Koozali.org: home of the SME Server

openvpn client problem

dwater

openvpn client problem
« on: March 08, 2005, 03:37:21 AM »
I have my SME server set up as an OpenVPN client. It seems to join the VPN without any problems, and the routes are all added etc.

However, none of the SME server services are available from the VPN i/f.

I have all the services configured to only run on the private i/f of the server, and the only other option is to make them available to the public interface.

How can I make services available to the VPN interface?

Is it really a matter of altering each service's config file?

I previously had the OpenVPN client running on a machine on the private side of the SME server, and that worked fine; but that machine was borrowed and I needed to return it. Is there no way to route from the VPN i/f into the private i/f?

It also looks like I am getting 'denylog' entries in /var/log/messages for each ssh attempt from the VPN. How can I avoid this too?

Max.

darryl

Local Network
« Reply #1 on: March 08, 2005, 04:38:15 AM »
Have you added the VPN IP address range to the local networks in server manager?

dwater

Re: Local Network
« Reply #2 on: March 08, 2005, 04:40:36 AM »
Quote from: "darryl"
Have you added the VPN IP address range to the local networks in server manager?


I did do that before, when the VPN client was via a different machine, but I figured it wasn't necessary when it is on the same machine.

I did look at doing that though, but couldn't figure out what to put for 'router'. Should that be 'localhost'?

Max.

darryl

OpenVPN
« Reply #3 on: March 08, 2005, 05:04:52 AM »
I am a little confused about what you are trying to do and your setup. I had assumed that your SME server was set up as an OpenVPN client connecting to another SME server acting as an OpenVPN server. I had a similar setup between two SME servers using a tun interface, though this was a peer to peer rather than client/server type connection. To get this working I had to add the VPN IP range to the Local Network on each of the servers and modify the firewall rules to allow the VPN traffic.

Where is the server running, where is the client running and what are you trying to do?

regards,

Darryl

duncan

openvpn client problem
« Reply #4 on: March 08, 2005, 05:18:59 AM »
I am guessing you are doing a SME<->SME setup.

You need to add local networks for both the tunnel addresses and the remote lan address. Just use your local IP address as the router. You will need to delete the routes it adds as per the how to.

dwater

Re: OpenVPN
« Reply #5 on: March 08, 2005, 05:20:46 AM »
Quote from: "darryl"
I am a little confused about what you are trying to do and your setup. I had assumed that your SME server was set up as an OpenVPN client connecting to another SME server acting as an OpenVPN server. I had a similar setup between two SME servers using a tun interface, though this was a peer to peer rather than client/server type connection. To get this working I had to add the VPN IP range to the Local Network on each of the servers and modify the firewall rules to allow the VPN traffic.

Where is the server running, where is the client running and what are you trying to do?


Sounds pretty similar to what you describe, except this is the only computer running SME server. The VPN server is running FC3 and is in Tianjin.

So, from what you say, I need to :

1) add the VPN as a local network,
2) allow VPN traffic through the firewall

A couple of questions :

1) when I add the VPN as a local network, what should I use as the 'gateway'?
2) why would a VPN client machine need modifications to the firewall? Note that it already connects fine, and I can ssh into the VPN server w/o any problem.

Thanks!

Max.

NB. My VPN is designed such that there will eventually be two servers, one in Tianjin.cn, and one in Atlanta.us. The SME server is in Beijing.cn, and it is one of what will be many clients located at various sites around China. This infrastructure is to join the many sites of a company. We will also allow individual computers to connect as clients.
I will be using the SME server as an imaps server, plus various other services over time. It is already providing various services to the local networks (including internet access).
The reason we only have a single server is because China is short of public/routable IP addresses, and they are expensive and difficult to get.

dwater

openvpn client problem
« Reply #6 on: March 08, 2005, 05:30:04 AM »
Quote from: "duncan"
I am guessing you are doing a SME<->SME setup.


kinda

Quote
You need to add local networks for both the tunnel addresses


"Both"?

Quote
and the remote lan address.


"Remote lan"? I only have the VPN. The VPN server controls the routes to other lans connected to it using its 'pushing' mechanism.

Am I missing something?

Quote
Just use your local IP address as the router.


Hrm, when I try that, it gives me an error:

"Error: network (derived from network and subnet mask ) has already been added. Did not add new network."

I am guessing this is because OpenVPN has already added the route?

Quote
You will need to delete the routes it adds as per the how to.


Huh? So, I have to shut down the VPN first...then add the network...then delete the routes...then start up VPN again?

Wow.

Max.

dwater

openvpn client problem
« Reply #7 on: March 08, 2005, 05:32:30 AM »
Quote from: "duncan"
...as per the how to.


Which 'how to' is that? Can you point me to it? The only one I found was adding VPN as a server.

Max.

darryl

OpenVPN
« Reply #8 on: March 08, 2005, 05:48:05 AM »
In this configuration you probably don't need to add the VPN to the local networks at the client end.  But the server must be set up to give access to the services you want.

Most ports are blocked by default on SME. SSH connects on a different port. I would suggest you open whatever port your VPN is using for traffic in both directions. If you visit http://sme.swerts-knudsen.dk there is a FAQ on installing openvpn as a server, which has instructions on how to open ports and a link to a package to install to allow this. To summarise, forget adding to local networks, make sure access to services is enabled on the server and open the applicable ports. Good luck and let me know how you go. I won't be near a computer for the next couple of hours.

regards,

Darryl

duncan

openvpn client problem
« Reply #9 on: March 08, 2005, 05:48:32 AM »
Have a look here - this is a classic Lan to Lan setup.

In this instance you have two network ranges to add - the tunnel and the remote network.

Ignore the firewall stuff.

dwater

openvpn client problem
« Reply #10 on: March 08, 2005, 06:08:17 AM »
Quote from: "duncan"
Have a look here - this is a classic Lan to Lan setup.

In this instance you have two network ranges to add - the tunnel and the remote network.

Ignore the firewall stuff.


I am confused.

This was working fine on another computer (it was actually set up by James Yonan). I now want to move it onto my SME server, so I install openvpn and copy over the /etc/openvpn files.

I don't see why this is anything to do with the OpenVPN config. It would automatically add routes as directed by the VPN server. There was no additional configuration necessary on the OS.

It must be to do with SME server.

1) SME server is routing to the VPN OK. I can ssh into the VPN server from a computer on the LAN.
2) I can ping the VPN client (on SME) from the VPN server.

However, I cannot ssh (or anything else) to the VPN client machine, because either the services are not running on those interfaces or they are being blocked (hence the deny messages in /var/log/messages).

1) How can I make all services that are available to the private LAN also available to the VPN?
2) How can I unblock the VPN so that I don't get these deny messages?

Max.

duncan

openvpn client problem
« Reply #11 on: March 08, 2005, 06:20:44 AM »
Adding a local network to SME does two things

It sets up a route to the remote network

It opens the firewall to allow traffic from that remote network and adds that remote network to the hosts.allow file.

dwater

openvpn client problem
« Reply #12 on: March 08, 2005, 07:00:06 AM »
Quote from: "duncan"
Adding a local network to SME does two things

It sets up a route to the remote network

It opens the firewall to allow traffic from that remote network and adds that remote network to the hosts.allow file.


Hrm. OK, I think.

I guess what is confusing me is that I didn't need any alterations to the firewall when I had the OpenVPN client running on a different computer on the LAN. I guess SME (sensibly) assumes interfaces are to be blocked until told otherwise; which wasn't the case on FC3.

...and, you are saying to add it as a local network so that I get the benefits of the second part, above, and I have to manually reverse the first effect. I can only assume that it is easier to do this than to manually do the changes needed to do the second part.

Am I right?

I'll have a go anyway...

Thanks!

Max.

dwater

openvpn client problem
« Reply #13 on: March 08, 2005, 07:16:47 AM »
Quote from: "dwater"
I'll have a go anyway...


:(

It keeps complaining about adding the local network :

"Error: network (derived from network and subnet mask ) has already been added. Did not add new network."

This is when using the ip address of the LAN interface as gateway.

Any idea?

Max.

duncan

openvpn client problem
« Reply #14 on: March 08, 2005, 08:51:29 AM »
I am guessing that because the VPN is up and the server has handed a route to the client (SME) you cannot add the same route again (via the web interface).

Drop the VPN, make sure there are no routes other than default and try again.

Then you will need to delete that route (usually done in the .up script) because SME will bind the route to eth0 (lan side) - whereas you need it to point to the vpn interface.

I can't give you advice on the finer points. Normally I let both ends do their own bit (peer to peer).
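The route conflict described in Reply #11 and Reply #14 (SME binds the "local network" route to the LAN interface, while OpenVPN needs the same prefix on the tunnel interface) is easy to diagnose from the routing table before touching anything. The script below is an added example, not code from this thread or from SME Server: it parses a constructed `ip route show` listing, reports which device the VPN prefix is bound to, and prints the corrective `ip route` commands as a dry run instead of running them. The prefix 10.8.0.0/24, the interface names eth0/eth1/tun0 and the addresses in the sample table are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or SME Server): detect a VPN-network route
# bound to the LAN interface instead of the tunnel, and print the dry-run fix.
# VPN_NET, TUN_IF and every address below are assumptions for illustration.

VPN_NET="${VPN_NET:-10.8.0.0/24}"
TUN_IF="${TUN_IF:-tun0}"

# Constructed sample of 'ip route show' output, standing in for the live table.
# The fourth line is the misbound route: SME attached the VPN prefix to eth0.
SAMPLE_ROUTES='default via 192.0.2.1 dev eth1
192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.10
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
10.8.0.0/24 via 192.168.1.1 dev eth0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1'

# route_dev NET TABLE
#   Prints the device the route for prefix NET is bound to, or nothing if
#   TABLE holds no route for exactly that prefix.
route_dev() {
    printf '%s\n' "$2" | awk -v net="$1" '
        $1 == net { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
    return 0
}

# fix_cmds NET TUN TABLE
#   Prints the 'ip route' commands that would move NET onto TUN when it is
#   currently bound to another device; prints nothing when no fix is needed.
fix_cmds() {
    dev=$(route_dev "$1" "$3")
    if [ -n "$dev" ] && [ "$dev" != "$2" ]; then
        echo "ip route del $1 dev $dev"
        echo "ip route add $1 dev $2"
    fi
    return 0
}

# Stand-alone run: replace SAMPLE_ROUTES with "$(ip route show)" on a live box.
dev=$(route_dev "$VPN_NET" "$SAMPLE_ROUTES")
echo "route for $VPN_NET is bound to: ${dev:-<none>}"
fix_cmds "$VPN_NET" "$TUN_IF" "$SAMPLE_ROUTES"
```

Run against the live table by substituting `"$(ip route show)"` for `SAMPLE_ROUTES`; the same two functions can be dropped into an OpenVPN `up` script to apply the printed commands, which is the point in the connection sequence where Reply #14 says the eth0-bound route has to be removed.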