OpenVPN on OpenVZ on a VPS – Internet routing

I wanted to route my internet through the VPS using my Windows 7 laptop. It took me more than a day to get this set up, so I am putting it down here as a reference for the future. My guess is that this is probably something that only a first-time user of a VPS will encounter. The other times, you would have been forced to learn it and you don’t have to go through the difficulty again. Once you know how to do it, it will probably take you 20 mins end to end.

But anyways, long story short, this is what you need to know:

  • OpenVPN configuration – I am not kidding, definitely go through this page. It will take around 20-30 mins, but that’s the best way to do it. Otherwise you’ll keep wondering whether the issue lies with OpenVPN or with something else.
  • IPTables configuration – A good tutorial that will really get you started on the hows and whats. Read it carefully, you’ll need it.

Here’s how I did it. I’m setting up VPN to route my Internet traffic through the VPS server. We’ll break it down step by step.

IPTables configuration:

The documentation for openvpn is pretty straightforward, so I won’t go into it here. You can refer to the tutorial above and as long as you take the time to read through everything, you shouldn’t have a problem.

At this point, I was able to connect to my VPN from my Windows machine, but unfortunately couldn’t access the net. I needed to check iptables to see if there was anything missing over there.

Two things to remember when working with iptables. If you ever make a mistake and want to reset your tables to a clean state, use the command:

user@server:~$ sudo iptables -F

This will flush all the rules. Note that it only removes rules; the default policy of each chain (ACCEPT here) stays as it is, so if you ever set a chain policy to DROP, set it back to ACCEPT before flushing or you will lock yourself out.

If you want to take a backup of the rules before you clean it out, use the following command:

user@server:~$ sudo iptables-save > ./iptables.backup-20140922

And lastly, iptables gets reset when you reboot unless you set it up to load the rules at startup. In this post, we won’t be saving anything and there are lots of tutorials on how to do that. So, if you make a mistake and lock yourself out, just log in to your openvz web console and hard reboot your machine.

First thing was to check iptables. This is done with the following command

user@server:~$ sudo iptables -L -v

The -L is to list all the rules and -v is to be extra verbose, which adds the packet and byte counters and the in/out interfaces for each rule.

Here’s what the output looked like:

Chain INPUT (policy ACCEPT 34 packets, 3088 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 30 packets, 16329 bytes)
pkts bytes target     prot opt in     out     source               destination

You should see something similar. Now, let’s add in some rules. Always a good idea to put some rules in to keep malicious programs and people at bay.

Following the steps in the tutorial above, first add in the command to allow established connections access:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Next, let’s make sure we can connect through ssh (defaults to 22):

sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

Now, let’s make sure that the openvpn port is open (mine is 1194, if you configured something else, replace it here). Also, in the openvpn configuration, I chose udp as the protocol. If yours is tcp, make the changes accordingly:

sudo iptables -A INPUT -p udp --dport 1194 -j ACCEPT

If you want to open up port 80 for your webserver, repeat the above step but replace the port and the protocol.

We’re done with allowing! Now let’s block anything else that tries to reach our server:

sudo iptables -A INPUT -j DROP

Finally, make sure loopback is enabled at the top of the rules (INPUT 1) or we won’t be able to ping localhost 😉

sudo iptables -I INPUT 1 -i lo -j ACCEPT

All done! The rules are evaluated in the order they are entered. If we had entered the DROP rule at the beginning, it would have blocked everything before any of the ACCEPT rules following it got a chance to match.

At this point, you should see the rules as follows when you run “sudo iptables -L -v”. Try connecting your VPN to make sure you are able to connect:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
196 17518 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
0     0 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:openvpn
4   221 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3 packets, 2648 bytes)
pkts bytes target     prot opt in     out     source               destination

If you’re able to connect, great! If not, I sympathise. Retrace your steps and see if you’ve missed something or search online for something that’s specific to your rig.

Now, we still won’t be able to access the net. That’s because IP forwarding (the kernel passing packets from the VPN interface on to the internet) has not been enabled. First step is to make sure that you have forwarding enabled. To enable it just for this session, run the following command as root (with sudo in front, the redirection would still run as your own user, so use sudo sysctl -w net.ipv4.ip_forward=1 instead):

echo 1 > /proc/sys/net/ipv4/ip_forward

If you want to have it enabled on boot, set the following option to 1 in /etc/sysctl.conf:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

The part of getting internet to work was the one which stumped me. It took me a very long time to find the commands that work mainly because I am not a networking expert.

After a lot of searching, I found that the issue was in how the NAT rule has to be set up on OpenVZ systems. I followed the instructions on this forum post on OpenVPN which finally worked and got the net working for me (Thanks HalfEatenPie!).

It mainly requires that the FORWARD chain be set up correctly to “forward” the traffic coming from the VPN clients. Similar to the previous rules, first allow everything for connections already established:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Accept all forwarding requests from the VPN subnet you configured in openvpn’s server.conf. Mine uses the default, i.e. 10.8.0.0/24:

iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

Reject all other forwarding requests:

iptables -A FORWARD -j REJECT

Make sure the routing goes through to the right network device (venet0 in this case). Replace the IP address below with the actual public IP address that is assigned to your VPS machine (the one below is just a placeholder; 256 is not even a valid octet, so iptables will refuse it as written).

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 100.200.255.256

This last command is the secret sauce that finally gets your internet working. And the parameters are very specific to OpenVPN on OpenVZ systems: the usual MASQUERADE target commonly does not work on OpenVZ’s venet0 interface, which is why an explicit SNAT to the VPS’s own address is used instead.
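To tie the INPUT rules and the FORWARD/SNAT rules above together, here is an added example (not from the original post) that emits the complete rule set as one iptables-restore file, so it loads atomically in the intended order and the VPS address is checked before iptables ever sees it. The subnet, protocol, port, interface and address are parameters you pass in; the SNAT rule is narrowed to the VPN subnet, which the post’s rule does not do.

```shell
#!/bin/sh
# Added example, not from the original post: emit the post's INPUT, FORWARD
# and POSTROUTING rules as one iptables-restore file, so the whole set loads
# atomically and in the intended order (lo rule first, DROP/REJECT last).
# Parameters are assumptions: VPN subnet, VPN proto/port, egress iface, VPS IP.
# Return 0 only for a well-formed dotted-quad IPv4 address; this catches
# placeholders such as 100.200.255.256 before they reach iptables.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1 n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        [ "$rest" = "$octet" ] && break   # last octet consumed
        rest=${rest#*.}
    done
    [ "$n" -eq 4 ]
}

# build_rules VPN_SUBNET VPN_PROTO VPN_PORT OUT_IFACE VPS_IP
# The SNAT rule is narrowed to the VPN subnet (-s) so only VPN clients
# are translated to the VPS address; the post's rule has no -s.
build_rules() {
    valid_ipv4 "$5" || { echo "build_rules: bad VPS address '$5'" >&2; return 1; }
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p $2 --dport $3 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s $1 -j ACCEPT
-A FORWARD -j REJECT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $1 -o $4 -j SNAT --to-source $5
COMMIT
EOF
}

# Usage (as root): build_rules 10.8.0.0/24 udp 1194 venet0 203.0.113.10 | iptables-restore
```

Because iptables-restore replaces the tables in one go, you can re-run it after editing without the duplicate-rule build-up that repeated -A commands cause.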

Once I did this, I could route all my traffic through my VPS!
