.33.184.238:35001
Fri Dec  6 12:10:22 2019 x30/83.33.184.238:35001 MULTI: primary virtual IP for x30/83.33.184.238:35001: 10.8.0.2


