summary: I have a routing problem on the server side of the VPN, as diagnosed by Mart van de Wege[1]: many thanks Mart! I hope to fix that problem using these linode instructions[2].

details:

Tom Roche Sat, 08 Nov 2014 23:47:29 -0500 [3]
>>> My jumpbox/server firewall is currently set to forward everything, using
>>> `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:

Pascal Hambourg Sun, 09 Nov 2014 13:13:16 +0100 [4]
>> This rule doesn't forward anything, it just enables masquerading.
>> IPv4 forwarding is enabled with sysctl net.ipv4.ip_forward=1.

Correct: I also have

me@jumpbox:~$ fgrep -e 'forward' /etc/sysctl.conf
> # Uncomment the next line to enable packet forwarding for IPv4
> net.ipv4.ip_forward=1
> # Uncomment the next line to enable packet forwarding for IPv6
> #net.ipv6.conf.all.forwarding=1

on the server. Indeed I am a network newbie as previously advertised :-( In any case, current firewall behavior is as noted:

>>> me@jumpbox:~$ date ; sudo iptables -L
>>> Sat Nov 8 16:42:06 EST 2014
>>> Chain INPUT (policy ACCEPT)
>>> target       prot opt source      destination
>>> fail2ban-ssh tcp  --  anywhere    anywhere     multiport dports ssh
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target       prot opt source      destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target       prot opt source      destination
>>>
>>> Chain fail2ban-ssh (1 references)
>>> target       prot opt source      destination
>>> RETURN       all  --  anywhere    anywhere

Mart van de Wege Sun, 09 Nov 2014 12:02:46 +0100 [1]
> What I suspect is a routing problem on the other side of the VPN.
> Can you ping IP addresses beyond your VPN?
> What does the output of traceroute show?

Good questions! I will add these to the Debian wiki[5] because your suspicions are correct. Before starting OpenVPN on either the laptop/client or the jumpbox/server:

me@laptop:~$ date ; pgrep -l openvpn | wc -l
> Sun Nov 9 09:24:43 EST 2014
> 0
me@laptop:~$ date ; ping -c 4 www.whatismyip.com
> Sun Nov 9 09:24:48 EST 2014
> PING www.whatismyip.com (141.101.120.15) 56(84) bytes of data.
> 64 bytes from 141.101.120.15: icmp_seq=1 ttl=57 time=94.7 ms
> 64 bytes from 141.101.120.15: icmp_seq=2 ttl=57 time=157 ms
> 64 bytes from 141.101.120.15: icmp_seq=3 ttl=57 time=88.3 ms
> 64 bytes from 141.101.120.15: icmp_seq=4 ttl=57 time=88.8 ms
>
> --- www.whatismyip.com ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 15621ms
> rtt min/avg/max/mdev = 88.370/107.325/157.369/29.002 ms
me@laptop:~$ date ; traceroute www.whatismyip.com
> Sun Nov 9 09:25:17 EST 2014
> traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
>  1  192.168.15.1 (192.168.15.1)  0.850 ms  0.838 ms  1.378 ms
>  2  71-23-64-2.clt.clearwire-wmx.net (71.23.64.2)  75.041 ms  75.040 ms  75.030 ms
>  3  71.22.7.161 (71.22.7.161)  75.293 ms  75.287 ms  75.661 ms
>  4  66-192-62-1.static.twtelecom.net (66.192.62.1)  75.260 ms  75.619 ms  75.600 ms
>  5  ash1-pr1-xe-2-3-0-0.us.twtelecom.net (66.192.244.214)  84.267 ms  84.467 ms  84.456 ms
>  6  xe-0.equinix.asbnva01.us.bb.gin.ntt.net (206.126.236.12)  84.429 ms  86.913 ms  86.863 ms
>  7  ae10.ar2.iad1.us.as4436.gtt.net (69.31.31.168)  96.019 ms  96.242 ms  95.980 ms
>  8  as13335.xe-7-0-3.ar1.iad1.us.as4436.gtt.net (69.31.31.90)  95.604 ms  95.585 ms as13335.xe-9-0-2.ar1.iad1.us.as4436.gtt.net (69.31.30.14)  96.170 ms
>  9  * as13335.xe-7-0-3.ar1.iad1.us.as4436.gtt.net (69.31.31.90)  95.515 ms  95.520 ms
> 10  141.101.120.15 (141.101.120.15)  96.397 ms  96.392 ms  95.841 ms

After starting OpenVPN on first the jumpbox/server then the laptop/client, off-VPN routing is indeed hosed:

me@laptop:~$ date ; pgrep -l openvpn | wc -l
> Sun Nov 9 09:31:27 EST 2014
> 1
me@laptop:~$ date ; ping -c 4 www.whatismyip.com
> Sun Nov 9 09:31:33 EST 2014
> PING www.whatismyip.com (141.101.120.14) 56(84) bytes of data.
>
> --- www.whatismyip.com ping statistics ---
> 4 packets transmitted, 0 received, 100% packet loss, time 3023ms
me@laptop:~$ date ; traceroute www.whatismyip.com
> Sun Nov 9 09:33:06 EST 2014
> traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
>  1  10.8.0.1 (10.8.0.1)  99.579 ms  99.584 ms  104.230 ms
>  2  * * *
> ...
> 30  * * *

Note also that the jumpbox/server is a linode running a stock Debian (`cat /etc/debian_version`=='7.7'), which is apparently able to support OpenVPN, per these linode.com-hosted instructions[6]. They are vague in places, which made me switch to the Debian wiki[5], but now I suspect that I need to switch back to its section='Tunneling All Connections through the VPN'[2]. So I'll give that a try. (Eventually I prefer only to tunnel ssh and the SSL VPN through the OpenVPN to the cluster, so I'll probably be back later :-)

Your assistance is appreciated!

Tom Roche <tom_ro...@pobox.com>

[1] https://lists.debian.org/debian-user/2014/11/msg00463.html
[2] https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-12-04-precise-and-debian-7#tunneling-all-connections-through-the-vpn
[3] https://lists.debian.org/debian-user/2014/11/msg00447.html
[4] https://lists.debian.org/debian-user/2014/11/msg00468.html
[5] https://wiki.debian.org/openvpn%20for%20server%20and%20client
[6] https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-12-04-precise-and-debian-7

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/8761eotnx9....@pobox.com
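The symptom in the thread (client traceroute reaches 10.8.0.1, then every hop times out) has three usual server-side causes: forwarding not enabled in the live kernel, no MASQUERADE rule in the nat table, or a FORWARD chain that drops tunnel traffic. The POSIX sh checklist below is an added example, not code from the thread or from the Debian/linode documents it cites; it assumes the interface names tun0/eth0 and the 10.8.0.0/24 subnet from the thread, and all inputs at the bottom are constructed samples.

```shell
#!/bin/sh
# Each check takes captured command output as a string, so it runs here
# on constructed samples; on the real jumpbox feed it the live values:
#   check_ip_forward "$(sysctl -n net.ipv4.ip_forward)"
#   check_masquerade "$(iptables -t nat -S POSTROUTING)" 10.8.0.0/24 eth0
#   check_forward_chain "$(iptables -S FORWARD)" tun0 eth0
# Note: /etc/sysctl.conf shows the boot-time setting, `sysctl -n` the
# live one; `iptables -L` shows only the filter table, never nat/POSTROUTING.

check_ip_forward() {
    [ "$1" = 1 ] && return 0
    echo "PROBLEM: live net.ipv4.ip_forward is '$1', expected 1"; return 1
}

# $1: `iptables -t nat -S POSTROUTING` output, $2: VPN subnet, $3: WAN iface
check_masquerade() {
    printf '%s\n' "$1" | grep -qF -- "-A POSTROUTING -s $2 -o $3 -j MASQUERADE" && return 0
    echo "PROBLEM: no MASQUERADE rule for $2 out $3 in nat/POSTROUTING"; return 1
}

# $1: `iptables -S FORWARD` output, $2: tunnel iface, $3: WAN iface.
# Passes on policy ACCEPT, or on an explicit tun->wan ACCEPT plus a
# return-path rule for RELATED,ESTABLISHED traffic back into the tunnel.
check_forward_chain() {
    printf '%s\n' "$1" | grep -q '^-P FORWARD ACCEPT$' && return 0
    printf '%s\n' "$1" | grep -qF -- "-i $2 -o $3 -j ACCEPT" &&
    printf '%s\n' "$1" | grep -qE -- "-o $2 .*RELATED,ESTABLISHED .*-j ACCEPT" && return 0
    echo "PROBLEM: FORWARD chain does not pass $2<->$3 traffic"; return 1
}

# $1: client traceroute output, $2: VPN gateway address. Returns 0 when
# hop 1 is the gateway and no later hop answers (the pattern in the thread).
stuck_at_gateway() {
    printf '%s\n' "$1" | awk -v gw="$2" '
        ($1 == "1")                 { first = $2 }
        ($1 + 0 > 1 && $2 != "*")   { beyond++ }
        END { exit !(first == gw && beyond == 0) }'
}

# Constructed samples (not captured from the thread's hosts):
good_nat='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE'
stuck_trace='traceroute to www.example.com (192.0.2.10), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  99.579 ms  99.584 ms  104.230 ms
 2  * * *
30  * * *'
check_ip_forward 0 || :     # sysctl.conf edited but never applied: reports PROBLEM
check_masquerade "$good_nat" 10.8.0.0/24 eth0 && echo "ok: NAT rule present"
stuck_at_gateway "$stuck_trace" 10.8.0.1 && echo "client traffic dies at the VPN gateway"
```

If all three server checks pass and the trace is still stuck at the gateway, the next place to look is the live rule set rather than the config files, since the thread's `iptables -L` output never shows the nat table at all.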