Ubuntu 14.04 OpenVPN port forwarding

edited May 2014 in P2P Support
Hi!

Is there a tutorial on how to enable port forwarding in Ubuntu? It's pretty easy on Windows with the pia app, but on Ubuntu it seems to be more complicated.

Any help appreciated :)

Thx in advance!

Comments

  • I posted a quick guide for another user, who runs Kubuntu 14.04, HERE. Ubuntu will be the same as you'll be using the CLI. Bear in mind that importing VPN connections is broken in Ubuntu 14.04, so you'll need to do things manually or else install the app (which works the same as in Windows). 
  • edited May 2014
    I start the connection via terminal
    sudo openvpn --auth-nocache --script-security 2 --config pia.conf
    This works very well so far. No DNS leak and a stable connection. The kill switch does not work yet, but I'm on it.
    By importing, do you mean import via the Network Manager GUI? Haven't found that option anyway..

    I will try your tutorial now :)
  • edited May 2014
    Does not seem to work. I get a port, but http://www.canyouseeme.org "Error: I could not see your service"

    Maybe for me it's better to install the app.
    Is this the right one? https://www.privateinternetaccess.com/pages/client-support/#ubuntu_openvpn_installer

    edit: ah I guess it's this one. https://www.privateinternetaccess.com/forum/index.php?p=/discussion/1940/pia-vpn-app-linux-beta/p1

    edit:
    same thing with the app. not connectable
  • edited May 2014
    Do you actually have a program open and listening actively on that port at the time you test? It will only work (show as connectable) if you're actually trying to listen on the given port when you run the test. If you have already input the port into your client and it's still saying not visible, try restarting the client/program and having another go. 
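The point made in the reply above (the external port check only succeeds if a program is actually listening on the forwarded port at that moment) is easy to verify locally before trying canyouseeme again. The script below is an added example, not code from the thread or from the PIA app: it reads /proc/net/tcp and /proc/net/tcp6 directly (so it needs neither ss nor netstat) and reports whether the port is listening and on which address. The sample table embedded at the bottom is constructed for the demo, not real output; the port numbers in it (8080, 53) are made up.

```shell
#!/bin/sh
# Added example (not from the thread or the PIA app): find out what is
# actually listening on the forwarded port before running an external
# "can you see me" test. It reads /proc/net/tcp and /proc/net/tcp6
# directly, so it works on a bare Ubuntu box even without ss/netstat.
#
# /proc/net/tcp columns (kernel documentation): $2 is local_address as
# HEXIP:HEXPORT, $4 is the socket state; 0A means LISTEN. IPv4 addresses
# are stored little-endian, so 127.0.0.1 appears as 0100007F.

# Read one or more /proc/net/tcp-format tables on stdin and print
# "<port> <scope>" per LISTEN socket, where scope is any / loopback / other.
listening_ports() {
    awk '
    function hex2dec(h,    i, c, v) {
        v = 0; h = toupper(h)
        for (i = 1; i <= length(h); i++) {
            c = substr(h, i, 1)
            v = v * 16 + index("0123456789ABCDEF", c) - 1
        }
        return v
    }
    $4 == "0A" {
        n = split($2, a, ":")
        addr = a[1]; port = hex2dec(a[n])
        scope = "other"
        if (addr == "00000000" || addr == "00000000000000000000000000000000") {
            scope = "any"             # 0.0.0.0 or ::
        } else if (length(addr) == 8 && substr(addr, 7) == "7F") {
            scope = "loopback"        # 127.x.x.x
        } else if (addr == "00000000000000000000000001000000") {
            scope = "loopback"        # ::1
        }
        print port, scope
    }' | sort -n | uniq
}

# Usage: check_forwarded_port PORT [TABLE...]
# TABLE defaults to the live /proc/net/tcp and /proc/net/tcp6.
# Returns 0 only if something listens on PORT on a non-loopback address:
# a client bound to 127.0.0.1 passes a local test but never the external one.
check_forwarded_port() {
    port="$1"; shift
    [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/tcp6
    scope=$(cat "$@" 2>/dev/null | listening_ports |
            awk -v p="$port" '$1 == p { print $2; exit }')
    case "$scope" in
        "")       echo "nothing is listening on $port: start (or restart) the client first"; return 1 ;;
        loopback) echo "port $port is bound to loopback only; bind to 0.0.0.0 or the tun0 address"; return 1 ;;
        *)        echo "port $port is listening ($scope)"; return 0 ;;
    esac
}

# Constructed sample in /proc/net/tcp format (not real output): 8080 on
# 0.0.0.0 in LISTEN, 53 on 127.0.0.1 in LISTEN, and one ESTABLISHED socket.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 8A0BA8C0:C6A4 3F1A0B6D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1'

# Demo on the sample; on the VPN box run "check_forwarded_port <your port>".
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_TCP" > "$sample_file"
check_forwarded_port 8080 "$sample_file"
check_forwarded_port 53 "$sample_file" || true
rm -f "$sample_file"
```

Run `check_forwarded_port 12345` (with your assigned port) while the torrent client is open; only when it reports "listening (any)" or a tun0 address is an external test meaningful. A "loopback only" result is the usual reason a client that looks fine locally still shows "could not see your service".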
  • edited May 2014
    It works now somehow. But the thing is, that pia restarts, after one minute or so and gives me another port. Maybe it has something to do with my VM. I will start the next test, when my new pc arrives.
  • @rainmakerraw helped me with that and it has been working very well.  From what you write I understand that you are using PIA app and this method.  If I am right, you have to use one or the other.  You make a connection with openvpn and follow his method to get the port, plug that to wherever you want and off you go.  Or, use the pia app, set up with port forwarding and get that port.
  • alright thanks, it is working now. the app says "upgrade available", but when I click on it nothing happens.
  • @m1xm4ster That's just a cock up feature in the Linux client. There are recent updates for Windows and OS X so the Linux client (which hasn't had an update in ages) kindly reminds you everyone else is getting dev love while you're left in the wilderness to fend for yourself. :p
  • Ah that makes sense :D

    Today I installed the PIA app on a fresh Ubuntu 14.04. Everything is working really well.
    But there is one problem:
    I cannot connect from another PC while the "kill switch" is activated.
    => No VNC or home network possible.

    Is that a normal feature or am I doing something wrong?
  • You're doing something wrong.
    Local network routes are not affected by the VPN, so you must be missing one.
    Please describe your local network address scheme and show us the routing table from the VPN-enabled device, we'll figure it out.
  • edited May 2014
    PC-Windows (7 x64)  <-----> DHCP Router (Internet)   <------> Linux-PC (Ubuntu 14.04)


    $ ifconfig
    eth1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
              inet addr:192.168.11.138  Bcast:192.168.11.255  Mask:255.255.255.0
              inet6 addr: fe80::d250:99ff:fe1d:51b/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:56423 errors:0 dropped:0 overruns:0 frame:0
              TX packets:33388 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:75828378 (75.8 MB)  TX bytes:5287392 (5.2 MB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:8885 errors:0 dropped:0 overruns:0 frame:0
              TX packets:8885 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1916687 (1.9 MB)  TX bytes:1916687 (1.9 MB)

    tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:10.164.1.6  P-t-P:10.164.1.5  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:54886 errors:0 dropped:0 overruns:0 frame:0
              TX packets:32978 errors:0 dropped:490 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:71256639 (71.2 MB)  TX bytes:2378115 (2.3 MB)

    $ route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.164.1.5      128.0.0.0       UG    0      0        0 tun0
    0.0.0.0         192.168.11.1    0.0.0.0         UG    0      0        0 eth1
    10.164.1.1      10.164.1.5      255.255.255.255 UGH   0      0        0 tun0
    10.164.1.5      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    <>              192.168.11.1    255.255.255.255 UGH   0      0        0 eth1
    128.0.0.0       10.164.1.5      128.0.0.0       UG    0      0        0 tun0
    192.168.11.0    0.0.0.0         255.255.255.0   U     1      0        0 eth1

    $ cat /etc/resolv.conf
    nameserver 209.222.18.222
    nameserver 209.222.18.218

    $ nm-tool

    NetworkManager Tool

    State: connected (global)

    - Device: eth1 [Wired connection 1] ------------------------------------
    Type: Wired
    Driver: r8169
    State: connected
    Default: yes
    HW Address: xx:xx:xx:xx:xx:xx

    Capabilities:
    Carrier Detect: yes
    Speed: 1000 Mb/s

    Wired Properties
    Carrier: on

    IPv4 Settings:
    Address: 192.168.11.138
    Prefix: 24 (255.255.255.0)
    Gateway: 192.168.11.1

    DNS: 192.168.11.1
  • All devices on 192.168.11/24 should be able to connect to "server". If you have devices on other networks, those need extra routes.
  • OK, but both PCs are on the same Network.

    192.168.11.150 Windows
    192.168.11.138 Linux

    Pingtest:

    $ sudo tcpdump -c 30 -ven -i any icmp
    tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    00:32:48.488324  In 74:d4:35:83:e6:fb ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 18850, offset 0, flags [none], proto ICMP (1), length 60)
        192.168.11.150 > 192.168.11.138: ICMP echo request, id 1, seq 8, length 40
    00:32:53.079340  In 74:d4:35:83:e6:fb ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 18901, offset 0, flags [none], proto ICMP (1), length 60)
        192.168.11.150 > 192.168.11.138: ICMP echo request, id 1, seq 9, length 40
    00:32:58.079286  In 74:d4:35:83:e6:fb ethertype IPv4 (0x0800), length 76: (tos 0x0, ttl 128, id 18973, offset 0, flags [none], proto ICMP (1), length 60)
        192.168.11.150 > 192.168.11.138: ICMP echo request, id 1, seq 10, length 40
    ^C
    3 packets captured
    3 packets received by filter
    0 packets dropped by kernel


  • edited May 2014
    When I turn off the kill switch, I get a response from the Ubuntu PC and everything works.
    It has something to do with the pia app..
  • With the killswitch, check "iptables -L -n -v".
  • edited May 2014
    here you go.

    With kill switch:
    # iptables -L -n -v
    Chain INPUT (policy ACCEPT 144 packets, 23797 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 108 packets, 10169 bytes)
     pkts bytes target     prot opt in     out     source               destination
      173 21872 PIA_KILLSWITCH_OUTPUT_RULES  all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Chain PIA_KILLSWITCH_OUTPUT_RULES (1 references)
     pkts bytes target     prot opt in     out     source               destination
       20  3268 RETURN     all  --  *      *       0.0.0.0/0            109.201.154.192
       69  5175 RETURN     all  --  *      *       0.0.0.0/0            127.0.0.0/8
       19  1726 RETURN     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
       62 11332 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

    Without kill switch:
    # iptables -L -n -v
    Chain INPUT (policy ACCEPT 358 packets, 44832 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 332 packets, 32723 bytes)
     pkts bytes target     prot opt in     out     source               destination
  • The kill switch blocks access to the local network.

    I would classify this as a bug.

    As a workaround, disable the killswitch and build your own firewall rules to protect you from leaking traffic when the VPN dies.
  • edited May 2014
    Here is what I did:
    http://i.imgur.com/ieIG70R.png
    IP range for NForce
    Netherlands: 109.201.128.0 - 109.201.159.255


    But this won't do the job. I can't connect to the internet when VPN + firewall are active.

    Source: http://ubuntuforums.org/showthread.php?t=1496473


    edit: tested it with my vpn IP, still no progress.
  • FWIW, if I temporarily turn off the kill switch, connect to my LAN, and then re-enable the kill switch, my LAN remains accessible.
  • @m1xm4ster, I don't know the tool that screenshot is from. There's likely very much going on that we don't see.

    If that is indeed the exact firewall configuration for the only network interface in your machine, then you have probably cut yourself off from your DNS servers and also your LAN.

    You could probably keep the killswitch and just add an allow rule for your LAN?
  • I have the same issue, when the killswitch is activated i lose my local lan
  • edited May 2014
    FWIW, if I temporarily turn off the kill switch, connect to my LAN, and then re-enable the kill switch, my LAN remains accessible.
    But is the kill switch really active then? I don't know how to test this.

    @m1xm4ster, [...] You could probably keep the killswitch and just add an allow rule for your LAN?
    That does not work with gufw. You can just set Incoming and Outgoing globally and then specify rules for exceptions.
    I could set "allow" for Incoming and Outgoing globally and then "reject" certain things. Unfortunately I'm not into that kind of stuff and wouldn't really know what I am doing.

    Isn't there a simple thing that i can do? Like allow internet traffic only over tun0 or such thing?

    edit:
    now I'm playing a little bit with ufw.
    These commands helped me a little bit. When I close pia or disconnect, no internet connection, bravo. :)

    But still LAN does not work. :/
    # default: drop everything in both directions
    sudo ufw default deny outgoing
    sudo ufw default deny incoming

    # anything through the tunnel is fine
    sudo ufw allow out on tun0 from any to any
    sudo ufw allow in on tun0 from any to any

    # the VPN server range (NForce, Netherlands 109.201.128.0 - 109.201.159.255 is a /19);
    # ufw wants CIDR notation, not a start-end range
    sudo ufw allow in on eth1 from 109.201.128.0/19 to any
    sudo ufw allow out on eth1 from any to 109.201.128.0/19

    # the LAN; the wired interface is eth1 in the ifconfig output above, not eth0
    sudo ufw allow in on eth1 from 192.168.11.0/24 to any
    sudo ufw allow out on eth1 from any to 192.168.11.0/24
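The workaround suggested earlier in the thread (leave the app's kill switch off and build your own rules that also let the LAN through) as an added example, not the PIA app's code and not any poster's: it reproduces the shape of the PIA_KILLSWITCH_OUTPUT_RULES chain from the iptables listing above (RETURN for the VPN server, loopback and tun+, then DROP) and adds the two exceptions that chain lacks, the local network and DHCP. That missing LAN rule is why the tcpdump shows ICMP echo requests arriving from 192.168.11.150 but no replies leaving, and why the DROP counter climbs. The server address 109.201.154.192, the LAN 192.168.11.0/24, eth1 and tun0 are taken from the outputs posted in the thread; the chain name MY_KILLSWITCH and the function names are made up for the example.

```shell
#!/bin/sh
# Added example, not the PIA app's own code: a hand-rolled OUTPUT kill
# switch with the same shape as the PIA_KILLSWITCH_OUTPUT_RULES chain
# shown in the thread (RETURN for the VPN server, loopback and tun+, then
# DROP), plus the two rules that chain lacks: the local network and DHCP.
# Addresses and interface names are assumptions taken from the thread.
# "iptables -C" (check) needs iptables 1.4.11 or newer; 14.04 has it.

CHAIN=MY_KILLSWITCH

# Print, but do not apply, the iptables commands.
# Usage: killswitch_rules VPN_SERVER LAN_CIDR LAN_IF TUN_IF
killswitch_rules() {
    vpn_server="$1" lan_cidr="$2" lan_if="$3" tun_if="$4"
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || true
iptables -F $CHAIN
# loopback is always allowed
iptables -A $CHAIN -o lo -j RETURN
# anything that goes into the tunnel is, by definition, protected
iptables -A $CHAIN -o $tun_if -j RETURN
# the encrypted OpenVPN session itself, only on the physical NIC
iptables -A $CHAIN -o $lan_if -d $vpn_server -j RETURN
# DHCP discover/rebind go to 255.255.255.255, which is outside the LAN prefix
iptables -A $CHAIN -o $lan_if -p udp --dport 67 -j RETURN
# the rule the PIA chain is missing: the local network (VNC, file shares)
iptables -A $CHAIN -o $lan_if -d $lan_cidr -j RETURN
# everything else would leave in cleartext when the VPN is down: drop it
iptables -A $CHAIN -j DROP
# hook the chain into OUTPUT exactly once
iptables -C OUTPUT -j $CHAIN 2>/dev/null || iptables -I OUTPUT 1 -j $CHAIN
EOF
}

# Apply the rules (root only). Use this instead of, not together with, the
# app's own kill switch: the app's chain would still drop the LAN replies.
apply_killswitch() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_killswitch: run as root" >&2; return 1; }
    killswitch_rules "$@" | sh -e
}

# Tear the kill switch down again.
remove_killswitch() {
    iptables -D OUTPUT -j "$CHAIN" 2>/dev/null || true
    iptables -F "$CHAIN" 2>/dev/null || true
    iptables -X "$CHAIN" 2>/dev/null || true
}

# Sanity check on rule order: the LAN RETURN must sit above the final DROP,
# otherwise the LAN is cut off exactly as described in the thread.
lan_rule_precedes_drop() {
    rules=$(killswitch_rules "$@" | grep '^iptables -A')
    lan_line=$(printf '%s\n' "$rules" | grep -n -- "-d $2 " | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-j DROP' | cut -d: -f1)
    [ -n "$lan_line" ] && [ "$lan_line" -lt "$drop_line" ]
}

# Values from the thread: PIA NL server, LAN 192.168.11.0/24 on eth1, tun0.
killswitch_rules 109.201.154.192 192.168.11.0/24 eth1 tun0
```

Bring OpenVPN up first, then run `apply_killswitch 109.201.154.192 192.168.11.0/24 eth1 tun0` as root and check the counters with `iptables -L MY_KILLSWITCH -n -v`; the PIA DNS servers in resolv.conf are reached through tun0, so they need no rule of their own. The server rule has to be an IP address, not a hostname: with the switch active, resolving the name would itself be blocked, so if you connect to a different server next time, regenerate the rules with its address. `remove_killswitch` restores the plain ACCEPT policy shown in the "without kill switch" listing.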