Re: OpenVPN problem.
Hi Simen.
Then 10.0.8.1 and 10.0.8.2 are allocated by the openvpn server, and on the client they are 10.0.8.6 and 10.0.8.5; they appear in ifconfig of tun0 on the client and server side in this form:

    10.0.8.1 - 10.0.8.2
    10.0.8.6 - 10.0.8.5

My purpose is to study VPN with openvpn, and I don't have a remote place for this setup, so I've reproduced a little reality.

Simen Stavdal wrote:
> Ciao Alessandro,
> [...]
> Also, on the server side routing table, you have the following:
>
>     192.168.7/24    10.0.8.2    UGS    0    175    -    8    tun0
>
> Where is 10.0.8.2? This is from the pool of client addresses, but does not exist anywhere?
> [...]
> Cheers, Simon.
Re: OpenVPN problem.
On Mon, Jan 25, 2010 at 5:45 AM, Alessandro Baggi alessandro.ba...@gmail.com wrote:
> Hi list!
> I'm setting up a vpn between two openbsd firewalls. This is the scenario:
>
>     FW1                       FW2
>     $ext   192.168.1.33       $ext    192.168.1.2
>     $int   10.1.1.1           $int    192.168.7.1
>     $host  10.1.3.53          $host2  192.168.7.2
>
> Then I've made the certificates; the client can contact the server, and from the client I can ping a Linux machine behind the server, and from the Linux machine to the client.
> Then I've tried to get communication with the LAN clients behind the VPN client gw.
> Then, 192.168.7.2 of FW2's VPN can communicate with 10.1.3.53, but not vice versa.

Are you permitting traffic from $host through the firewall? What's your pf.conf?

Have you verified that your firewalls pass other traffic normally?
Re: OpenVPN problem.
On Mon, Jan 25, 2010 at 10:05 AM, Alessandro Baggi alessandro.ba...@gmail.com wrote:
> Johan Beisser wrote:
> Hi Johan. Thanks for the answer.
> I've reduced my pf.conf on client and server side to:
>
>     ext=rl0
>     int=rl1
>     nat on $ext from $int:network -> $ext:0
>     nat on tun0 from $int:network -> tun0:0
>     pass all

What version of OpenBSD are you running?

> I can ping the entire server side LAN from the client LAN of the vpn client, but not vice versa.

Are you certain your packets are being natted properly?
Re: OpenVPN problem.
Johan Beisser wrote:
> On Mon, Jan 25, 2010 at 5:45 AM, Alessandro Baggi alessandro.ba...@gmail.com wrote:
> > [...]
> > Then, 192.168.7.2 of FW2's VPN can communicate with 10.1.3.53, but not vice versa.
>
> Are you permitting traffic from $host through the firewall? What's your pf.conf?
>
> Have you verified that your firewalls pass other traffic normally?

Hi Johan. Thanks for the answer.
I've reduced my pf.conf on client and server side to:

    ext=rl0
    int=rl1
    nat on $ext from $int:network -> $ext:0
    nat on tun0 from $int:network -> tun0:0
    pass all

I can ping the entire server side LAN from the client LAN of the vpn client, but not vice versa.
Re: OpenVPN problem.
Johan Beisser wrote:
> On Mon, Jan 25, 2010 at 10:05 AM, Alessandro Baggi alessandro.ba...@gmail.com wrote:
> > [...]
> > I've reduced my pf.conf on client and server side to:
> > [...]
>
> What version of OpenBSD are you running?
>
> > I can ping the entire server side LAN from the client LAN of the vpn client, but not vice versa.
>
> Are you certain your packets are being natted properly?

On the server side 4.5 updated to 4.6, and on the client side 4.6.
Packets from the server side network are natted; with tcpdump on tun0 I get

    10.0.8.1 > 192.168.7.2

but I don't receive an answer.
I can ping the client side (10.0.8.6) from the server (10.0.8.1).
I can ping and ssh to the server side (10.1.0.0/16) from 192.168.7.0/24.
Re: OpenVPN problem.
and... do you have the routing table for some of the hosts that can/cannot ping each other?
Are there other gateways out of the networks, other than the openvpn box?

S.

Alessandro Baggi wrote:
> [...]
> On the server side 4.5 updated to 4.6, and on the client side 4.6.
> Packets from the server side network are natted; with tcpdump on tun0 I get 10.0.8.1 > 192.168.7.2 but I don't receive an answer.
> I can ping the client side (10.0.8.6) from the server (10.0.8.1).
> I can ping and ssh to the server side (10.1.0.0/16) from 192.168.7.0/24.
Re: OpenVPN problem.
Simen Stavdal wrote:
> and... do you have the routing table for some of the hosts that can/cannot ping each other?
> Are there other gateways out of the networks, other than the openvpn box?
> S.

I'm trying openvpn in my internal network:

                    internet
                        |
                  primary node
                   192.168.1.1
                   /         \
               OBSD           OBSD 2
           192.168.1.33     192.168.1.2
           10.1.0.0/16      192.168.7.0/24
                |                |
                .                .
Re: OpenVPN problem.
Simen Stavdal wrote:
> Hello Alessandro,
> Can you see any of the traffic on the inside LAN on the client side with tcpdump? I.e. set tcpdump on $int with tcpdump -i nameofinternalinterface proto icmp and then try to ping from a server?
> Silly suggestion, but what about client side firewalls? Do they allow to be pinged?
> What is your server.conf file for openvpn and the client conf file?
> Simon.
> [...]

Hi Simon.
I've already tried this. I've put tcpdump also on the openvpn client on the tun0 interface, on rl0 (the internal interface), and on tun0 of the openvpn server side.
When I try to ping from the LAN on the client side, I get from the openvpn client tcpdump on tun0:

    10.0.8.6 > 10.1.3.53
    10.1.3.53 > 10.0.8.6

on the internal interface nothing, and on tun0 of the openvpn server the previous result.

When I ping from this network (10.1.0.0/16) to 192.168.7.0/24 I get a result from tcpdump only on the openvpn server, with the natted address:

    10.0.8.1 > 192.168.7.2: icmp: echo request
    10.0.8.1 > 192.168.7.2: icmp: echo request
    10.0.8.1 > 192.168.7.2: icmp: echo request

and so on...

These are my configuration files:

server.conf:
--
    proto udp
    port 1194
    dev tun0
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/192.168.1.33.crt
    key /etc/openvpn/private/192.168.1.33.key
    dh /etc/openvpn/dh1024.pem
    server 10.0.8.0 255.255.255.0
    keepalive 10 120
    comp-lzo
    user _openvpn
    group _openvpn
    daemon openvpn
    persist-key
    persist-tun
    client-config-dir ccd
    push "route 10.1.1.1 255.255.0.0"
    route 192.168.7.0 255.255.255.0
    status /var/openvpn/openvpn-status.log
    log-append /var/openvpn/openvpn.log
    verb 8

ccd/client:
--
    iroute 192.168.7.0 255.255.255.0

client.conf:
--
    client
    dev tun0
    proto udp
    remote 192.168.1.33 1194
    nobind
    user _openvpn
    group _openvpn
    persist-key
    persist-tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/client.crt
    key /etc/openvpn/private/client.key
    comp-lzo
    verb 8
    mute 20
    log-append /var/openvpn/openvpn.log

This is the routing table of the openvpn server:

    Destination         Gateway             Flags   Refs     Use    Mtu  Prio Iface
    default             192.168.1.1         UGS        2  145394      -     8 vr0
    10.0.8/24           10.0.8.2            UGS        0     206      -     8 tun0
    10.0.8.2            10.0.8.1            UH         3       0      -     4 tun0
    10.1/16             link#1              UC         3       0      -     4 rl0
    10.1/16             10.0.8.2            UGS        0       0      -     8 tun0
    10.1.3.53           00:1d:60:ec:a5:14   UHLc       2   10834      -     4 rl0
    192.168.7/24        10.0.8.2            UGS        0     175      -     8 tun0
    loopback            localhost           UGRS       0       0  33200     8 lo0
    localhost           localhost           UH         1       0  33200     4 lo0
    192.168.1/24        link#3              UC         2       0      -     4 vr0
    192.168.1.1         00:13:49:cb:fa:75   UHLc       1       0      -     4 vr0
    192.168.1.2         00:19:66:65:53:1c   UHLc       1    1158      -     4 vr0
    BASE-ADDRESS.MCAST  localhost           URS        0       0  33200     8 lo0

This is the routing table of the openvpn client:

    Destination         Gateway             Flags   Refs     Use    Mtu  Prio Iface
    default             192.168.1.1         UGS        1     141      -     8 re0
    10.0.8.1/32         10.0.8.5            UGS        0       0      -     8 tun0
    10.0.8.5            10.0.8.6            UH         2       0      -     4 tun0
    10.1/16             10.0.8.5            UGS        1     105      -     8 tun0
    192.168.7/24        link#2              UC         1       0      -     4 rl0
    192.168.7.2         00:1f:c6:7e:35:75   UHLc       0       2      -     4 rl0
    loopback            localhost           UGRS       0       0  33200     8 lo0
    localhost           localhost           UH         1       0  33200     4 lo0
    192.168.1/24        link#1              UC         2       0      -     4 re0
    192.168.1.1
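To read the two routing tables above the way the kernels do, here is an added example (editor's code, not from the thread or from OpenBSD/OpenVPN) that parses OpenBSD's abbreviated netstat -rn notation ("10.1/16", "default", bare host addresses) and performs a longest-prefix-match lookup for the ping targets discussed in the thread. The rows are transcribed from the two tables above as constructed input, with the symbolic loopback and multicast rows left out; the column order (Prio second from last) is assumed from the OpenBSD 4.6 netstat layout, and on equal prefix length the lower Prio value is taken to win, as OpenBSD does for the two 10.1/16 entries on the server.

```python
import ipaddress

# Rows transcribed from the server and client tables posted above (constructed input
# for this example; symbolic rows such as "loopback" and BASE-ADDRESS.MCAST omitted).
SERVER_TABLE = """\
default        192.168.1.1        UGS  2 145394 - 8 vr0
10.0.8/24      10.0.8.2           UGS  0    206 - 8 tun0
10.0.8.2       10.0.8.1           UH   3      0 - 4 tun0
10.1/16        link#1             UC   3      0 - 4 rl0
10.1/16        10.0.8.2           UGS  0      0 - 8 tun0
10.1.3.53      00:1d:60:ec:a5:14  UHLc 2  10834 - 4 rl0
192.168.7/24   10.0.8.2           UGS  0    175 - 8 tun0
192.168.1/24   link#3             UC   2      0 - 4 vr0
"""
CLIENT_TABLE = """\
default        192.168.1.1        UGS  1    141 - 8 re0
10.0.8.1/32    10.0.8.5           UGS  0      0 - 8 tun0
10.0.8.5       10.0.8.6           UH   2      0 - 4 tun0
10.1/16        10.0.8.5           UGS  1    105 - 8 tun0
192.168.7/24   link#2             UC   1      0 - 4 rl0
192.168.7.2    00:1f:c6:7e:35:75  UHLc 0      2 - 4 rl0
192.168.1/24   link#1             UC   2      0 - 4 re0
"""


def parse_destination(dest):
    """Expand OpenBSD's abbreviated destination column into an IPv4 network:
    'default' -> 0.0.0.0/0, '10.1/16' -> 10.1.0.0/16, '10.0.8.2' -> 10.0.8.2/32."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in dest:
        addr, plen = dest.split("/")
        plen = int(plen)
    else:
        addr, plen = dest, 32          # no mask shown means a host route
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # pad "10.1" out to "10.1.0.0"
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False)


def parse_table(text):
    """Return (network, gateway, flags, prio, iface) tuples; rows whose
    destination is not numeric (loopback etc.) are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        try:
            net = parse_destination(fields[0])
        except ValueError:
            continue
        routes.append((net, fields[1], fields[2], int(fields[-2]), fields[-1]))
    return routes


def lookup(routes, ip):
    """Longest-prefix match; among equal prefix lengths the lower Prio wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gw, flags, prio, iface in routes:
        if addr in net:
            key = (net.prefixlen, -prio)
            if best is None or key > best[0]:
                best = (key, gw, flags, iface)
    if best is None:
        return None
    _, gw, flags, iface = best
    return {"gateway": gw, "flags": flags, "iface": iface}


def describe(table_text, ip):
    r = lookup(parse_table(table_text), ip)
    return f"{ip}: via {r['gateway']} on {r['iface']} ({r['flags']})" if r else f"{ip}: no route"


if __name__ == "__main__":
    # The targets the thread pings in each direction.
    print("server ->", describe(SERVER_TABLE, "192.168.7.2"))  # far LAN host
    print("server ->", describe(SERVER_TABLE, "10.0.8.6"))     # client's tun address
    print("client ->", describe(CLIENT_TABLE, "10.1.3.53"))    # far LAN host
    print("client ->", describe(CLIENT_TABLE, "10.0.8.1"))     # server's tun address
```

Both kernels resolve the far LAN onto tun0 (the server sends 192.168.7.2 via 10.0.8.2, the client sends 10.1.3.53 via 10.0.8.5), which matches the thread's tcpdump: the server does hand the echo request to tun0. Once a packet is inside tun0, which connected client it is delivered to is decided by the OpenVPN daemon's own per-client routing (the iroute in the ccd file), not by the kernel table, so that is the next place to look when the kernel lookups are consistent on both sides.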
Re: OpenVPN problem.
Hello Alessandro,

Can you see any of the traffic on the inside LAN on the client side with tcpdump? I.e. set tcpdump on $int with

    tcpdump -i nameofinternalinterface proto icmp

and then try to ping from a server?

Silly suggestion, but what about client side firewalls? Do they allow to be pinged?

What is your server.conf file for openvpn and the client conf file?

Simon.

Alessandro Baggi wrote:
> Johan Beisser wrote:
> > [...]
> > Are you permitting traffic from $host through the firewall? What's your pf.conf?
> > Have you verified that your firewalls pass other traffic normally?
>
> Hi Johan. Thanks for the answer.
> I've reduced my pf.conf on client and server side to:
> [...]
> I can ping the entire server side LAN from the client LAN of the vpn client, but not vice versa.
Re: OpenVPN problem.
Ciao Alessandro,

So, from the server, the client gets allocated 10.0.8.5/32 (btw, probably a minor thing, but in your server conf file you have a mismatch on the host/mask when you push the routes: it reads push route 10.1.1.1 255.255.0.0 while it should read 10.1.0.0). It doesn't seem to bother the client too much, but it might be worth a try to correct it.

Also, on the server side routing table, you have the following:

    192.168.7/24    10.0.8.2    UGS    0    175    -    8    tun0

Where is 10.0.8.2? This is from the pool of client addresses, but does not exist anywhere?

You also have some route statements in your server conf file, like this one:

    route 192.168.7.0 255.255.255.0

It doesn't have a gateway, and is not locally connected. This tells the client host to route 192.168.7.0 to nowhere (even though it is locally connected on the client side).

On my config, the client side routing table looks like this (windows host):

    Network Destination    Netmask            Gateway        Interface      Metric
    10.10.177.0            255.255.255.0      10.10.177.5    10.10.177.6         1
    10.10.177.4            255.255.255.252    10.10.177.6    10.10.177.6        30

Also, the two hosts are not connected with public addresses; can I ask why you want to use NAT between two RFC1918 networks that don't overlap?

I am trying to understand your objective and the purpose of the setup; maybe there is a different way of setting it up?

Cheers, Simon.

Alessandro Baggi wrote:
> Simen Stavdal wrote:
> > and... do you have the routing table for some of the hosts that can/cannot ping each other?
> > Are there other gateways out of the networks, other than the openvpn box?
> > S.
>
> I'm trying openvpn in my internal network:
> [...]
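The host/mask mismatch Simen spots in push route 10.1.1.1 255.255.0.0 is easy to miss by eye, and the route/iroute pairing between server.conf and the ccd file is another place where a site-to-site OpenVPN setup silently fails. The following is an added example, editor's code rather than anything from the thread or the OpenVPN project: a small consistency check that reads the server.conf and ccd/client contents posted earlier in this thread (embedded inline here as constructed input, trimmed to the routing-relevant directives) and reports (a) any route, push "route" or iroute whose address has host bits set under its mask, and (b) any subnet that has a route in server.conf without an iroute in a ccd file, or vice versa. The requirement that both directives be present for a subnet behind a client is OpenVPN's documented behaviour; the function names are the editor's.

```python
import ipaddress
import shlex

# server.conf as posted in the thread, reduced to the lines that matter here (constructed input).
SERVER_CONF = """\
proto udp
port 1194
dev tun0
server 10.0.8.0 255.255.255.0
client-config-dir ccd
push "route 10.1.1.1 255.255.0.0"
route 192.168.7.0 255.255.255.0
"""
# ccd files keyed by file name; in a real deployment the file name must equal the
# client certificate's common name or OpenVPN never applies it (constructed input).
CCD_FILES = {
    "client": "iroute 192.168.7.0 255.255.255.0\n",
}


def parse_directives(text):
    """Return (directive, args) tuples. A push "..." body is split into its own words,
    e.g. push "route 10.1.1.1 255.255.0.0" -> ("push", ["route", "10.1.1.1", "255.255.0.0"])."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # OpenVPN comments start with '#'
        if not line:
            continue
        words = shlex.split(line)
        if words[0] == "push" and len(words) == 2:
            out.append(("push", words[1].split()))
        else:
            out.append((words[0], words[1:]))
    return out


def network_of(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_routes(server_conf, ccd_files):
    """Return human-readable findings about route / push route / iroute consistency."""
    findings = []
    routes, iroutes = {}, {}

    def checked_network(where, addr, mask):
        net = network_of(addr, mask)
        if str(net.network_address) != addr:
            findings.append(f"{where}: {addr} {mask} has host bits set; "
                            f"the network for that mask is {net.network_address} {mask}")
        return net

    for directive, args in parse_directives(server_conf):
        if directive == "route" and len(args) >= 2:
            routes[checked_network("server.conf route", args[0], args[1])] = args
        elif directive == "push" and args[:1] == ["route"] and len(args) >= 3:
            checked_network('server.conf push "route"', args[1], args[2])

    for name, text in ccd_files.items():
        for directive, args in parse_directives(text):
            if directive == "iroute" and len(args) >= 2:
                iroutes[checked_network(f"ccd/{name} iroute", args[0], args[1])] = name

    # 'route' puts the subnet into the server kernel's table pointing at the tunnel;
    # 'iroute' tells the daemon which connected client owns it. One without the
    # other means packets for that subnet are dropped somewhere along the way.
    for net in routes.keys() - iroutes.keys():
        findings.append(f"server.conf routes {net} into the tunnel but no ccd file claims it with iroute")
    for net, name in iroutes.items():
        if net not in routes:
            findings.append(f"ccd/{name} claims {net} with iroute but server.conf has no matching route")
    return findings


if __name__ == "__main__":
    for finding in check_routes(SERVER_CONF, CCD_FILES):
        print("-", finding)
```

Run against the thread's configuration it reports only the pushed route (10.1.1.1 under 255.255.0.0 is the network 10.1.0.0); the route for 192.168.7.0/24 and the iroute in ccd/client do pair up. Whether the file name ccd/client actually matches the client certificate's common name cannot be checked from the config text alone, which is why the comment above calls it out.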