[note: following contains ASCII art in the middle, and footnoted links at the 
end]

summary: I need to tunnel one SSL VPN (F5, running on one debian host) through 
another (OpenVPN, running on another debian host), but lose networking (e.g., 
`ping`) after the F5 VPN connects. I'm not sure whether this is due to my 
firewall/iptables or VPN configuration, but suspect the former. Unfortunately I 
am not knowledgeable regarding networking, so I'd appreciate any assistance you 
could provide.

details:

I need to remotely (off the physical LAN) SSH into some firewalled compute 
clusters to do environmental modeling (e.g., this[1]). Formerly I could do this 
from my debian laptop using the cluster-provider-mandated F5VPN[2]. However, 
access policy changed[3] (notably to require a single registered IP#), so I can 
no longer do this "directly" (i.e., just running the F5VPN from my laptop). I 
seek to adapt to the new policy (and resume work on my project) by implementing 
a VPN tunnel "through" a debian linode. Design details here[4], but my design 
can be roughly summarized with the following ASCII art (appropriately rendered 
here[4]):

                     <-MY CONTROL  AGENCY CONTROLLED->
                                                      firewall
+----------+      +-----------+      +---------------+   |   +---------+
| laptop + |      | linode  + |      | remote-access |   |   | cluster |
| F5NAP  + | <--> | OpenVPN + | <--> | website +     | <-|-> | node(s) |
| OpenVPN  |      | security  |      | F5VPN         |   |   |         |
+----------+      +-----------+      +---------------+   |   +---------+

(Implementation details here[5]) The good news is, the following sequence 
works: I can

1. start an OpenVPN server on the linode[6]
2. start an OpenVPN client on my laptop[7], after which 
http://www.whatismyip.com shows the IP# of my linode (which is registered)
3. start the F5VPN client (an F5NAP'ed Firefox[8]), and from that still see my 
linode's IP#.
4. using the F5VPN client, log in to the agency's remote-access website, and 
bring up the F5VPN's control UI (e.g., to start/stop/logout).

The bad news is[9], as soon as I start the F5VPN, and see status==Connected in 
its web UI, I lose IP networking. I had originally thought this was just a DNS 
problem, but I cannot even `ping` IP#s, e.g.,

    $ ping -c 4 141.101.120.15 # == www.whatismyip.com
    PING 141.101.120.15 (141.101.120.15) 56(84) bytes of data.

    --- 141.101.120.15 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3022ms

(The only consolation here is that the network failure kills the tunnel, which 
causes my client to regain its networking ... but also its access to the 
registered IP#.)

I had thought that this problem was due to OpenVPN misconfiguration on my part, 
but now suspect that I need to tweak my server firewall[10] (which is 
`iptables`, running on Debian 7.8) in order to allow my OpenVPN configuration 
to work. Unfortunately I don't know enough about IP/TCP/UDP/Linux/Debian 
networking, so I'd appreciate assistance from someone more knowledgeable.

Apologies if this is a FAQ or LMGTFY, but my web searches have not found 
anything that seems to match my use case. Pointers to docs or other 
educational resources are also appreciated.

TIA, Tom Roche <tom_ro...@pobox.com>

[1]: https://bitbucket.org/tlroche/aqmeii-na_n2o/wiki/Home
[2]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5vpn-only-access
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-aug-2014-policy-change
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[5]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-id6
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-test-server-startup
[7]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-test-client-startup
[8]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap
[9]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-network-problem
[10]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt
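One check worth running before pointing at the server firewall: compare the laptop's `ip route` table from step 2 (OpenVPN up) with the table after the F5 client reports Connected. The script below is an added example, not the poster's code or either VPN's; its two route tables are constructed samples with placeholder addresses (203.0.113.10 standing in for the linode, wlan0 for the laptop's physical interface), and the AFTER table is only one plausible outcome, not a claim about what F5 does.

```python
"""Diff two `ip route` snapshots taken before and after a second VPN client connects.

Sample tables are constructed (placeholder addresses, RFC 5737 / private ranges):
BEFORE is what an OpenVPN client with redirect-gateway typically installs; AFTER
is one plausible table after another client took over the default route."""
BEFORE = """\
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev wlan0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev wlan0
"""
AFTER = """\
default dev tun1 scope link
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20
198.51.100.1 via 10.8.0.5 dev tun0
"""

def parse_routes(text):
    """Map destination -> (gateway or None, device or None) per `ip route` line."""
    routes = {}
    for fields in (line.split() for line in text.splitlines()):
        if not fields:
            continue
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes[fields[0]] = (gw, dev)
    return routes

def _fmt(dst, route):
    gw, dev = route
    return dst + (f" via {gw}" if gw else "") + (f" dev {dev}" if dev else "")

def audit(before, after, vpn_server, physical_dev):
    """List route changes and check that the /32 route to the OpenVPN server
    stayed on physical_dev: OpenVPN's own encapsulated packets go there, and if
    they get steered into the new tunnel instead, the outer tunnel stalls."""
    b, a = parse_routes(before), parse_routes(after)
    findings = [f"removed: {_fmt(d, b[d])}" for d in sorted(set(b) - set(a))]
    findings += [f"added: {_fmt(d, a[d])}" for d in sorted(set(a) - set(b))]
    findings += [f"changed: {_fmt(d, b[d])} -> {_fmt(d, a[d])}"
                 for d in sorted(set(a) & set(b)) if a[d] != b[d]]
    host = a.get(vpn_server)
    if host is None or host[1] != physical_dev:
        findings.append(f"host route to {vpn_server} not on {physical_dev}")
    return findings
```

Save `ip route` output to a file at step 2 and again once the F5 UI shows Connected, then call `audit` with the two texts, the linode's public IP and the laptop's physical interface; a missing or moved host route explains the tunnel dying on its own without any server-side rule being involved.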


Archive: https://lists.debian.org/87vbk0rpkj....@pobox.com