Simplimus
(my usual self)
March 9, 2017, 12:20pm
10
Excuse me, I am obviously incompetent. When I am logged into the NS via ssh as root, of course I can ping everything. From my outside PC I still can not. No router, no Google, only the nethserver at home.
I am not using squid and there are no such log files listed in the server manager.
ssabbath
(Walter Ferry Dissmann)
March 9, 2017, 1:03pm
11
Your gateway must be wrong in the client configurations. That is really awkward.
Simplimus
(my usual self)
March 9, 2017, 1:04pm
12
I use a Fritzbox, which should be a name to anyone in Germany.
Tell me what to look for, please.
I’m sorry, but I can’t figure out your problem.
I connect via openvpn in the evening when I’m at home, I never had problems.
Could you please send me the output of config show openvpn@host-to-net so that I can reproduce your setup?
Thank you.
Hi, I think you should try this scenario for checking connectivity:
- check routes on the VPN client PC and on the NethServer:
route
- check if DNS works:
ping 188.226.251.154 (what response?)
ping nethserver.org (what response?)
- check where the ping goes:
mtr nethserver.org
mtr 188.226.251.154
- check that sysctl net.ipv4.ip_forward gives you "1"
Maybe the solution is bridged instead of routed mode on the NethServer if you have only one NIC, but I didn't check that.
But it seems the problem is similar to my problem from my forgotten post:
Hi, as in the topic, I have a problem with ping/connect to a host from the NethServer over SSL VPN. When I:
ping remote_host_address through tunnel ppp0 with inet_ppp_address
I'm getting:
OUTPUT:REJECT:IN= OUT=ppp0 src=inet_ppp_address dst=remote_host_address
in firewall.log
I’ve added a firewall rule in GUI:
ACCEPT fw -> remote_host_address
but that rule appears in the fw2net chain, which is not included in the OUTPUT chain, so I think that's why pings are blocked. Any advice how allow pings/ftp/telnet to remote h…
diagnose: GUI is not creating rules properly or I miss something, any help very appreciated.
Try to post output from:
shorewall show (the ovpn2net chain and related)
Bug found, thank you for your help.
You can fix it now, I will release an update tomorrow.
Run:
cp -p /etc/e-smith/templates/etc/openvpn/host-to-net.conf/00template_vars /etc/e-smith/templates/etc/shorewall/policy/
expand-template /etc/shorewall/policy
shorewall restart
1 Like
Simplimus
(my usual self)
March 10, 2017, 7:12am
17
I don’t think I quite understood. But I will try anyway.
I did the following:
1. ran update through nethserver server manager (6 items, no shorewall included)
2. openvpn and ssh into nethserver
3. cp -p /etc/e-smith/templates/etc/openvpn/host-to-net.conf/00template_vars /etc/e-smith/templates/etc/shorewall/policy/
4. expand-template /etc/shorewall/policy
5. shorewall restart
6. disconnect from vpn
7. reconnect to vpn
8. ping google from client
Result: 0% of success.
Steps 6-8 were not necessary, you should have had it working after shorewall restart without disconnecting.
Now I’m completely lost. Could you please post /etc/shorewall/policy?
Simplimus
(my usual self)
March 10, 2017, 7:35am
21
Chain ovpn2net (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1580 101K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* RULE#2 */
Everything seems in order.
Can you show the output of traceroute/tracert to 8.8.8.8?
Simplimus
(my usual self)
March 10, 2017, 9:08am
23
Did it. Results as expected. Sorry, it’s in German, but you will get the gist.
Would it be possible to let me connect to your server and test the vpn?
Simplimus
(my usual self)
March 10, 2017, 9:37am
25
Definitely. I did PM you.
Simplimus
(my usual self)
March 13, 2017, 11:32am
26
@JOduMonT What is your status on this?
The problem is that the system has only a green interface. OpenVPN needs a green+red two interfaces system to masquerade traffic going to the internet.
We could probably add masq for the openvpn network, but I’m not sure it could be automated.
1 Like
@Simplimus Do you agree? Could you solve that topic?
Simplimus
(my usual self)
March 14, 2017, 3:12pm
29
I added the necessary iptables config line. Checking again if it exists. Then restarting shorewall.
[root@nessie ~]# tail -1 /etc/shorewall/started
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
[root@nessie ~]# shorewall restart
Then reconnecting to the VPN but no success. Still no route out of the server.
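As an added diagnostic (my own script, not code from this thread or from NethServer), the following checks offline, from captured `sysctl`, `ip route` and `iptables -t nat -S POSTROUTING` output, the three conditions raised above: forwarding enabled, a default route on the green interface, and a MASQUERADE rule for the tunnel network leaving that interface. All sample outputs are constructed; the 10.0.0.0/24 network and eth0 are the values from this thread.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or NethServer: decide from captured
# server state whether host-to-net tunnel traffic can leave via the default route.

VPN_NET="10.0.0.0/24"   # tunnel network used in the thread

# Print the interface carrying the default route, given `ip route` output in $1.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Succeed if `iptables -t nat -S POSTROUTING` output ($1) masquerades $2 out of $3.
has_masq_rule() {
    printf '%s\n' "$1" | awk -v net="$2" -v dev="$3" '
        $1 == "-A" && $2 == "POSTROUTING" {
            s = ""; o = ""; j = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") s = $(i + 1)
                if ($i == "-o") o = $(i + 1)
                if ($i == "-j") j = $(i + 1)
            }
            if (s == net && o == dev && j == "MASQUERADE") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# $1 = value of net.ipv4.ip_forward, $2 = `ip route` output,
# $3 = nat POSTROUTING rules. Prints OK or the first missing prerequisite.
vpn_egress_status() {
    [ "$1" = "1" ] || { echo "FORWARDING_DISABLED"; return 0; }
    dev=$(default_iface "$2")
    [ -n "$dev" ] || { echo "NO_DEFAULT_ROUTE"; return 0; }
    has_masq_rule "$3" "$VPN_NET" "$dev" || { echo "NO_MASQ_FOR_${VPN_NET}_VIA_${dev}"; return 0; }
    echo "OK"
}

# Constructed samples: single green NIC (eth0), with and without the masq rule.
ROUTES="default via 192.168.1.1 dev eth0
10.0.0.0/24 via 10.0.0.2 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10"
NAT_MISSING="-P POSTROUTING ACCEPT"
NAT_OK="-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE"

vpn_egress_status 1 "$ROUTES" "$NAT_MISSING"   # NO_MASQ_FOR_10.0.0.0/24_VIA_eth0
vpn_egress_status 1 "$ROUTES" "$NAT_OK"        # OK
```

On a live box, feed it `sysctl -n net.ipv4.ip_forward`, `ip route` and `iptables -t nat -S POSTROUTING`; a rule appended to /etc/shorewall/started shows up in that nat listing only after shorewall has actually restarted.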
Simplimus
(my usual self)
March 14, 2017, 3:16pm
30
I checked to see if the routes are added in /etc/openvpn/host-to-net.conf.
push "dhcp-option DOMAIN example.org"
push "dhcp-option DNS 10.0.0.1"
push "dhcp-option WINS 10.0.0.1"
push "dhcp-option NBDD 10.0.0.1"
push "dhcp-option NBT 2"
push "route 192.168.1.0 255.255.255.0"
It is there. Dead end, too.
(of course it does not say example.org)
How do I tell which config is active?
I agree that it must have something to do with the single NIC. However, that is the classic case with running an openvpn on a RasPi. It is possible.