Topic: openvpn client problem

[dwater]

I have my SME server set up as an OpenVPN client. It seems to join the VPN without any problems, and the routes are all added etc.

However, none of the SME server services are available from the VPN i/f.

I have all the services configured to only run on the private i/f of the server, and the only other option is to make them available to the public interface.

How can I make services available to the VPN interface?

It is really a matter of altering each service's config file?

I previously had the OpenVPN client running on a machine on the private side of the SME server, and that worked fine; but that machine was borrowed and I needed to return it. Is there no way to route from the VPN i/f into the private i/f?

It also looks like I am getting 'denylog' entries in /var/log/messages for each ssh attempt from the VPN. How can I avoid this too?

Max.

[darryl]

Have you added the VPN IP address range to the local networks in server manager?

[dwater]

Have you added the VPN IP address range to the local networks in server manager?

I did do that before, when the VPN client was via a different machine, but I figured it wasn't necessary when it is on the same machine.

I did look at doing that though, but couldn't figure out what to put for 'router'. Should that be 'localhost'?

Max.

[darryl]

I am a little confused about what you are trying to do and your setup.  I had assumed that your SEE server was set up as an OpenVPN client connecting to another SME server acting as an OpenVPN server.  I had a similar setup between two SME servers using a tun interface, though this was a peer to peer rather  than client/server type connection  To get this working I had to add the VPN IP range to the Local Network on each of the servers and modify the firewall rules to allow the VPN traffic.

Where is the server running, where is the client running and what are you trying to do?

regards,

Darryl

[duncan]

I am guessing you are doing a SME<->SME setup.

You need to add local networks for both the tunnel addresses and the remote lan address. Just use your local IP address as the router. You will need to delete the routes it adds as per the how to.

[dwater]

I am a little confused about what you are trying to do and your setup.  I had assumed that your SEE server was set up as an OpenVPN client connecting to another SME server acting as an OpenVPN server.  I had a similar setup between two SME servers using a tun interface, though this was a peer to peer rather  than client/server type connection  To get this working I had to add the VPN IP range to the Local Network on each of the servers and modify the firewall rules to allow the VPN traffic.

Where is the server running, where is the client running and what are you trying to do?

Sounds pretty similar to what you describe, except this is the only computer running SME server. The VPN server is running FC3 and is in Tianjin.

So, from what you say, I need to :

1) add the VPN as a local network,
2) allow VPN traffic through the firewall

A couple of questions :

1) when I add the VPN as a local network, what should I use as the 'gateway'?
2) why would a VPN client machine need modifications to the firewall? Note that it already connects fine, and I can ssh into the VPN server w/o any problem.

Thanks!

Max.

NB. My VPN is designed such there will eventually be two servers, one in Tianjin.cn, and one in Atlanta.us. The SME server is in Bejing.cn, and it is one of what will be many clients located at various sites around China. This infrastructure is to join the many sites of a company. We will also allow individual computers to connect as clients.
I will be using the SME server as an imaps server, plus various other services over time. It is already providing various services to the local networks (including internet access).
The reason we only have a single server is because China is short of public/routable IP addresses, and they are expensive and difficult to get.

[dwater]

I am guessing you are doing a SME<->SME setup.

kinda

You need to add local networks for both the tunnel addresses

"Both"?

and the remote lan address.

"Remote lan"? I only have the VPN. The VPN server controls the routes to other lans connected to it using it's 'pushing' mechanism.

Am I missing something?

Just use your local IP address as the router.

Hrm, when I try that, it gives me an error :

"
Error: network (derived from network and subnet mask ) has already been added. Did not add new network.
"

I am guessing this is because OpenVPN has already added the route?

You will need to delete the routes it adds as per the how to.

Huh? So, I have to shut down the VPN first...then add the network...then delete the routes...then start up VPN again?

Wow.

Max.

[dwater]

...as per the how to.

Which 'how to' is that? Can you point me to it? The only one I found was adding VPN as a server.

Max.

[darryl]

In this configuration you probably don't need to add the VPN to the local networks at the client end.  But the server must be set up to give access to the services you want.

Most ports are blocked by default on SME.  SSH connects on a different port.  I would suggest you open whatever port your VPN is using for traffic in both directions.  If you visit http://sme.swerts-knudsen.dk there is a faq on installing openvpn as a server, which has instructions on how to open ports and a link to a package to install to allow this.  To summarise, forget adding to local networks, make sure access to services is enabled on the server and open the applicable ports.  Gook luck and let me know how you go.  I won't be near a computer for the next couple of hours.

regards,

Darryl

[duncan]

Have a look here - this is a classic Lan to Lan setup.

In this instance you have two network ranges to add - the tunnel and the remote network.

Ignore the firewall stuff.

[dwater]

Have a look here - this is a classic Lan to Lan setup.

In this instance you have two network ranges to add - the tunnel and the remote network.

Ignore the firewall stuff.

I am confused.

This working fine on another computer (it was actually set up by James Yonan). I now want to move it onto onto my SME server, so I install openvpn and copy over the /etc/openvpn files.

I don't see why this is anything to do with the OpenVPN config. It would automatically add routes as directed by the VPN server. There was no additional configuration necessary on the OS.

It must be to do with SME server.

1) SME server is routing to the VPN OK. I can ssh into the VPN server from a computer on the LAN.
2) I can ping the VPN client (on SME) from the VPN server.

However, I cannot ssh (or anything else) to the VPN client machine, because either the services are not running on those interfaces or they are being blocked (hence the deny messages in /var/log/messages).

1) How can I can I make all services that are available to the private LAN also available to the VPN?
2) How can I unblock the VPN so that I don't get these deny messages?

Max.

[duncan]

Adding a local network to SME does two things

It sets up a route to the remote network

It opens the firewall to allow traffic from that remote network and adds that remote network to the hosts.allow file.

[dwater]

Adding a local network to SME does two things

It sets up a route to the remote network

It opens the firewall to allow traffic from that remote network and adds that remote network to the hosts.allow file.

Hrm. OK, I think.

I guess what is confusing me is that I didn't need any alterations to the firewall when I have the OpenVPN client running on a different computer on the LAN. I guess SME (sensibly) assumes interfaces are to be blocked until told otherwise; which wasn't the case on FC3.

...and, you are saying to add it as a local network so that I get the benefits of the second part, above, and I have to manually reverse the first effect. I can only assume that it is easier to do this than to manually do the changes needed to do the second part.

Am I right?

I'll have a go anyway...

Thanks!

Max.

[dwater]

I'll have a go anyway...

It keeps complaining about adding the local network :

"Error: network (derived from network and subnet mask ) has already been added. Did not add new network."

This is when using the ip address of the LAN interface as gateway.

Any idea?

Max.

[duncan]

I am guessing that because the vpn is up and the "server has handed a route to the client (SME) you cannot add the same route again (via the web interface).

Drop the Vpn, Make sure there are no routes other than default and try again.

Then you will need to delete that route (usually done in the .up script) because SME will bind the route to eth0 (lan side) - whereas you need it to point to the vpn interface.

I cant give you advice on the finer points. Normally I let both ends do there own bit (peer to peer).

[dwater]

I am guessing that because the vpn is up and the "server has handed a route to the client (SME) you cannot add the same route again (via the web interface).

Drop the Vpn, Make sure there are no routes other than default and try again.

Unfortunately, I anticipated that and stopped the openvpn service and checked the routes were gone before I even tried to add the local network

Then you will need to delete that route (usually done in the .up script) because SME will bind the route to eth0 (lan side) - whereas you need it to point to the vpn interface.

Yeah, saw that...understand that bit.

I cant give you advice on the finer points. Normally I let both ends do there own bit (peer to peer).

I think I'm gonna have to look through all the scripts to find out what the web page does; or just figure it out from the init files...

Thanks though.

Max.

[duncan]

Good luck  

[dwater]

Good luck  

No luck

I have progressively gone backwards, even to the point of uninstalling all the openvpn rpms, and I still cannot add a local network using the web interface.

Any ideas anyone?

Max.

[dwater]

OK. I think I've fixed it and am back at square one (ie no OpenVPN).

To force the removal of the networks, I had to edit the networks database manually :

Code: [Select]

[mwaterman@truth e-smith]# pwd
/sbin/e-smith
[mwaterman@truth e-smith]# ./db
usage:
    ./db dbfile keys
    ./db dbfile print [key]
    ./db dbfile show [key]
    ./db dbfile get key
    ./db dbfile set key type [prop1 val1] [prop2 val2] ...
    ./db dbfile setdefault key type [prop1 val1] [prop2 val2] ...
    ./db dbfile delete key
    ./db dbfile printtype [key]
    ./db dbfile gettype key
    ./db dbfile settype key type
    ./db dbfile printprop key [prop1] [prop2] [prop3] ...
    ./db dbfile getprop key prop
    ./db dbfile setprop key prop1 val1 [prop2 val2] [prop3 val3] ...
    ./db dbfile delprop key prop1 [prop2] [prop3] ...
[mwaterman@truth e-smith]# ./db networks print
10.7.1.0=network-deleted|Mask|255.255.255.0|Router|192.168.189.13
10.7.7.0=network-deleted|Mask|255.255.255.0|Router|192.168.189.13
192.168.189.0=network|Mask|255.255.255.0|SystemLocalNetwork|yes
[mwaterman@truth e-smith]# ./db networks print 10.7.1.0
10.7.1.0=network-deleted|Mask|255.255.255.0|Router|192.168.189.13
[mwaterman@truth e-smith]# ./db networks delete 10.7.1.0
[mwaterman@truth e-smith]# ./db networks delete 10.7.7.0


(I'm curious why there is no external network listed-perhaps this is only local networks)

Anyway, while I was poking around, I tried to execute the /etc/e-smith/events/network-delete scripts. The S55proxy-conf one complained about a file /etc/e-smith/templates/etc/squid/squid.conf/core. It is/was a core file from squid. I moved it somewhere else (in case it might be useful to someone [doubtful]). I'll bet that was causing the problem.

Anyway, I think I'll stick with the current setup for a while - that attempt was just too hit-and-miss for a live system

Thanks anyway

Max.

[Franco]

dwater,
You certainly made my life easier, you process of deleting the networks by hand works perfectly. I was having a problem of connecting via VPN and not being able to access the server resources (routing issues, couldn't add previously deleted routes).

Thanks,

[dwater]

dwater,
You certainly made my life easier, you process of deleting the networks by hand works perfectly. I was having a problem of connecting via VPN and not being able to access the server resources (routing issues, couldn't add previously deleted routes).

Thanks,

Glad to know that even I can be of help

Max.

[nald]

I am guessing you are doing a SME<->SME setup.

You need to add local networks for both the tunnel addresses and the remote lan address. Just use your local IP address as the router. You will need to delete the routes it adds as per the how to.

Hi Duncan,

Excuse me... I tried to read this particular subject and i think it could help me on my VPN problem.

I do have a Windows 2000 Pro and it is behind SME 6.0.1 (server&gateway).

Im just confuse how come i can't connect VPN remotely to another SME box.  This is the error will appear in my screen.
'Error 619: The specified port is not connected'

My current configuration of my Windows 2000 is:

ip address: 192.168.xx.xx
subnet mask: 255.255.255.0
gateway: 192.168.xx.xx (from my SME box)

If i change my configuration into a public ip address which would not anymore pass to my SME box then i could connect VPN remotely to another SME server.

ip address: 203.167.xx.xx
subnet mask: 255.255.255.224
gateway: 203.167.xx.xx (directly from our ISP)

I heard some people form the forums to install OPENVPN. Here is the link...
http://sme.swerts-knudsen.dk/index.html?frame=http%3A//sme.swerts-knudsen.dk/howtos/howto_30.htm

If OPENVPN is the solution then I just want to ask on how OPENVPN works.  You are right...I am doing SME <-> SME setup but do i need to install OPENVPN both SME box?

Thanks...
Nald

[Tib]

dwater

When you tried to connect the two networks ... did you make sure the internal networks were on diff IP ranges??

eg 192.168.0.1 sme client and 192.168.1.1 sme server.

If both internal networks have the same internal IP range you will have problems I'm sure.

Just a thought

Tib

[nald]

Yes, it has different ip range.

Is there anyone can help me in regards to OPENVPN?

Thanks...

Nald

[Tib]

nald

Go to http://sme.swerts-knudsen.dk/index.html and look at the "Howto install OpenVPN Server and Client" link there and follow the instructions ... thats what I did and all works fine ... i even setup a linux box to log into my works sme server.

Regards,

Tib