So another function of this Multi WAN Router was to set up a VPN link to the Head office. Before this setup, each Branch LAN user had to connect to the Head Office through an individual Remote Desktop connection (using Head office static IPs). With the Multi WAN router, I was able to set up an OpenVPN server at the Head office, and the Multi WAN router provided the VPN link to the Head office. Once this was set up and tested, the Branch LAN users could connect to the Head office through their own Remote Desktop apps, using Head office LAN IPs.
The tunnel between the Head Office and the Branch office is now secure (vs. the setup before, wherein each Branch LAN user had to use the Remote Desktop app directly to the Head office without any VPN link between the two).
The applications at the Head office mainly involve DB calls to an MS SQL server. However, when we tried launching the app itself (coded in PowerBuilder) on the Branch LAN machines, we couldn't get it to work properly, so we had to go back to using Remote Desktop (ideally, I would prefer to have the main app just use the VPN link to the DBs, but that is a separate issue to troubleshoot). (On a side note, when I use the VPN link to do DB queries directly, I don't experience problems. I guess I need to optimize the network settings to make this work for the other LAN users.)
Currently, there are only 4 Branch LAN users being supported to access the Head Office server, but in the coming weeks we will be expanding to a possible total of about 10 to 15 users at the Branch LAN. I am planning that if the available bandwidth at the Branch LAN doesn't allow us to support 10 to 15 users, the backup plan will be to set up the server at the Branch itself, so all 15 users will be accessing it locally, while the Head Office users who need to "interact" with the data (about 2 or 3) will just use a VPN link from the Head Office to the Branch Office to access the data.
In line with this, I am preparing for that setup now (an OpenVPN server at the Branch office, separate from the existing VPN link between the Branch and Head office. I could use the existing VPN link between the Head office and Branch office for this, but setting up its own VPN server would allow me and other support team members access into the Branch Office network through the VPN link wherever they are).
Here is the relevant information:
kss1x@JFINCRROUTER:~$ ifconfig
enp1s0 Link encap:Ethernet HWaddr 7c:8b:ca:01:45:d7
inet addr:192.168.15.254 Bcast:192.168.15.255 Mask:255.255.255.0
inet6 addr: fe80::7e8b:caff:fe01:45d7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:417 errors:0 dropped:0 overruns:0 frame:0
TX packets:415 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:39532 (39.5 KB) TX bytes:38908 (38.9 KB)
enp2s0 Link encap:Ethernet HWaddr 1c:1b:0d:d6:b5:84
inet addr:192.168.111.1 Bcast:192.168.111.255 Mask:255.255.255.0
inet6 addr: fe80::1e1b:dff:fed6:b584/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:20160 errors:0 dropped:433 overruns:0 frame:0
TX packets:16363 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3320501 (3.3 MB) TX bytes:5419145 (5.4 MB)
enp3s0 Link encap:Ethernet HWaddr 7c:8b:ca:01:8e:8e
inet addr:192.168.2.254 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::7e8b:caff:fe01:8e8e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13531 errors:0 dropped:0 overruns:0 frame:0
TX packets:13081 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6273017 (6.2 MB) TX bytes:2768476 (2.7 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:3052 errors:0 dropped:0 overruns:0 frame:0
TX packets:3052 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:286964 (286.9 KB) TX bytes:286964 (286.9 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.9.0.1 P-t-P:10.9.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:44 (44.0 B) TX bytes:72 (72.0 B)
tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.249 P-t-P:10.8.0.249 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:2402 errors:0 dropped:0 overruns:0 frame:0
TX packets:2543 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:430989 (430.9 KB) TX bytes:327839 (327.8 KB)
enp3s0 is the WAN2 link
enp2s0 is the LAN link
tun0 is the new OpenVPN server tun interface
tun1 is the current OpenVPN link with the Head office (the head office houses the server, the branch office is the client)
iptables output:
kss1x@JFINCRROUTER:~$ sudo iptables -L -nv
[sudo] password for kss1x:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2988 286K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- enp1s0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
0 0 ACCEPT udp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
5 410 ACCEPT udp -- enp2s0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
331 27804 ACCEPT all -- enp1s0 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4213 1819K ACCEPT all -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1353 99106 ACCEPT all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
6194 604K ACCEPT all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0
0 0 SSH_ROUTER tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222
192 23931 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 28410 packets, 13M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12240 packets, 1573K bytes)
pkts bytes target prot opt in out source destination
Chain SSH_ROUTER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * w.x.y.z 0.0.0.0/0
0 0 ACCEPT all -- * * w1.x1.y1.z1 0.0.0.0/0
0 0 ACCEPT all -- * * w2.x2.y2.z2 0.0.0.0/0
0 0 ACCEPT all -- * * 10.9.0.0 0.0.0.0/0
0 0 ACCEPT all -- * * 10.8.0.0 0.0.0.0/0
0 0 ACCEPT all -- * * 10.6.0.0 0.0.0.0/0
0 0 ACCEPT all -- * * 10.6.1.0 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.111.0/24 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
kss1x@JFINCRROUTER:~$ sudo iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 2436 packets, 299K bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1058 packets, 86301 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3094 packets, 215K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3245 packets, 226K bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * enp1s0 192.168.111.0/24 0.0.0.0/0 to:192.168.15.254
959 176K SNAT all -- * enp3s0 192.168.111.0/24 0.0.0.0/0 to:192.168.2.254
0 0 SNAT all -- * enp1s0 192.168.111.0/24 0.0.0.0/0 to:192.168.15.254
0 0 SNAT all -- * enp3s0 192.168.111.0/24 0.0.0.0/0 to:192.168.2.254
0 0 SNAT all -- * enp1s0 10.9.0.0/24 0.0.0.0/0 to:192.168.15.254
0 0 SNAT all -- * enp3s0 10.9.0.0/24 0.0.0.0/0 to:192.168.2.254
kss1x@JFINCRROUTER:~$ sudo iptables -L -nv -t mangle
Chain PREROUTING (policy ACCEPT 86546 packets, 51M bytes)
pkts bytes target prot opt in out source destination
86576 51M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK restore
15 1817 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1
68 6036 MARK all -- enp1s0 * 0.0.0.0/0 0.0.0.0/0 state NEW mark match 0x0 MARK set 0x1
15 1812 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x2
73 13395 MARK all -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 state NEW mark match 0x0 MARK set 0x2
86546 51M CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 CONNMARK save
Chain INPUT (policy ACCEPT 16027 packets, 2936K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 70402 packets, 48M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 12794 packets, 1645K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 83266 packets, 49M bytes)
pkts bytes target prot opt in out source destination
kss1x@JFINCRROUTER:~$ ip route show table 1
default via 192.168.15.1 dev enp1s0
10.9.0.0/24 dev enp2s0 scope link
192.168.15.0/24 dev enp1s0 scope link src 192.168.15.254
192.168.111.0/24 dev enp2s0 scope link
kss1x@JFINCRROUTER:~$ ip route show table 2
default via 192.168.2.1 dev enp3s0
10.9.0.0/24 dev enp2s0 scope link
192.168.2.0/24 dev enp3s0 scope link src 192.168.2.254
192.168.111.0/24 dev enp2s0 scope link
kss1x@JFINCRROUTER:~/scripts$ ip route show
default via 192.168.2.1 dev enp3s0
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.249
10.9.0.0/24 dev tun0 proto kernel scope link src 10.9.0.1
169.254.0.0/16 dev enp3s0 scope link metric 1000
192.168.2.0/24 dev enp3s0 proto kernel scope link src 192.168.2.254
192.168.15.0/24 dev enp1s0 proto kernel scope link src 192.168.15.254
192.168.100.0/24 via 10.8.0.1 dev tun1
192.168.111.0/24 dev enp2s0 proto kernel scope link src 192.168.111.1
a check on ports:
kss1x@JFINCRROUTER:~$ netstat -atun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.111.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7505 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.111.1:53 0.0.0.0:* LISTEN
tcp 0 208 192.168.111.1:2222 192.168.111.204:65355 ESTABLISHED
tcp6 0 0 :::2222 :::* LISTEN
tcp6 0 0 ::1:53 :::* LISTEN
tcp6 0 0 fe80::1e1b:dff:fed6::53 :::* LISTEN
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 0.0.0.0:1194 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:36124 0.0.0.0:*
udp 0 0 0.0.0.0:34646 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 192.168.111.1:53 0.0.0.0:*
udp 0 0 0.0.0.0:67 0.0.0.0:*
udp6 0 0 :::41584 :::*
udp6 0 0 :::5353 :::*
udp6 0 0 ::1:53 :::*
udp6 0 0 fe80::1e1b:dff:fed6::53 :::*
server config:
management localhost 7505
port 1194
proto udp
dev tun
topology subnet
ca /etc/openvpn/ca.JFINCR.crt
cert /etc/openvpn/JFINCRSERVER.crt
key /etc/openvpn/JFINCRSERVER.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.111.0 255.255.255.0"
push "dhcp-option DNS 192.168.111.1"
keepalive 10 120
tls-auth ta.JFINCR.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC # AES
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
client config:
client
dev tun
proto udp
remote www.xxx.yyy.zzz
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.JFINCR.crt
cert KSS1XMAC.crt
key KSS1XMAC.key
tls-auth ta.JFINCR.key 1
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
Currently, when I try to connect through the LAN, I am able to connect, but if I try to connect through the WAN (using a 3G connection through my mobile phone), I can't seem to get past the WAN modem. There is no evidence on the server that the attempt to connect to the VPN server (udp port 1194) is making it through (based on the packet count from iptables), but when I access through the LAN, the packet count is updated. A check with the 2 WAN modems, however, shows that port forwarding is enabled for tcp/udp 1194 to 1195.
I am at a loss on how to proceed to troubleshoot this.
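Added example (editor's code, not part of the post above): a small Python script that parses the `iptables -L -nv` listing format shown in the post and pulls out the two facts that matter for this troubleshooting. First, the per-inbound-interface packet counts on the `udp dpt:1194` NEW rules: zero on enp1s0 and enp3s0 while enp2s0 counts is exactly the "never reaches the router from the WAN" symptom, and it means the next check belongs on the WAN interface (e.g. `tcpdump -ni enp1s0 udp port 1194` on the router) and on the modem's forwarding target, not in the OpenVPN config. Second, allow-list entries in the SSH_ROUTER chain that `iptables -n` prints without a mask, which is how a /32 host match is displayed: `10.9.0.0` matches only the single address 10.9.0.0, not the 10.9.0.0/24 tunnel subnet, so such an entry never admits a VPN client. The SAMPLE text is a constructed excerpt copied from the listing in the post; the function names are the example's own.

```python
"""Parse `iptables -L -nv` listings and answer two multi-WAN OpenVPN questions:

  1. On which inbound interface have udp/1194 NEW packets actually been counted?
     Zero on every WAN interface means the modem's port forward is not delivering.
  2. Which ACCEPT sources in the SSH allow-list are bare addresses (a /32 host
     match, as `iptables -n` prints it) where a subnet was probably meant?

SAMPLE is a constructed excerpt of the listing posted above.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 2988 286K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT udp -- enp1s0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
    0 0 ACCEPT udp -- enp3s0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
    5 410 ACCEPT udp -- enp2s0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:1194
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    0 0 SSH_ROUTER tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222
  192 23931 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain SSH_ROUTER (1 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * * 10.9.0.0 0.0.0.0/0
    0 0 ACCEPT all -- * * 10.8.0.0 0.0.0.0/0
    0 0 ACCEPT all -- * * 192.168.111.0/24 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
"""


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # match options after the destination column, e.g. "udp dpt:1194"


def parse_counter(tok):
    """`iptables -v` abbreviates counters (286K, 13M); expand to an integer."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    if tok[-1] in mult:
        return int(tok[:-1]) * mult[tok[-1]]
    return int(tok)


def parse_listing(text):
    """Turn the columnar listing into Rule objects, tracking the current chain."""
    rules = []
    chain = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        if line.startswith("pkts"):  # column header
            continue
        # pkts bytes target prot opt in out source destination [extra...]
        parts = line.split(None, 9)
        if len(parts) < 9:
            continue
        rules.append(Rule(chain, parse_counter(parts[0]), parts[2], parts[3],
                          parts[5], parts[6], parts[7], parts[8],
                          parts[9] if len(parts) > 9 else ""))
    return rules


def vpn_port_counters(rules, port=1194):
    """Map inbound interface -> packets counted on INPUT udp dpt:<port> rules."""
    needle = "dpt:%d" % port
    return {r.in_if: r.pkts for r in rules
            if r.chain == "INPUT" and r.proto == "udp" and needle in r.extra}


def silent_interfaces(rules, port=1194):
    """Interfaces whose udp/<port> accept rule has never matched a packet."""
    return sorted(i for i, n in vpn_port_counters(rules, port).items() if n == 0)


def suspicious_host_matches(rules, chain="SSH_ROUTER"):
    """ACCEPT sources printed without a mask and ending in .0: a /32 host match
    (10.9.0.0 admits only that one address), almost certainly meant as /24."""
    return [r.src for r in rules
            if r.chain == chain and r.target == "ACCEPT"
            and "/" not in r.src and r.src.endswith(".0")]


if __name__ == "__main__":
    rs = parse_listing(SAMPLE)
    print("udp/1194 NEW packets by inbound interface:", vpn_port_counters(rs))
    print("interfaces with no 1194 hits (check modem forward / tcpdump there):",
          silent_interfaces(rs))
    print("allow-list entries that are host matches, not subnets:",
          suspicious_host_matches(rs))
```

To use it on the live router, pipe `sudo iptables -L -nv` into `parse_listing` instead of SAMPLE, make a connection attempt from the 3G client, and re-run: a WAN interface that stays at zero tells you the packet never arrived at the router, so the modem forward (or the modem's idea of the router's address) is where to look next.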