OpenVPN Tunnel not working

pnemenz · July 15, 2017, 5:05pm

NethServer Version: 7.3.1611
Module: openVPN tunnel

I have 2 sites I need to connect. I use openVPN tunnel on one side the Server, on the other side the Client.
should everyone on the server side also see everything on the client side or do I need to configure on both sides a openVPN tunnel Server and Client?

do I need to open anything on the firewall?

Thank you for your help
Peter

giacomo · July 16, 2017, 7:04am

Yes, every client should be able to see any other client.
The firewall is automatically configured to allow the traffic.

pnemenz · July 16, 2017, 7:45am

well, then its not working

on my local site I use 192.168.178.0/24 network,remote is 192.168.0.0/24
on the local Nethserver:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.3     0.0.0.0         UG    0      0        0 ens34
10.150.206.0    0.0.0.0         255.255.255.0   U     0      0        0 tunschwimu
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 ens34
169.254.0.0     0.0.0.0         255.255.0.0     U     1006   0        0 br0
192.168.0.0     10.150.206.2    255.255.255.0   UG    0      0        0 tunschwimu
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ens34
192.168.177.0   192.168.177.2   255.255.255.0   UG    0      0        0 tunrw
192.168.177.2   0.0.0.0         255.255.255.255 UH    0      0        0 tunrw
192.168.178.0   0.0.0.0         255.255.255.0   U     0      0        0 br0

the Network 192.168.177.0/24 is used for openVPN Roadwarrior
on the OpenVPN tunnel page under Server the State is green
I cant ping any host, not even the Nethserver on the remote site.

on the Remote Site:
# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eno1 10.150.206.0 0.0.0.0 255.255.255.0 U 0 0 0 tuncschwimu 169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eno1 169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eno2 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eno2 192.168.2.0 192.168.2.2 255.255.255.0 UG 0 0 0 tunrw 192.168.2.2 0.0.0.0 255.255.255.255 UH 0 0 0 tunrw 192.168.178.0 10.150.206.1 255.255.255.0 UG 0 0 0 tuncschwimu

When I connect to the Remote Site with roadwarrior then I cann “see” the hosts on my local net.

EDIT: I can see only from the Nethserver everything on my local net, with my Laptop connected via Roadwarrior I can’t.

pnemenz · July 19, 2017, 1:00pm

has anyone an idea what could be wrong?

filippo_carletti · July 19, 2017, 2:27pm

Look in /etc/openvpn/ccd/<vpn_name>. If you find route <lan> <netmask> change route to iroute (add an i at the beginning).
Then restart the vpn and let us know if it fixes.

pnemenz · July 19, 2017, 9:50pm

I found route and changed it to iroute.

did’nt change anything

EDIT:
after a reboot it works.
Thank you for your great help

filippo_carletti · July 20, 2017, 8:40am

Thank you for the feedback.
Please, could you post your vpn configuration?
Either a screenshot of the web UI or the output of the command db vpn show (erase your psk).

pnemenz · July 21, 2017, 5:25am

still not working as expected
from my laptop I cannot accsess the other net. as soon as I’m at the other location I’ll try the other way.

Thomas_Spalovsky · July 24, 2017, 5:57pm

Hi!
I’m new here (sorry about my English). I have the same problem. Anyone with a solution?

giacomo · July 25, 2017, 8:23am

I just released a testing rpm, see: https://github.com/NethServer/nethserver-openvpn/pull/22

Try to install the update:

yum --enablerepo=nethserver-testing update nethserver-openvpn

Then access the web interface and try to make a change, then click the submit button.

@Thomas_Spalovsky @pnemenz could you check if the update works?

pnemenz · July 25, 2017, 9:17am

did not change anything for me.
now I have a red exclamation on the openVPN tunnels page

btw. I did the update on both nethserver installations.

in wich log could I see whats wrong?

Peter

giacomo · July 25, 2017, 9:34am

Please check the content of /etc/openvpn/ccd/ files.

Logs are available here:

pnemenz · July 25, 2017, 12:10pm

in /etc/openvpn/ccd/ there is a tunnel file with content iroute and then the correct network and mask

I find in the logs of the client:

TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:58482 (via [AF_INET]192.168.0.3%eno1), sid=a8e4cdf9 4f0db9d7
VERIFY ERROR: depth=0, error=certificate revoked: C=–, ST=SomeState, L=XXX, O=xxxx, OU=xxxx, CN=xxxx, emailAddress=xx@xxx.xx.xx
OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
BIO read tls_read_plaintext error
XXX.XXX.XXX.XXX:58482 TLS Error: TLS object → incoming plaintext read error
TLS handshake failed
XXX.XXX.XXX.XXX:58482 SIGUSR1[soft,tls-error] received, client-instance restarting

I don’t see anything on the server side.

giacomo · July 25, 2017, 12:30pm

You’re client is using a revoked certificate.
It could happen if the other end point is a NethServer and you changed the certificate values.
In this case, download again the certificate and copy it to the client.

pnemenz · July 25, 2017, 12:40pm

I already did this.twice

pnemenz · July 25, 2017, 2:38pm

after I deleted the tunnel and made a new one,opend the port on the router it seems like the tunnel is now working from one net to the other.

what NOT is working right now:
If I am connected to either of the nethserver via roadworrier, I see only the net behind the nethserver I’m connected to. What do I have to do to see the other net?

Peter

giacomo · July 26, 2017, 7:10am

If you want to reach another VPN network behind your firewall, you need to manually add a route to your client.