openvpn road warrior works No issues.
But a site2site setup connects but the clients on server B can ping the Server A Ip addresses but can not join or login to the domain. Even after joining the domain using a road warrior account, then disconnect the road warrior account, the ad.domainname is not available.
Both servers NS7.9.2009 and both have 2 NICs red and green
Server A AD controller 192.168.238.1
Server B minimum services. 192.168.239.1
Roll to be VPN Server client to Server A via OpenVPN tunnel. Server B clients to be part of the AD domain at Server A.
Server A **shed2office** 1207 (UDP) **SUBNET** 192.168.238.0/24 192.168.239.0/24 Running Connected (10.5.43.2)
Server B **cshed2office** 1207 (UDP) **SUBNET** Server A public IP 192.168.239.0/24 Running Connected (10.5.43.2)
Server A
tunshed2office: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.5.43.1/24 brd 10.5.43.255 scope global tunshed2office
valid_lft forever preferred_lft forever
inet6 fe80::2165:c4ce:923d:acf2/64 scope link flags 800
valid_lft forever preferred_lft forever
Server B
tuncshed2office: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.5.43.2/24 brd 10.5.43.255 scope global tuncshed2office
valid_lft forever preferred_lft forever
inet6 fe80::3a59:a70c:e943:baae/64 scope link flags 800
valid_lft forever preferred_lft forever
Both servers report Tunnel is up and both route -n return routes to the other server
Server A route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
10.5.43.0 0.0.0.0 255.255.255.0 U 0 0 0 tunshed2office
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.238.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.239.0 10.5.43.2 255.255.255.0 UG 0 0 0 tunshed2office
Should Server A be 10.5.43.1 but it shows the same as Server B 10.5.43.2?
I have tried in the conf file for the tunnel
push “dhcp-option DNS 192.168.238.1”
Any suggestions? What have I missed, thanks.
I should add that from a client on Server B I can
\192.168.238.1\ access the shares but I am challenged for username\password even though logged in as admin account created via Road warrior
but
\srv-sb fails as it resolves to the external IP of Server A and not the internal IP 192.168.238.1
I might be on the wrong track but suspect this systemctl status on the vpn has a clue
-- Unit openvpn@shed2office.service has begun starting up.
May 30 14:40:31 srv-sb.domain.name openvpn-startup[18183]: Sun May 30 14:40:31 2021 ERROR: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
May 30 14:40:31 srv-sb.domain.name openvpn-startup[18183]: Sun May 30 14:40:31 2021 Exiting due to fatal error
May 30 14:40:31 srv-sb.domain.name systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On shed2office.
-- Subject: Unit openvpn@shed2office.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit openvpn@shed2office.service has finished starting up.
The Cannot ioctl TUNSETIFF tap0 but the config has a tun device any tap device would be used by the Road warriors on port 1194.
#
# 10base
#
dev tunshed2office
dev-type tun
persist-tun
lport 1207
proto udp
topology subnet
server 10.5.43.0 255.255.255.0
push "topology subnet"
float
multihome
daemon
#
# 20routes
#
push "route 192.168.238.0 255.255.255.0"
push "dhcp-option DNS 192.168.238.1"
route 192.168.239.0 255.255.255.0
Thanks Andy
I did not set the dev name and the conf file suggests otherwise. But Server A is the “server” and B the client. we had comms and cloud ping but no rights to see shares or scripts.
For site2Site connections the forward maybe required and I did not see it in the instructions.
@Andy_Wismer
Thanks.
Yes we had done that and as I said we could ping IP addresses and could open shares via \\ip address\share. But not by URL \\server\share.
Also had to check Threat Shield and fail2ban settings.
The server manager openvpn page gives the impression that it is all good, but in reality not usable. Will have to setup a new clean installation and make sure what adjustments are needed and some of what I did can be removed.
So from scratch I would
Setup the tunnel
modify the dnsmasq settings
add the end networks and the tunnel to trusted networks
monitor other firewall stuff like fail2ban, threat shield for blockages
Other than that I am impressed with the performance of the link.
Generally, if possible, I tend to use IPsec (V2) for Site2Site connections and OpenVPN for RoadWarrior links.
I mostly use an OPNsense box as seperate firewall, but for some of my clients / friends I helped to setup VPNs using at least one NethServer on one side, sometimes also a NethServer on both sides.
In Germany, it’s often not possible to use IPsec, but OpenVPN works without issues. In Switzerland, IPsec works almost everywhere.
Both VPNs work very well, with NethServer or in combination NethServer <-> OPNsense…