Topic: site-to-site OpenVPN problem

EricBaenen

site-to-site OpenVPN problem
« on: February 11, 2008, 06:21:20 pm »
Hello,

As a new eBox user - my emphatic compliments to the development team - eBox is an incredible package!

For my problem -- I have set up the following test configuration.   Any advice would be most appreciated.

following http://www.ebox-platform.com/usersguide/en/html-chunk/ch17s02.html

four hosts with ethernet cross-over cables between them

client A1 -> 192.168.1.2

'lan A' -> 192.168.1.0/255.255.255.0

ebox 0.11.2 server A
ebox lan A port -> 192.168.1.1
ebox openvpn server - Allow eBox to eBox tunnels is checked
ebox openvpn address pool -> 192.168.2.0/255.255.255.0
ebox openvpn advertised network -> 192.168.1.0/255.255.255.0
ebox wan port -> 192.168.3.2

ebox 0.11.2 server B
ebox wan port -> 192.168.3.3
ebox openvpn client with certificates and keys from ebox A
ebox openvpn client points to 192.168.3.2 for its openvpn server
ebox lan B port -> 192.168.4.1

'lan B' -> 192.168.4.0/255.255.255.0

client B1 -> 192.168.4.2

client A1 can ping ebox server A and the wan port of ebox server B
client B1 can ping ebox server B and the wan port of ebox server A
ebox server A can ping client A1 and the wan port of ebox server B
ebox server B can ping client B1 and the wan port of ebox server A

in the OpenVPN logs of ebox server A - ebox server B appears to connect and authenticate correctly to ebox server A - however...

client A1 cannot ping client B1
client B1 cannot ping client A1
ebox server A cannot ping client B1
ebox server B cannot ping client A1

Do I need to set up any firewall rules to allow traffic from the 192.168.2.* virtual address space to talk to hosts in the 192.168.1.* address space?

Do I need to set up any firewall rules to allow traffic from the 192.168.1.* address space to talk to hosts in the 192.168.4.* address space?

Does anything get logged when host B1 would access resources in lan A?

Does anything get logged when host A1 would access resources in lan B?

From the documentation it would appear host B1 should be able to see any resource in the advertised lan A - however, should host A1 be able to see any resource in lan B?

Thank you very much for any advice you can offer.

Eric

snypher

Re: site-to-site OpenVPN problem
« Reply #1 on: February 15, 2008, 10:32:59 pm »
Hello Eric, unfortunately I don't have the answers to your questions; however, I think I will have these same doubts in the future, because I'm going to set up the same scenario at my work.

Currently I have configured the OpenVPN "road warriors" scheme as described here:

http://ebox-platform.com/usersguide/en/html/ebox-userguide-book.html#sect-roadwarrior

Initially I want to test this scenario, but I can't configure my client machine, which is located outside the LAN where my eBox server resides. The description of this machine and the scenario is as follows:

Ebox OpenVPN server
ebox 0.11.2
ebox LAN interface => 192.168.3.102
ebox WAN interface => 192.168.1.20
ebox openvpn network => 192.168.13.0/24
ebox advertised network => 192.168.3.0/24

OpenVPN Client
Ubuntu 7.04
LAN interface => 192.168.1.3
Network Manager Program => NetworkManager 0.6.4
VPN Client Manager Program => NetworkManager 0.6.4 (with VPN plugin for openvpn)

On the eBox server I created two certificates: one for the server and one for the client.

I configured OpenVPN on the client machine with the VPN plugin of the NetworkManager application, using the certificates and keys that I downloaded from the eBox server. I did not use exactly the same OpenVPN configuration file that I downloaded from the eBox server, because the NetworkManager application doesn't import this type of file, so I used the options and data defined in that file to create my own NetworkManager VPN profile.

When I try to activate this profile and connect to the VPN, I get these log messages in the syslog file (/var/log/syslog):

Feb 15 16:36:23 coral03 NetworkManager: <information>^IWill activate VPN connection 'VPN Coral - Sede Las Acacias (Caracas - cs3)', service 'org.freedesktop.NetworkManager.openvpn', user_name 'kzambrano', vpn_data 'connection-type / x509 / dev / tap / remote / 192.168.1.20 / port / 1194 / proto / tcp-client / ca / /home/kzambrano/vpn coral/configuracion/svpn-client-linux/cacert.pem / cert / /home/kzambrano/vpn coral/configuracion/svpn-client-linux/141D3FA01AACAAF7.pem / key / /home/kzambrano/vpn coral/configuracion/svpn-client-linux/coral03.coralvision.int.pem / comp-lzo / yes / shared-key /  / local-ip /  / remote-ip /  / username / ', route ''.

Feb 15 16:36:23 coral03 NetworkManager: <WARNING>^I nm_vpn_manager_activate_vpn_connection (): nm_vpn_manager_activate_vpn_connection(): no currently active network device, won't activate VPN.

I reviewed the OpenVPN log file on the eBox server but did not see anything strange; therefore I think it is a problem with the VPN client configuration.

My questions are:

  • How must I configure the VPN client, or how did you do it?
  • What other program could I use to configure the VPN client, or what did you use?

Thank you very much for any advice you can offer.
Kevin Josue Zambrano Chavez

Linux Counter #395394 -> http://counter.li.org/

If the basis of society is helping others, why say no to the freedom to modify and share software? (Richard Stallman)

Imagination is more important than knowledge (Albert Einstein)

snypher

Re: site-to-site OpenVPN problem
« Reply #2 on: February 25, 2008, 04:38:09 am »
Problem resolved in the client-to-site OpenVPN environment. The NetworkManager OpenVPN plugin has problems with wireless cards, so I had to use the standard OpenVPN configuration (copy the files to /etc/openvpn).

Soon I'm going to test the site-to-site configuration.
Kevin Josue Zambrano Chavez


EricBaenen

Re: site-to-site OpenVPN problem
« Reply #3 on: March 06, 2008, 07:41:24 pm »
Still having trouble with site-to-site OpenVPN connections - I also posted this to the email list...

I think I am following all the docs and forum post suggestions, but I just can't seem to get site-to-site OpenVPN connections to work. I have a feeling I'm missing something obvious (or doing something really stupid).

Here is my test setup - four machines...

System A
- Ubuntu 7.10
- IP: 192.168.2.2
- Gateway: 192.168.2.1

System B
- eBox 0.11.99
- Int IP: 192.168.2.1
- Ext IP: 192.168.4.2
- DHCP running - serving: 192.168.2.2 - 192.168.2.10
- OpenVPN service running and active
- CA established
- certificates generated for self and system C
- VPN network address: 192.168.3.0
- VPN network netmask: 255.255.255.0
- OpenVPN network advertised: 192.168.2.0/255.255.255.0
- Protocol: TCP
- Port: 1194
- Client authorization by common name: disabled
- Allow eBox-to-eBox tunnels: checked
- Allow client-to-client connections: not checked
- OpenVPN Interface: eth1 (external - 192.168.4.2)

System C
- eBox 0.11.99
- Ext IP: 192.168.4.3
- Int IP: 192.168.5.1
- DHCP running - serving: 192.168.5.2 - 192.168.5.10
- OpenVPN service running and active
- OpenVPN client config
- OpenVPN server address: 192.168.4.2
- OpenVPN server protocol: TCP
- OpenVPN port: 1194
- CA certificate set to that from system B
- Client certificate set to that generated from system B
- Client private key set to that generated from system B

System D
- Ubuntu 7.10
- IP: 192.168.5.2
- Gateway: 192.168.5.1

In the OpenVPN logs on system B I get
Event: Client connection initiated
Daemon: SystemB
Type: server
Remote IP: 192.168.4.3
Remote Certificate: systemc.testdomain.net

System A can ping 192.168.2.1 (eBox B int)
System A can ping 192.168.4.2 (eBox B ext)
System A can ping 192.168.4.3 (eBox C ext)
System A cannot ping 192.168.5.1 (eBox C int) (Destination Host Unreachable)
System A cannot ping 192.168.5.2 (System D) (Destination Host Unreachable)

System D can ping 192.168.5.1 (eBox C int)
System D can ping 192.168.4.3 (eBox C ext)
System D can ping 192.168.4.2 (eBox B ext)
System D cannot ping 192.168.2.1 (eBox B int) (Packets just dropped - no error message)
System D cannot ping 192.168.2.2 (System A) (Packets just dropped - no error message)

There are no firewall rules set in any section.

Do I need to create a firewall rule on eBox B to allow traffic from 192.168.3.0/24 to 192.168.2.0/24?
Do I need to create a firewall rule on eBox B to allow traffic from 192.168.2.0/24 to 192.168.3.0/24?
Do I need to create a firewall rule on eBox B to allow traffic from 192.168.2.0/24 to 192.168.5.0/24?
Do I need to create a firewall rule on eBox B to allow traffic from 192.168.3.0/24 to 192.168.5.0/24?
Do I need to create a firewall rule on eBox C to allow traffic from 192.168.5.0/24 to 192.168.2.0/24?
Do I need to create a firewall rule on eBox C to allow traffic from 192.168.5.0/24 to 192.168.3.0/24?

Everything seems like it should work - but it doesn't.  Any suggestions would be greatly appreciated.

If I can get this to work - if there is a way, I would like to volunteer to help improve the documentation - particularly the section on OpenVPN and CA.  The documentation doesn't appear to be set up as a wiki so not sure how to submit changes or updates.

Thanks,

Eric

EricBaenen

Re: site-to-site OpenVPN problem
« Reply #4 on: March 07, 2008, 08:24:08 pm »
Ok, it's still not working but here is my new config...

System A
- Ubuntu 7.10
- IP: 192.168.2.2
- Gateway: 192.168.2.1

System B
- eBox 0.11.99
- Int IP: 192.168.2.1
- Ext IP: 192.168.4.2
- DHCP running - serving: 192.168.2.2 - 192.168.2.10
- OpenVPN service running and active
- CA established
- certificates generated for self and system C
- VPN network address: 192.168.3.0
- VPN network netmask: 255.255.255.0
- OpenVPN network advertised: 192.168.2.0/255.255.255.0
- Protocol: TCP
- Port: 1194
- Client authorization by common name: disabled
- Allow eBox-to-eBox tunnels: checked
- Allow client-to-client connections: not checked
- OpenVPN Interface: eth1 (external - 192.168.4.2)
- OpenVPN client config
- OpenVPN server address: 192.168.4.3
- OpenVPN server protocol: TCP
- OpenVPN port: 1194
- CA certificate set to that from system C
- Client certificate set to that generated from system C
- Client private key set to that generated from system C
- Firewall rules
-- in Filtering rules from internal networks to eBox
--- default rules
-- in Filtering rules for internal networks
--- allow any service from 192.168.2.0/24 to any address
--- allow any service from 192.168.3.0/24 to 192.168.2.0/24
--- allow any service from 192.168.5.0/24 to 192.168.2.0/24
-- in Filtering rules for traffic coming out from eBox
--- no rules
-- in Filtering rules from external networks to eBox
--- no rules
-- in Filtering rules from external networks to internal networks
--- no rules

System C
- eBox 0.11.99
- Ext IP: 192.168.4.3
- Int IP: 192.168.5.1
- DHCP running - serving: 192.168.5.2 - 192.168.5.10
- OpenVPN service running and active
- CA established
- certificates generated for self and system B
- VPN network address: 192.168.6.0
- VPN network netmask: 255.255.255.0
- OpenVPN network advertised: 192.168.5.0/255.255.255.0
- Protocol: TCP
- Port: 1194
- Client authorization by common name: disabled
- Allow eBox-to-eBox tunnels: checked
- Allow client-to-client connections: not checked
- OpenVPN Interface: eth1 (external - 192.168.4.3)
- OpenVPN client config
- OpenVPN server address: 192.168.4.2
- OpenVPN server protocol: TCP
- OpenVPN port: 1194
- CA certificate set to that from system B
- Client certificate set to that generated from system B
- Client private key set to that generated from system B
- Firewall rules
-- in Filtering rules from internal networks to eBox
--- default rules
-- in Filtering rules for internal networks
--- allow any service from 192.168.5.0/24 to any address
--- allow any service from 192.168.6.0/24 to 192.168.5.0/24
--- allow any service from 192.168.2.0/24 to 192.168.5.0/24
-- in Filtering rules for traffic coming out from eBox
--- no rules
-- in Filtering rules from external networks to eBox
--- no rules
-- in Filtering rules from external networks to internal networks
--- no rules

System D
- Ubuntu 7.10
- IP: 192.168.5.2
- Gateway: 192.168.5.1
 
In the OpenVPN logs on system B I get

Event: Client connection initiated
Type: server
Remote IP: 192.168.4.3

In the OpenVPN logs on system C I get

Event: Client connection initiated
Type: server
Remote IP: 192.168.4.2

Event: Connection to server initiated
Type: client
Remote IP: 192.168.4.2

Event: Initialization sequence completed
Type: client

System A can ping 192.168.2.1 (eBox B int)
System A can ping 192.168.4.2 (eBox B ext)
System A can ping 192.168.4.3 (eBox C ext)
System A cannot ping 192.168.5.1 (eBox C int) (Packets just dropped - no error message)
System A cannot ping 192.168.5.2 (System D) (Packets just dropped - no error message)
 
System D can ping 192.168.5.1 (eBox C int)
System D can ping 192.168.4.3 (eBox C ext)
System D can ping 192.168.4.2 (eBox B ext)
System D cannot ping 192.168.2.1 (eBox B int) (Packets just dropped - no error message)
System D cannot ping 192.168.2.2 (System A) (Packets just dropped - no error message)
 

> hi!
>
> I did a site-to-site test and it works fine. The only difference between my
> configuration and yours is that:
>
> 1) I configured system B as the OpenVPN server and as an OpenVPN client of
> system C.
>
> 2) I configured system C as the OpenVPN server and as an OpenVPN client of
> system B