OpenVPN in LXC container - no connection possible

Blueside

Mar 17, 2022
Hey friends of Proxmox,

I am trying to get OpenVPN running in a lxc container. I followed this guide: https://pve.proxmox.com/wiki/OpenVPN_in_LXC

My problem is that I can't establish a connection to the VPN server. I'm trying to connect from my iPhone via cellular. The error I receive on the phone is: "Server poll timeout, trying next remote entry".

My setup is as follows:
- Proxmox 7.1-10 (Kernel 5.13.19-5-pve, IP 10.10.0.70) on an Intel NUC behind a UniFi UDM-Pro
- LXC container with Ubuntu 21.10
- DynDNS URL mapped to my public IP (doublechecked the IP address)
- forwarded external UDP port 1194 to the IP of the VM (IP 10.10.0.76) on the UniFi UDM-Pro (IP 10.10.0.90)

- the container has full internet access and DNS resolution is working (ping google.com works)

When I run "tcpdump udp port 1194" in the container and try to establish an OpenVPN connection with my phone, I don't get any output. So I assume there is a configuration problem on the Proxmox host system so that the forwarded traffic does not reach the container?

(Before trying OpenVPN I tried WireGuard in an LXC container (tried Ubuntu and Debian) and had nearly the same result: "handshake did not complete".)

Hope someone has a good idea on this issue.

Best regards,
Lucas
 
hi,

When I run "tcpdump udp port 1194" in the container and try to establish an OpenVPN connection with my phone, I don't get any output. So I assume there is a configuration problem on the Proxmox host system so that the forwarded traffic does not reach the container?
that sounds like you might have an error in your port forwarding configuration, or maybe you forgot to enable IP forwarding?

can you connect to your VPN over the local network IP of your container? (you could adapt the IP address in the VPN config and try that)
if it works like that, then i'd re-check the networking..

which device is the gateway of your container? (10.10.0.90)
 
hi oguz,

thank you for your help. The gateway of the container is the UDM-Pro (10.10.0.90).
I tried to connect over the local network but this results in the same error. At least the container responds on ping over the local network.

Best regards,
Lucas
 
The gateway of the container is the UDM-Pro (10.10.0.90).
okay
I tried to connect over the local network but this results in the same error.
have you edited the ovpn config file to use the container IP?

please check the output of ss -antlpu inside your container and make sure the VPN service is running.
 
The result of "ss -antlpu" is:
Bash:
root@vpn:~# ss -antlpu
Netid  State   Recv-Q  Send-Q    Local Address:Port     Peer Address:Port  Process                                   
udp    UNCONN  0       0            10.10.0.76:1194          0.0.0.0:*      users:(("openvpn",pid=128,fd=6))         
udp    UNCONN  0       0         127.0.0.53%lo:53            0.0.0.0:*      users:(("systemd-resolve",pid=92,fd=13)) 
tcp    LISTEN  0       4096      127.0.0.53%lo:53            0.0.0.0:*      users:(("systemd-resolve",pid=92,fd=14)) 
tcp    LISTEN  0       100           127.0.0.1:25            0.0.0.0:*      users:(("master",pid=276,fd=13))         
tcp    LISTEN  0       4096                  *:22                  *:*      users:(("systemd",pid=1,fd=40))           
tcp    LISTEN  0       100               [::1]:25               [::]:*      users:(("master",pid=276,fd=14))

and the server.conf local IP is matching the container:

Code:
local 10.10.0.76
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify crl.pem
explicit-exit-notify

also the service looks like in the documentation:

Bash:
root@vpn:~# systemctl | grep openvpn
  openvpn-iptables.service             loaded active exited    openvpn-iptables.service
  openvpn-server@server.service        loaded active running   OpenVPN service for server
  openvpn.service                      loaded active exited    OpenVPN service
  system-openvpn\x2dserver.slice       loaded active active    system-openvpn\x2dserver.slice
 
hi,

I already did this to test the local connection. My client config file for the local connection looks like this (normally the "remote" parameter represents my public dyndns url):

Code:
client
dev tun
proto udp
remote 10.10.0.76 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA512
cipher AES-256-CBC
ignore-unknown-option block-outside-dns
block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----
removed
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
removed
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
removed
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
removed
-----END OpenVPN Static key V1-----
</tls-crypt>
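As an added example (not part of this thread, and not OpenVPN's own tooling), a small Python checker that parses a server.conf and a client .ovpn like the two posted above and reports the mismatches that would leave the client with nothing but a "server poll timeout". The sample configs inside are constructed from the thread with the key material stripped; the option names and the option-to-argument layout are OpenVPN's, the checker itself is mine.

```python
import re
# Constructed samples modelled on the configs in this thread (key material stripped).
SERVER_CONF = """local 10.10.0.76
port 1194
proto udp
tls-crypt tc.key
auth SHA512
cipher AES-256-CBC
"""
CLIENT_OVPN = """proto udp
remote 10.10.0.76 1194
auth SHA512
cipher AES-256-CBC
<tls-crypt>
removed
</tls-crypt>
"""

def parse_ovpn(text):
    """Map each option to its argument lists; inline <tag> blocks become [["<inline>"]]."""
    opts, block = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if block:                                        # inside an inline body
            block = None if line == f"</{block}>" else block
        elif not line or line[0] in "#;":
            continue
        elif (m := re.fullmatch(r"<([\w-]+)>", line)):  # opening inline tag
            block = m.group(1)
            opts.setdefault(block, []).append(["<inline>"])
        else:
            key, *args = line.split()
            opts.setdefault(key, []).append(args)
    return opts

def first(opts, key, default): return opts.get(key, [default])[0]

def cross_check(server, client):
    """Return mismatches that make the server drop the handshake silently."""
    out = []
    for key in ("proto", "cipher", "auth"):
        s, c = first(server, key, ["?"])[0], first(client, key, ["?"])[0]
        if s != c:
            out.append(f"{key} mismatch: server {s} vs client {c}")
    host = first(client, "remote", ["?"])[0]
    local = first(server, "local", None)
    if local and re.fullmatch(r"\d+(\.\d+){3}", host) and host != local[0]:
        out.append(f"server bound to {local[0]} only, client remote is {host}")
    if ("tls-crypt" in server) != ("tls-crypt" in client):
        out.append("tls-crypt present on one side only")
    return out
```

A DynDNS hostname in `remote` is left alone by the `local` check, so the same script works for the public and the LAN-test variant of the client file.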
 
how's your PVE network configured? can you post /etc/network/interfaces?

So I assume there is a configuration Problem on the Proxmox host system so that the forwarded traffic does not reach the container?
could it be that you need to enable IP forwarding? echo 1 > /proc/sys/net/ipv4/ip_forward
though i'm not sure since you don't have a masquerading setup but instead use the same gateway for the container...


but if it's not working on the local network either then i'm at a loss...

* have you tested only with your phone (client)?

* any firewalls in between that could be interfering?

as another sanity check you could try running a netcat on your container: nc -lnvp 1234 and then try accessing that port over the local network to see if you receive the connection there.
 
Thank you, now I can get a local and a remote connection :D
I think it is because of enabling IP forwarding echo 1 > /proc/sys/net/ipv4/ip_forward (but not sure)
But as this setting is not persistent, I made it persist through the network config (see at the bottom)

But there is still a small problem. I can't connect to a local device nor to any website using the tunnel. So I think there is still a kind of routing issue.

My PVE Network config is this:
Code:
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
        address  10.10.0.70
        netmask  255.255.255.0
        gateway  10.10.0.90
        bridge_ports eno1
        bridge_stp off
        bridge_fd 0
        bridge_vlan_aware yes
        post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
 
But there is still a small problem. I can't connect to a local device nor to any website using the tunnel.
can you ping public IP addresses like 1.1.1.1 while connected to the VPN server? if yes then probably you can't reach websites because of DNS? (you have a block-outside-dns in your config file)

for local devices you'd have to either add a static route for all your local devices (located on the openvpn server's network), or use the bridging mode of openvpn instead of routing [0]

[0]: https://www.grc.com/vpn/routing.htm
 
mhhh, there is still something weird. I can't ping public IP addresses, so DNS seems not to be the problem (with and without block-outside-dns in the client config file). And also by adding a route to the local subnet with push "route 10.10.0.0 255.255.255.0" I can't access local machines.
 