Creating OpenVPN roadwarrior leads to inaccessible server - one nic [Solved]

NethServer Version: 7.6.1810
Module: nethserver-openvpn

Hi there,

after successfully getting a lot of services up and running, I wanted to install and configure the openvpn roadwarrior.

Server

  • KVM server from netcup (provider)
  • eth0 on green which has the public ip of the server

Nethserver

# db networks show
eth0=ethernet
    FwInBandwidth=
    FwOutBandwidth=
    bootproto=none
    gateway=37.xxx.xxx.1
    ipaddr=37.xxx.xxx.xxx
    netmask=255.255.252.0
    role=green

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway.netcup. 0.0.0.0         UG    0      0        0 eth0
37.xxx.xxx.0    0.0.0.0         255.255.252.0   U     0      0        0 eth0

Wanted OpenVPN roadwarrior configuration

  • Use username, password and certificate
  • Routed mode: 192.168.160.0/24
  • Enable LZO
  • Push all static routes

DHCP options: empty

Connection parameters:

  • public host: mydomain.tld
  • UDP port: 1194

Problem description

When clicking on “SUBMIT”, the server is unresponsive.
The server/network is not reachable any more.

That’s it. I had similar problems trying to use AD in the first run - now I am using LDAP which will not create a bridge.

Solution
I will post the solution here. I think this might be a misconfiguration in routing?!

[UPDATE 2019-05-19][SOLVED]
The problem was that I only had one nic and this was configured to green (which is a security flaw, and the firewall could not work in this case! OMG.).

So I created a new virtual nic eth0.1 as vlan with an IP number +1 over eth0 under Configuration->Network.

I gave eth0 the public IP:

db networks setprop eth0 ipaddr 37.xxx.xxx.xx5 role red
db networks setprop eth0.1 ipaddr 37.xxx.xxx.xx6 role green
signal-event interface-update

# db networks show
eth0=ethernet 
    bootproto=none
    gateway=37.xxx.xxx.1
    ipaddr=37.xxx.xxx.35              <- Public IP
    netmask=255.255.252.0
    role=red
eth0.1=vlan                     
    bootproto=none
    gateway=37.xxx.xxx.1
    ipaddr=37.xxx.xxx.36             <- Vlan       
    netmask=255.255.252.0
    role=green

I rebooted the server.

Then I configured openvpn roadwarrior and everything was OK!

red1=provider  
    interface=eth0
    weight=1

Thanks for your appreciated help.
Thanks Ralf.

Weird :nerd_face:

Cheers
Axel
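As an added example that is not part of the thread, a POSIX shell/awk audit that takes raw `db networks show` output on stdin and flags the state the first post describes: no interface with role=red, and a green interface holding a non-RFC1918 address. Because the posted solution keeps a public address on the green vlan, a green interface with a public address is reported as a warning only; the check fails only when no interface has role=red. Sample dumps are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example, not from the thread: audit raw `db networks show` output for the
# single-nic mistake above. Exits 1 when no interface has role=red (the firewall
# has no WAN side) and warns for every green interface holding a non-RFC1918 address.
audit_networks() {
    awk '
    function is_private(ip,   o) {              # RFC 1918 ranges only
        split(ip, o, ".")
        if (o[1] == 10) return 1
        if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) return 1
        if (o[1] == 192 && o[2] == 168) return 1
        return 0
    }
    /^[^ \t]/ {                                 # record header, e.g. "eth0=ethernet"
        split($1, kv, "="); cur = kv[1]
        names[++count] = cur; role[cur] = ""; ip[cur] = ""
        next
    }
    /^[ \t]+role=/   { sub(/^[ \t]+role=/, "");   role[cur] = $1 }
    /^[ \t]+ipaddr=/ { sub(/^[ \t]+ipaddr=/, ""); ip[cur] = $1 }   # $1 drops "<- note" suffixes
    END {
        has_red = 0
        for (i = 1; i <= count; i++) {
            n = names[i]
            if (role[n] == "red") has_red = 1
            if (role[n] == "green" && ip[n] != "" && !is_private(ip[n]))
                print "WARN: " n " is green but holds public address " ip[n]
        }
        if (!has_red) { print "FAIL: no interface has role=red"; exit 1 }
        exit 0
    }'
}

# Constructed dumps; 203.0.113.0/24 is documentation space, not the poster's real range.
BEFORE_DUMP='eth0=ethernet
    ipaddr=203.0.113.35
    role=green'
AFTER_DUMP='eth0=ethernet
    ipaddr=203.0.113.35              <- Public IP
    role=red
eth0.1=vlan
    ipaddr=203.0.113.36
    role=green
red1=provider
    interface=eth0'

# On a live NethServer: db networks show | audit_networks
if printf '%s\n' "$BEFORE_DUMP" | audit_networks; then echo "before: ok"; else echo "before: misconfigured"; fi
if printf '%s\n' "$AFTER_DUMP" | audit_networks; then echo "after: ok"; else echo "after: misconfigured"; fi
```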

Hi Axel,

sorry, but I don’t understand your setup. Green interface with public IP?
Do you have only one nic? Do you just want to reach your server via vpn?
Shouldn’t the role of the public nic then be “red”?

What I can say is that LZO compression is deprecated with openvpn.
It’s not supported anymore. Please disable it.

BR Ralf

Hi Ralf,

thanks for your answer.

Yes the server has only one nic. The setup is only 2 days old and you are completely right!

  1. Green with public IP. OMG :sleeping: Too little sleep.

  2. Yes, only one nic. I set a vlan (eth0.1) with green and changed eth0 to red which is now the public IP.

    # db networks show
    eth0=ethernet
        FwInBandwidth=
        FwOutBandwidth=
        bootproto=none
        gateway=37.xxx.xxx.1
        ipaddr=37.xxx.xxx.x5
        netmask=255.255.252.0
        role=red
    eth0.1=vlan
        FwInBandwidth=
        FwOutBandwidth=
        bootproto=none
        gateway=37.xxx.xxx.1
        ipaddr=37.xxx.xxx.36
        netmask=255.255.252.0
        role=green

But I cannot reach the server then.

  1. Yes, I’d like to reach the server via VPN. I’d like to reach nextcloud only with the vpn tunnel. I had this setup at my last server (Zentyal with ownCloud).

  2. Right, did it! But I cannot reach the server. When I add the green label to eth0, I can reach the server.

    # db networks show
    eth0=ethernet
        […]
        role=green

What I also tried is setting the vlan (eth0.1) to the public IP. But here also I have to assign it “red, label_green”. If not, I cannot reach the server.

Any clue? What am I missing?

Cheers
Axel

Server is reachable now with public IP on vlan (eth0.1) after several reboots.

# db networks show
eth0=ethernet
    FwInBandwidth=
    FwOutBandwidth=
    bootproto=none
    gateway=37.xxx.xxx.1
    ipaddr=37.xxx.xxx.36
    netmask=255.255.252.0
    role=green
eth0.1=vlan                     
    FwInBandwidth=
    FwOutBandwidth=
    bootproto=none
    gateway=37.xxx.xxx.1
    ipaddr=37.xxx.xxx.35        <- Public IP
    netmask=255.255.252.0
    role=red

I’ll try again … Fingers crossed :wink:

=> did not work, see solution on first post.

Cheers Axel