Routing: Configuring for accessing subnet clients +iptables


Moderators: TinCanTech

haggismn
OpenVpn Newbie
Posts: 15
Joined: Tue Dec 20, 2011 8:04 pm

Routing: Configuring for accessing subnet clients +iptables

Post by haggismn » Tue Dec 20, 2011 9:00 pm

Hi everyone,
I have been involved with this problem for a number of days now. I have been converting my tap server-bridge so that machines attached to any VPN client routers can also be accessed. I have multiple router clients as well as PC clients connecting. I have gotten so far that a connection is established, however I can only get one-way communication to the server. It will not talk back to the clients. This leads me to believe I have a routing or firewall issue. For the IP assignment, my aim is to have connecting clients get a dynamic IP from the ifconfig pool. Any connecting routers are configured to assign IPs within the 172.18.0.0 range. The clients should use the VPN server as an internet gateway, primarily, but be able to communicate with each other, even if behind routers.

Server Config - removed unnecessary parts


port 1194
dev tun0
dev-type tun 
client-to-client
push "redirect-gateway"
mode server
client-config-dir /tmp/etc/ccd
push "topology subnet"
push "route-gateway 172.18.219.220"
up /tmp/etc/up.sh
push "route 172.18.219.208 255.255.255.240"
push "route 172.18.21.64 255.255.255.224"
down /tmp/etc/down.sh
ifconfig-pool-persist /tmp/etc/persistip
ifconfig-pool 172.18.219.209 172.18.219.212 255.255.255.240
I cannot launch route or ifconfig commands from OpenVPN on this server router; I must use a script. The up script performs "ifconfig 172.18.219.220 255.255.255.240" and "route 172.18.21.64 255.255.255.224 172.18.219.220".

I have one router configured to connect for testing, so in ccd/client1


iroute 172.18.21.64 255.255.255.224
It then has a DHCP server assigning in this range, obviously.

Client config


dev tun0
proto udp 
remote ..... 1194
redirect-gateway
pull
When I was using server-bridge I had a masquerade rule in the firewall of the client router. If I remove this and then ping the VPN server, the VPN server sees the client as its VPN client DHCP assigned IP, however it won't talk back.

I have separately configured a PC (client2) to connect to the VPN remotely, in an effort to dodge potential client router issues. Again, authentication is successful and the server sees the client and receives pings, but no pong is received by the client. ifconfig tun0 in both the router client and PC client shows 0kB data received but plenty of data sent - the pings. The tun interface on the VPN server is similar. Note however that VPN clients can ping each other (but not the server, and they can't go online) on the off chance I have access to them both at the same time. This is the only thing that works.


The following is observed on the VPN server when the client server connects remotely (through my phone).


Wed Dec 21 02:43:31 2011 212.183.128.88:17905 [client1] Peer Connection Initiated with 212.183.128.88:17905
Wed Dec 21 02:43:31 2011 client1/212.183.128.88:17905 OPTIONS IMPORT: reading client specific options from: /tmp/etc/ccd/client1
Wed Dec 21 02:43:31 2011 client1/212.183.128.88:17905 MULTI: Learn: 172.18.219.209 -> client1/212.183.128.88:17905
Wed Dec 21 02:43:31 2011 client1/212.183.128.88:17905 MULTI: primary virtual IP for client1/212.183.128.88:17905: 172.18.219.209
Wed Dec 21 02:43:31 2011 client1/212.183.128.88:17905 MULTI: internal route 172.18.21.64/27 -> client1/212.183.128.88:17905
Wed Dec 21 02:43:31 2011 client1/212.183.128.88:17905 MULTI: Learn: 172.18.21.64/27 -> client1/212.183.128.88:17905
Wed Dec 21 02:43:31 2011 client1/212.183.128.88:17905 REMOVE PUSH ROUTE: 'route 172.18.21.64 255.255.255.224'
Wed Dec 21 02:43:33 2011 client1/212.183.128.88:17905 PUSH: Received control message: 'PUSH_REQUEST'
Wed Dec 21 02:43:33 2011 client1/212.183.128.88:17905 SENT CONTROL [client1]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 87.194.255.154,dhcp-option DNS 208.67.220.220,redirect-gateway,topology subnet,route-gateway 172.18.219.220,route 172.18.219.208 255.255.255.240,ping 10,ping-restart 30,ifconfig 172.18.219.209 255.255.255.240' (status=1)
Wed Dec 21 02:43:43 2011 client1/212.183.128.88:17905 MULTI: Learn: 172.18.21.84 -> client1/212.183.128.88:17905
Is this a routing issue? I have read this page about using "topology subnet".


Here is the routing table of the vpn server. br0 contains the tun interface.


172.18.219.208  *               255.255.255.240 U     0      0        0 br0
172.18.219.208  *               255.255.255.240 U     0      0        0 tun0
172.18.21.64    172.18.219.220 255.255.255.224 UG    0      0        0 br0
remotenet     *               255.255.255.0   U     0      0        0 nas0
239.0.0.0       *               255.0.0.0       U     0      0        0 br0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default        remotegw 0.0.0.0         UG    0      0        0 nas0

Now for the VPN client router. Here is its routing table - I have to use route -n.


remote ip   192.168.0.1     255.255.255.255 UGH   0      0        0 vlan1
192.168.0.1     0.0.0.0         255.255.255.255 UH    0      0        0 vlan1
172.18.219.208  172.18.219.220  255.255.255.240 UG    0      0        0 tun0
172.18.219.208  0.0.0.0         255.255.255.240 U     0      0        0 tun0
172.18.21.64    0.0.0.0         255.255.255.224 U     0      0        0 br0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vlan1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         172.18.219.220  0.0.0.0         UG    0      0        0 tun0

If I use redirect-gateway DEF1 I receive no warning, but I prefer to completely redirect. Either way it doesn't work.


Wed Dec 21 03:49:39 2011 us=849079 [server] Peer Connection Initiated with IP:1194
Wed Dec 21 03:49:41 2011 us=945653 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Dec 21 03:49:42 2011 us=881480 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 87.194.255.154,dhcp-option DNS 208.67.220.220,redirect-gateway,topology subnet,route-gateway 172.18.219.220,route 172.18.219.208 255.255.255.240,ping 10,ping-restart 30,ifconfig 172.18.219.209 255.255.255.240'
Wed Dec 21 03:49:42 2011 us=882832 OPTIONS IMPORT: timers and/or timeouts modified
Wed Dec 21 03:49:42 2011 us=883074 OPTIONS IMPORT: --ifconfig/up options modified
Wed Dec 21 03:49:42 2011 us=883263 OPTIONS IMPORT: route options modified
Wed Dec 21 03:49:42 2011 us=883448 OPTIONS IMPORT: route-related options modified
Wed Dec 21 03:49:42 2011 us=883627 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Wed Dec 21 03:49:42 2011 us=905619 TUN/TAP device tun0 opened
Wed Dec 21 03:49:42 2011 us=905952 TUN/TAP TX queue length set to 100
Wed Dec 21 03:49:42 2011 us=906603 /sbin/ifconfig tun0 172.18.219.209 netmask 255.255.255.240 mtu 1500 broadcast 172.18.219.223
Wed Dec 21 03:49:42 2011 us=926136 /sbin/route add -net IP netmask 255.255.255.255 gw 192.168.0.1
Wed Dec 21 03:49:42 2011 us=933598 /sbin/route del -net 0.0.0.0 netmask 0.0.0.0
Wed Dec 21 03:49:42 2011 us=941355 /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw 172.18.219.220
Wed Dec 21 03:49:42 2011 us=950055 WARNING: potential route subnet conflict between local LAN [172.18.219.0/255.255.255.0] and remote VPN [172.18.219.208/255.255.255.240]
Wed Dec 21 03:49:42 2011 us=950573 /sbin/route add -net 172.18.219.208 netmask 255.255.255.240 gw 172.18.219.220
Wed Dec 21 03:49:43 2011 us=19134 Initialization Sequence Completed
The one area I am uneasy about is the firewall in the VPN server. When I was using a tap interface previously, tap0 was in bridge br0. I have manually ifconfiged tun0 up and cannot add it to a bridge. I have set up some firewall rules to implement it but they may well be wrong;


iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o br0 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
tun0 is also set to the same ip as br0; 172.18.219.220. That can't be right can it?

Finally, is there any overhaul of the configuration I should make? Optimally, I would like the client configuration to be simple, as it is here, and for IPs to be assigned dynamically. Is using topology subnet correct?

Thanks in advance for any help. And please let me know if there is more info you need.
Last edited by haggismn on Tue Apr 10, 2012 5:51 am, edited 1 time in total.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Routing: Configuring for accessing subnet clients +iptab

Post by maikcat » Wed Dec 21, 2011 8:29 am

for a start replace this:

mode server
push "topology subnet"
push "route-gateway 172.18.219.220"
ifconfig-pool-persist /tmp/etc/persistip
ifconfig-pool 172.18.219.209 172.18.219.212 255.255.255.240

with this

server 172.18.219.209 255.255.255.240
push "redirect-gateway def1"
topology subnet

restart server and try again..

also on client remove this

redirect-gateway
pull

and add this

client



ps: i assume that you DON'T bridge any interface anymore..
ps2: what do the up/down scripts actually do?

Michael.

haggismn

Re: Routing: Configuring for accessing subnet clients +iptab

Post by haggismn » Wed Dec 21, 2011 4:46 pm

Thanks for your response Michael
The router I am setting up does not allow route or ifconfig to be run in the openvpn application, so I need to use the up script to achieve this. Using the Server option carries an ifconfig statement in it, so I must define all the options manually to avoid problems. The up script contains, as of now


/sbin/ifconfig tun0 172.18.219.209 netmask 255.255.255.240 mtu 1500 broadcast 172.18.219.223
/sbin/route add -net 172.18.21.64 netmask 255.255.255.224 gw 172.18.219.209
Am I correct in thinking you meant use "server 172.18.219.208 255.255.255.240"(not 209)?

I have all the equivalent options specified according to this


push "topology subnet"
ifconfig-pool 172.18.219.210 172.18.219.212 255.255.255.240
push "route-gateway 172.18.219.209"
This is a little complex, I know, but I believe the same overall function is achieved as "server 172.18.219.208 255.255.255.240", isn't it?

It's unrelated at the moment, but is using redirect-gateway "def1" required? For security reasons I prefer to avoid def1, since it avoided the risk of the original route being restored, and unencrypted data being sent if the VPN went down without the user's knowledge.

Set up like this, def1 or not, I have the same function as before. clients can ping each other, I can ping clients on the 172.18.21.64 network from other clients, but I cannot communicate directly with the server. If I try pinging, the lights flash but nothing comes back. Here is ifconfig tun0


tun0      Link encap:UNSPEC  HWaddr 00-64-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.18.219.209  P-t-P:172.18.219.209  Mask:255.255.255.240
          UP POINTOPOINT RUNNING NOARP PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:214 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:16632 (16.2 KiB)  TX bytes:0 (0.0 B)
Finally, I have no bridge set up. I cannot add tun0 to br0 on the server. I believe this is normal for tun interfaces


brctl addif br0 tun0
can't add tun0 to bridge br0: Invalid argument
dmesg shows "device tun0 entered promiscuous mode" as the last entry.

Thanks once again, I really appreciate your help.

Edit: I can in fact ping clients from the server successfully. So client-client and server-client is fine, just not client-server (and gateway)

haggismn

Re: Routing: Configuring for accessing subnet clients +iptab

Post by haggismn » Wed Dec 21, 2011 10:24 pm

Well I am very close to getting things optimal. Turns out I just needed to add 2 rules to the firewall


iptables -A INPUT -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
However I have one remaining problem, that is with DNS. When I was using tap0 as the interface within br0, everyone connecting to the VPN had no problem using DNS. However now I must manually specify it. The relevant (I think) part in the firewall for br0 is this


Chain BASIC_DNS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNS        udp  --  br0    *       0.0.0.0/0            172.18.219.220     udp dpt:53 
I have researched and tried the following command, however it doesn't work


iptables -t nat -A PREROUTING -i tun0 -p udp --dport 53 -j DNAT --to 172.18.219.220
Is there any way I can allow clients to use the server's DNS, rather than having to manually input it on each client?
This isn't a problem so much for client routers but it is a big problem for client PCs and mobile devices.
Thanks again

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Routing: Configuring for accessing subnet clients +iptab

Post by janjust » Wed Dec 21, 2011 11:19 pm

in the server config you can add


push "dhcp-option DNS x.x.x.x"
to push a DNS server to the clients; not all clients automagically pick this up, but Windows clients certainly do, as well as Linux clients that have 'resolv-conf' installed.
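A Linux client only honours a pushed dhcp-option if something on the client turns it into a resolver change; OpenVPN exposes each pushed option to --up/--down scripts as foreign_option_1, foreign_option_2, ..., with $dev naming the tunnel and $script_type saying whether this is the up or the down call. The script below is an added example, written for this page rather than taken from the thread or from the distribution update-resolv-conf script that janjust's "resolv-conf" remark refers to. The file paths in it are assumptions. It validates what the server pushes before writing it to resolv.conf, since a pushed option is whatever the server chose to send.

```shell
#!/bin/sh
# Added example, not from the thread and not OpenVPN's stock update-resolv-conf
# script: a client --up/--down script that applies the DNS servers pushed with
# 'dhcp-option DNS'. OpenVPN hands each pushed option to the script as
# foreign_option_1, foreign_option_2, ..., names the tunnel device in $dev and
# sets $script_type to "up" or "down". Client config (script-security 2 is
# required before OpenVPN will run an external script):
#   script-security 2
#   up   /etc/openvpn/vpn-dns.sh
#   down /etc/openvpn/vpn-dns.sh
# RESOLV_CONF and BACKUP are assumed paths; override them when testing.
set -u

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
BACKUP="${BACKUP:-/etc/resolv.conf.openvpn-bak}"

# pushed_dns: print the pushed DNS servers, one per line, in push order.
# Walks foreign_option_N until the first unset one. Anything that is not a
# plain dotted-quad IPv4 address is dropped: pushed options are data chosen by
# the server, so they are checked before they reach a system file.
pushed_dns() {
    n=1
    while :; do
        eval "opt=\${foreign_option_${n}:-}"
        [ -n "$opt" ] || break
        n=$((n + 1))
        case "$opt" in
            "dhcp-option DNS "*)
                addr=${opt#dhcp-option DNS }
                if printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
                    echo "$addr"
                fi
                ;;
        esac
    done
}

# render_resolv: the resolv.conf content for the current session.
render_resolv() {
    printf '# generated by vpn-dns.sh for %s\n' "${dev:-tun0}"
    pushed_dns | while read -r ns; do
        printf 'nameserver %s\n' "$ns"
    done
}

dns_up() {
    # Keep the original once; a reconnect must not overwrite it with VPN settings.
    [ -f "$BACKUP" ] || cp "$RESOLV_CONF" "$BACKUP"
    render_resolv > "$RESOLV_CONF"
}

dns_down() {
    [ -f "$BACKUP" ] && mv "$BACKUP" "$RESOLV_CONF"
    return 0
}

case "${script_type:-}" in
    up)   dns_up ;;
    down) dns_down ;;
esac
```

The format check is only a syntax check (it does not reject octets above 255 or reserved ranges), and on systems where resolv.conf is managed by resolvconf, systemd-resolved or NetworkManager the right action is to hand the list to that manager instead of overwriting the file.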

haggismn

Re: Routing: Configuring for accessing subnet clients +iptab

Post by haggismn » Thu Dec 22, 2011 1:31 am

I think I spoke too soon!

For DNS, I think the client router was using what was passed to its WAN port by DHCP. The DHCP server in this situation is my desktop, which is routed through my phone to the internet. This didn't have any DHCP settings specified.

Whatever the case it doesn't matter too much, however I have a bigger problem which I didn't see. When I use the VPN from a client router, there is no problem. However I have discovered that I cannot go online from my PC when it is connected over the VPN. Please note that both are not being used at the same time.

PC>Client router>internet<VPN server - This setup is fine
Client PC>internet<VPN server - Not working. I can't ping anyone, except the client router's PC if connected

This may be something to do with the IP's assigned. Here is the server log for when the router client connects (which has a ccd iroute and a route specified) You can see it learning the PC's IP at the end.


Thu Dec 22 01:01:40 2011 212.183.128.43:5872 [client1] Peer Connection Initiated with 212.183.128.43:5872
Thu Dec 22 01:01:40 2011 client1/212.183.128.43:5872 OPTIONS IMPORT: reading client specific options from: /tmp/etc/ccd/client1
Thu Dec 22 01:01:40 2011 client1/212.183.128.43:5872 MULTI: Learn: 172.18.219.211 -> client1/212.183.128.43:5872
Thu Dec 22 01:01:40 2011 client1/212.183.128.43:5872 MULTI: primary virtual IP for client1/212.183.128.43:5872: 172.18.219.211
Thu Dec 22 01:01:40 2011 client1/212.183.128.43:5872 MULTI: internal route 172.18.21.64/27 -> client1/212.183.128.43:5872
Thu Dec 22 01:01:40 2011 client1/212.183.128.43:5872 MULTI: Learn: 172.18.21.64/27 -> client1/212.183.128.43:5872
Thu Dec 22 01:01:40 2011 client1/212.183.128.43:5872 REMOVE PUSH ROUTE: 'route 172.18.21.64 255.255.255.224'
Thu Dec 22 01:01:42 2011 client1/212.183.128.43:5872 PUSH: Received control message: 'PUSH_REQUEST'
Thu Dec 22 01:01:42 2011 client1/212.183.128.43:5872 SENT CONTROL [client1]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 87.194.255.154,dhcp-option DNS 208.67.220.220,redirect-gateway,topology subnet,route 172.18.219.208 255.255.255.240,route-gateway 172.18.219.209,ping 10,ping-restart 30,ifconfig 172.18.219.211 255.255.255.240' (status=1)
Thu Dec 22 01:01:50 2011 client1/212.183.128.43:5872 MULTI: Learn: 172.18.21.65 -> client1/212.183.128.43:5872
This is what happens when the PC client connects. I don't think the warning means much, I had been connected only a minute or two earlier


Thu Dec 22 01:12:24 2011 212.183.128.138:14405 [client2] Peer Connection Initiated with 212.183.128.138:14405
Thu Dec 22 01:12:24 2011 MULTI: new connection by client 'client2' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Thu Dec 22 01:12:24 2011 MULTI: Learn: 172.18.219.210 -> client2/212.183.128.138:14405
Thu Dec 22 01:12:24 2011 MULTI: primary virtual IP for client2/212.183.128.138:14405: 172.18.219.210
Thu Dec 22 01:12:26 2011 client2/212.183.128.138:14405 PUSH: Received control message: 'PUSH_REQUEST'
Thu Dec 22 01:12:26 2011 client2/212.183.128.138:14405 SENT CONTROL [client2]: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 87.194.255.154,dhcp-option DNS 208.67.220.220,redirect-gateway,topology subnet,route 172.18.21.64 255.255.255.224,route 172.18.219.208 255.255.255.240,route-gateway 172.18.219.209,ping 10,ping-restart 30,ifconfig 172.18.219.210 255.255.255.240' (status=1)
This "MULTI" statement seems to be a bit out of place. Do I need to specify any CCDs for other clients who don't use a different subnet?

Thanks Again.

janjust

Re: Routing: Configuring for accessing subnet clients +iptab

Post by janjust » Thu Dec 22, 2011 9:32 am

I don't think the warning means much, I had been connected only a minute or two earlier
you can get rid of this warning by adding


explicit-exit-notify 3
to the client config.

as for the not-working instance: after the PC connects directly to the VPN server, can you
* ping the server's VPN IP
* ping the server's LAN IP
* run a traceroute on 8.8.8.8


tracert -d 8.8.8.8
