Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails
For the benefit of OP with similar {concerns, interests, problems}, I have documented my process @

    https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home

Part is scripted, and part is not, but even the part that is *not* scripted provides cut'n'pasteable console input. The good news is, at this point

    https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-client-test

the server's IP# is visible from the outside world, e.g., @ http://www.whatismyip.com/ . The bad news is, this is only part of what I need, which is to run another SSL VPN through the tunnel, which is failing--more on that separately (though that may be getting OT for this list).

HTH, Tom Roche tom_ro...@pobox.com

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87r3x2sxuk@pobox.com
Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails
Tom Roche wrote:
> me@laptop:~$ date ; traceroute www.whatismyip.com
> Sun Nov 9 09:33:06 EST 2014
> traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
>  1  10.8.0.1 (10.8.0.1)  99.579 ms  99.584 ms  104.230 ms
>  2  * * *
> ...

This shows that forwarding is enabled. But packets don't get a reply after they are forwarded. Maybe the masquerading does not work as expected. What is the output of `iptables-save -c` and `ip link` on the VPN server?

Archive: https://lists.debian.org/54613845.5050...@plouf.fr.eu.org
Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails
Tom Roche tom_ro...@pobox.com writes:
> * `ifconfig` shows a new entry=`tun0`, which looks correct
> * I can `ping` the server using either its real IP# or `10.8.0.1`
> * I can `ssh` to the server using either its real IP# or `10.8.0.1`
> * `nslookup www.whatismyip.com` gives correct results

This tells me that your VPN works. What I suspect is a routing problem on the other side of the VPN. Can you ping IP addresses beyond your VPN? What does the output of traceroute show?

Mart

-- 
We will need a longer wall when the revolution comes.
--- AJS, quoting an uncertain source.

Archive: https://lists.debian.org/86ppcwiqll@gaheris.avalon.lan
Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails
Tom Roche wrote:
> My jumpbox/server firewall is currently set to forward everything, using `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`

This rule doesn't forward anything, it just enables masquerading. IPv4 forwarding is enabled with `sysctl net.ipv4.ip_forward=1`.

Archive: https://lists.debian.org/545f5a5c.8000...@plouf.fr.eu.org
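The two replies above (forwarding is a sysctl, masquerading is a nat-table rule, and the counters from `iptables-save -c` plus `ip link` tell you whether the rule is actually matching on a real interface) amount to a checklist. The script below is an added example written for this page, not code from the thread or from the Debian wiki: it parses captured `sysctl`, `iptables-save -c` and `ip link` output offline and reports which of the three pieces is missing. The sample outputs are constructed; the renamed interface (`ens3` where the rule says `eth0`) is an illustration of why `ip link` was asked for, not a claim about the OP's Linode. Note also that plain `iptables -L`, as posted, only shows the filter table, so a missing or wrong MASQUERADE rule is invisible in that output.

```python
"""Offline check of the three things a masquerading OpenVPN gateway needs:
ip_forward=1, a nat POSTROUTING MASQUERADE rule whose -o interface really
exists, and a filter FORWARD chain that lets tunnel traffic through.
Inputs are the text of `sysctl net.ipv4.ip_forward`, `iptables-save -c` and
`ip link` captured on the server. All sample data below is constructed."""
import re


def ip_forward_enabled(sysctl_out):
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", sysctl_out)
    return bool(m) and m.group(1) == "1"


def parse_iptables_save(text):
    """{table: {"policies": {chain: policy}, "rules": [(pkts_or_None, rule)]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # *nat, *filter ...
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):                    # :CHAIN POLICY [pkts:bytes]
            m = re.match(r":(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]", line)
            tables[table]["policies"][m.group(1)] = m.group(2)
        else:                                         # [pkts:bytes] -A CHAIN ... (counters optional)
            m = re.match(r"(?:\[(\d+):\d+\]\s+)?(.*)", line)
            pkts = int(m.group(1)) if m.group(1) is not None else None
            tables[table]["rules"].append((pkts, m.group(2)))
    return tables


def parse_ip_link(text):
    """{ifname: operstate} from `ip link` output."""
    pat = re.compile(r"^\d+:\s+([^:@\s]+)[^:]*:\s+<[^>]*>.*?\bstate\s+(\S+)", re.M)
    return {m.group(1): m.group(2) for m in pat.finditer(text)}


def audit_gateway(sysctl_out, iptables_out, ip_link_out, vpn_net="10.8.0.0/24"):
    """Return human-readable findings; an empty list means the gateway looks sane."""
    findings = []
    if not ip_forward_enabled(sysctl_out):
        findings.append("net.ipv4.ip_forward != 1: the kernel will not forward tun0 traffic")
    tables = parse_iptables_save(iptables_out)
    links = parse_ip_link(ip_link_out)
    masq = [(p, r) for p, r in tables.get("nat", {"rules": []})["rules"]
            if r.startswith("-A POSTROUTING") and "-j MASQUERADE" in r]
    if not masq:
        findings.append("no POSTROUTING MASQUERADE rule in the nat table "
                        "(plain `iptables -L` never shows it; use `iptables -t nat -L -v`)")
    for pkts, rule in masq:
        out_if = re.search(r"\s-o\s+(\S+)", rule)
        if out_if and out_if.group(1) not in links:
            findings.append(f"MASQUERADE rule names -o {out_if.group(1)} but `ip link` has only: "
                            + ", ".join(sorted(links)))
        src = re.search(r"\s-s\s+(\S+)", rule)
        if src and src.group(1) != vpn_net:
            findings.append(f"MASQUERADE rule matches -s {src.group(1)}, not the VPN subnet {vpn_net}")
        if pkts == 0:
            findings.append(f"MASQUERADE rule has matched 0 packets: {rule}")
    filt = tables.get("filter")
    if filt and filt["policies"].get("FORWARD") == "DROP" and not any(
            r.startswith("-A FORWARD") and "-j ACCEPT" in r for _, r in filt["rules"]):
        findings.append("FORWARD policy is DROP with no ACCEPT rule: forwarded packets are discarded")
    return findings


# Constructed samples: the posted filter table plus a nat table whose MASQUERADE
# rule names eth0 and has matched nothing, on a box whose NIC is called ens3.
SYSCTL_OK = "net.ipv4.ip_forward = 1\n"
IPTABLES_BROKEN = """\
# Generated by iptables-save v1.4.14 on Sun Nov  9 14:00:00 2014
*nat
:PREROUTING ACCEPT [120:8400]
:INPUT ACCEPT [20:1400]
:OUTPUT ACCEPT [30:2100]
:POSTROUTING ACCEPT [130:9100]
[0:0] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [5120:612000]
:FORWARD ACCEPT [96:8064]
:OUTPUT ACCEPT [4800:570000]
:fail2ban-ssh - [0:0]
[312:18720] -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
[312:18720] -A fail2ban-ssh -j RETURN
COMMIT
"""
IPTABLES_GOOD = (IPTABLES_BROKEN.replace("[0:0] -A POSTROUTING", "[96:8064] -A POSTROUTING")
                 .replace("-o eth0", "-o ens3"))
IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 100
    link/none
"""

if __name__ == "__main__":
    for label, ipt in (("broken", IPTABLES_BROKEN), ("good", IPTABLES_GOOD)):
        print(label, audit_gateway(SYSCTL_OK, ipt, IP_LINK) or ["ok"])
```

On a live server the same three inputs come from `sysctl net.ipv4.ip_forward`, `sudo iptables-save -c` and `ip link`; a MASQUERADE counter that stays at zero while the client's traceroute dies after 10.8.0.1 is the quickest confirmation that the nat rule is not the one the packets are hitting.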
Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails
summary: I have a routing problem on the server side of the VPN, as diagnosed by Mart van de Wege[1]: many thanks, Mart! I hope to fix that problem using these linode instructions[2].

details:

Tom Roche Sat, 08 Nov 2014 23:47:29 -0500 [3]
>> My jumpbox/server firewall is currently set to forward everything, using `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:

Pascal Hambourg Sun, 09 Nov 2014 13:13:16 +0100 [4]
> This rule doesn't forward anything, it just enables masquerading. IPv4 forwarding is enabled with sysctl net.ipv4.ip_forward=1.

Correct: I also have

    me@jumpbox:~$ fgrep -e 'forward' /etc/sysctl.conf
    # Uncomment the next line to enable packet forwarding for IPv4
    net.ipv4.ip_forward=1
    # Uncomment the next line to enable packet forwarding for IPv6
    #net.ipv6.conf.all.forwarding=1

on the server. Indeed I am a network newbie as previously advertised :-( In any case, current firewall behavior is as noted:

    me@jumpbox:~$ date ; sudo iptables -L
    Sat Nov 8 16:42:06 EST 2014
    Chain INPUT (policy ACCEPT)
    target        prot opt source      destination
    fail2ban-ssh  tcp  --  anywhere    anywhere      multiport dports ssh

    Chain FORWARD (policy ACCEPT)
    target        prot opt source      destination

    Chain OUTPUT (policy ACCEPT)
    target        prot opt source      destination

    Chain fail2ban-ssh (1 references)
    target        prot opt source      destination
    RETURN        all  --  anywhere    anywhere

Mart van de Wege Sun, 09 Nov 2014 12:02:46 +0100 [1]
> What I suspect is a routing problem on the other side of the VPN. Can you ping IP addresses beyond your VPN? What does the output of traceroute show?

Good questions! I will add these to the Debian wiki[5] because your suspicions are correct. Before starting OpenVPN on either the laptop/client or the jumpbox/server:

    me@laptop:~$ date ; pgrep -l openvpn | wc -l
    Sun Nov 9 09:24:43 EST 2014
    0
    me@laptop:~$ date ; ping -c 4 www.whatismyip.com
    Sun Nov 9 09:24:48 EST 2014
    PING www.whatismyip.com (141.101.120.15) 56(84) bytes of data.
    64 bytes from 141.101.120.15: icmp_seq=1 ttl=57 time=94.7 ms
    64 bytes from 141.101.120.15: icmp_seq=2 ttl=57 time=157 ms
    64 bytes from 141.101.120.15: icmp_seq=3 ttl=57 time=88.3 ms
    64 bytes from 141.101.120.15: icmp_seq=4 ttl=57 time=88.8 ms

    --- www.whatismyip.com ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 15621ms
    rtt min/avg/max/mdev = 88.370/107.325/157.369/29.002 ms
    me@laptop:~$ date ; traceroute www.whatismyip.com
    Sun Nov 9 09:25:17 EST 2014
    traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
     1  192.168.15.1 (192.168.15.1)  0.850 ms  0.838 ms  1.378 ms
     2  71-23-64-2.clt.clearwire-wmx.net (71.23.64.2)  75.041 ms  75.040 ms  75.030 ms
     3  71.22.7.161 (71.22.7.161)  75.293 ms  75.287 ms  75.661 ms
     4  66-192-62-1.static.twtelecom.net (66.192.62.1)  75.260 ms  75.619 ms  75.600 ms
     5  ash1-pr1-xe-2-3-0-0.us.twtelecom.net (66.192.244.214)  84.267 ms  84.467 ms  84.456 ms
     6  xe-0.equinix.asbnva01.us.bb.gin.ntt.net (206.126.236.12)  84.429 ms  86.913 ms  86.863 ms
     7  ae10.ar2.iad1.us.as4436.gtt.net (69.31.31.168)  96.019 ms  96.242 ms  95.980 ms
     8  as13335.xe-7-0-3.ar1.iad1.us.as4436.gtt.net (69.31.31.90)  95.604 ms  95.585 ms as13335.xe-9-0-2.ar1.iad1.us.as4436.gtt.net (69.31.30.14)  96.170 ms
     9  * as13335.xe-7-0-3.ar1.iad1.us.as4436.gtt.net (69.31.31.90)  95.515 ms  95.520 ms
    10  141.101.120.15 (141.101.120.15)  96.397 ms  96.392 ms  95.841 ms

After starting OpenVPN on first the jumpbox/server then the laptop/client, off-VPN routing is indeed hosed:

    me@laptop:~$ date ; pgrep -l openvpn | wc -l
    Sun Nov 9 09:31:27 EST 2014
    1
    me@laptop:~$ date ; ping -c 4 www.whatismyip.com
    Sun Nov 9 09:31:33 EST 2014
    PING www.whatismyip.com (141.101.120.14) 56(84) bytes of data.

    --- www.whatismyip.com ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3023ms
    me@laptop:~$ date ; traceroute www.whatismyip.com
    Sun Nov 9 09:33:06 EST 2014
    traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
     1  10.8.0.1 (10.8.0.1)  99.579 ms  99.584 ms  104.230 ms
     2  * * *
    ...
    30  * * *

Note also that the jumpbox/server is a linode running a stock Debian (`cat /etc/debian_version`=='7.7'), which are apparently able to support OpenVPN, per these linode.com-hosted instructions[6]. They are vague in places, which made me switch to the Debian wiki[5], but now I suspect that I need to switch back to its section='Tunneling All Connections through the VPN'[2]. So I'll give that a try. (Eventually I prefer only to tunnel ssh and the SSL VPN through the OpenVPN to the cluster, so I'll probably be back later :-)

Your assistance is appreciated! Tom Roche tom_ro...@pobox.com

[1] https://lists.debian.org/debian-user/2014/11/msg00463.html
[2]
Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails
Tom Roche tom_ro...@pobox.com writes:
> summary: I have a routing problem on the server side of the VPN, as diagnosed by Mart van de Wege[1]: many thanks, Mart! I hope to fix that problem using these linode instructions[2].

No problem, I remember tearing my hair out when I ran into this in the past, at home and at work. Routing over VPNs is always a headache.

-- 
We will need a longer wall when the revolution comes.
--- AJS, quoting an uncertain source.

Archive: https://lists.debian.org/86ioioibma@gaheris.avalon.lan
Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails
for completeness, added server firewall settings below:

Tom Roche Sat, 08 Nov 2014 21:07:03 -0500 https://lists.debian.org/debian-user/2014/11/msg00440.html

summary: I'm running [OpenVPN] from an LMDE [client through a Debian jumpbox/server]. After I [start the server, start the client] most IP-based applications seem to work from the client, but web browsing fails: e.g., client's Firefox cannot connect to http://www.whatismyip.com/ . How to fix or debug?

details:

(Apologies in advance if you feel this is a question better asked elsewhere. If so, please let me know where to ask. The OpenVPN forums are quite slow to respond in my experience, hence I'm asking here first.)

I have a laptop running up-to-date LMDE (`cat /etc/debian_version`=='jessie/sid'), including Firefox version=33.0. From that laptop I need to access a compute cluster. The cluster formerly required only an SSL VPN (enabled by a Firefox plugin) to access, but now has several additional requirements, which I seek to satisfy by running the SSL VPN through a jumpbox running an OpenVPN server. The jumpbox is a linode running a vanilla Debian (`cat /etc/debian_version`=='7.7').

Note that I have been using the laptop successfully for a few years with LMDE and without network problems. Currently I have the client/laptop connected by wire directly to an ISP-supplied modem/router. With `openvpn` NOT running on my client/laptop, I see the following:

* `ifconfig` shows no entry='tun0' (just the usual entries for 'eth0', 'lo', 'wlan0'), and shows the expected client IP# bound to 'eth0'.
* I can `ping` my jumpbox/server using its real IP#, but cannot `ping 10.8.0.1`
* I can `ssh` to my jumpbox/server using its real IP#, but cannot `ssh 10.8.0.1`
* `nslookup www.whatismyip.com` gives correct results
* browsing to http://www.whatismyip.com/ shows my client's IP# (as also shown in `ifconfig`)

Both the client and server setups are quite generic OpenVPN-wise, and are almost exactly as described on the Debian wiki here

    https://wiki.debian.org/openvpn%20for%20server%20and%20client

Note particularly that my client and server configurations are currently near-exact copies of those listed at that Debian wiki page: the only changes are my server IP# (obfuscated below) and the name of my client:

    me@jumpbox:~$ date ; cat /etc/openvpn/server.conf
    Sat Nov 8 16:49:00 EST 2014
    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/server.crt
    key /etc/openvpn/server.key
    dh /etc/openvpn/dh1024.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8" # google public DNS
    keepalive 10 120
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

    me@laptop:~$ date ; cat /etc/openvpn/client1.conf
    Sat Nov 8 16:51:31 EST 2014
    client
    dev tun
    proto udp
    remote ser.ver.IP.num 1194
    resolv-retry infinite
    nobind
    user nobody
    group nogroup
    persist-key
    persist-tun
    mute-replay-warnings
    ca /etc/openvpn/ca.crt
    cert /etc/openvpn/client1.crt
    key /etc/openvpn/client1.key
    ns-cert-type server
    comp-lzo
    verb 3
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

My jumpbox/server firewall is currently set to forward everything, using `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:

    me@jumpbox:~$ date ; sudo iptables -L
    Sat Nov 8 16:42:06 EST 2014
    Chain INPUT (policy ACCEPT)
    target        prot opt source      destination
    fail2ban-ssh  tcp  --  anywhere    anywhere      multiport dports ssh

    Chain FORWARD (policy ACCEPT)
    target        prot opt source      destination

    Chain OUTPUT (policy ACCEPT)
    target        prot opt source      destination

    Chain fail2ban-ssh (1 references)
    target        prot opt source      destination
    RETURN        all  --  anywhere    anywhere

After I start `openvpn` on first the server and then the client, I see no OpenVPN errors on either the server or the client:

    me@jumpbox:~$ sudo openvpn --script-security 2 --config /etc/openvpn/server.conf
    Sat Nov 8 17:48:25 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jun 18 2013
    Sat Nov 8 17:48:25 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Sat Nov 8 17:48:25 2014 Diffie-Hellman initialized with 1024 bit key
    Sat Nov 8 17:48:25 2014 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Sat Nov 8 17:48:25 2014 Socket Buffers: R=[212992-131072]
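The configs posted above explain the symptom as much as the firewall does: `push "redirect-gateway def1 bypass-dhcp"` makes the client send all of its traffic into the tunnel, so once the server fails to forward and NAT it, everything except the server itself (ping and ssh to 10.8.0.1 and the real IP, which never need forwarding) goes dark. The same two files also carry several transport-security defaults a reviewer would flag (1024-bit DH, `comp-lzo`, no `tls-auth`, no explicit `cipher`, so the 2.2.x default of BF-CBC applies). The linter below is an added example written for this page, not code from the thread or the Debian wiki; it parses OpenVPN's simple directive syntax and reports those points. The embedded configs are the ones posted in the message above.

```python
"""Lint OpenVPN 2.x server/client configs for the directives that decide where
client traffic goes (redirect-gateway) and how well the tunnel is protected.
Added example for this page; the two sample configs are the ones posted in
the thread, with the quotes on the push lines restored."""
import shlex


def parse_openvpn_conf(text):
    """Return [(directive, [args])]; '#' and ';' begin comments, quotes group args."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def lint_openvpn(text):
    """Return [(severity, message)] in a fixed order so results are comparable."""
    entries = parse_openvpn_conf(text)
    names = {d for d, _ in entries}
    pushes = [" ".join(a) for d, a in entries if d == "push"]
    out = []
    if any(p.startswith("redirect-gateway") for p in pushes):
        out.append(("info", "redirect-gateway is pushed: the client routes ALL traffic into the tunnel, "
                            "so the server must forward and NAT it or every non-VPN destination dies"))
    for d, a in entries:
        if d == "dh" and a and "1024" in a[0]:   # file name is the only hint available offline
            out.append(("weak", f"dh {a[0]}: 1024-bit DH parameters; regenerate with 2048 bits or more"))
    if "comp-lzo" in names:
        out.append(("weak", "comp-lzo: compressing tunnelled data leaks plaintext length "
                            "(compression-oracle attacks); remove it on both ends"))
    if not names & {"tls-auth", "tls-crypt"}:
        out.append(("weak", "no tls-auth/tls-crypt: unauthenticated UDP packets reach the TLS "
                            "handshake code; add a shared tls-auth key on both ends"))
    if "cipher" not in names:
        out.append(("weak", "no cipher directive: OpenVPN before 2.4 defaults to BF-CBC "
                            "(64-bit block); set e.g. cipher AES-256-CBC on both ends"))
    if "client" in names and "ns-cert-type" in names and "remote-cert-tls" not in names:
        out.append(("info", "ns-cert-type is deprecated; use remote-cert-tls server"))
    return out


SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8" # google public DNS
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote ser.ver.IP.num 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client1.crt
key /etc/openvpn/client1.key
ns-cert-type server
comp-lzo
verb 3
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
"""

if __name__ == "__main__":
    for label, conf in (("server.conf", SERVER_CONF), ("client1.conf", CLIENT_CONF)):
        for sev, msg in lint_openvpn(conf):
            print(f"{label}: [{sev}] {msg}")
```

The `redirect-gateway` finding is informational because full-tunnel is what the OP wants; it is listed because it is the reason a server-side NAT fault shows up as "everything except ssh to the jumpbox is broken" rather than as a partial outage.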