Author Topic: VPN Client configuration problems  (Read 5644 times)

NickA

  • Zen Apprentice
  • Posts: 15
  • Karma: +0/-0
Re: VPN Client configuration problems
« Reply #15 on: April 29, 2013, 02:10:32 am »
Hi Christian and Sam, thanks for the clarification; I think it has highlighted where my problem is: traffic is not getting from the modem to the external interface. I'm still not sure how I fix it.

In my current scenario, my internal interface is 192.168.0.1 and external is 192.168.1.4, with the modem being 192.168.1.1.

Option 1: no NAT on the modem:
If I turn off NAT on the modem and configure my external interface with my public IP address, what address do I use for the modem, because I can't use one in the range of my public IP address?

Option 2: NAT on the modem:
The WAN address of the modem is set to my public IP address; the modem and the external interface are on the same segment, so I can get to my modem. What I can't seem to get right is how to forward traffic from the modem to the external interface. (The modem is a Dynalink RTA1329v6.)

christian

  • Guest
Re: VPN Client configuration problems
« Reply #16 on: April 29, 2013, 04:13:20 am »
I would personally suggest that you keep NAT at modem level. This avoids receiving all the unwanted flow at Zentyal level.
The minor drawback is that you have to define what you need to forward.
This is done by connecting directly to your modem with your browser:
connect to http://192.168.1.1
login is admin and pwd is... admin too  :-X
Do not change anything, but go to the advanced tab where you should find settings to open ports or forward incoming flow to 192.168.1.4 (I don't have such a modem nor documentation to be more accurate here. Sorry.)

You can either forward everything or only forward the ports you need (which is my advice).

One hint: depending on your proxy configuration, you might not be able to connect to 192.168.1.1 from your local browser. You may have to do it either from the Zentyal server or by connecting your laptop to this 192.168.1.0 segment.

NickA

  • Zen Apprentice
  • Posts: 15
  • Karma: +0/-0
Re: VPN Client configuration problems
« Reply #17 on: April 30, 2013, 01:25:01 pm »
Hi Christian, thanks for continuing to take the time to respond.

I have spent several days on this and still no joy. I did have the modem set up as you suggested, with NAT enabled and forwarding all TCP and UDP ports to Zentyal, but I could still get no remote connectivity through to any of the servers on the LAN. I finally had to go back to putting the ipCop firewall back in place.

The setup is now:
Internet -> Modem -> ipCop Firewall -> Switch -> Zentyal
                                             |-> Windows Server

With the modem left exactly as I had tried with Zentyal, I can at least get external access to our SimpleHelp server running on the Windows server on the LAN. This leads me to believe that the problem isn't with the modem setup.

I have ipCop set up to forward all requests on port 1194 to Zentyal, and I have disabled the firewall in Zentyal, but I still get a TLS authentication error. I currently have only one interface configured in Zentyal, and this obviously doesn't have the External (WAN) checkbox ticked. I have set my VPN server to listen on this internal interface. I notice though that the VPN documentation says "As you can see, the VPN server will be listening on all external interfaces. Therefore, you must set at least one of your interfaces as external ..." Will the VPN server work listening on the internal interface?

If this setup is acceptable, then I think I must make sure that my certificates are okay. In the VPN server configuration I have selected the certificate created by Zentyal (vpn-xxx). I created a certificate with the Certification Authority called Client-vpn, which I select when I create the Client Bundle. Does this all sound correct?

My only other thought is that I installed Zentyal on top of an existing 12.04 server, and I wonder if this could have caused any problems.

Sam Graf

  • Guest
Re: VPN Client configuration problems
« Reply #18 on: April 30, 2013, 01:56:13 pm »
Yes, a complication for you here is that a "typical" scenario (like I described earlier and like the current documentation describes) puts Zentyal as the default gateway for the LAN, so with a minimum of two interfaces. The rationale is that Zentyal is providing all the key infrastructure services in a "one stop shopping" manner, which is a tidy and great approach for small businesses.

But there are people who do VPN with a single interface. The Zentyal 2.0 documentation also describes a single interface scenario.

NickA

  • Zen Apprentice
  • Posts: 15
  • Karma: +0/-0
Re: VPN Client configuration problems
« Reply #19 on: April 30, 2013, 11:41:10 pm »
Hi Sam, thanks for those 2 links.

Following the instructions in "people who do VPN ...", I set up a static route from my modem for the IP range of the VPN clients (192.168.160.0). Because I also have a firewall machine between the modem and Zentyal, I set up a route on the modem with the gateway being the ipCop machine, and then I created a similar static route on the ipCop machine with the gateway being the Zentyal machine. This didn't resolve the problem.

The second link to the Zentyal 2.0 documentation describes the need for Port Redirection, which I am assuming has been renamed to port forwarding in v3.0. Unfortunately the documentation doesn't describe more than the labels and dropdown options on the input screen:
Quote
The Original source (which can be the Zentyal server, a source IP or an object), the Original source port (which can be Any, a Default port or Port range), the Protocol and the Source (which can be also Any, an IP address or an Object). You will also specify the IP address of the Destination and finally the Port where the destination host will receive the requests. This can be same as the original or not

Should "Original destination" be set to an object (the OpenVPN server), the IP address of Zentyal, or the IP address range of the VPN clients? I assume that "Original destination port" can be left at "any". Should "Source" be left on "any", or set to the IP address of the gateway? Is "Destination IP" the IP address of Zentyal?

If I look at Connection Tracking in ipCop, I can see the requests coming in for remote help (which is the only way I can currently get remote access) that get correctly forwarded to the Windows server on the LAN. These have a connection status of ESTABLISHED and are marked as ASSURED. I can see my VPN client and SSH requests coming in, getting routed from the red interface to the green on ipCop, and then being forwarded to Zentyal's IP address, but the connection status is blank, and they are marked as UNREPLIED. I have tried disabling the firewall in Zentyal (unchecking the firewall in modules, and "sudo sfw disable") but it still seems as though Zentyal is refusing connections.
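The connection-tracking observation in the post above is the most useful diagnostic in this thread: a forwarded (DNAT) flow whose entry stays UNREPLIED means the firewall rewrote the packet and sent it on, but the inside host never answered (nothing listening on that address and port, or the host's own firewall dropped it). The SimpleHelp forward, by contrast, shows ESTABLISHED/ASSURED because the Windows server replied. The script below is an added example written for this page, not code from the original post or from ipCop or Zentyal. It reads /proc/net/ip_conntrack-style lines (the data ipCop's Connection Tracking page displays) and reports, for each port-forwarded flow, whether the inside host ever replied. The sample entries and their addresses (198.51.100.20 as the firewall's outside address, 192.168.0.10 as a Windows host, 192.168.0.2 as the VPN host) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: which port-forwarded (DNAT) flows in a conntrack table were answered?
# Reads /proc/net/ip_conntrack-style lines on stdin and prints one line per forwarded flow.
unanswered_forwards() {
    awk '
    {
        proto = $1; n = 0
        split("", src); split("", dst); split("", sport); split("", dport)
        # Each entry carries two tuples: original (as the client sent it) and
        # reply (as the answer is expected). With DNAT the two differ.
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")        { n++; src[n] = kv[2] }
            else if (kv[1] == "dst")   dst[n] = kv[2]
            else if (kv[1] == "sport") sport[n] = kv[2]
            else if (kv[1] == "dport") dport[n] = kv[2]
        }
        if (n != 2) next
        # Not DNAT: the host expected to answer (reply src) is the address the client targeted.
        if (dst[1] == src[2]) next
        if (index($0, "[UNREPLIED]"))    state = "UNREPLIED"
        else if (index($0, "[ASSURED]")) state = "OK"
        else                             state = "REPLIED"
        printf "%s %s:%s -> %s:%s %s\n", proto, dst[1], dport[1], src[2], sport[2], state
    }'
}

# Constructed sample (not captured from any real firewall): 198.51.100.20 is the
# firewall's outside address, 192.168.0.10 a Windows host, 192.168.0.2 the VPN host.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=198.51.100.20 sport=51234 dport=443 src=192.168.0.10 dst=203.0.113.7 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 27 src=203.0.113.7 dst=198.51.100.20 sport=40001 dport=1194 [UNREPLIED] src=192.168.0.2 dst=203.0.113.7 sport=1194 dport=40001 mark=0 use=1
tcp      6 119 SYN_SENT src=203.0.113.7 dst=198.51.100.20 sport=51300 dport=22 [UNREPLIED] src=192.168.0.2 dst=203.0.113.7 sport=22 dport=51300 mark=0 use=1
udp      17 15 src=192.168.0.10 dst=192.168.0.1 sport=5353 dport=53 src=192.168.0.1 dst=192.168.0.10 sport=53 dport=5353 mark=0 use=1'

printf '%s\n' "$SAMPLE_CONNTRACK" | unanswered_forwards
```

An UNREPLIED line on a DNAT flow points past the forwarding device: the rewrite happened, the inside host never answered. The next check belongs on that host, not on the firewall: is anything listening on UDP/1194 on the address the packet was rewritten to (`netstat -lunp` or `ss -lunp`), and does the host's own INPUT chain accept it? Note that a replied UDP flow says nothing about TLS; a TLS authentication error happens after the datagrams are already flowing in both directions.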

christian

  • Guest
Re: VPN Client configuration problems
« Reply #20 on: May 01, 2013, 06:20:42 am »
NickA,

If you definitely can't have Zentyal set up with 2 interfaces, acting as LAN default gateway (well, to make it short, deployed as it is initially designed), then you could still achieve it, but it will require having everything aligned in terms of configuration.

As an example, if you decide, for some reason, to disable the Zentyal firewall, then it will obviously not work. Read the 2.2 documentation again:
Quote
If you need a VPN server that is not the gateway of the local network, i.e., the host does not have any external interfaces, then you need to use the Port redirection with Zentyal. As this is one of the firewall options, you must ensure that the firewall module is enabled, otherwise you can not enable this option.

I never tried such an implementation, but my understanding is that the VPN service listens on the Zentyal "external" interface only (UDP port 1194).
As there is no such interface in the case of an internal Zentyal, you need to forward (port redirect) incoming requests so that they reach the VPN service, but this won't work with the FW off (see above and the 2.2 doc).

At this stage, and given the complexity level it brings, I wonder if Zentyal is the right solution for you. Why not have a "simple" VPN server running on this server? You would at least get rid of all this port forwarding stuff, doubts about the firewall blocking requests, potential problems with DNS, certificate authority, well, all the stuff that is needed in the Zentyal implementation and redundant in your implementation.
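The point in this post, and the earlier advice to forward only the ports you need at the modem rather than everything, both rest on the same netfilter mechanism: a port redirection is a DNAT rule in the nat table plus a matching ACCEPT in the FORWARD chain. It lives inside the firewall ruleset, which is why the documentation quoted above requires the firewall module to be enabled and why "disable the firewall" as a troubleshooting step removes the redirect itself. The script below is an added example written for this page, not Zentyal's generated rules and not from the original post; the outside interface eth0, the inside VPN host 192.168.0.2 and UDP/1194 are assumptions. By default it only prints the rules it would apply; set DRY_RUN=0 to apply them as root.

```shell
#!/bin/sh
# Added example: the netfilter rules behind a "port redirection" of UDP/1194
# to an inside OpenVPN host. Not Zentyal's own ruleset; the names below are assumed.
WAN_IF=${WAN_IF:-eth0}             # assumed outside interface
VPN_HOST=${VPN_HOST:-192.168.0.2}  # assumed inside OpenVPN server
VPN_PORT=${VPN_PORT:-1194}         # OpenVPN default UDP port
DRY_RUN=${DRY_RUN:-1}              # 1 = print the rules, 0 = apply them (needs root)

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

vpn_redirect_rules() {
    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    #    This is the redirect itself, and it only exists while the ruleset is loaded:
    #    flush the firewall and UDP/1194 is delivered to the gateway, where nothing listens.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$VPN_PORT" \
        -j DNAT --to-destination "$VPN_HOST:$VPN_PORT"
    # 2. filter/FORWARD: the rewritten packet is forwarded, not delivered locally, so it
    #    must pass FORWARD. Scope it to one host, protocol and port rather than "forward all".
    ipt -A FORWARD -i "$WAN_IF" -p udp -d "$VPN_HOST" --dport "$VPN_PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # 3. Replies from the VPN host back out; conntrack reverses the NAT automatically.
    #    Only needed when FORWARD's policy is DROP and no generic ESTABLISHED rule exists.
    ipt -A FORWARD -o "$WAN_IF" -p udp -s "$VPN_HOST" --sport "$VPN_PORT" \
        -m state --state ESTABLISHED -j ACCEPT
}

vpn_redirect_rules
```

Rule 2 is also what an "accept any-to-any" test rule, as suggested later in this thread, would cover while you are isolating a fault, with the difference that the scoped version leaves only one UDP port reachable from outside. If the flow still shows UNREPLIED in conntrack after these rules are in place, the packet reached the VPN host and the fault is on that host, not on the forwarding device.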

NickA

  • Zen Apprentice
  • Posts: 15
  • Karma: +0/-0
Re: VPN Client configuration problems
« Reply #21 on: May 01, 2013, 07:56:20 am »
Hi Christian,

I would certainly be happy to use Zentyal with 2 interfaces, but I've tried everything that has been suggested here to get that to work and I simply can't get Zentyal to accept any requests for VPN or SSH, or even to forward traffic to other servers on the LAN. I'm pretty happy that I've got the modem configured okay, because if I plug in ipCop instead of Zentyal, then I do get forwarding to other servers on the LAN, so I don't think that the modem is blocking anything.

At this stage I'm going round in circles.

I really appreciate all of the time you and Sam have devoted to answering my continual questions.

christian

  • Guest
Re: VPN Client configuration problems
« Reply #22 on: May 01, 2013, 08:30:10 am »
I don't think there is any issue with the modem either.
I don't understand why you can't use Zentyal with 2 interfaces. Is it because it doesn't work or because you have some other constraints?

If there are no specific constraints, then Zentyal with 2 NICs is really the best option.
The problem, if any and as far as I can understand it, is that when you try to set it up and as soon as you face a problem, you try to implement solutions that are not expected and that bring some mess. I hope to be wrong, but I have this really strong feeling.
e.g. with VPN, there is no need to forward traffic to any server on the LAN as, thanks to VPN, VPN clients will work "as if connected to LAN".

I'm using VPN (in server-to-server mode) without any problem.
Lots of users here are using VPN, so no doubt it works  ;)

I would suggest, as I did at the beginning of this thread, spending time investigating deployment of the simple solution (Zentyal as FW) rather than switching to something that looks easier because ipCop permits access to the LAN; bringing Zentyal into the picture with only one NIC is far too complex for you and overkill for your needs.

christian

  • Guest
Re: VPN Client configuration problems
« Reply #23 on: May 01, 2013, 09:31:09 am »
An attempt to describe, at a high level, VPN using Zentyal  8)

Assumptions:
- Zentyal is your firewall, DNS and DHCP server, thus also the default route for all devices on your LAN
- it has 2 interfaces, one internal, one external
- the front-end edge router is forwarding to Zentyal (external IP) either all incoming flow or at least the protocols exposed on the Zentyal external interface (listening services like mail server, VPN server, HTTP server)

Configuration:
- configure the VPN server as per the documentation. This means defining and configuring the VPN server and creating a certificate for the client(s)
- once the server is up and running, download the client bundle using the previously created certificate
- install and run this bundle client side.

It works  ;) (however, read further)

What I mean to explain here is that there is no need for specific FW rules, port forwarding or other strange settings.
This is really straightforward (or at least supposed to be  ;))

If it doesn't work, then do not change anything, but try to identify where the failure occurs. A workaround like "disabling FW" doesn't help. Better to add some FW rules like accept any-to-any if you think the FW may be faulty.

When I wrote "it works", I meant that the client should be able to launch the VPN client and build the tunnel.
Accessing services running on the LAN is another step that requires the tunnel to be enabled first. This means, if I may rephrase it: "do not focus on internal server access, but first ensure that the tunnel is there, up and running."

Once you have reached this point, then you can try to access your internal server and focus on potential problems (and there are potentially a lot  :()
- the route to your LAN is known client side because your LAN is advertised, thus once the tunnel is up, this route is added client side.
- this doesn't permit accessing myserver.mydomain transparently because DNS is not changed client side, thus myserver.mydomain might not be resolved as expected.

What I try to highlight is that "I can't access my server" might not be due to VPN related issues only, which is why I suggest you progress step by step without introducing a workaround as soon as something doesn't bring the expected result. Once you have the big picture in mind, investigating should not be that complex (especially because it does work when done properly).

« Last Edit: May 01, 2013, 09:43:59 am by christian »

NickA

  • Zen Apprentice
  • Posts: 15
  • Karma: +0/-0
Re: VPN Client configuration problems
« Reply #24 on: May 01, 2013, 01:40:33 pm »
Hi Christian,

Thanks for that. I can only get back to the main office to make physical changes in 2 days' time, but I will go back to first principles and start again.

sandy3269

  • Zen Apprentice
  • Posts: 3
  • Karma: +0/-0
Re: VPN Client configuration problems
« Reply #25 on: July 01, 2013, 05:53:52 pm »
The issue you are talking about, "This bundle is not a valid Zentyal-to-Zentyal configuration bundle.", is easy to solve. It is saying that the bundle storage format is incorrect. I use 7-zip to compress to tar format, then the same from tar to gunzip, so that your final package = xxxxx.tar.gz.

Now, what goes inside this is an issue for me. I'm trying to connect Zentyal with an outside "Free" VPN server, to provide a tunnel identifying all my servers with a US IP address.

Any suggestions?

calipso1929

  • Zen Apprentice
  • Posts: 3
  • Karma: +0/-0
Re: VPN Client configuration problems
« Reply #26 on: June 18, 2015, 07:22:19 pm »
Good afternoon,
I have the problem you mention, the UNDEF. Specifically, if I connect with OpenVPN there is no problem; the problem comes when trying to connect an Asus RT-N16 with its VPN tunneling. When I try to connect the router VPN, Zentyal tells me UNDEF.
I'm going crazy, I do not know where to look. Can you help me or give me an idea?