Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: tropicalview on April 06, 2011, 12:11:03 AM
-
Dear all,
I'm continuing on my previous post, but decided to start a new topic as this is becoming too far off-topic from the previous one.
I have now got CoovaChilli working, but I want to connect to a server in the network with Windows VPN or OpenVPN.
Both don't connect, while I'm now able to ping all the addresses.
See the configuration of my CoovaChilli:
db configuration show chilli
chilli=service
AllowedOutgoing=udp:any:2009,tcp:any:2009,tcp:abeltasmancur.com:2009,tcp:abeltasmancur.com:80,tcp:190.122.228.170:any,udp:abeltasmancur.com:2009,udp:any:2009,192.168.1.2:2009,tcp:192.168.1.2:2009,udp:192.168.1.2:2009,tcp:any:1723,udp:any:1723,tcp:any:47,udp:any:49,tcp:any:50,udp:any:50,tcp:any:500,udp:any:500
AllowedServices=udp:200x,tcp:200x,200x,ssh,openvpn-bridge
RedirectToChilli=Public-ip,internalIPSME,VPNSERVERIP
TCPPort=3990
WebRequests=direct
access=private
defidletimeout=900
defsessiontimeout=7200
dhcpend=254
dhcpif=eth2
dhcpstart=10
dns1=212.73.209.226
dns2=194.206.120.1
guestAccess=disabled
guestDownLink=400
guestUpLink=64
macallowed=00:0C:29:84:41:71
net=10.1.0.0/255.255.255.0
noc2c=enabled
status=enabled
tundev=tun0
uamallowed=
uamsecret=GjL/rvoutZzF6r0MlsKux+keURYfDhReYPJZjkQqHt4yv0XKCZ9eVnSDDWtO4ojMGRjTzp4CC61EH0iW
Does anybody know what I am doing wrong, why I can't connect with either VPN or OpenVPN?
See my previous, somewhat related post:
http://forums.contribs.org/index.php/topic,47339.0.html
-
Hi.
This won't work, and it's by design. I've made everything to ensure hotspot clients cannot reach the internal network (See /etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom). You can get it to work if your SME Server is the openvpn server, but not if the server is in the local network.
Regards, Daniel
-
Hi Daniel,
I surely understand the importance of security, and that the wireless clients should not get access to the internal network(s).
But when a half-trusted network such as the wireless has fewer access possibilities to the internal network than the totally untrusted, uncontrolled network "the internet", then I think the security of the wireless is overkill.
What I mean is: when I connect from outside the building via the internet (completely untrusted, uncontrolled) I can get more access than when I'm on the wireless (half trusted, semi-controlled).
Is there some way to get around this security and make use of port forwarding to get to that machine?
Kind regards,
-
You'll have to create a custom template, overriding /etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom, to allow access to the internal server. For example, if your VPN server is 192.168.1.10 in your local network, and is running OpenVPN on port 1194 / UDP, something like this should work:
# Forward from chilli (from the wireless clients to the internet)
forwardFromChilli()\{
/sbin/iptables -N FORWARD_FROM_CHILLI
/sbin/iptables -A FORWARD_FROM_CHILLI -j state_chk
/sbin/iptables -A FORWARD_FROM_CHILLI -s ! $net -j denylog
# Allow access to the internal VPN server
/sbin/iptables -A FORWARD_FROM_CHILLI -d 192.168.1.10 -p udp --dport 1194 -j ACCEPT
/sbin/iptables -A FORWARD_FROM_CHILLI -o ! \$OUTERIF -j denylog
/sbin/iptables -A FORWARD_FROM_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
# Allow http for un-authenticated clients so uamallowed works
# HTTPS needs to be allowed in AllowedOutgoing
/sbin/iptables -A FORWARD_FROM_CHILLI -p tcp --dport 80 -j ACCEPT
HERE
[...]
(I've not tested this, but I think it will work)
Regards, Daniel
-
Hi Daniel,
Thanks again for your reply.
You'll have to create a custom template, overriding /etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom, to allow access to the internal server.
Now I know this is a question that has been explained a lot before.
I checked this:
http://wiki.contribs.org/Template_Tutorial
but I cannot exactly translate your reply into the actions needed to make the custom template.
I assume this is just a few command line entries; can you point me in the right direction to do this?
Kind regards,
-
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
cp -a /etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
Then, you just have to edit /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom, and it'll take precedence over /etc/e-smith/templates/etc/rc.d/init.d/masq/00Functions01Chilli40forwardFrom
-
Hi Daniel,
Thanks again, I tried it but I still cannot connect to the machine.
Before your reply I did do DB updates and managed to make the machine pingable from the wireless.
Can your configuration and my DB updates conflict?
See the info below.
db configuration show chilli
chilli=service
AllowedOutgoing=udp:any:2009,tcp:any:2009,tcp:abeltasmancur.com:2009,tcp:abeltasmancur.com:80,tcp:190.122.228.170:any,udp:abeltasmancur.com:2009,udp:any:2009,192.168.1.2:2009,tcp:192.168.1.2:2009,udp:192.168.1.2:2009,tcp:any:1723,udp:any:1723,tcp:any:47,udp:any:49,tcp:any:50,udp:any:50,tcp:any:500,udp:any:500
AllowedServices=udp:2009,tcp:2009,2009,ssh,openvpn-bridge
RedirectToChilli=190.112.228.170,192.168.1.4,192.168.1.2
TCPPort=3990
WebRequests=direct
access=private
defidletimeout=900
defsessiontimeout=7200
dhcpend=254
dhcpif=eth2
dhcpstart=10
dns1=212.73.209.226
dns2=194.206.120.1
guestAccess=disabled
guestDownLink=400
guestUpLink=64
macallowed=00:0C:29:84:41:71,00:13:e8:cc:a6:25,00:16:cf:8f:61:19,b4:82:fe:dc:10:ae
net=10.1.0.0/255.255.255.0
noc2c=enabled
status=enabled
tcp:abeltasmancur.com:80=tcp:190.122.228.170:any
tcp:any:2009=tcp:abeltasmancur.com:2009
tundev=tun0
uamallowed=
uamsecret=GjL/rvoutZzF6r0MlsKux+keURYfDhReYPJZjkQqHt4yv0XKCZ9eVnSDDWtO4ojMGRjTzp4CC61EH0iW
udp:abeltasmancur.com:2009=udp:any:2009
-
Well, I guess 192.168.1.2 or 192.168.1.4 is your VPN server, so you need to remove it from the RedirectToChilli list.
-
Hi Daniel,
I did try what you told me, and removed the IP (192.168.1.2) from the redirect list.
But I still cannot get access to the machine with the VPN.
To make the test a little simpler I changed the port number to port 80 and the protocol to TCP.
Then I would get the "welcome to SME Server" page from the wireless, right?
But that does not work.
What else can I try?
# Forward from chilli (from the wireless clients to the internet)
forwardFromChilli()\{
/sbin/iptables -N FORWARD_FROM_CHILLI
/sbin/iptables -A FORWARD_FROM_CHILLI -j state_chk
/sbin/iptables -A FORWARD_FROM_CHILLI -s ! $net -j denylog
/sbin/iptables -A FORWARD_FROM_CHILLI -o ! \$OUTERIF -j denylog
/sbin/iptables -A FORWARD_FROM_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
# Allow access to the internal VPN server
/sbin/iptables -A FORWARD_FROM_CHILLI -d 192.168.1.2 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A FORWARD_FROM_CHILLI -o ! \$OUTERIF -j denylog
/sbin/iptables -A FORWARD_FROM_CHILLI -p icmp --icmp-type echo-request -j ACCEPT
# Allow http for un-authenticated clients so uamallowed works
# Https need to be allowed in AllowedOutgoing
/sbin/iptables -A FORWARD_FROM_CHILLI -p tcp --dport 80 -j ACCEPT
-
You haven't changed the rules like I told you; you need to insert the rule to accept the traffic to your VPN server before this one:
/sbin/iptables -A FORWARD_FROM_CHILLI -o ! \$OUTERIF -j denylog
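As an added illustration of the two posts above (not code from this thread or from the chilli contrib), the following Python script walks the two FORWARD_FROM_CHILLI orderings with iptables' first-match semantics, to show why the ACCEPT for the VPN server has to sit before the "-o ! $OUTERIF" denylog rule. It assumes $net is 10.1.0.0/24 and $OUTERIF is eth1, treats state_chk as a pass-through and denylog as a drop, and uses constructed packets.

```python
import shlex
from ipaddress import ip_address, ip_network
NET, OUTERIF = "10.1.0.0/24", "eth1"  # assumed values of $net and $OUTERIF

def parse_rule(line):
    # Keep only -s/-d/-p/-o/--dport (with optional "!") and the -j target.
    toks, rule, i = shlex.split(line), {"m": [], "j": None}, 0
    while i < len(toks):
        if toks[i] in ("-s", "-d", "-p", "-o", "--dport"):
            neg = toks[i + 1] == "!"
            val = toks[i + 2 if neg else i + 1].replace("$net", NET).replace("$OUTERIF", OUTERIF)
            rule["m"].append((toks[i], neg, val))
            i += 3 if neg else 2
        elif toks[i] == "-j":
            rule["j"], i = toks[i + 1], i + 2
        else:
            i += 1  # -A, chain name, --icmp-type and its argument are ignored
    return rule

def rule_matches(rule, pkt):
    for opt, neg, val in rule["m"]:
        if opt in ("-s", "-d"):
            hit = ip_address(pkt["src" if opt == "-s" else "dst"]) in ip_network(val, strict=False)
        elif opt in ("-p", "-o"):
            hit = pkt["proto" if opt == "-p" else "oif"] == val
        else:  # --dport
            hit = pkt.get("dport") == int(val)
        if hit == neg:  # a plain match must hit, a "!" match must miss
            return False
    return True

def verdict(chain, pkt):
    # First-match walk as netfilter does it: denylog drops, state_chk passes through here.
    for r in map(parse_rule, chain):
        if r["j"] != "state_chk" and rule_matches(r, pkt):
            return "DROP" if r["j"] == "denylog" else r["j"]
    return "RETURN"

STATE = "/sbin/iptables -A FORWARD_FROM_CHILLI -j state_chk"
NOT_NET = "/sbin/iptables -A FORWARD_FROM_CHILLI -s ! $net -j denylog"
ALLOW_VPN = "/sbin/iptables -A FORWARD_FROM_CHILLI -d 192.168.1.2 -p tcp --dport 80 -j ACCEPT"
DENY_LAN = r"/sbin/iptables -A FORWARD_FROM_CHILLI -o ! \$OUTERIF -j denylog"
HTTP = "/sbin/iptables -A FORWARD_FROM_CHILLI -p tcp --dport 80 -j ACCEPT"
WORKING = [STATE, NOT_NET, ALLOW_VPN, DENY_LAN, HTTP]  # Daniel's order
BROKEN = [STATE, NOT_NET, DENY_LAN, ALLOW_VPN, HTTP]   # the order posted later in the thread
# Constructed packets: a hotspot client to the LAN VPN box, to the internet, to another LAN host.
TO_VPN = {"src": "10.1.0.10", "dst": "192.168.1.2", "proto": "tcp", "dport": 80, "oif": "eth0"}
TO_INTERNET = dict(TO_VPN, dst="198.51.100.7", oif="eth1")
TO_OTHER_LAN = dict(TO_VPN, dst="192.168.1.4")
```

With the working order only the VPN host and the internet are reachable from the hotspot; with the broken order the deny rule is hit first and the VPN packet never reaches its ACCEPT.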
-
Hi Daniel,
Thank you, I copied one line too many...
It's working fine, thank you very much.
-
No prob, glad it's working for you.
Regards, Daniel