Michael,

You did not mention what OpenVPN server "Topology" you are using.
Using the loopback interface won't work, since you need to forward traffic to/from a LAN interface. Without adding an additional interface, create a VLAN off eth0 (ex. eth0.10) and use that as your LAN interface.

Lonnie

On May 26, 2017, at 8:36 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:

> Hi Lonnie
>
> Thanks for the info. I did a bit of testing this morning and I came to the conclusion that I don't understand how OpenVPN routing works (.
> E.g. here is the routing table:
> .....
> 172.16.16.0/24 via 172.30.253.1 dev tun0
> 172.30.253.0/24 dev tun0 proto kernel scope link src 172.30.253.1
>
> I still can't understand why the routing table does not show 172.16.16.0/24 via 172.30.253.6 dev tun0, which is the VPN address of the device that has that subnet. Maybe the iroute does not actually change the routing table and there is a ‘magic happens here’ within OpenVPN that routes it correctly.
>
> Anyway, currently I can't route it to a LAN interface as this is a VM and it's only got a single eth0. I can get another one added, but can I set up a loopback or something to overcome this?
>
> Thanks so much.
>
> Regards
> Michael Knill
>
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Friday, 26 May 2017 at 10:27 pm
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>
> Michael,
>
> Personally I always use OpenVPN server "Topology: [subnet]" provided all your clients support that. The old [net30] topology can be confusing.
>
> If using an OpenVPN subnet IP for the web interface address is still a problem, you may try using the LAN internal address (assuming you have one defined)
>
> Network -> Firewall -> Firewall Options:
>
> _x_ Allow OpenVPN Server tunnel to the [ 1st ] LAN Interface(s)
>
> and on the OpenVPN server config ...
>
> "push" route 192.168.110.1 255.255.255.255
>
> so with the above, and if 192.168.110.1/24 was your 1st LAN interface on the server, have your remote OpenVPN clients use 192.168.110.1 to reach the server's web interface.
>
> On my lab bench test boxes I just tried this ...
>
> MacBook (192.168.222.215) -> (LAN eth3) AstLinux w/OpenVPN client -> AstLinux w/OpenVPN server (LAN eth1.10)
>
> AstLinux w/OpenVPN client (tun2):
> # ip r
> ...
> 10.8.1.0/24 dev tun2 proto kernel scope link src 10.8.1.2
> 192.168.222.0/24 dev eth3 proto kernel scope link src 192.168.222.1
> 192.168.110.0/24 via 10.8.1.1 dev tun2
> ...
>
> AstLinux w/OpenVPN server (tun0):
> # ip r
> ...
> 10.8.1.0/24 dev tun0 proto kernel scope link src 10.8.1.1
> 192.168.110.0/24 dev eth1.10 proto kernel scope link src 192.168.110.1
> 192.168.222.0/24 via 10.8.1.1 dev tun0
> ...
>
> OpenVPN Server config:
> "raw" client-config-dir /etc/openvpn/ccd
> /etc/openvpn/ccd/client: iroute 192.168.222.0 255.255.255.0
> "raw" route-gateway 10.8.1.1
> "raw" route 192.168.222.0 255.255.255.0
> "push" route 192.168.110.0 255.255.255.0
>
> Network -> Firewall -> Firewall Options:
> _x_ Allow OpenVPN Server tunnel to the [ 1st ] LAN Interface(s)
>
> In this test example I was able to reach the "AstLinux w/OpenVPN server" web interface from the MacBook (192.168.222.215) by using either 192.168.110.1 or 10.8.1.1 .
>
> Lonnie
>
> On May 25, 2017, at 11:08 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
>> Well yes and no. Some things work and I'm not sure why, as the return route is wrong below. It should be pointing to .6 not .2. Not sure if you picked that up, sorry.
>>
>> Regards
>> Michael Knill
>>
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Date: Friday, 26 May 2017 at 1:56 pm
>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>>
>> Michael,
>>
>> Can your IBC_Office reach the AstLinux web interface at 172.30.253.1 ?
>>
>> If not, possibly the ERX is blocking it ?
>>
>> Lonnie
>>
>> On May 25, 2017, at 6:45 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>>> Hi Lonnie
>>>
>>> I don't need to push any routes to the client though.
>>> 172.16.16.0/24 is at IBC_Office but the server is routing this to 172.30.253.2 (a Yealink phone) rather than 172.30.253.6.
>>> So I'm wondering how you set the routing to be correct?
>>>
>>> PS. I always use 172.30 as it is rarely used by customers, so no overlap when I install a new system.
>>>
>>> Regards
>>> Michael Knill
>>>
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Date: Friday, 26 May 2017 at 9:38 am
>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>>>
>>> Michael,
>>>
>>> The ccd "iroute" and raw "route" are the remote (ERX) subnets. IBC_Office ? Looks correct.
>>>
>>> In order for your ERX to have a route to an AstLinux subnet you need to "push" 'route ...' so the client adds routes over the VPN.
>>>
>>> Though your VPN clients should be able to see the AstLinux web interface at 172.30.253.1, it would seem.
>>>
>>> Looks like you have it working, possibly lacking pushing routes to the clients.
>>>
>>> You know about the 10.0.0.0/8 private networks, they are there to use :-)
>>>
>>> Lonnie
>>>
>>> On May 25, 2017, at 6:03 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>>
>>>> Hi Lonnie
>>>> Yes, sorry for the ambiguity.
>>>>
>>>> 1) Yes
>>>> 2) No, I'm trying to connect to the Astlinux Web GUI on the OpenVPN server interface, e.g. .1 of the subnet. I'm actually not routing any traffic to any other subnets as it's just used for telephony access.
>>>>
>>>> Ok, I think I have found the problem but I don't know why it's happening. There are multiple clients connected to this server. For some reason the route is pointing to the first client connected. Is this what iroute is meant to sort out? I'm not actually sure why it works at all!
>>>>
>>>> OpenVPN Server Status:
>>>> Common Name     Real Address            Virtual Address   Bytes Received   Bytes Sent   Connected Since
>>>> 001565AC4CB9    124.171.108.172:50893   172.30.253.4      4008             4947         Fri May 26 08:48:37 2017
>>>> 001565859116    124.171.108.172:39331   172.30.253.2      4024             4883         Fri May 26 08:48:35 2017
>>>> IBC_Office      115.187.181.61:49708    172.30.253.6      6384             7090         Fri May 26 08:48:34 2017
>>>>
>>>> 1222-IBC-APP1 kd # ip route
>>>> default via 103.241.6.1 dev eth0
>>>> 103.241.6.0/24 dev eth0 proto kernel scope link src 103.241.6.47
>>>> 172.16.16.0/24 via 172.30.253.2 dev tun0
>>>> 172.30.253.0/24 dev tun0 proto kernel scope link src 172.30.253.1
>>>>
>>>> 172.16.16.0/24 is the subnet in IBC_Office.
>>>>
>>>> My raw commands are:
>>>> ifconfig-pool-linear
>>>> client-to-client
>>>> client-config-dir /mnt/kd/openvpn/ccd
>>>> route 172.16.16.0 255.255.255.0
>>>>
>>>> 1222-IBC-APP1 kd # ls -l /mnt/kd/openvpn/ccd
>>>> -rwxrwxrwx 1 root root 33 Apr 25 16:54 IBC_Office
>>>> 1222-IBC-APP1 kd # cat /mnt/kd/openvpn/ccd/IBC_Office
>>>> iroute 172.16.16.0 255.255.255.0
>>>> 1222-IBC-APP1 kd #
>>>>
>>>> How should I fix this?
>>>>
>>>> Regards
>>>> Michael Knill
>>>>
>>>> -----Original Message-----
>>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>> Date: Thursday, 25 May 2017 at 10:04 pm
>>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>>>>
>>>> Hi Michael,
>>>>
>>>> To be clear, are we talking about ...
>>>>
>>>> 1) Ubiquiti ERX OpenVPN client to AstLinux OpenVPN server
>>>>
>>>> 2) Ubiquiti ERX HTTPS outbound traffic is dropped
>>>>
>>>> Correct ?
>>>>
>>>> Is #2 to any destination ?
>>>>
>>>> Are you routing all ERX traffic over the VPN, or just selective pushed routes ?
>>>>
>>>> Use "curl -LI ..." as a handy tool to follow redirects for HTTPS/HTTP client requests.
>>>>
>>>> My first guess is the Ubiquiti ERX HTTPS has a firewall rule blocking HTTPS, or routing it where you don't expect.
>>>>
>>>> Lonnie
>>>>
>>>> On May 25, 2017, at 1:28 AM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>>>
>>>>> Hi all
>>>>>
>>>>> I have an Ubiquiti ERX router connected to an Astlinux server using OpenVPN. It works great by the way, however I am unable to use HTTPS. HTTP is ok.
>>>>> Is this because it's trying to use SSL over SSL? I wouldn't have thought it mattered! It's using the standard port of 1194.
>>>>>
>>>>> Regards
>>>>> Michael Knill
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to
pay...@krisk.org.
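The puzzle running through the thread, why `ip route` shows the iroute'd subnet via .2 (or .1) rather than via the client that owns it, comes down to two separate lookups: the kernel's route, which only has to hand the packet to tun0 via OpenVPN's route-gateway, and OpenVPN's own per-client table built from the ccd `iroute` lines. The Python script below is an added illustration, not code from AstLinux or OpenVPN. It models those two lookups over the server directives, ccd file and status table quoted in the thread (embedded as constructed sample data) and flags the two classic mismatches: an `iroute` with no matching `route` (the kernel never sends that traffic to tun0) and a `route` with no `iroute` (OpenVPN has no client to deliver it to). The route-gateway is a parameter: 172.30.253.2 models the net30 tun peer seen in the first `ip route` output, 172.30.253.1 models the server's own address as in Lonnie's explicit `route-gateway`; which address OpenVPN installs under which topology is an assumption of this model, and the general point is that neither is the owning client.

```python
"""Two-stage view of OpenVPN server-side routing: kernel route, then iroute table.

Added illustration (not AstLinux or OpenVPN code). The sample data is
constructed from the values quoted in the thread.
"""
import ipaddress
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed: the server's raw directives from the thread
SERVER_RAW = """\
ifconfig-pool-linear
client-to-client
client-config-dir /mnt/kd/openvpn/ccd
route 172.16.16.0 255.255.255.0
"""
# Constructed: ccd directory as {common name: file contents}
CCD_FILES: Dict[str, str] = {"IBC_Office": "iroute 172.16.16.0 255.255.255.0\n"}
# Constructed: (common name, virtual address) rows from the status table
STATUS: Sequence[Tuple[str, str]] = (
    ("001565AC4CB9", "172.30.253.4"),
    ("001565859116", "172.30.253.2"),
    ("IBC_Office", "172.30.253.6"),
)
TUN_SUBNET = ipaddress.ip_network("172.30.253.0/24")
NET30_PEER = "172.30.253.2"   # assumption: tun peer used as route-gateway in net30
SERVER_ADDR = "172.30.253.1"  # server's own tun address (explicit route-gateway style)


def parse_subnets(text: str, keyword: str) -> List[ipaddress.IPv4Network]:
    """Collect '<keyword> NETWORK [NETMASK]' lines as IPv4Network objects."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == keyword:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
        elif len(parts) == 2 and parts[0] == keyword:  # bare host route
            nets.append(ipaddress.ip_network(f"{parts[1]}/32"))
    return nets


def kernel_route(dest: str, server_raw: str, route_gateway: str) -> Optional[str]:
    """Kernel decision for dest in `ip route` style; None when not over tun0.

    Every --route is installed via the route-gateway, never via the client
    that owns the subnet: the kernel only needs to reach tun0.
    """
    ip = ipaddress.ip_address(dest)
    if ip in TUN_SUBNET:
        return f"{TUN_SUBNET} dev tun0 (connected)"
    for net in sorted(parse_subnets(server_raw, "route"), key=lambda n: -n.prefixlen):
        if ip in net:  # longest prefix first
            return f"{net} via {route_gateway} dev tun0"
    return None


def internal_route(dest: str, ccd_files: Dict[str, str],
                   status: Sequence[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """OpenVPN's own lookup: the client whose virtual address or ccd iroute covers dest."""
    ip = ipaddress.ip_address(dest)
    best = None  # (prefixlen, common name, virtual address)
    for cn, vaddr in status:
        if ipaddress.ip_address(vaddr) == ip:
            return cn, vaddr
        for net in parse_subnets(ccd_files.get(cn, ""), "iroute"):
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, cn, vaddr)
    return None if best is None else (best[1], best[2])


def trace(dest: str, route_gateway: str = NET30_PEER, server_raw: str = SERVER_RAW,
          ccd_files: Dict[str, str] = CCD_FILES,
          status: Sequence[Tuple[str, str]] = STATUS) -> Dict[str, object]:
    """Both hops for a packet to dest; OpenVPN only sees what the kernel sent to tun0."""
    k = kernel_route(dest, server_raw, route_gateway)
    if k is None:
        return {"kernel": "not over the VPN (default route)", "openvpn": None}
    return {"kernel": k, "openvpn": internal_route(dest, ccd_files, status)}


def check_config(server_raw: str, ccd_files: Dict[str, str]) -> List[str]:
    """Mismatches between --route (kernel side) and ccd iroute (OpenVPN side)."""
    routes = set(parse_subnets(server_raw, "route"))
    owners: Dict[ipaddress.IPv4Network, str] = {}
    findings = []
    for cn, text in ccd_files.items():
        for net in parse_subnets(text, "iroute"):
            if net in owners:
                findings.append(f"iroute {net} claimed by both {owners[net]} and {cn}")
            owners[net] = cn
    for net in sorted(owners.keys() - routes):
        findings.append(f"iroute {net} ({owners[net]}) has no matching route: "
                        "the kernel never hands that traffic to tun0")
    for net in sorted(routes - owners.keys()):
        findings.append(f"route {net} has no ccd iroute: no client to deliver it to")
    return findings


if __name__ == "__main__":
    for gw in (NET30_PEER, SERVER_ADDR):
        print(f"route-gateway {gw}: {trace('172.16.16.5', gw)}")
    print(trace("172.30.253.6"))
    print(check_config(SERVER_RAW, CCD_FILES) or "route/iroute consistent")
```

Running it shows the kernel line for 172.16.16.5 as `172.16.16.0/24 via 172.30.253.2 dev tun0` (net30) or `... via 172.30.253.1 dev tun0` (server address), while the OpenVPN stage resolves the same packet to `IBC_Office` at 172.30.253.6 from its `iroute`; with `client-to-client` set, the same internal table is what lets one client reach another without the kernel seeing the packet at all. Pointing `check_config` at a real `route`/ccd pair is a quick way to catch the silent case where an `iroute` exists but no `route` does.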