Hello,
I just set up an OpenVPN server on the AWS platform. All is working perfectly, but I have no access to one of the company websites via the HTTPS protocol and have no idea why; all websites are working fine and I have no access to only one of them, which is important. Maybe I have to open some port on the OpenVPN server, or make some changes in the settings or in AWS?
The funny thing is that I have my private OpenVPN setup at home on my OpenWrt router, and when I connect to that OpenVPN via the Microsoft client all is working perfectly and that website works without any problem.
Can anyone help me with that issue?
Thank you.
OpenVPN server in AWS
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Mar 10, 2021 11:06 am
Re: OpenVPN server in AWS
Config from home:
client
remote rafsade.noip.me 1194
dev tun
proto udp
status current_status
resolv-retry infinite
remote-cert-tls server
topology subnet
verb 3
cipher AES-128-CBC
nobind
persist-key
persist-tun
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, CN=nazdenccrbmenor/name=nazdenccrbmenor/emailAddress=nazdenccrbmenor@jmpoqonxdkmdmml.com
Validity
Not Before: Feb 2 08:10:20 2021 GMT
Not After : Dec 27 08:10:20 2037 GMT
Subject: C=??, ST=UnknownProvince, L=UnknownCity, O=UnknownOrg, OU=UnknownOrgUnit, CN=work/name=work/emailAddress=work@qrgawcwdefjupgu.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
[snip]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
[snip]
X509v3 Authority Key Identifier:
[snip]
[snip]
[snip]
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
[snip]
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[snip]
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[snip]
-----END OpenVPN Static key V1-----
</tls-auth>
Config from AWS:
# Automatically generated OpenVPN client config file
# Generated on Wed Mar 10 11:39:20 2021 by ip-53.34.54.56
# Default Cipher
cipher AES-256-CBC
# Note: this config file contains inline private keys
# and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=openvpn
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=openvpn@53.34.54.-/AUTOLOGIN
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=53.34.54.-:443
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
[snip]
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
setenv FORWARD_COMPATIBLE 1
client
server-poll-timeout 4
nobind
remote 53.34.54.- 1194 udp
remote 53.34.54.- 1194 udp
remote 53.34.54.- 443 tcp
remote 53.34.54.- 1194 udp
remote 53.34.54.- 1194 udp
remote 53.34.54.- 1194 udp
remote 53.34.54.- 1194 udp
remote 53.34.54.- 1194 udp
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 0
rcvbuf 0
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
<ca>
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
[snip]
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
[snip]
-----END OpenVPN Static key V1-----
</tls-auth>
## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
[snip]
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
[snip]
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
[snip]
## -----END CERTIFICATE-----
Both show me, when I connect, the IP from home and from AWS, which is correct and what I want.
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenVPN server in AWS
Hello,
I'm sorry to say this but you have just destroyed a major part of the security of your OpenVPN setup. You posted your private keys and everything. As the file itself says in this line, that is not good:
Note: this config file contains inline private keys and therefore should be kept confidential!
However you did post the entire contents of your configuration file. I have mitigated the situation somewhat by editing your post and removing most sensitive information. But it was public for some hours already now, so you should now consider your server compromised and you should deploy a new installation of OpenVPN Access Server to remedy this situation. And please don't ever post your private keys anywhere public.
Regarding the original problem you reported, the problem description is a little vague. You say that you don't have access to one of the company websites via HTTPS protocol. But I have no clue where this site is or how you have your Access Server configured. If this website is on the public Internet and you want it routed through the VPN tunnel and the VPN server, then if you just enable the "redirect all client VPN internet traffic through the VPN server" option in OpenVPN Access Server, and then connect your computer using OpenVPN Connect to that Access Server, then that should work just fine. If however the web server is an internal one in a private range on Amazon AWS you may need to configure access to that subnet using the settings in the VPN Settings page of the Access Server. Without knowing more details it will be extremely hard to provide some useful guidance.
At this point, also given the fact you posted vitally secure information in a public place, I would like to suggest you go to https://openvpn.net/support and open a support ticket there in the OpenVPN Access Server section and request assistance with your setup on Amazon AWS and getting access to the resources you want to get access to. There any information will be treated confidentially and securely.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Mar 10, 2021 11:06 am
Re: OpenVPN server in AWS
Thank you, Johan, for the answer. Don't worry, I changed the private and public keys and deleted some parts; I will not put full keys and all the config in public.
Anyway, I will try to open a ticket with AWS and we will see. Also, I added to the hosts file on Windows and Linux the IP and DNS name for that website, and I will test a new OpenVPN appliance in AWS and Azure tomorrow.
Last edited by sat4all on Fri Mar 12, 2021 11:22 pm, edited 2 times in total.
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Mar 10, 2021 11:06 am
Re: OpenVPN server in AWS
openvpn_inc wrote:
Regarding the original problem you reported, the problem description is a little vague. You say that you don't have access to one of the company websites via HTTPS protocol. But I have no clue where this site is or how you have your Access Server configured. If this website is on the public Internet and you want it routed through the VPN tunnel and the VPN server, then if you just enable the "redirect all client VPN internet traffic through the VPN server" option in OpenVPN Access Server, and then connect your computer using OpenVPN Connect to that Access Server, then that should work just fine. If however the web server is an internal one in a private range on Amazon AWS you may need to configure access to that subnet using the settings in the VPN Settings page of the Access Server. Without knowing more details it will be extremely hard to provide some useful guidance.
Access Server is configured as in the config file. The website is on a private network and is accessible via my OpenVPN set up on the OpenWrt router at home, but via the Amazon or Azure OpenVPN this website is not accessible.
I think I ticked that option; I have tried many options already:
"redirect all client VPN internet traffic through the VPN server"
What I saw: when I connect on AWS or Azure, this website works when I put the IP instead of the domain.
I can give you access to my OpenVPN server; it is not production, so I don't mind. It is for me to connect from one country to another.
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Mar 10, 2021 11:06 am
Re: OpenVPN server in AWS
Issue sorted.
Windows\System32\drivers\etc\hosts: I edited the hosts file and added the IP address and domain; that fixed the issue.
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenVPN server in AWS
Hello sat4all,
Alright. It sounds to me like you were using some internal-only domain. If that internal-only domain does resolve within the Amazon AWS DNS system then most likely you could have made the VPN clients resolve it too by using the option to push DNS server and then pushing the .2 IP in the range on AWS. On Amazon AWS usually the .2 address is a DNS server. For example if your VPC subnet range is 192.168.70.0/24 then the DNS server would be at 192.168.70.2 usually.
In any case, a local hosts file entry would also make the resolution of name to IP work on your computer.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
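The two fixes discussed in this thread (pushing the AWS VPC resolver to VPN clients, and sat4all's hosts-file workaround) worked through as an added example; this is not code from the thread, from sat4all or from OpenVPN Inc. It assumes Johan's example VPC range 192.168.70.0/24, uses the community-edition `push "dhcp-option DNS ..."` server directive for what Access Server exposes as its push-DNS setting, and the hostnames, addresses and the offline "resolver" table are constructed for the demo. The `diagnose` helper is my own addition: it tells the symptom in the thread ("works by IP, not by name") apart from a name that resolves but is not routed through the tunnel.

```python
"""Added example for this thread (not the poster's or OpenVPN Inc.'s code).

Shows (1) the VPC resolver address AWS places at the VPC CIDR base plus two,
(2) server-side lines that push that resolver to clients (community OpenVPN
syntax), (3) a validated hosts-file entry, the per-machine workaround used in
the thread, and (4) a classifier separating "name does not resolve" from
"resolves but is not reachable". Hostnames and addresses are constructed.
"""
import ipaddress
import socket
from typing import Callable, List, Optional


def vpc_resolver(vpc_cidr: str) -> ipaddress.IPv4Address:
    """Amazon-provided DNS sits at the VPC CIDR base address plus two
    (192.168.70.0/24 -> 192.168.70.2, as in Johan's example)."""
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    if net.num_addresses < 4:
        raise ValueError("CIDR too small to hold a base+2 resolver address")
    return net.network_address + 2


def dns_push_directives(vpc_cidr: str, search_domain: Optional[str] = None) -> List[str]:
    """Server config lines (community OpenVPN syntax; Access Server has the
    same setting in its VPN Settings page) that make every connecting client
    use the VPC resolver, optionally with a search domain for short names."""
    lines = ['push "dhcp-option DNS %s"' % vpc_resolver(vpc_cidr)]
    if search_domain:
        lines.append('push "dhcp-option DOMAIN %s"' % search_domain)
    return lines


def hosts_entry(ip: str, hostname: str) -> str:
    """The per-machine workaround: one validated 'IP<tab>hostname' line for
    /etc/hosts or Windows\\System32\\drivers\\etc\\hosts."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    labels = hostname.rstrip(".").split(".")
    if not all(lab and all(c.isalnum() or c == "-" for c in lab) for lab in labels):
        raise ValueError("invalid hostname: %r" % hostname)
    return "%s\t%s" % (addr, hostname)


def diagnose(hostname: str, vpc_cidr: str,
             resolve: Callable[[str], str] = socket.gethostbyname) -> str:
    """Classify the failure the thread describes.

    'unresolved'  : works by IP, fails by name -> push the VPC resolver
                    (dns_push_directives) or add a hosts entry.
    'inside-vpc'  : the name resolves into the private range; if it still
                    fails, the client lacks a route to that subnet (Access
                    Server VPN Settings) or a security group blocks 443.
    'outside-vpc' : the name resolves to a public address, so the client is
                    not seeing the internal-only view of that name.
    """
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    try:
        addr = ipaddress.ip_address(resolve(hostname))
    except OSError:  # socket.gaierror is an OSError subclass
        return "unresolved"
    return "inside-vpc" if addr in net else "outside-vpc"


if __name__ == "__main__":
    # Constructed offline resolver table standing in for what a VPN client sees.
    FAKE_DNS = {"intranet.example.internal": "192.168.70.25"}

    def fake_resolve(name: str) -> str:
        try:
            return FAKE_DNS[name]
        except KeyError:
            raise socket.gaierror("Name or service not known")

    for line in dns_push_directives("192.168.70.0/24", "example.internal"):
        print(line)
    print(hosts_entry("192.168.70.25", "intranet.example.internal"))
    print(diagnose("intranet.example.internal", "192.168.70.0/24", fake_resolve))
    print(diagnose("missing.example.internal", "192.168.70.0/24", fake_resolve))
```

Run it as a script to see the push lines for Johan's 192.168.70.0/24 example, the hosts entry, and the two diagnoses ("inside-vpc" for the constructed name that resolves, "unresolved" for one that does not). The resolver is injectable so the classifier can be exercised offline; in practice `diagnose` run from a connected VPN client with the default `socket.gethostbyname` reports which of the two fixes applies.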