endian community 2.4 VPN Gw2Gw problem

[Guest]

[e-telligent]

Hi,

I successfully configure endian community 2.4 VPN Gw2Gw  with this configuration:


network1 -----> endian VPN server ----->  INTERNET -------> endian Gw2Gw Client -------> network2


PLEASE PASTE HERE YOUR :
-----> route -n  output if your vpn connection have problem.
-----> cat /etc/sudoers | grep 'openvpn'

[logicasrl]

Thank you e-telligent for your help availability.
I have no means at the moment to upload what you are asking for, but tomorrow I will certainly upload what you need.

By the way, I have upgraded one of the 2 EFW from 2.2 to 2.4 (by efw-upgrade from a ssh session), with no errors, but I've noticed to have lost my "proxy" and "port forwarding" configurations... Could this have some consequences on the OpenVPN side too?

Thank you again,
Luca

[e-telligent]

Hi,

VPN is different from port forward and proxy config

[logicasrl]

Here are the outputs of the "route -n" and "cat /etc/sudoers" for both EFW.

root@fw01:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
78.4.160.48     0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 tap2
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         78.4.160.49     0.0.0.0         UG    0      0        0 eth1
root@fw01:~ # cat /etc/sudoers | grep 'openvpn'
nobody  ALL=NOPASSWD: /usr/bin/openvpn-user
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
openvpn  ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
openvpn  ALL=NOPASSWD: /usr/local/bin/remoteroute.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setsnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setrouting.py
nobody  ALL=NOPASSWD: /etc/init.d/openvpnclient
openvpn  ALL=NOPASSWD: /usr/local/bin/setdnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
root@fw01:~ #

root@efw-1283440485:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
93.64.140.112   0.0.0.0         255.255.255.240 U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.254.0   0.0.0.0         255.255.255.0   U     0      0        0 tap1
0.0.0.0         93.64.140.113   0.0.0.0         UG    0      0        0 eth1
root@efw-1283440485:~ # cat /etc/sudoers | grep 'openvpn'
nobody  ALL=NOPASSWD: /usr/bin/openvpn-user
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
nobody  ALL=NOPASSWD: /etc/init.d/openvpnclient
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
openvpn  ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setsnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
root@efw-1283440485:~ #

I see that the last one have not "openvpn" (but "nobody") on the "setdnat" and "remoteroute" lines: I'll put in it "openvpn" and I'll make you know.

Thank you for your help,
Luca

[logicasrl]

I've posted the last trials on this thread: "OpenVPN gw2gw tunnel packet loss"
Thank you
Luca

[e-telligent]

Hi,


Add this in sudoers:


openvpn  ALL=NOPASSWD: /usr/local/bin/remoteroute.py

and restart your vpn server

[logicasrl]

Thank you Leonil for your hints.
In the next days I will be out of office: I'll try your suggestion not before September the 29th.
Luca

[jzola]

hmm Please check out how do i set. because its not working

This is a test network with esxi. GW 192.168.6.1 not exist.


CLIENT(192.168.1.1/24) --- (192.168.1.72/24) EFW1 (192.168.6.72) --- (192.168.6.71) EFW2 ( 192.168.1.71/24) --- Client(192.168.1.153/24)


Default configured Endians 2.4, no extra settings.. only just all allowed outgoing firewall etc.

EFW1:
-Enabled OpenVPN with one user

EFW2:
-Gw2Gw established to EFW1  bridged to GREEN


EFW1(in ssh):
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.6.1     0.0.0.0         UG    0      0        0 eth1

-able ping 192.168.1.71
-cant ping 192.168.1.153
-can ping 192.168.1.1



in EFW2:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
0.0.0.0         192.168.6.1     0.0.0.0         UG    0      0        0 eth1

-able ping 192.168.1.72
-cant ping 192.168.1.1
-can ping 192.168.1.153


192.168.1.153 cant ping 192.168.1.1
-and if i run  "tcpdump src host 192.168.1.153" when pinging i see this:
20:18:42.586765 arp who-has 192.168.1.1 tell 192.168.1.153
20:18:43.586865 arp who-has 192.168.1.1 tell 192.168.1.153
20:18:44.587448 arp who-has 192.168.1.1 tell 192.168.1.153



Both endian:   I added you suggested lines.
cat /etc/sudoers | grep 'openvpn'
nobody  ALL=NOPASSWD: /usr/bin/openvpn-user
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpnclients.py
nobody  ALL=NOPASSWD: /etc/init.d/openvpnclient
nobody  ALL=NOPASSWD: /usr/local/bin/restartopenvpn.py
openvpn  ALL=NOPASSWD: /usr/local/bin/updatednsmasq.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setsnat.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setvpnfw.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/setpolicyrouting.py
openvpn  ALL=NOPASSWD: /usr/local/bin/remoteroute.py
openvpn ALL=NOPASSWD: /usr/local/bin/setdnat.py

[logicasrl]

Hi everybody,

I've finally tried the "single VPN connection" suggested to me and in fact... it's WORKING now and there is NO MORE packets loss.

What to pay attention to (in my opinion):
1. with two VPN connections (from client to server and vice versa) there ARE routing problems (not better identiified);
2. it is necessary to start "VPN firewall" (Firewall - VPN traffic) at both sites (and configuring an "any to any" rule for test purposes, for example);
3. it is necessary to configure a "Source NAT" rule (Firewall - Port Forwarding / NAT - Source NAT) at both sites.
N.B. with NO "VPN firewall" and "Source NAT" configured, there is NO communication between the two end sites (100 % packet loss with "ping")

There is, however, a last problem. Everything is working right but only in one direction (let's say from the EFW acting as "OpenVPN client" to the EFW acting as "OpenVPN server"), but I would need a bidirectional link.
At the moment only the LAN PCs behind the "OpenVPN client" can connect to the LAN PCs behind the "OpenVPN Server".

I've also tried to "ping" the LAN behind the "OpenVPN client" from an SSH session on the "OpenVPN server", but there is NO ROUTE to the remote LAN. I cannot "ping" the remote EFW acting as "OpenVPN client" itself.

How is it possible to obtain a bidirectional tunnel???

Thank you very much,
Luca

[jzola]

What's your SNAT rule?

[logicasrl]

What's your SNAT rule?

In my case the client side has a subnet 192.168.0.0, and the server side 192.168.254.0.

On the client side I've got this SNAT rule:
source = 192.168.0.0/24
Destination = 192.168.254.0/24
Service = <ANY>
NAT to = "name of the openvpn gw2gw connection"

[jzola]

What's your SNAT rule?

In my case the client side has a subnet 192.168.0.0, and the server side 192.168.254.0.

On the client side I've got this SNAT rule:
source = 192.168.0.0/24
Destination = 192.168.254.0/24
Service = <ANY>
NAT to = "name of the openvpn gw2gw connection"

Ahha but I want same subnet both site.

[logicasrl]

What's your SNAT rule?

In my case the client side has a subnet 192.168.0.0, and the server side 192.168.254.0.

On the client side I've got this SNAT rule:
source = 192.168.0.0/24
Destination = 192.168.254.0/24
Service = <ANY>
NAT to = "name of the openvpn gw2gw connection"

Ahha but I want same subnet both site.

Hmmm, from what I know, this is NOT possible.
It seems, from Endian documentation, that the two LAN MUST have different IP addresses...
Luca

[jzola]

You can set in openvpn gw2gw, that Bridge to your GREEN.
and can traffic dhcp responses.


iam confused now..

[logicasrl]

You can set in openvpn gw2gw, that Bridge to your GREEN.
and can traffic dhcp responses.


iam confused now..

Sorry, I fear I can't help you on this subject: I'm not so skilled in Endian "way of working"...
Luca