OpenVPN over 7050

JPAdie

New user
Member since
20 Sep 2006
Posts
74
Reaction points
0
Points
0
I spoke too soon in a recent thread, when I thought I had OpenVPN working properly. In fact it seems that it is working inside my LAN but not from outside. I cannot reach it from a static IP to the router.

My internal LAN is all on the 10.8.0.0/24 subnet. I'm trying to establish the VPN in bridge mode with the following topology:

router: 10.8.0.1
vpn gateway: 10.8.0.2
dhcp server: 10.8.0.5 (also serves DNS and WINS)

The DHCP server will lease addresses to VPN clients.

All this works if I try to connect to the 10.8.0.2 gateway inside the network (or 10.8.0.1, in fact). It doesn't work from outside.

I have set an IP forwarding rule in the ar7.cfg file to point all incoming traffic on port 1194 to 10.8.0.1, which should do the trick, but seemingly not.

My server.conf and debug.cfg are:

server.conf
Code:
daemon
proto tcp-server
port 1194
dev tap0
dev-node /dev/misc/net/tun
mode server
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig 10.8.0.2 255.255.255.0
client-to-client
keepalive 10 60
comp-lzo
persist-key
persist-tun
verb 3
debug.cfg
Code:
cd /var/tmp
mkdir vpn
cd vpn
wget ftp://10.8.0.5/brctl
wget ftp://10.8.0.5/ca.crt
wget ftp://10.8.0.5/dh1024.pem
wget ftp://10.8.0.5/fritz.conf
wget ftp://10.8.0.5/openvpn
wget ftp://10.8.0.5/server.conf
wget ftp://10.8.0.5/server.crt
wget ftp://10.8.0.5/server.key
chmod 0600 ./*
chmod +x ./openvpn
chmod +x ./brctl
/var/tmp/vpn/openvpn --config /var/tmp/vpn/fritz.conf
/var/tmp/vpn/brctl addif lan tap0
An ifconfig gives the following output:
Code:
dsl       Link encap:Point-Point Protocol
          inet addr:192.168.179.1  P-t-P:192.168.179.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:1724 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2078 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:278391 (271.8 KiB)  TX bytes:430953 (420.8 KiB)

eth0      Link encap:Ethernet  HWaddr 00:15:0C:97:46:1E
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:4078 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3054 errors:0 dropped:0 overruns:0 carrier:0
          collisions:1367 txqueuelen:100
          RX bytes:2603889 (2.4 MiB)  TX bytes:505053 (493.2 KiB)

eth1      Link encap:Ethernet  HWaddr 00:15:0C:97:46:1F
          UP BROADCAST ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Base address:0x2800

lan       Link encap:Ethernet  HWaddr 00:15:0C:97:46:1E
          inet addr:10.8.0.1  Bcast:10.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:4098 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3029 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2555254 (2.4 MiB)  TX bytes:496047 (484.4 KiB)

lan:0     Link encap:Ethernet  HWaddr 00:15:0C:97:46:1E
          inet addr:192.168.178.254  Bcast:192.168.178.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:223 errors:0 dropped:0 overruns:0 frame:0
          TX packets:223 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:30170 (29.4 KiB)  TX bytes:30170 (29.4 KiB)

tap0      Link encap:Ethernet  HWaddr 00:FF:F6:AD:A2:76
          inet addr:10.8.0.2  Bcast:10.8.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:27006 (26.3 KiB)

usbrndis  Link encap:Ethernet  HWaddr 00:15:0C:97:46:22
          UP BROADCAST ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
The addition to ar7.cfg was:
Code:
"tcp 0.0.0.0:1194 10.8.0.1:1194 0 #openvpn",
Do I, perhaps, need to explicitly bridge the tap0 interface? Or what else am I doing wrong? All help gratefully received.

Thanks
Justin
 

AndreR

Active member
Member since
4 Jan 2006
Posts
1,579
Reaction points
0
Points
0
Hi

I don't know if I read correctly what you want, but the forward rule seems a bit tricky. Try changing this:
Code:
"tcp 0.0.0.0:1194 10.8.0.1:1194 0 #openvpn",
to this:
Code:
"tcp 0.0.0.0:1194 0.0.0.0:1194 0 #openvpn",
Could you post the client config too? And what does OpenVPN say when you start it on the client? The message should say the problem.

And last but not least: you download the certificates "on the fly" - you know that your security is gone so far? ;)

EDIT: Oh, I see, you load from your intranet, that's okay
 

JPAdie

Thanks

I will try your suggestion.

The OpenVPN client just says it can't connect. It can connect if I point the tunnel at the internal address of the server (10.8.0.1 or 10.8.0.2).

I don't think that the security is bad, as the "on the fly" certificate download is taken from an FTP server inside the private subnet. If someone is already inside the subnet then everything is open anyway. Or am I missing something?

The client config is this:
Code:
client
proto tcp-client
port 1194
remote www.no3.co.uk
ns-cert-type server
dev tap0
nobind
persist-key
persist-tun
ca ca.crt
cert toshiba.crt
key toshiba.key
comp-lzo
verb 3
Will post back with the results of your suggestion.
 

AndreR

Another idea: you use lzo-comp.
Do you also use a FBF binary that has lzo-comp support? Where did you get it from?

But my idea: if it works internally (bad testing environment), it should be an issue with the port forwarding.
 

JPAdie

I was not aware that it needed a separate binary. The howto on the OpenVPN site does not suggest so, nor does the tutorial at http://www.wehavemorefun.de/fritzbox/OpenVPN (although I am guessing at a lot of the German).

But I don't think this is the problem, as the tunnel works internally; it just won't connect externally. Therefore somehow I need to get the FBF listening on 1194 and transferring the request to the tap0 interface.
 

JPAdie

I have tried changing the IP forwarding rule as you suggested, but the same behaviour is exhibited.

The error message from the client VPN console is the following:

Code:
Mon Oct 02 12:02:05 2006 OpenVPN 2.0.8 Win32-MinGW [SSL] [LZO] built on Sep 11 2006
Mon Oct 02 12:02:05 2006 LZO compression initialized
Mon Oct 02 12:02:05 2006 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Oct 02 12:02:05 2006 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Oct 02 12:02:05 2006 Local Options hash (VER=V4): '31fdf004'
Mon Oct 02 12:02:05 2006 Expected Remote Options hash (VER=V4): '3e6d1056'
Mon Oct 02 12:02:05 2006 Attempting to establish TCP connection with 217.66.125.225:1194
Mon Oct 02 12:02:26 2006 TCP: connect to 217.66.125.225:1194 failed, will try again in 5 seconds
... and it continues every 5 seconds.

If I connect to the internal address I get the following message:
Code:
Mon Oct 02 12:05:14 2006 OpenVPN 2.0.8 Win32-MinGW [SSL] [LZO] built on Sep 11 2006
Mon Oct 02 12:05:14 2006 LZO compression initialized
Mon Oct 02 12:05:14 2006 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Oct 02 12:05:14 2006 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Oct 02 12:05:14 2006 Local Options hash (VER=V4): '31fdf004'
Mon Oct 02 12:05:14 2006 Expected Remote Options hash (VER=V4): '3e6d1056'
Mon Oct 02 12:05:14 2006 Attempting to establish TCP connection with 10.8.0.2:1194
Mon Oct 02 12:05:14 2006 TCP connection established with 10.8.0.2:1194
Mon Oct 02 12:05:14 2006 TCPv4_CLIENT link local: [undef]
Mon Oct 02 12:05:14 2006 TCPv4_CLIENT link remote: 10.8.0.2:1194
Mon Oct 02 12:05:14 2006 TLS: Initial packet from 10.8.0.2:1194, sid=df9d8e84 a42500ff
Mon Oct 02 12:05:15 2006 VERIFY OK: depth=1, /C=UK/ST=LND/L=London/O=Adie_and_Co/CN=adieco.lan/[email protected]
Mon Oct 02 12:05:15 2006 VERIFY OK: nsCertType=SERVER
Mon Oct 02 12:05:15 2006 VERIFY OK: depth=0, /C=UK/ST=LND/O=Adie_and_Co/CN=server/[email protected]
Mon Oct 02 12:05:16 2006 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 02 12:05:16 2006 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 02 12:05:16 2006 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Oct 02 12:05:16 2006 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 02 12:05:16 2006 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Oct 02 12:05:16 2006 [server] Peer Connection Initiated with 10.8.0.2:1194
Mon Oct 02 12:05:17 2006 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Mon Oct 02 12:05:17 2006 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 60'
Mon Oct 02 12:05:17 2006 OPTIONS IMPORT: timers and/or timeouts modified
Mon Oct 02 12:05:17 2006 TAP-WIN32 device [Local Area Connection 8] opened: \\.\Global\{B9059475-E6DC-4C6E-A12D-EA8D4C6774DA}.tap
Mon Oct 02 12:05:17 2006 TAP-Win32 Driver Version 8.1 
Mon Oct 02 12:05:17 2006 TAP-Win32 MTU=1500
Mon Oct 02 12:05:18 2006 Successful ARP Flush on interface [5] {B9059475-E6DC-4C6E-A12D-EA8D4C6774DA}
Mon Oct 02 12:05:18 2006 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Mon Oct 02 12:05:18 2006 Route: Waiting for TUN/TAP interface to come up...
Mon Oct 02 12:05:19 2006 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Mon Oct 02 12:05:19 2006 Route: Waiting for TUN/TAP interface to come up...
Mon Oct 02 12:05:19 2006 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
Mon Oct 02 12:05:19 2006 Route: Waiting for TUN/TAP interface to come up...
Mon Oct 02 12:05:20 2006 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
Mon Oct 02 12:05:20 2006 Initialization Sequence Completed
 

AndreR

Hi,

I don't know if the binary you use supports comp-lzo... but it seems so, because you can connect internally.

Your forward rule seems to be defective, because there is no connection to the used port.
Do you use your FBF as an ATA? Is there another modem/router in front of it?
And (would not be the first time :)) have you rebooted the box after changing the forward rule?

If you want to try: the latest OpenVPN version (2.1beta15 with OpenSSL 0.9.8d) is here
 

JPAdie

Thanks AndreR

I agree that the forward rule appears wrong. I always find it difficult to get my head around bridging. Basically I need to direct all incoming traffic on the DSL interface on port 1194 to the internal interface on which the OpenVPN server is located (10.8.0.2).

BTW, I do reboot after changing this file (/sbin/reboot).
 

AndreR

Could you please post the specific part of the ar7.cfg where your forward rules are shown?

And: do you use the FBF as an ATA?
 

JPAdie

Sorry, I have been absent. Thanks for your patience.

The relevant portion of the ar7.cfg is as follows:
Code:
dslifaces {
               enabled = yes;
               name = "internet";
               dsl_encap = dslencap_inherit;
               ppptarget = "internet";
               etherencapcfg {
                       use_dhcp = yes;
                       ipaddr = 0.0.0.0;
                       netmask = 0.0.0.0;
                       gateway = 0.0.0.0;
                       dns1 = 0.0.0.0;
                       dns2 = 0.0.0.0;
               }
               stay_always_online = yes;
               redial_delay_after_auth_failure = 1m;
               redial_limit = 3;
               redial_after_limit_reached = 1h;
               username_prefix_after_auth_failure = "";
               redial_delay_after_low_error = 10s;
               dsldpconfig {
                       security = dpsec_firewall;
                       lowinput {
                               policy = "permit";
                               accesslist = 
                                            "deny ip any 242.0.0.0 255.0.0.0", 
                                            "deny ip any host 255.255.255.255", 
                                            "deny udp any any eq 135", 
                                            "deny tcp any any eq 135", 
                                            "deny udp any any range 137 139", 
                                            "deny tcp any any range 137 139", 
                                            "deny udp any any range 161 162", 
                                            "deny udp any any eq 520", 
                                            "deny udp any any eq 111", 
                                            "deny udp any any eq 22289", 
                                            "deny udp any any eq 1710", 
                                            "deny udp any any eq 1048", 
                                            "deny udp any any eq 158", 
                                            "deny udp any any eq 515";
                       }
                       lowoutput {
                               policy = "permit";
                       }
                       highinput {
                               policy = "permit";
                       }
                       highoutput {
                               policy = "permit";
                               accesslist = 
                                            "reject ip any 242.0.0.0 255.0.0.0", 
                                            "deny ip any host 255.255.255.255", 
                                            "reject ip any 169.254.0.0 255.255.0.0", 
                                            "reject udp any any eq 135", 
                                            "reject tcp any any eq 135", 
                                            "reject udp any any range 137 139", 
                                            "reject tcp any any range 137 139", 
                                            "reject udp any any range 161 162", 
                                            "reject udp any any eq 520", 
                                            "reject udp any any eq 111", 
                                            "reject udp any any eq 22289", 
                                            "reject udp any any eq 1710", 
                                            "reject udp any any eq 1048", 
                                            "reject udp any any eq 158", 
                                            "reject udp any any eq 515", 
                                            "reject icmp any 149.1.1.0 255.255.255.0", 
                                            "reject tcp any host 202.106.185.127 eq 25";
                       }
                       forwardrules = "tcp 0.0.0.0:0 0.0.0.0:0 1 out", 
                                      "udp 0.0.0.0:0 0.0.0.0:0 1 out", 
                                      "udp 0.0.0.0:5060 0.0.0.0:5060", 
                                      "udp 0.0.0.0:7078 0.0.0.0:7078", 
                                      "udp 0.0.0.0:7079 0.0.0.0:7079", 
                                      "udp 0.0.0.0:7080 0.0.0.0:7080", 
                                      "udp 0.0.0.0:7081 0.0.0.0:7081", 
                                      "udp 0.0.0.0:7082 0.0.0.0:7082", 
                                      "udp 0.0.0.0:7083 0.0.0.0:7083", 
                                      "udp 0.0.0.0:7084 0.0.0.0:7084", 
                                      "udp 0.0.0.0:7085 0.0.0.0:7085", 
                                      "tcp 0.0.0.0:8089 0.0.0.0:8089", 
                                      "tcp 0.0.0.0:3389 10.8.0.5:3389 0 # MS Remotedesktop", 
                                      "tcp 0.0.0.0:25 10.8.0.5:25 0 # SMTP", 
                                      "tcp 0.0.0.0:80 10.8.0.5:80 0 # HTTP-Server", 
                                      "tcp 0.0.0.0:443 10.8.0.5:443 0 # HTTP-Server SSL", 
                                      "tcp 0.0.0.0:5678+2 10.8.0.5:5678 0 # ActiveSync", 
                                      "tcp 0.0.0.0:999 10.8.0.5:999 0 # Time Server", 
                                      "tcp 0.0.0.0:990 10.8.0.5:990 0 # RAPI", 
                                      "tcp 0.0.0.0:21 10.8.0.5:21 0 # FTP-Server", 
                                      "tcp 0.0.0.0:1149 0.0.0.0:1149 0 # openpvn";
                       shaper = "globalshaper";
               }
On the ATA side: yes, I use the 7050 in combination with a Gigaset SX353 to run my telephony.

I am, however, getting multiple DSL de-syncs with this box, several per hour and nearly always when there is burst traffic. Contrast this with my old Draytek, which used to maintain the DSL connection for weeks at a time. This may lead me to start using the 7050 JUST as an ATA and hook it up to a different DSL modem and PPPoE client.
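An added consistency check (example code written for this thread, not FRITZ!Box or OpenVPN software): it parses a forwardrules block in the ar7.cfg syntax posted above together with the server.conf from the first post and reports whether any inbound rule covers the protocol and port OpenVPN actually listens on. As posted, the openvpn rule names port 1149 while server.conf says port 1194, which is the kind of mismatch such a check surfaces; the thread itself was resolved by re-running /bin/ar7cfgchanged. The rule syntax `<proto> <ext ip>:<port>[+N] <int ip>:<port> [flag] [out] [# comment]` is inferred from the posted lines and is an assumption.

```python
import re

# Constructed excerpt of the forwardrules block and server.conf as posted in this thread;
# the checker around them is an added example, not FRITZ!Box or OpenVPN code.
AR7_FORWARDRULES = '''
forwardrules = "tcp 0.0.0.0:0 0.0.0.0:0 1 out",
               "tcp 0.0.0.0:3389 10.8.0.5:3389 0 # MS Remotedesktop",
               "tcp 0.0.0.0:5678+2 10.8.0.5:5678 0 # ActiveSync",
               "tcp 0.0.0.0:1149 0.0.0.0:1149 0 # openpvn";
'''
SERVER_CONF = "proto tcp-server\nport 1194\ndev tap0\n"

RULE_RE = re.compile(r'"([^"]*)"')

def parse_rule(text):
    """Parse one rule (assumed syntax): <proto> <ext_ip>:<port>[+N] <int_ip>:<port> [flag] [out] [# comment]."""
    body, _, comment = text.partition('#')
    tokens = body.split()
    if len(tokens) < 3:
        raise ValueError(f"unparseable rule: {text!r}")
    proto, ext, internal = tokens[:3]
    ext_ip, ext_port = ext.rsplit(':', 1)
    int_ip, int_port = internal.rsplit(':', 1)
    base, _, span = ext_port.partition('+')      # "5678+2" covers 5678..5680
    lo = int(base)
    hi = lo + int(span) if span else lo
    return {'proto': proto.lower(), 'ext_ip': ext_ip, 'ext_ports': (lo, hi),
            'int_ip': int_ip, 'int_port': int(int_port),
            'outbound': 'out' in tokens[3:], 'comment': comment.strip()}

def parse_forwardrules(cfg_text):
    """Every quoted rule in a forwardrules block, parsed."""
    return [parse_rule(m) for m in RULE_RE.findall(cfg_text)]

def openvpn_listener(server_conf):
    """Protocol and port the OpenVPN server listens on (OpenVPN defaults: udp, 1194)."""
    proto, port = 'udp', 1194
    for line in server_conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith('#'):
            continue
        if parts[0] == 'proto':
            proto = parts[1].split('-')[0].lower()   # "tcp-server" -> "tcp"
        elif parts[0] == 'port':
            port = int(parts[1])
    return proto, port

def find_inbound_forward(rules, proto, port):
    """Inbound rules whose protocol and external port range cover the listener."""
    return [r for r in rules if not r['outbound'] and r['proto'] == proto
            and r['ext_ports'][0] <= port <= r['ext_ports'][1]]

def check(cfg_text, server_conf):
    """Verdict string: is the OpenVPN listener covered by an inbound forward rule?"""
    proto, port = openvpn_listener(server_conf)
    hits = find_inbound_forward(parse_forwardrules(cfg_text), proto, port)
    if hits:
        return f"OK: {proto}/{port} forwarded to {hits[0]['int_ip']}:{hits[0]['int_port']}"
    return f"MISSING: no inbound forward rule covers {proto}/{port}"
```

Run `check(AR7_FORWARDRULES, SERVER_CONF)` to get the verdict for the posted configuration, or feed it the full forwardrules block from your own ar7.cfg.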
 

AndreR

JPAdie wrote:
Sorry, I have been absent. Thanks for your patience.
No problem at all, that's what forums are for.

JPAdie wrote:
The relevant portion of the ar7.cfg is as follows:
Looks good.

JPAdie wrote:
On the ATA side: yes, I use the 7050 in combination with a Gigaset SX353 to run my telephony.

I am, however, getting multiple DSL de-syncs with this box, several per hour and nearly always when there is burst traffic. Contrast this with my old Draytek, which used to maintain the DSL connection for weeks at a time. This may lead me to start using the 7050 JUST as an ATA and hook it up to a different DSL modem and PPPoE client.
There's the hook. What kind of modem runs the internet connection? If it's a router, then you have to forward port 1194 (tcp) on that machine to the FBF.
 

JPAdie

At the moment the 7050 is acting as the DSL modem and gateway router.

I was just mentioning that it was de-syncing a lot out of interest.

So ... any thoughts why the OpenVPN server may not be receiving port 1194 traffic from outside the subnet?
 

JPAdie

Resolved

The OpenSSL mod is now working fine. I reran the /bin/ar7cfgchanged binary and this time the routing stuck properly.
 
