What To Do When Our VPN Fails
Thanks to automated scripts such as Angristan's, a VPN can be set up very quickly and easily.
But what do we do when it fails...?
These scripts touch so many things in our system that detecting and correcting the origin of a problem when something fails can be mission impossible...
Recently the host of one of my VPS was migrated, and suddenly the VPN stopped working.
So here is a series of checks and tests to narrow down this kind of problem, which is so hard to tackle.
In the article openvpn_angristan we set up a VPN in practically 10 minutes. It also comes with some basic checks.
Check that the interface has been loaded correctly
ifconfig
ip a
ip a | grep tun
root@em50l:~# ip a | grep tun
3: tun0: mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
If it has not loaded:
- check the kernel drivers (the tun module)
- re-enable the tun/tap interface from the VPS management panel
Check packet forwarding
root@em50l:~# cat /etc/sysctl.conf | grep forward
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
cat /proc/sys/net/ipv4/ip_forward
1
To enable ip_forward:
sysctl -w net.ipv4.ip_forward=1
or echo 1 > /proc/sys/net/ipv4/ip_forward
Both of these only last until the next reboot; the line in /etc/sysctl.conf is what makes the setting persistent.
Check the iptables rules
root@em50l:~# iptables --list-rules
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i venet0:0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i venet0:0 -p tcp -m tcp --dport 80 -m comment --comment "permito http" -j ACCEPT
-A INPUT -i venet0:0 -p tcp -m tcp --dport 443 -m comment --comment "permito https" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -m comment --comment "ssh max 5/5min"
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 5 --name SSH --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Check the NAT table (network address translation)
root@em50l:~# iptables -L -n -t nat
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.8.0.0/24         !10.8.0.0/24          to:aa.bb.cc.dd
Here we see that all packets coming from the 10.8.0.0 network whose destination is outside its own segment are sent out through the external IP (the WAN-side IP).
Without this rule the VPN clients would have no internet access (only access to the VPN itself).
root@em50l:~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* permito ya Activas */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.8.0.0/24          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
The most logical thing is that incoming connections to the VPN port are allowed (in this case OpenVPN on UDP port 1194). Check that this port and protocol match the port and proto lines in server.conf.
It is also good for the first rules to allow already established connections (this speeds up iptables, since the remaining rules do not have to be evaluated for those packets).
root@em50l:~# iptables -S -t nat
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source aa.bb.cc.dd
Here I see that all packets with source 10.8.0.0/24
and with destination any IP that is not in the VPN (! -d 10.8.0.0/24)
get SNAT applied and are sent out through the IP connected to the internet.
https://wiki.openvz.org/VPN_via_the_TUN/TAP_device#Troubleshooting
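The three checks above (tun interface, ip_forward, FORWARD and NAT rules) can be turned into one script that reports which piece is missing. The following is an added example, not code from the original post or from Angristan's script: the check functions work on captured text (pasted from a broken server) and, with --live, on the real output of ip, sysctl and iptables. The subnet default 10.8.0.0/24 is the one used in this post; the function names and the sample WAN address 192.0.2.1 (a documentation placeholder) are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): offline checks over captured output of
# `ip a`, `sysctl net.ipv4.ip_forward`, `iptables -S` and `iptables -S -t nat`.
# Run with --live (as root) to check the running server, or with no arguments to
# run the same checks against the constructed sample below.

VPN_NET="${VPN_NET:-10.8.0.0/24}"   # subnet from the post's setup; override for other installs

# stdin: output of `ip a`. Succeeds when some tunN interface carries an IPv4 address.
tun_has_address() {
    grep -Eq '^ *inet [0-9.]+/[0-9]+ .* tun[0-9]+$'
}

# $1: output of `sysctl net.ipv4.ip_forward` or of `cat /proc/sys/net/ipv4/ip_forward`.
ip_forward_enabled() {
    [ "${1##* }" = "1" ]
}

# stdin: output of `iptables -S`; $1: VPN subnet. Succeeds when FORWARD accepts traffic from it.
forward_rule_present() {
    grep -Eq '^-A FORWARD -s '"$1"' .*-j ACCEPT$'
}

# stdin: output of `iptables -S -t nat`; $1: VPN subnet. SNAT (as in the post) or MASQUERADE both count.
nat_rule_present() {
    grep -Eq '^-A POSTROUTING -s '"$1"' .*-j (SNAT|MASQUERADE)'
}

# Print one line per check; the exit status is the number of failed checks (0 = all good).
report_checks() {
    ip_a="$1"; forward="$2"; filter="$3"; nat="$4"; net="$5"; failed=0
    if printf '%s\n' "$ip_a" | tun_has_address; then
        echo "OK   tun interface up with an address"
    else
        echo "FAIL no tun interface with an address (kernel tun module / VPS panel)"; failed=$((failed + 1))
    fi
    if ip_forward_enabled "$forward"; then
        echo "OK   net.ipv4.ip_forward = 1"
    else
        echo "FAIL packet forwarding disabled (sysctl -w net.ipv4.ip_forward=1)"; failed=$((failed + 1))
    fi
    if printf '%s\n' "$filter" | forward_rule_present "$net"; then
        echo "OK   FORWARD accepts $net"
    else
        echo "FAIL no FORWARD rule for $net"; failed=$((failed + 1))
    fi
    if printf '%s\n' "$nat" | nat_rule_present "$net"; then
        echo "OK   POSTROUTING NATs $net to the WAN address"
    else
        echo "FAIL no SNAT/MASQUERADE rule for $net: clients reach the VPN but not the internet"; failed=$((failed + 1))
    fi
    return "$failed"
}

# Constructed sample output, modelled on the healthy server shown in the post.
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0'
SAMPLE_FORWARD='net.ipv4.ip_forward = 1'
SAMPLE_FILTER='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_NAT='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to-source 192.0.2.1'

if [ "${1:-}" = "--live" ]; then
    report_checks "$(ip a)" "$(sysctl net.ipv4.ip_forward)" "$(iptables -S)" "$(iptables -S -t nat)" "$VPN_NET"
else
    report_checks "$SAMPLE_IP_A" "$SAMPLE_FORWARD" "$SAMPLE_FILTER" "$SAMPLE_NAT" "$VPN_NET"
fi
```

Because each check is a small function over text, the same script can be fed output copied out of a ticket or a chat, and the exit status makes it usable from a monitoring job that alerts when the NAT rule disappears after a host migration.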
Check that the server works by running it by hand
- We can launch the server by hand with verbose mode enabled to watch what happens (stop the openvpn service first, otherwise the second instance cannot bind the same port and tun device).
cd /etc/openvpn/
openvpn --verb 6 --config server.conf
root@hard:~# cd /etc/openvpn/
root@hard:/etc/openvpn# ls
ca.crt  client-template.txt  ipp.txt  server_8KDHOkdw97Z.crt  update-resolv-conf
ca.key  crl.pem  server  server_8KDHOkdw97Z.key
client  easy-rsa  server.conf  tls-crypt.key
root@hard:/etc/openvpn# openvpn --verb 6 --config server.conf
Fri Dec 6 12:02:50 2019 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 14 2018
Fri Dec 6 12:02:50 2019 library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.08
Fri Dec 6 12:02:50 2019 ECDH curve prime256v1 added
Fri Dec 6 12:02:50 2019 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 6 12:02:50 2019 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 6 12:02:50 2019 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 6 12:02:50 2019 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 6 12:02:50 2019 TUN/TAP device tun0 opened
Fri Dec 6 12:02:50 2019 TUN/TAP TX queue length set to 100
Fri Dec 6 12:02:50 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Fri Dec 6 12:02:50 2019 /sbin/ip link set dev tun0 up mtu 1500
Fri Dec 6 12:02:50 2019 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Dec 6 12:02:50 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Dec 6 12:02:50 2019 Socket Buffers: R=[133120->133120] S=[133120->133120]
Fri Dec 6 12:02:50 2019 UDPv4 link local (bound): [AF_INET][undef]:13020
Fri Dec 6 12:02:50 2019 UDPv4 link remote: [AF_UNSPEC]
Fri Dec 6 12:02:50 2019 GID set to nogroup
Fri Dec 6 12:02:50 2019 UID set to nobody
Fri Dec 6 12:02:50 2019 MULTI: multi_init called, r=256 v=256
Fri Dec 6 12:02:50 2019 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Fri Dec 6 12:02:50 2019 IFCONFIG POOL LIST
Fri Dec 6 12:02:50 2019 Initialization Sequence Completed
And when a client connects we will see:
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 TLS: Initial packet from [AF_INET]83.33.184.238:35001, sid=5126a9c3 7a1c9ac8
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 VERIFY OK: depth=1, CN=cn_r7RIKDTGgmwtNtgX
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 VERIFY OK: depth=0, CN=x30
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_VER=2.5_master
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_PLAT=android
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_PROTO=2
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_NCP=2
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_LZ4=1
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_LZ4v2=1
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_LZO=1
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_COMP_STUB=1
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_COMP_STUBv2=1
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_TCPNL=1
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 peer info: IV_GUI_VER=de.blinkt.openvpn_0.7.7
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES128-GCM-SHA256
Fri Dec 6 12:10:22 2019 83.33.184.238:35001 [x30] Peer Connection Initiated with [AF_INET]83.33.184.238:35001
Fri Dec 6 12:10:22 2019 x30/83.33.184.238:35001 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Fri Dec 6 12:10:22 2019 x30/83.33.184.238:35001 MULTI: Learn: 10.8.0.2 -> x30/83.33.184.238:35001
Fri Dec 6 12:10:22 2019 x30/83.33.184.238:35001 MULTI: primary virtual IP for x30/83.33.184.238:35001: 10.8.0.2
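A verbose log like the one above gets long quickly once several clients connect, so it helps to reduce it to the three facts that matter when troubleshooting: did the server reach "Initialization Sequence Completed", which clients were verified and received a tunnel address, and how many handshakes failed. The script below is an added example (not code from the original post or from the OpenVPN project); its sample log lines are constructed, using documentation IP ranges, and modelled on the messages shown above. The failure lines in the sample (VERIFY ERROR / TLS Error) are constructed too.

```shell
#!/bin/sh
# Added example (not part of the original post): summarise an OpenVPN `--verb` server log.
# Usage: sh summarise.sh /var/log/openvpn.log   (or run with no arguments to use the sample)

# stdin: server log. Succeeds once OpenVPN reports it is ready to accept clients.
server_ready() {
    grep -q 'Initialization Sequence Completed'
}

# stdin: server log. Prints "CN remote_ip:port tunnel_ip" for every client that got an address.
list_sessions() {
    awk '/MULTI_sva: pool returned IPv4=/ {
        split($6, peer, "/")                    # "x30/203.0.113.10:35001" -> CN and remote endpoint
        ip = $0; sub(/.*IPv4=/, "", ip); sub(/,.*/, "", ip)   # keep only the pool address
        print peer[1], peer[2], ip
    }'
}

# stdin: server log. Prints the number of certificate-verification / TLS-handshake failures.
count_tls_failures() {
    grep -Ec 'VERIFY ERROR|TLS Error' || true   # grep -c exits 1 on zero matches; the count is still printed
}

# stdin: server log. Human-readable summary of the three checks.
summarise_log() {
    log="$(cat)"
    if printf '%s\n' "$log" | server_ready; then
        echo "server: ready"
    else
        echo "server: never completed initialisation (read the lines before the first error)"
    fi
    echo "sessions (CN remote tunnel_ip):"
    printf '%s\n' "$log" | list_sessions | sed 's/^/  /'
    echo "tls/verify failures: $(printf '%s\n' "$log" | count_tls_failures)"
}

# Constructed sample: one successful Android client and one client presenting a revoked certificate.
SAMPLE_LOG='Fri Dec 6 12:02:50 2019 TUN/TAP device tun0 opened
Fri Dec 6 12:02:50 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Fri Dec 6 12:02:50 2019 Initialization Sequence Completed
Fri Dec 6 12:10:22 2019 203.0.113.10:35001 TLS: Initial packet from [AF_INET]203.0.113.10:35001, sid=5126a9c3 7a1c9ac8
Fri Dec 6 12:10:22 2019 203.0.113.10:35001 VERIFY OK: depth=1, CN=cn_example_ca
Fri Dec 6 12:10:22 2019 203.0.113.10:35001 VERIFY OK: depth=0, CN=x30
Fri Dec 6 12:10:22 2019 203.0.113.10:35001 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-ECDSA-AES128-GCM-SHA256
Fri Dec 6 12:10:22 2019 203.0.113.10:35001 [x30] Peer Connection Initiated with [AF_INET]203.0.113.10:35001
Fri Dec 6 12:10:22 2019 x30/203.0.113.10:35001 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Fri Dec 6 12:10:30 2019 198.51.100.7:41000 TLS: Initial packet from [AF_INET]198.51.100.7:41000, sid=0a1b2c3d 4e5f6071
Fri Dec 6 12:10:31 2019 198.51.100.7:41000 VERIFY ERROR: depth=0, error=certificate revoked: CN=oldlaptop
Fri Dec 6 12:10:31 2019 198.51.100.7:41000 TLS Error: TLS handshake failed'

if [ -n "${1:-}" ]; then
    summarise_log < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | summarise_log
fi
```

The session list comes from the MULTI_sva line because that is the first point where the CN, the remote endpoint and the assigned 10.8.0.x address appear together; a client that shows VERIFY OK but never reaches that line usually has a routing or firewall problem rather than a certificate one, while a rising failure count with revoked or unknown CNs is what to watch for after rotating or revoking client certificates.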