Re: network newbie seeks assistance debugging iptables for VPN tunnel
Tom Roche wrote:

> 1. Several years ago (when I was first struggling with getting the F5NAP to work directly[6]), I tried to find a headless alternative (e.g., something like a NetworkManager plugin), but was told by F5 that there was no such client for linux (at least, with the make/model of F5VPN that the agency had installed).

While reading this thread I did a quick search and found this 3rd party contribution from another person struggling with F5 access.

https://fuhm.net/software/f5vpn-login/README

I am not associated in any way. I have never used F5 software. I only suggest the above because it seems like it might be useful to you.

I have struggled with proprietary company access many times. Sometimes successfully. Sometimes not.

I wish you good luck!

Bob
Re: network newbie seeks assistance debugging iptables for VPN tunnel
Back to this task after long detours! well, almost:

Matt Ventura Fri, 23 Jan 2015 12:47:21 -0800 [1]
> The F5 VPN is throwing its default route over the original one, and that's causing traffic to the OpenVPN server to try to route over the F5 VPN. Obviously this doesn't work because the traffic to the F5 VPN needs to go through the OpenVPN link, so it becomes circular. What you need to do is add a route, something like:
>
>     route add <external IP of OpenVPN server> gw 192.168.1.1 dev eth0
>
> so that the traffic to the OpenVPN server can be routed properly.

Sven Hartge Fri, 23 Jan 2015 21:53:35 +0100 [2] (tweaked)
> That would complete the VPN Trinity:
> * one route 0/1
> * one route 128/1
> * one host route to the other VPN endpoint (making it reachable regardless of other routes)

I will give that a shot ... after I take care of a bit more real life :-(

Meanwhile, I have uploaded a new'n'improved client_networking_investigation.txt[3] (improved notably by my increasing facility with `ip` syntax). However it presently lacks

- your routing advice above
- scripting of connectivity checks (e.g., `ping`, `nslookup`), which I will add (feel free to suggest others).

I'm especially interested in the 'zombie routes' (i.e., I del a route, it disappears from `ip route show`, then reappears later) and other network-restoration oddities I'm observing (see states 5-8[3]), so I'd be especially interested in knowing how to prevent that. (I suspect it's due to my crude manner of starting/stopping OpenVPN on the client, but ICBW.)

Your assistance is appreciated!
Tom Roche tom_ro...@pobox.com

[1]: https://lists.debian.org/debian-user/2015/01/msg00830.html
[2]: https://lists.debian.org/debian-user/2015/01/msg00831.html
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87egqlrx06@pobox.com
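The routing fix Matt and Sven describe above, as an added example that is not part of the thread: a small POSIX shell script that reads a `route -n` style table and checks for the three routes Sven calls the VPN Trinity (0/1, 128/1, and a /32 host route to the far VPN endpoint that leaves via the physical interface), then prints the route command that would complete it. The sample table is the one Tom posted after the F5 VPN came up; the OpenVPN server address 203.0.113.10 and the LAN gateway/interface are placeholders I have assumed, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check a client routing table for the
# "VPN trinity" and print the missing host route rather than applying it.

# Constructed sample: Tom's `route -n` output with the F5 VPN (ppp0) up on
# top of the OpenVPN link (tun0). The only /32 present is to the F5 endpoint
# via tun0; nothing pins the OpenVPN server itself to the physical link.
SAMPLE_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.144.0.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
128.0.0.0       10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
134.67.15.30    10.8.0.5        255.255.255.255 UGH   1      0        0 tun0'

# Assumed placeholders (not from the thread): public address of the linode
# running the OpenVPN server, and the laptop's physical gateway/interface.
OPENVPN_SERVER=203.0.113.10
LAN_GATEWAY=192.168.1.1
LAN_IFACE=eth0

# has_route TABLE DEST GENMASK -> exit 0 if a row with that dest/mask exists
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v m="$3" \
        '$1 == d && $3 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# host_route_iface TABLE DEST -> prints the interface of the /32 route to DEST
# (empty output if there is none)
host_route_iface() {
    printf '%s\n' "$1" | awk -v d="$2" \
        '$1 == d && $3 == "255.255.255.255" { print $NF; exit }'
}

# check_vpn_trinity TABLE SERVER_IP -> "ok", or "missing:" plus what is absent.
# The 0/1 + 128/1 pair may belong to either VPN; what matters for the loop
# Matt describes is that SERVER_IP has its own /32 out of the physical NIC.
check_vpn_trinity() {
    table=$1; server=$2; missing=""
    has_route "$table" 0.0.0.0   128.0.0.0 || missing="$missing 0/1"
    has_route "$table" 128.0.0.0 128.0.0.0 || missing="$missing 128/1"
    via=$(host_route_iface "$table" "$server")
    if [ -z "$via" ]; then
        missing="$missing host-route-to-$server"
    elif [ "$via" != "$LAN_IFACE" ]; then
        missing="$missing host-route-to-$server-via-$via-not-$LAN_IFACE"
    fi
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# fix_command SERVER_IP -> the `ip` form of Matt's suggested route, printed so
# it can be reviewed before being run as root.
fix_command() {
    echo "ip route add $1/32 via $LAN_GATEWAY dev $LAN_IFACE"
}

main() {
    result=$(check_vpn_trinity "$SAMPLE_TABLE" "$OPENVPN_SERVER")
    echo "$result"
    case $result in ok) ;; *) fix_command "$OPENVPN_SERVER" ;; esac
}
main
```

On the sample table the script reports the missing host route and prints the `ip route add` line; re-run with a table that carries a `203.0.113.10 ... 255.255.255.255 ... eth0` row and it reports `ok`. Because the /32 is more specific than either /1, it wins regardless of which VPN rewrites the default route later, which is exactly why Sven describes it as the third leg of the trinity.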
Re: network newbie seeks assistance debugging iptables for VPN tunnel
On 1/22/2015 9:43 AM, Tom Roche wrote:
> summary: Smells like progress! If I'm guessing correctly, the `route` changes imposed by connecting to the F5VPN[3] are conflicting with my server/jumpbox's current `iptables` (through which my client seeks to tunnel[7]). Does that claim seem warranted? If so, how to fix the server firewall?
>
> details:
>
> Matt Ventura Wed, 21 Jan 2015 09:58:38 -0800 [1]
> > First thing to check would be the routing table while the VPN is active.
>
> Tom Roche Wed, 21 Jan 2015 16:33:43 -0500 [2]
> > The `route -n` for while the OpenVPN connection is active is here[3], which is part of a longer section[4] with all the gory details ...
>
> Matt Ventura Wed, 21 Jan 2015 22:18:57 -0800 [5]
> > I meant the routing table when the F5 VPN is active, when the connectivity breaks.
>
> The bad news is, I should have realized that :-) The good news is, that seems quite revealing, esp in the now-upgraded context of the revised connectivity-debugging scenario[3] (which I also reran to verify results): connecting to the F5VPN (after logging into the remote-access website) creates an interface=ppp0 and extensively rewrites the routing table!
>
> https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
>
>     ### 4. After connecting to F5VPN (requires login to remote-access website)
>     ...
>     me@client:~$ date ; sudo route -n
>     Thu Jan 22 11:48:48 EST 2015
>     Kernel IP routing table
>     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>     0.0.0.0         10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
>     0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
>     10.144.0.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
>     128.0.0.0       10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
>     134.67.15.30    10.8.0.5        255.255.255.255 UGH   1      0        0 tun0
>
> So now I'm guessing that:
>
> 1. (from `whois 134.67.15.30`) 134.67.15.30 is the agency's VPN server.
> 2. I need to reconcile the above `route`ing with my server's current firewall config[6]:
>
> https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt
>
>     Chain INPUT (policy ACCEPT)
>     target       prot opt source               destination
>     fail2ban-ssh tcp  --  anywhere             anywhere             multiport dports ssh
>     ACCEPT       all  --  anywhere             anywhere
>     ACCEPT       all  --  anywhere             anywhere
>
>     Chain FORWARD (policy ACCEPT)
>     target       prot opt source               destination
>     ACCEPT       all  --  anywhere             anywhere             state RELATED,ESTABLISHED
>     ACCEPT       all  --  10.8.0.0/24          anywhere
>     REJECT       all  --  anywhere             anywhere             reject-with icmp-port-unreachable
>     ACCEPT       all  --  anywhere             anywhere
>     ACCEPT       all  --  anywhere             anywhere
>
>     Chain OUTPUT (policy ACCEPT)
>     target       prot opt source               destination
>
>     Chain fail2ban-ssh (1 references)
>     target       prot opt source               destination
>     DROP         all  --  222.186.34.202       anywhere
>     RETURN       all  --  anywhere             anywhere
>
> So my questions are:
>
> 1. Am I guessing correctly?
> 2. If so, how to reconcile the `route`ing change imposed by the F5VPN with my server's current firewall config[6]?
>
> Thanks again for your prompt assistance,
> Tom Roche tom_ro...@pobox.com
>
> [1]: https://lists.debian.org/debian-user/2015/01/msg00733.html
> [2]: https://lists.debian.org/debian-user/2015/01/msg00744.html
> [3]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
> [4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-dns-problem
> [5]: https://lists.debian.org/debian-user/2015/01/msg00761.html
> [6]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt
> [7]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution

I'm assuming ppp0 is the F5 VPN interface. Try deleting the first entry in the routing table after bringing up the F5 VPN (something like 'route del default ppp0' if memory serves) and see if it fixes the problem. This will probably break connectivity to the VPN until you restart it, but see if you can access the internet in general.

Also, another option would be to simply run the F5 VPN client on the linode.

Matt Ventura

Archive: https://lists.debian.org/54c1485e.2060...@mattventura.net
Re: network newbie seeks assistance debugging iptables for VPN tunnel
Tom Roche Thu, 22 Jan 2015 12:43:17 -0500 [1]
> summary: Smells like progress! If I'm guessing correctly, the `route` changes imposed by connecting to the F5VPN[2] are conflicting with my server/jumpbox's current `iptables`[3] (through which my client seeks to tunnel[4]). Does that claim seem warranted? If so, how to fix the server firewall?

Matt Ventura Thu, 22 Jan 2015 10:58:38 -0800 [5] (rearranged)
> another option would be to simply run the F5 VPN client on the linode.

Alas, no:

1. Several years ago (when I was first struggling with getting the F5NAP to work directly[6]), I tried to find a headless alternative (e.g., something like a NetworkManager plugin), but was told by F5 that there was no such client for linux (at least, with the make/model of F5VPN that the agency had installed).
2. Several months ago (when linode.com was first recommended to me), I was sternly warned that linodes prefer to be run headless, and that running Firefox on a linode would be expensive and painful, if it worked at all.

> I'm assuming ppp0 is the F5 VPN interface.

Me, too: connecting to the F5VPN[2] creates that interface on the client, and disconnecting from the F5VPN removes it from the client.

> Try deleting the first entry in the routing table after bringing up the F5 VPN (something like 'route del default ppp0' if memory serves)

will check

> and see if it fixes the problem. This will probably break connectivity to the VPN until you restart it, but see if you can access the internet in general.

Will do. I've got an appt, but will be back soonest.

Thanks in advance!
Hoping soon to get back to work on my *real* project,
Tom Roche tom_ro...@pobox.com

[1]: https://lists.debian.org/debian-user/2015/01/msg00774.html
[2]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[5]: https://lists.debian.org/debian-user/2015/01/msg00779.html
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap

Archive: https://lists.debian.org/87mw5asg8x@pobox.com
Re: network newbie seeks assistance debugging iptables for VPN tunnel
summary: Smells like progress! If I'm guessing correctly, the `route` changes imposed by connecting to the F5VPN[3] are conflicting with my server/jumpbox's current `iptables` (through which my client seeks to tunnel[7]). Does that claim seem warranted? If so, how to fix the server firewall?

details:

Matt Ventura Wed, 21 Jan 2015 09:58:38 -0800 [1]
> First thing to check would be the routing table while the VPN is active.

Tom Roche Wed, 21 Jan 2015 16:33:43 -0500 [2]
> The `route -n` for while the OpenVPN connection is active is here[3], which is part of a longer section[4] with all the gory details ...

Matt Ventura Wed, 21 Jan 2015 22:18:57 -0800 [5]
> I meant the routing table when the F5 VPN is active, when the connectivity breaks.

The bad news is, I should have realized that :-) The good news is, that seems quite revealing, esp in the now-upgraded context of the revised connectivity-debugging scenario[3] (which I also reran to verify results): connecting to the F5VPN (after logging into the remote-access website) creates an interface=ppp0 and extensively rewrites the routing table!

https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt

    ### 4. After connecting to F5VPN (requires login to remote-access website)
    ...
    me@client:~$ date ; sudo route -n
    Thu Jan 22 11:48:48 EST 2015
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
    10.144.0.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
    128.0.0.0       10.144.15.100   128.0.0.0       UG    1      0        0 ppp0
    134.67.15.30    10.8.0.5        255.255.255.255 UGH   1      0        0 tun0

So now I'm guessing that:

1. (from `whois 134.67.15.30`) 134.67.15.30 is the agency's VPN server.
2. I need to reconcile the above `route`ing with my server's current firewall config[6]:

https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt

    Chain INPUT (policy ACCEPT)
    target       prot opt source               destination
    fail2ban-ssh tcp  --  anywhere             anywhere             multiport dports ssh
    ACCEPT       all  --  anywhere             anywhere
    ACCEPT       all  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target       prot opt source               destination
    ACCEPT       all  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT       all  --  10.8.0.0/24          anywhere
    REJECT       all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    ACCEPT       all  --  anywhere             anywhere
    ACCEPT       all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target       prot opt source               destination

    Chain fail2ban-ssh (1 references)
    target       prot opt source               destination
    DROP         all  --  222.186.34.202       anywhere
    RETURN       all  --  anywhere             anywhere

So my questions are:

1. Am I guessing correctly?
2. If so, how to reconcile the `route`ing change imposed by the F5VPN with my server's current firewall config[6]?

Thanks again for your prompt assistance,
Tom Roche tom_ro...@pobox.com

[1]: https://lists.debian.org/debian-user/2015/01/msg00733.html
[2]: https://lists.debian.org/debian-user/2015/01/msg00744.html
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-dns-problem
[5]: https://lists.debian.org/debian-user/2015/01/msg00761.html
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt
[7]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution

Archive: https://lists.debian.org/87ppa6socq@pobox.com
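Tom asks whether the server's `iptables` listing needs reconciling with the new routes. One check a practitioner would run on a listing like the one above, added here as an example that is not part of the thread, is a scan for rules that can never match: in the FORWARD chain the `REJECT all -- anywhere anywhere` sits before two `ACCEPT all` rules, so those two are dead, and the same pattern appears in INPUT. The script below reads `iptables -L` output (Tom's listing is embedded as the constructed sample) and reports every rule shadowed by an earlier catch-all with a terminal target.

```shell
#!/bin/sh
# Added example (not from the thread): find rules in `iptables -L` output that
# are unreachable because an earlier rule in the same chain already matches
# every packet and terminates evaluation.

# Constructed sample: the server_iptables_L.txt listing Tom posted.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target       prot opt source               destination
fail2ban-ssh tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT       all  --  anywhere             anywhere
ACCEPT       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target       prot opt source               destination
ACCEPT       all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT       all  --  10.8.0.0/24          anywhere
REJECT       all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT       all  --  anywhere             anywhere
ACCEPT       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target       prot opt source               destination

Chain fail2ban-ssh (1 references)
target       prot opt source               destination
DROP         all  --  222.186.34.202       anywhere
RETURN       all  --  anywhere             anywhere'

# shadowed_rules LISTING -> one "CHAIN:RULENUM:TARGET" line per unreachable rule.
# A rule is a catch-all when prot is "all", source and destination are
# "anywhere", and there is no match extension after the destination column
# (a trailing "reject-with X" is a target option, not a match, so it is
# ignored). Once a catch-all with a terminal target is seen, every later rule
# in that chain is reported.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /          { chain = $2; n = 0; blocked = 0; next }
        /^target / || /^$/ { next }
        {
            n++
            if (blocked) { print chain ":" n ":" $1; next }
            extra = NF - 5                    # columns beyond "destination"
            if ($6 == "reject-with") extra -= 2
            catchall = ($2 == "all" && $4 == "anywhere" && $5 == "anywhere" && extra == 0)
            terminal = ($1 == "ACCEPT" || $1 == "DROP" || $1 == "REJECT")
            if (catchall && terminal) blocked = 1
        }'
}

# shadowed_count LISTING -> number of unreachable rules (0 when the chains are clean)
shadowed_count() {
    shadowed_rules "$1" | grep -c .
}

main() {
    shadowed_rules "$SAMPLE_IPTABLES"
    echo "unreachable rules: $(shadowed_count "$SAMPLE_IPTABLES")"
}
main
```

On Tom's listing it reports INPUT rule 3 and FORWARD rules 4 and 5. That does not by itself explain the lost connectivity (the FORWARD chain still accepts everything from 10.8.0.0/24, which is the OpenVPN subnet), but dead rules are a sign that the ruleset was edited incrementally and is worth reading in order, with `iptables -L -v -n --line-numbers`, before adding anything to it.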
network newbie seeks assistance debugging iptables for VPN tunnel
[note: following contains ASCII art in the middle, and footnoted links at the end]

summary: I need to tunnel one SSL VPN (F5, running on one debian host) through another (OpenVPN, running on another debian host), but lose networking (e.g., `ping`) after the F5 VPN connects. I'm not sure whether this is due to my firewall/iptables or VPN configuration, but suspect the former. Unfortunately I am not knowledgeable regarding networking, so I'd appreciate any assistance you could provide.

details:

I need to remotely (off the physical LAN) SSH into some firewalled compute clusters to do environmental modeling (e.g., this[1]). Formerly I could do this from my debian laptop using the cluster-provider-mandated F5VPN[2]. However, access policy changed[3] (notably to require a single registered IP#), so I can no longer do this directly (i.e., just running the F5VPN from my laptop). I seek to adapt to the new policy (and resume work on my project) by implementing a VPN tunnel through a debian linode. Design details here[4], but my design can be roughly summarized with the following ASCII art (appropriately rendered here[4]):

    ------------MY CONTROL------------    ------AGENCY CONTROLLED------
                                                     firewall
    +--------------+     +--------------+     +---------------+  |  +-----------+
    | laptop +     |     | linode +     |     | remote-access |  |  | cluster   |
    | F5NAP +      | --  | OpenVPN +    | --  | website +     | -|- | node(s)   |
    | OpenVPN      |     | security     |     | F5VPN         |  |  |           |
    +--------------+     +--------------+     +---------------+  |  +-----------+

(Implementation details here[5])

The good news is, the following sequence works: I can

1. start an OpenVPN server on the linode[6]
2. start an OpenVPN client on my laptop[7], after which http://www.whatismyip.com shows the IP# of my linode (which is registered)
3. start the F5VPN client (an F5NAP'ed Firefox[8]), and from that still see my linode's IP#.
4. using the F5VPN client, login to the agency's remote-access website, and bring up the F5VPN's control UI (e.g., to start/stop/logout).

The bad news is[9], as soon as I start the F5VPN, and see status==Connected in its web UI, I lose IP networking. I had originally thought this was just a DNS problem, but I cannot even `ping` IP#s, e.g.,

    $ ping -c 4 141.101.120.15 # == www.whatismyip.com
    PING 141.101.120.15 (141.101.120.15) 56(84) bytes of data.

    --- 141.101.120.15 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3022ms

(The only consolation here is that the network failure kills the tunnel, which causes my client to regain its networking ... but also its access to the registered IP#.)

I had thought that this problem was due to OpenVPN misconfiguration on my part, but now suspect that I need to tweak my server firewall[10] (which is `iptables`, running on Debian 7.8) in order to allow my OpenVPN configuration to work. Unfortunately I don't know enough about IP/TCP/UDP/Linux/Debian networking, so I'd appreciate assistance from someone more knowledgeable. Apologies if this is a FAQ or LMGTFY, but my websearches have not found anything that seems to match my usecase. Pointers to doc or other educational resources are also appreciated.

TIA, Tom Roche tom_ro...@pobox.com

[1]: https://bitbucket.org/tlroche/aqmeii-na_n2o/wiki/Home
[2]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5vpn-only-access
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-aug-2014-policy-change
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[5]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-id6
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-test-server-startup
[7]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-test-client-startup
[8]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap
[9]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-network-problem
[10]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt

Archive: https://lists.debian.org/87vbk0rpkj@pobox.com
Re: network newbie seeks assistance debugging iptables for VPN tunnel
On 1/21/2015 9:50 AM, Tom Roche wrote:
> [note: following contains ASCII art in the middle, and footnoted links at the end]
>
> summary: I need to tunnel one SSL VPN (F5, running on one debian host) through another (OpenVPN, running on another debian host), but lose networking (e.g., `ping`) after the F5 VPN connects. I'm not sure whether this is due to my firewall/iptables or VPN configuration, but suspect the former. Unfortunately I am not knowledgeable regarding networking, so I'd appreciate any assistance you could provide.
>
> details:
>
> I need to remotely (off the physical LAN) SSH into some firewalled compute clusters to do environmental modeling (e.g., this[1]). Formerly I could do this from my debian laptop using the cluster-provider-mandated F5VPN[2]. However, access policy changed[3] (notably to require a single registered IP#), so I can no longer do this directly (i.e., just running the F5VPN from my laptop). I seek to adapt to the new policy (and resume work on my project) by implementing a VPN tunnel through a debian linode. Design details here[4], but my design can be roughly summarized with the following ASCII art (appropriately rendered here[4]):

First thing to check would be the routing table while the VPN is active. If the VPN client doesn't automatically add a route for the VPN server through your normal gateway, but does add a default route through the VPN, then it will break your connectivity because it's trying to send all traffic through the VPN, including the traffic to the actual VPN server. Post your 'route' table and I'll have a look.

Matt Ventura

Archive: https://lists.debian.org/54bfe8ce.9010...@mattventura.net
Re: network newbie seeks assistance debugging iptables for VPN tunnel
Tom Roche Wed, 21 Jan 2015 12:50:04 -0500 [1]
> I need to tunnel one SSL VPN (F5, running on one debian host) through another (OpenVPN, running on another debian host), but lose networking (e.g., `ping`) after the F5 VPN connects. I'm not sure whether this is due to my firewall/iptables or VPN configuration, but suspect the former. Unfortunately I am not knowledgeable regarding networking, so I'd appreciate any assistance you could provide.
> ...

slightly revised ASCII art

    ------------MY CONTROL------------    ------AGENCY CONTROL------
                                                     firewall
    +--------------+     +--------------+     +---------------+  |  +-----------+
    | laptop +     |     | linode +     |     | remote-access |  |  | cluster   |
    | F5NAP +      | --  | OpenVPN      | --  | website +     | -|- | node(s)   |
    | OpenVPN      |     | server +     |     | F5VPN server  |  |  |           |
    | client       |     | security     |     |               |  |  |           |
    +--------------+     +--------------+     +---------------+  |  +-----------+

Matt Ventura Wed, 21 Jan 2015 09:58:38 -0800 [2]
> First thing to check would be the routing table while the VPN is active.

The `route -n` for while the OpenVPN connection is active is here[3], which is part of a longer section[4] with all the gory details ... and thanks! your prompt assistance is appreciated,

Tom Roche tom_ro...@pobox.com

[1]: https://lists.debian.org/debian-user/2015/01/msg00732.html
[2]: https://lists.debian.org/debian-user/2015/01/msg00733.html
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-dns-problem

Archive: https://lists.debian.org/87sif3sts8@pobox.com
Re: network newbie seeks assistance debugging iptables for VPN tunnel
On 1/21/2015 1:33 PM, Tom Roche wrote:
> Tom Roche Wed, 21 Jan 2015 12:50:04 -0500 [1]
> > I need to tunnel one SSL VPN (F5, running on one debian host) through another (OpenVPN, running on another debian host), but lose networking (e.g., `ping`) after the F5 VPN connects. I'm not sure whether this is due to my firewall/iptables or VPN configuration, but suspect the former. Unfortunately I am not knowledgeable regarding networking, so I'd appreciate any assistance you could provide.
> > ...
>
> slightly revised ASCII art
>
>     ------------MY CONTROL------------    ------AGENCY CONTROL------
>                                                      firewall
>     +--------------+     +--------------+     +---------------+  |  +-----------+
>     | laptop +     |     | linode +     |     | remote-access |  |  | cluster   |
>     | F5NAP +      |--   | OpenVPN      |--   | website +     |-|- | node(s)   |
>     | OpenVPN      |     | server +     |     | F5VPN server  |  |  |           |
>     | client       |     | security     |     |               |  |  |           |
>     +--------------+     +--------------+     +---------------+  |  +-----------+
>
> Matt Ventura Wed, 21 Jan 2015 09:58:38 -0800 [2]
> > First thing to check would be the routing table while the VPN is active.
>
> The `route -n` for while the OpenVPN connection is active is here[3], which is part of a longer section[4] with all the gory details ... and thanks! your prompt assistance is appreciated,
>
> Tom Roche tom_ro...@pobox.com
>
> [1]: https://lists.debian.org/debian-user/2015/01/msg00732.html
> [2]: https://lists.debian.org/debian-user/2015/01/msg00733.html
> [3]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
> [4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-dns-problem

Sorry, I meant the routing table when the F5 VPN is active, when the connectivity breaks.

Matt Ventura

Archive: https://lists.debian.org/54c09651.3070...@mattventura.net