Hi,
I’m toying around with VyOS and OpenVPN client to see if I can get connected to Surfshark.
I have two Zones INTERNAL and DEVICES. On DEVICES Interface I have one system I would like to test going through OpenVPN client.
OpenVPN Client Configuration
set interfaces openvpn vtun10 authentication password xxxxxx
set interfaces openvpn vtun10 authentication username xxxxxx
set interfaces openvpn vtun10 description 'VPN'
set interfaces openvpn vtun10 device-type 'tun'
set interfaces openvpn vtun10 encryption cipher 'aes256'
set interfaces openvpn vtun10 hash 'sha512'
set interfaces openvpn vtun10 mode 'client'
set interfaces openvpn vtun10 openvpn-option '--resolv-retry infinite'
set interfaces openvpn vtun10 openvpn-option '--verb 3'
set interfaces openvpn vtun10 openvpn-option '--pull'
set interfaces openvpn vtun10 openvpn-option '--fast-io'
set interfaces openvpn vtun10 openvpn-option '--remote-random'
set interfaces openvpn vtun10 openvpn-option '--nobind'
set interfaces openvpn vtun10 openvpn-option '--tun-mtu 1500'
set interfaces openvpn vtun10 openvpn-option '--tun-mtu-extra 32'
set interfaces openvpn vtun10 openvpn-option '--mssfix 1450'
set interfaces openvpn vtun10 openvpn-option '--persist-key'
set interfaces openvpn vtun10 openvpn-option '--persist-tun'
set interfaces openvpn vtun10 openvpn-option '--ping 15'
set interfaces openvpn vtun10 openvpn-option '--ping-restart 0'
set interfaces openvpn vtun10 openvpn-option '--ping-timer-rem'
set interfaces openvpn vtun10 openvpn-option '--reneg-sec 0'
set interfaces openvpn vtun10 persistent-tunnel
set interfaces openvpn vtun10 protocol 'udp'
set interfaces openvpn vtun10 remote-host 'au-syd.prod.surfshark.com'
set interfaces openvpn vtun10 remote-port '1194'
set interfaces openvpn vtun10 tls auth-file '/config/auth/client.key'
Zone rule
set firewall name LOCAL-OUTSIDE rule 2000 action 'accept'
set firewall name LOCAL-OUTSIDE rule 2000 description 'Allow LOCAL VPN OUTSIDE'
set firewall name LOCAL-OUTSIDE rule 2000 destination port '1194'
set firewall name LOCAL-OUTSIDE rule 2000 log 'enable'
set firewall name LOCAL-OUTSIDE rule 2000 protocol 'udp'
set firewall name LOCAL-OUTSIDE rule 2000 state new 'enable'
When I enable the config all external networking drops.
I’ve struggled with VyOS logging as I seem to get nothing when tailing the messages log.
At one point it did spit out the following
adm@box# tail -f /var/log/messages | grep openvpn
Oct 7 17:46:18 box vyos-configd[662]: Received message: {"type": "node", "data": "VYOS_TAGNODE_VALUE=vtun10/usr/libexec/vyos/conf_mode/interfaces-openvpn.py"}
Oct 7 17:46:19 box openvpn-vtun10[32747]: DEPRECATED OPTION: --cipher set to 'aes-256-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-256-cbc' to --data-ciphers or change --cipher 'aes-256-cbc' to --data-ciphers-fallback 'aes-256-cbc' to silence this warning.
Oct 7 17:46:19 box openvpn-vtun10[32747]: OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Oct 7 17:46:19 box openvpn-vtun10[32747]: library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Oct 7 17:46:19 box openvpn-vtun10[32747]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Oct 7 17:46:19 box openvpn-vtun10[32747]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Oct 7 17:46:19 box openvpn-vtun10[32747]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Oct 7 17:46:19 box openvpn-vtun10[32747]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Oct 7 17:46:19 box openvpn-vtun10[32747]: TCP/UDP: Preserving recently used remote address: [AF_INET]144.48.38.21:1194
Oct 7 17:46:19 box openvpn-vtun10[32747]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Oct 7 17:46:19 box openvpn-vtun10[32747]: UDP link local: (not bound)
Oct 7 17:46:19 box openvpn-vtun10[32747]: UDP link remote: [AF_INET]144.48.38.21:1194
Oct 7 17:46:19 box openvpn-vtun10[32747]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Oct 7 17:46:19 box openvpn-vtun10[32747]: TLS: Initial packet from [AF_INET]144.48.38.21:1194, sid=242f0b8f d3e619de
Oct 7 17:46:19 box openvpn-vtun10[32747]: VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA
Oct 7 17:46:19 box openvpn-vtun10[32747]: VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA
Oct 7 17:46:19 box openvpn-vtun10[32747]: VERIFY OK: depth=0, CN=au-syd-v010.prod.surfshark.com
Oct 7 17:46:19 box openvpn-vtun10[32747]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1633', remote='link-mtu 1581'
Oct 7 17:46:19 box openvpn-vtun10[32747]: WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
Oct 7 17:46:19 box openvpn-vtun10[32747]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Oct 7 17:46:19 box openvpn-vtun10[32747]: [au-syd-v010.prod.surfshark.com] Peer Connection Initiated with [AF_INET]144.48.38.21:1194
Oct 7 17:46:20 box openvpn-vtun10[32747]: SENT CONTROL [au-syd-v010.prod.surfshark.com]: 'PUSH_REQUEST' (status=1)
Oct 7 17:46:20 box openvpn-vtun10[32747]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 162.252.172.57,dhcp-option DNS 149.154.159.92,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,block-outside-dns,route-gateway 10.8.8.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.8.8.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Oct 7 17:46:20 box openvpn-vtun10[32747]: Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.5.1)
Oct 7 17:46:20 box openvpn-vtun10[32747]: OPTIONS IMPORT: timers and/or timeouts modified
Oct 7 17:46:20 box openvpn-vtun10[32747]: OPTIONS IMPORT: explicit notify parm(s) modified
Oct 7 17:46:20 box openvpn-vtun10[32747]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Oct 7 17:46:20 box openvpn-vtun10[32747]: Socket Buffers: R=[212992->446464] S=[212992->425984]
Oct 7 17:46:20 box openvpn-vtun10[32747]: OPTIONS IMPORT: --ifconfig/up options modified
Oct 7 17:46:20 box openvpn-vtun10[32747]: OPTIONS IMPORT: route options modified
Oct 7 17:46:20 box openvpn-vtun10[32747]: OPTIONS IMPORT: route-related options modified
Oct 7 17:46:20 box openvpn-vtun10[32747]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Oct 7 17:46:20 box openvpn-vtun10[32747]: OPTIONS IMPORT: peer-id set
Oct 7 17:46:20 box openvpn-vtun10[32747]: OPTIONS IMPORT: adjusting link_mtu to 1656
Oct 7 17:46:20 box openvpn-vtun10[32747]: OPTIONS IMPORT: data channel crypto options modified
Oct 7 17:46:20 box openvpn-vtun10[32747]: Data Channel: using negotiated cipher 'AES-256-GCM'
Oct 7 17:46:20 box openvpn-vtun10[32747]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 7 17:46:20 box openvpn-vtun10[32747]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Oct 7 17:46:20 box openvpn-vtun10[32747]: net_route_v4_best_gw query: dst 0.0.0.0
Oct 7 17:46:20 box openvpn-vtun10[32747]: net_route_v4_best_gw result: via 100.66.128.1 dev eth0
Oct 7 17:46:20 box openvpn-vtun10[32747]: ROUTE_GATEWAY 100.66.128.1/255.255.128.0 IFACE=eth0 HWADDR=2c:f0:5d:d6:b3:ca
Oct 7 17:46:20 box openvpn-vtun10[32747]: TUN/TAP device vtun10 opened
Oct 7 17:46:20 box openvpn-vtun10[32747]: net_iface_mtu_set: mtu 1500 for vtun10
Oct 7 17:46:20 box openvpn-vtun10[32747]: net_iface_up: set vtun10 up
Oct 7 17:46:20 box openvpn-vtun10[32747]: net_addr_v4_add: 10.8.8.2/24 dev vtun10
Oct 7 17:46:20 box openvpn-vtun10[32747]: net_route_v4_add: 144.48.38.21/32 via 100.66.128.1 dev [NULL] table 0 metric -1
Oct 7 17:46:20 box openvpn-vtun10[32747]: net_route_v4_add: 0.0.0.0/1 via 10.8.8.1 dev [NULL] table 0 metric -1
Oct 7 17:46:20 box openvpn-vtun10[32747]: net_route_v4_add: 128.0.0.0/1 via 10.8.8.1 dev [NULL] table 0 metric -1
Oct 7 17:46:20 box openvpn-vtun10[32747]: GID set to openvpn
Oct 7 17:46:20 box openvpn-vtun10[32747]: UID set to openvpn
Oct 7 17:46:20 box openvpn-vtun10[32747]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Oct 7 17:46:20 box openvpn-vtun10[32747]: Initialization Sequence Completed
But that is it… I disable and re-enable the interface, without any more logs.
Any insight would be good.
I believe it is setting up routes which kill off the NAT rules.
Kind Regards
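As an added worked example (not code from the original post, and not VyOS, OpenVPN or Surfshark code): the Python below parses the PUSH_REPLY line from the log above, installs the routes that the pushed `redirect-gateway def1` implies, exactly as the later `net_route_v4_add` lines show OpenVPN doing, and runs a longest-prefix-match lookup to show where traffic egresses before and after the tunnel comes up. The WAN gateway, VPN server address and tunnel subnet are taken from the log; the INTERNAL/DEVICES prefixes and the eth1/eth2 names are assumed placeholders, and the remediation hints attached to the log's warnings are this example's wording, not OpenVPN's.

```python
import ipaddress
import re

# PUSH_REPLY line copied from the log in the post (one long line originally).
PUSH_REPLY_LINE = (
    "Oct 7 17:46:20 box openvpn-vtun10[32747]: PUSH: Received control message: "
    "'PUSH_REPLY,dhcp-option DNS 162.252.172.57,dhcp-option DNS 149.154.159.92,"
    "redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,"
    "block-outside-dns,route-gateway 10.8.8.1,topology subnet,ping 60,"
    "ping-restart 180,ifconfig 10.8.8.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'"
)
VPN_SERVER = ipaddress.ip_address("144.48.38.21")   # 'UDP link remote' line
WAN_GW = ipaddress.ip_address("100.66.128.1")       # ROUTE_GATEWAY line
WAN_IF = "eth0"

# Pre-tunnel kernel table. Default route and WAN prefix come from the
# ROUTE_GATEWAY line (100.66.128.1/255.255.128.0 on eth0); the two LAN prefixes
# and eth1/eth2 are CONSTRUCTED placeholders for the INTERNAL and DEVICES zones,
# which the post does not specify.
BASE_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), WAN_GW, WAN_IF),
    (ipaddress.ip_network("100.66.128.0/17"), None, WAN_IF),
    (ipaddress.ip_network("192.168.10.0/24"), None, "eth1"),   # INTERNAL (assumed)
    (ipaddress.ip_network("192.168.20.0/24"), None, "eth2"),   # DEVICES (assumed)
]


def parse_push_reply(line):
    """Split the server's PUSH_REPLY into its individual pushed options."""
    m = re.search(r"'PUSH_REPLY,(.*)'$", line)
    if not m:
        raise ValueError("not a PUSH_REPLY line")
    return m.group(1).split(",")


def routes_from_push(opts):
    """Turn the routing-relevant pushed options into (prefix, gateway, dev)
    entries, matching the net_route_v4_add lines the log shows OpenVPN adding."""
    gw = next((ipaddress.ip_address(o.split()[1]) for o in opts
               if o.startswith("route-gateway ")), None)
    ifc = next((o.split() for o in opts if o.startswith("ifconfig ")), None)
    routes = []
    if ifc:  # 'ifconfig 10.8.8.2 255.255.255.0' -> connected route on vtun10
        routes.append((ipaddress.ip_network(f"{ifc[1]}/{ifc[2]}", strict=False),
                       None, "vtun10"))
    if "redirect-gateway def1" in opts:
        # def1: leave the old default in place but shadow it with two /1 routes,
        # and pin the VPN server itself to the WAN gateway so the tunnel stays up.
        routes.append((ipaddress.ip_network(f"{VPN_SERVER}/32"), WAN_GW, WAN_IF))
        routes.append((ipaddress.ip_network("0.0.0.0/1"), gw, "vtun10"))
        routes.append((ipaddress.ip_network("128.0.0.0/1"), gw, "vtun10"))
    return routes


def lookup(table, dst):
    """Kernel-style longest-prefix match; returns the egress interface."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[2]


def egress_before_push(dst):
    return lookup(BASE_TABLE, dst)


def egress_after_push(dst, line=PUSH_REPLY_LINE):
    return lookup(BASE_TABLE + routes_from_push(parse_push_reply(line)), dst)


# Warnings present in the posted log, mapped to the OpenVPN option that
# addresses them (hint text is this example's, not OpenVPN's or VyOS's).
WARNING_CHECKS = {
    "No server certificate verification method has been enabled":
        "add --remote-cert-tls server so only a server certificate is accepted",
    "may cache passwords in memory":
        "add --auth-nocache if credentials must not stay in process memory",
    "block-outside-dns":
        "Windows-only pushed option; OpenVPN on Linux logs an error and ignores it",
}


def audit(lines):
    """Return the remediation hints triggered by the given log lines."""
    return [hint for ln in lines for pat, hint in WARNING_CHECKS.items() if pat in ln]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "162.252.172.57", str(VPN_SERVER), "192.168.10.50"):
        print(f"{dst:>16}: before={egress_before_push(dst):6} after={egress_after_push(dst)}")
```

The lookup shows what the two /1 routes do: after `redirect-gateway def1` every destination not covered by a more specific prefix, including the pushed DNS resolvers, hosts in the INTERNAL zone and the router's own sessions, egresses via vtun10, not only the DEVICES host, while the server keeps its /32 via the WAN gateway so the existing LOCAL-OUTSIDE rule still carries the UDP/1194 handshake over eth0. Under zone-based firewalling vtun10 therefore needs to be a member of a zone with policies to and from the other zones, plus a source NAT rule whose outbound interface is vtun10; limiting the tunnel to DEVICES alone is normally done by suppressing the pushed routes with `--route-nopull` and steering that zone's traffic into the tunnel with policy-based routing. `audit()` also flags a warning in the log worth fixing regardless of the routing problem: no server certificate verification method is enabled, which `--remote-cert-tls server` addresses.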