OpenVPN Server in a Multi WAN Ubuntu 16.04 Router

Moderators: TinCanTech
wowiesy
OpenVPN User
Posts: 25
Joined: Mon Jul 10, 2017 6:33 am

Post by wowiesy » Sat Feb 24, 2018 5:37 am

I have previously set up a multi-WAN router (using policy routing). The intent for this router then was to provide load balancing / failover between 2 WAN links for the LAN. This setup is in a branch office, and the LAN users in this branch need to access applications (via Remote Desktop) at the Main office.

So another function of this multi-WAN router was to set up a VPN link to the Head office. Before this setup, each Branch LAN user had to connect to the Head Office through an individual Remote Desktop connection (using Head office static IPs). With the multi-WAN router, I was able to set up an OpenVPN server at the Head office, and the multi-WAN router provided the VPN link to the Head office. Once this was set up and tested, the Branch LAN users could connect to the Head office through their own Remote Desktop apps, using Head office LAN IPs.

The tunnel between Head Office and Branch office is now secure (vs. the setup before, wherein each Branch LAN user had to use the Remote Desktop app directly to the Head office without any VPN link between the two).

The applications at the Head office mainly involve DB calls to an MS SQL server. However, when we tried launching the app itself (coded in PowerBuilder) on the Branch LAN machines, we couldn't get it to work properly, so we had to go back to using Remote Desktop (ideally, I prefer to have the main app just use the VPN link to the DBs, but that is a separate issue to troubleshoot). (On a side note, when I use the VPN link to do DB queries directly, I don't experience problems. I guess I need to optimize the network settings to make this work for the other LAN users.)

Currently, there are only 4 Branch LAN users being supported to access the Head Office server, but in the coming weeks we will be expanding to a possible total of about 10 to 15 users at the Branch LAN. I am planning that if the available bandwidth at the Branch LAN doesn't allow us to support 10 to 15 users, the backup plan will be to set up the server at the Branch itself, so all 15 users will be accessing it locally, while the Head Office users who need to "interact" with the data (about 2 or 3) will just use a VPN link from the Head Office to the Branch Office to access the data.

In line with this, I am preparing for that setup now (an OpenVPN server at the Branch office, separate from the VPN link existing between Branch and Head office. I could use the existing VPN link between Head office and Branch office for this, but setting up its own VPN server would allow me and other support team members access into the Branch Office network through the VPN link wherever they are).

Here is the relevant information:

```text
kss1x@JFINCRROUTER:~$ ifconfig
enp1s0    Link encap:Ethernet  HWaddr 7c:8b:ca:01:45:d7  
          inet addr:192.168.15.254  Bcast:192.168.15.255  Mask:255.255.255.0
          inet6 addr: fe80::7e8b:caff:fe01:45d7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:417 errors:0 dropped:0 overruns:0 frame:0
          TX packets:415 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:39532 (39.5 KB)  TX bytes:38908 (38.9 KB)

enp2s0    Link encap:Ethernet  HWaddr 1c:1b:0d:d6:b5:84  
          inet addr:192.168.111.1  Bcast:192.168.111.255  Mask:255.255.255.0
          inet6 addr: fe80::1e1b:dff:fed6:b584/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20160 errors:0 dropped:433 overruns:0 frame:0
          TX packets:16363 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3320501 (3.3 MB)  TX bytes:5419145 (5.4 MB)

enp3s0    Link encap:Ethernet  HWaddr 7c:8b:ca:01:8e:8e  
          inet addr:192.168.2.254  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::7e8b:caff:fe01:8e8e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13531 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13081 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:6273017 (6.2 MB)  TX bytes:2768476 (2.7 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:3052 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3052 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:286964 (286.9 KB)  TX bytes:286964 (286.9 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.9.0.1  P-t-P:10.9.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:44 (44.0 B)  TX bytes:72 (72.0 B)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.249  P-t-P:10.8.0.249  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2402 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2543 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:430989 (430.9 KB)  TX bytes:327839 (327.8 KB)
```

enp1s0 is the WAN1 link
enp3s0 is the WAN2 link
enp2s0 is the LAN link
tun0 is the new OpenVPN server tun interface
tun1 is the current OpenVPN link with the Head office (the Head office houses the server; the branch office is the client)

iptables output:

```text
kss1x@JFINCRROUTER:~$ sudo iptables -L -nv
[sudo] password for kss1x: 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2988  286K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  enp1s0 *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1194
    0     0 ACCEPT     udp  --  enp3s0 *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1194
    5   410 ACCEPT     udp  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1194
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
  331 27804 ACCEPT     all  --  enp1s0 *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 4213 1819K ACCEPT     all  --  enp3s0 *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 1353 99106 ACCEPT     all  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 6194  604K ACCEPT     all  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 SSH_ROUTER  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
  192 23931 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 28410 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 12240 packets, 1573K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain SSH_ROUTER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       w.x.y.z              0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       w1.x1.y1.z1          0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       w2.x2.y2.z2          0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       10.9.0.0             0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       10.8.0.0             0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       10.6.0.0             0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       10.6.1.0             0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       192.168.111.0/24     0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0  


kss1x@JFINCRROUTER:~$ sudo iptables -L -nv -t nat
Chain PREROUTING (policy ACCEPT 2436 packets, 299K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 1058 packets, 86301 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3094 packets, 215K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 3245 packets, 226K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all  --  *      enp1s0  192.168.111.0/24     0.0.0.0/0            to:192.168.15.254
  959  176K SNAT       all  --  *      enp3s0  192.168.111.0/24     0.0.0.0/0            to:192.168.2.254
    0     0 SNAT       all  --  *      enp1s0  192.168.111.0/24     0.0.0.0/0            to:192.168.15.254
    0     0 SNAT       all  --  *      enp3s0  192.168.111.0/24     0.0.0.0/0            to:192.168.2.254
    0     0 SNAT       all  --  *      enp1s0  10.9.0.0/24          0.0.0.0/0            to:192.168.15.254
    0     0 SNAT       all  --  *      enp3s0  10.9.0.0/24          0.0.0.0/0            to:192.168.2.254

kss1x@JFINCRROUTER:~$ sudo iptables -L -nv -t mangle
Chain PREROUTING (policy ACCEPT 86546 packets, 51M bytes)
 pkts bytes target     prot opt in     out     source               destination         
86576   51M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore
   15  1817 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x1
   68  6036 MARK       all  --  enp1s0 *       0.0.0.0/0            0.0.0.0/0            state NEW mark match 0x0 MARK set 0x1
   15  1812 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x2
   73 13395 MARK       all  --  enp3s0 *       0.0.0.0/0            0.0.0.0/0            state NEW mark match 0x0 MARK set 0x2
86546   51M CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK save

Chain INPUT (policy ACCEPT 16027 packets, 2936K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 70402 packets, 48M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 12794 packets, 1645K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 83266 packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination      
```

As mentioned, I used policy routing to enable 2 WAN links side by side. Here are the routing table contents:

```text
kss1x@JFINCRROUTER:~$ ip route show table 1
default via 192.168.15.1 dev enp1s0 
10.9.0.0/24 dev enp2s0  scope link 
192.168.15.0/24 dev enp1s0  scope link  src 192.168.15.254 
192.168.111.0/24 dev enp2s0  scope link 

kss1x@JFINCRROUTER:~$ ip route show table 2
default via 192.168.2.1 dev enp3s0 
10.9.0.0/24 dev enp2s0  scope link 
192.168.2.0/24 dev enp3s0  scope link  src 192.168.2.254 
192.168.111.0/24 dev enp2s0  scope link 
```

The current routing table shows:

```text
kss1x@JFINCRROUTER:~/scripts$ ip route show
default via 192.168.2.1 dev enp3s0 
10.8.0.0/24 dev tun1  proto kernel  scope link  src 10.8.0.249 
10.9.0.0/24 dev tun0  proto kernel  scope link  src 10.9.0.1 
169.254.0.0/16 dev enp3s0  scope link  metric 1000 
192.168.2.0/24 dev enp3s0  proto kernel  scope link  src 192.168.2.254 
192.168.15.0/24 dev enp1s0  proto kernel  scope link  src 192.168.15.254 
192.168.100.0/24 via 10.8.0.1 dev tun1 
192.168.111.0/24 dev enp2s0  proto kernel  scope link  src 192.168.111.1 
```

A check on ports:

```text
kss1x@JFINCRROUTER:~$ netstat -atun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.111.1:631       0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:7505          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN     
tcp        0      0 192.168.111.1:53        0.0.0.0:*               LISTEN     
tcp        0    208 192.168.111.1:2222      192.168.111.204:65355   ESTABLISHED
tcp6       0      0 :::2222                 :::*                    LISTEN     
tcp6       0      0 ::1:53                  :::*                    LISTEN     
tcp6       0      0 fe80::1e1b:dff:fed6::53 :::*                    LISTEN     
udp        0      0 0.0.0.0:631             0.0.0.0:*                          
udp        0      0 0.0.0.0:1194            0.0.0.0:*                          
udp        0      0 0.0.0.0:5353            0.0.0.0:*                          
udp        0      0 0.0.0.0:36124           0.0.0.0:*                          
udp        0      0 0.0.0.0:34646           0.0.0.0:*                          
udp        0      0 127.0.0.1:53            0.0.0.0:*                          
udp        0      0 192.168.111.1:53        0.0.0.0:*                          
udp        0      0 0.0.0.0:67              0.0.0.0:*                          
udp6       0      0 :::41584                :::*                               
udp6       0      0 :::5353                 :::*                               
udp6       0      0 ::1:53                  :::*                               
udp6       0      0 fe80::1e1b:dff:fed6::53 :::*  
```

This shows udp 1194 is listened on by all interfaces.

server config:

```text
management localhost 7505
port 1194
proto udp
dev tun
topology subnet
ca /etc/openvpn/ca.JFINCR.crt
cert /etc/openvpn/JFINCRSERVER.crt
key /etc/openvpn/JFINCRSERVER.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.111.0 255.255.255.0"
push "dhcp-option DNS 192.168.111.1"
keepalive 10 120
tls-auth ta.JFINCR.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC # AES
auth SHA256
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
```


client config:

```text
client
dev tun
proto udp
remote www.xxx.yyy.zzz
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.JFINCR.crt
cert KSS1XMAC.crt
key KSS1XMAC.key
tls-auth ta.JFINCR.key 1
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
verb 3
```


Currently, when I try to connect through the LAN, I am able to connect, but if I try to connect through the WAN (using a 3G connection through my mobile phone), I can't seem to get past the WAN modem. There is no evidence on the server that the attempt to connect to the VPN server (udp port 1194) is making it through (based on the packet count from iptables), but when I access through the LAN, the packet count is updated. A check with the 2 WAN modems however shows that port forwarding is enabled for tcp/udp 1194 to 1195.

I am at a loss on how to proceed to troubleshoot this.
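The packet-count check the post relies on, as an added example that is not part of the original thread: a small Python parser for `iptables -L -nv` listings that reports, per inbound interface, how many packets each udp/1194 accept rule has matched, which interfaces have never matched at all, and how much traffic the closing unconditional DROP has swallowed. The sample listing is constructed from the INPUT chain shown above (abbreviated to the relevant rules); the function names are this example's own.

```python
"""Read `iptables -L -nv` output and attribute OpenVPN (udp/1194) traffic to
the interface it arrived on. Added example; SAMPLE_FILTER is constructed from
the router's own INPUT chain, abbreviated."""
import re

SAMPLE_FILTER = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2988  286K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  enp1s0 *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1194
    0     0 ACCEPT     udp  --  enp3s0 *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1194
    5   410 ACCEPT     udp  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0            state NEW udp dpt:1194
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0
  192 23931 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 28410 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (?P<name>\S+) \((?P<info>.*)\)$")
# Column layout of `iptables -L -nv`: pkts bytes target prot opt in out src dst [match extras]
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?P<extra>.*)$"
)


def scale(num: str) -> int:
    """Expand iptables' abbreviated counters (286K, 13M); they are 1000-based and rounded."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    if num[-1] in mult:
        return int(num[:-1]) * mult[num[-1]]
    return int(num)


def parse_chains(text: str) -> dict:
    """Return {chain name: [rule dict, ...]} in listing order.
    Rules with no -j target (rare) would shift the columns and are not handled."""
    chains, current = {}, None
    for line in text.splitlines():
        head = CHAIN_RE.match(line)
        if head:
            current = head.group("name")
            chains[current] = []
            continue
        rule = RULE_RE.match(line) if current else None
        if rule:
            r = rule.groupdict()
            r["pkts"], r["bytes"] = scale(r["pkts"]), scale(r["bytes"])
            r["extra"] = r["extra"].strip()
            chains[current].append(r)
    return chains


def accept_rules_for_port(chains: dict, chain="INPUT", proto="udp", port=1194) -> dict:
    """{inbound interface: packets} for every ACCEPT rule on proto/dpt:port in `chain`."""
    return {
        r["in"]: r["pkts"]
        for r in chains.get(chain, [])
        if r["target"] == "ACCEPT" and r["prot"] == proto and f"dpt:{port}" in r["extra"]
    }


def quiet_interfaces(hits: dict) -> list:
    """Interfaces whose accept rule has never matched since the counters were last zeroed."""
    return sorted(iface for iface, pkts in hits.items() if pkts == 0)


def catch_all_drops(chains: dict, chain="INPUT") -> int:
    """Packets eaten by an unconditional DROP (any iface, any source, no match extras):
    traffic that reached the host but fitted no accept rule."""
    return sum(
        r["pkts"] for r in chains.get(chain, [])
        if r["target"] == "DROP" and r["in"] == "*" and r["src"] == "0.0.0.0/0" and not r["extra"]
    )


if __name__ == "__main__":
    chains = parse_chains(SAMPLE_FILTER)
    hits = accept_rules_for_port(chains)
    for iface, pkts in hits.items():
        print(f"{iface}: {pkts} new udp/1194 packets accepted")
    print("never matched:", quiet_interfaces(hits))
    print("silently dropped in INPUT:", catch_all_drops(chains))
```

A zero counter on the enp1s0 and enp3s0 rules means no new udp/1194 datagram has arrived on either WAN interface since the counters were last zeroed, which is why the next hop upstream (the modem's port forward) is the thing to verify. Packets absorbed by the closing DROP are invisible without a log rule: inserting `iptables -I INPUT <n> -j LOG --log-prefix "INPUT-DROP: "` at the position just before the DROP records their source, interface and port in the kernel log, and `iptables -Z INPUT` resets the counters so a single fresh connection attempt can be attributed cleanly.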
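The server and client configs posted above also deserve a hardening pass before the new server is exposed on two WAN links. The following is an added example, not code from the thread or from the OpenVPN project: it parses both configs with OpenVPN's own comment and quoting rules and reports the items a reviewer would raise (no `remote-cert-tls server` on the client, no `tls-version-min` on the server, `comp-lzo` on both ends, a password-less management socket). The config text is copied from the post, abbreviated to the directives the checks look at; the check list and severity labels are this example's own judgement.

```python
"""Hardening review of the OpenVPN configs posted above. Added example:
the configs are copied (abbreviated) from the post, the checks and
severities are the reviewer's own, not OpenVPN project policy."""
import shlex

SERVER_CONF = """\
management localhost 7505
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.JFINCR.crt
cert /etc/openvpn/JFINCRSERVER.crt
key /etc/openvpn/JFINCRSERVER.key # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.9.0.0 255.255.255.0
push "route 192.168.111.0 255.255.255.0"
push "dhcp-option DNS 192.168.111.1"
tls-auth ta.JFINCR.key 0 # This file is secret
key-direction 0
cipher AES-128-CBC # AES
auth SHA256
comp-lzo
user nobody
group nogroup
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote www.xxx.yyy.zzz
ca ca.JFINCR.crt
cert KSS1XMAC.crt
key KSS1XMAC.key
tls-auth ta.JFINCR.key 1
cipher AES-128-CBC
auth SHA256
key-direction 1
comp-lzo
"""


def tokens(line: str) -> list:
    """Split one config line the way OpenVPN does: quotes group an argument,
    '#' or ';' outside quotes starts a comment (shlex does both for us)."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.commenters = "#;"
    return list(lex)


def parse_conf(text: str) -> dict:
    """directive -> list of argument lists; repeated directives (push, ...) all kept."""
    conf = {}
    for line in text.splitlines():
        t = tokens(line)
        if t:
            conf.setdefault(t[0], []).append(t[1:])
    return conf


def review(server_text: str, client_text: str) -> list:
    """Return (severity, side, message) findings for the pair of configs."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    f = []
    if "remote-cert-tls" not in c:
        f.append(("high", "client", "no 'remote-cert-tls server': any certificate issued by "
                  "this CA, including another client's, would be accepted as the server"))
    if "tls-version-min" not in s:
        f.append(("warn", "server", "no tls-version-min; the control channel can negotiate "
                  "TLS 1.0, add 'tls-version-min 1.2'"))
    for side, conf in (("server", s), ("client", c)):
        if "comp-lzo" in conf or "compress" in conf:
            f.append(("warn", side, "comp-lzo compresses secret and attacker-influenced data in "
                      "one stream (VORACLE-class compression oracle); remove it on both ends"))
    if "tls-auth" not in s and "tls-crypt" not in s:
        f.append(("warn", "server", "no tls-auth/tls-crypt; control channel accepts "
                  "unauthenticated packets"))
    if "user" not in s or "group" not in s:
        f.append(("warn", "server", "daemon keeps root after start-up; add user/group"))
    if s.get("management") and len(s["management"][0]) < 3:
        f.append(("info", "server", "management socket has no pw-file; any local account "
                  "that can reach localhost:7505 controls the daemon"))
    cipher = s["cipher"][0][0] if s.get("cipher") and s["cipher"][0] else ""
    if cipher and "GCM" not in cipher.upper():
        f.append(("info", "server", f"cipher {cipher} is CBC mode; with OpenVPN 2.4 on both ends "
                  "ncp-ciphers upgrades the data channel to AES-GCM, on 2.3 (Ubuntu 16.04) "
                  "the configured cipher is what you get"))
    return f


if __name__ == "__main__":
    for sev, side, msg in review(SERVER_CONF, CLIENT_CONF):
        print(f"[{sev}] {side}: {msg}")
```

The highest-value change is the client-side `remote-cert-tls server`, which makes the client insist that the peer's certificate carries the server role: without it, the CA that signs every branch laptop's certificate is also, in effect, authorising every branch laptop to pose as the VPN server. The compression and TLS-version items are one-line config changes, but `comp-lzo` must be removed from both sides at the same time or the tunnel will not come up.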

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Server in a Multi WAN Ubuntu 16.04 Router

Post by TinCanTech » Sat Feb 24, 2018 2:29 pm

I may be able to help ..

tincanteksup <at> gmail
