Access a server through VPN on a firewall from outside

[fishcustard]

This is going to sound horribly complicated, and probably is, but I inherited the setup from the previous system administrator (who died in March, so I can't ask him anything.)

I've got a LAN on the safe side of a firewall (the firewall runs OpenBSD), with a server running Windows Small Business Server 2003 and about 30 machines (a mix of Windows (XP, 7, 2000) and Linux) connected to it. The server is also the mail server (through Windows Exchange). There's also a nas, which exports several filesystems to machines on the LAN, though they're not repeated through the sbs. The sbs is at static address 10.1.70.4, and the firewall at 10.1.70.1. The OpenVPN server runs on the firewall; here's the config file (sans comments):

port 1194
proto udp
dev tun1
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/companyfw.crt
key /etc/openvpn/keys/companyfw.key # This file is secret
dh /etc/openvpn/keys/dh1024.pem
server 10.20.0.0 255.255.255.0
push "route 10.1.2.0 255.255.255.0"
push "route 10.1.70.0 255.255.255.0"
push "route 10.1.75.0 255.255.255.0"
duplicate-cn
keepalive 10 60
comp-lzo
max-clients 100
status /var/local/log/openvpn-status.log
log-append /var/local/log/openvpn.log
writepid /var/local/log/openvpn.pid
verb 3
crl-verify /etc/openvpn/keys/crl.pem

# ls -l /dev/tun1
crw------- 1 root wheel 40, 1 Oct 13 19:52 /dev/tun1

The firewall rules contain the lines:

pass in on tun1 no state label "tun1_in"
pass out on tun1 no state label "tun1_out"

I have several client machines outside (one at my house, one in East Timor, and two in China) who all want to connect to the LAN (and use the shares on the nas and receive email from the exchange server) across the internet. Here's the config file for my machine:

client
dev tun
dev-node tap-company
proto udp
remote incoming.company.com.au 1194
resolv-retry infinite
nobind
ca keys\\company\\\ca.crt
cert keys\\company\\fishcustard.crt
key keys\\company\\fishcustard.key
ns-cert-type server
comp-lzo
verb 4

The external machines can reach the firewall, and /dev/tun1 changes its access times as it's accessed. /var/local/log/openvpn-status.log shows accesses appropriate to who's trying to access it eg:

# cat /var/local/log/openvpn-status.log
OpenVPN CLIENT LIST
Updated, Thu Oct 13 20:06:30 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
fishcustard,192.168.100.100:1670,343908,454275,Thu Oct 13 14:42:34 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.20.0.10,fishcustard,192.168.100.100:1670, Thu Oct 13 20:06:26 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END

tcpdump -nS -i tun1 shows access every few seconds from 10.20.0.10 to 10.1.70.4 and back, including icmp packets. I can ping 10.1.70.4, but not cosbs (cosbs is the name of the sbs; .company.local is appended internally.)

So, I can connect from outside, and get a valid IP address. I can't access any of the nas shares (the nas is called nas1 and is on 10.1.70.5) or the email server.

I can post the output of the tcpdump command, or the logs of either the server or clients (or both) if they'll help.

Any suggestions?

[maikcat]

what OS your clients has?

please post the output of netstat -nr on your clients.

can you ping the vpn interface of your server from your clients?

Michael.

[fishcustard]

what OS your clients has?

Sorry, I meant to say in the original question. All are running Windows of one flavour or another; mine runs W7, the ones in China run XP/SP3, the one in East Timor runs Vista. There are a handful of others, mostly running XP.

please post the output of netstat -nr on your clients.

Code: Select all

Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\fishcustard>netstat -nr
===========================================================================
Interface List
 30...00 a0 c6 00 00 00 ......Vodafone Mobile Broadband Network Adapter (ZTE)
 32...00 ff 3d 03 d7 87 ......TAP-Win32 Adapter V9
 21...08 00 27 00 40 78 ......VirtualBox Host-Only Ethernet Adapter
 27...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1
 28...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
 29...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #7
 31...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   120.17.102.169   120.17.102.170    296
         10.1.2.0    255.255.255.0        10.20.0.5        10.20.0.6     30
        10.1.70.0    255.255.255.0        10.20.0.5        10.20.0.6     30
        10.1.75.0    255.255.255.0        10.20.0.5        10.20.0.6     30
        10.20.0.1  255.255.255.255        10.20.0.5        10.20.0.6     30
        10.20.0.4  255.255.255.252         On-link         10.20.0.6    286
        10.20.0.6  255.255.255.255         On-link         10.20.0.6    286
        10.20.0.7  255.255.255.255         On-link         10.20.0.6    286
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.19.0    255.255.255.0         On-link      192.168.19.1    276
     192.168.19.1  255.255.255.255         On-link      192.168.19.1    276
   192.168.19.255  255.255.255.255         On-link      192.168.19.1    276
     192.168.56.0    255.255.255.0         On-link      192.168.56.1    276
     192.168.56.1  255.255.255.255         On-link      192.168.56.1    276
   192.168.56.255  255.255.255.255         On-link      192.168.56.1    276
     192.168.70.0    255.255.255.0         On-link      192.168.70.1    276
     192.168.70.1  255.255.255.255         On-link      192.168.70.1    276
   192.168.70.255  255.255.255.255         On-link      192.168.70.1    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link         10.20.0.6    286
        224.0.0.0        240.0.0.0         On-link      192.168.19.1    276
        224.0.0.0        240.0.0.0         On-link      192.168.70.1    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.56.1    276
  255.255.255.255  255.255.255.255         On-link         10.20.0.6    286
  255.255.255.255  255.255.255.255         On-link      192.168.19.1    276
  255.255.255.255  255.255.255.255         On-link      192.168.70.1    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 31   1140 ::/0                     2002:c058:6301::c058:6301
  1    306 ::1/128                  On-link
 31   1040 2002::/16                On-link
 31    296 2002:7811:66aa::7811:66aa/128
                                    On-link
 21    276 fe80::/64                On-link
 32    286 fe80::/64                On-link
 27    276 fe80::/64                On-link
 28    276 fe80::/64                On-link
 30    296 fe80::/64                On-link
 21    276 fe80::1945:e51b:31e4:36f2/128
                                    On-link
 27    276 fe80::8051:fb73:2ff7:c637/128
                                    On-link
 32    286 fe80::8894:e804:de51:4672/128
                                    On-link
 30    296 fe80::8c87:3543:c5b4:cac0/128
                                    On-link
 28    276 fe80::c403:c9f9:5117:2949/128
                                    On-link
  1    306 ff00::/8                 On-link
 21    276 ff00::/8                 On-link
 32    286 ff00::/8                 On-link
 27    276 ff00::/8                 On-link
 28    276 ff00::/8                 On-link
 30    296 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Users\fishcustard>

can you ping the vpn interface of your server from your clients?

Michael.

I'm not sure what you mean. I can ping the VPN machine (the firewall, 10.1.70.1) and the server (10.1.70.4) from outside. As far as I can tell the connection from 10.1.70.1 to 10.1.70.4 is through a tunnel (/dev/tun1). I can't find a running OpenVPN - or indeed and kind of VPN - daemon on the server (cosbs).

Thanks for your comments

[maikcat]

your client has received the routes as displayed by netstat command..

you still need to run openvpn as administrator in win 7 clients.

did you check firewalling on SBS itself?

Michael.

[Mimiko]

The sbs is at static address 10.1.70.4

I can ping 10.1.70.4, but not cosbs (cosbs is the name of the sbs; .company.local is appended internally.)

You are hidding something definately. First you say that the SBS has IP 70.4, then that IP 70.4 is pingable, and then that SBS is not pingable. It's ilogical. If you mean that "ping cosbs" does not resolve to IP, then you have to push WINS if you have any at the LAN. If not, then remote clients has no means how to resolve NetBIOS names to IP in a routed mode.

All your clients will have to use LAN IPs (10.1.70.x) to access nas and other services.

[fishcustard]

Thanks for your help, everyone. The problem was that WINS wasn't configured properly in the client machines. It's all fixed now.