Nsdc and openvpn issue

Miziara · November 9, 2019, 6:15am

NethServer Version: latest
Module: samba

Dears,

I have at least 5 servers running Nethserver at different locations and all have the same issue that i could not fix.

Using the Samba DC controller with Openvpn Roadwarrior routed mode, all the clients connected cannot communicate with the Nsdc, not even ping it.
If i change the Openvpn to Bridge, it works, vpn clients resolve dns, talk with samba etc.

I could not find why this happens, but its the same issue on all 5 servers. They are not connected, some are on Aws, others on Ovh and others on a local HyperV.

Could not find any relevant information on the logs.

Any ideias? How can i debug this?

robb · November 9, 2019, 8:26am

It looks like the roadwarrior client can not find the nsdc instance. Could this be a DNS issue? As soon you connect with VPN, is NS configured as DNS server for the client?
Or alternatively, put an entry for the nsdc in your hosts file.

pike · November 9, 2019, 1:45pm

@dev_team do NSDC read routing table from the gateway?
Do NSDC have a gateway into it’s IPv4 configuration?

davidep · November 9, 2019, 2:47pm

The gateway assignment is defined here

github.com

NethServer/nethserver-dc/blob/6c206ea3479a946bf705a153ee61d0331d9fcd6c/root/etc/e-smith/templates/var/lib/machines/nsdc/etc/systemd/network/green.network/10base#L13


      
          Name=host0
          
          {
              use esmith::NetworksDB;
              use Net::IPv4Addr qw( :all );
              my $ndb = esmith::NetworksDB->open();
              my $bridge = $nsdc{'bridge'} || die ("[ERROR] There is no network bridge for NethServer domain controller");
              $OUT = "[Network]\n";
              $OUT .= "Address=" . $nsdc{'IpAddress'} . '/' . ipv4_msk2cidr($ndb->get_prop($bridge, 'netmask')). "\n\n";
          
              my $gateway = $ndb->get_prop($bridge, 'gateway');
              if(!$gateway || scalar $ndb->red()) {
                  # if the gateway is defined on a different network/interface, set our green IP:
                  $gateway = $ndb->get_prop($bridge, 'ipaddr');
              }
              
              $OUT .= "[Route]\n";
              $OUT .= "Gateway=$gateway\n";
          }

IIUC if a red is present gw is the NethServer green interface itself, otherwise gw is the same of the green interface.

pike · November 9, 2019, 5:15pm

So this could be a firewall issue on NSDC Container… Which don’t allow to be connected from the OpenVPN subnet.

Miziara · November 9, 2019, 5:37pm

Im trying to ping the nsdc ip address directly and there’s no response to vpn clients on routed mode, only on bridge mode.
VPN clients can ping any other host, including NS itself.
The Dns im talking about is samba dns. Without this working, vpn clients cannot resolve domain names

Miziara · November 9, 2019, 5:38pm

The container has its own firewall?
I tried everything on NS shorewall without luck

pike · November 9, 2019, 9:08pm

Interesting. @Miziara is your Nethserver the default router of the network AND the OpenVPN server?

Miziara · November 9, 2019, 9:36pm

@pike I have both cases, but all of them have 2 interfaces, public (red) and private (green)
At the cloud providers, its not the default router, but at my office it its.

This problem happens even if the OpenVPN is installed at a separate NethServer.
On OVH i have 2 nethservers for Samba with replication working, and a exclusive NethServer for OpenVpn RoadWarrior. The communication between Openvpn clients and NSDC on those servers only works on bridged mode.