[note: following contains ASCII art in the middle, and footnoted links at the
end]
summary: I need to tunnel one SSL VPN (F5, running on one debian host) through
another (OpenVPN, running on another debian host), but lose networking (e.g.,
`ping`) after the F5 VPN connects. I'm not sure whether this is due to my
firewall/iptables or VPN configuration, but suspect the former. Unfortunately I
am not knowledgeable regarding networking, so I'd appreciate any assistance you
could provide.
details:
I need to remotely (off the physical LAN) SSH into some firewalled compute
clusters to do environmental modeling (e.g., this[1]). Formerly I could do this
from my debian laptop using the cluster-provider-mandated F5VPN[2]. However,
access policy changed[3] (notably to require a single registered IP#), so I can
no longer do this "directly" (i.e., just running the F5VPN from my laptop). I
seek to adapt to the new policy (and resume work on my project) by implementing
a VPN tunnel "through" a debian linode. Design details here[4], but my design
can be roughly summarized with the following ASCII art (appropriately rendered
here[4]):
<-MY CONTROL                                         AGENCY CONTROLLED->
                                                      firewall
+----------+      +-----------+      +---------------+   |   +---------+
| laptop + |      | linode +  |      | remote-access |   |   | cluster |
| F5NAP +  | <--> | OpenVPN + | <--> | website +     | <-|-> | node(s) |
| OpenVPN  |      | security  |      | F5VPN         |   |   |         |
+----------+      +-----------+      +---------------+   |   +---------+
(Implementation details here[5]) The good news is, the following sequence
works: I can
1. start an OpenVPN server on the linode[6]
2. start an OpenVPN client on my laptop[7], after which
http://www.whatismyip.com shows the IP# of my linode (which is registered)
3. start the F5VPN client (an F5NAP'ed Firefox[8]), and from that still see my
linode's IP#.
4. using the F5VPN client, login to the agency's remote-access website, and
bring up the F5VPN's control UI (e.g., to start/stop/logout).
The bad news is[9], as soon as I start the F5VPN, and see status==Connected in
its web UI, I lose IP networking. I had originally thought this was just a DNS
problem, but I cannot even `ping` IP#s, e.g.,
$ ping -c 4 141.101.120.15 # == www.whatismyip.com
PING 141.101.120.15 (141.101.120.15) 56(84) bytes of data.
--- 141.101.120.15 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3022ms
(The only consolation here is that the network failure kills the tunnel, which
causes my client to regain its networking ... but also its access to the
registered IP#.)
I had thought that this problem was due to OpenVPN misconfiguration on my part,
but now suspect that I need to tweak my server firewall[10] (which is
`iptables`, running on Debian 7.8) in order to allow my OpenVPN configuration
to work. Unfortunately I don't know enough about IP/TCP/UDP/Linux/Debian
networking, so I'd appreciate assistance from someone more knowledgeable.
Apologies if this is a FAQ or LMGTFY, but my websearches have not found
anything that seems to match my use case. Pointers to docs or other
educational resources are also appreciated.
TIA, Tom Roche <[email protected]>
[1]: https://bitbucket.org/tlroche/aqmeii-na_n2o/wiki/Home
[2]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5vpn-only-access
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-aug-2014-policy-change
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[5]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-id6
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-test-server-startup
[7]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-test-client-startup
[8]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap
[9]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-network-problem
[10]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt
Archive: https://lists.debian.org/[email protected]
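One check worth running at the moment the F5 web UI shows status==Connected, added here as an example that is not part of the original post: snapshot the laptop's routing table (`ip route show`) before and after the second VPN comes up and diff the two, since a second client that installs its own default route on top of the first tunnel is one common way every outbound packet, ping included, stops leaving the host. The interface names (tun0 for OpenVPN, tap0 for the F5 client) and the sample route dumps are assumptions constructed for the example.

```sh
#!/bin/sh
# Added diagnostic (not from the original post): compare the laptop's routing
# table before and after the F5 client reports Connected. Interface names
# below (tun0 for OpenVPN, tap0 for the F5 client) are assumptions.

# route_diff BEFORE AFTER: print routes that appeared (+) or vanished (-),
# given two `ip route show` dumps passed as strings.
route_diff() {
  b=$(mktemp) && a=$(mktemp) || return 1
  printf '%s\n' "$1" | sort > "$b"
  printf '%s\n' "$2" | sort > "$a"
  comm -13 "$b" "$a" | sed 's/^/+ /'   # lines only in AFTER
  comm -23 "$b" "$a" | sed 's/^/- /'   # lines only in BEFORE
  rm -f "$a" "$b"
}

# count_default TABLE: number of default routes; more than one means the two
# VPN clients are competing for where all non-local traffic exits.
count_default() {
  printf '%s\n' "$1" | awk '$1 == "default" { n++ } END { print n + 0 }'
}

# default_devs TABLE: the interface(s) currently carrying a default route.
default_devs() {
  printf '%s\n' "$1" | awk '$1 == "default" {
    for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Constructed sample dumps: before, only the OpenVPN tunnel carries the
# default route; after, the F5 client has added a second one on tap0.
BEFORE='default via 10.8.0.5 dev tun0
10.8.0.0/24 via 10.8.0.5 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev wlan0'
AFTER="$BEFORE
default dev tap0 scope link metric 0"

# Live use: ip route show > before.txt; connect the F5 VPN;
# ip route show > after.txt; route_diff "$(cat before.txt)" "$(cat after.txt)"
echo "routes changed by the second VPN:"
route_diff "$BEFORE" "$AFTER"
echo "default routes after: $(count_default "$AFTER") on $(default_devs "$AFTER" | tr '\n' ' ')"
```

If the diff shows a new default route (or a 0.0.0.0/1 and 128.0.0.0/1 pair) on the F5 interface while the OpenVPN one is still present, that is the route conflict to resolve before looking at the server-side iptables rules.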