[SOLVED] problem setting up routing in openvpn
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Jun 03, 2011 9:39 am
[SOLVED] problem setting up routing in openvpn
Hi,
I'm having problems setting up the routing for openvpn.
First I'd like to tell you my network layout:
client -> firewall with public ip and nat -> openvpn with private network
client: comes from anywhere in the internet
this is my server config:
#####################################################
local 172.22.104.32
port 24577
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh1024.pem
# means 10.0.6.32/28 10.0.6.33 - 46
server 10.0.6.32 255.255.255.240
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
push "route 172.22.104.0 255.255.255.0"
management localhost 7505
#####################################################
this is my client config:
#####################################################
#
# local openvpn.conf
#
dev tun
remote <<public-ip>>
client
#tls-client
ca dedipower/ca.crt
cert dedipower/uwebartels.crt
key dedipower/uwebartels.key
port 24577
#user nobody
#group nogroup
comp-lzo
key-method 2
ping 45
ping-restart 600
ping-timer-rem
persist-tun
persist-key
verb 3
pull
route 172.22.104.0 255.255.255.0 vpn_gateway
#####################################################
connecting to the openvpn works fine.
connecting from the client to the ssh daemon via the private network works as well. <<root@client # ssh root@172.22.104.32>>
connecting from 172.22.104.32 to a ssh daemon in the same private network works. <<root@server # ssh root@172.22.104.33>>
connecting from the client to a ssh daemon in the same private network does not work. <<root@client # ssh root@172.22.104.33>>
pinging from the client to a ssh daemon in the same private network does not work. <<root@client # ping 172.22.104.33>>
I raised the verbosity level to 6 over the management interface and these lines came out during the ping above. 34.23.12.67 corresponds to the public ip on the firewall which is nat'ed to the private ip 172.22.104.32
Jun 3 10:48:47 localhost openvpn[32337]: uwebartels/34.23.12.67:55469 UDPv4 READ [53] from 34.23.12.67:55469: P_DATA_V1 kid=0 DATA len=52
Jun 3 10:48:55 localhost openvpn[32337]: uwebartels/34.23.12.67:55469 UDPv4 WRITE [53] to 34.23.12.67:55469: P_DATA_V1 kid=0 DATA len=52
Jun 3 10:49:05 localhost openvpn[32337]: uwebartels/34.23.12.67:55469 UDPv4 WRITE [53] to 34.23.12.67:55469: P_DATA_V1 kid=0 DATA len=52
Jun 3 10:49:07 localhost openvpn[32337]: uwebartels/34.23.12.67:55469 UDPv4 READ [53] from 34.23.12.67:55469: P_DATA_V1 kid=0 DATA len=52
Jun 3 10:49:15 localhost openvpn[32337]: uwebartels/34.23.12.67:55469 UDPv4 WRITE [53] to 34.23.12.67:55469: P_DATA_V1 kid=0 DATA len=52
Jun 3 10:49:17 localhost openvpn[32337]: uwebartels/34.23.12.67:55469 UDPv4 READ [53] from 34.23.12.67:55469: P_DATA_V1 kid=0 DATA len=52
Jun 3 10:49:25 localhost openvpn[32337]: uwebartels/34.23.12.67:55469 UDPv4 WRITE [53] to 34.23.12.67:55469: P_DATA_V1 kid=0 DATA len=52
the ping packets are not received by the pinged server 172.22.104.33 - checked with tcpdump.
but there are packets coming in on the openvpn server - checked with tcpdump.
So for me it looks like the packets are sent to openvpn, and openvpn does not send them to the given ip - it sends them back to the public ip according to the log above. However, I don't know what's wrong. Any idea?
All the ip addresses are changed for security reasons of course.
best regards,
Uwe
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: problem setting up routing in openvpn
hi there,
first remove these from your client config
pull
route 172.22.104.0 255.255.255.0 vpn_gateway
you are using client directive in your clients config so pull is not necessary.
second
did you enable IP forwarding on your openvpn server?
do you have a firewall enabled on your openvpn server?
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)
"objects in mirror are losing"
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Jun 03, 2011 9:39 am
Re: problem setting up routing in openvpn
Hi Michael,
Thanks for your answer.
I removed the lines and temporarily disabled the firewall for ipv4 and ipv6.
But
connecting from the client to a ssh daemon in the same private network still does not work. <<root@client # ssh root@172.22.104.33>>
Best Regards,
Uwe
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: problem setting up routing in openvpn
hi there,
can you ping the server from the vpn client?
did you enable IP forwarding on your openvpn server?
Michael.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Jun 03, 2011 9:39 am
Re: problem setting up routing in openvpn
Hi Michael,
sorry, but that still does not work.
below is some vpn client and server output.
best regards,
Uwe
vpn-server:
------------
[root@dwh-adm01 ~]# /etc/init.d/iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
[root@dwh-adm01 ~]# /etc/init.d/ip6tables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading ip6tables modules: [ OK ]
[root@dwh-adm01 ~]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@dwh-adm01 ~]#
[root@dwh-adm01 ~]# sysctl -a|grep ip_forward
net.ipv4.ip_forward = 1
[root@dwh-adm01 ~]#
vpn-client:
------------
macbookpro:~ uwe$ ping dwh-db01
PING dwh-db01 (172.22.104.34): 56 data bytes
^C
--- dwh-db01 ping statistics ---
6 packets transmitted, 0 packets received, 100% packet loss
macbookpro:~ uwe$
macbookpro:~ uwe$ netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.0.1.1 UGSc 13 4 en1
10.0.1/24 link#5 UCS 2 0 en1
10.0.1.1 0:3:93:e1:58:30 UHLW 14 335 en1 1036
macbookpro.uwebart localhost UHS 0 0 lo0
10.0.1.255 ff:ff:ff:ff:ff:ff UHLWb 0 4 en1
10.0.6.33/32 10.0.6.41 UGSc 0 0 tun0
10.0.6.41 10.0.6.42 UH 2 0 tun0
10.37.129/24 link#8 UCS 1 0 en3
10.37.129.2 localhost UHS 0 0 lo0
10.37.129.255 ff:ff:ff:ff:ff:ff UHLWb 0 4 en3
10.211.55/24 link#9 UCS 1 0 en2
10.211.55.2 localhost UHS 0 0 lo0
10.211.55.255 link#9 UHLWb 1 14 en2
127 localhost UCS 0 0 lo0
localhost localhost UH 4 348 lo0
169.254 link#5 UCS 0 0 en1
172.22.104/24 10.0.6.41 UGSc 0 6 tun0
Internet6:
Destination Gateway Flags Netif Expire
localhost link#1 UHL lo0
fe80::%lo0 localhost Uc lo0
localhost link#1 UHL lo0
fe80::%en3 link#8 UC en3
Uwes-MacBook-Pro.l 0:1c:42:0:0:0 UHL lo0
fe80::%en2 link#9 UC en2
Uwes-MacBook-Pro.l 0:1c:42:0:0:1 UHL lo0
ff01:: localhost U lo0
ff02:: localhost UC lo0
ff02:: link#8 UC en3
ff02:: link#9 UC en2
macbookpro:~ uwe$
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: problem setting up routing in openvpn
just to make sure : what does
Code: Select all
cat /proc/sys/net/ipv4/ip_forward
return?
and what happens if you enable masquerading on the server
Code: Select all
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
?
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Jun 03, 2011 9:39 am
Re: problem setting up routing in openvpn
Cool, that works. I switched on iptables again and ran the iptables command again, and ping still works.
ssh works as well. I persisted the rule in /etc/sysconfig/iptables.
I checked the man page of iptables for the masquerade option, but I'm still not that convinced that I understand why this works now. So I'd be glad if you could explain to me why this works or what happens with this masquerading.
Thanks and have a nice Whit Monday.
Uwe
[root@dwh-adm01 ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@dwh-adm01 ~]# iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
macbookpro:~ uwe$ ping dwh-db01
PING dwh-db01 (172.22.104.34): 56 data bytes
64 bytes from 172.22.104.34: icmp_seq=0 ttl=63 time=316.842 ms
64 bytes from 172.22.104.34: icmp_seq=1 ttl=63 time=291.940 ms
64 bytes from 172.22.104.34: icmp_seq=2 ttl=63 time=353.747 ms
^C
--- dwh-db01 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 291.940/320.843/353.747/25.391 ms
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: problem setting up routing in openvpn
when your VPN client connects it is assigned an address in the 10.0.6.0/24 range.
when you're then pinging a host on your server-side LAN the source address of the ping packets is this 10.0.6.0/24 address; unless the LAN-side machine knows where to send packets back to (i.e. it has a route for 10.0.6.0/24 to the VPN server) then these packets will get lost. By using iptables masquerading you're making all packets appear as if they're coming from the OpenVPN server itself, that is, the source address is rewritten to that of the 'eth0' address of the server.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Jun 03, 2011 9:39 am
Re: problem setting up routing in openvpn
OK, I understand, but I thought that this was one of the standard tasks of a VPN.
but here I'm very likely wrong
Thanks, that helped a lot.
Uwe
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: problem setting up routing in openvpn
yes, you're wrong 
In my view, a VPN is about setting up endpoint to endpoint connectivity; routing (and nat'ting) is left to the operating system. That's the way it works for most VPN types (IPsec, PPTP, OpenVPN). Also, consider the fact that you have two options: (1) set up masquerading, (2) set up a return route for VPN traffic.

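The two options janjust lists in the post above, and the masquerading he explains two posts up, side by side as an added example by the editor; this script was not posted in the thread. The addresses come from the configs at the top of the thread: `server 10.0.6.32 255.255.255.240` makes the client pool 10.0.6.32/28 (the explanation above says 10.0.6.0/24; the /28 is what this server actually hands out), the LAN is 172.22.104.0/24 and the OpenVPN server's LAN address is 172.22.104.32. `eth0` is taken from the MASQUERADE rule; that it really is the LAN-facing interface, and that `sysctl`, `ip` and `iptables` are present, are assumptions. With `DRY_RUN=1` the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): the two ways to get LAN
# replies back to OpenVPN clients. Addresses are from the posted configs;
# eth0 as the server's LAN interface is an assumption.
VPN_NET="10.0.6.32/28"            # server 10.0.6.32 255.255.255.240
LAN_NET="172.22.104.0/24"         # push "route 172.22.104.0 255.255.255.0"
VPN_SERVER_LAN_IP="172.22.104.32" # local 172.22.104.32
LAN_IF="eth0"                     # assumed

# Print the command instead of executing it when DRY_RUN=1, so the rules can
# be reviewed (or tested) on a machine without iptables/ip or root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# On the VPN server, for both options: the kernel must forward between tun0
# and eth0 at all (the server in the thread already had this set to 1).
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Option 1 (VPN server): source NAT. Same effect as the bare
# "-o eth0 -j MASQUERADE" that fixed the thread, but scoped to packets that
# come from the VPN pool and go to the LAN, so the server does not silently
# NAT anything else it forwards. SNAT to a fixed address is fine here because
# the server's LAN address is static; use MASQUERADE if it is not.
option_nat() {
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -d "$LAN_NET" \
        -o "$LAN_IF" -j SNAT --to-source "$VPN_SERVER_LAN_IP"
}

# Option 2 (LAN side, no NAT): tell the LAN where the VPN pool lives. Run on
# the LAN's default gateway (covers every host) or on each LAN host that must
# answer VPN clients. LAN hosts then see the real 10.0.6.x client address.
option_return_route() {
    run ip route add "$VPN_NET" via "$VPN_SERVER_LAN_IP"
}

if [ $# -gt 0 ]; then
    case "$1" in
        forward) enable_forwarding ;;
        nat)     enable_forwarding; option_nat ;;
        route)   option_return_route ;;
        *)       echo "usage: $0 forward|nat|route" >&2; exit 2 ;;
    esac
fi
```

`DRY_RUN=1 sh vpn-return.sh nat` prints the rules; run it as root without DRY_RUN to apply them. The drawback of either NAT form is that every LAN host sees every VPN client as 172.22.104.32, so LAN-side logs and LAN-side firewall rules can no longer tell clients apart; the return-route option keeps the 10.0.6.x source address visible on the LAN, at the cost of one route on the LAN gateway or on each LAN host. Either way ip_forward must stay at 1 on the VPN server, and the server's FORWARD chain must let the traffic through.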
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Jun 03, 2011 9:39 am
Re: [SOLVED] problem setting up routing in openvpn
Hi,
I'd like to ask one more question.
Now I'm able to ssh and ping the server behind the openvpn machine from my notebook, which is located somewhere on the internet.
macbookpro:~ uwe$ ping 172.22.104.34
PING 172.22.104.34 (172.22.104.34): 56 data bytes
64 bytes from 172.22.104.34: icmp_seq=0 ttl=63 time=32.143 ms
64 bytes from 172.22.104.34: icmp_seq=1 ttl=63 time=32.020 ms
^C
--- 172.22.104.34 ping statistics ---
3 packets transmitted, 2 packets received, 33% packet loss
round-trip min/avg/max/stddev = 32.020/32.082/32.143/0.061 ms
macbookpro:~ uwe$ telnet 172.22.104.34 22
Trying 172.22.104.34...
Connected to dwh-db01.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3
^]
Protocol mismatch.
Connection closed by foreign host.
macbookpro:~ uwe$
I'm able to connect to the postgres server from the openvpn server (dwh-adm01).
[root@dwh-adm01 ~]# telnet 172.22.104.34 5432
Trying 172.22.104.34...
Connected to dwh-db01 (172.22.104.34).
Escape character is '^]'.
^]
Connection closed by foreign host.
[root@dwh-adm01 ~]#
But I'm not able to connect to the postgres server from the vpn client.
macbookpro:~ uwe$ telnet 172.22.104.34 5432
Trying 172.22.104.34...
telnet: connect to address 172.22.104.34: Connection refused
telnet: Unable to connect to remote host
Any idea what could be wrong?
Does the traffic which comes through openvpn have to pass through iptables?
If so what would be a command to open up this connection?
I'd like to allow any traffic which passes through openvpn into the subnet 172.22.104.0/24.
Best Regards,
Uwe
- maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
- Contact:
Re: [SOLVED] problem setting up routing in openvpn
hi there,
>Does the traffic which comes through openvpn has to pass through iptables?
yeap...
iptables -A INPUT -i tun+ -j ACCEPT (or tap+ if you use tap)
please disable the firewall for testing purposes,
if you cant reach your server then check out postgres config files and logs.
Michael
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: [SOLVED] problem setting up routing in openvpn
if
telnet 172.22.104.34 22
works and
telnet 172.22.104.34 5432
does not, then this is a firewall issue on the SQL server; however, instead of doing a 'telnet ... 22' try ssh'ing to the IP address - are you really ending up on the host you were expecting?
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Jun 03, 2011 9:39 am
Re: [SOLVED] problem setting up routing in openvpn
Hi Michael,
this did not work.
best regards,
Uwe
[root@dwh-adm01 ~]# iptables -A INPUT -i tun+ -j ACCEPT
[root@dwh-adm01 ~]# echo $?
0
[root@dwh-adm01 ~]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp -- anywhere anywhere state NEW udp dpt:24577
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
[root@dwh-adm01 ~]#
macbookpro:~ uwe$ telnet 172.22.104.34 5432
Trying 172.22.104.34...
telnet: connect to address 172.22.104.34: Connection refused
telnet: Unable to connect to remote host
-
- OpenVpn Newbie
- Posts: 8
- Joined: Fri Jun 03, 2011 9:39 am
Re: [SOLVED] problem setting up routing in openvpn
OK, I got it. I had to put the rule into another chain.
now it works fine.
thanks everybody for your help.
Uwe
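What the `iptables --list` output in Uwe's post above shows, and the rule that "another chain" implies, as an added example by the editor rather than anything posted in the thread. In that listing the first rule of INPUT jumps to RH-Firewall-1-INPUT, and every path through that chain ends in ACCEPT or REJECT, so the `ACCEPT all` appended after the jump can never be reached. More to the point, a packet from a VPN client to 172.22.104.34 is forwarded by the server, not delivered to it, so INPUT is the wrong chain anyway: FORWARD is what applies, and FORWARD also jumps to RH-Firewall-1-INPUT, which accepts icmp and new tcp to port ssh (hence ping and ssh to .34 already worked) and rejects everything else (hence 5432 did not). The script inserts the allow rules at the top of FORWARD, scoped to the VPN pool (10.0.6.32/28, from `server 10.0.6.32 255.255.255.240`) and the LAN; `tun+` is taken from maikcat's rule, `eth0` as the LAN interface is an assumption, and `DRY_RUN=1` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): allow OpenVPN clients into
# the LAN in the chain that forwarded packets actually traverse. Addresses are
# from the posted configs; eth0 as the LAN interface is an assumption.
VPN_NET="10.0.6.32/28"
LAN_NET="172.22.104.0/24"
VPN_IF="tun+"   # any tun interface, as in maikcat's rule
LAN_IF="eth0"   # assumed

# Print instead of executing when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# A packet from a VPN client to 172.22.104.34 is routed through the server,
# so it is evaluated in FORWARD, never in INPUT. "iptables -A INPUT -i tun+
# -j ACCEPT" therefore cannot affect it; and because -A appends *after* the
# existing jump to RH-Firewall-1-INPUT, whose every path ends in ACCEPT or
# REJECT, the appended rule is unreachable even for packets addressed to the
# server itself. Both rules below are inserted at position 1 of FORWARD, ahead
# of that jump, and are scoped to the VPN pool and the LAN: a bare
# "-i tun+ -j ACCEPT" in FORWARD would let clients reach anything the server
# can route to, not just this LAN.
allow_vpn_to_lan() {
    # New connections from VPN clients into the LAN. Narrow it further if the
    # clients only need a few services, e.g. -p tcp -m multiport --dports 22,5432
    run iptables -I FORWARD 1 -i "$VPN_IF" -o "$LAN_IF" \
        -s "$VPN_NET" -d "$LAN_NET" -m state --state NEW -j ACCEPT
    # Replies from the LAN back to the clients. Inserted at 1 after the rule
    # above, so it ends up first. Redundant where the shared chain already
    # accepts RELATED,ESTABLISHED (RH-Firewall-1-INPUT does); harmless then.
    run iptables -I FORWARD 1 -i "$LAN_IF" -o "$VPN_IF" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Show FORWARD with rule numbers and counters: the two ACCEPTs must sit above
# the RH-Firewall-1-INPUT jump, and their pkts counters should rise while a
# client connects to the LAN. If they stay at 0, the traffic is not taking
# the path you think it is.
show_forward() {
    run iptables -L FORWARD -n -v --line-numbers
}

if [ $# -gt 0 ]; then
    case "$1" in
        allow) allow_vpn_to_lan ;;
        show)  show_forward ;;
        *)     echo "usage: $0 allow|show" >&2; exit 2 ;;
    esac
fi
```

`DRY_RUN=1 sh vpn-forward.sh allow` shows the rules; run it as root without DRY_RUN to apply them, then `sh vpn-forward.sh show` to confirm their position and watch the counters. Hand-inserted rules disappear the next time the firewall init script rewrites the tables, so persist them in /etc/sysconfig/iptables the way the NAT rule was persisted earlier in the thread.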