Author Topic: endian community 2.4 VPN Gw2Gw problem  (Read 54059 times)
e-telligent
« on: Sunday 19 September 2010, 09:54:39 pm »

Hi,

I successfully configured Endian Community 2.4 VPN Gw2Gw with this configuration:


network1 -----> endian VPN server ----->  INTERNET -------> endian Gw2Gw Client -------> network2


PLEASE PASTE HERE YOUR:
-----> route -n output if your VPN connection has problems.
-----> cat /etc/sudoers | grep 'openvpn'

Leonil Sune

e-Telligent Solutions, Inc.
Unit 3-BI, 8101 Pearl Plaza Bldg.,
Pearl Drive, Ortigas Center, Pasig City
www.e-telligent.net
P: (02) 633-5678
F: (02) 638-7263
logicasrl
« Reply #1 on: Sunday 19 September 2010, 10:14:28 pm »

Thank you, e-telligent, for your availability to help.
I have no means at the moment to upload what you are asking for, but tomorrow I will certainly upload what you need.

By the way, I have upgraded one of the 2 EFWs from 2.2 to 2.4 (by efw-upgrade from an SSH session), with no errors, but I've noticed that I've lost my "proxy" and "port forwarding" configurations... Could this have some consequences on the OpenVPN side too?

Thank you again,
Luca
e-telligent
« Reply #2 on: Sunday 19 September 2010, 11:03:04 pm »

Hi,

VPN is different from the port forwarding and proxy config.
logicasrl
« Reply #3 on: Monday 20 September 2010, 08:05:08 pm »

Here are the outputs of "route -n" and "cat /etc/sudoers" for both EFWs.

root@fw01:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
78.4.160.48     0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tap2
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         78.4.160.49     0.0.0.0         UG    0      0        0 eth1
root@fw01:~ # cat /etc/sudoers | grep 'openvpn'
nobody  ALL=NOPASSWD: /usr/bin/openvpn-user
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
openvpn  ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
openvpn  ALL=NOPASSWD: /usr/local/bin/remoteroute.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setsnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setrouting.py
nobody  ALL=NOPASSWD: /etc/init.d/openvpnclient
openvpn  ALL=NOPASSWD: /usr/local/bin/setdnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
root@fw01:~ #

root@efw-1283440485:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
93.64.140.112   0.0.0.0         255.255.255.240 U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 tap1
0.0.0.0         93.64.140.113   0.0.0.0         UG    0      0        0 eth1
root@efw-1283440485:~ # cat /etc/sudoers | grep 'openvpn'
nobody  ALL=NOPASSWD: /usr/bin/openvpn-user
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
nobody  ALL=NOPASSWD: /etc/init.d/openvpnclient
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
openvpn  ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setsnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
root@efw-1283440485:~ #

I see that the last one does not have "openvpn" (but "nobody") on the "setdnat" and "remoteroute" lines: I'll put "openvpn" in it and let you know.

Thank you for your help,
Luca
logicasrl
« Reply #4 on: Tuesday 21 September 2010, 07:02:27 pm »

I've posted the latest trials on this thread: "OpenVPN gw2gw tunnel packet loss".
Thank you
Luca
e-telligent
« Reply #5 on: Thursday 23 September 2010, 11:26:26 pm »

Hi,


Add this in sudoers:


openvpn  ALL=NOPASSWD: /usr/local/bin/remoteroute.py

and restart your VPN server.
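A defender-side check written for this thread (an added example, not Endian's own code): it parses the `grep 'openvpn'` output posted above, reports which `openvpn ALL=NOPASSWD:` entries are missing, and, because every NOPASSWD target runs as root, flags any target script on the host that is not root-owned or is group/world-writable. The required set is an assumption built from the first box in Reply #3 plus the remoteroute.py line in Reply #5; the sample input is the second box's output from Reply #3.

```python
"""Check Endian sudoers output for the OpenVPN helper entries.

Added example for this thread, not Endian code. REQUIRED is an assumption
built from the working box in Reply #3 plus the remoteroute.py line in Reply #5.
"""
import os
import re
import stat

REQUIRED = {
    ("openvpn", "/usr/local/bin/remoteroute.py"),
    ("openvpn", "/usr/local/bin/setdnat.py"),
    ("openvpn", "/usr/local/bin/setpolicyrouting.py"),
    ("openvpn", "/usr/local/bin/setrouting.py"),
    ("openvpn", "/usr/local/bin/setsnat.py"),
    ("openvpn", "/usr/local/bin/setvpnfw.py"),
    ("openvpn", "/usr/local/bin/updatednsmasq.py"),
}

# "user  ALL=NOPASSWD: /path/to/command" is the only shape seen in the thread.
LINE_RE = re.compile(r"^(\S+)\s+ALL\s*=\s*NOPASSWD:\s*(\S+)\s*$")

# Output of the second box (efw-1283440485) in Reply #3, copied from the post.
SECOND_BOX = """\
nobody  ALL=NOPASSWD: /usr/bin/openvpn-user
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
nobody  ALL=NOPASSWD: /etc/init.d/openvpnclient
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
openvpn  ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setsnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
"""


def parse_sudoers(text):
    """Return the set of (user, command) pairs from NOPASSWD lines."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def missing_entries(text, required=REQUIRED):
    """Required entries absent from the sudoers text, sorted for stable output."""
    return sorted(required - parse_sudoers(text))


def unsafe_mode(mode, uid):
    """True if a root-run target is not root-owned or is group/world-writable."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def unsafe_targets(entries):
    """Among NOPASSWD targets that exist on this host, those failing unsafe_mode."""
    bad = []
    for _user, path in sorted(entries):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # not an Endian box; nothing to inspect
        if unsafe_mode(st.st_mode, st.st_uid):
            bad.append(path)
    return bad


if __name__ == "__main__":
    for user, cmd in missing_entries(SECOND_BOX):
        print(f"missing: {user}  ALL=NOPASSWD: {cmd}")
    for path in unsafe_targets(parse_sudoers(SECOND_BOX)):
        print(f"unsafe target: {path}")
```

Run against the second box's output it reports remoteroute.py and setdnat.py as missing, which matches what Reply #5 asks to add; on a real host the file-mode check only matters because a writable NOPASSWD target lets a non-root user change what root executes.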
logicasrl
« Reply #6 on: Saturday 25 September 2010, 02:12:45 am »

Thank you Leonil for your hints.
In the next days I will be out of office: I'll try your suggestion not before September the 29th.
Luca
jzola
« Reply #7 on: Thursday 30 September 2010, 06:44:09 am »

Hmm, please check how I set it up, because it's not working :(

This is a test network with ESXi. GW 192.168.6.1 does not exist.


CLIENT(192.168.1.1/24) --- (192.168.1.72/24) EFW1 (192.168.6.72) --- (192.168.6.71) EFW2 ( 192.168.1.71/24) --- Client(192.168.1.153/24)


Default configured Endian 2.4, no extra settings, just everything allowed in the outgoing firewall, etc.

EFW1:
-Enabled OpenVPN with one user

EFW2:
-Gw2Gw established to EFW1, bridged to GREEN


EFW1(in ssh):
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.6.1     0.0.0.0         UG    0      0        0 eth1

-able to ping 192.168.1.71
-can't ping 192.168.1.153
-can ping 192.168.1.1



in EFW2:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.6.1     0.0.0.0         UG    0      0        0 eth1

-able to ping 192.168.1.72
-can't ping 192.168.1.1
-can ping 192.168.1.153


192.168.1.153 can't ping 192.168.1.1
-and if I run "tcpdump src host 192.168.1.153" while pinging, I see this:
20:18:42.586765 arp who-has 192.168.1.1 tell 192.168.1.153
20:18:43.586865 arp who-has 192.168.1.1 tell 192.168.1.153
20:18:44.587448 arp who-has 192.168.1.1 tell 192.168.1.153



Both Endians: I added the lines you suggested.
cat /etc/sudoers | grep 'openvpn'
nobody  ALL=NOPASSWD: /usr/bin/openvpn-user
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
nobody  ALL=NOPASSWD: /etc/init.d/openvpnclient
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
openvpn  ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setsnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/remoteroute.py
openvpn ALL=NOPASSWD: /usr/local/bin/setdnat.py
logicasrl
« Reply #8 on: Thursday 30 September 2010, 07:51:18 pm »

Hi everybody,

I've finally tried the "single VPN connection" suggested to me and in fact... it's WORKING now :) and there is NO MORE packet loss.

What to pay attention to (in my opinion):
1. with two VPN connections (from client to server and vice versa) there ARE routing problems (not better identified);
2. it is necessary to start the "VPN firewall" (Firewall - VPN traffic) at both sites (configuring an "any to any" rule for test purposes, for example);
3. it is necessary to configure a "Source NAT" rule (Firewall - Port Forwarding / NAT - Source NAT) at both sites.
N.B. with NO "VPN firewall" and "Source NAT" configured, there is NO communication between the two end sites (100% packet loss with "ping").

There is, however, a last problem. Everything is working right but only in one direction (let's say from the EFW acting as "OpenVPN client" to the EFW acting as "OpenVPN server"), but I would need a bidirectional link.
At the moment only the LAN PCs behind the "OpenVPN client" can connect to the LAN PCs behind the "OpenVPN Server".

I've also tried to "ping" the LAN behind the "OpenVPN client" from an SSH session on the "OpenVPN server", but there is NO ROUTE to the remote LAN. I cannot "ping" the remote EFW acting as "OpenVPN client" itself.

How is it possible to obtain a bidirectional tunnel???

Thank you very much,
Luca
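Both "no route to the remote LAN" (Reply #8) and the ARP-only trace (Reply #7) come down to what the kernel's routing table does with the remote address. This added example (not Endian's code) parses the `route -n` output posted in this thread and reports, for a given address, whether the packet enters the VPN interface, stays on a directly connected link (so delivery depends on ARP across that link), or goes to a gateway instead of the tunnel. The tables are the fw01 one from Reply #3 and the EFW1 one from Reply #7; the addresses looked up are constructed test values inside those subnets.

```python
"""Resolve which interface a host uses for an address, from `route -n` text.

Added example for this thread, not Endian code. The tables below are copied
from the posts (fw01 in Reply #3, EFW1 in Reply #7).
"""
import ipaddress

FW01_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
78.4.160.48     0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tap2
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         78.4.160.49     0.0.0.0         UG    0      0        0 eth1
"""

EFW1_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.6.1     0.0.0.0         UG    0      0        0 eth1
"""


def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the title and header rows; data rows start with a dotted quad.
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gateway, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, addr):
    """Longest-prefix match; return (iface, gateway) or None when unroutable."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gateway, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return None if best is None else (best[2], best[1])


def classify(routes, addr):
    """Describe what the kernel does with a packet destined for addr."""
    hit = lookup(routes, addr)
    if hit is None:
        return "no route"
    iface, gateway = hit
    if iface.startswith(("tap", "tun")):
        return f"routed into the VPN via {iface}"
    if gateway == "0.0.0.0":
        # Directly connected: delivery relies on an ARP reply on that link,
        # which is exactly what the bridged setup in Reply #7 never receives.
        return f"directly connected on {iface} (ARP on that link)"
    return f"sent to gateway {gateway} via {iface}, not the VPN"


if __name__ == "__main__":
    for name, table, probe in (("fw01", FW01_ROUTES, "192.168.0.10"),
                               ("EFW1", EFW1_ROUTES, "192.168.1.153")):
        print(f"{name}: {probe} -> {classify(parse_route_n(table), probe)}")
```

For fw01 a 192.168.0.x address is routed into tap2, so a routed Gw2Gw is in place there; for EFW1 the remote client 192.168.1.153 falls inside the local br0 subnet, so the kernel never routes it at all and the only thing that can fail is the ARP exchange through the bridge, which is what the tcpdump lines in Reply #7 show.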
jzola
« Reply #9 on: Thursday 30 September 2010, 10:48:21 pm »

What's your SNAT rule?
logicasrl
« Reply #10 on: Thursday 30 September 2010, 11:38:48 pm »

> What's your SNAT rule?

In my case the client side has a subnet 192.168.0.0, and the server side 192.168.254.0.

On the client side I've got this SNAT rule:
source = 192.168.0.0/24
Destination = 192.168.254.0/24
Service = <ANY>
NAT to = "name of the openvpn gw2gw connection"
jzola
« Reply #11 on: Friday 01 October 2010, 12:12:11 am »

> > What's your SNAT rule?
>
> In my case the client side has a subnet 192.168.0.0, and the server side 192.168.254.0.
>
> On the client side I've got this SNAT rule:
> source = 192.168.0.0/24
> Destination = 192.168.254.0/24
> Service = <ANY>
> NAT to = "name of the openvpn gw2gw connection"

Aha, but I want the same subnet on both sites.
logicasrl
« Reply #12 on: Friday 01 October 2010, 12:16:31 am »

> > > What's your SNAT rule?
> >
> > In my case the client side has a subnet 192.168.0.0, and the server side 192.168.254.0.
> >
> > On the client side I've got this SNAT rule:
> > source = 192.168.0.0/24
> > Destination = 192.168.254.0/24
> > Service = <ANY>
> > NAT to = "name of the openvpn gw2gw connection"
>
> Aha, but I want the same subnet on both sites.

Hmm, from what I know, this is NOT possible.
It seems, from the Endian documentation, that the two LANs MUST have different IP addresses...
Luca
jzola
« Reply #13 on: Friday 01 October 2010, 12:47:46 am »

You can set in OpenVPN Gw2Gw that it bridges to your GREEN,
and it can carry DHCP responses.

I am confused now..
logicasrl
« Reply #14 on: Friday 01 October 2010, 02:16:18 am »

> You can set in OpenVPN Gw2Gw that it bridges to your GREEN,
> and it can carry DHCP responses.
>
> I am confused now..

Sorry, I fear I can't help you on this subject: I'm not so skilled in Endian "way of working"...
Luca