I’m trying the OpenVPN client in NS 7.3 and I think I must be doing something wrong because the computers on my LAN can’t see the other network, however when I SSH into the NS, it is able to ping computers on the remote network without issue.
Here is how I set it up: I am using a fresh install of NS 7.3 (1611) and activated DHCP and installed OpenVPN from the software center. I then created a client using certificates and pointed it to an Ubuntu server running OpenVPN server at another location using routed mode.
At this point, the NS can ping remote addresses just fine (192.168.0.x), but computers on the LAN (192.168.20.x) are unable to see the remote network. I’m assuming I need to add a route somewhere, but I don’t know where…
Ok, so I added a static route and added the remote network to the trusted networks, but I’m still unable to ping from clients on my network. Meanwhile the NS console (via SSH) has no problem reaching the remote network.
Is your NethServer also your primary router/gateway?
If it is you probably need to add a firewall rule at the remote location permitting access from your local subnet to the remote subnet.
If your NS is not your default gateway, you will have to add a static route to your local workstation also, specifying the remote network and a gateway of your NethServer.
I’m using NS as my primary router/gateway, and the remote location is just an Ubuntu server on another network behind a router with no firewall installed on that server. Also, the NS has no problem reaching that network, I just need the NS to share that network with the rest of the computers on the LAN that are connecting through it to the internet. If I switch back to my dd-wrt router, the computers on my LAN are able to connect just fine to the remote network.
On my pfSense router, I did have to do an outbound NAT rule to get access to the remote network from the LAN. Is there something like that I’m supposed to do here? The problem is that I can’t see the tun0 interface in the NS web GUI, even though it shows in ifconfig.
Also, the OpenVPN connection is good, I am able to ping the other network from the NS, and it shows up on the OpenVPN server as a connected client. It’s just that packets on the green interface don’t get routed to IPs on the remote network.
Actually 192.168.20.x is the red interface. I’ve been testing it, so it’s behind another router. I have a laptop connected to its green interface (192.168.1.x) to test the routing.
Here is an updated log with it directly connected to the internet (no double NAT).
Mon Feb 27 12:50:24 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Feb 27 12:50:24 2017 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.1,sndbuf 393216,rcvbuf 393216,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Mon Feb 27 12:50:24 2017 OPTIONS IMPORT: timers and/or timeouts modified
Mon Feb 27 12:50:24 2017 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mon Feb 27 12:50:24 2017 Socket Buffers: R=[212992->425984] S=[212992->425984]
Mon Feb 27 12:50:24 2017 OPTIONS IMPORT: --ifconfig/up options modified
Mon Feb 27 12:50:24 2017 OPTIONS IMPORT: route options modified
Mon Feb 27 12:50:24 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Feb 27 12:50:24 2017 ROUTE_GATEWAY 50.39.96.1/255.255.240.0 IFACE=enp2s0 HWADDR=44:8a:5b:ff:99:00
Mon Feb 27 12:50:24 2017 TUN/TAP device tun0 opened
Mon Feb 27 12:50:24 2017 TUN/TAP TX queue length set to 100
Mon Feb 27 12:50:24 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Feb 27 12:50:24 2017 /usr/sbin/ip link set dev tun0 up mtu 1500
Mon Feb 27 12:50:24 2017 /usr/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Mon Feb 27 12:50:24 2017 /usr/sbin/ip route add 192.168.0.0/24 via 10.8.0.5
Mon Feb 27 12:50:24 2017 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.5
Mon Feb 27 12:50:24 2017 Initialization Sequence Completed
Hi, I think that everything with the VPN is OK. What happens when you ping from the home computer to the remote VPN? What reply do you get from NS? The routes look fine, but with this routing table the NS is using the local connection to the internet, not the remote VPN's internet connection.
So the answer to:
Should it be routing the gateway through the WAN gateway?
is:
yes, if you want.
Also, are you sure Shorewall is not blocking the traffic?
I also have a problem with Shorewall blocking traffic, even from the NS or green, to an established VPN connection, and no solution so far (maybe I'm missing something or have misconfigured Shorewall, I don't know).
Home computer (192.168.20.0/24) -> remote vpn (192.168.0.0/24), no response.
Home computer -> NS vpn ip address (10.8.0.6) responds perfectly
NS (via SSH) -> remote vpn responds perfectly
So either shorewall is blocking access to the vpn from the green interface, or the routes are not working. But I don’t know enough about configuring shorewall or routes to know where the issue is.
Check firewall.log, then you have the answer to at least one question. Two ways to achieve this:
send the desired ping and check:
- GUI log viewer, firewall.log
or
- watch "tail /var/log/firewall.log"
from the console on the NS.
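A check for the firewall.log step above, as an added example that is not from this thread or from NethServer: it filters constructed Shorewall-style log lines (the chain names loc2net/net2fw, the interface br0 and the host addresses are assumptions) for DROP/REJECT entries going from the green subnet to the remote VPN subnet, which separates a firewall problem from a routing problem.

```shell
#!/bin/sh
# Constructed sample of /var/log/firewall.log lines in Shorewall/netfilter
# format; not taken from the thread. Chain names, interface names and the
# hosts 192.168.20.10 (green client) / 192.168.0.5 (remote) are made up.
SAMPLE_LOG='Feb 27 12:55:01 ns kernel: Shorewall:loc2net:DROP:IN=br0 OUT=tun0 SRC=192.168.20.10 DST=192.168.0.5 LEN=84 PROTO=ICMP TYPE=8
Feb 27 12:55:02 ns kernel: Shorewall:loc2net:DROP:IN=br0 OUT=tun0 SRC=192.168.20.10 DST=192.168.0.5 LEN=84 PROTO=ICMP TYPE=8
Feb 27 12:55:03 ns kernel: Shorewall:net2fw:DROP:IN=enp2s0 OUT= SRC=192.0.2.7 DST=10.8.0.6 LEN=40 PROTO=TCP DPT=23
Feb 27 12:55:04 ns kernel: Shorewall:loc2net:ACCEPT:IN=br0 OUT=tun0 SRC=192.168.20.10 DST=192.168.0.5 LEN=84 PROTO=ICMP TYPE=8'

# Only lines where the firewall dropped or rejected traffic from the green
# subnet (192.168.20.0/24) toward the remote VPN subnet (192.168.0.0/24).
vpn_drops() {
    printf '%s\n' "$SAMPLE_LOG" |
    grep -E 'Shorewall:[^:]+:(DROP|REJECT):' |
    grep -E 'SRC=192\.168\.20\.[0-9]+ ' |
    grep -E 'DST=192\.168\.0\.[0-9]+ '
}

# Number of such lines; anything above zero means Shorewall, not the
# routing table, is what stops the LAN from reaching the remote network.
vpn_drop_count() {
    vpn_drops | wc -l | tr -d ' '
}

# Zone-pair chains and verdicts involved, so you know where a rule is missing.
vpn_drop_chains() {
    vpn_drops | sed -E 's/.*Shorewall:([^:]+):([A-Z]+):.*/\1:\2/' | sort -u
}

vpn_drops
echo "dropped packets green -> remote VPN: $(vpn_drop_count)"
echo "chains: $(vpn_drop_chains | tr '\n' ' ')"
```

On a live NethServer, feed real lines instead of SAMPLE_LOG (for example tail /var/log/firewall.log) while sending the test ping; if the count stays at zero the packets never reach the firewall logging rules and the routing side is where to look.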