[TriLUG] Linode question
Joseph Mack NA3T via TriLUG
trilug at trilug.org
Wed Jul 12 13:07:46 EDT 2017
On Mon, 10 Jul 2017, Matt Flyer via TriLUG wrote:
> Sorry to hear you're having such a negative experience with Amazon.
It was a nightmare.
Thanks to Scott Schulz for off-list assurance that I'd have a sane machine on
Linode and for your pointers here.
Linode worked in relatively short time, thanks to having access to the output of
iptables and being able to see my real ip with ifconfig (rather than just the
local private 172.26.x.x address) and `route -n`.
My initial install of openvpn on linode had the same problem as the install on
lightsail; there were no errors in the openvpn logs, I could connect to the tun0
ip on the server (10.8.0.1), but I couldn't route to the internet through the
openvpn server. My home setup of openvpn was routing just fine with the same
config files. This was a little disconcerting, since I'd assumed that my problem
was associated with lightsail.
After a bit of headscratching and reading the docs I realised that the server
needs iptables rules to nat out the 10.8.0.1 tun0 IP on the server and to
forward packets through the server machine.
These iptables rules are not part of the openvpn install. However years ago, at
home, I'd written the required rules into my firewall and had forgotten they
even existed.
A look at the output of
iptables -L -n
and
iptables -L -t nat
on my home server showed a bunch of rules for 10.8.x.x all of which were absent
on the linode machine.
Fortunately linode has a nice write up of what to do here (lightsail doesn't)
https://www.linode.com/docs/networking/vpn/tunnel-your-internet-traffic-through-an-openvpn-server
and within minutes the linode openvpn server was routing packets to the
internet.
Joy and happiness!
Presumably I could have written equivalent rules on the lightsail machine, but
working there was so painful, I wouldn't want to do it.
By comparison, the Linode machine looked like a normal machine sitting under
your desk.
A note on testing at home: openvpnd runs on my router. Machines at home use the
ip on the inside of my router (192.168.2.254) as the default gw. Openvpn clients
at home use the IP on the outside of the router (50.x.x.x) as the default gw, i.e.
the same box is the default gw for both methods of operation. Possibly packets
aren't really going through openvpnd at all, but are just leaking through
somehow (you can check with traceroute; packets going over openvpn go through
10.8.0.1). I need to be able to test that openvpn will correctly route an
openvpn packet coming from the outside, not just the inside of the router. So I
have to take my openvpn client (laptop) outside the house. For the initial
install 5yrs ago, I did this at a TriLUG meeting. Now I have a cellphone with a
personal hotspot, which can connect my openvpn client (laptop) to the internet
without using my home router as the default gw. I used this setup to test that
my home openvpnd could route openvpn packets coming from the outside (these
packets started from my laptop at home).
Thanks everyone for your help.
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) austintek (dot) com - azimuthal equidistant
map generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
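The rules Joe found on his home router but missing on the Linode box, as an added example that is not from his message or the Linode guide: a sh script that prints the NAT and forwarding rules to apply and checks `iptables -S` output for them. The names tun0, eth0 and 10.8.0.0/24, and the conntrack return-path rule, are assumptions (10.8.0.1 is the tun0 address Joe quotes).

```shell
# Added example, not from Joe's message or the Linode guide: the NAT and
# forwarding rules an OpenVPN server needs so tun0 clients reach the internet,
# plus a check that reads `iptables -S` output and counts which are absent.
# Assumed names: VPN subnet 10.8.0.0/24 on tun0, public interface eth0.
VPN_NET="${VPN_NET:-10.8.0.0/24}"; VPN_IF="${VPN_IF:-tun0}"; WAN_IF="${WAN_IF:-eth0}"

# The rules, spelled the way `iptables -S` prints them (-s before -i/-o), so the
# check below can look for them verbatim.
required_rules() {
    printf '%s\n' \
        "-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE" \
        "-A FORWARD -s $VPN_NET -i $VPN_IF -o $WAN_IF -j ACCEPT" \
        "-A FORWARD -i $WAN_IF -o $VPN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Print the commands that install them (review, then run as root). Kernel
# forwarding must be on too, or the FORWARD chain is never consulted.
apply_commands() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    required_rules | while IFS= read -r rule; do
        case "$rule" in
            "-A POSTROUTING"*) echo "iptables -t nat $rule" ;;
            *)                 echo "iptables $rule" ;;
        esac
    done
}

# Read `iptables -S FORWARD; iptables -t nat -S POSTROUTING` output on stdin;
# print how many required rules are missing (each one is named on stderr).
count_missing() {
    have=$(cat); n=0; saved_ifs=$IFS
    IFS='
'
    for rule in $(required_rules); do
        case "$have" in
            *"$rule"*) ;;
            *) echo "missing: $rule" >&2; n=$((n + 1)) ;;
        esac
    done
    IFS=$saved_ifs; echo "$n"
}

# Constructed samples: default policies only (the box before the fix) and after.
SAMPLE_BARE='-P FORWARD ACCEPT
-P POSTROUTING ACCEPT'
SAMPLE_FIXED='-P FORWARD ACCEPT
-A FORWARD -s 10.8.0.0/24 -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
printf '%s\n' "$SAMPLE_BARE"  | count_missing    # prints 3
printf '%s\n' "$SAMPLE_FIXED" | count_missing    # prints 0
```

On a live server, run `{ iptables -S FORWARD; iptables -t nat -S POSTROUTING; } | count_missing` (as root) to see which of the three rules are still absent.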