
Access Linux OpenVPN server from XP on parallels

Posted: Mon Apr 23, 2012 1:01 pm
by McLinux
I have installed OpenVPN on Ubuntu Server
IP 192.168.1.65
OpenVPN 10.8.0.1

From XP I can ping both IPs.

When I configure remote = 192.168.1.65 1194 in client.conf I can ssh to 10.8.0.1.
When I configure my Internet IP and start the client it stops with:

Mon Apr 23 14:53:47 2012 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)

I disabled the XP firewall.

On Windows route print:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 ff 1e b0 5d ab ...... TAP-Win32 Adapter V9
0x10004 ...00 1c 42 81 6d 24 ...... Parallels Ethernet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.211.55.1 10.211.55.9 10
10.211.55.0 255.255.255.0 10.211.55.9 10.211.55.9 10
10.211.55.9 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.211.55.9 10.211.55.9 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.211.55.9 10.211.55.9 10
255.255.255.255 255.255.255.255 10.211.55.9 10.211.55.9 1
255.255.255.255 255.255.255.255 10.211.55.9 2 1
Default Gateway: 10.211.55.1
===========================================================================
Persistent Routes:
None

On my router (Huawei) port forwarding:

protocol: udp
from port: 1194
to port: 1194
local IP address: 192.168.1.65
to port: 1194
name: vpn

Parallels has shared networking.
root@file-server:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:rootd
ACCEPT tcp -- anywhere anywhere tcp dpt:openvpn
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:openvpn
ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp dpts:33434:33523
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:rootd
ACCEPT tcp -- anywhere anywhere tcp dpt:rootd

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.1.0/24 10.8.0.0/24
ACCEPT all -- 10.8.0.0/24 192.168.1.0/24

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:rootd
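
A note on the error in the first post, with an added example that is not part of the thread. On a UDP socket, Windows reports WSAECONNRESET (10054) and Linux ECONNREFUSED when an ICMP port unreachable comes back for a datagram the socket sent: the packet reached a host, and that host has nothing bound to the port. That is a different failure from a silent drop by a DROP policy or a port-forward that never delivered the packet, where nothing comes back at all. The script below classifies a UDP port into those cases; the three loopback listeners it probes, the ports and the echo responder are all constructed for the demo.

```python
import socket
import threading


def udp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Send one datagram and classify what comes back.

    "unreachable" - the kernel delivered an ICMP port unreachable for this flow
                    (Linux: ECONNREFUSED, Windows: WSAECONNRESET code 10054).
                    A host answered, but nothing listens on that UDP port.
    "reply"       - a datagram came back.
    "silent"      - nothing within the timeout: filtered or DROPped on the way,
                    not forwarded, or a service that ignores packets it cannot
                    authenticate (OpenVPN with tls-auth behaves like that).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        # A *connected* UDP socket is what makes the kernel report ICMP errors
        # for this 4-tuple back to us as a socket error instead of discarding them.
        sock.connect((host, port))
        sock.send(b"\x00" * 14)  # arbitrary payload, constructed for the demo
        try:
            sock.recv(2048)
            return "reply"
        except (ConnectionRefusedError, ConnectionResetError):
            return "unreachable"
        except socket.timeout:
            return "silent"
    finally:
        sock.close()


def _silent_listener() -> socket.socket:
    """Bound UDP socket that never answers: models a port that swallows packets."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s


def _echo_listener() -> socket.socket:
    """Bound UDP socket with a thread that echoes one datagram: models a live service."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))

    def serve():
        try:
            data, peer = s.recvfrom(2048)
            s.sendto(data, peer)
        except OSError:
            pass  # socket closed underneath us; nothing to do

    threading.Thread(target=serve, daemon=True).start()
    return s


def demo() -> dict:
    """Probe three loopback ports this script sets up itself and return the verdicts."""
    results = {}

    # 1. A port with nothing listening: the kernel answers with ICMP port unreachable.
    closed = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()  # released again, so the port is now free
    results["closed_port"] = udp_probe("127.0.0.1", closed_port, 0.5)

    # 2. A port that is open but never replies.
    quiet = _silent_listener()
    results["silent_service"] = udp_probe("127.0.0.1", quiet.getsockname()[1], 0.5)
    quiet.close()

    # 3. A port with a service that answers.
    echo = _echo_listener()
    results["answering_service"] = udp_probe("127.0.0.1", echo.getsockname()[1], 0.5)
    echo.close()
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} -> {verdict}")
```

Run against a real server address, "unreachable" says the datagram arrived somewhere (the router or the Ubuntu box) that had no listener on that port, while "silent" points at filtering or forwarding. The probe cannot tell an OpenVPN server that ignores unauthenticated packets from a firewall drop; for that, the server-side log or a packet capture on the server is needed.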

Re: Access Linux OpenVPN server from XP on parallels

Posted: Mon Apr 23, 2012 7:02 pm
by frankuit
Hi Mclinux,

https://forum.openwrt.org/viewtopic.php?pid=22193 suggests:

Code:

iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
This might be needed because your iptables does not seem to allow traffic input on your tun device.

If you flush your iptables firewall, can you connect to the VPN then?
For users of Parallels on Mac (using Windows XP) the OpenVPN client works better in "BRIDGING" mode, if I remember correctly.

Good luck,

Frank Uittenbosch

Re: Access Linux OpenVPN server from XP on parallels

Posted: Mon Apr 23, 2012 8:49 pm
by McLinux
Hi Frank,

When I flush iptables I cannot connect. I also can't ping or ssh to the server.

This is the script I use to configure iptables, with your lines added:

Code:

#!/bin/sh
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
iptables -t nat -F
iptables -t mangle -F

#
# Allow SSH connections on tcp port 22 (or whatever port you want to use)
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP                #using DROP for INPUT is not always recommended. Change to ACCEPT if you prefer. 
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
#Accept connections on 1094 for vpn access from clients
#Take note that the rule says "UDP", and ensure that your OpenVPN server.conf says UDP too
#
iptables -A INPUT -p udp --dport 1094 -j ACCEPT

#
#Apply forwarding for OpenVPN Tunneling
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT     #10.8.0.0 ? Check your OpenVPN server.conf to be sure
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

#
#Enable forwarding
# 
echo 1 > /proc/sys/net/ipv4/ip_forward

#
# Some generally optional rules. Enable and disable these as per your requirements
# 

# Accept traffic with the ACK flag set
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Accept responses to DNS queries
iptables -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to our pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
iptables -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
iptables -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
iptables -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Respond to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
# Accept traceroutes
iptables -A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT

# iptables -A INPUT -i tun0 -j ACCEPT
# iptables -A OUTPUT -o tun0 -j ACCEPT
# iptables -A FORWARD -i tun0 -j ACCEPT
# iptables -A FORWARD -i tun0 -s 192.168.1.0/24 -d 10.8.0.0/24 -j ACCEPT
# iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 192.168.1.0/24 -j ACCEPT
#
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT
# List rules
#
iptables -L -v

iptables -L

root@file-server:~# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:rootd
ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp dpts:33434:33523
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.8.0.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

What I don't understand is that in the output of iptables there is no tun interface.

Kind regards,
McLinux
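
Two things about the listing in the post above that are easy to misread, followed by an added example that is not code from the thread. `iptables -L` without `-v` omits the in/out interface columns, so the `-i lo` rule and the `-i tun+` rule both print as `ACCEPT all -- anywhere anywhere` (`iptables -L -v -n` or `iptables -S` shows them), and without `-n` port 1094 is printed by its /etc/services name, `rootd`. The script also has an ordering problem in FORWARD: `iptables -A FORWARD -j REJECT` matches every packet, so the `-i tun+` ACCEPT appended after it can never be reached. The Python below is a minimal first-match evaluator of the INPUT and FORWARD chains the script builds (interfaces taken from the script's `-i` options, the ICMP and traceroute rules left out for brevity), plus a lint that flags rules sitting behind an unconditional terminating rule. The LAN address 192.168.1.70 and the port 445 packets are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    in_if: str                 # "eth0", "tun0", "lo"
    dport: Optional[int] = None
    state: str = "NEW"         # conntrack view: "NEW", "ESTABLISHED" or "RELATED"


@dataclass
class Rule:
    target: str
    proto: str = "all"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    in_if: Optional[str] = None     # None = any; a trailing "+" is a prefix wildcard (tun+)
    dport: Optional[int] = None
    states: Optional[Set[str]] = None

    def is_catch_all(self) -> bool:
        return (self.proto == "all" and self.src == "0.0.0.0/0" and self.dst == "0.0.0.0/0"
                and self.in_if is None and self.dport is None and self.states is None)

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.in_if is not None:
            if self.in_if.endswith("+"):
                if not p.in_if.startswith(self.in_if[:-1]):
                    return False
            elif p.in_if != self.in_if:
                return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def evaluate(chain: List[Rule], policy: str, p: Packet) -> Tuple[str, Optional[int]]:
    """iptables semantics: the first matching rule decides; otherwise the chain policy."""
    for i, rule in enumerate(chain):
        if rule.matches(p):
            return rule.target, i
    return policy, None


def unreachable_rules(chain: List[Rule]) -> List[int]:
    """Indexes of rules placed after an unconditional ACCEPT/DROP/REJECT: dead rules."""
    for i, rule in enumerate(chain):
        if rule.is_catch_all() and rule.target in TERMINATING:
            return list(range(i + 1, len(chain)))
    return []


# The chains the posted script builds, in the order the -A commands append them.
INPUT_POLICY = "DROP"
INPUT = [
    Rule("ACCEPT", proto="tcp", dport=22),
    Rule("ACCEPT", in_if="lo"),                          # prints as "all -- anywhere anywhere"
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", proto="udp", dport=1094),             # prints as "udp dpt:rootd"
    Rule("ACCEPT", in_if="tun+"),                        # also "all -- anywhere anywhere"
]
FORWARD_POLICY = "ACCEPT"
FORWARD = [
    Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    Rule("ACCEPT", src="10.8.0.0/24"),
    Rule("REJECT"),                                      # unconditional: ends every walk
    Rule("ACCEPT", in_if="tun+"),                        # never reached
]


def report() -> dict:
    """Verdicts (target, index of the deciding rule) for packets that matter to the VPN."""
    return {
        # OpenVPN handshake from the Mac arriving on eth0 hits the UDP 1094 rule
        "vpn_handshake": evaluate(INPUT, INPUT_POLICY,
                                  Packet("udp", "192.168.1.66", "192.168.1.65", "eth0", 1094)),
        # a new TCP connection to an unlisted port from the LAN falls through to DROP
        "lan_smb": evaluate(INPUT, INPUT_POLICY,
                            Packet("tcp", "192.168.1.66", "192.168.1.65", "eth0", 445)),
        # the same port reached through the tunnel is allowed by the tun+ rule
        "tun_smb": evaluate(INPUT, INPUT_POLICY,
                            Packet("tcp", "10.8.0.6", "10.8.0.1", "tun0", 445)),
        # VPN client to a LAN host is forwarded by the 10.8.0.0/24 rule
        "client_to_lan": evaluate(FORWARD, FORWARD_POLICY,
                                  Packet("icmp", "10.8.0.6", "192.168.1.70", "tun0")),
        # a LAN host opening a new connection to a VPN client is rejected
        "lan_to_client": evaluate(FORWARD, FORWARD_POLICY,
                                  Packet("tcp", "192.168.1.66", "10.8.0.6", "eth0", 22)),
        "dead_forward_rules": unreachable_rules(FORWARD),
    }


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:20s} {verdict}")
```

The simulator only models the matches the script uses (protocol, addresses, input interface, destination port, conntrack state); it is a reading aid for rule order, not a replacement for `iptables -L -v -n`, whose packet counters show which rules fire in practice.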

Re: Access Linux OpenVPN server from XP on parallels

Posted: Tue Apr 24, 2012 7:56 am
by frankuit
McLinux wrote:
Hi Frank,

When I flush iptables I cannot connect. I also can't ping or ssh to the server.
Hi Mclinux,

The reason you can't connect is because your default iptables policy on your input interface is DROP.
Ergo, if you don't specify allow rules, everything is denied.

In order to test this you should try:

Code:

#These 3 lines reset the default policy to ACCEPT on interfaces
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables --flush
iptables --table filter --flush
iptables --table nat --flush
iptables --table mangle --flush

iptables --table filter --delete-chain
iptables --table nat --delete-chain
iptables --table mangle --delete-chain

iptables --table filter --zero
iptables --table nat --zero
iptables --table mangle --zero

and now try to connect & ping the server again.
You SHOULD at least be able to ping it now.

If that works, you have localized the problem in your iptables configuration.

I noticed you had 1094 as the OpenVPN port in your firewall config; is that correct? Shouldn't that be 1194 (UDP)?

Re: Access Linux OpenVPN server from XP on parallels

Posted: Tue Apr 24, 2012 9:22 am
by McLinux
Hi Frank,

Now I can indeed ping the server on both 10.8.0.1 and 192.168.1.65.
I have added the following lines for logging:

Code:

# Log the rest of the incoming messages (all of which are dropped)
# with a maximum of 15 log entries per minute
/sbin/iptables -A INPUT -m limit --limit 15/minute -j LOG \
    --log-level 7 --log-prefix "Dropped by firewall: "
/sbin/iptables -A OUTPUT -m limit --limit 15/minute -j LOG \
    --log-level 7 --log-prefix "Dropped by firewall: "
The log:

Apr 24 11:08:18 file-server kernel: [478673.584207] Dropped by firewall: IN=eth0 OUT= MAC=00:12:3f:b9:a9:b7:00:1f:5b:eb:2a:08:08:00 SRC=192.168.1.66 DST=192.168.1.65 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=24272 DF PROTO=TCP SPT=49417 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Apr 24 11:08:18 file-server kernel: [478673.687326] Dropped by firewall: IN=eth0 OUT= MAC=00:12:3f:b9:a9:b7:00:1f:5b:eb:2a:08:08:00 SRC=192.168.1.66 DST=192.168.1.65 LEN=100 TOS=0x10 PREC=0x00 TTL=64 ID=4006 DF PROTO=TCP SPT=49417 DPT=22 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Apr 24 11:08:18 file-server kernel: [478673.687499] Dropped by firewall: IN= OUT=eth0 SRC=192.168.1.65 DST=192.168.1.66 LEN=100 TOS=0x10 PREC=0x00 TTL=64 ID=19700 DF PROTO=TCP SPT=22 DPT=49417 WINDOW=1598 RES=0x00 ACK PSH URGP=0
Apr 24 11:08:18 file-server kernel: [478673.687678] Dropped by firewall: IN=eth0 OUT= MAC=00:12:3f:b9:a9:b7:00:1f:5b:eb:2a:08:08:00 SRC=192.168.1.66 DST=192.168.1.65 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=63643 DF PROTO=TCP SPT=49417 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Apr 24 11:08:18 file-server kernel: [478673.991699] Dropped by firewall: IN= OUT=eth0 SRC=192.168.1.65 DST=192.168.1.66 LEN=100 TOS=0x10 PREC=0x00 TTL=64 ID=19701 DF PROTO=TCP SPT=22 DPT=49417 WINDOW=1598 RES=0x00 ACK PSH URGP=0
Apr 24 11:08:18 file-server kernel: [478674.175793] Dropped by firewall: IN= OUT=eth0 SRC=192.168.1.65 DST=192.168.1.66 LEN=100 TOS=0x10 PREC=0x00 TTL=64 ID=19702 DF PROTO=TCP SPT=22 DPT=49417 WINDOW=1598 RES=0x00 ACK PSH URGP=0

The IP address of the Mac is 192.168.1.66. Strange that it is not 10.8.0.1 that arrives at the server.

Regards McLinux
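
An added example, not from the thread: a small parser for kernel LOG lines like the ones in the post above, so the question "did any packet for the OpenVPN port reach the server?" is answered by a count instead of by reading hex fields. Two caveats apply when reading such lines. A LOG rule is non-terminating and only labels the packet, so the "Dropped by firewall:" prefix says nothing about the final verdict; with the chain policy set to ACCEPT, as in the test setup from the previous reply, the SSH packets above were in fact delivered. And an OpenVPN handshake would appear as PROTO=UDP with DPT= the configured port. The six log lines are the posted ones; the seventh is constructed to show what a UDP 1094 attempt would look like, and the prefix string is a parameter because it is whatever `--log-prefix` was set to.

```python
import re
from collections import Counter
from typing import List, Optional

# The six lines from the post, verbatim.
POSTED_LOG = """\
Apr 24 11:08:18 file-server kernel: [478673.584207] Dropped by firewall: IN=eth0 OUT= MAC=00:12:3f:b9:a9:b7:00:1f:5b:eb:2a:08:08:00 SRC=192.168.1.66 DST=192.168.1.65 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=24272 DF PROTO=TCP SPT=49417 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Apr 24 11:08:18 file-server kernel: [478673.687326] Dropped by firewall: IN=eth0 OUT= MAC=00:12:3f:b9:a9:b7:00:1f:5b:eb:2a:08:08:00 SRC=192.168.1.66 DST=192.168.1.65 LEN=100 TOS=0x10 PREC=0x00 TTL=64 ID=4006 DF PROTO=TCP SPT=49417 DPT=22 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Apr 24 11:08:18 file-server kernel: [478673.687499] Dropped by firewall: IN= OUT=eth0 SRC=192.168.1.65 DST=192.168.1.66 LEN=100 TOS=0x10 PREC=0x00 TTL=64 ID=19700 DF PROTO=TCP SPT=22 DPT=49417 WINDOW=1598 RES=0x00 ACK PSH URGP=0
Apr 24 11:08:18 file-server kernel: [478673.687678] Dropped by firewall: IN=eth0 OUT= MAC=00:12:3f:b9:a9:b7:00:1f:5b:eb:2a:08:08:00 SRC=192.168.1.66 DST=192.168.1.65 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=63643 DF PROTO=TCP SPT=49417 DPT=22 WINDOW=65535 RES=0x00 ACK URGP=0
Apr 24 11:08:18 file-server kernel: [478673.991699] Dropped by firewall: IN= OUT=eth0 SRC=192.168.1.65 DST=192.168.1.66 LEN=100 TOS=0x10 PREC=0x00 TTL=64 ID=19701 DF PROTO=TCP SPT=22 DPT=49417 WINDOW=1598 RES=0x00 ACK PSH URGP=0
Apr 24 11:08:18 file-server kernel: [478674.175793] Dropped by firewall: IN= OUT=eth0 SRC=192.168.1.65 DST=192.168.1.66 LEN=100 TOS=0x10 PREC=0x00 TTL=64 ID=19702 DF PROTO=TCP SPT=22 DPT=49417 WINDOW=1598 RES=0x00 ACK PSH URGP=0
"""

# Constructed for this example (not from the thread): how an inbound OpenVPN
# packet for port 1094 would be logged by the same rule.
CONSTRUCTED_VPN_LINE = (
    "Apr 24 11:09:00 file-server kernel: [478715.000000] Dropped by firewall: "
    "IN=eth0 OUT= MAC=00:12:3f:b9:a9:b7:00:1f:5b:eb:2a:08:08:00 SRC=192.168.1.66 DST=192.168.1.65 "
    "LEN=42 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=1194 DPT=1094 LEN=22"
)

KEY_VALUE = re.compile(r"\b([A-Z]+)=(\S*)")      # KEY=VALUE tokens; empty value allowed (OUT=)
FLAG_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_line(line: str, prefix: str = "Dropped by firewall: ") -> Optional[dict]:
    """Return the netfilter fields of one LOG line, or None if the line is not one."""
    _, found, body = line.partition(prefix)
    if not found:
        return None
    fields = {}
    for key, value in KEY_VALUE.findall(body):
        fields.setdefault(key, value)        # UDP lines carry LEN= twice; keep the IP one
    fields["FLAGS"] = {tok for tok in body.split() if tok in FLAG_TOKENS}
    fields["DIR"] = "in" if fields.get("IN") else "out"   # IN= set means the packet arrived
    return fields


def service_port(fields: dict) -> Optional[int]:
    """The port that names the service: DPT for inbound packets, SPT for replies going out."""
    key = "DPT" if fields["DIR"] == "in" else "SPT"
    return int(fields[key]) if key in fields else None


def summarize(text: str, prefix: str = "Dropped by firewall: ") -> Counter:
    """Count (direction, protocol, service port) over every parseable line."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_line(line, prefix)
        if fields:
            counts[(fields["DIR"], fields["PROTO"], service_port(fields))] += 1
    return counts


def vpn_attempts(text: str, port: int, prefix: str = "Dropped by firewall: ") -> List[str]:
    """Source addresses of inbound UDP packets aimed at the OpenVPN port."""
    hits = []
    for line in text.splitlines():
        f = parse_line(line, prefix)
        if f and f["DIR"] == "in" and f["PROTO"] == "UDP" and f.get("DPT") == str(port):
            hits.append(f["SRC"])
    return hits


if __name__ == "__main__":
    for key, n in sorted(summarize(POSTED_LOG).items(), key=str):
        print(f"{key}: {n}")
    print("OpenVPN attempts on 1094 in posted log:", vpn_attempts(POSTED_LOG, 1094))
    print("with the constructed line appended:   ",
          vpn_attempts(POSTED_LOG + CONSTRUCTED_VPN_LINE + "\n", 1094))
```

Fed the posted lines, the summary contains only TCP port 22 in both directions and `vpn_attempts(..., 1094)` is empty, which is the observation the next reply makes by eye; with the constructed UDP line appended it reports the client address. On the Ubuntu box in the thread the same lines live in /var/log/kern.log or /var/log/syslog rather than /var/log/messages.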

Re: Access Linux OpenVPN server from XP on parallels

Posted: Tue Apr 24, 2012 9:27 am
by McLinux
The port number 1094 in the firewall is correct. I tried another port. I have changed the server and client to this port and UDP.

Re: Access Linux OpenVPN server from XP on parallels

Posted: Tue Apr 24, 2012 10:07 am
by frankuit
Hi Mclinux,

In your log I'm only seeing SSH (22) traffic and the return ports!
I'm not seeing any OpenVPN connection attempt!

Two questions.
Did you try to connect to OpenVPN with this log active?
You might want to do:

Code:

tail -f /var/log/messages
while trying to connect with the VPN.
Be sure to stop your SSH connection, otherwise you might flood your logs.

And please do:

Code:

netstat -ano | grep 1194
(or 1094, depending on the port you've activated it on).

That should return something like:

Code:

udp        0      0 0.0.0.0:1194            0.0.0.0:*                           off (0.00/0/0)
If not, your OpenVPN server might not be running.

Re: Access Linux OpenVPN server from XP on parallels

Posted: Tue Apr 24, 2012 12:29 pm
by McLinux
Hi Frank,

I have no /var/log/messages

netstat -ano |grep 1094
udp 0 0 0.0.0.0:1094 0.0.0.0:* off (0.00/0/0)
root@file-server:/var/log#

Maybe this is a problem. I installed OpenVPN on Ubuntu with apt-get and have version 2.2.
On Windows I have version 2.0.

Regards,
McLinux

Re: Access Linux OpenVPN server from XP on parallels

Posted: Tue Apr 24, 2012 12:32 pm
by McLinux
When I start the client I get this in a dos-box:

Tue Apr 24 14:15:55 2012 NOTE: --user option is not implemented on Windows
Tue Apr 24 14:15:55 2012 NOTE: --group option is not implemented on Windows
Tue Apr 24 14:15:55 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Tue Apr 24 14:15:55 2012 MANAGEMENT: TCP Socket listening on 10.211.55.9:7505
Tue Apr 24 14:15:55 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Apr 24 14:15:55 2012 LZO compression initialized
Tue Apr 24 14:15:55 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Apr 24 14:15:55 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Apr 24 14:15:55 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Apr 24 14:15:55 2012 Local Options hash (VER=V4): '41690919'
Tue Apr 24 14:15:55 2012 Expected Remote Options hash (VER=V4): '530fdded'
Tue Apr 24 14:15:55 2012 UDPv4 link local: [undef]
Tue Apr 24 14:15:55 2012 UDPv4 link remote: 81.71.37.109:1094
Tue Apr 24 14:15:55 2012 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Apr 24 14:15:57 2012 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Apr 24 14:16:01 2012 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)

Re: Access Linux OpenVPN server from XP on parallels

Posted: Tue Apr 24, 2012 12:55 pm
by frankuit
Hi McLinux,

So try downloading the new OpenVPN client then.
And try to find out where the OpenVPN log is on your server; that will make your life a lot easier when troubleshooting issues like this.

Re: Access Linux OpenVPN server from XP on parallels

Posted: Tue Apr 24, 2012 9:40 pm
by McLinux
Hi Frank,

Sorry that I did not pay attention to the version numbers. But now I have OpenVPN 2.3-alpha1 on both server (Ubuntu Server) and client (Windows XP).
I now have an OpenVPN logfile.
So I started the server successfully:


Tue Apr 24 23:09:12 2012 us=995575 Diffie-Hellman initialized with 1024 bit key
Tue Apr 24 23:09:12 2012 us=996501 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Apr 24 23:09:12 2012 us=996636 Socket Buffers: R=[114688->131072] S=[114688->131072]
Tue Apr 24 23:09:12 2012 us=996933 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=00:12:3f:b9:a9:b7
Tue Apr 24 23:09:13 2012 us=6455 TUN/TAP device tun1 opened
Tue Apr 24 23:09:13 2012 us=6674 TUN/TAP TX queue length set to 100
Tue Apr 24 23:09:13 2012 us=6797 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Apr 24 23:09:13 2012 us=6985 /sbin/ifconfig tun1 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Tue Apr 24 23:09:13 2012 us=8719 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Tue Apr 24 23:09:13 2012 us=9752 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Apr 24 23:09:13 2012 us=10553 GID set to nobody
Tue Apr 24 23:09:13 2012 us=10679 UID set to nobody
Tue Apr 24 23:09:13 2012 us=10786 UDPv4 link local (bound): [undef]
Tue Apr 24 23:09:13 2012 us=10888 UDPv4 link remote: [undef]
Tue Apr 24 23:09:13 2012 us=11051 MULTI: multi_init called, r=256 v=256
Tue Apr 24 23:09:13 2012 us=11201 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Apr 24 23:09:13 2012 us=11336 IFCONFIG POOL LIST
Tue Apr 24 23:09:13 2012 us=11507 Initialization Sequence Completed

I started the client successfully:
Tue Apr 24 23:32:55 2012 VERIFY OK: nsCertType=SERVER
Tue Apr 24 23:32:55 2012 VERIFY OK: depth=0, C=NL, ST=Noord-Holland, L=Beverwijk, O=AK Administratie, OU=Administratie, CN=OpenVPN-CA, name=Ak, emailAddress=ak@akadministratie.workgroup
Tue Apr 24 23:32:55 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 24 23:32:55 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 24 23:32:55 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 24 23:32:55 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 24 23:32:55 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr 24 23:32:55 2012 [OpenVPN-CA] Peer Connection Initiated with [AF_INET]192.168.1.65:1194
Tue Apr 24 23:32:57 2012 SENT CONTROL [OpenVPN-CA]: 'PUSH_REQUEST' (status=1)
Tue Apr 24 23:32:57 2012 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Tue Apr 24 23:32:57 2012 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 24 23:32:57 2012 OPTIONS IMPORT: --ifconfig/up options modified
Tue Apr 24 23:32:57 2012 OPTIONS IMPORT: route options modified
Tue Apr 24 23:32:57 2012 ROUTE_GATEWAY 10.211.55.1/255.255.255.0 I=65540 HWADDR=00:1c:42:81:6d:24
Tue Apr 24 23:32:57 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Apr 24 23:32:57 2012 open_tun, tt->ipv6=0
Tue Apr 24 23:32:57 2012 TAP-WIN32 device [Local Area Connection 5] opened: \\.\Global\{B3936A04-A546-4C41-BD0D-7955F34B09F7}.tap
Tue Apr 24 23:32:57 2012 TAP-Win32 Driver Version 9.9
Tue Apr 24 23:32:57 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {B3936A04-A546-4C41-BD0D-7955F34B09F7} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Tue Apr 24 23:32:57 2012 Successful ARP Flush on interface [131074] {B3936A04-A546-4C41-BD0D-7955F34B09F7}
Tue Apr 24 23:33:02 2012 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Tue Apr 24 23:33:02 2012 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.5
Tue Apr 24 23:33:02 2012 Route addition via IPAPI succeeded [adaptive]
Tue Apr 24 23:33:02 2012 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Tue Apr 24 23:33:02 2012 Route addition via IPAPI succeeded [adaptive]
Tue Apr 24 23:33:02 2012 Initialization Sequence Completed

On the server iptables -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
5 260 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:openvpn
0 0 ACCEPT tcp -- any any anywhere anywhere tcp flags:ACK/ACK
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:domain dpts:1024:65535
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ACCEPT udp -- any any anywhere anywhere udp dpts:33434:33523
0 0 ACCEPT all -- tun+ any anywhere anywhere
0 0 ACCEPT all -- tun+ any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- any any 10.8.0.0/24 anywhere
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-port-unreachable
0 0 ACCEPT all -- tun+ any anywhere anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Now I can not ping or ssh to 192.168.1.65 or 10.8.0.1.

Re: Access Linux OpenVPN server from XP on parallels

Posted: Wed Apr 25, 2012 7:01 am
by frankuit
Hi Mclinux,

We are getting there! :)
So if I understand the logs correctly, you have a connection now, but you can't ping BEYOND the OpenVPN server?
Can you ping the server itself ?

And did you enable ip_forwarding on your openvpn server ? (Depending on your linux distro)

Oh, and:

Code:

REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
rejects all forwarding. You might want to split this project up into at least two phases:
phase 1, get your OpenVPN connection going, and set up your rules just for that;
phase 2, build your actual firewall with iptables.

Hope this helps!

Re: Access Linux OpenVPN server from XP on parallels

Posted: Wed Apr 25, 2012 8:42 am
by McLinux
Hi Frank,

I did indeed enable ip_forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward

I do not understand why I should use the following code:

Code:

REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Can OpenVPN function without any port forwarding?

When OpenVPN is not running on the client I can both ping 192.168.1.65 and 10.8.0.1. After starting I can't ping them both, even when the Windows firewall is disabled.

On my Windows machine route print:

===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.211.55.1 10.211.55.9 10
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 1
10.8.0.4 255.255.255.252 10.8.0.6 10.8.0.6 30
10.8.0.6 255.255.255.255 127.0.0.1 127.0.0.1 30
10.211.55.0 255.255.255.0 10.211.55.9 10.211.55.9 10
10.211.55.9 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.8.0.6 10.8.0.6 30
10.255.255.255 255.255.255.255 10.211.55.9 10.211.55.9 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 10.8.0.5 10.8.0.6 1
224.0.0.0 240.0.0.0 10.8.0.6 10.8.0.6 30
224.0.0.0 240.0.0.0 10.211.55.9 10.211.55.9 10
255.255.255.255 255.255.255.255 10.8.0.6 10.8.0.6 1
255.255.255.255 255.255.255.255 10.211.55.9 10.211.55.9 1
Default Gateway: 10.211.55.1
===========================================================================
Persistent Routes:
None

Regards,
McLinux
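
The route print above is worth reading with a longest-prefix lookup in hand, because Windows selects the most specific matching route first and only uses the metric to break ties between equal prefixes. The Python below is an added example, not from the thread: it parses that table and resolves a few destinations (8.8.8.8 is just an arbitrary off-LAN address for the demo). What the lookup makes visible: the pushed route 192.168.1.0/24 via 10.8.0.5 covers 192.168.1.65, the address the client log shows as the OpenVPN remote (Peer Connection Initiated with 192.168.1.65:1194), so once the tunnel is up the client's own encapsulated UDP packets to the server have a more specific route into the tunnel than out of the Parallels adapter. OpenVPN installs a host route that keeps the server reachable outside the tunnel only when redirect-gateway is in use, not for an ordinary pushed route. Whether that is what breaks the pings here is my inference from the two listings, not something the thread confirms; `routed_into_tunnel` is the check I would run first.

```python
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: IPv4Network
    gateway: str
    interface: str      # Windows route print shows the interface by its address
    metric: int


# The "Active Routes" block of the posted route print, copied as-is; lines that
# are not five fields wide (header, separators, default gateway) are skipped.
ROUTE_PRINT = """\
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.211.55.1 10.211.55.9 10
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 1
10.8.0.4 255.255.255.252 10.8.0.6 10.8.0.6 30
10.8.0.6 255.255.255.255 127.0.0.1 127.0.0.1 30
10.211.55.0 255.255.255.0 10.211.55.9 10.211.55.9 10
10.211.55.9 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.8.0.6 10.8.0.6 30
10.255.255.255 255.255.255.255 10.211.55.9 10.211.55.9 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 10.8.0.5 10.8.0.6 1
224.0.0.0 240.0.0.0 10.8.0.6 10.8.0.6 30
224.0.0.0 240.0.0.0 10.211.55.9 10.211.55.9 10
255.255.255.255 255.255.255.255 10.8.0.6 10.8.0.6 1
255.255.255.255 255.255.255.255 10.211.55.9 10.211.55.9 1
Default Gateway: 10.211.55.1
"""

TUNNEL_IF = "10.8.0.6"       # the TAP adapter's address from the client log
VPN_SERVER = "192.168.1.65"  # the remote from "Peer Connection Initiated"


def parse_route_print(text: str) -> List[Route]:
    """Turn the 'route print' table into Route entries with proper prefix lengths."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, interface, metric = parts
        try:
            net = ip_network(f"{dest}/{mask}", strict=False)   # netmask form, e.g. 240.0.0.0 -> /4
        except ValueError:
            continue
        routes.append(Route(net, gateway, interface, int(metric)))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ip_address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def routed_into_tunnel(routes: List[Route], destination: str, tunnel_if: str) -> bool:
    """True when packets for `destination` would leave through the VPN adapter."""
    chosen = lookup(routes, destination)
    return chosen is not None and chosen.interface == tunnel_if


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for dst in (VPN_SERVER, "10.8.0.1", "10.211.55.1", "8.8.8.8", "10.255.255.255"):
        r = lookup(table, dst)
        print(f"{dst:16s} -> {r.network!s:20s} gw {r.gateway:12s} if {r.interface:12s} metric {r.metric}")
    print("VPN server routed into its own tunnel:",
          routed_into_tunnel(table, VPN_SERVER, TUNNEL_IF))
```

The usual ways to keep the server's address out of the tunnel are a more specific host route for it via the physical gateway, or not pushing a route that contains the server's own address when clients connect from inside that LAN; which one fits depends on whether the client is meant to reach the rest of 192.168.1.0/24 through the VPN.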

Re: Access Linux OpenVPN server from XP on parallels

Posted: Wed Apr 25, 2012 10:18 am
by frankuit
Hi Mclinux.

Well, that puts me kinda out of options to explore.
You might try to use NAT forwarding on your server; this would help if your server doesn't know the way back properly.

Something like:

Code:

iptables -t nat -A POSTROUTING -d 10.8.0.1/24 -j MASQUERADE
Otherwise I'll need to take a look at it by trying it myself...