Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails

2014-11-16 Thread Tom Roche

For the benefit of OP with similar {concerns, interests, problems}, I have 
documented my process @

https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home

Part is scripted, and part is not, but even the part that is *not* scripted 
provides cut'n'pasteable console input. The good news is, at this point

https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-client-test

the server's IP# is visible from the outside world, e.g., @ 
http://www.whatismyip.com/ . The bad news is, this is only part of what I need, 
which is to run another SSL VPN through the tunnel, which is failing--more on 
that separately (though that may be getting OT for this list).

HTH, Tom Roche tom_ro...@pobox.com


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87r3x2sxuk@pobox.com



Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails

2014-11-10 Thread Pascal Hambourg
Tom Roche wrote:
 
 me@laptop:~$ date ; traceroute www.whatismyip.com
 Sun Nov  9 09:33:06 EST 2014
 traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
  1  10.8.0.1 (10.8.0.1)  99.579 ms  99.584 ms  104.230 ms
  2  * * *
 ...

This shows that forwarding is enabled. But packets don't get a reply
after they are forwarded. Maybe the masquerading does not work as
expected. What is the output of iptables-save -c and ip link  on the
VPN server ?



Archive: https://lists.debian.org/54613845.5050...@plouf.fr.eu.org



Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails

2014-11-09 Thread Mart van de Wege
Tom Roche tom_ro...@pobox.com writes:


 * `ifconfig` shows a new entry=`tun0`, which looks correct
 * I can `ping` the server using either its real IP# or `10.8.0.1`
 * I can `ssh` to the server using either its real IP# or `10.8.0.1`
 * `nslookup www.whatismyip.com` gives correct results


This tells me that your VPN works. What I suspect is a routing problem
on the other side of the VPN.

Can you ping IP addresses beyond your VPN?

What does the output of traceroute show?

Mart

-- 
We will need a longer wall when the revolution comes.
--- AJS, quoting an uncertain source.


Archive: https://lists.debian.org/86ppcwiqll@gaheris.avalon.lan
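Mart's split (the tunnel itself works, so suspect routing beyond it) can be narrowed further from the client before touching the server. If the client holds the routes that the server's `push "redirect-gateway def1 bypass-dhcp"` (in the server.conf quoted later in the thread) is meant to install, then "hop 1 = 10.8.0.1, then silence" really does mean the packets are handed to the jumpbox and lost there. The script below is an added example, not code posted in the thread; it checks a captured `ip route` listing for the def1 routes. The sample listings are constructed: 192.168.15.1 is the LAN gateway visible in the thread's traceroute, while the VPN gateway 10.8.0.5 and the server address 203.0.113.10 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): checks, offline, that the client got the
# routes that `push "redirect-gateway def1 bypass-dhcp"` should produce. It
# reads a captured `ip route` listing, so it needs neither root nor a tunnel.
#
# With def1 OpenVPN leaves the original default route in place and adds:
#   0.0.0.0/1   via VPN_GW dev tunN     (the two halves together cover all of
#   128.0.0.0/1 via VPN_GW dev tunN      IPv4 and win over the /0 default)
#   SERVER_IP   via <original gw> dev <original dev>   (so the tunnel's own
#                                       UDP packets are not sent into tun0)
# VPN_GW is the route gateway reported in the client log; with OpenVPN's
# default net30 topology that is the client's /30 peer, not necessarily 10.8.0.1.
#
# check_def1_routes ROUTE_FILE VPN_GW SERVER_IP  -> 0 when all routes are present
check_def1_routes() {
    routes=$1; vpn_gw=$2; server_ip=$3; rc=0
    for half in 0.0.0.0/1 128.0.0.0/1; do
        if grep -q "^$half via $vpn_gw dev tun[0-9]" "$routes"; then
            echo "ok: $half via $vpn_gw through the tunnel"
        else
            echo "FAIL: no route $half via $vpn_gw (redirect-gateway def1 not applied)"; rc=1
        fi
    done
    # The original default route must survive, and the host route to the VPN
    # server must use the same gateway and interface as that default route.
    orig=$(sed -n 's/^default via \([^ ]*\) dev \([^ ]*\).*/\1 \2/p' "$routes" | head -n 1)
    if [ -z "$orig" ]; then
        echo "FAIL: no default route left; the tunnel itself cannot reach the server"
        return 1
    fi
    orig_gw=${orig% *}; orig_dev=${orig#* }
    if grep -q "^$server_ip via $orig_gw dev $orig_dev" "$routes"; then
        echo "ok: host route $server_ip via $orig_gw dev $orig_dev"
    else
        echo "FAIL: no host route to $server_ip via $orig_gw; tunnel traffic would be routed into tun0"; rc=1
    fi
    return $rc
}

# Constructed sample listings (not copied from the poster's laptop).
# 203.0.113.10 stands in for the obfuscated server address; 10.8.0.5/10.8.0.6
# is a net30 client pair; 192.168.15.1 is the LAN gateway from the traceroute.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/route.good" <<'EOF'
0.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.15.1 dev eth0
10.8.0.1 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.15.0/24 dev eth0  proto kernel  scope link  src 192.168.15.23
203.0.113.10 via 192.168.15.1 dev eth0
EOF
# Tunnel up, but the pushed redirect was never applied on the client.
grep -v -e '^0.0.0.0/1' -e '^128.0.0.0/1' -e '^203.0.113.10' \
    "$SAMPLE_DIR/route.good" > "$SAMPLE_DIR/route.bad"

echo "--- good listing ---"
check_def1_routes "$SAMPLE_DIR/route.good" 10.8.0.5 203.0.113.10
echo "--- bad listing ---"
check_def1_routes "$SAMPLE_DIR/route.bad" 10.8.0.5 203.0.113.10 || echo "exit status $?"
```

On a real client run `ip route > r.txt` with the tunnel up and pass that file, the gateway from the client's own `openvpn` log, and the server's public address. If the good pattern is there, the client has done its part and the remaining problem is on the jumpbox.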



Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails

2014-11-09 Thread Pascal Hambourg
Tom Roche wrote:
 
 My jumpbox/server firewall is currently set to forward everything, using
 `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`

This rule doesn't forward anything, it just enables masquerading.
IPv4 forwarding is enabled with sysctl net.ipv4.ip_forward=1.


Archive: https://lists.debian.org/545f5a5c.8000...@plouf.fr.eu.org
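Pascal's two replies (this one on masquerading versus forwarding, and the later request for `iptables-save -c` and `ip link`) name the three things to verify on the jumpbox: that forwarding is on in the running kernel, that the MASQUERADE rule really exists in the nat table and is matching packets, and that the interface it names (eth0) is one the host actually has. The script below is an added example, not something posted in the thread; it runs those checks offline against captured output so the result can be pasted into a reply. The sample captures are constructed; the 10.8.0.0/24 subnet and eth0 come from the rule Tom posted.

```shell
#!/bin/sh
# Added example (not from the thread): offline checker for the three things
# Pascal asks about. It reads captured output of
#   sysctl net.ipv4.ip_forward ; iptables-save -c ; ip link
# from three files, so it runs without root and without a live tunnel.
# The tunnel subnet 10.8.0.0/24 matches the server.conf posted in the thread.
#
# check_vpn_nat SYSCTL_FILE IPTSAVE_FILE IPLINK_FILE  -> 0 if all checks pass
check_vpn_nat() {
    sysctl_out=$1; ipt_out=$2; link_out=$3; rc=0

    # 1. Runtime forwarding flag. An uncommented line in /etc/sysctl.conf only
    #    takes effect after `sysctl -p` or a reboot; this is what the kernel has now.
    if grep -q '^net.ipv4.ip_forward *= *1$' "$sysctl_out"; then
        echo "ok: net.ipv4.ip_forward=1"
    else
        echo "FAIL: net.ipv4.ip_forward is not 1 (sysctl -w net.ipv4.ip_forward=1)"; rc=1
    fi

    # 2. MASQUERADE rule for the tunnel subnet in the nat table's POSTROUTING
    #    chain. `iptables -L` lists only the filter table, so it never shows this.
    rule=$(awk '/^\*nat/{t=1} /^COMMIT/{t=0}
                t && /-A POSTROUTING/ && /-s 10\.8\.0\.0\/24/ && /MASQUERADE/' "$ipt_out")
    if [ -z "$rule" ]; then
        echo "FAIL: no POSTROUTING MASQUERADE rule for 10.8.0.0/24 in the nat table"
        return 1
    fi
    echo "ok: nat rule present: $rule"

    # 3. Packet counter: iptables-save -c prefixes each rule with [packets:bytes].
    #    Zero after client traffic was sent means the rule never saw it.
    pkts=$(printf '%s\n' "$rule" | sed -n 's/^\[\([0-9]*\):[0-9]*\].*/\1/p')
    if [ "${pkts:-0}" -gt 0 ]; then
        echo "ok: rule has matched $pkts packets"
    else
        echo "FAIL: rule has matched 0 packets"; rc=1
    fi

    # 4. The outgoing interface named in the rule must exist and carry the UP flag.
    oif=$(printf '%s\n' "$rule" | sed -n 's/.*-o \([^ ]*\).*/\1/p')
    flags=$(sed -n "s/^[0-9]*: $oif: <\([^>]*\)>.*/,\1,/p" "$link_out")
    case $flags in
        *,UP,*) echo "ok: interface $oif exists and is UP" ;;
        *) echo "FAIL: interface '$oif' named in the rule is missing or down in ip link"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample captures (not real output from the poster's jumpbox).
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'net.ipv4.ip_forward = 1\n' > "$SAMPLE_DIR/sysctl.good"
printf 'net.ipv4.ip_forward = 0\n' > "$SAMPLE_DIR/sysctl.bad"
cat > "$SAMPLE_DIR/ipt.good" <<'EOF'
*nat
:PREROUTING ACCEPT [10:600]
:POSTROUTING ACCEPT [0:0]
[57:4104] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
EOF
# Rule present but never matched, and it names a NIC this host does not have.
cat > "$SAMPLE_DIR/ipt.bad" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
[0:0] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
cat > "$SAMPLE_DIR/link.good" <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
EOF
sed 's/eth0/eth1/' "$SAMPLE_DIR/link.good" > "$SAMPLE_DIR/link.bad"

echo "--- good capture ---"
check_vpn_nat "$SAMPLE_DIR/sysctl.good" "$SAMPLE_DIR/ipt.good" "$SAMPLE_DIR/link.good"
echo "--- bad capture ---"
check_vpn_nat "$SAMPLE_DIR/sysctl.bad" "$SAMPLE_DIR/ipt.bad" "$SAMPLE_DIR/link.bad" || echo "exit status $?"
```

On the server, capture the real inputs with `sysctl net.ipv4.ip_forward > s.txt; iptables-save -c > i.txt; ip link > l.txt` (as root) and pass those three files. Two points the checks encode: `iptables -L` prints only the filter table, so the listing posted in the thread says nothing about whether the nat rule exists (use `iptables -t nat -L -v` or `iptables-save -c` for that), and an uncommented line in /etc/sysctl.conf does nothing until `sysctl -p` or a reboot, so read the runtime value rather than the file.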



Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails

2014-11-09 Thread Tom Roche

summary: I have a routing problem on the server side of the VPN, as diagnosed 
by Mart van de Wege[1]: many thanks, Mart! I hope to fix that problem using these 
linode instructions[2].

details:

Tom Roche Sat, 08 Nov 2014 23:47:29 -0500 [3]
 My jumpbox/server firewall is currently set to forward everything, using 
 `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:

Pascal Hambourg Sun, 09 Nov 2014 13:13:16 +0100 [4]
 This rule doesn't forward anything, it just enables masquerading.
 IPv4 forwarding is enabled with sysctl net.ipv4.ip_forward=1.

Correct: I also have 

me@jumpbox:~$ fgrep -e 'forward' /etc/sysctl.conf
 # Uncomment the next line to enable packet forwarding for IPv4
 net.ipv4.ip_forward=1
 # Uncomment the next line to enable packet forwarding for IPv6
 #net.ipv6.conf.all.forwarding=1

on the server. Indeed I am a network newbie as previously advertised :-( In any 
case, current firewall behavior is as noted:

 me@jumpbox:~$ date ; sudo iptables -L
 Sat Nov  8 16:42:06 EST 2014
 Chain INPUT (policy ACCEPT)
 target        prot opt source    destination
 fail2ban-ssh  tcp  --  anywhere  anywhere     multiport dports ssh

 Chain FORWARD (policy ACCEPT)
 target        prot opt source    destination

 Chain OUTPUT (policy ACCEPT)
 target        prot opt source    destination

 Chain fail2ban-ssh (1 references)
 target        prot opt source    destination
 RETURN        all  --  anywhere  anywhere

Mart van de Wege Sun, 09 Nov 2014 12:02:46 +0100 [1]
 What I suspect is a routing problem on the other side of the VPN.

 Can you ping IP addresses beyond your VPN?

 What does the output of traceroute show?

Good questions! I will add these to the Debian wiki[5] because your suspicions 
are correct. Before starting OpenVPN on either the laptop/client or the 
jumpbox/server:

me@laptop:~$ date ; pgrep -l openvpn | wc -l
 Sun Nov  9 09:24:43 EST 2014
 0

me@laptop:~$ date ; ping -c 4 www.whatismyip.com
 Sun Nov  9 09:24:48 EST 2014
 PING www.whatismyip.com (141.101.120.15) 56(84) bytes of data.
 64 bytes from 141.101.120.15: icmp_seq=1 ttl=57 time=94.7 ms
 64 bytes from 141.101.120.15: icmp_seq=2 ttl=57 time=157 ms
 64 bytes from 141.101.120.15: icmp_seq=3 ttl=57 time=88.3 ms
 64 bytes from 141.101.120.15: icmp_seq=4 ttl=57 time=88.8 ms

 --- www.whatismyip.com ping statistics ---
 4 packets transmitted, 4 received, 0% packet loss, time 15621ms
 rtt min/avg/max/mdev = 88.370/107.325/157.369/29.002 ms

me@laptop:~$ date ; traceroute www.whatismyip.com
 Sun Nov  9 09:25:17 EST 2014
 traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
  1  192.168.15.1 (192.168.15.1)  0.850 ms  0.838 ms  1.378 ms
  2  71-23-64-2.clt.clearwire-wmx.net (71.23.64.2)  75.041 ms  75.040 ms  75.030 ms
  3  71.22.7.161 (71.22.7.161)  75.293 ms  75.287 ms  75.661 ms
  4  66-192-62-1.static.twtelecom.net (66.192.62.1)  75.260 ms  75.619 ms  75.600 ms
  5  ash1-pr1-xe-2-3-0-0.us.twtelecom.net (66.192.244.214)  84.267 ms  84.467 ms  84.456 ms
  6  xe-0.equinix.asbnva01.us.bb.gin.ntt.net (206.126.236.12)  84.429 ms  86.913 ms  86.863 ms
  7  ae10.ar2.iad1.us.as4436.gtt.net (69.31.31.168)  96.019 ms  96.242 ms  95.980 ms
  8  as13335.xe-7-0-3.ar1.iad1.us.as4436.gtt.net (69.31.31.90)  95.604 ms  95.585 ms as13335.xe-9-0-2.ar1.iad1.us.as4436.gtt.net (69.31.30.14)  96.170 ms
  9  * as13335.xe-7-0-3.ar1.iad1.us.as4436.gtt.net (69.31.31.90)  95.515 ms  95.520 ms
 10  141.101.120.15 (141.101.120.15)  96.397 ms  96.392 ms  95.841 ms

After starting OpenVPN on first the jumpbox/server then the laptop/client, 
off-VPN routing is indeed hosed:

me@laptop:~$ date ; pgrep -l openvpn | wc -l
 Sun Nov  9 09:31:27 EST 2014
 1

me@laptop:~$ date ; ping -c 4 www.whatismyip.com
 Sun Nov  9 09:31:33 EST 2014
 PING www.whatismyip.com (141.101.120.14) 56(84) bytes of data.

 --- www.whatismyip.com ping statistics ---
 4 packets transmitted, 0 received, 100% packet loss, time 3023ms

me@laptop:~$ date ; traceroute www.whatismyip.com
 Sun Nov  9 09:33:06 EST 2014
 traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
  1  10.8.0.1 (10.8.0.1)  99.579 ms  99.584 ms  104.230 ms
  2  * * *
...
 30  * * *

Note also that the jumpbox/server is a linode running a stock Debian (`cat 
/etc/debian_version`=='7.7'), which are apparently able to support OpenVPN, per 
these linode.com-hosted instructions[6]. They are vague in places, which made 
me switch to the Debian wiki[5], but now I suspect that I need to switch back 
to its section='Tunneling All Connections through the VPN'[2]. So I'll give 
that a try. (Eventually I prefer only to tunnel ssh and the SSL VPN through the 
OpenVPN to the cluster, so I'll probably be back later :-)

Your assistance is appreciated! Tom Roche tom_ro...@pobox.com

[1] https://lists.debian.org/debian-user/2014/11/msg00463.html
[2] 

Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails

2014-11-09 Thread Mart van de Wege
Tom Roche tom_ro...@pobox.com writes:

 summary: I have a routing problem on the server side of the VPN, as
 diagnosed by Mart van de Wege[1]: many thanks, Mart! I hope to fix that
 problem using these linode instructions[2].

No problem, I remember tearing my hair out when I ran into this in the
past, at home and at work.

Routing over VPNs is always a headache.

-- 
We will need a longer wall when the revolution comes.
--- AJS, quoting an uncertain source.


Archive: https://lists.debian.org/86ioioibma@gaheris.avalon.lan



Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails

2014-11-08 Thread Tom Roche

for completeness, added server firewall settings below:

Tom Roche Sat, 08 Nov 2014 21:07:03 -0500 
https://lists.debian.org/debian-user/2014/11/msg00440.html
 summary: I'm running [OpenVPN] from an LMDE [client through a Debian 
 jumpbox/server]. After I [start the server, start the client] most IP-based 
 applications seem to work from the client, but web browsing fails: e.g., 
 client's Firefox cannot connect to http://www.whatismyip.com/ . How to fix or 
 debug?

 details:

 (Apologies in advance if you feel this is a question better asked elsewhere. 
 If so, please let me know where to ask. The OpenVPN forums are quite slow to 
 respond in my experience, hence I'm asking here first.)

 I have a laptop running up-to-date LMDE (`cat 
 /etc/debian_version`=='jessie/sid'), including Firefox version=33.0. From 
 that laptop I need to access a compute cluster. The cluster formerly required 
 only an SSL VPN (enabled by a Firefox plugin) to access, but now has several 
 additional requirements, which I seek to satisfy by running the SSL VPN 
 through a jumpbox running an OpenVPN server. The jumpbox is a linode running 
 a vanilla Debian (`cat /etc/debian_version`=='7.7').

 Note that I have been using the laptop successfully for a few years with LMDE 
 and without network problems. Currently I have the client/laptop connected by 
 wire directly to an ISP-supplied modem/router. With `openvpn` NOT running on 
 my client/laptop, I see the following:

 * `ifconfig` shows no entry='tun0' (just the usual entries for 'eth0', 
 'lo', 'wlan0'), and shows the expected client IP# bound to 'eth0'.
 * I can `ping` my jumpbox/server using its real IP#, but cannot `ping 
 10.8.0.1`
 * I can `ssh` to my jumpbox/server using its real IP#, but cannot `ssh 
 10.8.0.1`
 * `nslookup www.whatismyip.com` gives correct results
 * browsing to http://www.whatismyip.com/ shows my client's IP# (as also shown 
 in `ifconfig`)

 Both the client and server setups are quite generic OpenVPN-wise, and are 
 almost exactly as described on the Debian wiki here

 https://wiki.debian.org/openvpn%20for%20server%20and%20client

 Note particularly that my client and server configurations are currently 
 near-exact copies of those listed at that Debian wiki page: the only changes 
 are my server IP# (obfuscated below) and the name of my client:

 me@jumpbox:~$ date ; cat /etc/openvpn/server.conf
 Sat Nov  8 16:49:00 EST 2014
 port 1194
 proto udp
 dev tun
 ca /etc/openvpn/ca.crt
 cert /etc/openvpn/server.crt
 key /etc/openvpn/server.key
 dh /etc/openvpn/dh1024.pem
 server 10.8.0.0 255.255.255.0
 ifconfig-pool-persist ipp.txt
 push "redirect-gateway def1 bypass-dhcp"
 push "dhcp-option DNS 8.8.8.8" # google public DNS
 keepalive 10 120
 comp-lzo
 user nobody
 group nogroup
 persist-key
 persist-tun
 status openvpn-status.log
 verb 3

 me@laptop:~$ date ; cat /etc/openvpn/client1.conf
 Sat Nov  8 16:51:31 EST 2014
 client
 dev tun
 proto udp
 remote ser.ver.IP.num 1194
 resolv-retry infinite
 nobind
 user nobody
 group nogroup
 persist-key
 persist-tun
 mute-replay-warnings
 ca /etc/openvpn/ca.crt
 cert /etc/openvpn/client1.crt
 key /etc/openvpn/client1.key
 ns-cert-type server
 comp-lzo
 verb 3
 up /etc/openvpn/update-resolv-conf
 down /etc/openvpn/update-resolv-conf

My jumpbox/server firewall is currently set to forward everything, using 
`iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:

me@jumpbox:~$ date ; sudo iptables -L
Sat Nov  8 16:42:06 EST 2014
Chain INPUT (policy ACCEPT)
target        prot opt source    destination
fail2ban-ssh  tcp  --  anywhere  anywhere     multiport dports ssh

Chain FORWARD (policy ACCEPT)
target        prot opt source    destination

Chain OUTPUT (policy ACCEPT)
target        prot opt source    destination

Chain fail2ban-ssh (1 references)
target        prot opt source    destination
RETURN        all  --  anywhere  anywhere

 After I start `openvpn` on first the server and then the client, I see no 
 OpenVPN errors on either the server or the client:

 me@jumpbox:~$ sudo openvpn --script-security 2 --config /etc/openvpn/server.conf
 Sat Nov  8 17:48:25 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
 Sat Nov  8 17:48:25 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
 Sat Nov  8 17:48:25 2014 Diffie-Hellman initialized with 1024 bit key
 Sat Nov  8 17:48:25 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
 Sat Nov  8 17:48:25 2014 Socket Buffers: R=[212992-131072]