Koozali.org: home of the SME Server

Coova Chilli VPN passthrough

tropicalview
Coova Chilli VPN passthrough
« on: April 06, 2011, 12:11:03 AM »
Dear all,

I'm continuing on from my previous post, but decided to start a new topic as this is getting too far off-topic from the previous one.
I now have Coova Chilli working, but I want to connect to a server on the network with Windows VPN or OpenVPN.
Neither connects, although I'm now able to ping all the addresses.

See the configuration of my Coova Chilli:

Code:
db configuration show chilli
chilli=service
    AllowedOutgoing=udp:any:2009,tcp:any:2009,tcp:abeltasmancur.com:2009,tcp:abeltasmancur.com:80,tcp:190.122.228.170:any,udp:abeltasmancur.com:2009,udp:any:2009,192.168.1.2:2009,tcp:192.168.1.2:2009,udp:192.168.1.2:2009,tcp:any:1723,udp:any:1723,tcp:any:47,udp:any:49,tcp:any:50,udp:any:50,tcp:any:500,udp:any:500
    AllowedServices=udp:200x,tcp:200x,200x,ssh,openvpn-bridge
    RedirectToChilli=Public-ip,internalIPSME,VPNSERVERIP
    TCPPort=3990
    WebRequests=direct
    access=private
    defidletimeout=900
    defsessiontimeout=7200
    dhcpend=254
    dhcpif=eth2
    dhcpstart=10
    dns1=212.73.209.226
    dns2=194.206.120.1
    guestAccess=disabled
    guestDownLink=400
    guestUpLink=64
    macallowed=00:0C:29:84:41:71
    net=10.1.0.0/255.255.255.0
    noc2c=enabled
    status=enabled
    tundev=tun0
    uamallowed=
    uamsecret=GjL/rvoutZzF6r0MlsKux+keURYfDhReYPJZjkQqHt4yv0XKCZ9eVnSDDWtO4ojMGRjTzp4CC61EH0iW

Does anybody know what I'm doing wrong, and why I can't connect with VPN or OpenVPN?

See my previous, somewhat related post:

http://forums.contribs.org/index.php/topic,47339.0.html
The sky is not the limit, But when I reach the sky, for sure I will not try to go to the limit.... (donated $25,- upto now)

Daniel B.
Re: Coova Chilli VPN passthrough
« Reply #1 on: April 06, 2011, 08:55:14 AM »
Hi.

This won't work, and it's by design. I've done everything to ensure hotspot clients cannot reach the internal network (see /etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom). You can get it to work if your SME Server is the OpenVPN server, but not if the server is on the local network.

Regards, Daniel
It's the end of the world!!! :lol:

tropicalview
Re: Coova Chilli VPN passthrough
« Reply #2 on: April 06, 2011, 05:03:27 PM »
Hi Daniel,

I surely understand the importance of security, and that the wireless clients should not get access to the internal network(s).

But when a half-trusted network such as the wireless has fewer access possibilities to the internal network than the totally untrusted, uncontrolled network "the Internet", then I think the security of the wireless is overkill.

What I mean is: when I connect from outside the building via the Internet (completely untrusted, uncontrolled) I can get more access than when I'm on the wireless (half trusted, semi-controlled).

Is there some way to get around this security and make use of port forwarding to get to that machine?

Kind regards,

Daniel B.
Re: Coova Chilli VPN passthrough
« Reply #3 on: April 06, 2011, 05:15:39 PM »
You'll have to create a custom template, overriding /etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom, to allow access to the internal server. For example, if your VPN server is 192.168.1.10 on your local network and is running OpenVPN on port 1194/UDP, something like this should work:

Code:

# Forward from chilli (from the wireless clients to the internet)
forwardFromChilli()\{
    /sbin/iptables -N FORWARD_FROM_CHILLI
    /sbin/iptables -A FORWARD_FROM_CHILLI -j state_chk
    /sbin/iptables -A FORWARD_FROM_CHILLI -s ! $net -j denylog
    # Allow access to the internal VPN server
    /sbin/iptables -A FORWARD_FROM_CHILLI -d 192.168.1.10 -p udp --dport 1194 -j ACCEPT
    /sbin/iptables -A FORWARD_FROM_CHILLI -o ! \$OUTERIF -j denylog
    /sbin/iptables -A FORWARD_FROM_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
    # Allow http for un-authenticated clients so uamallowed works
    # Https need to be allowed in AllowedOutgoing
    /sbin/iptables -A FORWARD_FROM_CHILLI -p tcp --dport 80 -j ACCEPT

HERE
[...]

(I've not tested this, but I think it will work)

Regards, Daniel

tropicalview
Re: Coova Chilli VPN passthrough
« Reply #4 on: April 06, 2011, 05:21:52 PM »
Hi Daniel,

Thanks again for your reply.
Quote:
    You'll have to create a custom template, overriding /etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom, to allow access to the internal server.

Now I know this is a question that has been explained many times before.
I checked this:
http://wiki.contribs.org/Template_Tutorial
but I cannot exactly translate your reply into the actions needed to make the custom template.

I assume this is just a few command-line entries; can you point me in the right direction?

Kind regards,




Daniel B.
Re: Coova Chilli VPN passthrough
« Reply #5 on: April 06, 2011, 05:25:32 PM »
Code:
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
cp -a /etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/

Then you just have to edit /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom, and it'll take precedence over /etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom.

tropicalview
Re: Coova Chilli VPN passthrough
« Reply #6 on: April 06, 2011, 05:44:02 PM »
Hi Daniel,

Thanks again. I tried it, but I still cannot connect to the machine.

Before your reply I did do some DB updates and managed to make the machine pingable from the wireless.

Can your configuration and my DB updates conflict?

See the info below.
Code:
db configuration show chilli
chilli=service
    AllowedOutgoing=udp:any:2009,tcp:any:2009,tcp:abeltasmancur.com:2009,tcp:abeltasmancur.com:80,tcp:190.122.228.170:any,udp:abeltasmancur.com:2009,udp:any:2009,192.168.1.2:2009,tcp:192.168.1.2:2009,udp:192.168.1.2:2009,tcp:any:1723,udp:any:1723,tcp:any:47,udp:any:49,tcp:any:50,udp:any:50,tcp:any:500,udp:any:500
    AllowedServices=udp:2009,tcp:2009,2009,ssh,openvpn-bridge
    RedirectToChilli=190.112.228.170,192.168.1.4,192.168.1.2
    TCPPort=3990
    WebRequests=direct
    access=private
    defidletimeout=900
    defsessiontimeout=7200
    dhcpend=254
    dhcpif=eth2
    dhcpstart=10
    dns1=212.73.209.226
    dns2=194.206.120.1
    guestAccess=disabled
    guestDownLink=400
    guestUpLink=64
    macallowed=00:0C:29:84:41:71,00:13:e8:cc:a6:25,00:16:cf:8f:61:19,b4:82:fe:dc:10:ae
    net=10.1.0.0/255.255.255.0
    noc2c=enabled
    status=enabled
    tcp:abeltasmancur.com:80=tcp:190.122.228.170:any
    tcp:any:2009=tcp:abeltasmancur.com:2009
    tundev=tun0
    uamallowed=
    uamsecret=GjL/rvoutZzF6r0MlsKux+keURYfDhReYPJZjkQqHt4yv0XKCZ9eVnSDDWtO4ojMGRjTzp4CC61EH0iW
    udp:abeltasmancur.com:2009=udp:any:2009

Daniel B.
Re: Coova Chilli VPN passthrough
« Reply #7 on: April 06, 2011, 05:56:07 PM »
Well, I guess 192.168.1.2 or 192.168.1.4 is your VPN server, so you need to remove it from the RedirectToChilli list.

tropicalview
Re: Coova Chilli VPN passthrough
« Reply #8 on: April 06, 2011, 07:38:01 PM »
Hi Daniel,

I did try what you told me and removed the IP (192.168.1.2) from the redirect list,
but I still cannot get access to the machine with the VPN.

To make the test a little simpler I changed the port number to port 80 and the protocol to TCP;
then I should get the "Welcome to SME Server" page from the wireless, right?

But that does not work.

What else can I try?
Code:
# Forward from chilli (from the wireless clients to the internet)
forwardFromChilli()\{
    /sbin/iptables -N FORWARD_FROM_CHILLI
    /sbin/iptables -A FORWARD_FROM_CHILLI -j state_chk
    /sbin/iptables -A FORWARD_FROM_CHILLI -s ! $net -j denylog
    /sbin/iptables -A FORWARD_FROM_CHILLI -o ! \$OUTERIF -j denylog
    /sbin/iptables -A FORWARD_FROM_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
    # Allow access to the internal VPN server
    /sbin/iptables -A FORWARD_FROM_CHILLI -d 192.168.1.2 -p tcp --dport 80 -j ACCEPT
    /sbin/iptables -A FORWARD_FROM_CHILLI -o ! \$OUTERIF -j denylog
    /sbin/iptables -A FORWARD_FROM_CHILLI -p icmp --icmp-type echo-request -j ACCEPT

    # Allow http for un-authenticated clients so uamallowed works
    # Https need to be allowed in AllowedOutgoing
    /sbin/iptables -A FORWARD_FROM_CHILLI -p tcp --dport 80 -j ACCEPT





Daniel B.
Re: Coova Chilli VPN passthrough
« Reply #9 on: April 06, 2011, 07:41:21 PM »
You haven't changed the rules as I told you: you need to insert the rule that accepts the traffic to your VPN server before this one:

/sbin/iptables -A FORWARD_FROM_CHILLI -o ! \$OUTERIF -j denylog

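Putting Daniel's two steps together (the templates-custom override from Reply #5 and the rule ordering from Replies #3 and #9), here is an added script that is not from the thread or from SME Server itself: it copies the stock template, inserts the ACCEPT rule directly above the "-o ! $OUTERIF -j denylog" line, and checks the order. It assumes the VPN server 192.168.1.10 on UDP 1194 from Reply #3, a constructed stock template built from the snippet quoted in the thread, and a scratch root directory instead of /etc so it can be tried safely.

```shell
# Constructed example, not code from the thread or from SME Server: copy the stock
# template to templates-custom and insert the VPN ACCEPT rule *before* the
# "-o ! $OUTERIF -j denylog" line, because iptables takes the first matching rule.
set -eu
TEMPLATE_REL="etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom"

# Writes a stock template under $1; its text is constructed from the thread's snippet.
make_stock_template() {
    stock="$1/etc/e-smith/templates/$TEMPLATE_REL"
    mkdir -p "$(dirname "$stock")"
    cat > "$stock" <<'EOF'
# Forward from chilli (from the wireless clients to the internet)
forwardFromChilli()\{
    /sbin/iptables -N FORWARD_FROM_CHILLI
    /sbin/iptables -A FORWARD_FROM_CHILLI -j state_chk
    /sbin/iptables -A FORWARD_FROM_CHILLI -s ! $net -j denylog
    /sbin/iptables -A FORWARD_FROM_CHILLI -o ! \$OUTERIF -j denylog
    /sbin/iptables -A FORWARD_FROM_CHILLI -p tcp --dport 80 -j ACCEPT
\}
EOF
}

# $1 root dir (/ on a real server), $2 VPN server IP, $3 protocol, $4 port.
# Idempotent: copies the template once and inserts the rule once.
add_vpn_rule() {
    stock="$1/etc/e-smith/templates/$TEMPLATE_REL"
    custom="$1/etc/e-smith/templates-custom/$TEMPLATE_REL"
    rule="    /sbin/iptables -A FORWARD_FROM_CHILLI -d $2 -p $3 --dport $4 -j ACCEPT"
    mkdir -p "$(dirname "$custom")"
    [ -f "$custom" ] || cp -a "$stock" "$custom"
    grep -qF -e "$rule" "$custom" && return 0
    awk -v rule="$rule" '
        !done && index($0, "OUTERIF") && index($0, "denylog") {
            print "    # Allow access to the internal VPN server"; print rule; done = 1
        }
        { print }' "$custom" > "$custom.tmp" && mv "$custom.tmp" "$custom"
}

# Succeeds only if the ACCEPT rule for host $2 precedes the outer-interface denylog.
check_order() {
    accept=$(grep -n -e "-d $2 .*-j ACCEPT" "$1" | head -n 1 | cut -d: -f1)
    deny=$(grep -n -e "OUTERIF -j denylog" "$1" | head -n 1 | cut -d: -f1)
    [ -n "$accept" ] && [ -n "$deny" ] && [ "$accept" -lt "$deny" ]
}
ROOT=$(mktemp -d)
make_stock_template "$ROOT"
add_vpn_rule "$ROOT" 192.168.1.10 udp 1194
CUSTOM="$ROOT/etc/e-smith/templates-custom/$TEMPLATE_REL"
check_order "$CUSTOM" 192.168.1.10 && echo "ACCEPT rule precedes denylog: OK"
```

On a real server run it with / as the root directory and then expand the templates (signal-event or expand-template) and restart masq as usual; the check_order helper also flags the misordered variant from Reply #8, where the ACCEPT sat below the denylog line.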

tropicalview
Re: Coova Chilli VPN passthrough
« Reply #10 on: April 06, 2011, 07:55:19 PM »
Hi Daniel,

Thank you, I copied one line too many...

It's working fine, thank you very much.


Daniel B.
Re: Coova Chilli VPN passthrough
« Reply #11 on: April 06, 2011, 07:56:51 PM »
No prob, glad it's working for you.

Regards, Daniel