OpenVPN

Iad Scoot wrote:
> Hi all,
>  
> New OpenVPN build and I'm using the sample "firewall.sh" to bring up
> iptables. It's working fine but I would like to restrict the traffic
> that will pass through the tunnel to ports 3389, 443, and 22. I am not
> well-versed in iptables so if anyone has a good example, I'd appreciate
> it if you would share.
>  

Even though this technically speaking is a iptables issue more than a
openvpn issue, I'll give you some hints.

I presume those ports you mention here are TCP ports, and the follow
example will therefore be focused on TCP only, but it's the same solution
for UDP as well, just replacing tcp with udp.

iptables -I FORWARD -i <your tun/tap> -o <your internal eth> -j DROP
iptables -I FORWARD -i <your tun/tap> -o <your internal eth> -p tcp
--dport 3389 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i <your tun/tap> -o <your internal eth> -p tcp
--dport 443 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i <your tun/tap> -o <your internal eth> -p tcp
--dport 22 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i <your tun/tap> -o <your internal eth> -m state
--state RELATED,ESTABLISHED -j ACCEPT

To check your iptables setup, use iptables -vxnL FORWARD

Please note:  This example is just a minimal working example.  It provides
statefull firewalling (SPI), but only between your tun/tap device and your
internal network.   You really should go through the iptables config in
your setup and make it fit better into your needs.  These rules here is
also inserted at the top of (before) your already existing rules, if you
have any.  So when you list them out, they should be listed in the reverse
order as I've shown you here.

And to be absolutely clear: Do not change iptables unless you have
physical console access to it, especially if you are inexperienced.  Doing
this remotely can lock you out pretty easy and quickly.


By the way, these rules can be set static before openvpn is started on the
server.  They don't need to be configured by a firewall.sh run by openvpn.


kind regards,

David Sommerseth

...
> I've been trying to set up a VPN these last days, but I'm 
> having trouble: I can't access shared file on the server machine.
> 
> Client and server are both running on Windows XP pro.
> The server is behind a router, I opened the port 1194 I use 
> for the VPN connection.
> The connection goes process well, no error or something. The 
> server can ping the client; the client can ping the server.
> 
> I can't access shared files from the client though. Windows 
> answers me the path cannot be found when I type the server address.
> Strange thing is that I do can access shared files on client 
> from the server machine!
> 
> So, I assume the problem is the client, I should probably 
> configure something else, something I haven't thought of so far.
...

The problem is not on the client or the server.  There is no return
route for the 10.8.0.0 network from your target machine back to your
client.  You can either add a static route to your router on the LAN
side pointing 10.8.0.0 255.255.255.0 back to your vpn server machine
(then it will magically work for all machines), or add the same static
route to the windows server machine (then it will only work for that
machine.

Or you could try bridging and not worry about it all all.

-Dave

> The problem is not on the client or the server.  There is no return
> route for the 10.8.0.0 network from your target machine back to your
> client.  You can either add a static route to your router on the LAN
> side pointing 10.8.0.0 255.255.255.0 back to your vpn server machine
> (then it will magically work for all machines), or add the same static
> route to the windows server machine (then it will only work for that
> machine.
> 
> Or you could try bridging and not worry about it all all.
> 
> -Dave
> 

First of, thank you for your answer. ;)

Well, I've added a static route on the router.
Unfortunately, I still can't access the server files.
The point is, I'm setting up this VPN for a small business; I'm not familiar
with the gear yet, so I hope I did well when I added the route on the router. 

Here's what I added: (the router is a Netgear FVS124G)
Destination IP @: 10.8.0.0
Subnet mask: 255.255.255.0
Interface : LAN
Gateway IP @ : server LAN IP @

Oh and I forgot to mention something this morning: I have the following message
in the server log:

client/xxx.xxx.xxx.xxx:2593 MULTI: bad source address from client
[yyy.yyy.yyy.yyy], packet dropped

Where xxx.xxx.xxx.xxx is the client public IP @
and yyy.yyy.yyy.yyy is the client LAN IP @.

A routing VPN fits better with the business needs, that's why I chose it.

Setting up VPN is brand new for me, but I didn't think I would have so much
trouble with it...
This stuff is going to drive me crazy...

...
> > The problem is not on the client or the server.  There is no return
> > route for the 10.8.0.0 network from your target machine back to your
> > client.  You can either add a static route to your router on the LAN
> > side pointing 10.8.0.0 255.255.255.0 back to your vpn server machine
...
> First of, thank you for your answer. ;)
> 
> Well, I've added a static route on the router.
> Unfortunately, I still can't access the server files.
> The point is, I'm setting up this VPN for a small business; 
> I'm not familiar
> with the gear yet, so I hope I did well when I added the 
> route on the router. 
> 
> Here's what I added: (the router is a Netgear FVS124G)
> Destination IP @: 10.8.0.0
> Subnet mask: 255.255.255.0
> Interface : LAN
> Gateway IP @ : server LAN IP @
> 
> Oh and I forgot to mention something this morning: I have the 
> following message
> in the server log:
> 
> client/xxx.xxx.xxx.xxx:2593 MULTI: bad source address from client
> [yyy.yyy.yyy.yyy], packet dropped
> 
> Where xxx.xxx.xxx.xxx is the client public IP @
> and yyy.yyy.yyy.yyy is the client LAN IP @.
> 
> A routing VPN fits better with the business needs, that's why 
> I chose it.
...

You're welcome.  Truthfully I should not make so assertive statement as
'this is what your problem is' when I don't have enough familiarity to
give such a strong statement, however this problem is so common that I
feel fairly confident that is what it is.

Oh, and is ip forwarding turned on your vpn server.  Whoops that's a
common one too.

It's mildly tricky to diagnose.  I can't speak for the particular router
you are using.  It may help to have access to the server side machines
while testing it out.  Tracert can be helpful in seeing where the
packets go, and croak, to figure out what needs fixin'.

In this scenario, the path from the remote client to the smb server is
different than the route back from the smb server to the remote client.

Pretending this is  your setup:

Local lan:  192.168.200.0/24
Router:     192.168.200.1
Vpn server: 192.168.200.50, 10.8.0.1
Smb server: 192.168.200.60
Remote client:  10.8.0.30

The route from the remote client to the smb server would be:
Out of client, into vpn server
Out of vpn server, into smb server

But the route back to the client would be:
Out of smb server into default gateway (presumably the router)
Out of default gateway into vpn server
Out of vpn server into remote client.

i.e. the return route takes an extra hop at the router (default
gateway).  This because, although the vpn server knows about the
10.8.0.0/24 subnet, the rest of the machines on the lan do not, and they
send those to the default gateway.  The default gateway doesn't know
about 10.8.0.0/24, unless you set the static route for that subnet back
to the vpn server, who will then route them appropriately out the vpn
interface.

(OK, you probably understood this already)

You could try some things:
*  Add a static route directly on the smb server:
    route add 18.8.0.0 mask 255.255.255.0 192.168.200.50
   (or whatever works for your OS)
   this will only work for that one machine though
*  add that same route to your default gateway machine (router).  You
believe you did this already, so we should test.
If you can access the smb server, tracert from that machine to, say,
10.8.0.30.  It doesn't really matter if the client is connected, the
important thing is to see that the packet at least gets to the vpn
server at 192.168.200.50 before dying.  If it doesn't get there,
question your static route on the router.  If it does, then the vpn
router should forward the packet onto the client (when connected), if
you do have ip forwarding enabled (please double-check I should have
mentioned before).

-Dave

> 
> You could try some things:
> *  Add a static route directly on the smb server:
>     route add 18.8.0.0 mask 255.255.255.0 192.168.200.50
>    (or whatever works for your OS)
>    this will only work for that one machine though
> *  add that same route to your default gateway machine (router).  You
> believe you did this already, so we should test.
> If you can access the smb server, tracert from that machine to, say,
> 10.8.0.30.  It doesn't really matter if the client is connected, the
> important thing is to see that the packet at least gets to the vpn
> server at 192.168.200.50 before dying.  If it doesn't get there,
> question your static route on the router.  If it does, then the vpn
> router should forward the packet onto the client (when connected), if
> you do have ip forwarding enabled (please double-check I should have
> mentioned before).
> 
> -Dave

Gee, nothing I did is working. Adding static route on the server, on the
router... Nothing.
IP forwarding is enabled on both client and server. I triple-checked! :)

I think I'm gonna try to connect to the VPN through a Linux client tonight. I
know that's not what the business want, but then I could at least use Linux
tools to debug this mess...

You told me earlier that a bridged VPN would solve the problem? I've been
focused on routed VPN since I started. Could a bridge VPN cause security lack?
I'm afraid about the idea to connect a LAN to a LAN. Let's say one of the guy
working here has to move and he wants to access data on the main server. Let's
say he's connected to internet in a cybercafe. Is there a problem with that? Of
course, the point is we don't want people to be able to see and connect to the
VPN, and therefore to see the private business data. Do you see what I mean?

...
> Gee, nothing I did is working. Adding static route on the 
> server, on the
> router... Nothing.
> IP forwarding is enabled on both client and server. I 
> triple-checked! :)
...

Perhap then the problem is that I have failed to give you the useful
advice!  Anyway, it can be made to work, so don't despair.

> You told me earlier that a bridged VPN would solve the 
> problem? I've been
> focused on routed VPN since I started. Could a bridge VPN 
> cause security lack?
> I'm afraid about the idea to connect a LAN to a LAN. Let's 
> say one of the guy
...

Bridging is an alternative that would obviate the return path problem I
described before.  In the bridging configuration, you aren't joining the
two LANs.  Rather the client's vpn adapter is being made part of the
remote LAN, because the server is bridging it's vpn adapter to the lan.
Machines on the client's local lan would not have access to the remote
vpn lan without additional effort on the client's part:  i.e. routing
between the two, and somehow advertising to the other machines that it
is the gateway for the remote network.  But this is equally the same for
the routed configuration.

You can make the routing work, the bridging is just an alternative that
obviates that one problem.  Oh, and another one it sidesteps is
firewalling, al la iptables.  Do you have any firewalling turned on your
vpn server machine?  You will need to permit tun to pass packets back
and forth with the lan interface if you do.

Something like this I think (please double check as I'm not an iptables
master)
#vpn interface can communicate with lan
  iptables -A FORWARD -i eth0 -o tun+ -j ACCEPT
  iptables -A FORWARD -i tun+ -o eth0 -j ACCEPT


In the worse case you may have to break down and use wireshark/etc to
see where communications is breaking down.

-Dave

> ...
> Bridging is an alternative that would obviate the return path problem I
> described before.  In the bridging configuration, you aren't joining the
> two LANs.  Rather the client's vpn adapter is being made part of the
> remote LAN, because the server is bridging it's vpn adapter to the lan.
> Machines on the client's local lan would not have access to the remote
> vpn lan without additional effort on the client's part:  i.e. routing
> between the two, and somehow advertising to the other machines that it
> is the gateway for the remote network.  But this is equally the same for
> the routed configuration.
> ...

Well you see, I misunderstood the purpose of the bridged VPN. I was so convinced
the routed one was what we needed... Actually no, now that I've read your
explanation, it turns out that the bridged VPN is more suitable (not to mention
the fact that there's no need to bother about routing! :D)

Anyway, I've changed my configuration. I created a bridge between my tap and
ethernet adapters, and now it works fine. My remote client is part of the local
business network, I can see the shared files, I can even ping the other
machines. That's perfect.

So, I just wanted to say thanks. You helped me a lot and that's cool!! :-)

NM - I found it.  net_gateway is what I wanted

On Tue, Apr 28, 2009 at 9:16 AM, Sean Leach <kickdaddy@...> wrote:
> Hey folks,
>
> Is there a macro like "vpn_gateway" that I can reference in the
> openvpn.conf that represents the default gateway of the machine?
>
> i.e. if i have in my openvpn config:
>
> route 2.3.4.0 255.255.255.0 vpn_gateway
> route 2.3.4.5 255.255.255.255 gateway
>
> to get that more specific /32 to not route over the VPN?  I know I can
> do it with the "up" statement and a shell script, but would be much
> cleaner if i could do it in the config
>
> thanks!
>

unix3 wrote:
> Hello,
> 
> I have the following:
> 
> *network topology*:
> 
> Computer on 172.16.1.200 (desktop A) -- connected to a NIC on --> Server
> running two simulteanous VPN clients (known as client gateway machine).
> Computer on 172.16.2.200 (desktop B) -- connected to a NIC on --> Server
> running two VPN clients , same as above.
> Third NIC (internet) --- connected to a NIC on --> The client gateway
> machine used to establish the connection to the two remote VPN servers.
> 
> To wrap up: the "client gateway machine " has three NICS , one for the
> internet, the other to connect to the LAN where Desktop A/B is.
> 
> 
> *What I intend to do*:
> 
> I want to be able to set Desktop A to access the internet via one route on
> the client machine, and Desktop B use the other route. I do not want to use
> --redirect-gateway because they will conflict and I always want the "client
> gateway machine" to have the default destination as the internet.
> 
> 
> *How far Ive gone*:
> 
> Desktop A/B now use the "client gateway machine" as their default gateway
> (172.16.1.1, and 172.16.2.1 respectively). Iam able to ping them.
> I have added in the server.conf in the remote VPNs the following two lines.
> 
> route 172.16.1.0 255.255.255.0 / route 172.16.2.0 255.255.255.0
> respectively.
> client-config-dir /etc/openvpn/ccd  
> 
> INside the CCd I have added the file that matches the common name of each
> respective client with: iroute 172.16.1.0 255.255.255.0 / iroute 172.16.2.0
> 255.255.255.0 respectively.
> 
> IN the remote servers I have added a NAT.. to route the traffic from the
> 172.16.X.X ips to its external interface.
> 
> Currently in the Desktop A and B i can ping my endpoint (10.0.1.1) without
> any problem.. I can even SSH in..however I cannot access any other IP.
> 
> 
> Please somebody suggest me what iam doing wrong, else if you know how to do
> this config please disregard what Ive done so far and advise me from
> scratch?

I'm missing something from your description.   Are the destinations 
different for connections from desktop A and B?  The gateway machine is 
going to route packets according to the destination and if it doesn't 
have specific routes into the tunnels it is going to go to its default 
(internet) instead - and unless you have configured NAT there, things 
won't come back to your private address sources.

-- 
   Les Mikesell
    lesmikesell@...

Michael Miller wrote:
> Ok, here's the routing table after I start OpenVPN.  
> 
> C:\>route print
> ===========================================================================
> Interface List
> 0x1 ........................... MS TCP Loopback interface
> 0x2 ...00 0c 29 af b1 7a ...... AMD PCNET Family PCI Ethernet Adapter - Packet S
> cheduler Miniport
> 0x3 ...00 ff 04 1b c0 ed ...... TAP-Win32 Adapter V9 - Packet Scheduler Miniport
> 
> ===========================================================================
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0        128.0.0.0     10.141.142.5    10.141.142.6       1
>           0.0.0.0          0.0.0.0    141.142.228.1  141.142.228.231      10
>      10.141.142.1  255.255.255.255     10.141.142.5    10.141.142.6       1
>      10.141.142.4  255.255.255.252     10.141.142.6    10.141.142.6       30
>      10.141.142.6  255.255.255.255        127.0.0.1        127.0.0.1       30
>    10.255.255.255  255.255.255.255     10.141.142.6    10.141.142.6       30
>         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>         128.0.0.0        128.0.0.0     10.141.142.5    10.141.142.6       1
>       141.142.2.2  255.255.255.255    141.142.228.1  141.142.228.231      1
>    141.142.224.40  255.255.255.255    141.142.228.1  141.142.228.231      1
>     141.142.228.0    255.255.255.0  141.142.228.231  141.142.228.231      10
>   141.142.228.231  255.255.255.255        127.0.0.1       127.0.0.1       10
>   141.142.255.255  255.255.255.255  141.142.228.231  141.142.228.231      10
>         224.0.0.0        240.0.0.0     10.141.142.6    10.141.142.6       30
>         224.0.0.0        240.0.0.0  141.142.228.231  141.142.228.231      10
>   255.255.255.255  255.255.255.255     10.141.142.6    10.141.142.6       1
>   255.255.255.255  255.255.255.255  141.142.228.231  141.142.228.231      1
> Default Gateway:      10.141.142.5
> ===========================================================================
> Persistent Routes:
>   None
> 
> 
> I know just enough to be dangerous.  I have tried:
> route add 0.0.0.0 MASK 0.0.0.0 10.141.142.5 IF 3  METRIC 1
> which adds the following at line 2 in the routing table, but appears to have no effect.  
>           0.0.0.0          0.0.0.0     10.141.142.5    10.141.142.6       1
> 
> Should the route take effect immediately? or do I need to restart my apps? or does it depend on the app?

Yes, it should take effect immediately, but it doesn't automatically 
delete any existing route and the most specific route is the one that 
wins. These 2 entries:

   0.0.0.0        128.0.0.0     10.141.142.5    10.141.142.6       1
128.0.0.0        128.0.0.0     10.141.142.5    10.141.142.6       1

Should apply to everything except for the more specific (narrower 
netmask) entries.  Just be careful when manually adding routes that you 
don't try to route the target of the tunnel packets into the tunnel 
itself.  And you didn't answer my question about the destination address 
of the packets you think are going to the wrong interface.

-- 
   Les Mikesell
    lesmikesell@...

On Apr 25, 2009, at 8:03 PM, jgomez@... wrote:

> Hi all.
>
> Im new itn vpn and im trying to install a vpn between to nets. The  
> server
> lan has a range of 192.168.1.0/24 and the client lan as a  
> 192.168.0.0/24
> range. the vpn connects fine and i can reach the server lan from the
> client. That is what i have:
>
>> From 192.168.0.4 (client) to 192.168.1.X (server lan) OK
>> From 192.168.1.X (server lan) to 192.168.0.4 (client) OK
>> From 192.168.1.X (server lan) to 192.168.0.X (client lan) No OK

> The client is a windows vista Home Premium. I have deactivated the  
> windows
> firewall for the Tap device and enabled IPEnableRouter in the  
> registry.
> Has anybody success in a configuration like the one i want?. What  
> can be
> wrong?. I really apreciate any idea who can help me becase im really  
> lost.
> Thank you in advance.
>

Hey,
I have 2 suggestions for you:
1) make sure your ccd file is being read when your client connects.   
You should see something in the servers logs about the ccd file being  
read and the iroute entry being added if it is.
2) make sure that the default router for the 192.168.0.x lan knows  
that for any traffic headed to 192.168.1.x and 10.0.1.x needs to be  
directed to 192.168.0.4

#2 is explained in more detail in my routing writeup, right below the  
network diagram, in the section titled "ROUTES TO ADD OUTSIDE  
OPENVPN" . http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing

-krzee

I think the closes thing there is is to have a tunnel terminated after
there has been no data-transit for X seconds. You can control this
with --inactive. Apart from this you can control active sessions via
the management interface, see --management, this however would require
you to create a script that queries the connection-data and terminates
the tunnels that has been connected for too long.

/Jonathan

2009/4/26 Furkan ÇALIŞKAN <caliskanfurkan@...>:
> Is there any conventional method for killing clients after a specific time,
> lets say 1 hour after connected  clients to system? I'm planning to use it
> for a reservation based e-learning system.
>
> I'm planning to do it with a python script that is set by auth script, which
> will wait for 1 hour than connect management interface via telnet and than
> kill it. And idea?
>
> Thanks.
>
> --
>
> Furkan Çalışkan
> <caliskanfurkan [at| gmail.com >
>
>
> ------------------------------------------------------------------------------
> Crystal Reports &#45; New Free Runtime and 30 Day Trial
> Check out the new simplified licensign option that enables unlimited
> royalty&#45;free distribution of the report engine for externally facing
> server and web deployment.
> http://p.sf.net/sfu/businessobjects
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@...
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
>