Well yes and no. Some things work and I'm not sure why as the return route is wrong below. It should be pointing to .6 not .2. Not sure if you picked that up sorry.
Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
Date: Friday, 26 May 2017 at 1:56 pm
To: AstLinux List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux

Michael,

Can your IBC_Office reach the AstLinux web interface at 172.30.253.1 ?

If not, possibly the ERX is blocking it ?

Lonnie

On May 25, 2017, at 6:45 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:

> Hi Lonnie
>
> I don't need to push any routes to the client though.
> 172.16.16.0/24 is at IBC_Office but the server is routing this to
> 172.30.253.2 (A Yealink phone) rather than 172.30.253.6.
> So I'm wondering how you set the routing to be correct?
>
> PS. I always use 172.30 as it is rarely used by customers so no overlap when
> I install a new system.
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Friday, 26 May 2017 at 9:38 am
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>
> Michael,
>
> The ccd "iroute" and raw "route" are the remote (ERX) subnets. IBC_Office ?
> Looks correct.
>
> In order for your ERX to have a route to an AstLinux subnet you need to
> "push" 'route ...' so the client adds routes over the VPN.
>
> Though your VPN clients should be able to see the AstLinux web interface at
> 172.30.253.1 it would seem.
>
> Looks like you have it working, possibly lacking pushing routes to the
> clients.
>
> You know about the 10.0.0.0/8 private networks, they are there to use :-)
>
> Lonnie
>
>
> On May 25, 2017, at 6:03 PM, Michael Knill
> <michael.kn...@ipcsolutions.com.au> wrote:
>
>> Hi Lonnie
>> Yes sorry for the ambiguity.
>>
>> 1) Yes
>> 2) No I'm trying to connect to the Astlinux Web GUI on the OpenVPN server
>> interface e.g. .1 of the subnet. I'm actually not routing any traffic to any
>> other subnets as it's just used for telephony access.
>>
>> Ok I think I have found the problem but I don't know why it's happening.
>> There are multiple clients connected to this server. For some reason the
>> route is pointing to the first client connected. Is this what iroute is
>> meant to sort out? I'm not actually sure why it works at all!
>>
>> OpenVPN Server Status:
>> Common Name   Real Address           Virtual Address  Bytes Received  Bytes Sent  Connected Since
>> 001565AC4CB9  124.171.108.172:50893  172.30.253.4     4008            4947        Fri May 26 08:48:37 2017
>> 001565859116  124.171.108.172:39331  172.30.253.2     4024            4883        Fri May 26 08:48:35 2017
>> IBC_Office    115.187.181.61:49708   172.30.253.6     6384            7090        Fri May 26 08:48:34 2017
>>
>> 1222-IBC-APP1 kd # ip route
>> default via 103.241.6.1 dev eth0
>> 103.241.6.0/24 dev eth0 proto kernel scope link src 103.241.6.47
>> 172.16.16.0/24 via 172.30.253.2 dev tun0
>> 172.30.253.0/24 dev tun0 proto kernel scope link src 172.30.253.1
>>
>> 172.16.16.0/24 is the subnet in IBC_Office.
>>
>> My raw commands are:
>> ifconfig-pool-linear
>> client-to-client
>> client-config-dir /mnt/kd/openvpn/ccd
>> route 172.16.16.0 255.255.255.0
>>
>> 1222-IBC-APP1 kd # ls -l /mnt/kd/openvpn/ccd
>> -rwxrwxrwx 1 root root 33 Apr 25 16:54 IBC_Office
>> 1222-IBC-APP1 kd # cat /mnt/kd/openvpn/ccd/IBC_Office
>> iroute 172.16.16.0 255.255.255.0
>> 1222-IBC-APP1 kd #
>>
>> How should I fix this?
>>
>> Regards
>> Michael Knill
>>
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Date: Thursday, 25 May 2017 at 10:04 pm
>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>>
>> Hi Michael,
>>
>> To be clear, are we talking about ...
>>
>> 1) Ubiquiti ERX OpenVPN client to AstLinux OpenVPN server
>>
>> 2) Ubiquiti ERX HTTPS outbound traffic is dropped
>>
>> Correct ?
>>
>> Is #2 to any destination ?
>>
>> Are you routing all ERX traffic over the VPN, or just selective pushed
>> routes ?
>>
>> Use "curl -LI ..." as a handy tool to follow redirects for HTTPS/HTTP client
>> requests.
>>
>> My first guess is the Ubiquiti ERX HTTPS has a firewall rule blocking HTTPS,
>> or routing it where you don't expect.
>>
>> Lonnie
>>
>>
>>
>> On May 25, 2017, at 1:28 AM, Michael Knill
>> <michael.kn...@ipcsolutions.com.au> wrote:
>>
>>> Hi all
>>>
>>> I have an Ubiquiti ERX router connected to an Astlinux server using Open
>>> VPN. It works great by the way however I am unable to use HTTPS. HTTP is ok.
>>> Is this because it's trying to use SSL over SSL? I wouldn’t have thought it
>>> mattered! It's using the standard port of 1194.
>>>
>>> Regards
>>> Michael Knill
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Astlinux-users mailing list
>> Astlinux-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to
>> pay...@krisk.org.
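
Added example, not part of the original thread or of AstLinux: in OpenVPN's multi-client server mode the kernel `route` only hands a packet to the tun device, and the `iroute` in the ccd file named after the client's Common Name selects which client receives it. The check below pairs the two, using the `route`, `iroute` and status values quoted in the thread as sample input; the function names and the exact-match rule between networks are assumptions of this example.

```python
import ipaddress

# Sample input assembled from the values quoted in the thread.
SERVER_RAW = """ifconfig-pool-linear
client-to-client
client-config-dir /mnt/kd/openvpn/ccd
route 172.16.16.0 255.255.255.0
"""
CCD_FILES = {"IBC_Office": "iroute 172.16.16.0 255.255.255.0\n"}  # file name -> contents
CONNECTED = {"001565AC4CB9": "172.30.253.4", "001565859116": "172.30.253.2",
             "IBC_Office": "172.30.253.6"}  # Common Name -> virtual address

def directive_nets(text, keyword):
    """Networks named by 'keyword NET [MASK]' lines; a missing mask means a host route."""
    found = []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 2 and parts[0] == keyword:
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            found.append(ipaddress.ip_network(f"{parts[1]}/{mask}"))
    return found

def check_routes(server_raw, ccd_files, connected):
    """Pair every server 'route' with the ccd 'iroute' that selects a client for it."""
    owners = {}
    for common_name, body in ccd_files.items():
        for net in directive_nets(body, "iroute"):
            owners.setdefault(net, []).append(common_name)
    routes = directive_nets(server_raw, "route")
    report = {}
    for net in routes:
        names = owners.get(net, [])
        if not names:
            report[str(net)] = "no iroute: packet reaches tun, OpenVPN has no client for it"
        elif len(names) > 1:
            report[str(net)] = "iroute claimed by several ccd files: " + ", ".join(sorted(names))
        elif names[0] not in connected:
            report[str(net)] = f"owner {names[0]} not connected (ccd file name must equal the Common Name)"
        else:
            report[str(net)] = f"delivered to {names[0]} at {connected[names[0]]}"
    for net in owners:
        if net not in routes:
            report[str(net)] = "iroute without a matching server 'route' line"
    return report

if __name__ == "__main__":
    for net, verdict in check_routes(SERVER_RAW, CCD_FILES, CONNECTED).items():
        print(net, "->", verdict)
```
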