Hi Lonnie

Thanks for the info. I did a bit of testing this morning and I came to the 
conclusion that I don't understand how OpenVPN routing works :(
E.g. here is the routing table:
.....
172.16.16.0/24 via 172.30.253.1 dev tun0
172.30.253.0/24 dev tun0  proto kernel  scope link  src 172.30.253.1

I still can't understand why the routing table does not show 172.16.16.0/24 via 
172.30.253.6 dev tun0, which is the VPN address of the device that has that 
subnet. Maybe the iroute does not actually change the routing table and there 
is a 'magic happens here' within OpenVPN that routes it correctly.

Anyway, currently I can't route it to a LAN interface as this is a VM and it's 
only got a single eth0. I can get another one added, but can I set up a loopback 
or something to overcome this?

Thanks so much.

Regards
Michael Knill
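
The "magic happens here" Michael asks about is OpenVPN's second routing stage. Per the OpenVPN manual, the server's --route gets a packet from the kernel into the OpenVPN process, and the client's --iroute (from its client-config-dir file) then routes it to that specific client; the "via" address the kernel shows is only whatever OpenVPN used as --route-gateway (172.30.253.2 in the routing table quoted further down) and is not used to choose a client. The model below is an added example written for this page, not code from the thread or from OpenVPN/AstLinux. The client list and routes are constructed from the status and `ip route` outputs quoted later in the thread, and the table building is a simplification of OpenVPN's real implementation (it ignores client-to-client forwarding and duplicate common names).

```python
"""Model of the two routing stages an OpenVPN server applies to a packet.

Stage 1: the kernel routing table (from the server's --route directive)
only decides that the packet enters tun0; the 'via' address shown by
`ip route` is the --route-gateway value, not a client selection.
Stage 2: OpenVPN's internal table, built from every connected client's
pool address plus the 'iroute' lines in its client-config-dir file,
picks which client's tunnel actually carries the packet.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Network = ipaddress.IPv4Network


def parse_iroute(line: str) -> Optional[Network]:
    """Return the network for an 'iroute NET [MASK]' ccd line, else None.

    The mask defaults to 255.255.255.255 when omitted, as in OpenVPN.  A
    network with host bits set is rejected rather than silently widened.
    """
    parts = line.split("#", 1)[0].split(";", 1)[0].split()
    if not parts or parts[0] != "iroute":
        return None
    if len(parts) == 2:
        return ipaddress.ip_network(parts[1] + "/32")
    if len(parts) == 3:
        return ipaddress.ip_network(parts[1] + "/" + parts[2], strict=True)
    raise ValueError("malformed iroute line: %r" % line)


def parse_ip_route(output: str) -> List[Tuple[Network, str]]:
    """Parse `ip route` output into (destination, device), most specific first."""
    routes = []
    for line in output.strip().splitlines():
        parts = line.split()
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    routes.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return routes


def kernel_device(routes: List[Tuple[Network, str]], dst: str) -> Optional[str]:
    """Stage 1: which interface the kernel hands the packet to."""
    addr = ipaddress.ip_address(dst)
    for net, dev in routes:
        if addr in net:
            return dev
    return None


def build_internal_table(
    clients: Dict[str, Tuple[str, List[str]]],
) -> List[Tuple[Network, str]]:
    """Stage 2 table: (network, common name), most specific first.

    clients maps common name -> (pool address, lines of its ccd file).
    Every connected client owns its pool address as a /32; iroute lines
    add the LAN subnets behind it.
    """
    table = []
    for cn, (vaddr, ccd_lines) in clients.items():
        table.append((ipaddress.ip_network(vaddr + "/32"), cn))
        for line in ccd_lines:
            net = parse_iroute(line)
            if net is not None:
                table.append((net, cn))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def select_client(table: List[Tuple[Network, str]], dst: str) -> Optional[str]:
    """Stage 2: longest-prefix match over the internal table; None = no owner."""
    addr = ipaddress.ip_address(dst)
    for net, cn in table:
        if addr in net:
            return cn
    return None


def forward(routes, table, dst: str) -> Tuple[Optional[str], Optional[str]]:
    """Both stages: (kernel device, OpenVPN client) chosen for a destination."""
    dev = kernel_device(routes, dst)
    if dev != "tun0":
        return dev, None  # never reaches the OpenVPN process
    return dev, select_client(table, dst)


# Constructed from the `ip route` and status outputs quoted in this thread.
THREAD_IP_ROUTE = """\
default via 103.241.6.1 dev eth0
103.241.6.0/24 dev eth0  proto kernel  scope link  src 103.241.6.47
172.16.16.0/24 via 172.30.253.2 dev tun0
172.30.253.0/24 dev tun0  proto kernel  scope link  src 172.30.253.1
"""
THREAD_CLIENTS = {
    "001565AC4CB9": ("172.30.253.4", []),
    "001565859116": ("172.30.253.2", []),
    "IBC_Office": ("172.30.253.6", ["iroute 172.16.16.0 255.255.255.0"]),
}


def route_thread_example(dst: str) -> Tuple[Optional[str], Optional[str]]:
    return forward(parse_ip_route(THREAD_IP_ROUTE),
                   build_internal_table(THREAD_CLIENTS), dst)


if __name__ == "__main__":
    for dst in ("172.16.16.10", "172.30.253.2", "172.30.253.9", "8.8.8.8"):
        print(dst, "->", route_thread_example(dst))
```

Run it and 172.16.16.10 lands on IBC_Office even though the kernel line says "via 172.30.253.2": the kernel only chose tun0, and the ccd iroute chose the client. A destination inside the pool that no client owns (172.30.253.9) gets tun0 from the kernel but no client from OpenVPN, which is the case where the server has nowhere to send the packet.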

-----Original Message-----
From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
Date: Friday, 26 May 2017 at 10:27 pm
To: AstLinux List <astlinux-users@lists.sourceforge.net>
Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux

Michael,

Personally I always use OpenVPN server "Topology: [subnet]" provided all your 
clients support that.  The old [net30] topology can be confusing.

If using an OpenVPN subnet IP for the web interface address is still a problem, 
you may try using the LAN internal address (assuming you have one defined) 

Network -> Firewall -> Firewall Options:

_x_ Allow OpenVPN Server tunnel to the [ 1st ] LAN Interface(s)

and on the OpenVPN server config ...

"push" route 192.168.110.1 255.255.255.255

so with the above, and if 192.168.110.1/24 is your 1st LAN interface on the 
server, have your remote OpenVPN clients use 192.168.110.1 to reach the 
server's web interface.


On my lab bench test boxes I just tried this ...

MacBook (192.168.222.215) -> (LAN eth3) AstLinux w/OpenVPN client -> AstLinux 
w/OpenVPN server (LAN eth1.10)

AstLinux w/OpenVPN client (tun2):
# ip r
...
10.8.1.0/24 dev tun2  proto kernel  scope link  src 10.8.1.2
192.168.222.0/24 dev eth3  proto kernel  scope link  src 192.168.222.1
192.168.110.0/24 via 10.8.1.1 dev tun2
...

AstLinux w/OpenVPN server (tun0):
# ip r
...
10.8.1.0/24 dev tun0  proto kernel  scope link  src 10.8.1.1
192.168.110.0/24 dev eth1.10  proto kernel  scope link  src 192.168.110.1
192.168.222.0/24 via 10.8.1.1 dev tun0
...

OpenVPN Server config:
"raw" client-config-dir /etc/openvpn/ccd
  /etc/openvpn/ccd/client: iroute 192.168.222.0 255.255.255.0
"raw" route-gateway 10.8.1.1
"raw" route 192.168.222.0 255.255.255.0
"push" route 192.168.110.0 255.255.255.0

Network -> Firewall -> Firewall Options:
_x_ Allow OpenVPN Server tunnel to the [ 1st ] LAN Interface(s)


In this test example I was able to reach the "AstLinux w/OpenVPN server" web 
interface from the MacBook (192.168.222.215) by using either 192.168.110.1 or 
10.8.1.1 .

Lonnie



On May 25, 2017, at 11:08 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> 
wrote:

> Well yes and no. Some things work and I'm not sure why, as the return route is 
> wrong below. It should be pointing to .6 not .2. Not sure if you picked that 
> up, sorry.
> 
> Regards
> Michael Knill
> 
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Friday, 26 May 2017 at 1:56 pm
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
> 
> Michael,
> 
> Can your IBC_Office reach the AstLinux web interface at 172.30.253.1 ?
> 
> If not, possibly the ERX is blocking it ?
> 
> Lonnie
> 
> 
> On May 25, 2017, at 6:45 PM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> 
>> Hi Lonnie
>> 
>> I don't need to push any routes to the client though. 
>> 172.16.16.0/24 is at IBC_Office but the server is routing this to 
>> 172.30.253.2 (a Yealink phone) rather than 172.30.253.6.
>> So I'm wondering how you set the routing to be correct?
>> 
>> PS. I always use 172.30 as it is rarely used by customers so no overlap when 
>> I install a new system.
>> 
>> Regards
>> Michael Knill
>> 
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Date: Friday, 26 May 2017 at 9:38 am
>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>> 
>> Michael,
>> 
>> The ccd "iroute" and raw "route" are the remote (ERX) subnets. IBC_Office ?  
>> Looks correct.
>> 
>> In order for your ERX to have a route to an AstLinux subnet you need to 
>> "push" 'route ...' so the client adds routes over the VPN.
>> 
>> Though your VPN clients should be able to see the AstLinux web interface at 
>> 172.30.253.1 it would seem.
>> 
>> Looks like you have it working, possibly lacking pushing routes to the 
>> clients.
>> 
>> You know about the 10.0.0.0/8 private networks, they are there to use :-)
>> 
>> Lonnie
>> 
>> 
>> On May 25, 2017, at 6:03 PM, Michael Knill 
>> <michael.kn...@ipcsolutions.com.au> wrote:
>> 
>>> Hi Lonnie
>>> Yes sorry for the ambiguity. 
>>> 
>>> 1) Yes
>>> 2) No, I'm trying to connect to the AstLinux Web GUI on the OpenVPN server 
>>> interface, e.g. .1 of the subnet. I'm actually not routing any traffic to any 
>>> other subnets as it's just used for telephony access.
>>> 
>>> Ok I think I have found the problem but I don't know why it's happening. 
>>> There are multiple clients connected to this server. For some reason the 
>>> route is pointing to the first client connected. Is this what iroute is 
>>> meant to sort out? I'm not actually sure why it works at all!
>>> 
>>> OpenVPN Server Status:
>>> Common Name   Real Address           Virtual Address  Bytes Received  Bytes Sent  Connected Since
>>> 001565AC4CB9  124.171.108.172:50893  172.30.253.4     4008            4947        Fri May 26 08:48:37 2017
>>> 001565859116  124.171.108.172:39331  172.30.253.2     4024            4883        Fri May 26 08:48:35 2017
>>> IBC_Office    115.187.181.61:49708   172.30.253.6     6384            7090        Fri May 26 08:48:34 2017
>>> 
>>> 1222-IBC-APP1 kd # ip route
>>> default via 103.241.6.1 dev eth0
>>> 103.241.6.0/24 dev eth0  proto kernel  scope link  src 103.241.6.47
>>> 172.16.16.0/24 via 172.30.253.2 dev tun0
>>> 172.30.253.0/24 dev tun0  proto kernel  scope link  src 172.30.253.1
>>> 
>>> 172.16.16.0/24 is the subnet in IBC_Office.
>>> 
>>> My raw commands are:
>>> ifconfig-pool-linear
>>> client-to-client
>>> client-config-dir /mnt/kd/openvpn/ccd
>>> route 172.16.16.0 255.255.255.0
>>> 
>>> 1222-IBC-APP1 kd # ls -l /mnt/kd/openvpn/ccd
>>> -rwxrwxrwx    1 root     root            33 Apr 25 16:54 IBC_Office
>>> 1222-IBC-APP1 kd # cat /mnt/kd/openvpn/ccd/IBC_Office
>>> iroute 172.16.16.0 255.255.255.0
>>> 1222-IBC-APP1 kd #
>>> 
>>> How should I fix this?
>>> 
>>> Regards
>>> Michael Knill
>>> 
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Date: Thursday, 25 May 2017 at 10:04 pm
>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>>> 
>>> Hi Michael,
>>> 
>>> To be clear, are we talking about ...
>>> 
>>> 1) Ubiquiti ERX OpenVPN client to AstLinux OpenVPN server
>>> 
>>> 2) Ubiquiti ERX HTTPS outbound traffic is dropped
>>> 
>>> Correct ?
>>> 
>>> Is #2 to any destination ?
>>> 
>>> Are you routing all ERX traffic over the VPN, or just selective pushed 
>>> routes ?
>>> 
>>> Use "curl -LI ..." as a handy tool to follow redirects for HTTPS/HTTP 
>>> client requests.
>>> 
>>> My first guess is the Ubiquiti ERX has a firewall rule blocking 
>>> HTTPS, or routing it where you don't expect.
>>> 
>>> Lonnie
>>> 
>>> 
>>> 
>>> On May 25, 2017, at 1:28 AM, Michael Knill 
>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>> 
>>>> Hi all
>>>> 
>>>> I have a Ubiquiti ERX router connected to an AstLinux server using 
>>>> OpenVPN. It works great by the way, however I am unable to use HTTPS. HTTP is 
>>>> ok.
>>>> Is this because it's trying to use SSL over SSL? I wouldn't have thought it 
>>>> mattered! It's using the standard port of 1194.
>>>> 
>>>> Regards
>>>> Michael Knill
>>> 
>>> 
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Astlinux-users mailing list
>>> Astlinux-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>> 
>>> Donations to support AstLinux are graciously accepted via PayPal to 
>>> pay...@krisk.org.