I am following OpenVPN Static Key Mini-HOWTO to create a minimal setup for routing all network traffic from my laptop through a VPS.
I created a static key with `openvpn --genkey --secret static.key` and copied it to my laptop.
I took the configuration files exactly as provided in the tutorial, namely:

Server Config (CentOS 7, OpenVPN 2.4.8 from source)

```
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key
```
and starting the server with `openvpn server.conf` produces the following output:

```
[root@vps etc]# openvpn server.conf
Thu Apr 2 11:57:08 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Thu Apr 2 11:57:08 2020 OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 1 2020
Thu Apr 2 11:57:08 2020 library versions: OpenSSL 1.0.2k-fips 26 Jan 2017, LZO 2.06
Thu Apr 2 11:57:08 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu Apr 2 11:57:08 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu Apr 2 11:57:08 2020 TUN/TAP device tun0 opened
Thu Apr 2 11:57:08 2020 /usr/sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Thu Apr 2 11:57:08 2020 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Apr 2 11:57:08 2020 UDPv4 link local (bound): [AF_INET][undef]:1194
Thu Apr 2 11:57:08 2020 UDPv4 link remote: [AF_UNSPEC]
```
which, despite the warnings that the setup is insecure, signals success. Checking `ifconfig` gives

```
[root@vps etc]# ifconfig
eth0: ...
lo: ...
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::3de0:d771:402f:c4f3  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 144 (144.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```
and `ip route list` gives

```
default via 172.31.0.1 dev eth0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.169.254 via 172.31.0.1 dev eth0 proto static
172.31.0.0/24 dev eth0 proto kernel scope link src 172.31.0.9
```
Client Config (Arch, OpenVPN 2.4.8 from pacman)

```
remote IP-OF-MY-VPS
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key
```
The output on the laptop looks similar.
`ip route list` gives

```
default via 192.168.1.1 dev wlp2s0 proto dhcp src 192.168.1.6 metric 302
10.8.0.1 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlp2s0 proto dhcp scope link src 192.168.1.6 metric 302
```
`sudo openvpn client.ovpn` gives

```
unprivileged@laptop:~/openvpn# sudo openvpn client.ovpn
Thu Apr 2 13:04:52 2020 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Thu Apr 2 13:04:52 2020 OpenVPN 2.4.8 [git:makepkg/3976acda9bf10b5e+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jan 3 2020
Thu Apr 2 13:04:52 2020 library versions: OpenSSL 1.1.1e 17 Mar 2020, LZO 2.10
Thu Apr 2 13:04:52 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu Apr 2 13:04:52 2020 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu Apr 2 13:04:52 2020 TUN/TAP device tun0 opened
Thu Apr 2 13:04:52 2020 /usr/bin/ip link set dev tun0 up mtu 1500
Thu Apr 2 13:04:52 2020 /usr/bin/ip addr add dev tun0 local 10.8.0.2 peer 10.8.0.1
Thu Apr 2 13:04:52 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]IP-OF-MY-VPS:1194
Thu Apr 2 13:04:52 2020 UDP link local (bound): [AF_INET][undef]:1194
Thu Apr 2 13:04:52 2020 UDP link remote: [AF_INET]IP-OF-MY-VPS:1194
```
and `ifconfig` also shows a configured tunnel:

```
wlp2s0: ...
lo: ...
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.2  netmask 255.255.255.255  destination 10.8.0.1
        inet6 fe80::97f0:521f:5d15:6482  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1  bytes 48 (48.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
```
Testing the connection
For the sake of testing the connection I disabled the firewall.
```
[root@vps etc]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@vps etc]# firewall-cmd --state
not running
```
The tutorial now states that

> To verify that the VPN is running, you should be able to ping 10.8.0.2 from the server and 10.8.0.1 from the client.
From the client I receive a response using either interface, i.e. both `ping 10.8.0.2` and `ping -I tun0 10.8.0.2` produce a response.
From the server, however, all requests time out, with or without specifying the interface tun0. What am I missing here? I also find it a bit confusing that server and client use netmask /0.
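As an added example that is not part of the question above and not code from the OpenVPN project, the POSIX shell script below lints a static-key point-to-point setup of this kind: it checks that the two `ifconfig` lines mirror each other, that both sides name the same `secret` file and a `tun` device, that a `cipher` with a 128-bit block size is set (the `cipher AES-256-CBC` line is the mitigation the SWEET32 warning in the logs names; without a `cipher` line OpenVPN 2.4 uses the 64-bit-block BF-CBC default), and that each side's `ip route list` output contains a host route to the peer over a tun device. The config texts and route tables are constructed inline from the values in the question; the `HARDENED_SERVER_CONF` variant and all function names are this example's own.

```shell
#!/bin/sh
# Added example: lint a static-key OpenVPN p2p setup (configs + route tables).
# Not code from the original post or from OpenVPN. Inputs are constructed
# from the values shown in the question.

# --- constructed inputs ---------------------------------------------------
SERVER_CONF='dev tun
ifconfig 10.8.0.1 10.8.0.2
secret static.key'

CLIENT_CONF='remote IP-OF-MY-VPS
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret static.key'

# Same server config plus the 128-bit-block cipher the SWEET32 warning asks for.
HARDENED_SERVER_CONF="$SERVER_CONF
cipher AES-256-CBC"

SERVER_ROUTES='default via 172.31.0.1 dev eth0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
172.31.0.0/24 dev eth0 proto kernel scope link src 172.31.0.9'

CLIENT_ROUTES='default via 192.168.1.1 dev wlp2s0 proto dhcp src 192.168.1.6 metric 302
10.8.0.1 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlp2s0 proto dhcp scope link src 192.168.1.6 metric 302'

# --- helpers ---------------------------------------------------------------
# conf_value CONF DIRECTIVE: print the arguments of the first matching directive.
conf_value() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }'
}

# local_addr / remote_addr CONF: the two addresses of the 'ifconfig' line.
local_addr()  { conf_value "$1" ifconfig | awk '{print $1}'; }
remote_addr() { conf_value "$1" ifconfig | awk '{print $2}'; }

# p2p_endpoints_match SERVER_CONF CLIENT_CONF: succeed when each side's local
# address is the other side's remote address.
p2p_endpoints_match() {
    [ -n "$(local_addr "$1")" ] &&
    [ "$(local_addr "$1")" = "$(remote_addr "$2")" ] &&
    [ "$(remote_addr "$1")" = "$(local_addr "$2")" ]
}

# same_secret_and_dev SERVER_CONF CLIENT_CONF: both sides must name the same
# key file and use a tun (layer 3) device, as the HOWTO configs do.
same_secret_and_dev() {
    [ -n "$(conf_value "$1" secret)" ] &&
    [ "$(conf_value "$1" secret)" = "$(conf_value "$2" secret)" ] &&
    [ "$(conf_value "$1" dev)" = tun ] && [ "$(conf_value "$2" dev)" = tun ]
}

# has_128bit_block_cipher CONF: succeed if an AES cipher is configured.
# With no 'cipher' line, OpenVPN 2.4 falls back to BF-CBC (64-bit block),
# which is what the "INSECURE cipher ... SWEET32" log warning reports.
has_128bit_block_cipher() {
    case "$(conf_value "$1" cipher)" in
        AES-*) return 0 ;;
        *)     return 1 ;;
    esac
}

# peer_route_via_tun ROUTES PEER_ADDR: succeed if the 'ip route list' text
# contains a host route to PEER_ADDR over a tun device.
peer_route_via_tun() {
    printf '%s\n' "$1" | awk -v peer="$2" '
        $1 == peer && $2 == "dev" && $3 ~ /^tun/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# --- demo run on the constructed inputs ------------------------------------
check() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then echo "ok:   $label"; else echo "FAIL: $label"; fi
}
check "ifconfig endpoints mirror each other"            p2p_endpoints_match "$SERVER_CONF" "$CLIENT_CONF"
check "same secret file and dev tun on both sides"      same_secret_and_dev "$SERVER_CONF" "$CLIENT_CONF"
check "HOWTO server config sets a 128-bit block cipher" has_128bit_block_cipher "$SERVER_CONF"
check "hardened server config sets a 128-bit block cipher" has_128bit_block_cipher "$HARDENED_SERVER_CONF"
check "server has host route to peer via tun"           peer_route_via_tun "$SERVER_ROUTES" "$(remote_addr "$SERVER_CONF")"
check "client has host route to peer via tun"           peer_route_via_tun "$CLIENT_ROUTES" "$(remote_addr "$CLIENT_CONF")"
```

On the configs from the question the endpoint, secret and route checks pass and only the cipher check fails for the unmodified HOWTO config, which matches the two SWEET32 warnings in both logs; the route checks confirm that the kernel route to the peer over `tun0` exists on both ends, so a missing route is not what the static-key setup itself leaves out.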