This HowTo document describes how to add a Linux OS to rsp.mbCONNECT24 as a VPN client. This lets you connect a Linux device, as a VPN client, through a secure VPN tunnel worldwide.
1. First, log in to your account at the rsp.mbCONNECT24 portal through mbDIALUP.
2. Add a new device with the symbol in the rsp.mbCONNECT24 portal. “VPN-CLIENT” must be chosen as the “Device Type”:
3. Compare the LAN IP address of this VPN-client configuration with the IP address of your Linux device. They must be the same. With the symbol you can edit the LAN settings:
4. Download and save the configuration file of this device to the PC by clicking on the symbol:
5. Unzip the file “mbCONNECT24.zip”. You now have the file “vpnclient.ovpn” and the folder “private”, which contains the file “user_passw.auth”.
6. Copy the file “vpnclient.ovpn” and the folder “private”, which contains the file “user_passw.auth”, to the configuration folder of OpenVPN. In this example, the configuration folder is “/etc/openvpn/client”.
If you want to route to uplink networks, like the LAN, you need to enable routing on your Linux system.
Troubleshooting:
The best-known issue involves the routing table. In our example, the VPN client has the VPN IP 10.0.240.10. In an rsp.mbCONNECT24 Standard Account, the server IP would then be 10.0.240.1. All traffic between mbDIALUP and the VPN client has to be routed through the server IP (here 10.0.240.1).
If you see an error like this in your log:
openvpn[29108]: TUN/TAP TX queue length set to 100
openvpn[29108]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
openvpn[29108]: /sbin/ip link set dev tap10 up mtu 1500
openvpn[29108]: /sbin/ip addr add dev tap10 10.0.240.9/24 broadcast 10.0.240.255
openvpn[29108]: /sbin/ip route add 10.0.240.0/24 via 10.0.240.1
openvpn[29108]: ERROR: Linux route add command failed: external program exited with error status: 2
openvpn[29108]: /sbin/ip route add 10.0.1.1/32 via 10.0.240.1
it means that adding the routes to the Linux routing table was not successful. This is related to the kernel version etc.
To solve this, use the "route-up" option of OpenVPN together with "route-noexec". Put the attached route-up script on your Linux system and reference it in your VPN config file like this:
"...
route-noexec
route-up /etc/openvpn/client/route_up.sh
..."
When the client is connected, your routing table must look like this:
10.0.1.1 10.0.240.1 255.255.255.255 UGH 0 0 0 tap10
10.0.240.0 10.0.240.1 255.255.255.0 UG 0 0 0 tap10
10.0.240.1 0.0.0.0 255.255.255.255 UH 0 0 0 tap10
and NOT like this:
10.0.1.1 10.0.240.1 255.255.255.255 UGH 0 0 0 tap10
10.0.240.0 0.0.0.0 255.255.255.0 U 0 0 0 tap10
10.0.240.1 0.0.0.0 255.255.255.255 UH 0 0 0 tap10
This basically means the VPN network (in my case 10.0.240.0/24) must be routed to gateway 10.0.240.1 instead of 0.0.0.0 on interface tap10.
The approach is to go from:
10.0.240.0 0.0.0.0 255.255.255.0 U 0 0 0 tap10
to
10.0.240.0 10.0.240.1 255.255.255.0 UG 0 0 0 tap10
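The attached route-up script is not reproduced on this page. The following is an added sketch of such a hook, not the vendor's script: it reads the environment variables OpenVPN exports to route-up scripts and installs the routes with `ip route replace`, on the assumption that the failing `ip route add` collides with a route that already exists for the same prefix. The function names and the `run` dry-run switch are hypothetical.

```shell
#!/bin/sh
# Added example, not the vendor's attached script. Intended for:
#   route-noexec
#   route-up /etc/openvpn/client/route_up.sh
# OpenVPN exports dev, route_vpn_gateway and the numbered
# route_network_N / route_netmask_N / route_gateway_N variables.

run=${run-echo}   # dry run by default: print the commands instead of running them

# Convert a dotted netmask (255.255.255.0) to a prefix length (24)
# by counting the set bits of each octet.
mask2prefix() {
    bits=0
    oldifs=$IFS; IFS=.
    for octet in $1; do
        while [ "$octet" -gt 0 ]; do
            bits=$((bits + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    IFS=$oldifs
    echo "$bits"
}

# Install every pushed route with "replace", so a route that already
# exists for the same prefix is overwritten instead of making "add" fail.
apply_routes() {
    [ -n "${dev:-}" ] && [ -n "${route_vpn_gateway:-}" ] || return 1
    # Host route to the VPN server (the "UH" line in the expected table).
    $run ip route replace "$route_vpn_gateway/32" dev "$dev" || return 1
    i=1
    while :; do
        eval "net=\${route_network_$i:-} mask=\${route_netmask_$i:-} gw=\${route_gateway_$i:-}"
        [ -n "$net" ] || break
        prefix=$(mask2prefix "${mask:-255.255.255.255}")
        $run ip route replace "$net/$prefix" via "${gw:-$route_vpn_gateway}" dev "$dev" || return 1
        i=$((i + 1))
    done
}

# OpenVPN sets script_type=route-up when it calls this hook; only then
# are the commands really executed.
if [ "${script_type:-}" = "route-up" ]; then
    run=''
    apply_routes
fi
```

Run by hand with the variables set, the script only prints the `ip` commands it would issue, which allows checking them against the expected routing table before deploying. OpenVPN only runs user-defined scripts when `script-security` is set to 2 or higher in the config file.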
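If you are using OpenVPN >= 2.4.5, add the line tls-cipher "DEFAULT:@SECLEVEL=0" to your config file. @SECLEVEL=0 sets the OpenSSL security level to 0, which switches off the minimum-strength checks OpenSSL otherwise applies to ciphers, keys and certificate signatures.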
Type: HowTo | Revision: EN-mbconnect24-03-V1.2 | Date: 22.10.2019