OpenVPN Client Question

Keith_Haines · February 20, 2017, 9:24pm

I’m trying the OpenVPN client in NS 7.3 and I think I must be doing something wrong because the computers on my LAN can’t see the other network, however when I SSH into the NS, it is able to ping computers on the remote network without issue.

Here is how I set it up: I am using a fresh install of NS 7.3 (1611) and activated DHCP and installed OpenVPN from the software center. I then created a client using certificates and pointed it to an Ubuntu server running OpenVPN server at another location using routed mode.

At this point, the NS can ping remote addresses just fine (192.168.0.x), but computers on the LAN (192.168.20.x) are unable to see the remote network. I’m assuming I need to add a route somewhere, but I don’t know where…

Any help would be greatly appreciated!

EddieA · February 21, 2017, 6:37am

I only use RoadWarrior mode, so not really that familiar with net2net, but isn’t it usually the server that pushes the routes down to the client.

Cheers.

giacomo · February 21, 2017, 10:42am

The server (in this case Ubuntu), should push the static route to the client.

If the server doesn’t provide the push option, try to set a static route using the “Static routes” .

Keith_Haines · February 22, 2017, 1:01am

I already have the server pushing the route in the config file:

push “route 192.168.0.0 255.255.255.0”

192.168.0.0/24 is the remote (ubuntu server) network.

This configuration already works with several dd-wrt routers I am using as well as a pfsense router. Should I manually add a static route in NS?

Keith_Haines · February 22, 2017, 8:19am

Ok, so I added a static route and added the remote network to the trusted networks, but I’m still unable to ping from clients on my network. Meanwhile the NS console (via SSH) has no problem reaching the remote network.

I feel like I must be missing something here.

GOB · February 22, 2017, 1:56pm

Is your NethServer also your primary router/gateway?
If it is you probably need to add a firewall rule at the remote location permitting access from your local subnet to the remote subnet.

If your NS is not your default gateway, you will have to add a static route to your local workstation also specifying the remote network and a gateway of your Nethserver.

Keith_Haines · February 22, 2017, 7:45pm

I’m using NS as my primary router/gateway, and the remote location is just an Ubuntu server on another network behind a router with no firewall installed on that server. Also, the NS has no problem reaching that network, I just need the NS to share that network with the rest of the computers on the LAN that are connecting through it to the internet. If I switch back to my dd-wrt router, the computers on my LAN are able to connect just fine to the remote network.

On my pfSense router, I did have to do an outbound NAT rule to get access to the remote network from the LAN, is there something like that I’m supposed to do here? The problem is that I can’t see the tun0 interface in the NS web gui, even though it shows in ifconfig.

Do I need to do something in the console?

Thanks guys for all your help so far

giacomo · February 23, 2017, 1:52pm

You shouldn’t.

Could you take a look at logs and report if anything is wrong?
You can check /var/log/openvpn.log and “journalct -u openvpb@”

Keith_Haines · February 24, 2017, 4:29am

Here’s my openvpn log

Thu Feb 23 20:25:30 2017 PUSH: Received control message: ‘PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,sndbuf 393216,rcvbuf 393216,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5’
Thu Feb 23 20:25:30 2017 OPTIONS IMPORT: timers and/or timeouts modified
Thu Feb 23 20:25:30 2017 OPTIONS IMPORT: --sndbuf/–rcvbuf options modified
Thu Feb 23 20:25:30 2017 Socket Buffers: R=[212992->425984] S=[212992->425984]
Thu Feb 23 20:25:30 2017 OPTIONS IMPORT: --ifconfig/up options modified
Thu Feb 23 20:25:30 2017 OPTIONS IMPORT: route options modified
Thu Feb 23 20:25:30 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Feb 23 20:25:30 2017 ROUTE_GATEWAY 192.168.20.1/255.255.255.0 IFACE=enp2s0 HWADDR=44:8a:5b:ff:99:00
Thu Feb 23 20:25:30 2017 TUN/TAP device tun0 opened
Thu Feb 23 20:25:30 2017 TUN/TAP TX queue length set to 100
Thu Feb 23 20:25:30 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Feb 23 20:25:30 2017 /usr/sbin/ip link set dev tun0 up mtu 1500
Thu Feb 23 20:25:30 2017 /usr/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Thu Feb 23 20:25:30 2017 /usr/sbin/ip route add 192.168.0.0/24 via 10.8.0.5
Thu Feb 23 20:25:30 2017 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.5
Thu Feb 23 20:25:30 2017 Initialization Sequence Completed

Keith_Haines · February 24, 2017, 4:44am

journalctl -u openvpb@ comes back with:

– No entries –

Also, the OpenVPN connection is good, I am able to ping the other network from the NS, and it shows up on the OpenVPN server as a connected client. It’s just that packets on the green interface don’t get routed to IPs on the remote network.

giacomo · February 24, 2017, 8:06am

So, you have this remote network 192.168.0.0/24 and your green interface is this 192.168.20.x.
Also everything seems fine on the OpenVPN.

I can’t see the problem.
Are you there is no clash between network address?

You could need two more debug steps:

check the routes using route -n
send a ping from a client inside the lan to a remote client, check the traffic flow using tcpdump

Keith_Haines · February 27, 2017, 8:53pm

Actually 192.168.20.x is the red interface. I’ve been testing it, so it’s behind another router. I have a laptop connected to it’s green interface (192.168.1.x) to test the routing.

Here is an updated log with it directly connected to the internet (no double NAT).

Mon Feb 27 12:50:24 2017 SENT CONTROL [server]: ‘PUSH_REQUEST’ (status=1) Mon Feb 27 12:50:24 2017 PUSH: Received control message: ‘PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,sndbuf 393216,rcvbuf 393216,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5’ Mon Feb 27 12:50:24 2017 OPTIONS IMPORT: timers and/or timeouts modified Mon Feb 27 12:50:24 2017 OPTIONS IMPORT: --sndbuf/–rcvbuf options modified Mon Feb 27 12:50:24 2017 Socket Buffers: R=[212992->425984] S=[212992->425984] Mon Feb 27 12:50:24 2017 OPTIONS IMPORT: --ifconfig/up options modified Mon Feb 27 12:50:24 2017 OPTIONS IMPORT: route options modified Mon Feb 27 12:50:24 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Mon Feb 27 12:50:24 2017 ROUTE_GATEWAY 50.39.96.1/255.255.240.0 IFACE=enp2s0 HWADDR=44:8a:5b:ff:99:00 Mon Feb 27 12:50:24 2017 TUN/TAP device tun0 opened Mon Feb 27 12:50:24 2017 TUN/TAP TX queue length set to 100 Mon Feb 27 12:50:24 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Mon Feb 27 12:50:24 2017 /usr/sbin/ip link set dev tun0 up mtu 1500 Mon Feb 27 12:50:24 2017 /usr/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5 Mon Feb 27 12:50:24 2017 /usr/sbin/ip route add 192.168.0.0/24 via 10.8.0.5 Mon Feb 27 12:50:24 2017 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.5 Mon Feb 27 12:50:24 2017 Initialization Sequence Completed

Keith_Haines · February 27, 2017, 8:55pm

Here is route -n

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 | 50.39.96.1 | 0.0.0.0 | UG | 0 0 0 | enp2s0
10.8.0.0 | 10.8.0.5 | 255.255.255.0 | UG | 0 0 0 | tun0
10.8.0.5 | 0.0.0.0 | 255.255.255.255 | UH | 0 0 0 | tun0
50.39.96.0 | 0.0.0.0 | 255.255.240.0 | U | 0 0 0 | enp2s0
169.254.0.0 | 0.0.0.0 | 255.255.0.0 | U | 1002 0 0 | enp2s0
169.254.0.0 | 0.0.0.0 | 255.255.0.0 | U | 1003 0 0 | enp0s20u4
192.168.0.0 | 10.8.0.5 | 255.255.255.0 | UG | 0 0 0 | tun0
192.168.20.0 | 0.0.0.0 | 255.255.255.0 | U | 0 0 0 | enp0s20u4

Keith_Haines · February 27, 2017, 10:57pm

I did a tcpdump with the ICMP option to show echo requests and here is the result.

14:54:41.491814 IP 192.168.20.112 > 192.168.0.31: ICMP echo request, id 1, seq 16454, length 40

It does that 4 times (from the cmd line on a Windows computer) with no reply.

Currently my setup is:

internet (Public WAN IP) → red interface → NS → green interface → 192.168.20.0/24 → 192.168.20.112 - Home computer.

giacomo · March 1, 2017, 2:30pm

Honestly I don’t have any further ideas…probably something is missing somewhere but I can’t reproduce right now.

Any one has any idea?

Keith_Haines · March 1, 2017, 5:58pm

In the OpenVPN logs, is this correct? Should it be routing the gateway through the wan gateway? Or the tun0 gateway (10.8.0.5)?

Keith_Haines · March 1, 2017, 6:34pm

Does anyone use their NethServer as a VPN client?

dj_marian · March 1, 2017, 7:36pm

Hi, i think that everything with vpn is ok. what happens when You ping from Home computer >remote vpn ? What reply form NS? Routes looks fine but with this routing table NS is using local conection to the internet not the remote vpn internet connection.
So answer to:

Should it be routing the gateway through the wan gateway?

is:
yes if You want

Also, are You sure shorewall is not blocking the traffic?
I have also problem with shorewall blocking traffic even from NS or green to established vpn connection and no solution till now, no solution (maybe i’m missing something/ misconfigure shorewall, dontn’t know).

Keith_Haines · March 1, 2017, 9:53pm

Home computer (192.168.20.0/24) -> remote vpn (192.168.0.0/24), no response.
Home computer -> NS vpn ip address (10.8.0.6) responds perfectly
NS (via SSH) -> remote vpn responds perfectly

So either shorewall is blocking access to the vpn from the green interface, or the routes are not working. But I don’t know enough about configuring shorewall or routes to know where the issue is.

dj_marian · March 1, 2017, 10:01pm

Check firewall.log then You have answer for at least one question, 2 ways to achive this:
send desired ping and check:
-GUI log viever firewall.log
or
-watch "tail /var/log/firewall.log"
from console one NS