Bizarre open vpn roadwarrior issue

Matthew99 · 2018-03-27 20:06:09 UTC

Hi all

I have run into a truly baffling issue, we run a nethserver openvpn basic roadwarrior setup, all was working swimmingly until just recently i am having trouble connecting to anything on the network like the vpn server for example or our crm system.

we use open vpn client with the standard vpn config file with only the remote ip adjusted.

now when i run the client on my laptop right click connect i log in icon goes green and all looks connected fine but i keep getting really intermittent issues continuous pings run but i can’t connect to the device then pings drop then i can connect to the web interfaces.

i have at least 2 other users who are working fine without problems but have now started to get other people experience the same.

as a sanity check and here is where is gets really weird, i built a new server and put it on an isolated network, so that is new server, new router, new switch, new user new config file,

and guess what same issue, has something changed for road warrior set up?

my ip range is 192.168.30.x/23 subnet 255.255.254.0

client config:

######### NethServer OpenVPN client configuration #########

dev tap
client
remote xxx.xxx.xx.xx
port 1194
float
auth-user-pass

-----BEGIN CERTIFICATE-----
MIIEAjCCAuqgAwIBAgIEWlN90DANBgkqhkiG9w0BAQsFADCBmTETMBEGA1UEAwwK
TmV0aFNlcnZlcjEUMBIGA1UECgwLRXhhbXBsZSBPcmcxEjAQBgNVBAgMCVNvbWVT
dGF0ZTENMAsGA1UECwwETWFpbjEpMCcGCSqGSIb3DQEJARYacm9vdEBsb2NhbGhv
c3QubG9jYWxkb21haW4xCzAJBgNVBAYTAi0tMREwDwYDVQQHDAhIb21ldG93bjAe
Fw0xODAxMDgxNDE4NTZaFw0yODAxMDYxNDE4NTZaMIGZMRMwEQYDVQQDDApOZXRo
U2VydmVyMRQwEgYDVQQKDAtFeGFtcGxlIE9yZzESMBAGA1UECAwJU29tZVN0YXRl
MQ0wCwYDVQQLDARNYWluMSkwJwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9zdC5s
b2NhbGRvbWFpbjELMAkGA1UEBhMCLS0xETAPBgNVBAcMCEhvbWV0b3duMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwWDpjFnuNNJ25siI4EuAPS/5MPvh
BpYSi8lWTAJnz2eZMWEBLC2U1+0DMF4H6XlQxjZWHyf19dhqVXK4akc7OZRD17x5
cwZWfytD1RWnnoXnlwFAmn9DGQLHyTTQqafJtT4oV/x7DNIetaLz8VOaizqfgFLE
f0gObtWftyKYG7ddMXLWhu6B0FUpAd25NNQf/sv4FUpPZtqs52wiWw/IeN/7lz+U
3HgBsJZaw6ziYiLiohcQLRFxbI/XSTxgQii5LBs5JsMKqKaJU7ZAjL5p9OUqUecN
56m2Eni/4Zm9DrsA7cR3JGHLB4HNKqtc/arkFenxuAFnb+Zptyk1nD2vgwIDAQAB
o1AwTjAdBgNVHQ4EFgQUT5na9kIDkYMonc01x7nypsMjM7cwHwYDVR0jBBgwFoAU
T5na9kIDkYMonc01x7nypsMjM7cwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsF
AAOCAQEAed9c4uHA3vKuxuOSkDxTJ+qCkFbqghlx/ORJxv9ysxujZ3Kly5PB16I+
ADTGAz12fNuBfnDHTCbaFKecLtKbF3SDmx+M22ti5pLNV6prM4g/qAu8yI/WZNmz
3Z7g1UCANN93VhcAmBAhsNXyucsuNMboek6AnfPIs9Wnmv3xKbdQfmpkJaHLfr1W
lODt5g9OYcmJsgaP21SWy3QuTdtoA3OgS0ii1+dxL2sIn89rIiO354FRqY0CNaif
dea+al8gennoZ4O9NQa0I8y65IconhJrL8gRzHSO3G8hcrP5xsyUYPuOl2+xirmd
hmfDJT3Upa1rK9kJOV3qWNl2bYWbwQ==
-----END CERTIFICATE-----

comp-lzo
explicit-exit-notify 1
verb 3
persist-key
persist-tun
nobind

Matthew99 · 2018-03-27 20:08:14 UTC

Server config

dev tap0
server-bridge 192.168.30.19 255.255.254.0 192.168.30.101 192.168.30.105
ifconfig-pool-persist host-to-net.pool 0

port 1194
script-security 3
float
multihome
dh /var/lib/nethserver/certs/dh1024.pem
ca /etc/pki/tls/certs/NSRV.crt
cert /etc/pki/tls/certs/NSRV.crt
key /etc/pki/tls/private/NSRV.key
crl-verify /var/lib/nethserver/certs/crl.pem
push "dhcp-option DOMAIN localdomain"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option WINS 8.8.8.8"
push "dhcp-option NBDD 8.8.8.8"
push "dhcp-option NBT 2"

# Authentication: password
auth-user-pass-verify /usr/libexec/nethserver/openvpn-pam-auth via-env
client-cert-not-required
username-as-common-name

status /var/log/openvpn/host-to-net-status.log
log-append /var/log/openvpn/openvpn.log
comp-lzo
keepalive 20 120
client-config-dir ccd
persist-key
persist-tun
management /var/spool/openvpn/host-to-net unix
verb 3

I’m out of ideas

saitobenkei · 2018-03-28 06:11:51 UTC

Do you using same user/password for every Roadwarrior client?
I had issues like yours (with a very old Nethsercurity 1.5.x products) when some users connected at the same time utilizing same credentials.

Matthew99 · 2018-03-28 06:50:02 UTC

Hi Saito

Every user has a separate username and password. It’s very strange

pike · 2018-03-28 22:58:32 UTC

Why TAP?

AFAICR NethServer from 6.5 used TUN setup for OpenVPN…

Matthew99 · 2018-03-29 05:53:23 UTC

Hi Michael

Tbh no preference on my part. This is the set up I inherited.

You think I should change this? Happy to look at that. Just throwing me
slightly that it has been working fine up until now and weirder still is I
still have people working with thus set up without issues.

Has anything changed on nethserver recently that makes thus set up
redundant currently running on v6.8

I moved to a 6.9 build and same issue just finishing off 7.4 build this
morning will test an confirm.

How would I change to run set up what are the advantages of this over tap?
Will go over the documentation of course just interested from someone that
has experience.

pike · 2018-03-29 09:39:52 UTC

I used TAP into a different linux network appliance.
It was “fast and fun”, because in 2-3 steps i was member of the green network, laying on a bridge. It was easier, because i could access to resources on GREEN without routing problems,internet access issues, routing thinking of what i were looking for. But if TAP segment has the same subnetting of the network i am member (192.168.1.0, for instance, and this is the same subnet of the network used by the VPN client) it can not work.

TUN has quite more headaches, but a bit more of control about network access, firewalling (even user-based rules) and also can achieve hub-and-spoke architecture, therefore you can access from your OpenVPN connection to IPSEC/OpenVPN/DMZ/BLUE network resources.

At the end of the line, i think you should take a chance to try and verify if the TUN setup could solve the issue you are experiencing.
Also: do not forget that NAT could help you to ground to zero the network addressing issue.

Matthew99 · 2018-03-29 14:35:43 UTC

ok will give tun a shot.

so steps to take keep network adapter as green but not bridged

choose routed option in roadwarrior mode.

for network settings what would i put in network box if my ip range is 192.168.30.x/23 (vpn server is 192.168.30.19) woud it look like this

the port is already forwarded to on firewall to vpn server

any other steps i need to take?

pike · 2018-03-29 18:31:35 UTC

Is 192.168.30.0/23 the same subnet of GREEN network interface?
If the answer is yes, you are playing it wrong, IMHO

Matthew99 · 2018-03-31 07:30:10 UTC

Yes it is same subnet as green. Am I supposed to choose a random on ie 10.0.1.0? Does it matter what I choose?

mrmarkuz · 2018-03-31 07:46:01 UTC

Hi @Matthew99,

@pike is right, you have to choose a different network, 10.0.1.0 should be ok. I have just another 192.168.x.0 network for instance. I recommend to use a network you usually don’t use to avoid problems like having same networks on local/remote and vpn side.

Matthew99 · 2018-04-03 09:08:27 UTC

ok so i’m back at the test machine, so the server that was running vpn was running bridged Tap setup only 1 network card

can i run tun routed on the same box with 1 card?

pike · 2018-04-03 14:34:58 UTC

It does. You should not use subnets which could be used by the OpenVPN Clients.

Matthew99 · 2018-04-03 14:51:04 UTC

Thanks Michael the current server has 1 nic is that ok

pike · 2018-04-03 15:35:33 UTC

I don’t know, never tried that setup.
TUN/TAP adapter is a virtual adapter, therefore it should work, but i have no direct experience about that.

Matthew99 · 2018-04-04 12:34:37 UTC

Hey Markus

Could you assist me with advice on your set up.

I think I am maybe missing something fundamental in the interface config.

How many nics are required for this setup?

Do I need red interface setup?

I see loads of documentation but no step by step config for that bit

mrmarkuz · 2018-04-04 12:50:49 UTC

I have two NICs red and green.

It works with only green network too but you have to port forward the right port (default UDP/1194) to your internal VPN server.

I found this:

https://wiki.nethserver.org/doku.php?id=howto:howto_set_up_a_vpn

My config but I plan to use passwords too in future…

Matthew99 · 2018-04-04 13:48:01 UTC

Thanks for the info Markus

Ok so I have my green interface set up with static 192.168.30.19/23 sub
255.255.254.0 gateway 192.168.30.1

Under Roadwarrior I have username and password checked and route 10.0.1.0

I run the client and icon goes green it says connected with ip 10.0.1.1 but
doesn’t let me connect to any devices on network,

I’m guessing its because I now have ip of 10.0.1.1

What am I missing? Am I supposed to add a route somewhere? Or should that
be working at this point.

mrmarkuz · 2018-04-04 13:57:37 UTC

It should work at this point, NethServer does the routing. I actually use an Android openvpn client, which client do you use? Maybe I can reproduce the problem…

How did you setup your client? Easiest way is to download the config and import it in the client.

Matthew99 · 2018-04-04 14:02:46 UTC

ok i’m re building new netserver just for Sanity.

i use the openvpn client v 2.4 https://openvpn.net/index.php/open-source/downloads.html on Windows Laptop and download the .vpn file and place in config folder.