Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: azop on April 13, 2008, 12:38:33 am
-
I'm using Openvpn on Hardy beta. I have the following setup in ebox's configuration:
VPN network address: 10.10.2.0
VPN network subnet: 10.10.0.0
Protocol: TCP
Client authorization by common name: no
Allow client-to-client connections: Unchecked
Allow eBox-to-eBox tunnels: Unchecked
eBox-to-eBox tunnel password: set (but I don't think this is a issue)
Listen on: eth0
I have the following "Advertised Networks":
10.10.5.0 255.255.255.0
10.10.10.0 255.255.255.0
I can connect to openvpn and authenticate:
Sat Apr 12 17:24:33 2008 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{B8CD89A3-8922-4161-9DB3-9A14923CF7FE}.tap
Sat Apr 12 17:24:33 2008 TAP-Win32 Driver Version 8.1
Sat Apr 12 17:24:33 2008 TAP-Win32 MTU=1500
Sat Apr 12 17:24:33 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.10.2.2/255.255.255.0 on interface {B8CD89A3-8922-4161-9DB3-9A14923CF7FE} [DHCP-serv: 10.10.2.0, lease-time: 31536000]
Sat Apr 12 17:24:33 2008 Successful ARP Flush on interface [327686] {B8CD89A3-8922-4161-9DB3-9A14923CF7FE}
Sat Apr 12 17:24:33 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sat Apr 12 17:24:33 2008 Route: Waiting for TUN/TAP interface to come up...
Sat Apr 12 17:24:34 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sat Apr 12 17:24:34 2008 Route: Waiting for TUN/TAP interface to come up...
Sat Apr 12 17:24:36 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sat Apr 12 17:24:36 2008 Route: Waiting for TUN/TAP interface to come up...
Sat Apr 12 17:24:37 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Sat Apr 12 17:24:37 2008 Route: Waiting for TUN/TAP interface to come up...
Sat Apr 12 17:24:38 2008 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sat Apr 12 17:24:38 2008 route ADD 10.10.5.0 MASK 255.255.255.0 10.10.2.1
Sat Apr 12 17:24:38 2008 Route addition via IPAPI succeeded
Sat Apr 12 17:24:38 2008 route ADD 10.10.10.0 MASK 255.255.255.0 10.10.2.1
Sat Apr 12 17:24:38 2008 Route addition via IPAPI succeeded
Sat Apr 12 17:24:38 2008 Initialization Sequence Completed
However I can not ping or access any host in 10.10.5.0/24 or 10.10.10.0/24 (specifically 10.10.10.250)
I _can_ ping 10.10.10.251 (eth1 internal IP). I thought it was a firewall issue...but I don't see anything in the ebox configuration that would be denying this...everything is set to allow all.
Any ideas would be great..
-
Your VPN network subnet (netmask) is wrong, it should be 255.255.255.0
If you still have issues we'd need more info, tell us your network configuration, external and internal interfaces, gateways...
-
It was set up correctly...I just mistyped it. But here's the current configuration:
VPN network address: 10.10.2.0
VPN network subnet: 255.255.255.0
Protocol: TCP
Client authorization by common name: no
Allow client-to-client connections: Unchecked
Allow eBox-to-eBox tunnels: Unchecked
eBox-to-eBox tunnel password:
Listen on: eth0
I have the following "Advertised Networks":
10.10.5.0 255.255.255.0
10.10.10.0 255.255.255.0
-----------
eth0 is a public ip address set to 'external' in the network configuration with a 255.255.255.252
eth1 Link encap:Ethernet HWaddr 00:1e:c9:3b:00:0b
inet addr:10.10.10.251 Bcast:10.10.10.255 Mask:255.255.255.0
tap0 Link encap:Ethernet HWaddr 00:ff:cd:f6:e5:ad
inet addr:10.10.2.1 Bcast:10.10.2.255 Mask:255.255.255.0
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
71.86.31.152 0.0.0.0 255.255.255.252 U 0 0 0 eth0
10.10.2.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
running tcpdump -n -i tap0 I see:
09:38:56.951966 IP 10.10.2.2 > 10.10.10.250: ICMP echo request, id 1280, seq 11, length 40
09:38:58.950841 IP 10.10.2.2 > 10.10.10.250: ICMP echo request, id 1280, seq 267, length 40
09:39:02.451496 IP 10.10.2.2 > 10.10.10.250: ICMP echo request, id 1280, seq 523, length 40
09:39:04.452512 IP 10.10.2.2 > 10.10.10.250: ICMP echo request, id 1280, seq 779, length 40
on eth1 I see:
09:40:54.122521 IP 10.10.10.250 > 10.10.10.251: ICMP echo request, id 55329, seq 49232, length 64
09:40:54.122541 IP 10.10.10.251 > 10.10.10.250: ICMP echo reply, id 55329, seq 49232, length 64
09:40:55.122551 IP 10.10.10.250 > 10.10.10.251: ICMP echo request, id 55329, seq 49233, length 64
09:40:55.122569 IP 10.10.10.251 > 10.10.10.250: ICMP echo reply, id 55329, seq 49233, length 64
I think it's a route issue now...but I'm not sure the correct route command to throw at it.
Thanks
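The two captures above are the key diagnostic: tap0 sees echo requests leaving for 10.10.10.250 but no replies coming back, while eth1 only shows the host talking to eBox itself. The following is an added example (not code from the thread or from eBox) that pairs ICMP echo requests with replies in `tcpdump -n` output so a one-way path shows up as a list of unanswered requests. The sample captures are copied from the posts above; the regex assumes the line format shown there.

```python
# Added example: spot asymmetric return paths by pairing ICMP echo
# requests with their replies in `tcpdump -n` output.
import re
import sys
from collections import OrderedDict

# Matches the ICMP lines as printed by `tcpdump -n -i <if>` in the thread,
# e.g. "09:38:56.951966 IP 10.10.2.2 > 10.10.10.250: ICMP echo request, id 1280, seq 11, length 40"
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def unanswered_echoes(lines):
    """Return (src, dst, id, seq) tuples for echo requests that never saw a reply.

    A reply from B to A with the same id/seq answers the request from A to B,
    so the reply is keyed with src/dst swapped before it is matched.
    """
    pending = OrderedDict()
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if not m:
            continue  # non-ICMP or differently formatted line: ignore
        src, dst = m["src"], m["dst"]
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(src, dst, ident, seq)] = m["ts"]
        else:
            pending.pop((dst, src, ident, seq), None)
    return list(pending)


def unanswered_by_destination(lines):
    """Count unanswered requests per destination; a host that never answers
    any probe is the one whose return path needs checking."""
    counts = {}
    for _src, dst, _ident, _seq in unanswered_echoes(lines):
        counts[dst] = counts.get(dst, 0) + 1
    return counts


# Capture on tap0, copied from the post above: requests only, no replies.
TAP0_CAPTURE = """\
09:38:56.951966 IP 10.10.2.2 > 10.10.10.250: ICMP echo request, id 1280, seq 11, length 40
09:38:58.950841 IP 10.10.2.2 > 10.10.10.250: ICMP echo request, id 1280, seq 267, length 40
09:39:02.451496 IP 10.10.2.2 > 10.10.10.250: ICMP echo request, id 1280, seq 523, length 40
09:39:04.452512 IP 10.10.2.2 > 10.10.10.250: ICMP echo request, id 1280, seq 779, length 40
"""

# Capture on eth1, copied from the post above: every request is answered.
ETH1_CAPTURE = """\
09:40:54.122521 IP 10.10.10.250 > 10.10.10.251: ICMP echo request, id 55329, seq 49232, length 64
09:40:54.122541 IP 10.10.10.251 > 10.10.10.250: ICMP echo reply, id 55329, seq 49232, length 64
09:40:55.122551 IP 10.10.10.250 > 10.10.10.251: ICMP echo request, id 55329, seq 49233, length 64
09:40:55.122569 IP 10.10.10.251 > 10.10.10.250: ICMP echo reply, id 55329, seq 49233, length 64
"""

if __name__ == "__main__":
    # Usage on a live box:  tcpdump -l -n -i tap0 icmp | python3 pair_icmp.py
    # (reads stdin; prints one line per request that got no reply)
    for src, dst, ident, seq in unanswered_echoes(sys.stdin):
        print(f"no reply: {src} -> {dst} id={ident} seq={seq}")
```

Run it against the two captures and tap0 reports four unanswered probes to 10.10.10.250 while eth1 reports none: the requests are being forwarded, so the problem is the reply path from 10.10.10.250 back to 10.10.2.0/24, not the firewall. Note that `-n` matters here: without it tcpdump prints hostnames and the regex will not match.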
-
Does the internal machine (the one you are pinging from the vpn) have set eBox as its gateway?
If not, you can try this to see if works:
sudo iptables -t nat -I POSTROUTING -s 10.10.2.0/24 -o eth1 -j MASQUERADE
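Why the gateway question matters, as an added example (not code from the thread or from eBox): a small longest-prefix-match route lookup modelling the internal host's reply. The host's routing tables below are assumed for illustration; the addresses (VPN client 10.10.2.2, eBox eth1 10.10.10.251) are the ones in the thread, and the non-eBox router address 10.10.10.1 is hypothetical.

```python
# Added example: model the internal host's reply to a VPN client with and
# without eBox as its default gateway, and with the MASQUERADE rule above.
import ipaddress

VPN_CLIENT = "10.10.2.2"      # from the thread
EBOX_ETH1 = "10.10.10.251"    # eBox internal address, from the thread


def next_hop(routes, dst):
    """Longest-prefix-match lookup.

    routes: list of (network, gateway_or_None, iface). Returns (gateway, iface),
    with gateway "on-link" for directly connected networks, or None if no route.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    if best is None:
        return None
    return (best[1] or "on-link", best[2])


# Assumed routing table of internal host 10.10.10.250 when its default
# gateway is some other router on the LAN (hypothetical address 10.10.10.1).
HOST_ROUTES_OTHER_GW = [
    ("10.10.10.0/24", None, "eth0"),
    ("0.0.0.0/0", "10.10.10.1", "eth0"),
]

# Same host with eBox (10.10.10.251) set as its default gateway.
HOST_ROUTES_EBOX_GW = [
    ("10.10.10.0/24", None, "eth0"),
    ("0.0.0.0/0", EBOX_ETH1, "eth0"),
]


def reply_path(host_routes, masquerade):
    """Where does the internal host send its reply, and does eBox ever see it?

    masquerade=True models `-t nat -I POSTROUTING -s 10.10.2.0/24 -o eth1
    -j MASQUERADE`: the request arrives with source 10.10.10.251, so the host
    replies to eBox's own on-link address instead of the VPN client.
    Returns (reply_destination, next_hop, reaches_ebox).
    """
    reply_dst = EBOX_ETH1 if masquerade else VPN_CLIENT
    hop = next_hop(host_routes, reply_dst)
    if hop is None:
        return reply_dst, None, False
    gw, _iface = hop
    reaches_ebox = gw == EBOX_ETH1 or (gw == "on-link" and reply_dst == EBOX_ETH1)
    return reply_dst, hop, reaches_ebox


if __name__ == "__main__":
    for label, routes, nat in (
        ("other gateway, no NAT", HOST_ROUTES_OTHER_GW, False),
        ("eBox as gateway, no NAT", HOST_ROUTES_EBOX_GW, False),
        ("other gateway, MASQUERADE", HOST_ROUTES_OTHER_GW, True),
    ):
        print(label, "->", reply_path(routes, nat))
```

The first case is the thread's symptom: the reply to 10.10.2.2 goes to the host's own default gateway, which knows nothing about the VPN subnet, so tap0 never sees it. Either fix works, but they differ in what the internal hosts see: with eBox as gateway the hosts log the real VPN client address, whereas MASQUERADE makes every VPN client look like 10.10.10.251, which loses per-client attribution in server logs and in any host-based access control keyed on source address. Keep the rule scoped with `-s 10.10.2.0/24` as posted rather than masquerading everything leaving eth1.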
-
Great...that worked. I did change one of the servers to the correct gateway and went ahead and added the iptables rule so I could access another server.
Is there a way I can add that rule into the firewall template so when ebox's firewall restarts I won't have to manually redo the rule?
Also...I don't believe I'm seeing SMB broadcasts...and I can't access \\domainname..however I can if I do \\ipaddress.
Any suggestions or should I just add that domain to the client's hosts file?
-
You can edit the file /usr/share/perl5/EBox/Iptables.pm
Add the line pf '-t nat -I POSTROUTING -s 10.10.2.0/24 -o eth1 -j MASQUERADE';
within sub start() function after the call to setStructure, it should look like this:
sub start
{
    my $self = shift;

    $self->_loadIptModules();
    $self->setStructure();
    pf '-t nat -I POSTROUTING -s 10.10.2.0/24 -o eth1 -j MASQUERADE';
    my @dns = @{$self->{net}->nameservers()};
    foreach (@dns) {
        $self->setDNS($_);
    }
    # ... rest of start() unchanged
}
Save the file and run the following command to check there isn't any syntax error:
perl -c /usr/share/perl5/EBox/Iptables.pm
If everything looks ok, restart the firewall by executing:
/etc/init.d/ebox firewall restart
Regarding the SMB thing, you are saying that you are actually seeing SMB broadcast packets and stuff on your VPN client interface, right?
-
I can connect to a samba share with the ip address so everything _should_ working.
Thanks
-
by the way, is your samba server running in eBox or on another machine within your LAN?
-
Currently running with ebox...however I may remove the module and edit the configuration file myself, I'm not sure yet.
-
Doesn't setting up static routes in eBox modify these IP table rules or should I just go ahead and do sudo iptables -t nat -I POSTROUTING -s IP_ADDRESS/SUB -o eth0 -j MASQUERADE? If I get an update to the firewall module, doesn't that mean it'll overwrite this change in Iptables.pm?
azop said he could do \\10.10.2.6 for instance and s/he could access Samba shares, but doing \\hostname would not work. I'm experimenting with different settings to get this to work, but do you have any suggestions?
-
Javi, I need help in my OpenVPN. My OpenVPN connection is working, but I can ping or connect to clients in my internal network. I added the iptables line you posted in your above reply, but still it doesn't work.
When I ping, it tells me.... Destination host unreachable.
Any help will be appreciated.
Thanks
-
sulazhy, what's your issue? A lot of us on the forums seemed to have solved our OpenVPN issues by editing the script file eBox loads to create the OpenVPN.conf file. The changes don't stay if you upgrade OpenVPN or to a new eBox version that has a new OpenVPN, but you can copy and paste it back in regardless.
-
shulazy, I think that you mean you can _not_ ping or connect to clients in your internal network.
Do you have your internal network advertised? If not, or if you do not know, you can see it in the server list, 'Advertised networks' cell.
-
Hi Javi and Saturn,
thanks for the concern. Here is my situation..
OpenVPN Network = 10.0.2.0/24
OpenVPN Client = 10.0.2.2
eBox (Gateway) = 195.148.173.50 (Ext Interface) AND 10.0.1.0 (Internal Interface with DHCP)
Tap0 = 10.0.2.1/24
The situation now is:
OpenVPN Client: Can ping Tap0 and eBox External Interface, but can not ping any client in the internal network with eBox as gateway.
eBox (Gateway): Can ping OpenVPN Client and Tap0.
Internal Network Computers: Can not ping OpenVPN Client.
I ran sudo iptables -t nat -I POSTROUTING -s 10.10.2.0/24 -o eth1 -j MASQUERADE on the command line, but still it doesn't solve my problem.
But I would like to know if I am to include the line in some configuration file.
Your help will be appreciated.
-
Is the internal network advertised? Which netmask does it use?
What is the routing table of your client?
-
Yes, the internal network (10.0.1.0) is advertised, and it uses 255.255.255.0.
Actually, I left the lab now, but I can paste the routing table tomorrow.
But what exactly could be wrong with it?
Thanks
-
You can always try adding this information, formatted for your network, where it would match at the bottom of your openvpn.conf.mas file in /usr/share/ebox/stubs/openvpn/:
<%def advertisedNets>
<%args>
@nets
</%args>
% foreach my $net (@nets) {
%   my ($net, $netmask) = @{ $net };
push "route <% $net %> <% $netmask %>"
push "dhcp-option GATEWAY 1.1.1.1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option WINS 1.1.1.1"
push "dhcp-option NBT 2"
push "dhcp-option DOMAIN octen"
% }
</%def>
Then restart OpenVPN in eBox and then your clients. I don't actually know if the GATEWAY line is correct.
-
Saturn,
Thanks very much, but I tried to get to the openvpn.conf.mas file and I couldn't find the share directory in the lib (/usr/lib/share).
Can you give me a better description of how to go about this?
Thank you
-
Javier Amor Garcia, Javi and Saturn2888. Please, I need attention to my earlier posts.
Thanks
-
If you could get the client's routing table you could post it here so we could see if something is wrong.
Another problem could be that your internal clients cannot return the packets to your VPN client. There are two possible solutions to this:
a) assure that the eBox server is, and is the only, default gateway
b) you could try to turn on the Network Address Translation option in the VPN server.
Finally, if you want to try Saturn's suggestion, the files are located in the directory /usr/share/ebox/stubs/openvpn/
-
I'm sorry, I fixed the directory address in my post. Nice catch Javier.
-
Javier,
Here is my client routing table. Please, can you check if everything is alright?
C:\Users\sulazhy>netstat -rn
===========================================================================
Interface List
19...00 ff 49 bc e7 6b ......TAP-Win32 Adapter V9
14...00 1a 6b 27 4e 2c ......Bluetooth Device (Personal Area Network)
12...00 19 b9 84 b2 a3 ......Broadcom NetXtreme 57xx Gigabit Controller
11...00 13 e8 48 07 59 ......Intel(R) Wireless WiFi Link 4965AGN
1...........................Software Loopback Interface 1
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.69.254 192.168.69.195 20
10.0.2.0 255.255.255.0 On-link 10.0.2.2 286
10.0.2.2 255.255.255.255 On-link 10.0.2.2 286
10.0.2.255 255.255.255.255 On-link 10.0.2.2 286
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.69.0 255.255.255.0 On-link 192.168.69.195 276
192.168.69.195 255.255.255.255 On-link 192.168.69.195 276
192.168.69.255 255.255.255.255 On-link 192.168.69.195 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.69.195 276
224.0.0.0 240.0.0.0 On-link 10.0.2.2 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.69.195 276
255.255.255.255 255.255.255.255 On-link 10.0.2.2 286
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination                   Gateway
 1    306 ::1/128                               On-link
12    276 fe80::/64                             On-link
19    286 fe80::/64                             On-link
21    281 fe80::5efe:192.168.69.195/128         On-link
12    276 fe80::7493:ec36:8f37:f1ff/128         On-link
19    286 fe80::f58e:e57f:749a:3668/128         On-link
 1    306 ff00::/8                              On-link
12    276 ff00::/8                              On-link
19    286 ff00::/8                              On-link
===========================================================================
Persistent Routes:
None