Issue with open vpn

NethServer Version: current
Module: open vpn.

I have configured nethserver as a vpn server, but there is something I can not understand.
I followed the guides on the page https://wiki.nethserver.org/doku.php?id=howto:howto_set_up_a_vpn
My ip address remains the same, instead of it changing to the ip address of the server.
Is there something I have configured wrongly?

I am able to connect via OpenVPN client on my windows machine

Absolutely no idea of what is occurring, but to debug we need logs; please go to the OpenVPN log and catch the errors.

Sat Sep 22 12:21:04 2018 154.79.7.70:60418 TLS: Initial packet from [AF_INET]154.79.7.70:60418 (via [AF_INET]80.211.161.17%eth0), sid=23390c95 736b8ad6
Sat Sep 22 12:21:09 2018 154.79.7.70:60418 VERIFY OK: depth=1, CN=NethServer, O=Example Org, ST=SomeState, OU=Main, emailAddress=root@login., C=--, L=Hometown
Sat Sep 22 12:21:09 2018 154.79.7.70:60418 VERIFY OK: depth=0, C=--, ST=SomeState, L=Hometown, O=Example Org, OU=Main, CN=martin, emailAddress=admin@login.genius.ke
Sat Sep 22 12:21:10 2018 154.79.7.70:60418 peer info: IV_VER=2.4.6
Sat Sep 22 12:21:10 2018 154.79.7.70:60418 peer info: IV_PLAT=win
Sat Sep 22 12:21:10 2018 154.79.7.70:60418 peer info: IV_PROTO=2
Sat Sep 22 12:21:10 2018 154.79.7.70:60418 peer info: IV_NCP=2
Sat Sep 22 12:21:10 2018 154.79.7.70:60418 peer info: IV_LZ4=1
Sat Sep 22 12:21:10 2018 154.79.7.70:60418 peer info: IV_LZ4v2=1
Sat Sep 22 12:21:10 2018 154.79.7.70:60418 peer info: IV_LZO=1
Sat Sep 22 12:21:10 2018 154.79.7.70:60418 peer info: IV_COMP_STUB=1
Sat Sep 22 12:21:10 2018 154.79.7.70:60418 peer info: IV_COMP_STUBv2=1
Sat Sep 22 12:21:10 2018 154.79.7.70:60418 peer info: IV_TCPNL=1
Sat Sep 22 12:21:10 2018 154.79.7.70:60418 peer info: IV_GUI_VER=OpenVPN_GUI_11
Sat Sep 22 12:21:10 2018 154.79.7.70:60418 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Sep 22 12:21:10 2018 154.79.7.70:60418 [martin] Peer Connection Initiated with [AF_INET]154.79.7.70:60418 (via [AF_INET]80.211.161.17%eth0)
Sat Sep 22 12:21:10 2018 martin/154.79.7.70:60418 OPTIONS IMPORT: reading client specific options from: ccd/martin
Sat Sep 22 12:21:10 2018 martin/154.79.7.70:60418 Options error: in --iroute 10.10.0.1 255.255.255.0 : Bad network/subnet specification
Sat Sep 22 12:21:10 2018 martin/154.79.7.70:60418 MULTI_sva: pool returned IPv4=10.10.0.6, IPv6=(Not enabled)
Sat Sep 22 12:21:10 2018 martin/154.79.7.70:60418 MULTI: Learn: 10.10.0.6 -> martin/154.79.7.70:60418
Sat Sep 22 12:21:10 2018 martin/154.79.7.70:60418 MULTI: primary virtual IP for martin/154.79.7.70:60418: 10.10.0.6
Sat Sep 22 12:21:11 2018 martin/154.79.7.70:60418 PUSH: Received control message: 'PUSH_REQUEST'
Sat Sep 22 12:21:11 2018 martin/154.79.7.70:60418 SENT CONTROL [martin]: 'PUSH_REPLY,dhcp-option DOMAIN genius.ke,dhcp-option DNS 10.10.0.1,dhcp-option WINS 10.10.0.1,dhcp-option NBDD 10.10.0.1,dhcp-option NBT 2,route 80.211.161.0 255.255.255.0,route 10.10.0.0 255.255.255.0,topology net30,ping 20,ping-restart 120,ifconfig 10.10.0.6 10.10.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Sat Sep 22 12:21:11 2018 martin/154.79.7.70:60418 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Sep 22 12:21:11 2018 martin/154.79.7.70:60418 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Sep 22 12:21:11 2018 martin/154.79.7.70:60418 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

you got me lost…what is the key of the issue ?

A virtual interface gets the OpenVPN IP, you may check it with ipconfig under windows. Your configuration is ok.


@stephdl I am able to connect, but the ip address remains the same local ip of my isp instead of the server ip.

this is basically what I am trying to achieve.
users on the network connect to the internet via the configured vpn, then for some server access, limit the connection to the fixed ip of the server.

Like @mrmarkuz said, you get an IP address on a virtual NIC but you still keep the default IP of your ISP. It also depends on what VPN you are looking for: routed (you get an IP in a different network from the server) or bridged (you get an IP in the same range as the server).
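
Added example, not part of any post in this thread: a Python sketch that reads the `PUSH_REPLY` and `--iroute` lines of the server log posted above and reports whether the server pushed a default-gateway redirect (OpenVPN's `redirect-gateway` option, or a 0.0.0.0/0 route) and which network address the rejected `iroute` entry should use. Without such a push, only the listed routes go through the tunnel and internet traffic keeps leaving through the ISP. The sample lines are an excerpt of the posted log; the function names are hypothetical.

```python
import ipaddress
import re

# Excerpt of two lines from the server log posted above (some options trimmed).
SAMPLE_LOG = """\
Sat Sep 22 12:21:10 2018 martin/154.79.7.70:60418 Options error: in --iroute 10.10.0.1 255.255.255.0 : Bad network/subnet specification
Sat Sep 22 12:21:11 2018 martin/154.79.7.70:60418 SENT CONTROL [martin]: 'PUSH_REPLY,dhcp-option DNS 10.10.0.1,route 80.211.161.0 255.255.255.0,route 10.10.0.0 255.255.255.0,topology net30,ifconfig 10.10.0.6 10.10.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
"""

PUSH_RE = re.compile(r"SENT CONTROL \[([^\]]+)\]: 'PUSH_REPLY,([^']*)'")
IROUTE_RE = re.compile(r"Options error: in --iroute (\S+) (\S+)")


def pushed_routes(options):
    """Return (full_tunnel, routes) for a comma-separated PUSH_REPLY option list."""
    full_tunnel, routes = False, []
    for opt in options.split(","):
        parts = opt.split()
        if not parts:
            continue
        if parts[0] == "redirect-gateway":
            full_tunnel = True  # client replaces its default route with the tunnel
        elif parts[0] == "route" and len(parts) >= 3:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            routes.append(str(net))
            full_tunnel = full_tunnel or net.prefixlen == 0
    return full_tunnel, routes


def iroute_fix(network, netmask):
    """Return the network address to use if host bits are set, else None."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    fixed = str(net.network_address)
    return None if fixed == network else fixed


def analyze(log_text):
    """Summarise tunnel mode per client and list rejected iroute entries."""
    report = {"clients": {}, "iroute_fixes": []}
    for line in log_text.splitlines():
        if (m := PUSH_RE.search(line)):
            full, routes = pushed_routes(m.group(2))
            report["clients"][m.group(1)] = {"full_tunnel": full, "routes": routes}
        elif (m := IROUTE_RE.search(line)):
            report["iroute_fixes"].append((m.group(1), iroute_fix(m.group(1), m.group(2))))
    return report


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```
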

I used routed, as I saw the bridged being a bit cumbersome to set up… not sure where I got things wrong, but I'll keep finding out.

And what do you mean by IP range… if the server has one IP?

In bridged mode, let’s assume the server IP is 192.168.56.1 with a network 192.168.56.0/24; the IP will be in that network, but only on the virtual NIC, generally called tap0.

for this case i am using a hosted vps to achieve this, and the server has only the ip like
80.211.0.25

I did it but you need two nics, since it is a proxmox OS I have I can do what I want…I bridged on the green nic. I need it because I want to hide the samba AD VM behind the firewall

this is what I did