Hmm strange it still doesn't work with the separate LAN interface.
Another funny thing. I can SSH to it over the VPN and then when I type in a 
command e.g. ifconfig I only get a portion of the output and then nothing and I 
have to close the session:

MacBook-Pro:scripts MichaelKnill$ ssh root@172.30.1.1
1222-IBC-APP1 kd # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:92:6A:1C
          inet addr:103.241.6.47  Bcast:103.241.6.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

⇒ no more output :(

Regards
Michael Knill

-----Original Message-----
From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
Date: Saturday, 27 May 2017 at 11:59 am
To: AstLinux List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux

Michael,

You did not mention what OpenVPN server "Topology" you are using.

Using the loopback interface won't work since you need to forward traffic 
to/from a LAN interface, without adding an additional interface create a vlan 
off eth0 (ex. eth0.10) and use that as your LAN interface.

Lonnie


On May 26, 2017, at 8:36 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> 
wrote:

> Hi Lonnie
> 
> Thanks for the info. I did a bit of testing this morning and I came to the 
> conclusion that I don't understand how OpenVPN routing works :(.
> E.g. here is the routing table:
> .....
> 172.16.16.0/24 via 172.30.253.1 dev tun0
> 172.30.253.0/24 dev tun0  proto kernel  scope link  src 172.30.253.1
> 
> I still can't understand why the routing table does not show 172.16.16.0/24 
> via 172.30.253.6 dev tun0 which is the VPN address of the device that has 
> that subnet. Maybe the iroute does not actually change the routing table and 
> there is a ‘magic happens here’ within OpenVPN that routes it correctly.
> 
> Anyway currently I can't route it to a LAN interface as this is a VM and it's 
> only got a single eth0. I can get another one added but can I set up a 
> loopback or something to overcome this?
> 
> Thanks so much.
> 
> Regards
> Michael Knill
> 
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Friday, 26 May 2017 at 10:27 pm
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
> 
> Michael,
> 
> Personally I always use OpenVPN server "Topology: [subnet]" provided all your 
> clients support that.  The old [net30] topology can be confusing.
> 
> If using an OpenVPN subnet IP for the web interface address is still a 
> problem, you may try using the LAN internal address (assuming you have one 
> defined) 
> 
> Network -> Firewall -> Firewall Options:
> 
> _x_ Allow OpenVPN Server tunnel to the [ 1st ] LAN Interface(s)
> 
> and on the OpenVPN server config ...
> 
> "push" route 192.168.110.1 255.255.255.255
> 
> so with the above and 192.168.110.1/24 was your 1st LAN interface on the 
> server, have your remote OpenVPN clients use 192.168.110.1 to reach the 
> server's web interface.
> 
> 
> On my lab bench test boxes I just tried this ...
> 
> MacBook (192.168.222.215) -> (LAN eth3) AstLinux w/OpenVPN client -> AstLinux 
> w/OpenVPN server (LAN eth1.10)
> 
> AstLinux w/OpenVPN client (tun2):
> # ip r
> ...
> 10.8.1.0/24 dev tun2  proto kernel  scope link  src 10.8.1.2
> 192.168.222.0/24 dev eth3  proto kernel  scope link  src 192.168.222.1
> 192.168.110.0/24 via 10.8.1.1 dev tun2
> ...
> 
> AstLinux w/OpenVPN server (tun0):
> # ip r
> ...
> 10.8.1.0/24 dev tun0  proto kernel  scope link  src 10.8.1.1
> 192.168.110.0/24 dev eth1.10  proto kernel  scope link  src 192.168.110.1
> 192.168.222.0/24 via 10.8.1.1 dev tun0
> ...
> 
> OpenVPN Server config:
> "raw" client-config-dir /etc/openvpn/ccd
>  /etc/openvpn/ccd/client: iroute 192.168.222.0 255.255.255.0
> "raw" route-gateway 10.8.1.1
> "raw" route 192.168.222.0 255.255.255.0
> "push" route 192.168.110.0 255.255.255.0
> 
> Network -> Firewall -> Firewall Options:
> _x_ Allow OpenVPN Server tunnel to the [ 1st ] LAN Interface(s)
> 
> 
> In this test example I was able to reach the "AstLinux w/OpenVPN server" web 
> interface from the MacBook (192.168.222.215) by using either 192.168.110.1 or 
> 10.8.1.1 .
> 
> Lonnie
> 
> 
> 
> On May 25, 2017, at 11:08 PM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> 
>> Well yes and no. Some things work and I'm not sure why as the return route is 
>> wrong below. It should be pointing to .6 not .2. Not sure if you picked that 
>> up sorry.
>> 
>> Regards
>> Michael Knill
>> 
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Date: Friday, 26 May 2017 at 1:56 pm
>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>> 
>> Michael,
>> 
>> Can your IBC_Office reach the AstLinux web interface at 172.30.253.1 ?
>> 
>> If not, possibly the ERX is blocking it ?
>> 
>> Lonnie
>> 
>> 
>> On May 25, 2017, at 6:45 PM, Michael Knill 
>> <michael.kn...@ipcsolutions.com.au> wrote:
>> 
>>> Hi Lonnie
>>> 
>>> I don't need to push any routes to the client though. 
>>> 172.16.16.0/24 is at IBC_Office but the server is routing this to 
>>> 172.30.253.2 (A Yealink phone) rather than 172.30.253.6.
>>> So I'm wondering how you set the routing to be correct?
>>> 
>>> PS. I always use 172.30 as it is rarely used by customers so no overlap 
>>> when I install a new system.
>>> 
>>> Regards
>>> Michael Knill
>>> 
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Date: Friday, 26 May 2017 at 9:38 am
>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>>> 
>>> Michael,
>>> 
>>> The ccd "iroute" and raw "route" are the remote (ERX) subnets. IBC_Office ? 
>>>  Looks correct.
>>> 
>>> In order for your ERX to have a route to an AstLinux subnet you need to 
>>> "push" 'route ...' so the client adds routes over the VPN.
>>> 
>>> Though your VPN clients should be able to see the AstLinux web interface at 
>>> 172.30.253.1 it would seem.
>>> 
>>> Looks like you have it working, possibly lacking pushing routes to the 
>>> clients.
>>> 
>>> You know about the 10.0.0.0/8 private networks, they are there to use :-)
>>> 
>>> Lonnie
>>> 
>>> 
>>> On May 25, 2017, at 6:03 PM, Michael Knill 
>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>> 
>>>> Hi Lonnie
>>>> Yes sorry for the ambiguity. 
>>>> 
>>>> 1) Yes
>>>> 2) No, I'm trying to connect to the Astlinux Web GUI on the OpenVPN server 
>>>> interface e.g. .1 of the subnet. I'm actually not routing any traffic to 
>>>> any other subnets as it's just used for telephony access.
>>>> 
>>>> Ok I think I have found the problem but I don't know why it's happening. 
>>>> There are multiple clients connected to this server. For some reason the 
>>>> route is pointing to the first client connected. Is this what iroute is 
>>>> meant to sort out? I'm actually not sure why it works at all!
>>>> 
>>>> OpenVPN Server Status:
>>>> Common Name        Real Address    Virtual Address Bytes Received  Bytes Sent      Connected Since
>>>> 001565AC4CB9       124.171.108.172:50893   172.30.253.4    4008    4947    Fri May 26 08:48:37 2017
>>>> 001565859116       124.171.108.172:39331   172.30.253.2    4024    4883    Fri May 26 08:48:35 2017
>>>> IBC_Office 115.187.181.61:49708    172.30.253.6    6384    7090    Fri May 26 08:48:34 2017
>>>> 
>>>> 1222-IBC-APP1 kd # ip route
>>>> default via 103.241.6.1 dev eth0
>>>> 103.241.6.0/24 dev eth0  proto kernel  scope link  src 103.241.6.47
>>>> 172.16.16.0/24 via 172.30.253.2 dev tun0
>>>> 172.30.253.0/24 dev tun0  proto kernel  scope link  src 172.30.253.1
>>>> 
>>>> 172.16.16.0/24 is the subnet in IBC_Office.
>>>> 
>>>> My raw commands are:
>>>> ifconfig-pool-linear
>>>> client-to-client
>>>> client-config-dir /mnt/kd/openvpn/ccd
>>>> route 172.16.16.0 255.255.255.0
>>>> 
>>>> 1222-IBC-APP1 kd # ls -l /mnt/kd/openvpn/ccd
>>>> -rwxrwxrwx    1 root     root            33 Apr 25 16:54 IBC_Office
>>>> 1222-IBC-APP1 kd # cat /mnt/kd/openvpn/ccd/IBC_Office
>>>> iroute 172.16.16.0 255.255.255.0
>>>> 1222-IBC-APP1 kd #
>>>> 
>>>> How should I fix this?
>>>> 
>>>> Regards
>>>> Michael Knill
>>>> 
>>>> -----Original Message-----
>>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>> Date: Thursday, 25 May 2017 at 10:04 pm
>>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>>>> 
>>>> Hi Michael,
>>>> 
>>>> To be clear, are we talking about ...
>>>> 
>>>> 1) Ubiquiti ERX OpenVPN client to AstLinux OpenVPN server
>>>> 
>>>> 2) Ubiquiti ERX HTTPS outbound traffic is dropped
>>>> 
>>>> Correct ?
>>>> 
>>>> Is #2 to any destination ?
>>>> 
>>>> Are you routing all ERX traffic over the VPN, or just selective pushed 
>>>> routes ?
>>>> 
>>>> Use "curl -LI ..." as a handy tool to follow redirects for HTTPS/HTTP 
>>>> client requests.
>>>> 
>>>> My first guess is the Ubiquiti ERX HTTPS has a firewall rule blocking 
>>>> HTTPS, or routing it where you don't expect.
>>>> 
>>>> Lonnie
>>>> 
>>>> 
>>>> 
>>>> On May 25, 2017, at 1:28 AM, Michael Knill 
>>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>>> 
>>>>> Hi all
>>>>> 
>>>>> I have an Ubiquiti ERX router connected to an Astlinux server using 
>>>>> OpenVPN. It works great by the way however I am unable to use HTTPS. HTTP is 
>>>>> ok.
>>>>> Is this because it's trying to use SSL over SSL? I wouldn’t have thought 
>>>>> it mattered! It's using the standard port of 1194.
>>>>> 
>>>>> Regards
>>>>> Michael Knill
>>>> 
>>>> 
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> Astlinux-users mailing list
>>>> Astlinux-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>> 
>>>> Donations to support AstLinux are graciously accepted via PayPal to 
>>>> pay...@krisk.org.
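An added sketch, not part of the thread and not OpenVPN's own code: a simplified model of the two lookups a packet for 172.16.16.0/24 passes through on the server, built from the routing table, status list and ccd file quoted in the messages above. It assumes a routed `dev tun` server, where the raw `route` line only gets the packet from the kernel into tun0 and the ccd `iroute` line is what OpenVPN uses internally to pick the client; all function names are hypothetical.

```python
import ipaddress

# Constructed from the values quoted in the thread (server 1222-IBC-APP1).
KERNEL_ROUTES = [  # (prefix, dev, via)
    ("0.0.0.0/0", "eth0", "103.241.6.1"),
    ("103.241.6.0/24", "eth0", None),
    ("172.16.16.0/24", "tun0", "172.30.253.2"),
    ("172.30.253.0/24", "tun0", None),
]
CLIENTS = {"001565AC4CB9": "172.30.253.4",   # common name -> virtual address
           "001565859116": "172.30.253.2",
           "IBC_Office": "172.30.253.6"}
CCD = {"IBC_Office": ["iroute 172.16.16.0 255.255.255.0"]}  # ccd file contents

def kernel_lookup(dst, routes=KERNEL_ROUTES):
    """Stage 1: kernel longest-prefix match. Returns (dev, via)."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), dev, via) for p, dev, via in routes
            if ip in ipaddress.ip_network(p)]
    if not hits:
        return (None, None)
    _, dev, via = max(hits, key=lambda h: h[0].prefixlen)
    return (dev, via)

def parse_iroutes(ccd):
    """Build the (network, common name) list from ccd 'iroute' lines."""
    table = []
    for cn, lines in ccd.items():
        for line in lines:
            parts = line.split()
            if parts and parts[0] == "iroute" and len(parts) >= 2:
                mask = parts[2] if len(parts) > 2 else "255.255.255.255"
                table.append((ipaddress.ip_network(f"{parts[1]}/{mask}"), cn))
    return table

def openvpn_lookup(dst, clients=CLIENTS, ccd=CCD):
    """Stage 2: model of OpenVPN's internal choice of client; None means dropped."""
    ip = ipaddress.ip_address(dst)
    for cn, vaddr in clients.items():
        if ip == ipaddress.ip_address(vaddr):
            return cn
    hits = [(net, cn) for net, cn in parse_iroutes(ccd) if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def deliver(dst, routes=KERNEL_ROUTES, clients=CLIENTS, ccd=CCD):
    """Follow a server-originated packet through both stages."""
    dev, _via = kernel_lookup(dst, routes)  # the 'via' never selects the client
    if dev != "tun0":
        return ("kernel", dev)
    return ("openvpn", openvpn_lookup(dst, clients, ccd))
```

In this model `deliver("172.16.16.50")` resolves to IBC_Office even though the kernel route names 172.30.253.2 as gateway; with the ccd entry removed the kernel still hands the packet to tun0, but the second lookup returns no client.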