Author Topic: Can't access server from outside (internet-red)  (Read 71839 times)
dammit
« on: Friday 12 March 2010, 12:05:28 am »

Hello,

I need to set up an OpenVPN server on Endian, but I'm having a problem: from the internet (i.e. outside of my corporate LAN and firewall) I can't even ping my company's IP or hostname (it's like the server doesn't respond to any requests from outside).

Aside from that, everything is working fine. All computers on LAN are able to access the red internet connection, from inside I can ping any IP, etc.

How do I solve this? My company really needs a VPN server.

EDIT: forgot to say, Endian is running on an ESXi server.
dammit
« Reply #1 on: Saturday 13 March 2010, 01:39:20 am »

I just used this to test my OpenVPN port (1194) and it says it's blocked: dyndns.com/support/tools/openport.html

I also tried ports 80 and 443 (HTTP and HTTPS are working fine for all users accessing the internet from our LAN) and it says they're all blocked.
I've already tried disabling all firewall and proxy options in Endian, but that didn't work either...
mzainal
« Reply #2 on: Saturday 13 March 2010, 04:11:40 am »

Hi,

Can you show your network diagram so we can assist you?
dammit
« Reply #3 on: Saturday 13 March 2010, 05:08:22 am »

My network is something like the attachment.

We have one physical server with ESXi installed, and two virtual servers:
-File server: only has access to the physical Ethernet port that connects to the LAN
-Firewall: one virtual NIC is configured for the WAN connection (the one the ADSL modem is connected to) and the other for the LAN Ethernet port (the same one as the file server)

The file server is in the green zone, not in the DMZ, as I only want PCs on the LAN to be able to connect to it.
mrkroket
« Reply #4 on: Tuesday 16 March 2010, 05:01:40 pm »

Ping reply from RED, open port 80?
What do you expect from a hardened firewall?

By default EFW doesn't reply to any communication from the outside.

If you want EFW to reply on some ports from outside, you must create rules to do so.
The exception is the VPN servers: EFW will create the appropriate rules automatically.
About OpenVPN, don't do a port scan. Just try to connect with an OpenVPN client to test if it works. If something fails, check the logs.
For ping replies I think you must create a rule in Firewall->System Access.

Some questions are not about EFW, they're about any firewall in the world. Recheck your needs: it's very different for your computers to be able to use ports 80 & 443 (outgoing HTTP requests) than for someone on the internet to be able to use your ports 80 & 443 (incoming HTTP requests). Are you trying to open a web server to the internet? Create the correct rules in Port Forwarding (i.e., forward incoming requests on ports 80 & 443 to the appropriate internal server).
dammit
« Reply #5 on: Wednesday 17 March 2010, 12:15:54 am »

Quote from: mrkroket on Tuesday 16 March 2010, 05:01:40 pm (Reply #4 above)

I was having problems even when trying to connect to the OpenVPN port... It looked like Endian didn't create the rules needed.
Now I've added the port to System Access, and it's able to communicate.
However, I'm getting this error on the client when trying to connect to the VPN:

"Tue Mar 16 10:13:00 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 16 10:13:00 2010 TLS Error: TLS handshake failed
Tue Mar 16 10:13:00 2010 TCP/UDP: Closing socket
Tue Mar 16 10:13:00 2010 SIGUSR1[soft,tls-error] received, process restarting"
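The timeout above ("TLS key negotiation failed to occur within 60 seconds") means no OpenVPN reply ever reached the client, and mrkroket's point in Reply #4 was that a port scanner can't tell you why: an OpenVPN server only answers a real OpenVPN handshake. The script below is an added example, not code from this thread or from Endian. It sends the first control packet of the OpenVPN handshake (a hard-reset carrying a random session id) and checks whether the server's hard-reset reply comes back with our session id echoed, which is exactly what a client does before TLS starts. It assumes the server runs without tls-auth or tls-crypt (the thread does not say what Endian used); with either enabled the server silently drops unauthenticated resets, so a timeout then proves nothing. The target host on the command line is a placeholder.

```python
"""OpenVPN/UDP reachability probe: does the server answer a hard reset?

Added example; assumes no tls-auth/tls-crypt on the server.
"""
import os
import socket
import struct

OP_HARD_RESET_CLIENT_V2 = 7   # P_CONTROL_HARD_RESET_CLIENT_V2
OP_HARD_RESET_SERVER_V2 = 8   # P_CONTROL_HARD_RESET_SERVER_V2
KEY_ID = 0


def build_client_reset(session_id: bytes) -> bytes:
    """Opcode/key-id byte, our 8-byte session id, empty ACK array, packet id 0 (14 bytes)."""
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    opcode_byte = (OP_HARD_RESET_CLIENT_V2 << 3) | KEY_ID
    return struct.pack("!B8sBI", opcode_byte, session_id, 0, 0)


def parse_server_reset(data: bytes, our_session_id: bytes):
    """Return the server's session id if `data` is a hard-reset reply that
    acknowledges our packet 0 and echoes our session id; otherwise None.

    Layout: 1 opcode | 8 server sid | 1 ack count (=1) | 4 acked packet id
            | 8 remote (our) sid | 4 packet id  -> 26 bytes minimum.
    """
    if len(data) < 26:
        return None
    opcode_byte, server_sid, ack_len = struct.unpack("!B8sB", data[:10])
    if opcode_byte >> 3 != OP_HARD_RESET_SERVER_V2 or ack_len != 1:
        return None
    (acked_pid,) = struct.unpack("!I", data[10:14])
    remote_sid = data[14:22]
    if acked_pid != 0 or remote_sid != our_session_id:
        return None
    return server_sid


def probe(host: str, port: int = 1194, timeout: float = 3.0):
    """Send one client reset and wait for the server reset.

    Returns the server's session id, or None on timeout / malformed reply.
    """
    sid = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_reset(sid), (host, port))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_server_reset(data, sid)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder target
    result = probe(target)
    if result:
        print("OpenVPN server answered, server session id %s" % result.hex())
    else:
        print("no OpenVPN reset reply (filtered, closed, or tls-auth/tls-crypt in use)")
```

A reply here proves the packet crossed RED and the OpenVPN process is up on that port/protocol; a timeout still leaves the firewall, the wrong protocol (TCP vs UDP) and a disabled server as candidates, which is why the next post asks for the client config.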
mrkroket
« Reply #6 on: Wednesday 17 March 2010, 04:21:12 am »

Can you post your OpenVPN client config here (just remove the IP)?
dammit
« Reply #7 on: Wednesday 17 March 2010, 04:30:06 am »

Sure, here it is:

# act as a client and pull settings from the server
client
# layer-2 (bridged) tunnel; must match the server's device type
dev tap
# must match VPN->OpenVPN Server->Advanced on the Endian side
proto udp
nobind
# keep keys and the tap device across restarts
persist-key
persist-tun
# prompt for the Endian username/password
auth-user-pass
resolv-retry infinite
# CA certificate downloaded from the Endian firewall
ca cacert.cer
verb 3
comp-lzo

#Specify the IP address of the VPN server
remote ***.***.***.*** 1194
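As an added example, not part of the post and not Endian's own tooling, here is a small checker that parses the config above and compares it with what the server side is set to (port 1194, UDP, username/password), then flags the hardening gaps a reviewer would raise, above all the missing `remote-cert-tls server`. The server port and protocol are parameters because the checker can't see the Endian side; the config text is the one posted above with the masked IP left masked.

```python
"""Checks an OpenVPN client config for the pitfalls discussed in this thread.

Added example; POSTED_CONFIG is the config from the post above.
"""

POSTED_CONFIG = """\
client
dev tap
proto udp
nobind
persist-key
persist-tun
auth-user-pass
resolv-retry infinite
ca cacert.cer
verb 3
comp-lzo

#Specify the IP address of the VPN server
remote ***.***.***.*** 1194
"""


def parse_ovpn(text):
    """Return {directive: [argument lists]}; blank lines and '#'/';' comment lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        cfg.setdefault(parts[0], []).append(parts[1:])
    return cfg


def check_client_config(cfg, server_port="1194", server_proto="udp"):
    """Compare the client config with the server settings (VPN->OpenVPN Server->Advanced)
    and flag hardening gaps. Returns (severity, message) pairs; 'error' means it cannot work."""
    findings = []
    remotes = cfg.get("remote", [])
    if not remotes:
        findings.append(("error", "no 'remote' line: the client has nowhere to connect"))
    global_proto = cfg.get("proto", [["udp"]])[0][0]      # OpenVPN's default is udp
    for args in remotes:
        port = args[1] if len(args) > 1 else "1194"       # OpenVPN's default port
        proto = args[2] if len(args) > 2 else global_proto
        if port != server_port or proto.rstrip("46") != server_proto:
            findings.append(("error", f"remote {args[0]} uses {proto}/{port} but the server is "
                                      f"set to {server_proto}/{server_port}"))
    if "ca" not in cfg:
        findings.append(("error", "no 'ca' directive: the server certificate cannot be verified"))
    if "auth-user-pass" not in cfg:
        findings.append(("error", "no 'auth-user-pass': the server's PSK (username/password) "
                                  "mode will reject the client"))
    if "remote-cert-tls" not in cfg:
        findings.append(("warn", "no 'remote-cert-tls server': any certificate issued by the CA "
                                 "would be accepted as the server"))
    if "comp-lzo" in cfg or "compress" in cfg:
        findings.append(("info", "compression enabled: deprecated in current OpenVPN and best "
                                 "switched off on both ends"))
    if cfg.get("dev", [["tun"]])[0][0] == "tap":
        findings.append(("info", "dev tap: bridged (layer-2) mode, so the client address must lie "
                                 "inside the GREEN subnet and the server must also use tap"))
    return findings


if __name__ == "__main__":
    for severity, message in check_client_config(parse_ovpn(POSTED_CONFIG)):
        print(f"[{severity}] {message}")
```

Run against the posted config it reports no errors (so the config itself is not why the handshake times out) and only the warnings; the `remote-cert-tls` one matters because without it the client accepts any CA-issued certificate as the server.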
mrkroket
« Reply #8 on: Thursday 18 March 2010, 04:00:54 am »

Seems fine to me.
Check these steps:

1- On your client, just check that the file cacert.cer is the one you downloaded from your Endian firewall.
2- Check that your OpenVPN server is enabled: VPN->OpenVPN Server->Enabled. Also check that the IP pool falls inside your GREEN subnet.
3- On VPN->OpenVPN Server->Advanced check that the port is 1194 and the protocol is UDP. Authentication type must be PSK (username/password).
4- On Firewall->VPN Traffic, create a rule to allow any traffic, and enable logging.
5- On Firewall->System Access, create a rule to allow ping from outside: Source Interface: RED, Protocol: ICMP, Ports: 8 and 30. Do not create a System Access rule for OpenVPN (1194). It should be created automatically!!!
6- Try to ping your EFW firewall from outside (RED); it should reply correctly. If not, your problem isn't the OpenVPN settings but an Ethernet one.
7- Now go to Logs->Live Logs and show the logs from OpenVPN.
8- Try to connect and check the server logs for any problem.

If it doesn't work please put the OpenVPN logs here. Just remove the sensitive info (public IPs).
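One way to work through steps 7 and 8 without reading the logs by eye: the script below, an added example rather than anything from the thread or from Endian, matches OpenVPN log lines against the messages that correspond to each failure in the checklist above and says which step to revisit. The sample log is constructed: it contains the four lines dammit posted in Reply #5 plus lines in the same OpenVPN log format for the other cases (the message texts are OpenVPN's own; the timestamps, hostname and address are made up).

```python
"""Triage OpenVPN log lines against the troubleshooting checklist.

Added example; the sample log below is constructed.
"""
import re
from collections import Counter

# OpenVPN's own message texts mapped to a diagnosis and the checklist step it points back to.
SIGNATURES = [
    (re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
     "no server reply reached the client: RED reachability, port/protocol or server not enabled (steps 2, 3, 6)"),
    (re.compile(r"VERIFY ERROR"),
     "server certificate rejected: wrong or stale cacert.cer on the client (step 1)"),
    (re.compile(r"AUTH_FAILED"),
     "username/password rejected: check the account and the authentication type (step 3)"),
    (re.compile(r"cannot locate HMAC in incoming packet"),
     "tls-auth key on one side only: server and client disagree on the static key (step 3)"),
    (re.compile(r"Initialization Sequence Completed"),
     "tunnel came up: anything still failing is a VPN Traffic firewall rule, not the handshake (step 4)"),
]

# "Tue Mar 16 10:13:00 2010 <message>" is OpenVPN's default log line format.
LOG_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<msg>.*)$")


def classify_line(line):
    """Return the diagnosis for one log line, or None if it matches no known signature."""
    m = LOG_RE.match(line.strip().strip('"'))
    msg = m.group("msg") if m else line.strip()
    for pattern, diagnosis in SIGNATURES:
        if pattern.search(msg):
            return diagnosis
    return None


def triage(lines):
    """Diagnoses in order of first appearance, each with the number of lines that matched."""
    counts = Counter()
    order = []
    for line in lines:
        diagnosis = classify_line(line)
        if diagnosis is None:
            continue
        if diagnosis not in counts:
            order.append(diagnosis)
        counts[diagnosis] += 1
    return [(d, counts[d]) for d in order]


# Constructed sample: the first four lines are the ones posted in Reply #5; the rest use
# OpenVPN's real message texts with made-up timestamps, hostname and address.
SAMPLE_LOG = """\
Tue Mar 16 10:13:00 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 16 10:13:00 2010 TLS Error: TLS handshake failed
Tue Mar 16 10:13:00 2010 TCP/UDP: Closing socket
Tue Mar 16 10:13:00 2010 SIGUSR1[soft,tls-error] received, process restarting
Tue Mar 16 10:14:07 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 16 10:20:31 2010 VERIFY ERROR: depth=0, error=certificate signature failure: CN=efw.example.invalid
Tue Mar 16 10:25:12 2010 AUTH: Received control message: AUTH_FAILED
Tue Mar 16 10:28:03 2010 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.7:40000
Tue Mar 16 10:30:45 2010 Initialization Sequence Completed
"""

if __name__ == "__main__":
    for diagnosis, n in triage(SAMPLE_LOG.splitlines()):
        print(f"{n:2d}x  {diagnosis}")
```

The "TLS handshake failed" and "Closing socket" lines are deliberately left unclassified: they follow every failure and carry no information about which one it was.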
dammit
« Reply #9 on: Friday 19 March 2010, 12:04:24 am »

Thank you, mrkroket!
It's working now!
mrkroket
« Reply #10 on: Friday 19 March 2010, 07:18:33 am »

If you don't need ping reply from RED, you can remove the rule created in 5. The less open ports to the internet, the better.
dammit
« Reply #11 on: Monday 22 March 2010, 10:01:01 am »

Now another problem has arisen: from my home PC (running Windows 7), I'm connecting to OpenVPN normally, but I can't see the PCs behind Endian on the LAN. Trying to ping them gets me this:

Pinging 192.168.100.101 with 32 bytes of data:
Reply from 192.168.100.72: Destination host unreachable.
Request timed out.
Request timed out.
Request timed out.

where 192.168.100.72 is the IP assigned to my TAP connection, and 192.168.100.101 is one of the LAN's computers...
martec
« Reply #12 on: Tuesday 23 March 2010, 03:02:30 am »

Hi,

take a look in VPN --> OpenVPN server --> [Tab] Advanced

at the options:

  • block DHCP replies from the tunnel (more or less... my English is horrible...)
    don't block traffic between clients

or check whether in your tests you added some "wrong" rule...
dammit
« Reply #13 on: Friday 26 March 2010, 12:22:56 am »

I checked both... still nothing...
I made a rule on the VPN firewall to allow all ports, to all connections.
I also made a rule for source NAT, allowing any VPN user to access green.
Still no good...

I'm able to connect to the OpenVPN server (Endian) only. Every other PC on the LAN is inaccessible...
dammit
« Reply #14 on: Tuesday 30 March 2010, 03:15:01 am »

I just discovered that if I assign IP, mask and gateway on the client TAP device, I'm able to access some of the LAN services (it seems it's not getting the correct gateway IP by itself). However, I'm still not able to access the file server, for example (the list of PCs doesn't show up, and even if I type a machine's IP, it doesn't respond).