Michael,

You did not mention what OpenVPN server "Topology" you are using.

Using the loopback interface won't work, since you need to forward traffic 
to/from a LAN interface. Without adding an additional interface, create a VLAN 
off eth0 (e.g. eth0.10) and use that as your LAN interface.

Lonnie


On May 26, 2017, at 8:36 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> 
wrote:

> Hi Lonnie
> 
> Thanks for the info. I did a bit of testing this morning and I came to the 
> conclusion that I don't understand how OpenVPN routing works :(
> E.g. here is the routing table:
> .....
> 172.16.16.0/24 via 172.30.253.1 dev tun0
> 172.30.253.0/24 dev tun0  proto kernel  scope link  src 172.30.253.1
> 
> I still can't understand why the routing table does not show 172.16.16.0/24 
> via 172.30.253.6 dev tun0, which is the VPN address of the device that has 
> that subnet. Maybe the iroute does not actually change the routing table and 
> there is a ‘magic happens here’ within OpenVPN that routes it correctly.
> 
> Anyway, currently I can't route it to a LAN interface as this is a VM and it's 
> only got a single eth0. I can get another one added, but can I set up a 
> loopback or something to overcome this?
> 
> Thanks so much.
> 
> Regards
> Michael Knill
> 
> -----Original Message-----
> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Friday, 26 May 2017 at 10:27 pm
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
> 
> Michael,
> 
> Personally I always use OpenVPN server "Topology: [subnet]" provided all your 
> clients support that.  The old [net30] topology can be confusing.
> 
> If using an OpenVPN subnet IP for the web interface address is still a 
> problem, you may try using the LAN internal address (assuming you have one 
> defined) 
> 
> Network -> Firewall -> Firewall Options:
> 
> _x_ Allow OpenVPN Server tunnel to the [ 1st ] LAN Interface(s)
> 
> and on the OpenVPN server config ...
> 
> "push" route 192.168.110.1 255.255.255.255
> 
> so with the above, and if 192.168.110.1/24 was your 1st LAN interface on the 
> server, have your remote OpenVPN clients use 192.168.110.1 to reach the 
> server's web interface.
> 
> 
> On my lab bench test boxes I just tried this ...
> 
> MacBook (192.168.222.215) -> (LAN eth3) AstLinux w/OpenVPN client -> AstLinux 
> w/OpenVPN server (LAN eth1.10)
> 
> AstLinux w/OpenVPN client (tun2):
> # ip r
> ...
> 10.8.1.0/24 dev tun2  proto kernel  scope link  src 10.8.1.2
> 192.168.222.0/24 dev eth3  proto kernel  scope link  src 192.168.222.1
> 192.168.110.0/24 via 10.8.1.1 dev tun2
> ...
> 
> AstLinux w/OpenVPN server (tun0):
> # ip r
> ...
> 10.8.1.0/24 dev tun0  proto kernel  scope link  src 10.8.1.1
> 192.168.110.0/24 dev eth1.10  proto kernel  scope link  src 192.168.110.1
> 192.168.222.0/24 via 10.8.1.1 dev tun0
> ...
> 
> OpenVPN Server config:
> "raw" client-config-dir /etc/openvpn/ccd
>  /etc/openvpn/ccd/client: iroute 192.168.222.0 255.255.255.0
> "raw" route-gateway 10.8.1.1
> "raw" route 192.168.222.0 255.255.255.0
> "push" route 192.168.110.0 255.255.255.0
> 
> Network -> Firewall -> Firewall Options:
> _x_ Allow OpenVPN Server tunnel to the [ 1st ] LAN Interface(s)
> 
> 
> In this test example I was able to reach the "AstLinux w/OpenVPN server" web 
> interface from the MacBook (192.168.222.215) by using either 192.168.110.1 or 
> 10.8.1.1 .
> 
> Lonnie
> 
> 
> 
> On May 25, 2017, at 11:08 PM, Michael Knill 
> <michael.kn...@ipcsolutions.com.au> wrote:
> 
>> Well yes and no. Some things work and I'm not sure why, as the return route is 
>> wrong below. It should be pointing to .6 not .2. Not sure if you picked that 
>> up, sorry.
>> 
>> Regards
>> Michael Knill
>> 
>> -----Original Message-----
>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Date: Friday, 26 May 2017 at 1:56 pm
>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>> 
>> Michael,
>> 
>> Can your IBC_Office reach the AstLinux web interface at 172.30.253.1 ?
>> 
>> If not, possibly the ERX is blocking it ?
>> 
>> Lonnie
>> 
>> 
>> On May 25, 2017, at 6:45 PM, Michael Knill 
>> <michael.kn...@ipcsolutions.com.au> wrote:
>> 
>>> Hi Lonnie
>>> 
>>> I don't need to push any routes to the client though.
>>> 172.16.16.0/24 is at IBC_Office but the server is routing this to 
>>> 172.30.253.2 (a Yealink phone) rather than 172.30.253.6.
>>> So I'm wondering how you set the routing to be correct?
>>> 
>>> PS. I always use 172.30 as it is rarely used by customers so no overlap 
>>> when I install a new system.
>>> 
>>> Regards
>>> Michael Knill
>>> 
>>> -----Original Message-----
>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Date: Friday, 26 May 2017 at 9:38 am
>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>>> 
>>> Michael,
>>> 
>>> The ccd "iroute" and raw "route" are the remote (ERX) subnets. IBC_Office? 
>>> Looks correct.
>>> 
>>> In order for your ERX to have a route to an AstLinux subnet you need to 
>>> "push" 'route ...' so the client adds routes over the VPN.
>>> 
>>> Though your VPN clients should be able to see the AstLinux web interface at 
>>> 172.30.253.1 it would seem.
>>> 
>>> Looks like you have it working, possibly lacking pushing routes to the 
>>> clients.
>>> 
>>> You know about the 10.0.0.0/8 private networks, they are there to use :-)
>>> 
>>> Lonnie
>>> 
>>> 
>>> On May 25, 2017, at 6:03 PM, Michael Knill 
>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>> 
>>>> Hi Lonnie
>>>> Yes, sorry for the ambiguity.
>>>> 
>>>> 1) Yes
>>>> 2) No, I'm trying to connect to the AstLinux Web GUI on the OpenVPN server 
>>>> interface, e.g. .1 of the subnet. I'm actually not routing any traffic to 
>>>> any other subnets as it's just used for telephony access.
>>>> 
>>>> Ok, I think I have found the problem but I don't know why it's happening. 
>>>> There are multiple clients connected to this server. For some reason the 
>>>> route is pointing to the first client connected. Is this what iroute is 
>>>> meant to sort out? I'm not actually sure why it works at all!
>>>> 
>>>> OpenVPN Server Status:
>>>> Common Name   Real Address           Virtual Address  Bytes Received  Bytes Sent  Connected Since
>>>> 001565AC4CB9  124.171.108.172:50893  172.30.253.4     4008            4947        Fri May 26 08:48:37 2017
>>>> 001565859116  124.171.108.172:39331  172.30.253.2     4024            4883        Fri May 26 08:48:35 2017
>>>> IBC_Office    115.187.181.61:49708   172.30.253.6     6384            7090        Fri May 26 08:48:34 2017
>>>> 
>>>> 1222-IBC-APP1 kd # ip route
>>>> default via 103.241.6.1 dev eth0
>>>> 103.241.6.0/24 dev eth0  proto kernel  scope link  src 103.241.6.47
>>>> 172.16.16.0/24 via 172.30.253.2 dev tun0
>>>> 172.30.253.0/24 dev tun0  proto kernel  scope link  src 172.30.253.1
>>>> 
>>>> 172.16.16.0/24 is the subnet in IBC_Office.
>>>> 
>>>> My raw commands are:
>>>> ifconfig-pool-linear
>>>> client-to-client
>>>> client-config-dir /mnt/kd/openvpn/ccd
>>>> route 172.16.16.0 255.255.255.0
>>>> 
>>>> 1222-IBC-APP1 kd # ls -l /mnt/kd/openvpn/ccd
>>>> -rwxrwxrwx    1 root     root            33 Apr 25 16:54 IBC_Office
>>>> 1222-IBC-APP1 kd # cat /mnt/kd/openvpn/ccd/IBC_Office
>>>> iroute 172.16.16.0 255.255.255.0
>>>> 1222-IBC-APP1 kd #
>>>> 
>>>> How should I fix this?
>>>> 
>>>> Regards
>>>> Michael Knill
>>>> 
>>>> -----Original Message-----
>>>> From: Lonnie Abelbeck <li...@lonnie.abelbeck.com>
>>>> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>> Date: Thursday, 25 May 2017 at 10:04 pm
>>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>> Subject: Re: [Astlinux-users] Problems with HTTPS over OpenVPN to Astlinux
>>>> 
>>>> Hi Michael,
>>>> 
>>>> To be clear, are we talking about ...
>>>> 
>>>> 1) Ubiquiti ERX OpenVPN client to AstLinux OpenVPN server
>>>> 
>>>> 2) Ubiquiti ERX HTTPS outbound traffic is dropped
>>>> 
>>>> Correct ?
>>>> 
>>>> Is #2 to any destination ?
>>>> 
>>>> Are you routing all ERX traffic over the VPN, or just selective pushed 
>>>> routes ?
>>>> 
>>>> Use "curl -LI ..." as a handy tool to follow redirects for HTTPS/HTTP 
>>>> client requests.
>>>> 
>>>> My first guess is the Ubiquiti ERX has a firewall rule blocking 
>>>> HTTPS, or routing it where you don't expect.
>>>> 
>>>> Lonnie
>>>> 
>>>> 
>>>> 
>>>> On May 25, 2017, at 1:28 AM, Michael Knill 
>>>> <michael.kn...@ipcsolutions.com.au> wrote:
>>>> 
>>>>> Hi all
>>>>> 
>>>>> I have an Ubiquiti ERX router connected to an AstLinux server using OpenVPN. 
>>>>> It works great by the way, however I am unable to use HTTPS. HTTP is 
>>>>> ok.
>>>>> Is this because it's trying to use SSL over SSL? I wouldn’t have thought 
>>>>> it mattered! It's using the standard port of 1194.
>>>>> 
>>>>> Regards
>>>>> Michael Knill
>>>> 
>>>> 
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> Astlinux-users mailing list
>>>> Astlinux-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>> 
>>>> Donations to support AstLinux are graciously accepted via PayPal to 
>>>> pay...@krisk.org.
>>>> 
>>> 
>>> 
>> 
>> 
> 
> 
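Added example (my own, not code from this thread, AstLinux or OpenVPN): a small Python model of how OpenVPN's "iroute" dispatch works, built on constructed data copied from the server config, ccd file and status page quoted above (with a second "route" added so the check has something to flag). It resolves a destination in 172.16.16.0/24 to IBC_Office no matter which client the kernel route names, and reports any "route" that has no matching "iroute", which is the case OpenVPN cannot deliver.

```python
import ipaddress

# Constructed sample data, modelled on the server config, ccd file and status
# page quoted in the thread (a second "route" is added to show the check firing).
SERVER_CONF = """\
ifconfig-pool-linear
client-to-client
client-config-dir /mnt/kd/openvpn/ccd
route 172.16.16.0 255.255.255.0
route 192.168.222.0 255.255.255.0
"""
CCD = {"IBC_Office": "iroute 172.16.16.0 255.255.255.0\n",   # common name -> ccd file text
       "001565859116": "", "001565AC4CB9": ""}
CLIENTS = {"001565AC4CB9": "172.30.253.4", "001565859116": "172.30.253.2",
           "IBC_Office": "172.30.253.6"}                    # common name -> virtual address

def parse_nets(text, keyword):
    """Return the networks named by every '<keyword> net [mask]' line (mask defaults to /32)."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == keyword:
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{parts[1]}/{mask}"))
    return nets

def build_iroute_table(ccd):
    """OpenVPN's internal routing table: (subnet, owning client) from each ccd file's iroutes."""
    return [(net, cn) for cn, text in ccd.items() for net in parse_nets(text, "iroute")]

def resolve_client(table, clients, dst):
    """Client that receives a packet for dst once it arrives on tun0; the kernel's 'via' plays no part."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, cn) for net, cn in table if addr in net]
    if matches:
        return max(matches, key=lambda m: m[0].prefixlen)[1]   # longest prefix wins
    # no iroute: only a client's own virtual address is reachable (client-to-client)
    return next((cn for cn, v in clients.items() if ipaddress.ip_address(v) == addr), None)

def check_config(server_conf, ccd):
    """A 'route' without an 'iroute' is undeliverable; an 'iroute' without a 'route' never reaches tun0."""
    routes = set(parse_nets(server_conf, "route"))
    iroutes = {net for net, _ in build_iroute_table(ccd)}
    return {"route_without_iroute": sorted(str(n) for n in routes - iroutes),
            "iroute_without_route": sorted(str(n) for n in iroutes - routes)}

if __name__ == "__main__":
    table = build_iroute_table(CCD)
    print(resolve_client(table, CLIENTS, "172.16.16.20"))  # IBC_Office, not the .2 client
    print(check_config(SERVER_CONF, CCD))
```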

