Channel: Active questions tagged openvpn - Unix & Linux Stack Exchange

Accessing Virtualbox host-only guests via VPN (tun0)


My question seems to be the exact same as this one, but the solution didn’t work for me.

Set-up:

I have one Ubuntu machine acting as a Virtualbox host and OpenVPN server, and several Virtualbox guests inside the host-only network vboxnet1 172.16.0.0/24.

I can connect to the Ubuntu machine from my macOS host, which gets the address 10.8.0.2 over the VPN; I can also ping the server’s host-only address 172.16.0.1.

Problem

I’d like to access a VM located inside the host-only network at 172.16.0.3, but all my pings have timed out.

What I tried

  • Pushing the subnet to all clients in OpenVPN config with push "route 172.16.0.0 255.255.255.0"

  • Enabling IP forwarding according to the solution in the link.

cat /proc/sys/net/ipv4/ip_forward returns 1. Still doesn’t work.

  • Running tcpdump on both ends shows that my ICMP requests from 10.8.0.2 are indeed reaching 172.16.0.3 and that 172.16.0.3 has been sending ICMP replies back. But tcpdump on vboxnet1 on the Ubuntu host doesn't show any of the reply packets. Probably dropped somewhere in the host-only network?

Question

What do I need to do to allow connected VPN clients to access virtual machines in the host-only network?

Many thanks in advance. I’ve been banging my head on the wall for the past few days for this.


OpenVPN only allows connection from outside of my network


I have set up an OpenVPN server with a script from GitHub (https://github.com/Nyr/openvpn-install) on a Raspberry Pi in my home network.

I have additionally commented out the following line in the server.conf

push "redirect-gateway def1 bypass-dhcp"

to only send DNS through the VPN.

The only thing I have configured on the router I got from my ISP is a port forward to the Raspberry Pi.

Up until last week everything worked fine and I could connect to the VPN from anywhere. But since last week I can't connect to the VPN server when I'm connected to my home network. It is stuck on "Waiting for server response". As soon as I connect to a different network (e.g. the hotspot of my mobile phone) everything works fine.

I have no clue where to even start looking and am grateful for any hints.

Creating elliptic curve keys and certs (ECC and ECDH) for openvpn server


I have a raspi at home with openvpn so I can safely browse the internet when I use my laptop or phone in a public place (coffee shop, bar, hotel...) that has open wifi.

I want to make my openvpn server use elliptic curve cryptography. I'm using openvpn 2.4 and openssl 1.0.1t. I tried rolling EC keys and certs with openssl and I keep failing.

So here are the files I need and the commands I'm trying to use in openssl:

Ecdh.pem

ecparam -out /openvpn/easy-rsa/ecKeys/ecca.pem -name prime256v1 -genkey
ecparam -out /home/black/ecdh256.pem -name prime256v1

ca.crt

ecparam -out /etc/openvpn/easy-rsa/ecKeys/ecca.key -name prime256v1 -genkey
req -days 3650 -nodes -new -x509 -key /openvpn/easy-rsa/ecKeys/ecca.key -out /openvpn/easy-rsa/ecKeys/ecca.crt

client.key

ecparam -out /openvpn/easy-rsa/ecKeys/client.key -name prime256v1 -genkey

client.crt

req -days 3650 -nodes -new -key /openvpn/easy-rsa/ecKeys/client.key -out /openvpn/easy-rsa/ecKeys/server.csr

Server.key

ecparam -out /openvpn/easy-rsa/ecKeys/server.key -name prime256v1 -genkey

Server.crt

req -days 3650 -nodes -new -key /openvpn/easy-rsa/ecKeys/server.key -out /openvpn/easy-rsa/ecKeys/server.csr

ta.key

<have no idea>

Am I using the correct commands to create the certs and keys I need to run my openvpn server?

I can't seem to figure out how to create an EC ta key.

Can I use RSA for the control channel and EC for the data channel, or vice versa, in openvpn?

Finals are coming up so I might not respond quickly. I'm doing this for fun but I am sure other people will appreciate this as well. Thank you.

I found these two sites useful when creating my server, if anyone reading this is interested:

Easy Windows Guide - openvpn -

Set up a Hardened OpenVPN Server on Debian
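Added example, not the poster's commands: building a complete prime256v1 PKI for an OpenVPN 2.4 server with plain openssl and then checking it; the directory, file names, subject names and extension profiles are this example's own. It also covers the tls-auth key: ta.key is a shared HMAC secret written by openvpn --genkey, not a key pair, so it has no EC or RSA variant (the certificate key type only affects the TLS control channel; data-channel traffic uses the negotiated symmetric cipher either way).

```sh
#!/bin/sh
# Added example (not from the post): a minimal prime256v1 (P-256) PKI for an
# OpenVPN 2.4 server built with plain openssl, plus the tls-auth key.
# Directory layout, file names and subject names are this example's own.
set -eu

CURVE=prime256v1

# make_ec_pki DIR: writes ca.crt, server.key/crt, client.key/crt and ecdh.pem
make_ec_pki() {
  mkdir -p "$1"
  (
    cd "$1"
    # Extension profiles (constructed here). The CA needs CA:TRUE or verify
    # rejects it as an issuer; serverAuth/clientAuth let a client's
    # `remote-cert-tls server` tell the server certificate from a client's.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\n' > server.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext

    # CA key and self-signed certificate. `-genkey -noout` writes only the
    # key; without -noout the curve parameters are prepended to the file.
    openssl ecparam -name "$CURVE" -genkey -noout -out ca.key
    openssl req -new -key ca.key -subj '/CN=OpenVPN EC CA' -out ca.csr
    openssl x509 -req -sha256 -days 3650 -in ca.csr -signkey ca.key \
      -extfile ca.ext -out ca.crt

    # Server and client: key, CSR, then the CA signs the CSR. A bare
    # `req -new` produces only a CSR; it is not a certificate yet.
    for name in server client; do
      openssl ecparam -name "$CURVE" -genkey -noout -out "$name.key"
      openssl req -new -key "$name.key" -subj "/CN=$name" -out "$name.csr"
      openssl x509 -req -sha256 -days 3650 -in "$name.csr" \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile "$name.ext" -out "$name.crt"
    done

    # Named-curve parameters as in the poster's Ecdh.pem step; the file holds
    # no secret (no -genkey). OpenVPN 2.4 actually picks the ECDH curve with
    # `ecdh-curve <name>` (or from the server cert) together with `dh none`.
    openssl ecparam -name "$CURVE" -out ecdh.pem
    rm -f ca.csr server.csr client.csr ca.ext server.ext client.ext
  )
}

# verify_ec_pki DIR: leaf certificates must chain to the CA, every key must be
# on CURVE, and each leaf key must match its certificate. Non-zero on failure.
verify_ec_pki() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt" >/dev/null || return 1
  for name in ca server client; do
    openssl ec -in "$1/$name.key" -noout -text 2>/dev/null | grep -q "$CURVE" || return 1
  done
  for name in server client; do
    [ "$(openssl pkey -in "$1/$name.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$1/$name.crt" -noout -pubkey)" ] || return 1
  done
}

# make_tls_auth_key DIR: ta.key is a shared HMAC key for `tls-auth`, not a
# key pair, so there is no EC or RSA flavour of it; openvpn generates it.
# 2.5 and later spell the command `openvpn --genkey secret ta.key`.
make_tls_auth_key() {
  if command -v openvpn >/dev/null 2>&1; then
    openvpn --genkey secret "$1/ta.key" 2>/dev/null || openvpn --genkey --secret "$1/ta.key"
  else
    echo "openvpn not installed here; run: openvpn --genkey --secret $1/ta.key" >&2
  fi
}

out=$(mktemp -d)
make_ec_pki "$out"
make_tls_auth_key "$out"
verify_ec_pki "$out"
echo "EC PKI written to $out"
```

On the server this gives `ca ca.crt`, `cert server.crt`, `key server.key`, `dh none`, `ecdh-curve prime256v1` and `tls-auth ta.key 0`; clients get the matching client files and `tls-auth ta.key 1`.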

openvpn 2.4.7 DNS not working on Ubuntu 19.04


Package versions:

openvpn-systemd-resolved: 1.3.0-3

openvpn: 2.4.7-1ubuntu2

root@xps-13:~# openvpn --version
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2019
library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

config file

client
dev tun
proto udp
remote vpn.xxx.com 1194
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
;pull dhcp-options

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

starting

root@xps-13:~# openvpn xxxVPN.ovpn 
Wed Jan  1 12:35:11 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep  5 2019
Wed Jan  1 12:35:11 2020 library versions: OpenSSL 1.1.1c  28 May 2019, LZO 2.10
Wed Jan  1 12:35:11 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jan  1 12:35:11 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jan  1 12:35:11 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]18.228.104.124:1194
Wed Jan  1 12:35:11 2020 UDP link local: (not bound)
Wed Jan  1 12:35:11 2020 UDP link remote: [AF_INET]x.x.x.x:1194
Wed Jan  1 12:35:13 2020 [server] Peer Connection Initiated with [AF_INET]18.228.104.124:1194
Wed Jan  1 12:35:14 2020 TUN/TAP device tun0 opened
Wed Jan  1 12:35:14 2020 /sbin/ip link set dev tun0 up mtu 1500
Wed Jan  1 12:35:14 2020 /sbin/ip addr add dev tun0 local 10.99.0.42 peer 10.99.0.41
Wed Jan  1 12:35:14 2020 /etc/openvpn/update-resolv-conf tun0 1500 1553 10.99.0.42 10.99.0.41 init
dhcp-option DNS 10.104.1.130
Wed Jan  1 12:35:19 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jan  1 12:35:19 2020 Initialization Sequence Completed

resolv.conf after connecting

root@xps-13:~$ cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 10.104.1.130
nameserver 127.0.0.53
search home tendawifi.com

Then somehow DNS is resolved:

root@xps-13:~# nslookup kibana-teahupoo.aws.xxx.com
Server:     10.104.1.130
Address:    10.104.1.130#53

Non-authoritative answer:
kibana-teahupoo.aws.xxx.com canonical name = kibana-prod.aws.xxx.com.
Name:   kibana-prod.aws.xxx.com
Address: 10.103.4.184

but not for ping

root@xps-13:~# ping kibana-teahupoo.aws.xxx.com
ping: kibana-teahupoo.aws.xxx.com: Name or service not known

or the browser:

This site can’t be reached kibana-teahupoo.aws.xxx.com’s server IP address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN

Any clue?

Route to LAN subnet via OpenVPN client


I am trying to route to a LAN subnet that is connected via an OpenVPN client.

I am having trouble with the route command - I cannot make sense of it. The OpenVPN link is established and I can ping the client.

When I try to add a route to the LAN subnet on the VPN server, I get this error:

# route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.9.0.6 dev tun0
SIOCADDRT: No such process

The routing table for the OpenVPN server has 10.9.0.0/24 in it, so I'm not sure what the problem is.

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         ve108.csr2.lga1 0.0.0.0         UG    0      0        0 eth0
10.9.0.0        10.9.0.2        255.255.255.0   UG    0      0        0 tun0
10.9.0.2        *               255.255.255.255 UH    0      0        0 tun0
204.145.81.0    *               255.255.255.0   U     0      0        0 eth0

More information:

# ip ad sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0e:cf:20:c1:24 brd ff:ff:ff:ff:ff:ff
    inet 204.145.81.11/24 brd 204.145.81.255 scope global eth0
    inet6 fe80::20e:cfff:fe20:c124/64 scope link 
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none 
    inet 10.9.0.1 peer 10.9.0.2/32 scope global tun0

Considering that I can ping the VPN client I am trying to route to, I don't understand why I am having this problem. As far as I know I should just be able to add the route.

# ping -c 1 10.9.0.6
PING 10.9.0.6 (10.9.0.6) 56(84) bytes of data.
64 bytes from 10.9.0.6: icmp_req=1 ttl=64 time=24.0 ms

--- 10.9.0.6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 24.008/24.008/24.008/0.000 ms

Here are the details from the OpenVPN client, which is connected to the VPN server. The network I am trying to route to is on this client.

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         greece-gw.secus 0.0.0.0         UG    2      0        0 eth0
10.9.0.1        10.9.0.5        255.255.255.255 UGH   0      0        0 tun0
10.9.0.5        *               255.255.255.255 UH    0      0        0 tun0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
198.50.241.0    *               255.255.255.0   U     0      0        0 eth0

It can reach the VPN server fine:

# ping -c 1 10.9.0.1
PING 10.9.0.1 (10.9.0.1) 56(84) bytes of data.
64 bytes from 10.9.0.1: icmp_seq=1 ttl=64 time=24.0 ms

--- 10.9.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 24.017/24.017/24.017/0.000 ms

It has IP forwarding enabled:

# sysctl -a | grep forwarding
net.ipv4.conf.all.forwarding = 1

I've set iptables to allow forwarding:

# iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun0   eth1    0.0.0.0/0            0.0.0.0/0

Here is the config for the interfaces on the client:

# ip ad sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:5f:f2:1e brd ff:ff:ff:ff:ff:ff
    inet 198.50.241.113/24 brd 198.50.241.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe5f:f21e/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:c6:b8:fd brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fec6:b8fd/64 scope link 
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN 
    link/sit 0.0.0.0 brd 0.0.0.0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
    link/none 
    inet 10.9.0.6 peer 10.9.0.5/32 scope global tun0
       valid_lft forever preferred_lft forever
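Added example, not from the question: a small shell/awk reproduction of the check the kernel applies before it answers `SIOCADDRT: No such process`, run over the server's routing table from the question (rewritten in `route -n` form, with a placeholder for the default gateway that the question shows only as a name). It shows that 10.9.0.6 is reachable only through 10.9.0.2 and so cannot itself be a next hop.

```sh
#!/bin/sh
# Added example (not from the question): why
#   route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.9.0.6 dev tun0
# fails with "SIOCADDRT: No such process". The kernel accepts a gateway only
# when it is covered by a directly connected route, i.e. an entry whose own
# Gateway is 0.0.0.0 (shown as "*" by `route` without -n).

# Constructed from the server table in the question, in `route -n` form. The
# default gateway address is a placeholder; the question shows it as a name.
SERVER_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0
10.9.0.0        10.9.0.2        255.255.255.0   UG    0      0        0 tun0
10.9.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
204.145.81.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# onlink_iface TABLE GATEWAY: print the interface of the directly connected
# route covering GATEWAY; print nothing and return 1 when there is none.
onlink_iface() {
  printf '%s\n' "$1" | awk -v gw="$2" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    NR > 2 && $2 == "0.0.0.0" {
      # For a contiguous mask, 2^32 - mask is the size of the network block;
      # gw is inside the network when both addresses fall in the same block.
      size = 4294967296 - ip2n($3)
      if (int(ip2n(gw) / size) == int(ip2n($1) / size)) { print $8; found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# route_add_check TABLE GATEWAY: the verdict `route add ... gw GATEWAY` gets
route_add_check() {
  if dev=$(onlink_iface "$1" "$2"); then
    echo "ok: $2 is directly reachable on $dev"
  else
    echo "SIOCADDRT: No such process ($2 is reachable only through another gateway)"
    return 1
  fi
}

route_add_check "$SERVER_TABLE" 10.9.0.6 || true   # the failing command from the question
route_add_check "$SERVER_TABLE" 10.9.0.2           # the only on-link next hop on tun0
```

In this net30 table the only directly reachable tun0 address is the peer 10.9.0.2, so the kernel route to 192.168.0.0/24 must point there; OpenVPN installs exactly that when server.conf carries `route 192.168.0.0 255.255.255.0`, and it also needs `iroute 192.168.0.0 255.255.255.0` in that client's `client-config-dir` file to know which connected client owns the subnet.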

Configuring OpenVPN on Asus router


I would like to configure a VPN server on my home AsusWrt router. I have created an OpenVPN server on my router and installed and configured the OpenVPN client on my remote PC.

The home network behind the AsusWrt uses the 192.168.1.xxx 255.255.255.0 network, which contains a Linux PC at 192.168.1.222. Currently I can't reach 192.168.1.222 from the remote PC. What should I do in order to connect from the remote PC to the Linux PC 192.168.1.222 in the home network via SSH?

Log file from OpenVPN client:

Sun Jan 05 18:28:54 2020 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Sun Jan 05 18:28:54 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Jan 05 18:28:54 2020 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Sun Jan 05 18:28:57 2020 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Sun Jan 05 18:28:58 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]78.61.152.172:1194
Sun Jan 05 18:28:58 2020 UDP link local: (not bound)
Sun Jan 05 18:28:58 2020 UDP link remote: [AF_INET]78.61.152.172:1194
Sun Jan 05 18:28:58 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 05 18:28:58 2020 [RT-AC87U] Peer Connection Initiated with [AF_INET]78.61.152.172:1194
Sun Jan 05 18:28:59 2020 open_tun
Sun Jan 05 18:28:59 2020 TAP-WIN32 device [Local Area Connection] opened: \\.\Global\{63456A0B-A368-49F1-A830-23CC88608ACE}.tap
Sun Jan 05 18:28:59 2020 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.10/255.255.255.252 on interface {63456A0B-A368-49F1-A830-23CC88608ACE} [DHCP-serv: 10.8.0.9, lease-time: 31536000]
Sun Jan 05 18:28:59 2020 Successful ARP Flush on interface [17] {63456A0B-A368-49F1-A830-23CC88608ACE}
Sun Jan 05 18:29:34 2020 Warning: route gateway is not reachable on any active network adapters: 10.8.0.9
Sun Jan 05 18:29:34 2020 Warning: route gateway is not reachable on any active network adapters: 10.8.0.9
Sun Jan 05 18:29:34 2020 SYSTEM ROUTING TABLE
Sun Jan 05 18:29:34 2020 0.0.0.0 0.0.0.0 192.168.43.1 p=0 i=13 t=4 pr=3 a=2263 h=0 m=55/0/0/0/0
Sun Jan 05 18:29:34 2020 127.0.0.0 255.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=783184 h=0 m=331/0/0/0/0
Sun Jan 05 18:29:34 2020 127.0.0.1 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=783184 h=0 m=331/0/0/0/0
Sun Jan 05 18:29:34 2020 127.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=783184 h=0 m=331/0/0/0/0
Sun Jan 05 18:29:34 2020 169.254.0.0 255.255.0.0 169.254.255.134 p=0 i=17 t=3 pr=2 a=2246 h=0 m=281/0/0/0/0
Sun Jan 05 18:29:34 2020 169.254.255.134 255.255.255.255 169.254.255.134 p=0 i=17 t=3 pr=2 a=2246 h=0 m=281/0/0/0/0
Sun Jan 05 18:29:34 2020 169.254.255.255 255.255.255.255 169.254.255.134 p=0 i=17 t=3 pr=2 a=2246 h=0 m=281/0/0/0/0
Sun Jan 05 18:29:34 2020 192.168.43.0 255.255.255.0 192.168.43.60 p=0 i=13 t=3 pr=2 a=2263 h=0 m=311/0/0/0/0
Sun Jan 05 18:29:34 2020 192.168.43.60 255.255.255.255 192.168.43.60 p=0 i=13 t=3 pr=2 a=2263 h=0 m=311/0/0/0/0
Sun Jan 05 18:29:34 2020 192.168.43.255 255.255.255.255 192.168.43.60 p=0 i=13 t=3 pr=2 a=2263 h=0 m=311/0/0/0/0
Sun Jan 05 18:29:34 2020 192.168.199.0 255.255.255.0 192.168.199.1 p=0 i=22 t=3 pr=2 a=2883 h=0 m=291/0/0/0/0
Sun Jan 05 18:29:34 2020 192.168.199.1 255.255.255.255 192.168.199.1 p=0 i=22 t=3 pr=2 a=2883 h=0 m=291/0/0/0/0
Sun Jan 05 18:29:34 2020 192.168.199.255 255.255.255.255 192.168.199.1 p=0 i=22 t=3 pr=2 a=2883 h=0 m=291/0/0/0/0
Sun Jan 05 18:29:34 2020 192.168.220.0 255.255.255.0 192.168.220.1 p=0 i=12 t=3 pr=2 a=2889 h=0 m=291/0/0/0/0
Sun Jan 05 18:29:34 2020 192.168.220.1 255.255.255.255 192.168.220.1 p=0 i=12 t=3 pr=2 a=2889 h=0 m=291/0/0/0/0
Sun Jan 05 18:29:34 2020 192.168.220.255 255.255.255.255 192.168.220.1 p=0 i=12 t=3 pr=2 a=2889 h=0 m=291/0/0/0/0
Sun Jan 05 18:29:34 2020 224.0.0.0 240.0.0.0 127.0.0.1 p=0 i=1 t=3 pr=2 a=783184 h=0 m=331/0/0/0/0
Sun Jan 05 18:29:34 2020 224.0.0.0 240.0.0.0 192.168.43.60 p=0 i=13 t=3 pr=2 a=783166 h=0 m=311/0/0/0/0
Sun Jan 05 18:29:34 2020 224.0.0.0 240.0.0.0 169.254.255.134 p=0 i=17 t=3 pr=2 a=84001 h=0 m=281/0/0/0/0
Sun Jan 05 18:29:34 2020 224.0.0.0 240.0.0.0 192.168.199.1 p=0 i=22 t=3 pr=2 a=2890 h=0 m=291/0/0/0/0
Sun Jan 05 18:29:34 2020 224.0.0.0 240.0.0.0 192.168.220.1 p=0 i=12 t=3 pr=2 a=2890 h=0 m=291/0/0/0/0
Sun Jan 05 18:29:34 2020 255.255.255.255 255.255.255.255 127.0.0.1 p=0 i=1 t=3 pr=2 a=783184 h=0 m=331/0/0/0/0
Sun Jan 05 18:29:34 2020 255.255.255.255 255.255.255.255 192.168.43.60 p=0 i=13 t=3 pr=2 a=783166 h=0 m=311/0/0/0/0
Sun Jan 05 18:29:34 2020 255.255.255.255 255.255.255.255 169.254.255.134 p=0 i=17 t=3 pr=2 a=84001 h=0 m=281/0/0/0/0
Sun Jan 05 18:29:34 2020 255.255.255.255 255.255.255.255 192.168.199.1 p=0 i=22 t=3 pr=2 a=2890 h=0 m=291/0/0/0/0
Sun Jan 05 18:29:34 2020 255.255.255.255 255.255.255.255 192.168.220.1 p=0 i=12 t=3 pr=2 a=2890 h=0 m=291/0/0/0/0
Sun Jan 05 18:29:34 2020 SYSTEM ADAPTER LIST
Sun Jan 05 18:29:34 2020 Realtek PCIe FE Family Controller
Sun Jan 05 18:29:34 2020   Index = 16
Sun Jan 05 18:29:34 2020   GUID = {BAD8E8E0-A4FA-4CBD-A40A-669DCCD044ED}
Sun Jan 05 18:29:34 2020   IP = 0.0.0.0/0.0.0.0 
Sun Jan 05 18:29:34 2020   MAC = 6c:2b:59:4b:0d:f6
Sun Jan 05 18:29:34 2020   GATEWAY = 0.0.0.0/255.255.255.255 
Sun Jan 05 18:29:34 2020   DHCP SERV =  
Sun Jan 05 18:29:34 2020   DHCP LEASE OBTAINED = Sun Jan 05 18:29:34 2020
Sun Jan 05 18:29:34 2020   DHCP LEASE EXPIRES  = Sun Jan 05 18:29:34 2020
Sun Jan 05 18:29:34 2020   DNS SERV =  
Sun Jan 05 18:29:34 2020 Bluetooth Device (Personal Area Network)
Sun Jan 05 18:29:34 2020   Index = 7
Sun Jan 05 18:29:34 2020   GUID = {4768CC9E-24CC-4293-8712-5A560E0BE7EC}
Sun Jan 05 18:29:34 2020   IP = 0.0.0.0/0.0.0.0 
Sun Jan 05 18:29:34 2020   MAC = fc:77:74:cc:4b:ec
Sun Jan 05 18:29:34 2020   GATEWAY = 0.0.0.0/255.255.255.255 
Sun Jan 05 18:29:34 2020   DHCP SERV =  
Sun Jan 05 18:29:34 2020   DHCP LEASE OBTAINED = Sun Jan 05 18:29:34 2020
Sun Jan 05 18:29:34 2020   DHCP LEASE EXPIRES  = Sun Jan 05 18:29:34 2020
Sun Jan 05 18:29:34 2020   DNS SERV =  
Sun Jan 05 18:29:34 2020 VMware Virtual Ethernet Adapter for VMnet1
Sun Jan 05 18:29:34 2020   Index = 12
Sun Jan 05 18:29:34 2020   GUID = {7659E513-211C-4ADE-B386-CAF9A936C236}
Sun Jan 05 18:29:34 2020   IP = 192.168.220.1/255.255.255.0 
Sun Jan 05 18:29:34 2020   MAC = 00:50:56:c0:00:02
Sun Jan 05 18:29:34 2020   GATEWAY = 0.0.0.0/255.255.255.255 
Sun Jan 05 18:29:34 2020   DHCP SERV = 192.168.220.254/255.255.255.255 
Sun Jan 05 18:29:34 2020   DHCP LEASE OBTAINED = Sun Jan 05 18:26:25 2020
Sun Jan 05 18:29:34 2020   DHCP LEASE EXPIRES  = Sun Jan 05 18:56:25 2020
Sun Jan 05 18:29:34 2020   DNS SERV =  
Sun Jan 05 18:29:34 2020 VMware Virtual Ethernet Adapter for VMnet8
Sun Jan 05 18:29:34 2020   Index = 22
Sun Jan 05 18:29:34 2020   GUID = {FBA75E1D-0C87-430C-8B6B-5B907B85286C}
Sun Jan 05 18:29:34 2020   IP = 192.168.199.1/255.255.255.0 
Sun Jan 05 18:29:34 2020   MAC = 00:50:56:c0:00:09
Sun Jan 05 18:29:34 2020   GATEWAY = 0.0.0.0/255.255.255.255 
Sun Jan 05 18:29:34 2020   DHCP SERV = 192.168.199.254/255.255.255.255 
Sun Jan 05 18:29:34 2020   DHCP LEASE OBTAINED = Sun Jan 05 18:26:29 2020
Sun Jan 05 18:29:34 2020   DHCP LEASE EXPIRES  = Sun Jan 05 18:56:29 2020
Sun Jan 05 18:29:34 2020   PRI WINS = 192.168.199.2/255.255.255.255 
Sun Jan 05 18:29:34 2020   SEC WINS =  
Sun Jan 05 18:29:34 2020   DNS SERV =  
Sun Jan 05 18:29:34 2020 TAP-Windows Adapter V9
Sun Jan 05 18:29:34 2020   Index = 17
Sun Jan 05 18:29:34 2020   GUID = {63456A0B-A368-49F1-A830-23CC88608ACE}
Sun Jan 05 18:29:34 2020   IP = 169.254.255.134/255.255.0.0 
Sun Jan 05 18:29:34 2020   MAC = 00:ff:63:45:6a:0c
Sun Jan 05 18:29:34 2020   GATEWAY = 0.0.0.0/255.255.255.255 
Sun Jan 05 18:29:34 2020   DHCP SERV = 0.0.0.0/255.255.255.255 
Sun Jan 05 18:29:34 2020   DHCP LEASE OBTAINED = Sun Jan 05 18:29:34 2020
Sun Jan 05 18:29:34 2020   DHCP LEASE EXPIRES  = Sun Jan 05 18:29:34 2020
Sun Jan 05 18:29:34 2020   DNS SERV =  
Sun Jan 05 18:29:34 2020 Intel(R) Dual Band Wireless-AC 3165
Sun Jan 05 18:29:34 2020   Index = 13
Sun Jan 05 18:29:34 2020   GUID = {8909B16D-66D7-4CF6-A656-2F7B9C9C1BC4}
Sun Jan 05 18:29:34 2020   IP = 192.168.43.60/255.255.255.0 
Sun Jan 05 18:29:34 2020   MAC = fc:77:74:cc:4b:e8
Sun Jan 05 18:29:34 2020   GATEWAY = 192.168.43.1/255.255.255.255 
Sun Jan 05 18:29:34 2020   DHCP SERV = 192.168.43.1/255.255.255.255 
Sun Jan 05 18:29:34 2020   DHCP LEASE OBTAINED = Sun Jan 05 18:21:51 2020
Sun Jan 05 18:29:34 2020   DHCP LEASE EXPIRES  = Sun Jan 05 19:21:51 2020
Sun Jan 05 18:29:34 2020   DNS SERV = 8.8.8.8/255.255.255.255 
Sun Jan 05 18:29:34 2020 Microsoft Wi-Fi Direct Virtual Adapter
Sun Jan 05 18:29:34 2020   Index = 8
Sun Jan 05 18:29:34 2020   GUID = {5BDA4D46-8564-40A1-BE64-6EB33C7C61C2}
Sun Jan 05 18:29:34 2020   IP = 0.0.0.0/0.0.0.0 
Sun Jan 05 18:29:34 2020   MAC = fc:77:74:cc:4b:e9
Sun Jan 05 18:29:34 2020   GATEWAY = 0.0.0.0/255.255.255.255 
Sun Jan 05 18:29:34 2020   DHCP SERV =  
Sun Jan 05 18:29:34 2020   DHCP LEASE OBTAINED = Sun Jan 05 18:29:34 2020
Sun Jan 05 18:29:34 2020   DHCP LEASE EXPIRES  = Sun Jan 05 18:29:34 2020
Sun Jan 05 18:29:34 2020   DNS SERV =  
Sun Jan 05 18:29:34 2020 Microsoft Wi-Fi Direct Virtual Adapter #2
Sun Jan 05 18:29:34 2020   Index = 11
Sun Jan 05 18:29:34 2020   GUID = {74D0884C-0FDA-4DF9-A8AF-476B3FC51984}
Sun Jan 05 18:29:34 2020   IP = 0.0.0.0/0.0.0.0 
Sun Jan 05 18:29:34 2020   MAC = fe:77:74:cc:4b:e8
Sun Jan 05 18:29:34 2020   GATEWAY = 0.0.0.0/255.255.255.255 
Sun Jan 05 18:29:34 2020   DHCP SERV =  
Sun Jan 05 18:29:34 2020   DHCP LEASE OBTAINED = Sun Jan 05 18:29:34 2020
Sun Jan 05 18:29:34 2020   DHCP LEASE EXPIRES  = Sun Jan 05 18:29:34 2020
Sun Jan 05 18:29:34 2020   DNS SERV =  
Sun Jan 05 18:29:34 2020 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )

OpenVPN client and server cannot ping each other (connection established)


I have set up an OpenVPN client and server between two VPSs: the server uses 10.8.0.1 and 10.8.0.2 on its tun interface, and the client uses 10.8.0.6 and 10.8.0.5 on its tun interface (vps1 is the client and vps2 is the server). The client can ping the server tun IP 10.8.0.1 but no other IPs. From the server I'm not able to ping any of the tun IPs or client tun IPs.

server conf:

port 1194
proto udp
dev tun0

ca ca.crt
cert server.crt
key server.key
tls-server
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo
user nobody
group nobody
persist-key
persist-tun

verb 3

client conf:

client
dev tun
proto udp
remote 198.168.XXX 1194
nobind
tun-mtu 1500
persist-key
persist-tun
keepalive 14 120
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3

As per the logs, the connection is set up successfully:

Jun  9 13:25:28 vps2 openvpn[6484]: MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Jun  9 13:25:28 vps2 openvpn[6484]: MULTI: Learn: 10.8.0.6 -> vps1.xxx/xxxxx:33012
Jun  9 13:25:28 vps2 openvpn[6484]: MULTI: primary virtual IP for vps1.xxx/xxxxx:33012: 10.8.0.6
Jun  9 13:25:30 vps2 openvpn[6484]: vps1.xxx/xxxxx:33012 PUSH: Received control message: 'PUSH_REQUEST'
Jun  9 13:25:30 vps2 openvpn[6484]: vps1.xxx/xxxxx:33012 send_push_reply(): safe_cap=940
Jun  9 13:25:30 vps2 openvpn[6484]: vps1.xxx/xxxxx:33012 SENT CONTROL [vps1.xxx]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)

And tunnels are established at both ends:

Server

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:420 (420.0 b)  TX bytes:1968 (1.9 KiB)

Client

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

The client is also able to ping and SSH to the server via the gateway IP:

root@vps1:~# ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=72.6 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=72.6 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=72.7 ms
^C
--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 72.666/72.691/72.726/0.221 ms

root@vps1:~# ssh 10.8.0.1
root@10.8.0.1's password:

But I am not able to ping the OpenVPN IPs from the server and client.

root@vps1:~# ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2) 56(84) bytes of data.
^C
--- 10.8.0.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms

root@vps1:~# ping 10.8.0.5
PING 10.8.0.5 (10.8.0.5) 56(84) bytes of data.

OpenVPN and routing problem on OpenWRT


My home topology:

router1 (192.168.1.1) - D-Link DSL-2540U with a static IP reachable from the Internet (ADSL via PPPoE). 4 LAN ports.


router2 (192.168.1.2) - D-Link DIR-300 with OpenWRT. Plays the role of a WiFi access point. 4 LAN ports + WAN port.


                             Home PC (connects to router1 via DHCP)
                            |                           
internet ------ router1-----
                            |
                             router2 (OpenVPN server on OpenWRT)

On router1 I set up NAT Virtual Servers and can connect to my router via SSH or OpenVPN (TCP on port 443).

DSL-2540u NAT Virtual Servers

OpenVPN server works fine and all traffic goes via tun interface after connection.

OpenVPN server config (if it matters):

--script-security 2
mode        server
dev               tun
port              443
proto             tcp

server            10.0.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1" # Change this to your router's LAN IP Address
push "route 192.168.1.0 255.255.255.0" # Change this to your network

client-config-dir ccd
client-to-client
tls-server
dh                /etc/openvpn/dh2048.pem
ca                /etc/openvpn/CA_cert.pem
cert              /etc/openvpn/certs/server.pem
key               /etc/openvpn/keys/server.pem
crl-verify        /etc/openvpn/crl/crl.pem
tls-auth          /etc/openvpn/ta.key 0
#comp-lzo
keepalive         10 120
tun-mtu           1500
mssfix            1450
persist-key
persist-tun
verb              3
log /var/log/openvpn.log

My goal is an OpenVPN tunnel to the Internet through my home router1. Right now I can connect to the OpenVPN server, but traffic that goes via the tunnel does not reach the Internet.

Firewall rules on router2 (OpenWRT):

iptables -t nat -A prerouting_wan -p tcp --dport 443 -j ACCEPT
iptables -A input_wan -p tcp --dport 443 -j ACCEPT

iptables -t nat -A prerouting_lan -p tcp --dport 443 -j ACCEPT
iptables -A input_lan -p tcp --dport 443 -j ACCEPT


iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT

It's definitely a routing problem, but I don't have enough knowledge to solve it.


Setup OpenVPN connection to Netgear R8500 Router on Pop!_OS (Ubuntu) 19.10


As the description says, I want to set up an OpenVPN connection which is available through my Netgear R8500 router for use on my laptop which is running Pop!_OS. I don't think the fact that it's Pop!_OS specifically has any impact on the matter as it's based on Ubuntu 19.10.

I updated the firmware on my Netgear router and regenerated the OpenVPN certificate. I downloaded the configuration package for smart phones and set it up on my Android device as a test that the router is accessible through the internet and that I can connect. I'm able to access a computer running on my home network.

I then downloaded and extracted all 3 of the configuration packages (for Windows, for non-Windows, for Smartphone) to my laptop.

I have the openvpn, network-manager-openvpn, and network-manager-openvpn-gnome packages installed.

From the terminal openvpn --config [win|non-win|smart].ovpn runs without warnings or errors... but it never seems to do anything. There's no output at all and it doesn't seem to ever time out. I can still access the internet fine, but I'm not able to connect to a computer on my home network. I looked in /var/log/openvpn but there are no files in there. I also tried running the command with sudo.

I've also tried configuring the VPN through the network manager GUI by importing from file. I've tried all 3 of the configuration packages and they all have the same result. They go into a connecting state for a minute and then it errors out just with the message "Activation of network connection failed."

Iptables (port forwarding from vps openvpn server to vpn client)


I installed an OpenVPN server on a CentOS VPS. I can connect from my pfSense router. I forwarded an RDP port to my local PC, but I cannot forward the RTP port.

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.8.0.19

iptables -t nat -A PREROUTING -p udp --dport 10000:20000 -j DNAT --to 10.8.0.19
iptables -t filter -A FORWARD -p udp -d 10.8.0.19 --dport 10000:20000 -j ACCEPT 

Use openvpn-clients tun1 only for one service


Good morning. I have Raspbian with all updates installed.

Three different network devices are running on my Pi: eth0, tun0 and tun1. I want everything to go through eth0 except for one service (megatools), which should go through tun1. tun0 should just be open for networking (connecting to the home network when on mobile).

So this should be possible. How can I route that? I know of ufw and iptables, but they use IPs and masks. This is not my field. Can anybody help me?

Port forward to vpn client and from the client forward further to local IP


I have a Raspberry Pi running Raspbian which is connected to an OpenVPN server. The OpenVPN server has a public IP and runs Ubuntu. I am able to reach a web application running on the Raspberry Pi via the public IP address of the VPN server if I enable port forwarding on the VPN server this way (XXX.XXX.XXX.XXX is the public IP):

iptables -t nat -A PREROUTING -d XXX.XXX.XXX.XXX -p tcp --dport 8765 -j DNAT --to-dest 10.8.0.6:8765

But I would also like to reach an IP camera on the same LAN as the Raspberry Pi. Unfortunately I can't run an OpenVPN client on the IP camera, so it has only the local IP 192.168.1.110 and listens on port 80. Is it possible to forward a port on the public IP to the Raspberry Pi OpenVPN client and then forward it further to the IP camera on the local LAN?

Run openvpn as non-root user

I'm trying to run openvpn server within podman unprivileged container.

OpenVPN needs to be able to manage network interfaces (i.e. create a tun interface, assign an IP address to it, bring it up). On my system (Arch Linux) I noticed CapabilityBoundingSet within openvpn-server.service, and this made me experiment and create my own service which, instead of running openvpn, runs podman run.

First I created my openvpn container, below is Dockerfile (I used archlinux as base for convenience):

FROM archlinux
RUN pacman -Sy --noconfirm openvpn

I then built this container (being logged in as my_unprivileged_user):

podman build \
--force-rm \
--no-cache \
--rm \
--device=/dev/net/tun \
-t openvpn .

Then I created my_custom_openvpn.service:

[Unit]
Description=OpenVPN in Podman container
After=syslog.target network-online.target
Wants=network-online.target

[Service]
User=my_unprivileged_user
Group=my_unprivileged_group
WorkingDirectory=/etc/openvpn
ExecStart=/usr/bin/podman run --rm -v ./server:/server --device /dev/net/tun --network "host" --cap-add CAP_IPC_LOCK,CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETGID,CAP_SETUID,CAP_SYS_CHROOT,CAP_DAC_OVERRIDE,CAP_AUDIT_WRITE localhost/openvpn:latest /usr/bin/openvpn --config /server/my_config.conf
ExecStop=/usr/bin/podman stop -t 1 localhost/openvpn:latest
Capabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
#ProtectSystem=true
#ProtectHome=true
RestartSec=5s
Restart=on-failure
TimeoutSec=5s

[Install]
WantedBy=multi-user.target

So I thought systemd will pass capabilities to podman, which in turn will pass them further down to openvpn.

But openvpn fails to start, complaining it cannot create the tun0 interface. Even if I create tun0 myself with openvpn --mktun --dev tun0, I get another error that openvpn cannot bring this tun0 interface up.

I thought maybe I need to do setcap within the container, so I ran podman exec into it and executed the following:

setcap CAP_IPC_LOCK,CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETGID,CAP_SETUID,CAP_SYS_CHROOT,CAP_DAC_OVERRIDE,CAP_AUDIT_WRITE=+ep /usr/bin/openvpn

But this did not help. I keep getting this error:

Tue Jan 28 13:34:31 2020 /usr/bin/ip link set dev tun0 up mtu 1500
RTNETLINK answers: Operation not permitted

Maybe trying to use capabilities like this does not make sense?

OpenVPN with IPVanish on Linux Mint: Connects but no internet access

I'm trying to connect to an IPVanish server on Linux Mint. IPVanish does not provide software for Linux so it has to be done manually.

I downloaded an ovpn file from IPVanish here. I then went to Mint's Network Settings, hit the + button to add a network, and selected VPN. It prompted me to browse to my VPN config file and when I tried to import it I got this error:

(screenshot of the import error not preserved)

The next thing I tried was following this tutorial. Using OpenVPN, I was able to connect to the service using this command as root

openvpn --config newyork.ovpn

in the directory I downloaded the .ovpn and cert files to. It prompted me for my login information and then printed this

Mon Nov 23 13:10:42 2015 DEPRECATED OPTION: --tls-remote, please update your configuration
Mon Nov 23 13:10:42 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Enter Auth Username:nickgilbert1994
Enter Auth Password:
Mon Nov 23 13:11:24 2015 Deprecated TLS cipher name 'DHE-RSA-AES256-SHA', please use IANA name 'TLS-DHE-RSA-WITH-AES-256-CBC-SHA'
Mon Nov 23 13:11:24 2015 Deprecated TLS cipher name 'DHE-DSS-AES256-SHA', please use IANA name 'TLS-DHE-DSS-WITH-AES-256-CBC-SHA'
Mon Nov 23 13:11:24 2015 Deprecated TLS cipher name 'AES256-SHA', please use IANA name 'TLS-RSA-WITH-AES-256-CBC-SHA'
Mon Nov 23 13:11:24 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Mon Nov 23 13:11:24 2015 UDPv4 link local: [undef]
Mon Nov 23 13:11:24 2015 UDPv4 link remote: [AF_INET]216.151.180.2:443
Mon Nov 23 13:11:24 2015 TLS: Initial packet from [AF_INET]216.151.180.2:443, sid=aad3ff40 72d53cab
Mon Nov 23 13:11:24 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Nov 23 13:11:25 2015 VERIFY OK: depth=1, /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=IPVanish_CA/emailAddress=support@ipvanish.com
Mon Nov 23 13:11:25 2015 VERIFY X509NAME OK: /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=nyc-a01.ipvanish.com/emailAddress=support@ipvanish.com
Mon Nov 23 13:11:25 2015 VERIFY OK: depth=0, /C=US/ST=FL/L=Winter_Park/O=IPVanish/OU=IPVanish_VPN/CN=nyc-a01.ipvanish.com/emailAddress=support@ipvanish.com
Mon Nov 23 13:11:25 2015 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 23 13:11:25 2015 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 23 13:11:25 2015 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Nov 23 13:11:25 2015 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Nov 23 13:11:25 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Nov 23 13:11:25 2015 [nyc-a01.ipvanish.com] Peer Connection Initiated with [AF_INET]216.151.180.2:443
Mon Nov 23 13:11:27 2015 SENT CONTROL [nyc-a01.ipvanish.com]: 'PUSH_REQUEST' (status=1)
Mon Nov 23 13:11:27 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,dhcp-option DNS 198.18.0.2,rcvbuf 262144,explicit-exit-notify 5,route-gateway 172.20.32.1,topology subnet,ping 20,ping-restart 40,ifconfig 172.20.32.71 255.255.252.0'
Mon Nov 23 13:11:27 2015 OPTIONS IMPORT: timers and/or timeouts modified
Mon Nov 23 13:11:27 2015 OPTIONS IMPORT: explicit notify parm(s) modified
Mon Nov 23 13:11:27 2015 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mon Nov 23 13:11:27 2015 Socket Buffers: R=[131072->425984] S=[131072->131072]
Mon Nov 23 13:11:27 2015 OPTIONS IMPORT: --ifconfig/up options modified
Mon Nov 23 13:11:27 2015 OPTIONS IMPORT: route options modified
Mon Nov 23 13:11:27 2015 OPTIONS IMPORT: route-related options modified
Mon Nov 23 13:11:27 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Nov 23 13:11:27 2015 ROUTE_GATEWAY 10.0.47.254/255.255.240.0 IFACE=wlan0 HWADDR=48:5a:b6:aa:19:17
Mon Nov 23 13:11:27 2015 TUN/TAP device tun0 opened
Mon Nov 23 13:11:27 2015 TUN/TAP TX queue length set to 100
Mon Nov 23 13:11:27 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Nov 23 13:11:27 2015 /sbin/ip link set dev tun0 up mtu 1500
Mon Nov 23 13:11:27 2015 /sbin/ip addr add dev tun0 172.20.32.71/22 broadcast 172.20.35.255
Mon Nov 23 13:11:27 2015 /sbin/ip route add 216.151.180.2/32 via 10.0.47.254
Mon Nov 23 13:11:27 2015 /sbin/ip route add 0.0.0.0/1 via 172.20.32.1
Mon Nov 23 13:11:27 2015 /sbin/ip route add 128.0.0.0/1 via 172.20.32.1
Mon Nov 23 13:11:27 2015 Initialization Sequence Completed

I assume that means it connected to the IPVanish server successfully but then when I tried to go online or ping www.google.com I realized I had no internet.

Here is the output of ifconfig when I'm connected to the IPVanish server

eth0      Link encap:Ethernet  HWaddr 20:1a:06:cd:26:ef  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:18 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:25337 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25337 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:14440746 (14.4 MB)  TX bytes:14440746 (14.4 MB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.20.32.71  P-t-P:172.20.32.71  Mask:255.255.252.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:144 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:9401 (9.4 KB)

wlan0     Link encap:Ethernet  HWaddr 48:5a:b6:aa:19:17  
          inet addr:10.0.42.167  Bcast:10.0.47.255  Mask:255.255.240.0
          inet6 addr: fe80::4a5a:b6ff:feaa:1917/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:459377 errors:0 dropped:1 overruns:0 frame:0
          TX packets:18214 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:71371126 (71.3 MB)  TX bytes:3267392 (3.2 MB)

I'm fairly new to Linux and would really appreciate any help I can get on this. Thanks so much!

UPDATE

Traceroute to Google with VPN on

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  172.20.32.1 (172.20.32.1)  23.133 ms  25.232 ms  25.521 ms
 2  64.145.79.1 (64.145.79.1)  26.103 ms  26.134 ms  26.165 ms
 3  206.130.10.41 (206.130.10.41)  26.187 ms  26.210 ms  26.232 ms
 4  209.85.244.157 (209.85.244.157)  26.357 ms 209.85.244.145 (209.85.244.145)  26.481 ms 209.85.244.153 (209.85.244.153)  26.444 ms
 5  8.8.8.8 (8.8.8.8)  26.225 ms  26.255 ms  26.281 ms

Result of route command with VPN on

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.20.32.1     128.0.0.0       UG    0      0        0 tun0
default         10.0.47.254     0.0.0.0         UG    0      0        0 wlan0
10.0.32.0       *               255.255.240.0   U     9      0        0 wlan0
128.0.0.0       172.20.32.1     128.0.0.0       UG    0      0        0 tun0
172.20.32.0     *               255.255.252.0   U     0      0        0 tun0
216.151.180.2   10.0.47.254     255.255.255.255 UGH   0      0        0 wlan0

For every OpenVPN Client an other external IP

I have an OpenVPN server (IP 123.234.345.456). This server also has two other IP addresses added to eth0 (234.345.456.567, 345.456.567.678).

Now I have a VPN with two clients (Client1: 10.8.0.2, Client2: 10.8.0.3).

My goal is that when Client1 is connected to the VPN it has the external IP 234.345.456.567 and Client2 has the external IP 345.456.567.678. How can I do this?


How do I get the network manager applet and install openvpn on Kali 2.0 Gnome 3?

I'm attempting to install VPN on my Kali Linux Gnome 3 laptop. I've followed the instructions on this page https://www.privateinternetaccess.com/forum/discussion/18003/openvpn-step-by-step-setups-for-various-debian-based-linux-oss-with-videos-ubuntu-mint-debian

There is no network manager applet in my panel and whenever I try to start it in a shell with 'sudo nm-applet' I get:

(nm-applet:2858): libnotify-WARNING **: Failed to connect to proxy

(nm-applet:2858): nm-applet-WARNING **: Failed to show notification: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.Notifications was not provided by any .service files

My network-manager service is running btw. I look at the connection editor (nm-connection-editor) and the VPN is there but I cannot connect without the applet. I've looked at various solutions but none seem to work. If anyone can help I'd really appreciate it.

OpenVPN Client and Server on same machine - Server doesn't allow connections when client is connected (more detailed)

I have exactly the same problem like the user khofm asked in https://unix.stackexchange.com/a/352968/394150

So in summary:

The openVPN client and the openVPN server instance work fine as long as I don't run them simultaneously. As soon as the openVPN client has a connection to the Paid VPN provider (in my case NordVPN), the WAN clients are unable to connect to the openVPN server.

My system is a Raspberry Pi 4 with dietpi (Debian Buster).

I'm very new to this community and this is my first question, therefore I can't add a comment on khofm's question. My understanding of networks (especially of routes) is not very good, therefore I would like to know from khofm if he could explain his working setup in more detail with some explanations.

How does the OpenVPN server.conf look, and what about the client.ovpn of the paid VPN provider?

How do you separate the OpenVPN server and OpenVPN client into tun0 and tun1 with the two different subnets?

With the provided solution I could not solve my problem, maybe because I don't understand it that well. I have already wasted several hours without any success. And I don't want to give up, especially since I know that there is a solution. Please help me!

Thanks a lot in advance!

VPS: How to forward traffic to devices from public IP

My goal is to set up a public IP for an Android smartphone which is running an "IP Cam" app. The interface can be accessed on the local network at (for example) 192.168.0.2:8080, but it has no public IP, and it should also work on the 3G network.

I know there are services which offer a VPN with static dedicated addresses; the free one I found offers only PPTP with IPv6 (didn't work).

The rest of them offer IPv4 for much higher cost than an actual VPS at Host1Plus with the lowest specs, so I went with this. At least I can practice and/or use the VPS for other projects. I followed this tutorial.

Now I am at the point where I created a new user, assigned a static VPN Address in the OpenVPN Admin Panel to the account, and logged in with my device.

Everything works so far. My android device gets the public IP of the VPS while browsing.

I can ping the device's private VPN IP in the ssh terminal of the VPS.
What is the next step?

I tried this, but it doesn't really work. I am lost at this point. I never did anything with routes or forwarding.

If I enter the public VPS IP right now, I get the openVPN Login Form as before. If I enter [PublicVPSIP]:8080 I get a "Server not reachable etc." error.

At the end it should work like this.

Android (running some service at port 8080) (VPN IP: 1.2.3.4)

connects via openVPN to my VPS

VPS (running openVPN Server) (Public IP: 123.123.123.123)

Traffic from visitor at 123.123.123.123:8080 should be redirected/forwarded to my android device. (1.2.3.4:8080)

Is this a correct way to use Open VPN to Tor?

I connected to an OpenVPN server on Ubuntu and confirmed with curl that my IP changed. Does Tor also get affected by this? I want to achieve:

Me --> OpenVPN Server --> Tor

Thanks.

How to install PQCrypto-VPN on kali?

I am trying to install PQCrypto-VPN (as a server) https://github.com/Microsoft/PQCrypto-VPN, which is a post-quantum version of OpenVPN, on a Kali virtual machine, but I have a hard time understanding the installation guide. I have basic knowledge of Unix and have never installed a VPN server. I unpacked the "pq-openvpn-linux-staged.tgz" file with the "tar zxvf" command, but I don't find a "server.ovpn" and have no idea what to do.

I want to install this VPN service on one virtual machine and use it from another virtual machine/computer. Is there a simple guide for this? A general explanation of what I should do and configure would help.
