Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

AndrewR
« Reply #225 on: March 28, 2007, 04:41:21 PM »
Quote from: "sits"
I have had this working great running on SME 7.1; since doing the upgrade to SME 7.1.3 it has stopped.
I also upgraded to smeserver-openvpn-bridge-fws-1.1-1.noarch.rpm from smeserver-openvpn-bridge-fws-1.0-3.noarch.rpm.

The strange part is I did this to 2 different servers; one works and the other doesn't.

Last few lines of the log

Quote
Wed Mar 28 09:07:27 2007 us=897776 OpenVPN 2.0.7 Win32-MinGW [SSL] [LZO] built on Apr 12 2006
Wed Mar 28 09:07:35 2007 us=38990 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Mar 28 09:07:35 2007 us=39031 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 28 09:07:35 2007 us=39046 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 28 09:07:35 2007 us=39072 LZO compression initialized
Wed Mar 28 09:07:35 2007 us=39166 Control Channel MTU parms [ L:1574 D:166 EF:66 EB:0 ET:0 EL:0 ]
Wed Mar 28 09:07:35 2007 us=46043 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Mar 28 09:07:35 2007 us=46101 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Wed Mar 28 09:07:35 2007 us=46115 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Wed Mar 28 09:07:35 2007 us=46146 Local Options hash (VER=V4): '13a273ba'
Wed Mar 28 09:07:35 2007 us=46165 Expected Remote Options hash (VER=V4): '360696c5'
Wed Mar 28 09:07:35 2007 us=46195 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Mar 28 09:07:35 2007 us=50827 UDPv4 link local: [undef]
Wed Mar 28 09:07:35 2007 us=50853 UDPv4 link remote: 150.101.103.143:1194


It then restarts again.
Any ideas please?


Sits: What mode are your servers running in? Is one in server-only, and another in server-gateway? It seems that 7.1.2 has some problems with server-only.... unknown at this time, but a lot of people had their openvpn break, much like above, when 7.1.2 was released. Me personally, I had to rebuild the server and disable updates. Mine was in server-only.

What is different besides name between the two servers? Any other contribs running? Mail? Web? Ibays?

sits
« Reply #226 on: March 29, 2007, 01:22:56 AM »
Both servers are running in server-only mode: Mail, Web, DHCP, VPN, pretty much what SME is used for.
Same motherboards and network cards, 2 hard drives mirrored,
behind Netgear routers, with port forwarding set up to the SME boxes.
The only mods installed on them are:
smeserver-dar2-0.0.1-0dmay
smeserver-vacation-1.0-11
smeserver-mailsorting-1.2-5
perl-Unicode-IMAPUtf7-2.01-1
smeserver-openvpn-bridge-fws-1.1-1
dmc-mitel-portopening-0.0.1-4

Edit:
One of the servers was upgraded to 7.1.2 a week ago, then upgraded to 7.1.3 2 days ago.
The other I upgraded 2 days ago from 7.1 straight to 7.1.3.
...

sits
« Reply #227 on: March 30, 2007, 02:31:49 AM »
OK, found the difference between the servers.

The server that was working had a local network defined for my IP address;
the one that was not working didn't.
After adding the local network for my IP it started to work.

So with the upgrade to SME 7.1.3 there must have been some new rule added, since they both worked fine running under SME 7.1.

This is all well and good, but I don't want to add local networks for all the VPN connections, as quite a few of my clients travel overseas and connect through hotels using their laptops, so the network IP will be different.

Is the only answer going to be to set up server/gateway mode?
...

AndrewR
« Reply #228 on: March 30, 2007, 03:41:32 PM »
Quote from: "sits"
OK, found the difference between the servers.

The server that was working had a local network defined for my IP address;
the one that was not working didn't.
After adding the local network for my IP it started to work.

So with the upgrade to SME 7.1.3 there must have been some new rule added, since they both worked fine running under SME 7.1.

This is all well and good, but I don't want to add local networks for all the VPN connections, as quite a few of my clients travel overseas and connect through hotels using their laptops, so the network IP will be different.

Is the only answer going to be to set up server/gateway mode?


Hmm.. I sure as hell hope not. That's something that ought to be added automagically. Not to mention.. the whole point of a VPN is to become a part of the network you're connecting to, in essence making the remote network "local" in terms of how your computer sees it.

Just so I understand... when you say the server that was working had a local network defined for my IP, you mean something like below:

Office Network: 192.168.1.0 /24
Your network (laptop from home) 192.168.2.0 / 24

yes? or something else....

sits
« Reply #229 on: March 31, 2007, 03:42:00 AM »
Quote
Hmm.. I sure as hell hope not. That's something that ought to be added automagically. Not to mention.. the whole point of a VPN is to become a part of the network you're connecting to, in essence making the remote network "local" in terms of how your computer sees it.

Just so I understand... when you say the server that was working had a local network defined for my IP, you mean something like below:

Office Network: 192.168.1.0 /24
Your network (laptop from home) 192.168.2.0 / 24

yes? or something else....


No, I mean I had to add my ISP-assigned address (203.133.145.0 subnet 255.255.255.0/256) to the local networks in the remote SME I'm VPNing to, to get it to work, not my (laptop from home) 192.168.2.0 / 24, and this is my concern as well.

(203.133.145.0 subnet 255.255.255.0) is not my real address, just an example.
...

Daniel B.
« Reply #230 on: April 02, 2007, 10:24:07 AM »
Hi everyone. Sorry for being away so long, I was searching for the problem of iptables rejecting packets and I've found the problem. It occurs only in server-only mode, since SME 7.1.2. I've opened a bug report (no 2812) and I think it'll be corrected in SME 7.2. Waiting for this release, here's a temp fix:

Code:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
cp -a /etc/e-smith/templates/etc/rc.d/init.d/masq/00Definitions /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
vim /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/00Definitions


and change line 16 from
Code:
if (defined $ExternalInterface{Name})

to
Code:
if($SystemMode ne "serveronly")

then
Code:
signal-event remoteaccess-update

Then openvpn will work again.
Don't forget to remove this custom template when 7.2 is released (if the bug is corrected).

Cheers, Daniel
It's the end of the world!!! :lol:
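Daniel's workaround above, written as an added example that is not code from the thread or from the contrib: a POSIX sh function that creates the templates-custom copy by matching the condition text instead of counting to line 16, refuses to copy when that condition is not in the template, and verifies the edit before you expand the template. The template tree it runs against here is a constructed stand-in; /etc/e-smith and signal-event remoteaccess-update are the paths the thread itself gives.

```shell
#!/bin/sh
# Added example, not code from the thread or from the contrib: applies Daniel's
# templates-custom workaround by matching the condition text instead of relying
# on "line 16", and checks that the edit took. Runs here against a constructed
# template tree; on a real SME box call apply_masq_fix /etc/e-smith and then
# signal-event remoteaccess-update to expand the template and restart masq.
set -eu

FRAG='etc/rc.d/init.d/masq/00Definitions'
OLD_COND='if (defined $ExternalInterface{Name})'
NEW_COND='if($SystemMode ne "serveronly")'

# apply_masq_fix ROOT: write ROOT/templates-custom/$FRAG from ROOT/templates/$FRAG
# with OLD_COND swapped for NEW_COND (indentation kept). Refuses to copy when the
# original condition is absent, so a template that already changed is not shadowed.
apply_masq_fix() {
    src="$1/templates/$FRAG"
    dst="$1/templates-custom/$FRAG"
    grep -qF -- "$OLD_COND" "$src" || {
        echo "apply_masq_fix: '$OLD_COND' not found in $src; nothing done" >&2
        return 1
    }
    mkdir -p "$(dirname "$dst")"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"$OLD_COND"*)
                pre=${line%%"$OLD_COND"*}
                post=${line#*"$OLD_COND"}
                printf '%s\n' "$pre$NEW_COND$post" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$src" > "$dst"
    grep -qF -- "$NEW_COND" "$dst"    # fail loudly if the edit did not land
}

# Constructed stand-in for the template fragment; only the condition line is real.
make_sample_tree() {
    mkdir -p "$1/templates/etc/rc.d/init.d/masq"
    printf '%s\n' '{' \
        '    if (defined $ExternalInterface{Name})' \
        '    {' \
        '        $OUT .= "# rules for the external interface";' \
        '    }' \
        '}' > "$1/templates/$FRAG"
}

demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
apply_masq_fix "$demo_root"
cat "$demo_root/templates-custom/$FRAG" && rm -rf "$demo_root"
```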

sits
« Reply #231 on: April 02, 2007, 04:17:12 PM »
Thanks VIP-ire.

That solved my issue with having to add a local network :)
...

AndrewR
« Reply #232 on: April 02, 2007, 09:49:07 PM »
Quote from: "VIP-ire"
Hi everyone. Sorry for being away so long, I was searching for the problem of iptables rejecting packets and I've found the problem. It occurs only in server-only mode, since SME 7.1.2. I've opened a bug report (no 2812) and I think it'll be corrected in SME 7.2. Waiting for this release, here's a temp fix:

Code:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
cp -a /etc/e-smith/templates/etc/rc.d/init.d/masq/00Definitions /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
vim /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/00Definitions

and change line 16 from
Code:
if (defined $ExternalInterface{Name})

to
Code:
if($SystemMode ne "serveronly")

then
Code:
signal-event remoteaccess-update

Then openvpn will work again.
Don't forget to remove this custom template when 7.2 is released (if the bug is corrected).

Cheers, Daniel


Daniel,

thanks for your diligent research. I think I'll wait and see if this bug gets fixed in 7.2 before I update. Probably safer that way.

hordeusr
« Reply #233 on: April 03, 2007, 07:19:03 PM »
For whatever reason, this didn't fix mine. I still must add the remote network address to the "local networks" on the server.... then it works great. Anything I should check?

This is in the SME logfile over and over again:
2007-04-03 11:42:35.368118500 Apr  3 11:42:35 intranet denylog: IN=br0 OUT= MAC=00:0c:29:dd:8a:80:00:18:19:eb:9b:w8:08:00  SRC=68.113.xxx.xxx DST=192.168.0.7 LEN=70 TOS=00 PREC=0x00 TTL=115 ID=61397 CE PROTO=UDP SPT=62908 DPT=1194 LEN=50

hordeusr
« Reply #234 on: April 03, 2007, 08:39:46 PM »
OK, the fix works for me. I had tried to change to server-gateway and it failed because it didn't see my other interface (using vmware, this is on a Server 2003 host). I backed out of the config... however it saved the server-gateway setting. Switched it back to serveronly and it works great!!! This makes VPN very easy, especially when using vmware (no additional computer).

Franco
« Reply #235 on: April 03, 2007, 08:41:43 PM »
After applying the fix a
Code:
signal-event post-upgrade ; signal-event reboot
is required.

Daniel B.
« Reply #236 on: April 04, 2007, 10:11:29 AM »
No, signal-event post-upgrade && signal-event reboot are not required. The signal-event remoteaccess-update will expand the templates for /etc/init.d/masq and then restart the firewall. Those are the only changes, so rebooting won't be useful.

tec
« Reply #237 on: April 04, 2007, 07:04:23 PM »
Hi, I have the same problem. My server is working in server-only mode and after applying your workaround it still doesn't work when I connect from outside.
This is what appears in my iptables log:
2007-04-04 18:45:51.494116500 Apr  4 18:45:51 master denylog: IN=br0 OUT= MAC=00:02:b3:30:fc:3f:00:02:a5:ad:cc:3c:08:00  SRC=217.232.225.45 DST=192.168.0.252 LEN=70 TOS=00 PREC=0x00 TTL=55 ID=55544 CE PROTO=UDP SPT=61592 DPT=1194 LEN=50

However, it works when I am inside my LAN and open a connection to see if the setup is working.
Any other ideas?

UPDATE
I don't know why a remote access update didn't work, but a reconfigure and a reboot did work.

Franco
« Reply #238 on: April 05, 2007, 05:55:53 AM »
Quote from: "VIP-ire"
No, signal-event post-upgrade && signal-event reboot are not required. The signal-event remoteaccess-update will expand the templates for /etc/init.d/masq and then restart the firewall. Those are the only changes, so rebooting won't be useful.


I had to do it in 2 of my installations! Otherwise no dice.

KaiNeR
« Reply #239 on: April 12, 2007, 01:40:41 AM »
So are there any full working steps to get this working in server-gateway mode since all these updates?
KaiNeR  :pint: ......