Title: Can't access server from outside (internet-red)
Post by: dammit on Friday 12 March 2010, 12:05:28 am

Hello,

I need to set up an OpenVPN server on Endian, but I'm having a problem: from the internet (i.e. outside of my corporate LAN and firewall) I can't even ping my company's IP or hostname (it's like the server doesn't respond to any requests from outside). Aside from that, everything is working fine. All computers on the LAN are able to access the red internet connection, from inside I can ping any IP, etc. How do I solve this? My company really needs a VPN server.

EDIT: forgot to say, Endian's running on an ESXi server.

Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Saturday 13 March 2010, 01:39:20 am

I just used this to test my OpenVPN port (1194) and it says it's blocked: dyndns.com/support/tools/openport.html
I also tried ports 80 and 443 (HTTP and HTTPS are working fine for all users accessing the internet from our LAN) and it's saying they're all blocked. I've already tried disabling all firewall and proxy options in Endian, but that didn't work either...

Title: Re: Can't access server from outside (internet-red)
Post by: mzainal on Saturday 13 March 2010, 04:11:40 am

Hi,

Can you show your network diagram so we can assist you?

Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Saturday 13 March 2010, 05:08:22 am

My network is something like in the attachment.
We have one physical server, with ESXi installed, and two virtual servers:
- File server: only has access to the physical Ethernet port which connects to the LAN
- Firewall: one virtual NIC is configured for the WAN connection (the one the ADSL modem is connected to) and the other is configured for the LAN Ethernet port (the same as the file server)

The file server is on the green zone, not on the DMZ, as I only want PCs on the LAN to be able to connect to it.

Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Tuesday 16 March 2010, 05:01:40 pm

Ping reply from RED, open port 80? What do you expect from a hardened firewall? By default EFW doesn't reply to any communication from the outside. If you want EFW to reply on some ports from outside, you must create rules to do so. The exception is the VPN servers: EFW will create the appropriate rules automatically.

About OpenVPN, don't do a port scan. Just try to connect with an OpenVPN client to test if it works. If something fails, check the logs. To get a ping reply I think you must create a rule on Firewall->System Access.

Some questions are not about EFW, they are about any firewall in the world. Recheck your needs: it's very different that your computers can use ports 80 & 443 (outgoing HTTP requests), rather than someone on the internet can use your ports 80 & 443 (incoming HTTP requests). Are you trying to open a web server to the internet? Create the correct rules on Port Forwarding (i.e., forward incoming requests from ports 80 & 443 to the appropriate internal server).

Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Wednesday 17 March 2010, 12:15:54 am

> Ping reply from RED, open port 80? What do you expect from a hardened firewall? By default EFW doesn't reply to any communication from the outside. If you want EFW to reply on some ports from outside, you must create rules to do so. The exception is the VPN servers: EFW will create the appropriate rules automatically.
>
> About OpenVPN, don't do a port scan. Just try to connect with an OpenVPN client to test if it works. If something fails, check the logs. To get a ping reply I think you must create a rule on Firewall->System Access.
>
> Some questions are not about EFW, they are about any firewall in the world. Recheck your needs: it's very different that your computers can use ports 80 & 443 (outgoing HTTP requests), rather than someone on the internet can use your ports 80 & 443 (incoming HTTP requests). Are you trying to open a web server to the internet? Create the correct rules on Port Forwarding (i.e., forward incoming requests from ports 80 & 443 to the appropriate internal server).

I was having problems even when trying to connect to the OpenVPN port... It looked like Endian didn't create the rules needed. Now I added the port to System Access, and it's able to communicate. However, I'm getting this error on the client when trying to connect to the VPN:

Code:
Tue Mar 16 10:13:00 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 16 10:13:00 2010 TLS Error: TLS handshake failed
Tue Mar 16 10:13:00 2010 TCP/UDP: Closing socket
Tue Mar 16 10:13:00 2010 SIGUSR1[soft,tls-error] received, process restarting

Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Wednesday 17 March 2010, 04:21:12 am

Can you write down your OpenVPN client config here (just remove the IP)?
Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Wednesday 17 March 2010, 04:30:06 am

Sure, here it is:

Code:
client
dev tap
proto udp
nobind
persist-key
persist-tun
auth-user-pass
resolv-retry infinite
ca cacert.cer
verb 3
comp-lzo
#Specify the IP address of the VPN server
remote ***.***.***.*** 1194

Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Thursday 18 March 2010, 04:00:54 am

Seems fine to me. Check these steps:

1- On your client, just check that the file cacert.cer is the one you downloaded from your Endian firewall.
2- Check that your OpenVPN server is enabled: VPN->OpenVPN Server->Enabled. Also check that the IP pool falls inside your GREEN subnet.
3- On VPN->OpenVPN Server->Advanced check that the port is 1194 and the protocol is UDP. Authentication type must be PSK (username/password).
4- On Firewall->VPN Traffic, create a rule to allow any traffic, and enable logging.
5- On Firewall->System Access, create a rule to allow ping from outside: Source Interface: RED, Protocol: ICMP, Ports: 8 and 30. Do not create a System Access rule for OpenVPN (1194). It should be created automatically!!!
6- Try to ping your EFW firewall from outside (RED); it should reply correctly. If not, your problem isn't the OpenVPN settings but the Ethernet ones.
7- Now go to Logs->Live Logs and show the logs from OpenVPN.
8- Try to connect and check the server logs for any problem.

If it doesn't work please post the OpenVPN logs here. Just remove the sensitive info (public IPs).

Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Friday 19 March 2010, 12:04:24 am

Thank you, mrkroket!

It's working now!

Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Friday 19 March 2010, 07:18:33 am

If you don't need a ping reply from RED, you can remove the rule created in 5. The fewer open ports to the internet, the better.
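The client profile dammit posted and steps 1 to 3 of mrkroket's checklist can be compared mechanically. The script below is an added example and is not Endian's or OpenVPN's code: it parses the posted profile (reproduced with the placeholder VPN_SERVER_IP in place of the masked address) and reports mismatches against the server-side settings the checklist names (UDP, port 1194, username/password authentication, the downloaded CA file). It also flags a missing `remote-cert-tls server` line as a hardening suggestion; because the Endian log later in the thread shows the server running with `--client-cert-not-required`, the CA file plus that directive are what keep the client from finishing a handshake with anything but the real server. That suggestion assumes Endian's server certificate is marked as a TLS server certificate, which is what the directive checks.

```python
"""Check an OpenVPN client profile against the server settings in the thread.

Added example, not Endian's or OpenVPN's code.  SAMPLE_PROFILE reproduces the
client config posted above with the masked public IP replaced by a placeholder.
"""
import re

# Constructed input: the posted profile, one directive per line.
SAMPLE_PROFILE = """\
client
dev tap
proto udp
nobind
persist-key
persist-tun
auth-user-pass
resolv-retry infinite
ca cacert.cer
verb 3
comp-lzo
#Specify the IP address of the VPN server
remote VPN_SERVER_IP 1194
"""

# What steps 2-3 of the checklist say the Endian side is configured for.
EXPECTED = {"proto": "udp", "port": "1194"}


def parse_profile(text):
    """Map each directive to its argument list; '#' and ';' lines are comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def check_profile(directives):
    """Return a list of (level, message) findings; an empty list is a clean profile."""
    findings = []
    if "client" not in directives:
        findings.append(("error", "'client' missing: this is not a client profile"))
    dev = directives.get("dev", [""])[0]
    if dev not in ("tun", "tap"):
        findings.append(("error", f"dev must be tun or tap, got {dev!r}"))
    remote = directives.get("remote", [])
    if not remote:
        findings.append(("error", "no 'remote' directive: nothing to connect to"))
    else:
        # OpenVPN lets 'remote' carry its own port (and protocol); otherwise the
        # profile-wide 'proto' and the default port 1194 apply.
        host = remote[0]
        port = remote[1] if len(remote) > 1 else "1194"
        proto = remote[2] if len(remote) > 2 else directives.get("proto", ["udp"])[0]
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", host):
            findings.append(("error", f"remote host {host!r} is not a hostname or IP"))
        if (proto, port) != (EXPECTED["proto"], EXPECTED["port"]):
            findings.append(("warn", f"server expects {EXPECTED['proto']}/{EXPECTED['port']}, "
                                     f"profile uses {proto}/{port}"))
    if "auth-user-pass" not in directives:
        findings.append(("error", "auth-user-pass missing: the server authenticates by username/password"))
    if "ca" not in directives:
        findings.append(("error", "no 'ca' directive: the server certificate cannot be verified"))
    elif "remote-cert-tls" not in directives:
        # Assumption: the Endian-issued server certificate is marked as a TLS
        # server certificate, which is what 'remote-cert-tls server' verifies.
        findings.append(("warn", "add 'remote-cert-tls server' so only a server certificate is accepted"))
    return findings


if __name__ == "__main__":
    for level, msg in check_profile(parse_profile(SAMPLE_PROFILE)):
        print(f"[{level}] {msg}")
```

Run against the posted profile it reports only the `remote-cert-tls` suggestion; swapping `proto udp` for `proto tcp`, or leaving the masked `***.***.***.***` in the `remote` line, produces the mismatch and invalid-host findings that correspond to the "TLS key negotiation failed" symptom in the thread.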
Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Monday 22 March 2010, 10:01:01 am

Now another problem arose: from my home PC (running Windows 7), I'm connecting to OpenVPN normally, but I can't see the PCs behind Endian on the LAN. Trying to ping them gets me this:

Code:
Pinging 192.168.100.101 with 32 bytes of data:
Reply from 192.168.100.72: Destination host unreachable.
Request timed out.
Request timed out.
Request timed out.

where 192.168.100.72 is the IP assigned to my TAP connection, and 192.168.100.101 is one of the LAN's computers...

Title: Re: Can't access server from outside (internet-red)
Post by: martec on Tuesday 23 March 2010, 03:02:30 am

Hi,
Take a look in VPN --> OpenVPN server --> [Tab] Advanced at the option:

or check whether in your tests you added some "wrong" rule ...

Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Friday 26 March 2010, 12:22:56 am

I checked both... still nothing...

I made a rule on the VPN firewall to allow all ports, to all connections. Also made a rule for source NAT, allowing any VPN user to access green. Still no good... I'm able to connect to the OpenVPN server (Endian) only. Every other PC on the LAN is inaccessible...

Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Tuesday 30 March 2010, 03:15:01 am

I just discovered that if I assign IP, mask and gateway on the client TAP device, I'm able to access some of the LAN services (seems like it's not getting the correct gateway IP by itself). However, I'm still not able to access a file server, for example (the list of PCs doesn't show up, and even if I type a machine IP, it doesn't respond).
Title: Re: Can't access server from outside (internet-red)
Post by: koukobin on Sunday 04 April 2010, 04:00:51 am

Do you have the IPS enabled? I had the same problem (I was able to ping all the systems, I was able to access web servers, but Windows file sharing was not working).

Finally I had to disable some rules in the IPS and everything was fine after that. The strange thing was that the IPS log was clear. IPS was blocking the file sharing but didn't log this action. If your IPS is enabled, try to disable it and try again.

Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Wednesday 07 April 2010, 09:05:37 pm

It's already disabled...

I've looked at the logs:

Code:
Apr 6 14:50:43 local OpenVPN 2.1_rc15 i586-pc-linux [SSL] [LZO2] [EPOLL] built on Aug 11 2009
Apr 6 14:50:43 local NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Apr 6 14:50:43 local NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 6 14:50:43 local NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
Apr 6 14:50:43 local WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Apr 6 14:50:43 local TUN/TAP device tap0 opened
Apr 6 14:50:43 local GID set to openvpn
Apr 6 14:50:43 local UID set to openvpn
Apr 6 14:50:43 local UDPv4 link local (bound): [undef]:1194
Apr 6 14:50:43 local UDPv4 link remote: [undef]
Apr 6 14:50:43 local Initialization Sequence Completed
Apr 6 14:50:59 local event_wait : Interrupted system call (code=4)
Apr 6 14:50:59 local OpenVPN CLIENT LIST
Apr 6 14:50:59 local Updated,Tue Apr 6 14:50:59 2010
Apr 6 14:50:59 local Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
Apr 6 14:50:59 local ROUTING TABLE
Apr 6 14:50:59 local Virtual Address,Common Name,Real Address,Last Ref
Apr 6 14:50:59 local GLOBAL STATS
Apr 6 14:50:59 local Max bcast/mcast queue length,0
Apr 6 14:50:59 local END

The only thing wrong that I found is the line in bold, although I couldn't find anything about it...

Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Sunday 11 April 2010, 03:43:39 am

The basic steps for testing an OpenVPN connection:
1- Check the server is running.
2- On server: check that the VPN firewall is correctly set up.
3- Check if the client connects. With the OpenVPN client on Windows you'll see a green icon on the taskbar.
4- On client: check that your TUN/TAP interface has a correct IP from your EFW green network.
5- On client: traceroute to the EFW firewall. It seems you are able to get that.
6- On server: check that you are pushing your networks. It's on VPN->OpenVPN Server->Push these networks: 192.168.100.0/24. Restart.
7- On client: try a traceroute to another PC on GREEN. It should reach it in one step; if more than one hop appears in tracert, the traffic probably isn't going inside the VPN tunnel.

Post the results of tracert 192.168.100.101 here. Ping is useful, but very broad. Tracert gives you better info about what's going on with your traffic.

Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Tuesday 13 April 2010, 01:04:43 pm

I did that... results are:

tracert to Endian (192.168.100.3)
Code:
Tracing route to 192.168.100.3 over a maximum of 30 hops

tracert to one LAN PC (192.168.100.102)
Code:
Tracing route to 192.168.100.102 over a maximum of 30 hops

ipconfig from client:
Code:
Windows IP Configuration

Log from client:
Code:
Mon Apr 12 23:47:47 2010 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006

Log from Endian:
Code:
Apr 12 23:41:31 local ***.**.173.172:61205 Re-using SSL/TLS context

I noticed that on the TAP client the gateway is not assigned, so I tried to configure it manually rather than obtaining it from DHCP, but the results were:
Code:
Tracing route to 192.168.100.102 over a maximum of 30 h

Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Tuesday 13 April 2010, 01:20:02 pm

Also there are a lot of pages like this on Endian's firewall log:
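Step 7 of mrkroket's list turns a tracert run into a verdict: a GREEN host answering on hop 1 means the packet went straight into the bridged tunnel, while a first hop outside the subnet means the client's default route won because the network was not pushed. The script below is an added example, not from the thread or from Endian, that parses Windows tracert output and applies that rule. The GREEN subnet 192.168.100.0/24 and the target .102 come from the thread; the three tracert outputs are constructed, since the ones posted above are truncated.

```python
"""Classify a Windows tracert run the way step 7 of the checklist does.

Added example, not from the thread or from Endian.  The tracert outputs are
constructed to show the three outcomes a VPN client can see; the GREEN subnet
192.168.100.0/24 and the target host come from the thread.
"""
import re
from ipaddress import ip_address, ip_network

GREEN = ip_network("192.168.100.0/24")

# Constructed sample 1: the target answers on hop 1, so the packet went
# straight across the bridged tunnel.
TRACE_IN_TUNNEL = """\
Tracing route to 192.168.100.102 over a maximum of 30 hops

  1     2 ms     1 ms     1 ms  192.168.100.102

Trace complete.
"""

# Constructed sample 2: hop 1 is the home router, so the VPN subnet was not
# pushed and the packet left via the client's default route.
TRACE_LEAK = """\
Tracing route to 192.168.100.102 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
"""

# Constructed sample 3: nothing answers at all (a host firewall or a VPN
# firewall rule silently dropping the packet).
TRACE_DROP = """\
Tracing route to 192.168.100.102 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s*$")           # "  1   ..." hop rows only
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")  # trailing IP, with or without "name [ip]"


def parse_tracert(text):
    """Return [(hop_number, responder_ip_or_None)] from tracert output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, blank line or "Trace complete."
        ip = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops


def classify(hops, target, subnet=GREEN):
    """Verdict from the first hop: in-tunnel, outside-tunnel, via-gateway or no-reply."""
    if not hops:
        return "no-hops"
    first = hops[0][1]
    if first == target:
        return "in-tunnel"        # reached in one step, as step 7 expects
    if first is None:
        return "no-reply"         # dropped before any router answered
    if ip_address(first) not in subnet:
        return "outside-tunnel"   # default route won: networks not pushed
    return "via-gateway"          # answered by a GREEN host that is not the target


if __name__ == "__main__":
    for name, text in [("sample1", TRACE_IN_TUNNEL), ("sample2", TRACE_LEAK), ("sample3", TRACE_DROP)]:
        print(name, classify(parse_tracert(text), "192.168.100.102"))
```

The `via-gateway` case covers a routed (tun) setup where the Endian box answers hop 1 before the target; in the bridged tap setup from this thread only `in-tunnel` is the healthy result, and `no-reply` is the symptom to check against the host firewall and the VPN firewall rules mrkroket asks for next.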
Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Wednesday 14 April 2010, 01:59:08 am

Good and bad news:

Good news: your traffic is being routed OK, so your VPN in fact is OK.
Bad news: you still can connect to your PC.

You don't need a gateway on the TAP interface; in fact it's better not to have one, since subnet 192.168.100.0 is local to you.

Just to check:
1- Ensure both PCs can reply to ping. Double check that it isn't a Windows Firewall problem. It happens to me a lot of times that problems rely on something totally different. Try to ping from your Endian firewall console to 192.168.100.102. If that doesn't work, you have blocked the ping reply on the .102 PC. See http://www.sysprobs.com/enable-ping-reply-windows-7 and, on Control Panel->Firewall->Advanced->ICMP->Allow incoming echo request. Disable Windows Firewall on both machines.
2- Try the reverse ping/traceroute, from .102 to .160.
3- On your last log I don't see any ICMP traffic. On the VPN firewall disable all logs, and create first-position rules to accept and log traffic of protocol ICMP in both directions: the first rule from Any VPN User to GREEN and the second rule vice versa.

Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Thursday 15 April 2010, 01:46:21 am

I just found the problem: promiscuous mode was rejected on the VMware vSwitches! I allowed it and now VPN clients are able to see and access all LAN PCs.

Thanks to mrkroket and everyone else who helped here in this topic! ;D

Title: Re: Can't access server from outside (internet-red)
Post by: raneesh on Saturday 17 April 2010, 08:17:40 pm

Which version of Endian are you using?

Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Saturday 24 April 2010, 04:02:52 pm

> I just found the problem: promiscuous mode was rejected on the VMware vSwitches! I allowed it and now VPN clients are able to see and access all LAN PCs.

Hmmm, you never mentioned you have a virtualization layer.

> Thanks to mrkroket and everyone else who helped here in this topic! ;D

That complicates the whole thing, adding more test points. Well, whatever, congrats on resolving it by yourself. :D