
OpenVPN over 7050

This topic in the forum "FRITZ!Box Fon: Modifikationen" was created by JPAdie, 1 Oct 2006.

  1. JPAdie

    JPAdie New User

    Member since:
    20 Sep 2006
    Posts:
    74
    Likes:
    0
    Trophy points:
    0
    I spoke too soon in a recent thread, when I thought I had OpenVPN working properly. In fact it seems that it is working inside my LAN but not from outside. I cannot reach it from a static IP to the router.

    My internal LAN is all on the 10.8.0.0/24 subnet. I'm trying to establish the VPN in bridge mode with the following topology:

    router: 10.8.0.1
    vpn gateway: 10.8.0.2
    dhcp server: 10.8.0.5 (also serves DNS and WINS)

    The DHCP server will lease addresses to VPN clients.

    All this works if I try to connect to the 10.8.0.2 gateway inside the network (or 10.8.0.1, in fact). It doesn't work from outside.

    I have set an IP forwarding rule in the ar7.cfg file to point all incoming traffic on port 1194 to 10.8.0.1, which should do the trick, but seemingly not.

    My server.conf and debug.cfg are:

    server.conf
    Code:
    daemon
    proto tcp-server
    port 1194
    dev tap0
    dev-node /dev/misc/net/tun
    mode server
    tls-server
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
    ifconfig 10.8.0.2 255.255.255.0
    client-to-client
    keepalive 10 60
    comp-lzo
    persist-key
    persist-tun
    verb 3
    
    debug.cfg
    Code:
    cd /var/tmp
    mkdir vpn
    cd vpn
    wget ftp://10.8.0.5/brctl
    wget ftp://10.8.0.5/ca.crt
    wget ftp://10.8.0.5/dh1024.pem
    wget ftp://10.8.0.5/fritz.conf
    wget ftp://10.8.0.5/openvpn
    wget ftp://10.8.0.5/server.conf
    wget ftp://10.8.0.5/server.crt
    wget ftp://10.8.0.5/server.key
    chmod 0600 ./*
    chmod +x ./openvpn
    chmod +x ./brctl
    /var/tmp/vpn/openvpn --config /var/tmp/vpn/fritz.conf
    /var/tmp/vpn/brctl addif lan tap0
    
    An ifconfig gives the following output:
    Code:
    dsl       Link encap:Point-Point Protocol
              inet addr:192.168.179.1  P-t-P:192.168.179.1  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:1724 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2078 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:278391 (271.8 KiB)  TX bytes:430953 (420.8 KiB)
    
    eth0      Link encap:Ethernet  HWaddr 00:15:0C:97:46:1E
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:4078 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3054 errors:0 dropped:0 overruns:0 carrier:0
              collisions:1367 txqueuelen:100
              RX bytes:2603889 (2.4 MiB)  TX bytes:505053 (493.2 KiB)
    
    eth1      Link encap:Ethernet  HWaddr 00:15:0C:97:46:1F
              UP BROADCAST ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
              Base address:0x2800
    
    lan       Link encap:Ethernet  HWaddr 00:15:0C:97:46:1E
              inet addr:10.8.0.1  Bcast:10.255.255.255  Mask:255.255.255.0
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:4098 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3029 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:2555254 (2.4 MiB)  TX bytes:496047 (484.4 KiB)
    
    lan:0     Link encap:Ethernet  HWaddr 00:15:0C:97:46:1E
              inet addr:192.168.178.254  Bcast:192.168.178.255  Mask:255.255.255.0
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
    
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:223 errors:0 dropped:0 overruns:0 frame:0
              TX packets:223 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:30170 (29.4 KiB)  TX bytes:30170 (29.4 KiB)
    
    tap0      Link encap:Ethernet  HWaddr 00:FF:F6:AD:A2:76
              inet addr:10.8.0.2  Bcast:10.8.0.255  Mask:255.255.255.0
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:27006 (26.3 KiB)
    
    usbrndis  Link encap:Ethernet  HWaddr 00:15:0C:97:46:22
              UP BROADCAST ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    The addition to ar7.cfg was:
    Code:
    "tcp 0.0.0.0:1194 10.8.0.1:1194 0 #openvpn",
    
    Do I, perhaps, need to explicitly bridge the tap0 interface? Or what else am I doing wrong? All help gratefully received.

    Thanks
    Justin
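
An added example, not part of the thread: the debug.cfg above fetches the openvpn binary, the CA, the server certificate and the private key over cleartext FTP from 10.8.0.5 at every boot, and starts whatever arrived. Anything on the LAN that can answer for 10.8.0.5, or edit the files on it, then decides which CA this server trusts and which binary it runs, and nothing records that it happened. The script below keeps the posted sequence (same host, same file names, the same wget and brctl calls) but refuses to start unless each fetched file matches a SHA-256 pinned in the script itself, so the trust decision travels with the firmware image rather than with the FTP server. The pin values shown are placeholders to be replaced with digests computed on the machine that generated the files, and the 0700 directory mode is my choice, not the thread's.

```python
"""Added example (not from the thread): the debug.cfg start-up sequence
with every fetched file pinned to a SHA-256 before OpenVPN is started."""
import hashlib
import hmac
import os
import subprocess
from pathlib import Path

# Names and paths as in the posted debug.cfg. The digests are placeholders:
# compute them once on the machine that produced the files (sha256sum ca.crt
# and so on) and paste them here, where they travel with the firmware image
# rather than with the FTP server.
FTP_HOST = "10.8.0.5"
VPN_DIR = Path("/var/tmp/vpn")
EXECUTABLES = {"openvpn", "brctl"}
PINS = {
    "openvpn":    "<sha256 of the openvpn binary>",
    "brctl":      "<sha256 of the brctl binary>",
    "ca.crt":     "<sha256 of ca.crt>",
    "dh1024.pem": "<sha256 of dh1024.pem>",
    "fritz.conf": "<sha256 of fritz.conf>",
    "server.crt": "<sha256 of server.crt>",
    "server.key": "<sha256 of server.key>",
}


def sha256_file(path) -> str:
    """Hex SHA-256 of a file, read in chunks (the box has little RAM)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pins(directory, pins: dict) -> list:
    """Names whose file is missing or whose digest differs from its pin.

    An empty list means every pinned file is present and unchanged.
    """
    bad = []
    for name, expected in pins.items():
        path = Path(directory) / name
        if not path.is_file() or not hmac.compare_digest(sha256_file(path), expected):
            bad.append(name)
    return bad


def fetch_all():
    """Download every pinned file the way debug.cfg does (wget over FTP)."""
    for name in PINS:
        subprocess.run(["wget", f"ftp://{FTP_HOST}/{name}"], cwd=VPN_DIR, check=True)


def start_vpn():
    """Fetch, verify, fix permissions, then start openvpn and bridge tap0."""
    VPN_DIR.mkdir(mode=0o700, exist_ok=True)
    os.chmod(VPN_DIR, 0o700)          # nobody else on the box reads the key
    fetch_all()
    bad = verify_pins(VPN_DIR, PINS)
    if bad:
        raise SystemExit(f"refusing to start OpenVPN: pin check failed for {bad}")
    for name in PINS:
        os.chmod(VPN_DIR / name, 0o700 if name in EXECUTABLES else 0o600)
    subprocess.run([str(VPN_DIR / "openvpn"), "--config", str(VPN_DIR / "fritz.conf")], check=True)
    subprocess.run([str(VPN_DIR / "brctl"), "addif", "lan", "tap0"], check=True)


if __name__ == "__main__":
    start_vpn()
```

The check only protects the files named in PINS; a new file name added to the FTP host is never fetched, and a changed pin has to go through whatever process updates the firmware image, which is the point.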
     
  2. AndreR

    AndreR Active Member

    Member since:
    4 Jan 2006
    Posts:
    1,579
    Likes:
    0
    Trophy points:
    0
    Occupation:
    IT specialist for application development (Fachinformatiker für Anwendungsentwicklung)
    Hi

    I don't know if I read correctly what you want, but the forward rule seems a bit tricky. Try changing this:
    Code:
    "tcp 0.0.0.0:1194 10.8.0.1:1194 0 #openvpn",
    to this
    Code:
    "tcp 0.0.0.0:1194 0.0.0.0:1194 0 #openvpn",
    Could you post the client config too? And what does OpenVPN say when you start it on the client? The message should state the problem.

    And last but not least: you download the certificates "on the fly". You do know that your security is gone with that? ;)

    EDIT: Oh, I see, you load them from your intranet, that's okay.
     
  3. JPAdie

    Thanks

    I will try your suggestion.

    The OpenVPN client just says it can't connect. It can connect if I point the tunnel at the internal address of the server (10.8.0.1 or 10.8.0.2).

    I don't think that the security is bad, as the "on the fly" certificate download is taken from an FTP server inside the private subnet. If someone is already inside the subnet then everything is open anyway. Or am I missing something?

    The client config is this:
    Code:
    client
    proto tcp-client
    port 1194
    remote www.no3.co.uk
    ns-cert-type server
    dev tap0
    nobind
    persist-key
    persist-tun
    ca ca.crt
    cert toshiba.crt
    key toshiba.key
    comp-lzo
    verb 3
    
    Will post back with results of your suggestion.
     
  4. AndreR

    Another idea: you use comp-lzo.
    Do you also use an FBF binary that has comp-lzo support? Where did you get it from?

    But my idea: if it works internally (bad testing environment) it should be an issue with the port forwarding.
     
  5. JPAdie

    I was not aware that it needed a separate binary. The HOWTO on the OpenVPN site does not suggest so, nor does the tutorial at http://www.wehavemorefun.de/fritzbox/OpenVPN (although I am guessing at a lot of the German).

    But I don't think this is the problem, as the tunnel works internally, it just won't connect externally. Therefore somehow I need to get the FBF listening on 1194 and transferring the request to the tap0 interface.
     
  6. JPAdie

    I have tried changing the IP forwarding rule as you suggested, but the same behaviour is exhibited.

    The error message from the client VPN console is the following:

    Code:
    Mon Oct 02 12:02:05 2006 OpenVPN 2.0.8 Win32-MinGW [SSL] [LZO] built on Sep 11 2006
    Mon Oct 02 12:02:05 2006 LZO compression initialized
    Mon Oct 02 12:02:05 2006 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Mon Oct 02 12:02:05 2006 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
    Mon Oct 02 12:02:05 2006 Local Options hash (VER=V4): '31fdf004'
    Mon Oct 02 12:02:05 2006 Expected Remote Options hash (VER=V4): '3e6d1056'
    Mon Oct 02 12:02:05 2006 Attempting to establish TCP connection with 217.66.125.225:1194
    Mon Oct 02 12:02:26 2006 TCP: connect to 217.66.125.225:1194 failed, will try again in 5 seconds
    
    ... and it continues every 5 seconds.

    If I connect to the internal address I get the following message:
    Code:
    Mon Oct 02 12:05:14 2006 OpenVPN 2.0.8 Win32-MinGW [SSL] [LZO] built on Sep 11 2006
    Mon Oct 02 12:05:14 2006 LZO compression initialized
    Mon Oct 02 12:05:14 2006 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Mon Oct 02 12:05:14 2006 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
    Mon Oct 02 12:05:14 2006 Local Options hash (VER=V4): '31fdf004'
    Mon Oct 02 12:05:14 2006 Expected Remote Options hash (VER=V4): '3e6d1056'
    Mon Oct 02 12:05:14 2006 Attempting to establish TCP connection with 10.8.0.2:1194
    Mon Oct 02 12:05:14 2006 TCP connection established with 10.8.0.2:1194
    Mon Oct 02 12:05:14 2006 TCPv4_CLIENT link local: [undef]
    Mon Oct 02 12:05:14 2006 TCPv4_CLIENT link remote: 10.8.0.2:1194
    Mon Oct 02 12:05:14 2006 TLS: Initial packet from 10.8.0.2:1194, sid=df9d8e84 a42500ff
    Mon Oct 02 12:05:15 2006 VERIFY OK: depth=1, /C=UK/ST=LND/L=London/O=Adie_and_Co/CN=adieco.lan/emailAddress=justin.adie@adieandco.com
    Mon Oct 02 12:05:15 2006 VERIFY OK: nsCertType=SERVER
    Mon Oct 02 12:05:15 2006 VERIFY OK: depth=0, /C=UK/ST=LND/O=Adie_and_Co/CN=server/emailAddress=justin.adie@adieandco.com
    Mon Oct 02 12:05:16 2006 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Oct 02 12:05:16 2006 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Oct 02 12:05:16 2006 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Oct 02 12:05:16 2006 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Oct 02 12:05:16 2006 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Mon Oct 02 12:05:16 2006 [server] Peer Connection Initiated with 10.8.0.2:1194
    Mon Oct 02 12:05:17 2006 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Mon Oct 02 12:05:17 2006 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 60'
    Mon Oct 02 12:05:17 2006 OPTIONS IMPORT: timers and/or timeouts modified
    Mon Oct 02 12:05:17 2006 TAP-WIN32 device [Local Area Connection 8] opened: \\.\Global\{B9059475-E6DC-4C6E-A12D-EA8D4C6774DA}.tap
    Mon Oct 02 12:05:17 2006 TAP-Win32 Driver Version 8.1 
    Mon Oct 02 12:05:17 2006 TAP-Win32 MTU=1500
    Mon Oct 02 12:05:18 2006 Successful ARP Flush on interface [5] {B9059475-E6DC-4C6E-A12D-EA8D4C6774DA}
    Mon Oct 02 12:05:18 2006 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Mon Oct 02 12:05:18 2006 Route: Waiting for TUN/TAP interface to come up...
    Mon Oct 02 12:05:19 2006 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Mon Oct 02 12:05:19 2006 Route: Waiting for TUN/TAP interface to come up...
    Mon Oct 02 12:05:19 2006 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down
    Mon Oct 02 12:05:19 2006 Route: Waiting for TUN/TAP interface to come up...
    Mon Oct 02 12:05:20 2006 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up
    Mon Oct 02 12:05:20 2006 Initialization Sequence Completed
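
The two "Options hash" lines in the log are OpenVPN's own check that both ends agree on transport, device type, compression, cipher and HMAC, and the internal run shows that for the posted pair they do. The script below, an added example rather than code from the thread or from the OpenVPN project, makes the same comparison offline from the server.conf in post 1 and the client config in post 3, plus the port the client dials, so a mismatch is found before the router is touched. It keeps only the options that take part in the comparison, applies the OpenVPN 2.0 defaults (BF-CBC, SHA1, port 1194) where an option is absent, and includes a constructed client config with three deliberate mismatches to show what a report looks like. A consistent pair says nothing about reachability: the failing external connect in the first log never gets as far as TLS, which is a forwarding problem and not an options problem. Separately, the defaults the log shows (BF-CBC, SHA1, 1024-bit RSA and DH) were normal for 2.0.8 in 2006; current OpenVPN and OpenSSL builds warn on or reject them, so a setup rebuilt from these files today needs an explicit cipher and larger keys.

```python
"""Added example (not from the thread or the OpenVPN project): compare the
options an OpenVPN 2.0 server and client must agree on, offline."""

# Constructed from the posted server.conf and client config; options that
# take no part in the comparison (daemon, persist-*, verb, ...) are left out.
SERVER_CONF = """\
proto tcp-server
port 1194
dev tap0
mode server
tls-server
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
comp-lzo
"""

CLIENT_CONF = """\
client
proto tcp-client
port 1194
remote www.no3.co.uk
dev tap0
ca ca.crt
cert toshiba.crt
key toshiba.key
comp-lzo
"""

# Constructed counter-example: UDP instead of tcp-client, tun instead of
# tap, and no comp-lzo, so the check has something to report.
MISMATCHED_CLIENT = """\
client
proto udp
remote www.no3.co.uk 1194
dev tun
ca ca.crt
cert toshiba.crt
key toshiba.key
"""

# OpenVPN 2.0 defaults when the option is absent; the log shows exactly these.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1", "port": "1194"}


def parse_conf(text):
    """Map option name -> list of argument lists ('#' and ';' start comments)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts


def _arg(opts, name):
    """First argument of `name` if given, else its 2.0 default, else None."""
    return opts[name][0][0] if opts.get(name) and opts[name][0] else DEFAULTS.get(name)


def _transport(opts, role):
    """Reduce --proto to (udp|tcp, server|client); bare 'tcp' takes the peer's own role."""
    proto = _arg(opts, "proto") or "udp"
    if proto.startswith("udp"):
        return "udp", role
    return "tcp", {"tcp-server": "server", "tcp-client": "client"}.get(proto, role)


def _dev_type(opts):
    """'tap' or 'tun' from --dev-type, else from the --dev name (tap0 -> tap)."""
    return _arg(opts, "dev-type") or ("tap" if (_arg(opts, "dev") or "").startswith("tap") else "tun")


def cross_check(server_text, client_text):
    """Return mismatch descriptions; an empty list means the pair is consistent."""
    s, c = parse_conf(server_text), parse_conf(client_text)
    findings = []
    s_tr, s_role = _transport(s, "server")
    c_tr, c_role = _transport(c, "client")
    if s_tr != c_tr:
        findings.append(f"transport: server {s_tr} vs client {c_tr}")
    elif s_tr == "tcp" and (s_role, c_role) != ("server", "client"):
        findings.append(f"tcp roles: server side is {s_role}, client side is {c_role}")
    # Port the client dials: 'remote host port', else --rport, else --port.
    remote = c.get("remote", [[]])[0]
    c_port = remote[1] if len(remote) > 1 else (_arg(c, "rport") or _arg(c, "port"))
    s_port = _arg(s, "lport") or _arg(s, "port")
    if s_port != c_port:
        findings.append(f"port: server listens on {s_port}, client dials {c_port}")
    if _dev_type(s) != _dev_type(c):
        findings.append(f"dev: server {_dev_type(s)} vs client {_dev_type(c)}")
    # comp-lzo, cipher and auth are part of the options string on both sides.
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        findings.append("comp-lzo set on one side only")
    for opt in ("cipher", "auth"):
        if _arg(s, opt) != _arg(c, opt):
            findings.append(f"{opt}: server {_arg(s, opt)} vs client {_arg(c, opt)}")
    return findings
```

`cross_check(SERVER_CONF, CLIENT_CONF)` returns an empty list for the posted pair; `cross_check(SERVER_CONF, MISMATCHED_CLIENT)` reports the transport, device and compression mismatches in that order.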
    
     
  7. AndreR

    Hi,

    I don't know if the binary you use supports comp-lzo... but it seems so, because you can connect internally.

    Your forward rule seems to be defective, because there is no connection to the port used.
    Do you use your FBF as an ATA? Is there another modem/router in front of it?
    And (it would not be the first time :)) have you rebooted the box after changing the forward rule?

    If you want to try: the latest OpenVPN version (2.1beta15 with OpenSSL 0.9.8d) is here
     
  8. JPAdie

    Thanks AndreR

    I agree that the forward rule appears wrong. I always find it difficult to get my head around bridging. Basically I need to direct all incoming traffic on the DSL interface on port 1194 to the internal interface on which the OpenVPN server is located (10.8.0.2).

    BTW, I do reboot after changing this file (/sbin/reboot).
     
  9. AndreR

    Could you please post the specific part of the ar7.cfg where your forward rules are shown?

    And: do you use the FBF as an ATA?
     
  10. JPAdie

    Sorry, I have been absent. Thanks for your patience.

    The relevant portion of the ar7.cfg is as follows:
    Code:
    dslifaces {
                   enabled = yes;
                   name = "internet";
                   dsl_encap = dslencap_inherit;
                   ppptarget = "internet";
                   etherencapcfg {
                           use_dhcp = yes;
                           ipaddr = 0.0.0.0;
                           netmask = 0.0.0.0;
                           gateway = 0.0.0.0;
                           dns1 = 0.0.0.0;
                           dns2 = 0.0.0.0;
                   }
                   stay_always_online = yes;
                   redial_delay_after_auth_failure = 1m;
                   redial_limit = 3;
                   redial_after_limit_reached = 1h;
                   username_prefix_after_auth_failure = "";
                   redial_delay_after_low_error = 10s;
                   dsldpconfig {
                           security = dpsec_firewall;
                           lowinput {
                                   policy = "permit";
                                   accesslist = 
                                                "deny ip any 242.0.0.0 255.0.0.0", 
                                                "deny ip any host 255.255.255.255", 
                                                "deny udp any any eq 135", 
                                                "deny tcp any any eq 135", 
                                                "deny udp any any range 137 139", 
                                                "deny tcp any any range 137 139", 
                                                "deny udp any any range 161 162", 
                                                "deny udp any any eq 520", 
                                                "deny udp any any eq 111", 
                                                "deny udp any any eq 22289", 
                                                "deny udp any any eq 1710", 
                                                "deny udp any any eq 1048", 
                                                "deny udp any any eq 158", 
                                                "deny udp any any eq 515";
                           }
                           lowoutput {
                                   policy = "permit";
                           }
                           highinput {
                                   policy = "permit";
                           }
                           highoutput {
                                   policy = "permit";
                                   accesslist = 
                                                "reject ip any 242.0.0.0 255.0.0.0", 
                                                "deny ip any host 255.255.255.255", 
                                                "reject ip any 169.254.0.0 255.255.0.0", 
                                                "reject udp any any eq 135", 
                                                "reject tcp any any eq 135", 
                                                "reject udp any any range 137 139", 
                                                "reject tcp any any range 137 139", 
                                                "reject udp any any range 161 162", 
                                                "reject udp any any eq 520", 
                                                "reject udp any any eq 111", 
                                                "reject udp any any eq 22289", 
                                                "reject udp any any eq 1710", 
                                                "reject udp any any eq 1048", 
                                                "reject udp any any eq 158", 
                                                "reject udp any any eq 515", 
                                                "reject icmp any 149.1.1.0 255.255.255.0", 
                                                "reject tcp any host 202.106.185.127 eq 25";
                           }
                           forwardrules = "tcp 0.0.0.0:0 0.0.0.0:0 1 out", 
                                          "udp 0.0.0.0:0 0.0.0.0:0 1 out", 
                                          "udp 0.0.0.0:5060 0.0.0.0:5060", 
                                          "udp 0.0.0.0:7078 0.0.0.0:7078", 
                                          "udp 0.0.0.0:7079 0.0.0.0:7079", 
                                          "udp 0.0.0.0:7080 0.0.0.0:7080", 
                                          "udp 0.0.0.0:7081 0.0.0.0:7081", 
                                          "udp 0.0.0.0:7082 0.0.0.0:7082", 
                                          "udp 0.0.0.0:7083 0.0.0.0:7083", 
                                          "udp 0.0.0.0:7084 0.0.0.0:7084", 
                                          "udp 0.0.0.0:7085 0.0.0.0:7085", 
                                          "tcp 0.0.0.0:8089 0.0.0.0:8089", 
                                          "tcp 0.0.0.0:3389 10.8.0.5:3389 0 # MS Remotedesktop", 
                                          "tcp 0.0.0.0:25 10.8.0.5:25 0 # SMTP", 
                                          "tcp 0.0.0.0:80 10.8.0.5:80 0 # HTTP-Server", 
                                          "tcp 0.0.0.0:443 10.8.0.5:443 0 # HTTP-Server SSL", 
                                          "tcp 0.0.0.0:5678+2 10.8.0.5:5678 0 # ActiveSync", 
                                          "tcp 0.0.0.0:999 10.8.0.5:999 0 # Time Server", 
                                          "tcp 0.0.0.0:990 10.8.0.5:990 0 # RAPI", 
                                          "tcp 0.0.0.0:21 10.8.0.5:21 0 # FTP-Server", 
                                          "tcp 0.0.0.0:1149 0.0.0.0:1149 0 # openpvn";
                           shaper = "globalshaper";
                   }
    
    On the ATA side: yes, I use the 7050 in combination with a Gigaset SX353 to run my telephony.

    I am, however, getting multiple DSL de-syncs with this box, several per hour and nearly always when there is burst traffic. Contrast this with my old DrayTek, which used to maintain the DSL connection for weeks at a time. This may lead me to start using the 7050 JUST as an ATA and hook it up to a different DSL modem and PPPoE client.
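
An added check, not from the thread: as posted, the forwardrules block contains no tcp/1194 entry at all; its last rule forwards tcp 1149 and carries the comment "openpvn". A rule the file does not contain cannot survive a reboot, and that class of slip is easier to catch by parsing the file than by reading it. The script below parses the `forwardrules = ...;` list into records (protocol, external address and port or range, internal address and port, the numeric flag, the "out" marker, the comment), reports whether a given protocol/port is forwarded and to which host, and lists single-port rules whose digits are a permutation of the wanted port. It runs on an excerpt of the block above, copied verbatim. Two assumptions are mine rather than documented on this page: `base+count` (as in 5678+2) covers count additional ports, and an internal address of 0.0.0.0 denotes the box itself, which is how AndreR's suggested rule uses it.

```python
"""Added example (not from the thread or from AVM): parse the forwardrules
of an ar7.cfg and check whether one protocol/port is actually forwarded."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: an excerpt of the forwardrules block posted above,
# including its last entry exactly as written.
AR7_CFG_EXCERPT = r'''
forwardrules = "tcp 0.0.0.0:0 0.0.0.0:0 1 out", 
               "udp 0.0.0.0:0 0.0.0.0:0 1 out", 
               "udp 0.0.0.0:5060 0.0.0.0:5060", 
               "tcp 0.0.0.0:8089 0.0.0.0:8089", 
               "tcp 0.0.0.0:3389 10.8.0.5:3389 0 # MS Remotedesktop", 
               "tcp 0.0.0.0:80 10.8.0.5:80 0 # HTTP-Server", 
               "tcp 0.0.0.0:5678+2 10.8.0.5:5678 0 # ActiveSync", 
               "tcp 0.0.0.0:21 10.8.0.5:21 0 # FTP-Server", 
               "tcp 0.0.0.0:1149 0.0.0.0:1149 0 # openpvn";
shaper = "globalshaper";
'''


@dataclass
class ForwardRule:
    proto: str            # "tcp" or "udp"
    ext_addr: str
    ext_lo: int           # first external port
    ext_hi: int           # last external port (== ext_lo unless "base+count")
    int_addr: str         # assumption: 0.0.0.0 means the box itself
    int_port: int
    flag: Optional[int]   # the numeric field after the addresses, kept as-is
    outbound: bool        # rules ending in "out" are not inbound forwards
    comment: str


def _endpoint(text):
    """'addr:port' or 'addr:base+count' -> (addr, lo, hi).

    Assumption: "base+count" spans count additional ports, so 5678+2 is
    5678-5680. For the internal side only the first port is used.
    """
    addr, _, port = text.rpartition(":")
    m = re.fullmatch(r"(\d+)(?:\+(\d+))?", port)
    if not addr or not m:
        raise ValueError(f"unparseable endpoint {text!r}")
    lo = int(m.group(1))
    return addr, lo, lo + int(m.group(2) or 0)


def parse_forwardrules(cfg_text):
    """Return the ForwardRule list from the first 'forwardrules = ...;' block."""
    m = re.search(r"forwardrules\s*=\s*(.*?);", cfg_text, re.S)
    if not m:
        return []
    rules = []
    for raw in re.findall(r'"([^"]*)"', m.group(1)):
        body, _, comment = raw.partition("#")
        tokens = body.split()
        if len(tokens) < 3:
            raise ValueError(f"unparseable rule {raw!r}")
        ext_addr, lo, hi = _endpoint(tokens[1])
        int_addr, int_port, _ = _endpoint(tokens[2])
        flag = int(tokens[3]) if len(tokens) > 3 and tokens[3].isdigit() else None
        rules.append(ForwardRule(tokens[0].lower(), ext_addr, lo, hi, int_addr,
                                 int_port, flag, "out" in tokens[3:], comment.strip()))
    return rules


def find_forward(rules, proto, port):
    """First inbound rule whose external range covers proto/port, else None."""
    for r in rules:
        if not r.outbound and r.proto == proto and r.ext_lo <= port <= r.ext_hi:
            return r
    return None


def near_misses(rules, proto, port):
    """Inbound single-port rules whose port is a digit permutation of `port`
    (the typo class in the posted file: 1149 where 1194 was meant)."""
    digits = sorted(str(port))
    return [r for r in rules
            if not r.outbound and r.proto == proto and r.ext_lo == r.ext_hi
            and r.ext_lo != port and sorted(str(r.ext_lo)) == digits]


def check_forward(cfg_text, proto="tcp", port=1194):
    """Summarise whether proto/port is forwarded, to where, and likely typos."""
    rules = parse_forwardrules(cfg_text)
    hit = find_forward(rules, proto, port)
    return {
        "forwarded": hit is not None,
        "target": f"{hit.int_addr}:{hit.int_port}" if hit else None,
        "near_misses": [f"{r.proto}/{r.ext_lo} ({r.comment})" for r in near_misses(rules, proto, port)],
    }


if __name__ == "__main__":
    print(check_forward(AR7_CFG_EXCERPT))
```

On the excerpt, `check_forward` reports `forwarded: False` with the near miss `tcp/1149 (openpvn)`. Running it over the whole ar7.cfg before `/sbin/reboot` or before rerunning ar7cfgchanged costs nothing and saves a reboot cycle per typo.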
     
  11. AndreR

    No problem at all, that's what forums are for.

    Looks good.

    There's the hook. What kind of modem runs the internet connection? If it's a router, then you have to forward port 1194 (TCP) on that machine to the FBF.
     
  12. JPAdie

    At the moment the 7050 is acting as the DSL modem and gateway router.

    I was just mentioning that it was de-syncing a lot, out of interest.

    So... any thoughts why the OpenVPN server may not be receiving port 1194 traffic from outside the subnet?
     
  13. JPAdie

    Resolved

    The openssl mod is now working fine. I reran the /bin/ar7cfgchanged binary and this time the routing stuck properly.