how to tunnel proprietary VPN through OpenVPN jumpbox?

How to customize and extend your OpenVPN installation.

Moderators: TinCanTech

TomRoche
OpenVpn Newbie
Posts: 12
Joined: Tue Oct 14, 2014 2:33 am

how to tunnel proprietary VPN through OpenVPN jumpbox?

Post by TomRoche » Fri Jan 16, 2015 5:50 am

background:
  • If there is a better forum for this question, please let me know.
  • Apologies if this is tl;dr (1300 words) but the problem seems somewhat complex (at least to me)
summary: I seek to tunnel an F5 SSL VPN (hard requirement) through an OpenVPN server (apparently required) in order to shell into a compute cluster behind a firewall. I can access the required F5 remote-access website (RAW) through the OpenVPN tunnel, but lose DNS once I activate the F5VPN using the RAW's web GUI. I suspect this is due to a problem with my OpenVPN configuration, since direct access using the F5VPN (unfortunately now disallowed) worked for me in the past; specifically I suspect my OpenVPN server is not enabling my F5VPN client to see/use the DNS server(s) inside the firewall.

How to fix? Alternatively,
  • what else do I need to learn/discover before a fix can be applied?
  • where else should I go for help?
  • is there a better way to do what I need?
details:

This seems pretty complicated (to me, anyway), and I'm hoping to make whatever I discover available for others, so I'm maintaining my code/configs as project=linode_jumpbox_config and documenting @ that project's wiki (which has a glossary which may clarify terms used below).

The details on what I'm trying to do are hopefully summarized by this ASCII art:


                     <-MY CONTROL  AGENCY CONTROLLED-> 
                                                      firewall
+----------+      +-----------+      +---------------+   |   +---------+
| laptop + |      | linode  + |      | remote-access |   |   | cluster |
| F5NAP  + | <--> | OpenVPN + | <--> | website +     | <-|-> | node(s) |
| OpenVPN  |      | security  |      | F5VPN         |   |   |         |
+----------+      +-----------+      +---------------+   |   +---------+

Both laptop and linode are running Debian, configured by me. I know almost nothing about what agency==US EPA (part of the US Federal government) runs, and have even less control. The agency requires me to run an F5NAP==F5 Network Access Plugin in order to access the agency's F5VPN which enables access to compute clusters on which I need to do research (I'm a student). In the past I could run the F5NAP directly from my laptop to access the F5VPN, but this was recently broken by an access-policy change.

To accommodate the new policies, I'm trying to tunnel through a linode jumpbox, such that the linode satisfies all the new requirements (notably, static IP#). Most of the linode's pre-OpenVPN networking is configured by this bash script, which (hopefully) automates this manual procedure. (Details on the entire networking+OpenVPN install+configuration starts here, and is mostly automated. The automating scripts unfortunately need more structure and commenting, but should be relatively readable. Questions are welcomed; pull requests even more so.)

My implementation of my design works only for the following sequence (details here), after which it fails:

1. I can start an OpenVPN server on my linode (via SSH from my laptop) apparently successfully.

2. On my laptop, if I browse to (e.g.) http://www.whatismyip.com , I see a "normal" (for my ISP) IP#.

3. I can then start an OpenVPN client on my laptop (in a bash shell/terminal), again apparently successfully.

4. On my laptop, if I browse to http://www.whatismyip.com (using my normal, Debian-packaged browser=Firefox), as expected I now see the IP# of my linode. This is essential, since that IP# is on the agency's whitelist.

5. On my laptop, I can start my F5NAP'ed Firefox, and with that browse to http://www.whatismyip.com/ , and still see my linode's IP#.

6. Using the F5NAP'ed Firefox (on my laptop), I can browse to the agency's remote-access website and login normally.

7. Using (from the F5NAP'ed Firefox on my laptop) the web GUI provided (post-authentication) by the remote-access website, I can start the F5VPN, and see status==Connected in the F5VPN UI. This is what I expect from "the good old days" when I could run the F5VPN directly from my laptop.

At this point, in "the good old days," I could go to any shell/gnome-terminal on my laptop, utter `ssh fqdn.for.a.cluster.login.node.at.epa.gov`, and get to work. But not now :-(

Currently I am broken at this point in the sequence, as detailed here. Specifically, I lose DNS, which
  • (immediately) causes SSH to fail, preventing me from running SSH to any cluster login node (which is the whole point of this exercise).
  • (eventually) breaks the OpenVPN tunnel, which means the F5VPN no longer sees the registered/whitelisted IP#, causing it to drop my connection.
How to fix or debug? Complications for debugging/support include:

1. F5 (the agency's VPN vendor) is completely proprietary, and barely supports Linux. My attempts to get support from them have been mostly ignored.

2. The agency barely supports Linux internally, for users. (Of course the scientific-research clusters which we seek to use are all Linux, but they're supported by separate contractors who only support the clusters themselves, not access to the clusters.) The agency barely tolerates Linux for remote access, and especially by non-employees like me. (I'm a student.)

Net: I suspect I can get answers to some direct, specific questions from agency support, but I know (from bitter experience) that I cannot get support if I just say to them (as I am to you now) "this isn't working--what should I do?" I know especially that I cannot get help with anything related to a Linux client: agency client-side support is (AFAICS) strictly limited to Windows XP (no lie!)

How to fix this problem? (FWIW, I will document the fix @ project wiki, and my effusive praise for anyone who provides any assistance will last ... as long as its git repo does :-) Alternatively,
  • what else do I need to learn/discover before a fix can be applied?
  • where else should I go for help?
  • is there a better way to do what I need?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: how to tunnel proprietary VPN through OpenVPN jumpbox?

Post by Traffic » Fri Jan 16, 2015 12:10 pm

TomRoche wrote:Apologies if this is tl;dr (1300 words) but the problem seems somewhat complex (at least to me)
No kidding !
TomRoche wrote:but lose DNS once I activate the F5VPN using the RAW's web GUI.
Ask the admins of the F5VPN what DNS they configure for you.

If you summarize your OpenVPN setup we may be able to verify that for you - configs and logs.

TomRoche
OpenVpn Newbie
Posts: 12
Joined: Tue Oct 14, 2014 2:33 am

Re: how to tunnel proprietary VPN through OpenVPN jumpbox?

Post by TomRoche » Fri Jan 16, 2015 2:55 pm

TomRoche wrote:[it loses] DNS once I activate the F5VPN using the RAW's web GUI.
Traffic wrote:Ask the admins of the F5VPN what DNS they configure for you.
I will ask again--it's hard to find agency people who both know relevant IT information and are willing to help :-(
Traffic wrote:If you summarize your OpenVPN setup we may be able to verify that for you
Thanks in advance! I need to get back to the clusters to finish my master's thesis, so help is much appreciated.
Traffic wrote:- configs and logs.
The configs are already here:
and I should be able to add the logs today.

TomRoche
OpenVpn Newbie
Posts: 12
Joined: Tue Oct 14, 2014 2:33 am

Re: how to tunnel proprietary VPN through OpenVPN jumpbox?

Post by TomRoche » Mon Jan 19, 2015 4:14 am

Traffic wrote:[give] configs and logs.
TomRoche wrote:I should be able to add the logs today.
OK, that took quite a bit longer than anticipated :-) The good news is, I have just finished
  1. clarifying logging. The main log no longer goes to syslog, the status log path is no longer the default, and both paths are set explicitly in client.conf and server.conf.
  2. documenting logging. The evolution of the logs through the various stages of my problem is now hopefully documented helpfully for both client and server.
  3. improving code (hopefully) by increasing parameterization (most variables should only get set once, and more get set by the user's private.properties) and automating some setup/cleanup.
  4. rebuilding server and relevant bits of the client.
  5. carefully rerunning the scenario
and have updated
The bad news is, I still cannot tunnel the proprietary F5VPN over my OpenVPN, which appears required for my use case. Hence any assistance you can provide (and tolerance of newbie stumbling) would be much appreciated!

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: how to tunnel proprietary VPN through OpenVPN jumpbox?

Post by Traffic » Mon Jan 19, 2015 2:02 pm

Server.conf (relevant parts):
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 10.8.0.1"
Client log (relevant parts):
Sat Nov 8 17:29:47 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8 [Edit: missing options ?],route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Your configs and logs do not match up .. ?

TomRoche
OpenVpn Newbie
Posts: 12
Joined: Tue Oct 14, 2014 2:33 am

Re: how to tunnel proprietary VPN through OpenVPN jumpbox?

Post by TomRoche » Mon Jan 19, 2015 6:17 pm

Traffic wrote:Server.conf (relevant parts):
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 10.8.0.1"
Client log (relevant parts):
Sat Nov 8 17:29:47 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8 [Edit: missing options ?],route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Your configs and logs do not match up .. ?
Apologies for misleading (details below), but, actually, the configs and logs do match: the problem is that
Details:

In my OpenVPN_install wikipage, I have material on a manual install/config process (which is now old, and which I'm no longer using, except for some bits I reuse as noted) and material on the scripted install/config (which I'm actually using). I just checked my server.conf (on the linode), and it matches what I link from the wiki, particularly


push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# next line required by https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-12-04-precise-and-debian-7#tunneling-all-connections-through-the-vpn to fix ultra-VPN routing
# (i.e., not provided by https://wiki.debian.org/openvpn%20for%20server%20and%20client )
push "dhcp-option DNS 10.8.0.1"
# next line also required by https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-12-04-precise-and-debian-7#tunneling-all-connections-through-the-vpn to fix ultra-VPN routing
# (i.e., also provided by https://wiki.debian.org/openvpn%20for%20server%20and%20client )
push "redirect-gateway def1 bypass-dhcp"
And my client's main log, immediately after client startup (which is after server startup) has


Sun Jan 18 18:57:38 2015 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,dhcp-option DNS 10.8.0.1,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Which matches the server.conf (no?), unlike what you are looking at (in step=2 here), which was console output from the old manual process.

So the lessons-learned are:

1. When looking at server logs or client logs, please use the ones linked from the wiki (also available via the downloads page), and not the listings from the manual process

2. I should (hopefully today) on the wikipage either clearly deprecate the manual process, or make the manual-process listings match what I'm now doing with the scripted process.

So again, apologies for the noise, and your assistance is appreciated!
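The exchange above turns on whether the `push` directives in server.conf actually match the `PUSH_REPLY` the client logs. The following script, added here as an illustration and not part of the thread or of the poster's linode_jumpbox_config project, automates that comparison: it extracts the `push "..."` options from a server.conf fragment, parses the `PUSH_REPLY` line from a client log, and reports pushed options the client never received. The config fragment and both log lines are constructed samples modelled on the ones quoted in the thread (the "stale" line is the older console output that lacked two of the DNS options).

```python
"""Check that an OpenVPN server's push directives match what a client
reports receiving in its PUSH_REPLY log line (added example, constructed data)."""
import re
import shlex

# Constructed server.conf fragment, modelled on the listing quoted in the thread.
SERVER_CONF = '''
port 1194
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
# next line needed so clients can resolve names via the server's tunnel address
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1 bypass-dhcp"
'''

# Constructed client log lines: one from a current run, one from an older run.
CLIENT_LOG_OK = ("Sun Jan 18 18:57:38 2015 PUSH: Received control message: "
                 "'PUSH_REPLY,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,"
                 "dhcp-option DNS 10.8.0.1,redirect-gateway def1 bypass-dhcp,"
                 "route 10.8.0.1,topology net30,ping 10,ping-restart 120,"
                 "ifconfig 10.8.0.6 10.8.0.5'")
CLIENT_LOG_STALE = ("Sat Nov 8 17:29:47 2014 PUSH: Received control message: "
                    "'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,"
                    "dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,"
                    "ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'")

PUSH_RE = re.compile(r'^\s*push\s+(.+?)\s*$')
REPLY_RE = re.compile(r"PUSH_REPLY,([^']*)'")

# Options OpenVPN generates per client (not from push lines), so not "extra".
IMPLICIT_PREFIXES = ('ifconfig ', 'route ', 'topology ', 'ping ', 'ping-restart ')


def parse_push_directives(conf_text):
    """Return the option strings inside push "..." lines; comments are skipped."""
    pushed = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = PUSH_RE.match(stripped)
        if m:
            # shlex strips the quotes OpenVPN requires around a pushed option
            pushed.append(' '.join(shlex.split(m.group(1))))
    return pushed


def parse_push_reply(log_text):
    """Return the comma-separated options from the last PUSH_REPLY in a log."""
    options = []
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            options = [o.strip() for o in m.group(1).split(',') if o.strip()]
    return options


def compare_push(conf_text, log_text):
    """Return (missing, extra): pushed options absent from the client's reply,
    and reply options the config never pushed (server-generated ones excluded)."""
    pushed = parse_push_directives(conf_text)
    received = parse_push_reply(log_text)
    missing = [p for p in pushed if p not in received]
    extra = [r for r in received
             if r not in pushed and not r.startswith(IMPLICIT_PREFIXES)]
    return missing, extra


def dns_servers_pushed(conf_text):
    """Resolvers the client will be told to use. A tunnel address such as
    10.8.0.1 only resolves anything if the server runs a resolver there."""
    return [p.split()[2] for p in parse_push_directives(conf_text)
            if p.startswith('dhcp-option DNS ')]


if __name__ == '__main__':
    for name, log in (('current', CLIENT_LOG_OK), ('stale', CLIENT_LOG_STALE)):
        missing, extra = compare_push(SERVER_CONF, log)
        print(f'{name}: missing={missing} extra={extra}')
    print('DNS pushed:', dns_servers_pushed(SERVER_CONF))
```

Run it against a real server.conf and the client's main log (read the files instead of the constructed strings) before assuming a DNS problem is on the far side of the tunnel: if `missing` is empty, the client received the resolver list, and the next thing to check is whether each listed resolver is reachable once the inner VPN has rewritten the routing table.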

TomRoche
OpenVpn Newbie
Posts: 12
Joined: Tue Oct 14, 2014 2:33 am

doc fix

Post by TomRoche » Mon Jan 19, 2015 8:38 pm

TomRoche wrote:1. When looking at server logs or client logs, please use the ones linked from the wiki (also available via the downloads page), and not the listings from the manual process
I have removed the console-spew from the manual-process docs, which have also largely been relocated to a page where they are clearly deprecated.
TomRoche wrote:2. I should (hopefully today) on the wikipage either clearly deprecate the manual process
Also done.

Hopefully the wiki is now more readable and less confusing!

TomRoche
OpenVpn Newbie
Posts: 12
Joined: Tue Oct 14, 2014 2:33 am

Re: how to tunnel proprietary VPN through OpenVPN jumpbox?

Post by TomRoche » Mon Jan 19, 2015 11:25 pm

Also, the project wiki now has additional information about the server firewall and more client-side debugging.

TomRoche
OpenVpn Newbie
Posts: 12
Joined: Tue Oct 14, 2014 2:33 am

Re: how to tunnel proprietary VPN through OpenVPN jumpbox?

Post by TomRoche » Thu Jan 22, 2015 6:28 pm

TomRoche wrote:the project wiki now has additional information about the server firewall and more client-side debugging.
... which now seems very much to point to a conflict between the server's `iptables` (through which I want to tunnel) and the `route` changes imposed by the F5VPN (that I want to tunnel through the server): see state#=4 in the client-side debugging session. Does that seem reasonable? If so, how to fix?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: how to tunnel proprietary VPN through OpenVPN jumpbox?

Post by Traffic » Thu Mar 12, 2015 11:29 pm

Continued ...
topic18397.html
