Author Topic: Zentyal-to-Zentyal tunnel connecting 2 LAN's  (Read 8268 times)

jbo5112

  • Zen Apprentice
  • *
  • Posts: 17
  • Karma: +1/-0
    • View Profile
Zentyal-to-Zentyal tunnel connecting 2 LAN's
« on: April 13, 2013, 11:55:52 pm »
I'm trying to run a Zentyal-to-Zentyal tunnel that will connect two different LAN's, where both Zentyal servers (v3.0 & v2.2) are acting as routers.  The tunnel is up and running, and the Zentyal servers can talk to each other just fine.  However, they do not route the LAN traffic across the tunnel.  The Zentyal server running v2.2 is at our data center, and hosting the VPN.  The v3.0 server is at a software development office, and runs a client.  I can only get it half-way working.

Server 1 (data center - Zentyal 2.2)
LAN IP: 192.168.1.1
VPN IP: 192.168.250.1
Advertised network: 192.168.1.0/24

Server 2 (dev office - Zentyal 3.0)
LAN IP: 192.168.2.1
VPN IP: 192.168.250.2

I've added the code to the firewall.postservice hook on each of the services.
Code: [Select]
iptables -t nat -A POSTROUTING -o <vpn-interface> -j MASQUERADE
The 192.168.1.x network can ping anything on the 192.168.2.x network, including Server 2's ip address for another VPN (192.168.122.1).  Server 2 can ping anything on the 192.168.1.x network.  Anything on the 192.168.2.x network can ping 192.168.250.1, but not the 192.168.1.x network.  If I disable the rule on Server 1 and reboot the server, then computers on 192.168.2.x can ping servers on the 192.168.1.x network, but it obviously disables the 192.168.1.x network pinging servers on the 192.168.2.x network, except I think Server 1 itself can ping 192.168.2.x.  Just deleting the rule or restarting the firewall doesn't seem to work.  I think restarting the VPN on Server 1 might fix it, once the rule is removed, but I don't remember.  I'd like to get this sorted out so I can sync a demo and development database.

*updated Server information*
« Last Edit: April 16, 2013, 12:03:01 am by jbo5112 »

christian

  • Guest
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #1 on: April 14, 2013, 06:24:17 am »
Perhaps a stupid question but I don't understand why you want VPN network to be able to ping LANs.
What does it bring in term of feature?

Another stupid question: have you advertised what you intend to reach ?

Sam Graf

  • Guest
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #2 on: April 14, 2013, 04:03:37 pm »
As a side note, it might be interesting some day to see how the Zentyal community understands and uses (or at least tries to use) Zentyal's VPN services--as a server-client network or as a peer-to-peer network, and why.

christian

  • Guest
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #3 on: April 14, 2013, 04:55:11 pm »
I suppose both are used.

I've set-up some month ago full test-bed made of 3 Zentyal servers (2.x) for IRC use (and also forum member) wiling to connect via internet 2 remote locations to central location in order to get rid of satellite based leased lines.

Zentyal to Zentyal VPN was the obvious answer to his problem.

Building test-bed locally and having it working was quite easy but then explaining how to reproduce this in real life with remote deployment to admin not getting all concepts clear in mind appeared to be much more challenging.  :-X

Sam Graf

  • Guest
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #4 on: April 14, 2013, 07:54:00 pm »
I suppose both are used.

I suppose the same thing. But after reading posts over the years I find myself not always understanding what people are trying to accomplish across a VPN. Some of the things I don't understand are surely out of my ignorance of such things, and some I was not able to get to work (again, maybe because of my ignorance) as a learning experience.

For my part I always thought of VPN along the lines of a client-server model--accessing centrally located services remotely and administrating remote devices centrally. After reading this topic and not understanding the goal, I thought once again about the fact that people must view VPN itself differently.

christian

  • Guest
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #5 on: April 14, 2013, 09:07:49 pm »
You perhaps react also to my question to jbo5112: "What does it bring in term of feature?"

I often refrain myself to ask such question, not only with VPN but also other services while reading some posts here as I've the feeling that some users are trying to implement services for which they do not really understand what it brings or what it is supposed to bring.

Like you, I see VPN as a kind of, "client-server" aiming to extend your LAN over potentially insecure line by building secure tunnel.
So this is "many-to-one" service.
Zentyal to Zentyal tunnel makes no exception as one Zentyal is acting as server while the other is acting as client. This is perhaps not always understood, especially because there is no mechanism populating routing table over you extended LAN. As a result, VPN server side is known from VPN client side but the opposite is not true unless you advertise this client network.

To be noticed that this only works if Zentyal server, VPN server side, is either de default route for devices on the LAN or if specific route "through Zentyal server" is published.

With above explanation, I don't see where there is e need to check connectivity from VPN segment itself to either server side LAN or client side LAN, therefore my question to jbo5112

jbo5112

  • Zen Apprentice
  • *
  • Posts: 17
  • Karma: +1/-0
    • View Profile
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #6 on: April 15, 2013, 06:01:20 pm »
I have servers at our data center that I need to access from the development office.  I also have servers at the development office that need to be accessible from the data center, though not quite as urgent.  It would also be nice if, at some later point (should we grow), a second development office could be added to the mix, where everyone can see each other.  Enabling this would allow any server or workstation to run a service that is listening for a remote connection from any location for things like file transfers, syncing mostly read-only databases, git pushes/pulls, etc..  It may not be the most professional, enterprise setup, but with a small, trusted development group and slow upload speeds at remote offices, it seems an easy and reliable way to keep everything up to date, including a live demo of our development efforts.

The data center, acting as host, has its network listed as advertised, client-to-client connections are on, Zentyal-toZentyal tunnels are on, and I've tried both settings for NAT.  The client does not have any configuration that I can find for advertising a network.  Once the tunnel is running, the two Zentyal servers could connect to anything on the remote LAN, without any hooks, but as for the other servers and workstations, they could only talk to their own LAN and addresses on the VPN (the remote and local Zentyal servers).  I can only see a limited use for this configuration, and I cannot imagine that this was the intended purpose of a Zentyal-to-Zentyal VPN.

I was expecting to run a standard VPN server on both Zentyal machines and making each of them a client for the other VPN.  I think I even untarred a standard Linux client bundle on the office router, without it being noticed by Zentyal's OpenVPN.  Seeing an option for a Zentyal-to-Zentyal tunnel, my expectation is it would make the two networks operate like connected peers (i.e. automatically route/NAT traffic between them).

Sam Graf

  • Guest
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #7 on: April 15, 2013, 06:28:11 pm »
Seeing an option for a Zentyal-to-Zentyal tunnel, my expectation is it would make the two networks operate like connected peers (i.e. automatically route/NAT traffic between them).

Exactly the kind of observation I think it would be helpful to collect in a more organized way if only because it would help us as a community to understand user expectations better. We're not all on the same page when it comes to VPN for a variety of reasons (including choice of the underlying technology). Even small businesses aren't all cast from the same mold, so needs and expectations will differ.

Better yet, hopefully a more robust community understanding of both the technologies involved and the expectations of administrators will yield better community support and better feature suggestions. Thank you for taking the time to fill insome of the details. :)

christian

  • Guest
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #8 on: April 15, 2013, 06:47:31 pm »
I was expecting to run a standard VPN server on both Zentyal machines and making each of them a client for the other VPN.  .../...  Seeing an option for a Zentyal-to-Zentyal tunnel, my expectation is it would make the two networks operate like connected peers (i.e. automatically route/NAT traffic between them).

Sure but if you read carefully this documentation, you will notice:

Quote
When the connection is complete, the host with the server role has access to all routes of the client hosts through the VPN. However, the hosts with client roles will only have access to those routes the server has explicitly advertised.

which means that it doesn't provide exact peer-to-peer (in term of routing).
Notice I'm not saying you can't achieve it but you do need to advertise what you want to reach.

While writing this, I'm wondering if it makes sense to configure on each Zentyal (meaning on each side) one VPN server and one VPN client...  ::)
I'll try to play with this in order to improve my understanding.

jbo5112

  • Zen Apprentice
  • *
  • Posts: 17
  • Karma: +1/-0
    • View Profile
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #9 on: April 16, 2013, 12:31:22 am »
Glad I could help, Sam Graf.

I'm looking at two copies of the documentation, both with and without the section you quoted Christian.  The first few times I opened the page, it cut off before the section on "Configuration of a VPN server for interconnecting networks", but I'm looking at it now.  I'm pretty sure the two hosts are behaving just like you said in the quote.  I'm able to give each Zentyal Server secure remote access to a remote LAN.  However, "The goal is to connect multiple offices, their Zentyal servers and their internal networks so that one, single network infrastructure can be created in a secure way and through Internet."  The documentation in version 2.2 stated:  "The goal is to connect the client 1 on the LAN 1 with client 2 on the LAN 2 as if they were in the same local network."  Their instructions are rather similar

Using the networking image from the 2.2 documentation to help explain my situation:


Client 1 can connect to any service on LAN 1, ZENTYAL OpenVPN Server, or ZENTYAL OpenVPN Client (via the Zentyal-to-Zentyal VPN IP address), but client 1 cannot connect to client 2.
Client 2 can connect to any service on LAN 2, ZENTYAL OpenVPN Client, or ZENTYAL OpenVPN Server (via the Zentyal-to-Zentyal VPN IP address), but client 2 cannot connect to client 1.
ZENTYAL OpenVPN Server and Client can both access anything pictured.

I have the proper LAN advertised by the OpenVPN server, and I updated the configuration in my first post to reflect that.  I can also apply extra hooks into Zentyal that fixes the problem for either client 1 or client 2, but not for both at the same time (probably my lack of knowledge).  However, it sounds like this should be done automatically.  Left alone, the VPN doesn't connect client 1 to client 2.

Am I misunderstanding the Zentyal-to-Zentyal tunnel?  Are only the Zentyal machines supposed to see both clients, and the two client computers (client 1 & client 2) not talk to each other?  I had to manually reconfigure the Zentyal 2.2 machine to push DHCP options for DNS and domain (via a customized copy of openvpn.conf.mas in /etc/zentyal/stubs/openvpn/openvpn.conf.mas), which I seem to only be able to apply to all VPN's, but that shouldn't affect anything, especially since I'm using IP addresses for testing.  Could my problem be a bug in Zentyal 2.2, where I should upgrade ASAP and ignore the problem until then?

christian

  • Guest
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #10 on: April 16, 2013, 01:56:55 am »
Zentyal to Zentyal documentation in V 3.0 section was not previously published. It has been fixed yesterday, reason why, except if you refreshed cache, it didn't appeared first.

Anyway, to me documentation is clear enough: such design aims at permitting devices on LAN 2 to access devices on LAN 1, no need for any hook and if it doesn't work (of course with the right settings) then there is a bug to be reported.
If you also want devices on LAN 1 to be able to reach devices on LAN 2, then special setting is needed (advertising)

In term of feature, again, documentation is clear, at least from my standpoint  ::)

Because of this, I suggest we focus on the technical aspect and instigation steps to identify what works for you and what doesn't (without introducing any hook and workaround) so that you can:
- report a bug if there is one
- find solution fitting your needs

I would like, before we drill down, clarify 2 more aspects that may lead to some confusion:
- for what I tested some moth ago, Zentyal server-to-server VPN doesn't handle any DNS and DHCP service. Thus I suggest we, at least temporarily, keep it out of the scope and then come back on it once VPN permits device to device connectivity.

I'm going to build here you example with 2.2 and 3.0 Zentyal servers and I'll come back to you once done.

jbo5112

  • Zen Apprentice
  • *
  • Posts: 17
  • Karma: +1/-0
    • View Profile
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #11 on: April 16, 2013, 05:14:22 pm »
I wanted to make sure that I'm clear on what it should be doing and what it is actually doing, and I agree with your suggestions on how to proceed.

You are correct on the DNS and DHCP services.  I think the push statements are merely suggestions, but either way, the Linux client program defaults to ignoring any DNS and DHCP options that are pushed.  The Windows client program defaults to accepting the pushed statements.  I just brought it up because I have had problems in other situations that were caused small customizations that I didn't think mattered.

Thank you for looking in to this.  I'm sorry if I'm not more help in the problem, but my primary job is with software development.

christian

  • Guest
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #12 on: April 16, 2013, 05:21:17 pm »
I just achieved few minutes ago testbed deployment and tests based on here attached picture.
Without any specific set-up, I can, from B, access web servers in location A.
I also installed nginx on A (which is a laptop) and can connect from workstation in B

So I'm wondering what is not working on your side  ???

Notice I'm not currently trying to access using names as DNS is not set yet.

jbo5112

  • Zen Apprentice
  • *
  • Posts: 17
  • Karma: +1/-0
    • View Profile
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #13 on: April 16, 2013, 10:57:16 pm »
I'll try configuring everything with fresh installs, using a virtualized environment.  If my virtual setup works, then I know I've probably done something wrong with the systems that is breaking things.  With the other projects I have going, it might be a day or two before I get everything finished.

Once I get the VPN up, I'll probably just manually clone the important parts of the two DNS zones.

christian

  • Guest
Re: Zentyal-to-Zentyal tunnel connecting 2 LAN's
« Reply #14 on: April 17, 2013, 08:45:17 am »
As I previously wrote, what really matters with such investigation is to really distinguish between the various components and layers.

Test I made is showing the evidence that Zentyal server-to-server works as expected and permits to enable, through VPN tunnel, site to site communication, both ways (even mixing 2.2 & 3.0 Zentyal servers)

Then, from an end-user standpoint, this is not the end of the story. If you don't look further, you may not be able to reach service on the other side.
- everything needs to be perfectly aligned in term of default route
- you may obviously want to access service name, not IP, thus DNS content does matter and might be tricky if both sides share same IP domain name

That's the reason why I suggested that you split investigation into slices, not trying to solve end-user issue introducing workaround like iptables rules but identifying where problem lies.

Let us know the outcome of your test but be caution if you connect everything on same LAN because of routes  ;)