openvpn
Oleg, 2017-09-21 07:37:22

How to fix OpenVPN issues?

OpenVPN is up on the home router (Linux). It is configured so that a computer at work can RDP into one of the home machines and a tablet can access the Internet. Some time ago, Internet access through OpenVPN stopped working on the tablet. For diagnostics, I decided to start by checking Internet access from the work PC. The speed turned out to be very low: 100-200 kb/s, even though I have 100 Mbps at home and good Internet at work too (all in Moscow). Then I decided to simply connect to the router's FTP from the work computer. [After I figured out why iptables was interfering and added the necessary rule] the FTP authorization stage passes, but the file listing is not received - an error.
Please, anyone who has encountered similar problems with OpenVPN, help.
I would also appreciate pointers to good instructions on diagnosing network traffic (for someone who has never done this).

iptables rules
# $wan - external interface
# $internal - internal interface
# $internal_subnet - IP address range of the internal network
# $tun_subnet - IP address range of the OpenVPN network
# $tun_ip2 - one of the IP addresses in the OpenVPN subnet
# $internal_ip1 - IP address of the gateway in the internal network
# $internal_ip3 - one of the IP addresses in the internal network; the computer with RDP access
# $port_for_openvpn, $port_for_transmission - the external ports for OpenVPN and Transmission respectively
# Generated by iptables-save v1.6.1 on Sun Sep 10 22:04:03 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [11995:17808563]
:TCP - [0:0]
:UDP - [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -s 127.0.0.0/8 -i $wan -j DROP
-A INPUT -s 192.168.0.0/16 -i $wan -j DROP
-A INPUT -s 172.16.0.0/12 -i $wan -j DROP
-A INPUT -s 10.0.0.0/8 -i $wan -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j interfaces
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -j open
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A TCP -s $tun_ip2 -d $internal_ip1 -p tcp --dport 21 -j ACCEPT
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A fw-interfaces -s $tun_ip2/32 -d $internal_ip3/32 -i tun0 -p tcp -m tcp --dport 3389 -j ACCEPT
-A fw-interfaces -i $internal -j ACCEPT
-A fw-interfaces -s $tun_subnet/16 -d $internal_subnet/16 -i tun0 -j DROP
-A fw-interfaces -i tun0 -j ACCEPT
-A interfaces -i lo -j ACCEPT
-A interfaces -i $internal -j ACCEPT
-A open -i $wan -p tcp -m tcp --dport $port_for_transmission -j ACCEPT
-A open -i $wan -p udp -m state --state NEW -m udp --dport $port_for_openvpn -j ACCEPT
COMMIT
# Completed on Sun Sep 10 22:04:03 2017
# Generated by iptables-save v1.6.1 on Sun Sep 10 22:04:03 2017
*nat
:PREROUTING ACCEPT [1047254:79013676]
:INPUT ACCEPT [475742:27967758]
:OUTPUT ACCEPT [1334746:86050937]
:POSTROUTING ACCEPT [1354682:86848493]
-A POSTROUTING -s $internal_subnet/16 -o $wan -j MASQUERADE
-A POSTROUTING -s $tun_subnet/24 -o $wan -j MASQUERADE
COMMIT
# Completed on Sun Sep 10 22:04:03 2017
/etc/vsftp.conf
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=066
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
/etc/xinet.d/vsftp

After I installed and enabled xinetd, logins started appearing in the vsftpd logs (before that, only file operations did).
# vsftpd is the secure FTP server.
service ftp
{
        disable                 = no
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/local/sbin/vsftpd
        per_source              = 5
        instances               = 200
#        no_access               = 192.168.1.3
        banner_fail             = /etc/vsftpd.busy_banner
        log_on_success          += PID HOST DURATION
        log_on_failure          += HOST
}
openvpn conf

Now there are no lines in the OpenVPN config for redirecting traffic to the Internet - only for accessing the home network.
#port 1194
mode server
port $port_for_openvpn
proto udp
dev tun0

server $tun_subnet 255.255.255.0

user nobody
group nobody

cd /etc/openvpn/server
persist-key
persist-tun

tls-server
tls-timeout 120

dh /etc/openvpn/server/dh.pem
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpn-server.crt
key /etc/openvpn/server/server.key
crl-verify /etc/openvpn/server/crl.pem
tls-auth /etc/openvpn/server/ta.key 0

ifconfig-pool-persist /etc/openvpn/server/ipp.txt
client-config-dir /etc/openvpn/ccd
client-to-client
topology subnet
max-clients 2

push "route $internal_subnet 255.255.255.0"

comp-lzo
keepalive 10 120

status /var/log/openvpn/openvpn-status.log 1
status-version 3
log-append /var/log/openvpn/server.log
verb 3

By the way, after some update the date and time were no longer written to the logs; I had to remove the --suppress-date key from the openvpn service unit file for systemd.

PS: The question about the transfer speed through OpenVPN, as ... I saw, I will study.
PPS: The work computer is on Windows, the tablet on Android 4.4. RDP from work to home and from home to work generally works fine; at most, graphics rarely slow down, and I have transferred files of up to 30 MB more than once.

1 answer(s)
Oleg, 2017-09-26
@Batiskaf_stv

All the problems with the work computer have been solved.
1. For FTP to work, it was not enough to open port 21 alone. Following the instructions, I added a rule:

# iptables -A PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp
and everything worked. Transfer rate in Far: 9400 - 9800 kb/s.
The router's processor is loaded at 60-80%.
2. Also, following the link to the next question, I reset the receive/transmit buffers; Internet access from the work computer is now at a decent speed: Yandex shows 65/85 Mbps (in/out).
The tablet still does not work. I will keep digging.
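As an added example (not from the question or the answer), here is a small evaluator for the subset of iptables-save syntax on the question's INPUT path. It shows why the FTP login succeeded while the directory listing failed: the passive-mode data connection arrives as a NEW TCP flow to a random high port and only port 21 is opened for the VPN client, so it falls through to the final REJECT, whereas once the raw-table CT --helper ftp rule from the answer attaches the helper, conntrack marks that flow RELATED and the early RELATED,ESTABLISHED accept takes it. The addresses and the port 51234 are constructed sample values standing in for the question's $variables.

```python
import shlex
# Constructed sample values standing in for the question's $variables.
SAMPLE = {"$tun_ip2": "10.8.0.6", "$internal_ip1": "192.168.1.1"}
# Subset of the question's filter table on the INPUT path (the -m recent port-scan
# rules and the interfaces/UDP/open chains are left out for brevity).
RULESET = """
:INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -s $tun_ip2 -d $internal_ip1 -p tcp --dport 21 -j ACCEPT
"""
MATCHES = {"-s": "src", "-d": "dst", "-i": "iif", "-p": "proto", "--dport": "dport",
           "--ctstate": "ctstate"}  # iptables flag -> packet field (values become sets)

def parse(text, subst):
    for var, val in subst.items():
        text = text.replace(var, val)
    chains, policy = {}, {}
    for tok in (shlex.split(line) for line in text.strip().splitlines()):
        if tok[0].startswith(":"):                # ":CHAIN POLICY" ("-" for user chains)
            chains[tok[0][1:]], policy[tok[0][1:]] = [], tok[1]
        elif tok[0] == "-A":                      # "-A CHAIN <matches> -j TARGET"
            rule = {k: set(tok[tok.index(f) + 1].split(",")) for f, k in MATCHES.items() if f in tok}
            rule["target"] = tok[tok.index("-j") + 1]
            chains.setdefault(tok[1], []).append(rule)
    return chains, policy

def verdict(chains, policy, chain, pkt):
    # Walk a chain like netfilter: first terminating target wins, else the chain policy.
    for rule in chains[chain]:
        if any(pkt[k] not in rule.get(k, {pkt[k]}) for k in MATCHES.values()):
            continue
        if rule["target"] in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"]
        sub = verdict(chains, policy, rule["target"], pkt)  # user chain may fall through
        if sub is not None:
            return sub
    return policy.get(chain) if policy.get(chain, "-") != "-" else None

def ftp_verdicts(helper_loaded):
    # FTP control and passive-mode data connections from the VPN client (tun0) to vsftpd
    # on the router; 51234 is a constructed high port. Without the ftp helper conntrack
    # sees the data connection as NEW; with it, the helper marks the flow RELATED.
    chains, policy = parse(RULESET, SAMPLE)
    base = {"src": "10.8.0.6", "dst": "192.168.1.1", "iif": "tun0", "proto": "tcp"}
    control = verdict(chains, policy, "INPUT", {**base, "dport": "21", "ctstate": "NEW"})
    state = "RELATED" if helper_loaded else "NEW"
    data = verdict(chains, policy, "INPUT", {**base, "dport": "51234", "ctstate": state})
    return control, data
```

In the full ruleset the rejected data SYN also reaches the `-m recent --set --name TCP-PORTSCAN` rule, so for the next 60 seconds every NEW TCP connection from that client, including a retry on port 21, is rejected in the TCP chain before the port-21 accept; the example omits the recent match.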
