Author Topic: Upgrade to 6.1 issues: Firewall & VPN access [SOLVED]  (Read 580 times)

bettercallme

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +1/-0
    • View Profile
Upgrade to 6.1 issues: Firewall & VPN access [SOLVED]
« on: January 19, 2020, 11:13:22 am »
Hi there,
I upgraded my Zentyal 6.0.1 to 6.1 but the update broke the access to the VPN. All clients connects successfully, but no access to any resource. Firewall filters out all connections with DENY.

I've add a rule with ICMP allow to all firewall sections:
- Filtering rules from internal networks to Zentyal
- Filtering rules for internal networks
- Filtering rules from external networks to Zentyal
- Filtering rules for traffic coming out from Zentyal
When I connecting to vpn, recieved an IP address, trying to ping any host in my LAN (include zentyal). All attemps failed with "0 packets received, 100.0% packet loss"

Can you help me understand what type of traffic a VPN connection belongs to? I've lost remote connection to my server after upgrade to 6.1 :(
Thanks!
« Last Edit: January 26, 2020, 09:09:00 am by bettercallme »

royceb

  • Guest
Re: Upgrade to 6.1 issues: Firewall & VPN access
« Reply #1 on: January 19, 2020, 04:26:09 pm »
Is the network still in the advertised section of the VPN settings?

bettercallme

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +1/-0
    • View Profile
Re: Upgrade to 6.1 issues: Firewall & VPN access
« Reply #2 on: January 19, 2020, 05:12:04 pm »
Yes, I've got 2 interfaces and they're in the Advertised: OpenVPN-xxx-net1 & OpenVPN-yyy-net2
When client connected to zentyal, it's displayed in dashboard view with address 192.168.160.x as connected user.

But I no longer understand the network he belongs to. In which section should I set up access rules for him? Is it an internal network?
I think it should be in both:
- Filtering rules from internal networks to Zentyal
- Filtering rules for internal networks

But there is still no ping from client to any internal resource(

doncamilo

  • Zen Samurai
  • ****
  • Posts: 427
  • Karma: +134/-1
    • View Profile
Re: Upgrade to 6.1 issues: Firewall & VPN access
« Reply #3 on: January 19, 2020, 11:27:30 pm »
 :)

So, can I assume that your users are able to connect to your VPN?

Code: [Select]
sudo grep 'SENT CONTROL'  /var/log/openvpn/yourvpnname.log

You sould see some record similar to this:

Code: [Select]
Sun Jan 19 22:45:20 2020 vpn-test-client-a/192.168.1.53:58490 SENT CONTROL [vpn-test-client-a]: 'PUSH_REPLY,redirect-gateway def1,route 192.168.6.0 255.255.255.0,route-gateway 192.168.160.1,ping 10,ping-restart 120,ifconfig 192.168.160.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)

Check your iptables too.

Code: [Select]
iptables -vL -t filter | grep openvpn
iptables -vL -t nat

From you client apparently connected to the openvpn server do ping to the virtual interface of your server and other machines in the published networks. Did it work?

I assume your system upgrading process was successful.

Cheers!

- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

royceb

  • Guest
Re: Upgrade to 6.1 issues: Firewall & VPN access
« Reply #4 on: January 20, 2020, 05:02:56 am »
:)

So, can I assume that your users are able to connect to your VPN?

Code: [Select]
sudo grep 'SENT CONTROL'  /var/log/openvpn/yourvpnname.log

You sould see some record similar to this:

Code: [Select]
Sun Jan 19 22:45:20 2020 vpn-test-client-a/192.168.1.53:58490 SENT CONTROL [vpn-test-client-a]: 'PUSH_REPLY,redirect-gateway def1,route 192.168.6.0 255.255.255.0,route-gateway 192.168.160.1,ping 10,ping-restart 120,ifconfig 192.168.160.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)

Check your iptables too.

Code: [Select]
iptables -vL -t filter | grep openvpn
iptables -vL -t nat

From you client apparently connected to the openvpn server do ping to the virtual interface of your server and other machines in the published networks. Did it work?

I assume your system upgrading process was successful.

Cheers!

Odd my network sounds similar to yours but I go off 1 nic and define my firewall rules in internal networks section like you have suggested without problems.

doncamilo

  • Zen Samurai
  • ****
  • Posts: 427
  • Karma: +134/-1
    • View Profile
Re: Upgrade to 6.1 issues: Firewall & VPN access
« Reply #5 on: January 20, 2020, 06:57:13 pm »
 :P

I think this is the moment to give an opportunity to Wireshark (or Tcpdump) to show us the real traffic there is in your networks.

I recommend you to use Wireshark. Here you have a pretty good tutorial: https://wiki.wireshark.org/OpenVPN.

I don't think so, but, if you think this is a firewall issue, could be useful to disable the firewall a few seconds to check if the issue doesn't be reproduced.

Code: [Select]
sudo zs firewall stop

Remember to enable te firewall after the trial.

Code: [Select]
sudo zs firewall start

 Cheers!
« Last Edit: January 20, 2020, 07:34:34 pm by doncamilo »
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

bettercallme

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +1/-0
    • View Profile
Re: Upgrade to 6.1 issues: Firewall & VPN access
« Reply #6 on: January 26, 2020, 09:08:07 am »
:)
So, can I assume that your users are able to connect to your VPN?

Thanks for answer and sorry for delay.
I'm using macOS with Viscosity app to connect to server.

I've tried your suggestions, but nothing changed. Here's the solution that helped:
- added one more vpn server;
- switch to use new server on same port;
- download client bundle with new server certificates;
- successfully connected to the network;
- remove previous VPN server;

Thanks!

doncamilo

  • Zen Samurai
  • ****
  • Posts: 427
  • Karma: +134/-1
    • View Profile
Re: Upgrade to 6.1 issues: Firewall & VPN access [SOLVED]
« Reply #7 on: January 26, 2020, 01:48:41 pm »
 :)

It's actually bizarre that logs don't have shown any fingerprint about some kind of certificates issue, tls, crl, etc.

If I understood correctly your problem, your users were able to connect to the server, isn't it?

So another possibility is that internal networks weren't correctly published. Did you change the openvpn virtual internal network when created the new server?

Cheers!

I feel happy because you fixed your problem. But i would be happiest if you paste here the old server logs. I would like to understand what the error was!
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,