For completeness, added server firewall settings below:

Tom Roche Sat, 08 Nov 2014 21:07:03 -0500 
https://lists.debian.org/debian-user/2014/11/msg00440.html
> summary: I'm running [OpenVPN] from an LMDE [client through a Debian 
> jumpbox/server]. After I [start the server, start the client] most IP-based 
> applications seem to work from the client, but web browsing fails: e.g., 
> client's Firefox cannot connect to http://www.whatismyip.com/ . How to fix or 
> debug?

> details:

> (Apologies in advance if you feel this is a question better asked elsewhere. 
> If so, please let me know where to ask. The OpenVPN forums are quite slow to 
> respond in my experience, hence I'm asking here first.)

> I have a laptop running up-to-date LMDE (`cat /etc/debian_version`=='jessie/sid'), 
> including Firefox version=33.0. From 
> that laptop I need to access a compute cluster. The cluster formerly required 
> only an SSL VPN (enabled by a Firefox plugin) to access, but now has several 
> additional requirements, which I seek to satisfy by running the SSL VPN 
> through a jumpbox running an OpenVPN server. The jumpbox is a linode running 
> a "vanilla" Debian (`cat /etc/debian_version`=='7.7').

> Note that I have been using the laptop successfully for a few years with LMDE 
> and without network problems. Currently I have the client/laptop connected by 
> wire directly to an ISP-supplied modem/router. With `openvpn` NOT running on 
> my client/laptop, I see the following:

> * `ifconfig` shows no entry='tun0' (just "the usual" entries for 'eth0', 'lo', 'wlan0'), and shows the expected client IP# bound to 'eth0'.
> * I can `ping` my jumpbox/server using its real IP#, but cannot `ping 10.8.0.1`
> * I can `ssh` to my jumpbox/server using its real IP#, but cannot `ssh 10.8.0.1`
> * `nslookup www.whatismyip.com` gives correct results
> * browsing to http://www.whatismyip.com/ shows my client's IP# (as also shown in `ifconfig`)

> Both the client and server setups are quite generic OpenVPN-wise, and are 
> almost exactly as described on the Debian wiki here

> https://wiki.debian.org/openvpn%20for%20server%20and%20client

> Note particularly that my client and server configurations are currently 
> near-exact copies of those listed at that Debian wiki page: the only changes 
> are my server IP# (obfuscated below) and the name of my client:

>     me@jumpbox:~$ date ; cat /etc/openvpn/server.conf
>     Sat Nov  8 16:49:00 EST 2014
>     port 1194
>     proto udp
>     dev tun
>     ca /etc/openvpn/ca.crt
>     cert /etc/openvpn/server.crt
>     key /etc/openvpn/server.key
>     dh /etc/openvpn/dh1024.pem
>     server 10.8.0.0 255.255.255.0
>     ifconfig-pool-persist ipp.txt
>     push "redirect-gateway def1 bypass-dhcp"
>     push "dhcp-option DNS 8.8.8.8" # google public DNS
>     keepalive 10 120
>     comp-lzo
>     user nobody
>     group nogroup
>     persist-key
>     persist-tun
>     status openvpn-status.log
>     verb 3

>     me@laptop:~$ date ; cat /etc/openvpn/client1.conf
>     Sat Nov  8 16:51:31 EST 2014
>     client
>     dev tun
>     proto udp
>     remote ser.ver.IP.num 1194
>     resolv-retry infinite
>     nobind
>     user nobody
>     group nogroup
>     persist-key
>     persist-tun
>     mute-replay-warnings
>     ca /etc/openvpn/ca.crt
>     cert /etc/openvpn/client1.crt
>     key /etc/openvpn/client1.key
>     ns-cert-type server
>     comp-lzo
>     verb 3
>     up /etc/openvpn/update-resolv-conf
>     down /etc/openvpn/update-resolv-conf

My jumpbox/server firewall is currently set to forward everything, using 
`iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:

    me@jumpbox:~$ date ; sudo iptables -L
    Sat Nov  8 16:42:06 EST 2014
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         

    Chain fail2ban-ssh (1 references)
    target     prot opt source               destination         
    RETURN     all  --  anywhere             anywhere            

> After I start `openvpn` on first the server and then the client, I see no 
> OpenVPN errors on either the server or the client:

>     me@jumpbox:~$ sudo openvpn --script-security 2 --config /etc/openvpn/server.conf &
>     Sat Nov  8 17:48:25 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
>     Sat Nov  8 17:48:25 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
>     Sat Nov  8 17:48:25 2014 Diffie-Hellman initialized with 1024 bit key
>     Sat Nov  8 17:48:25 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
>     Sat Nov  8 17:48:25 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
>     Sat Nov  8 17:48:25 2014 ROUTE default_gateway=ser.ver.gate.way
>     Sat Nov  8 17:48:25 2014 TUN/TAP device tun0 opened
>     Sat Nov  8 17:48:25 2014 TUN/TAP TX queue length set to 100
>     Sat Nov  8 17:48:25 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
>     Sat Nov  8 17:48:25 2014 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
>     Sat Nov  8 17:48:25 2014 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
>     Sat Nov  8 17:48:25 2014 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
>     Sat Nov  8 17:48:25 2014 GID set to nogroup
>     Sat Nov  8 17:48:25 2014 UID set to nobody
>     Sat Nov  8 17:48:25 2014 UDPv4 link local (bound): [undef]
>     Sat Nov  8 17:48:25 2014 UDPv4 link remote: [undef]
>     Sat Nov  8 17:48:25 2014 MULTI: multi_init called, r=256 v=256
>     Sat Nov  8 17:48:25 2014 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
>     Sat Nov  8 17:48:25 2014 ifconfig_pool_read(), in='TomRoche,10.8.0.4', TODO: IPv6
>     Sat Nov  8 17:48:25 2014 succeeded -> ifconfig_pool_set()
>     Sat Nov  8 17:48:25 2014 IFCONFIG POOL LIST
>     Sat Nov  8 17:48:25 2014 TomRoche,10.8.0.4
>     Sat Nov  8 17:48:25 2014 Initialization Sequence Completed

>     me@laptop:~$ sudo openvpn --script-security 2 --config /etc/openvpn/client1.conf &
>     Sat Nov  8 17:49:12 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
>     Sat Nov  8 17:49:12 2014 Socket Buffers: R=[212992->131072] S=[212992->131072]
>     Sat Nov  8 17:49:12 2014 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
>     Sat Nov  8 17:49:12 2014 UDPv4 link local: [undef]
>     Sat Nov  8 17:49:12 2014 UDPv4 link remote: [AF_INET]jump.box.IP.num:1194
>     Sat Nov  8 17:49:12 2014 TLS: Initial packet from [AF_INET]jump.box.IP.num:1194, sid=25df7af6 0ece4089
>     Sat Nov  8 17:49:13 2014 VERIFY OK: depth=1, <my config data/>
>     Sat Nov  8 17:49:13 2014 VERIFY OK: nsCertType=SERVER
>     Sat Nov  8 17:49:13 2014 VERIFY OK: depth=0, <my config data/>
>     Sat Nov  8 17:49:14 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
>     Sat Nov  8 17:49:14 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>     Sat Nov  8 17:49:14 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
>     Sat Nov  8 17:49:14 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>     Sat Nov  8 17:49:14 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
>     Sat Nov  8 17:49:14 2014 [TomRoche] Peer Connection Initiated with [AF_INET]jump.box.IP.num:1194
>     Sat Nov  8 17:49:16 2014 SENT CONTROL [TomRoche]: 'PUSH_REQUEST' (status=1)
>     Sat Nov  8 17:49:16 2014 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
>     Sat Nov  8 17:49:16 2014 OPTIONS IMPORT: timers and/or timeouts modified
>     Sat Nov  8 17:49:16 2014 OPTIONS IMPORT: --ifconfig/up options modified
>     Sat Nov  8 17:49:16 2014 OPTIONS IMPORT: route options modified
>     Sat Nov  8 17:49:16 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
>     Sat Nov  8 17:49:16 2014 ROUTE_GATEWAY lap.top.gate.way/255.255.255.0 IFACE=eth0 HWADDR=la:pt:op:MAC:ad:dr
>     Sat Nov  8 17:49:16 2014 TUN/TAP device tun0 opened
>     Sat Nov  8 17:49:16 2014 TUN/TAP TX queue length set to 100
>     Sat Nov  8 17:49:16 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
>     Sat Nov  8 17:49:16 2014 /sbin/ip link set dev tun0 up mtu 1500
>     Sat Nov  8 17:49:16 2014 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
>     Sat Nov  8 17:49:16 2014 /etc/openvpn/update-resolv-conf tun0 1500 1542 10.8.0.6 10.8.0.5 init
>     dhcp-option DNS 8.8.8.8
>     Sat Nov  8 17:49:16 2014 /sbin/ip route add lap.top.IP.num/32 via lap.top.gate.way
>     Sat Nov  8 17:49:16 2014 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
>     Sat Nov  8 17:49:16 2014 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
>     Sat Nov  8 17:49:16 2014 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
>     Sat Nov  8 17:49:16 2014 GID set to nogroup
>     Sat Nov  8 17:49:16 2014 UID set to nobody
>     Sat Nov  8 17:49:16 2014 Initialization Sequence Completed

> I then see the following on my client:

> * `ifconfig` shows a new entry=`tun0`, which looks correct
> * I can `ping` the server using either its real IP# or `10.8.0.1`
> * I can `ssh` to the server using either its real IP# or `10.8.0.1`
> * `nslookup www.whatismyip.com` gives correct results

> ... but I get no connection if I open a new instance of Firefox and browse to 
> http://www.whatismyip.com/ :-( "Looking up www.whatismyip.com..." succeeds 
> quickly but the status line continues to display "Connecting to 
> www.whatismyip.com..." until the attempt times out. I also get the same 
> behavior (connection timeout) if I open a new instance of Chrome, or if I 
> browse to http://www.whatismyip.com/ with a Firefox opened prior to starting 
> OpenVPN. FWIW I get the same behavior browsing to any URI, including (e.g.) 
> Google.

> This is a major problem for me! For the SSL VPN to work, I need to start a 
> Firefox and run it (since the SSL VPN's vendor only supports it on Linux via 
> a Firefox plugin) to access a particular remote-access website. Furthermore I 
> need the SSL VPN to run through the jumpbox/OpenVPN. (Don't ask, it's a long, 
> sad story ...)

> How can I fix this? Alternatively, what should I do to further debug the 
> problem? 

> your assistance is appreciated, Tom Roche <tom_ro...@pobox.com>
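Note that the `iptables -L` listing above shows only the filter table; the MASQUERADE rule lives in the nat table and is visible with `iptables -t nat -L POSTROUTING` or `iptables-save`. As an added example that is not part of the original thread, the following POSIX sh script audits a jumpbox for the three server-side prerequisites a pushed `redirect-gateway def1` depends on (kernel forwarding, a nat rule for the VPN subnet, and a FORWARD chain that passes tun0 traffic); the `iptables-save` text is a constructed sample matching the setup described in the post, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a jumpbox for the three
# server-side things a pushed "redirect-gateway def1" needs. Inputs are passed
# as arguments so it also runs on captured output; on the live box call
#   audit_jumpbox "$(sysctl -n net.ipv4.ip_forward)" "$(iptables-save)" 10.8.0.0/24 eth0
# Constructed `iptables-save` sample matching the post: the filter table from
# the `iptables -L` listing plus the MASQUERADE rule, which that listing
# omits because `iptables -L` only shows the filter table.
SAMPLE_SAVE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
COMMIT'
# 1. Kernel forwarding: $1 is the value of net.ipv4.ip_forward.
check_ip_forward() { [ "$1" = "1" ]; }
# 2. A MASQUERADE (or SNAT) rule in the nat table for the VPN subnet ($2)
#    leaving on the public interface ($3). $1 is iptables-save text.
check_masquerade() {
    printf '%s\n' "$1" | sed -n '/^\*nat/,/^COMMIT/p' \
      | grep -qE -- "^-A POSTROUTING -s $2 -o $3 -j (MASQUERADE|SNAT)"
}
# 3. The FORWARD chain lets tunnel traffic through: either its policy is
#    ACCEPT or there is an explicit ACCEPT for packets arriving on tun0.
check_forward() {
    ft=$(printf '%s\n' "$1" | sed -n '/^\*filter/,/^COMMIT/p')
    printf '%s\n' "$ft" | grep -q '^:FORWARD ACCEPT' \
      || printf '%s\n' "$ft" | grep -qE -- '^-A FORWARD -i tun0 .*-j ACCEPT'
}
# Run all three; exit status is 0 only when every check passes.
audit_jumpbox() {
    rc=0
    check_ip_forward "$1" && echo "ok  net.ipv4.ip_forward=1" \
        || { echo "BAD net.ipv4.ip_forward=$1 (tun0 packets are not forwarded)"; rc=1; }
    check_masquerade "$2" "$3" "$4" && echo "ok  nat POSTROUTING masquerades $3 via $4" \
        || { echo "BAD no nat rule for $3 via $4 (replies cannot reach the client)"; rc=1; }
    check_forward "$2" && echo "ok  FORWARD chain passes tun0 traffic" \
        || { echo "BAD FORWARD chain blocks tun0 traffic"; rc=1; }
    return $rc
}
audit_jumpbox 1 "$SAMPLE_SAVE" 10.8.0.0/24 eth0
```

Each check is independent, so a failing line points at the layer to look at first; the script says nothing about MTU or DNS, which are separate issues.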

