Solved

Server behind OpenVPN server does not respond

Posted on 2010-04-06
Last Modified: 2012-06-27
I have installed a Zeroshell VPN router with a host-to-LAN VPN. If I ping an IP address from the client through the VPN it works, but sometimes processes do not respond (192.168.110.6/mantis or subversion), although I can always ping the IP. Sometimes it works, sometimes not. If I use my second VPN connection, which is PPTP, I can access the servers all the time.
Question by: Patricck
10 Comments

Expert Comment by: Gabriel Orozco (ID: 29956955)
I do not have experience with Zeroshell, but let's try to find the error:

Are there firewall rules applying to OpenVPN that are not applied to PPTP, say NAT or any other iptables rules?

Post here the output of
iptables -L -vn -t nat

and the output of
iptables -L -vn

on the OpenVPN server (I believe that is the Zeroshell box, right?).

Workaround: what about putting a NAT from the firewall to the inside and seeing if that solves the problem?

# considering eth0 is the internal network card and the OpenVPN network is 10.8.0.0/16:
iptables -A POSTROUTING -t nat -o eth0 -s 10.8.0.0/16 -j MASQUERADE

Author Comment by: Patricck (ID: 29993614)
Hi, thanks for the answer.
Yes, there are, but if I disable the firewall it is the same thing.
iptables -L -vn -t nat:
Chain PREROUTING (policy ACCEPT 3780K packets, 341M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723 to:192.168.110.253:1723
  902 41876 DNAT       tcp  --  ETH01  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723 to:192.168.110.253:1723
    0     0 DNAT       udp  --  ETH01  *       0.0.0.0/0            0.0.0.0/0           udp dpt:1723 to:192.168.110.253:1723
  341 19910 DNAT       47   --  ETH01  *       0.0.0.0/0            0.0.0.0/0           to:192.168.110.253
 709K   38M Proxy      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain POSTROUTING (policy ACCEPT 951K packets, 58M bytes)
 pkts bytes target     prot opt in     out     source               destination
3886K  312M SNATVS     all  --  *      *       0.0.0.0/0            0.0.0.0/0
2935K  254M MASQUERADE  all  --  *      ETH01   0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      VPN00   0.0.0.0/0            0.0.0.0/0
  129  6265 MASQUERADE  all  --  *      VPN99   0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1438K packets, 95M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain Proxy (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SNATVS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0xff1973

------------------------------------------------------------------------
iptables -L -vn: see the attachment below.
I have a NAT configured on the Zeroshell box.
Zeroshell is the OpenVPN server.

I don't understand why it works sometimes and sometimes not. Hmm...

iptables -L -vn:
Chain INPUT (policy DROP 159K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination
  19M 1111M SYS_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  523 33338 SYS_HTTPS  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
39824 2989K SYS_HTTPS  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
8884K  375M SYS_SSH    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     47   --  ppp0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     47   --  ETH01  *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1701
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:1701
    0     0 ACCEPT     tcp  --  ETH01  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5000
 513K   91M ACCEPT     udp  --  ETH01  *       0.0.0.0/0            0.0.0.0/0           udp dpt:5000
18061  764K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
  573 48132 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
 184K   12M ACCEPT     udp  --  ETH00  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     47   --  ETH00  *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  ETH00  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
  202 19596 ACCEPT     tcp  --  ETH01  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1195
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1195
    0     0 ACCEPT     udp  --  ETH01  *       0.0.0.0/0            0.0.0.0/0           udp dpt:1195
    0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:1195
    0     0 ACCEPT     all  --  VPN00  *       0.0.0.0/0            0.0.0.0/0
26001 2297K ACCEPT     all  --  VPN99  *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 164M packets, 116G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 18M packets, 4928M bytes)
 pkts bytes target     prot opt in     out     source               destination
  30M 5716M SYS_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain NetBalancer (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain SYS_HTTPS (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       81.2.197.75          0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       92.240.234.46        0.0.0.0/0
73603 5415K ACCEPT     all  --  *      *       192.168.110.0/24     0.0.0.0/0
 1538 77652 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SYS_INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  12M  748M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 514K   97M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 state ESTABLISHED
 1317 1047K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:80 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:8245 state ESTABLISHED
11163  848K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:123 state ESTABLISHED
  11M  593M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SYS_OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
  12M  748M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
 522K   40M ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
 1455 97424 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8245
11317  860K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:123
  18M 4928M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SYS_SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
8884K  375M ACCEPT     all  --  *      *       192.168.110.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       92.240.234.46        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       81.2.197.75          0.0.0.0/0
  172  9308 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

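The NAT table posted above can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from Zeroshell: it parses `iptables -L -vn` output into rule records, reports the MASQUERADE packet counter per outgoing interface, lists the DNAT port forwards, and flags masquerade rules that have never matched a packet (for instance, whether the VPN interface's MASQUERADE rule is hit at all). The sample input is the PREROUTING, POSTROUTING and SNATVS chains exactly as posted; the class and function names are my own.

```python
import re
from dataclasses import dataclass

# iptables -vn prints counters with 1000-based suffixes unless -x is given.
UNITS = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

# Taken verbatim from the "iptables -L -vn -t nat" output posted above.
NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT 3780K packets, 341M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723 to:192.168.110.253:1723
  902 41876 DNAT       tcp  --  ETH01  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723 to:192.168.110.253:1723
    0     0 DNAT       udp  --  ETH01  *       0.0.0.0/0            0.0.0.0/0           udp dpt:1723 to:192.168.110.253:1723
  341 19910 DNAT       47   --  ETH01  *       0.0.0.0/0            0.0.0.0/0           to:192.168.110.253
 709K   38M Proxy      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain POSTROUTING (policy ACCEPT 951K packets, 58M bytes)
 pkts bytes target     prot opt in     out     source               destination
3886K  312M SNATVS     all  --  *      *       0.0.0.0/0            0.0.0.0/0
2935K  254M MASQUERADE  all  --  *      ETH01   0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      VPN00   0.0.0.0/0            0.0.0.0/0
  129  6265 MASQUERADE  all  --  *      VPN99   0.0.0.0/0            0.0.0.0/0

Chain SNATVS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0xff1973
"""


@dataclass
class Rule:
    chain: str
    pkts: int
    nbytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # match options after the destination column, e.g. "tcp dpt:1723 to:..."


def parse_count(tok: str) -> int:
    """Turn '2935K' / '41876' into an integer packet or byte count."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", tok)
    if not m:
        raise ValueError(f"bad counter: {tok!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_rules(text: str):
    """Parse 'iptables -L -vn' output: nine fixed columns, then free-form match text."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
        elif line.strip().startswith("pkts") or not line.strip() or chain is None:
            continue
        else:
            parts = line.split(None, 9)
            if len(parts) < 9:
                continue
            pkts, nbytes, target, proto, _opt, in_if, out_if, src, dst = parts[:9]
            extra = parts[9].strip() if len(parts) > 9 else ""
            rules.append(Rule(chain, parse_count(pkts), parse_count(nbytes),
                              target, proto, in_if, out_if, src, dst, extra))
    return rules


def masquerade_counters(rules):
    """Packets masqueraded per outgoing interface (POSTROUTING MASQUERADE rules only)."""
    return {r.out_if: r.pkts for r in rules
            if r.chain == "POSTROUTING" and r.target == "MASQUERADE"}


def unused_masquerade(rules):
    """Outgoing interfaces whose MASQUERADE rule has never matched a packet."""
    return sorted(i for i, n in masquerade_counters(rules).items() if n == 0)


def dnat_targets(rules):
    """(in_if, proto, dport, to) for every DNAT rule; dport is None for protocol-only rules (GRE)."""
    out = []
    for r in rules:
        if r.target != "DNAT":
            continue
        dport = re.search(r"dpt:(\d+)", r.extra)
        to = re.search(r"to:(\S+)", r.extra)
        out.append((r.in_if, r.proto,
                    int(dport.group(1)) if dport else None,
                    to.group(1) if to else None))
    return out


if __name__ == "__main__":
    rules = parse_rules(NAT_TABLE)
    print("masquerade packets by out-interface:", masquerade_counters(rules))
    print("masquerade rules never hit:", unused_masquerade(rules))
    for t in dnat_targets(rules):
        print("DNAT", t)
```

Run it against a fresh dump taken while the problem is occurring rather than the posted one, and take two dumps a few seconds apart: a counter that does not move on the interface the VPN clients use tells you more than the rule's presence does.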
 
Expert Comment by: Gabriel Orozco (ID: 30027981)
What is the IP of the Zeroshell box?

It looks like the PPTP server is another internal machine at the IP 192.168.110.253, and you need to NAT internally because the Zeroshell box is not the default gateway, right?

How about fixing things correctly:
a) put an entry on the application box for the VPN network using the Zeroshell box as the gateway,
   something like
   route add 10.8.0.0/16 gateway internal.ip.of.zero.shell
b) disable NAT temporarily for the OpenVPN service on the Zeroshell box to do the test
c) test to see if there are no more disconnections

I would like to know which VPN is OpenVPN: VPN99? VPN00? My understanding is that ppp0 is the internet interface and ETH01 is the LAN one.

Please correct me if I'm wrong.

Author Comment by: Patricck (ID: 30037964)
Hi, thanks for the answer.
My PPTP server is a router at the 192.168.110.253 address.
The Zeroshell box is the default gateway in the LAN and its address is 192.168.110.254.
I have a firewall configured on my Zeroshell box, which identifies the incoming ports, and if it is the PPTP port, it forwards the packets to the PPTP router.

VPN00 is used to connect the server to another Zeroshell server; it is a LAN-to-LAN connection.
ETH01 is my main internet connection.
ppp0 is my second internet connection, but it is unplugged at the moment; it will be used for load balancing.
VPN99 is my OpenVPN connection.

Expert Comment by: Gabriel Orozco (ID: 30046977)
Great information. This means you have your OpenVPN running on port udp/5000.

That port was used a long time ago, in the times of OpenVPN 1.x with preshared keys.

For those, the usual options to make the VPN more resilient to changes, and also to have some logging, are in the code attached.

Could you please post your OpenVPN config file (I assume it is named server.conf)?

server.conf:
... (your other options)
-----8<-----------------------------
keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/status.log
verb 5
-----8<-----------------------------

Author Comment by: Patricck (ID: 30049690)
Hi,
I have attached my config file, but I have a bad feeling that the problem is on the internal LAN, because it is only Linux machines I cannot access. Strange... maybe something could be wrong with the ARP tables on our switch?
comp-lzo
verb 3
mute 20
resolv-retry infinite
nobind
client
dev tap
persist-key
persist-tun
route-method exe
route-delay 2


Author Comment by: Patricck (ID: 30051249)
Sorry, this is my client config file.
I don't know where I can find the server config file on the Zeroshell box... Hmm. I am accessing the options via a web interface.

Expert Comment by: Gabriel Orozco (ID: 30085153)
It looks like there are OpenVPN logs enabled on the Zeroshell OpenVPN server:
http://www.zeroshell.net/eng/ss/#vpn

Have you analyzed the log?

If you cannot find anything, post it here (especially from when you suffer a disconnection) so we can try to validate what is happening.

Author Comment by: Patricck (ID: 30614813)
Hi,
thanks for your answer; sorry, but I could not access the server for a few days. What I don't understand is... I can always connect to Windows machines (remote desktop etc.), but some Linux machines cannot be accessed many times....
If 192.168.110.3 is a Linux machine, 192.168.110.3/mantis through HTTP is not working half of the time...

Why is this happening? I can always access it from the LAN.

This is my server log:
14:20:56       @client IP@:59401 Re-using SSL/TLS context
14:20:56       @client IP@:59401 LZO compression initialized
14:20:58       @client IP@:59401 [vpn-user@aaa.LOCAL] Trying Kerberos 5 (Local KDC) authentication
14:20:58       @client IP@:59401 [vpn-user@aaa.LOCAL] Successfully authenticated
14:20:58       @client IP@:59401 [vpn-user] Peer Connection Initiated with @client IP@:59401
14:20:58       @client IP@:59401 [vpn-user] Virtual IP automatically assigned: 192.168.111.100
14:29:19       @client IP@:59319 Re-using SSL/TLS context
14:29:19       @client IP@:59319 LZO compression initialized
14:29:19       @client IP@:59319 [vpn-user@aaa.LOCAL] Trying Kerberos 5 (Local KDC) authentication
14:29:19       @client IP@:59319 [vpn-user@aaa.LOCAL] Successfully authenticated
14:29:19       @client IP@:59319 [vpn-user] Peer Connection Initiated with @client IP@:59319
14:29:19       @client IP@:59319 [vpn-user] Virtual IP automatically assigned: 192.168.111.101
14:29:36       vpn-user/@client IP@:59401 [vpn-user] Inactivity timeout (--ping-restart), restarting
14:29:36       @client IP@:59401 [vpn-user] Client disconnected

The client log file is attached below.

Thanks very much.
Best regards
Patrik
Tue Apr 13 14:31:02 2010 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Tue Apr 13 14:31:28 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Tue Apr 13 14:31:28 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Apr 13 14:31:28 2010 LZO compression initialized
Tue Apr 13 14:31:28 2010 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Apr 13 14:31:28 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Apr 13 14:31:28 2010 Local Options hash (VER=V4): 'd79ca330'
Tue Apr 13 14:31:28 2010 Expected Remote Options hash (VER=V4): 'f7df56b8'
Tue Apr 13 14:31:28 2010 UDPv4 link local: [undef]
Tue Apr 13 14:31:28 2010 UDPv4 link remote: @server IP@:1194
Tue Apr 13 14:31:28 2010 TLS: Initial packet from @server IP@:1194, sid=e7a6cf42 9339a190
Tue Apr 13 14:31:28 2010 VERIFY OK: depth=1, /C=SK/ST=State/L=city/O=aaa.com/OU=bbb_Server/CN=bbb.com/emailAddress=qqq@aaa.com
Tue Apr 13 14:31:28 2010 VERIFY OK: depth=0, /C=SK/ST=State/O=aaa.com/OU=aaa.com/CN=@client IP@/emailAddress=qqq@aaa.com
Tue Apr 13 14:31:28 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 13 14:31:28 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 13 14:31:28 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 13 14:31:28 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 13 14:31:28 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr 13 14:31:28 2010 [@client IP@] Peer Connection Initiated with @server IP@:1194
Tue Apr 13 14:31:29 2010 SENT CONTROL [@client IP@]: 'PUSH_REQUEST' (status=1)
Tue Apr 13 14:31:29 2010 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.111.1,,dhcp-option DNS 192.168.111.1,route remote_host 255.255.255.255 net_gateway 1,route 192.168.110.0 255.255.255.255,route 192.168.2.0 255.255.255.255,route 192.168.110.0 255.255.255.0,route 192.168.2.0 255.255.255.0,ping 5,ping-restart 60,ifconfig 192.168.111.101 255.255.255.0'
Tue Apr 13 14:31:29 2010 OPTIONS IMPORT: timers and/or timeouts modified
Tue Apr 13 14:31:29 2010 OPTIONS IMPORT: --ifconfig/up options modified
Tue Apr 13 14:31:29 2010 OPTIONS IMPORT: route options modified
Tue Apr 13 14:31:29 2010 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Apr 13 14:31:29 2010 TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{0B2B867D-47A4-4D75-AADE-4A8E61F219E8}.tap
Tue Apr 13 14:31:29 2010 TAP-Win32 Driver Version 8.4 
Tue Apr 13 14:31:29 2010 TAP-Win32 MTU=1500
Tue Apr 13 14:31:29 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.111.101/255.255.255.0 on interface {0B2B867D-47A4-4D75-AADE-4A8E61F219E8} [DHCP-serv: 192.168.111.0, lease-time: 31536000]
Tue Apr 13 14:31:29 2010 Successful ARP Flush on interface [4] {0B2B867D-47A4-4D75-AADE-4A8E61F219E8}
Tue Apr 13 14:31:29 2010 TEST ROUTES: 0/0 succeeded len=5 ret=0 a=0 u/d=down
Tue Apr 13 14:31:29 2010 Route: Waiting for TUN/TAP interface to come up...
Tue Apr 13 14:31:31 2010 TEST ROUTES: 0/0 succeeded len=5 ret=0 a=0 u/d=down
Tue Apr 13 14:31:31 2010 Route: Waiting for TUN/TAP interface to come up...
Tue Apr 13 14:31:31 2010 TEST ROUTES: 5/5 succeeded len=5 ret=1 a=0 u/d=up
Tue Apr 13 14:31:31 2010 route ADD @server IP@ MASK 255.255.255.255 192.168.113.252 METRIC 1
Tue Apr 13 14:31:31 2010 Route addition via IPAPI succeeded
Tue Apr 13 14:31:31 2010 route ADD 192.168.110.0 MASK 255.255.255.255 192.168.111.1
Tue Apr 13 14:31:31 2010 Route addition via IPAPI succeeded
Tue Apr 13 14:31:31 2010 route ADD 192.168.2.0 MASK 255.255.255.255 192.168.111.1
Tue Apr 13 14:31:31 2010 Route addition via IPAPI succeeded
Tue Apr 13 14:31:31 2010 route ADD 192.168.110.0 MASK 255.255.255.0 192.168.111.1
Tue Apr 13 14:31:31 2010 Route addition via IPAPI succeeded
Tue Apr 13 14:31:31 2010 route ADD 192.168.2.0 MASK 255.255.255.0 192.168.111.1
Tue Apr 13 14:31:31 2010 Route addition via IPAPI succeeded
Tue Apr 13 14:31:31 2010 Initialization Sequence Completed

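The two logs above carry more than the disconnect. The server log shows a second session for the same user (source port 59319) coming up while the first (59401) was still alive, and the first one then dying on the --ping-restart inactivity timer. The client log carries OpenVPN's own warning that no server certificate verification method is enabled (without `ns-cert-type server` or `remote-cert-tls server` any certificate issued by the same CA, including another client's, is accepted as the server), a BF-CBC data channel (Blowfish, a 64-bit block cipher) and a 1024-bit RSA control channel, and the PUSH_REPLY pushes each LAN twice, once as a /32 to the network address and once as a /24. The following is an added example, not code from this thread or from Zeroshell or OpenVPN: it parses both logs, groups server events into sessions per client port, detects overlapping reconnects, scans the client log for those weak-transport lines, and extracts the pushed routes. The sample lines are copied from the logs posted above (the poster's "@client IP@" redaction is kept); the function names and finding codes are my own.

```python
import re
from collections import OrderedDict

# Server-side lines copied from the Zeroshell OpenVPN log posted above.
SERVER_LOG = """\
14:20:58       @client IP@:59401 [vpn-user] Peer Connection Initiated with @client IP@:59401
14:20:58       @client IP@:59401 [vpn-user] Virtual IP automatically assigned: 192.168.111.100
14:29:19       @client IP@:59319 [vpn-user] Peer Connection Initiated with @client IP@:59319
14:29:19       @client IP@:59319 [vpn-user] Virtual IP automatically assigned: 192.168.111.101
14:29:36       vpn-user/@client IP@:59401 [vpn-user] Inactivity timeout (--ping-restart), restarting
14:29:36       @client IP@:59401 [vpn-user] Client disconnected
"""

# Client-side lines copied from the OpenVPN 2.0.9 Windows client log posted above.
CLIENT_LOG = """\
Tue Apr 13 14:31:28 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Apr 13 14:31:28 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Apr 13 14:31:28 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Apr 13 14:31:29 2010 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.111.1,,dhcp-option DNS 192.168.111.1,route remote_host 255.255.255.255 net_gateway 1,route 192.168.110.0 255.255.255.255,route 192.168.2.0 255.255.255.255,route 192.168.110.0 255.255.255.0,route 192.168.2.0 255.255.255.0,ping 5,ping-restart 60,ifconfig 192.168.111.101 255.255.255.0'
"""

# "HH:MM:SS  [user/]peer:port  message". The peer is matched lazily because the
# poster redacted it as "@client IP@", which contains a space.
SERVER_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(?:[\w-]+/)?(.+?):(\d+)\s+(.*)$")


def server_sessions(text):
    """Group server log lines by client source port (one OpenVPN session per port)."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if not m:
            continue
        ts, _peer, port, msg = m.groups()
        s = sessions.setdefault(port, {"start": None, "vip": None, "timeout": None, "end": None})
        if "Peer Connection Initiated" in msg:
            s["start"] = ts
        elif "Virtual IP automatically assigned:" in msg:
            s["vip"] = msg.rsplit(" ", 1)[1]
        elif "Inactivity timeout (--ping-restart)" in msg:
            s["timeout"] = ts
        elif "Client disconnected" in msg:
            s["end"] = ts
    return sessions


def overlapping_reconnects(sessions):
    """(old_port, new_port) pairs where a new session came up before the old one was torn down."""
    pairs, ports = [], list(sessions)
    for i, old in enumerate(ports):
        for new in ports[i + 1:]:
            o, n = sessions[old], sessions[new]
            if (o["start"] and n["start"] and o["start"] <= n["start"]
                    and (o["end"] is None or n["start"] < o["end"])):
                pairs.append((old, new))
    return pairs


# Client log strings that point at weak transport settings (finding codes are my own).
CLIENT_CHECKS = [
    ("No server certificate verification method", "no-server-cert-verification"),
    ("Cipher 'BF-CBC'", "bf-cbc-64-bit-block-cipher"),
    ("1024 bit RSA", "rsa-1024-control-channel"),
]


def client_findings(text):
    found = []
    for line in text.splitlines():
        for needle, code in CLIENT_CHECKS:
            if needle in line and code not in found:
                found.append(code)
    return found


def pushed_routes(text):
    """(network, netmask) pairs the server pushed in PUSH_REPLY, excluding the remote_host route."""
    routes = []
    for line in text.splitlines():
        if "PUSH_REPLY," not in line:
            continue
        body = line.split("PUSH_REPLY,", 1)[1].rstrip("'")
        for opt in body.split(","):
            parts = opt.split()
            if len(parts) >= 3 and parts[0] == "route" and parts[1] != "remote_host":
                routes.append((parts[1], parts[2]))
    return routes


def redundant_host_routes(routes):
    """/32 routes to a network address that a pushed /24 for the same network already covers."""
    nets24 = {net for net, mask in routes if mask == "255.255.255.0"}
    return [net for net, mask in routes if mask == "255.255.255.255" and net in nets24]


if __name__ == "__main__":
    sessions = server_sessions(SERVER_LOG)
    print("sessions:", dict(sessions))
    print("overlapping reconnects:", overlapping_reconnects(sessions))
    print("client findings:", client_findings(CLIENT_LOG))
    routes = pushed_routes(CLIENT_LOG)
    print("pushed routes:", routes, "redundant /32:", redundant_host_routes(routes))
```

The session view is the part worth keeping for the disconnect problem: an overlapping reconnect means the client gave up (its own ping-restart) and started a new TLS session before the server noticed the old one was dead, so for a while the same user holds two virtual IPs. The transport findings are independent of the disconnects but are what a reviewer of this client log would raise.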
 
Accepted Solution by: Patricck (earned 0 total points, ID: 32583093)
I have found the problem:
it was an internal problem with our switch or network card. I have added static MAC addresses to the ARP table, and it is now working.

Best regards
Patrik
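Before pinning static ARP entries it is worth confirming that the IP-to-MAC mapping really does change, since a static entry hides the fault rather than fixing it and has to be redone whenever the host's NIC is replaced. The following is an added example, not from this thread or from Zeroshell: it parses `ip -4 neigh show` snapshots taken a few seconds apart, reports hosts whose resolved MAC flaps between samples, lists the entries that are already static (state PERMANENT), and generates the iproute2 commands that pin the current mapping. The two snapshots are constructed; the interface name ETH00 follows the Zeroshell naming seen in the iptables output above, and the MAC addresses are made up.

```python
import re

# Constructed "ip -4 neigh show" snapshots (not from the thread). ETH00 follows the
# Zeroshell interface naming seen above; the MAC addresses are invented.
SNAPSHOT_1 = """\
192.168.110.3 dev ETH00 lladdr 00:0c:29:aa:bb:01 REACHABLE
192.168.110.6 dev ETH00 lladdr 00:0c:29:aa:bb:02 STALE
192.168.110.253 dev ETH00 lladdr 00:1a:2b:3c:4d:5e PERMANENT
"""
SNAPSHOT_2 = """\
192.168.110.3 dev ETH00 lladdr 00:0c:29:aa:bb:ff REACHABLE
192.168.110.6 dev ETH00 lladdr 00:0c:29:aa:bb:02 REACHABLE
192.168.110.253 dev ETH00 lladdr 00:1a:2b:3c:4d:5e PERMANENT
192.168.110.9 dev ETH00 FAILED
"""

# "IP dev DEV [lladdr MAC] STATE"; FAILED/INCOMPLETE entries have no lladdr.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr (\S+))? (\S+)$")


def parse_neigh(text):
    """ip -> (dev, mac, state); entries without a resolved MAC get mac=None."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            ip, dev, mac, state = m.groups()
            table[ip] = (dev, mac, state)
    return table


def flapping_hosts(*snapshots):
    """IPs whose resolved MAC differs between snapshots -> set of MACs seen."""
    seen = {}
    for snap in snapshots:
        for ip, (_dev, mac, _state) in parse_neigh(snap).items():
            if mac:
                seen.setdefault(ip, set()).add(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def static_entries(text):
    """IPs already pinned as static (PERMANENT) entries."""
    return sorted(ip for ip, (_d, _m, state) in parse_neigh(text).items()
                  if state == "PERMANENT")


def pin_commands(text, ips):
    """iproute2 commands that pin the currently resolved MAC for the given IPs."""
    table = parse_neigh(text)
    cmds = []
    for ip in ips:
        dev, mac, _state = table[ip]
        if mac:
            cmds.append(f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent")
    return cmds


if __name__ == "__main__":
    flapping = flapping_hosts(SNAPSHOT_1, SNAPSHOT_2)
    print("flapping:", flapping)
    print("already static:", static_entries(SNAPSHOT_2))
    for cmd in pin_commands(SNAPSHOT_1, sorted(flapping)):
        print(cmd)
```

A host that really flaps between two MACs on the same interface usually means two NICs answering for one address (a duplicate IP, a misconfigured bond, or a VM with a stale clone), and that is the thing to fix on the switch side; the generated `ip neigh replace ... nud permanent` lines are the workaround the thread ended with, and they only protect the box they are run on.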