OpenVPN client does not have access to the green side.

mg
Posts: 5
Joined: March 3rd, 2010, 10:06 am

OpenVPN client does not have access to the green side.

Post by mg » December 7th, 2014, 6:51 pm

Hello all,
I have read many earlier topics about this problem, but I can't solve my access problem.
I changed the necessary Windows 8.1 client registry option, and I ran the OpenVPN client with administrator rights, etc. I can ping the IPFire green-side IP address, and no more. I can't reach any IP address in the green zone. In my opinion this is a routing problem. I have inserted all the OpenVPN logs and routing tables. Can't I see simple things in the routing table? Please, somebody teach me to see! Thanks for your answers.

OpenVPN Client connection log:

Sun Dec 07 12:02:10 2014 DEPRECATED OPTION: --tls-remote, please update your configuration
Sun Dec 07 12:02:10 2014 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
Sun Dec 07 12:02:10 2014 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Sun Dec 07 12:02:10 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Dec 07 12:02:10 2014 Need hold release from management interface, waiting...
Sun Dec 07 12:02:10 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Dec 07 12:02:11 2014 MANAGEMENT: CMD 'state on'
Sun Dec 07 12:02:11 2014 MANAGEMENT: CMD 'log all on'
Sun Dec 07 12:02:11 2014 MANAGEMENT: CMD 'hold off'
Sun Dec 07 12:02:11 2014 MANAGEMENT: CMD 'hold release'
Sun Dec 07 12:02:15 2014 MANAGEMENT: CMD 'password [...]'
Sun Dec 07 12:02:15 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Dec 07 12:02:15 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Dec 07 12:02:15 2014 UDPv4 link local: [undef]
Sun Dec 07 12:02:15 2014 UDPv4 link remote: [AF_INET]123.123.123.123:1194
Sun Dec 07 12:02:15 2014 MANAGEMENT: >STATE:1234567890,WAIT,,,
Sun Dec 07 12:02:15 2014 MANAGEMENT: >STATE:1234567890,AUTH,,,
Sun Dec 07 12:02:15 2014 TLS: Initial packet from [AF_INET]123.123.123.123:1194, sid=0b789db7 a22f587e
Sun Dec 07 12:02:17 2014 VERIFY OK: depth=1, /C=XY/ST=State/L=City/O=XYZW_Company/OU ... n@xyzw.com
Sun Dec 07 12:02:17 2014 VERIFY OK: nsCertType=SERVER
Sun Dec 07 12:02:17 2014 VERIFY X509NAME OK: /C=XY/ST=State/O=XYZW_Company/OU=IT/CN=123.123.123.123
Sun Dec 07 12:02:17 2014 VERIFY OK: depth=0, /C=XY/ST=State/O=XYZW_Company/OU=IT/CN=123.123.123.123
Sun Dec 07 12:02:24 2014 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec 07 12:02:24 2014 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Dec 07 12:02:24 2014 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Sun Dec 07 12:02:24 2014 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Sun Dec 07 12:02:24 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Dec 07 12:02:24 2014 [123.123.123.123] Peer Connection Initiated with [AF_INET]123.123.123.123:1194
Sun Dec 07 12:02:25 2014 MANAGEMENT: >STATE:0987654321,GET_CONFIG,,,
Sun Dec 07 12:02:27 2014 SENT CONTROL [123.123.123.123]: 'PUSH_REQUEST' (status=1)
Sun Dec 07 12:02:27 2014 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DOMAIN domain.domain,dhcp-option DNS 10.10.10.16,dhcp-option WINS 10.10.10.10,route 192.168.3.1,topology net30,ping 10,ping-restart 60,route 10.10.10.0 255.255.255.0,ifconfig 192.168.4.2 192.168.4.1'
Sun Dec 07 12:02:27 2014 OPTIONS IMPORT: timers and/or timeouts modified
Sun Dec 07 12:02:27 2014 OPTIONS IMPORT: --ifconfig/up options modified
Sun Dec 07 12:02:27 2014 OPTIONS IMPORT: route options modified
Sun Dec 07 12:02:27 2014 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Dec 07 12:02:27 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Dec 07 12:02:27 2014 MANAGEMENT: >STATE:0987654321,ASSIGN_IP,,192.168.4.2,
Sun Dec 07 12:02:27 2014 open_tun, tt->ipv6=0
Sun Dec 07 12:02:27 2014 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{4325FE76-00AE-4F9E-88B1-0E44AFCF9B0C}.tap
Sun Dec 07 12:02:27 2014 TAP-Windows Driver Version 9.21
Sun Dec 07 12:02:27 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.4.2/255.255.255.252 on interface {4325FE76-00AE-4F9E-88B1-0E44AFCF9B0C} [DHCP-serv: 192.168.4.1, lease-time: 31536000]
Sun Dec 07 12:02:27 2014 Successful ARP Flush on interface [18] {4325FE76-00AE-4F9E-88B1-0E44AFCF9B0C}
Sun Dec 07 12:02:32 2014 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Sun Dec 07 12:02:32 2014 MANAGEMENT: >STATE:5432106789,ADD_ROUTES,,,
Sun Dec 07 12:02:32 2014 C:\WINDOWS\system32\route.exe ADD 192.168.3.1 MASK 255.255.255.255 192.168.4.1
Sun Dec 07 12:02:32 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun Dec 07 12:02:32 2014 Route addition via IPAPI succeeded [adaptive]
Sun Dec 07 12:02:32 2014 C:\WINDOWS\system32\route.exe ADD 10.10.10.0 MASK 255.255.255.0 192.168.4.1
Sun Dec 07 12:02:32 2014 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Sun Dec 07 12:02:32 2014 Route addition via IPAPI succeeded [adaptive]
Sun Dec 07 12:02:32 2014 Initialization Sequence Completed
Sun Dec 07 12:02:32 2014 MANAGEMENT: >STATE:5432106789,CONNECTED,SUCCESS,192.168.4.2,123.123.123.123

IPFire route table:

Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
0.0.0.0        123.123.123.129  0.0.0.0        UG    0      0        0 red0
10.10.10.0      0.0.0.0        255.255.255.0  U    0      0        0 green0
192.168.1.0    0.0.0.0        255.255.255.0  U    0      0        0 orange0
192.168.2.0    0.0.0.0        255.255.255.0  U    0      0        0 blue0
192.168.3.0    192.168.3.2    255.255.255.0  UG    0      0        0 tun0
192.168.3.2    0.0.0.0        255.255.255.255 UH    0      0        0 tun0
192.168.4.0    192.168.3.2    255.255.255.252 UG    0      0        0 tun0
192.168.5.0    192.168.3.2    255.255.255.252 UG    0      0        0 tun0
192.168.6.0    192.168.3.2    255.255.255.252 UG    0      0        0 tun0
192.168.7.0    192.168.3.2    255.255.255.252 UG    0      0        0 tun0
192.168.8.0    192.168.3.2    255.255.255.252 UG    0      0        0 tun0
123.123.123.0    0.0.0.0        255.255.255.0  U    0      0        0 red0

Windows 8.1 client route table:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway      Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100    20
      10.10.10.0    255.255.255.0      192.168.3.1      192.168.4.2    21
      10.10.10.0    255.255.255.0      192.168.4.1      192.168.4.2    20
        127.0.0.0        255.0.0.0        On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255        On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255        On-link        127.0.0.1    306
      192.168.1.0    255.255.255.0        On-link    192.168.1.100    276
    192.168.1.100  255.255.255.255        On-link    192.168.1.100    276
    192.168.1.255  255.255.255.255        On-link    192.168.1.100    276
      192.168.3.1  255.255.255.255      192.168.4.1      192.168.4.2    20
      192.168.4.0  255.255.255.252        On-link      192.168.4.2    276
      192.168.4.2  255.255.255.255        On-link      192.168.4.2    276
      192.168.4.3  255.255.255.255        On-link      192.168.4.2    276
        224.0.0.0        240.0.0.0        On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0        On-link      192.168.4.2    276
        224.0.0.0        240.0.0.0        On-link    192.168.1.100    276
  255.255.255.255  255.255.255.255        On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255        On-link      192.168.4.2    276
  255.255.255.255  255.255.255.255        On-link    192.168.1.100    276
===========================================================================
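As an added example (not part of the original post), here is the longest-prefix route selection that both Windows and Linux perform, run over the relevant rows transcribed from the two tables above: it shows which of the two 10.10.10.0/24 routes the client actually uses, flags the duplicated prefix, and confirms that IPFire has a return route for 192.168.4.2. Interface names and metrics are taken from the tables; everything else is assumed.

```python
import ipaddress

# Route entries transcribed from the two tables posted above:
# (destination, netmask, gateway, metric). Gateway "On-link"/"0.0.0.0"
# means the prefix is directly attached to the interface.
WINDOWS_CLIENT_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", 20),
    ("10.10.10.0", "255.255.255.0", "192.168.3.1", 21),
    ("10.10.10.0", "255.255.255.0", "192.168.4.1", 20),
    ("192.168.1.0", "255.255.255.0", "On-link", 276),
    ("192.168.3.1", "255.255.255.255", "192.168.4.1", 20),
    ("192.168.4.0", "255.255.255.252", "On-link", 276),
]
IPFIRE_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "123.123.123.129", 0),        # red0
    ("10.10.10.0", "255.255.255.0", "0.0.0.0", 0),        # green0
    ("192.168.3.0", "255.255.255.0", "192.168.3.2", 0),   # tun0
    ("192.168.4.0", "255.255.255.252", "192.168.3.2", 0), # tun0
]

def lookup(routes, dst):
    """Pick the route a host uses for dst: longest prefix wins, ties are
    broken by the lowest metric. Returns (prefix, gateway) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, metric in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst in net:
            key = (net.prefixlen, -metric)   # larger key = more specific, cheaper
            if best is None or key > best[0]:
                best = (key, str(net), gw)
    return (best[1], best[2]) if best else None

def overlapping_prefixes(routes):
    """Prefixes listed more than once with different gateways; only the
    lowest-metric copy is ever used, the other one is dead weight."""
    seen = {}
    for dest, mask, gw, _ in routes:
        net = str(ipaddress.ip_network(f"{dest}/{mask}", strict=False))
        seen.setdefault(net, set()).add(gw)
    return {net: sorted(gws) for net, gws in seen.items() if len(gws) > 1}

def round_trip(client_routes, server_routes, client_ip, target):
    """Next hop the client picks for target, and the next hop the server
    picks for the reply back to the client's tunnel address."""
    return lookup(client_routes, target), lookup(server_routes, client_ip)
```

With these tables the client sends 10.10.10.x traffic to 192.168.4.1 (metric 20 beats 21) and IPFire routes the reply to 192.168.4.2 via tun0, so the kernel tables alone do not explain the failure.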

o1e9
Posts: 1
Joined: May 19th, 2017, 3:55 pm

Re: OpenVPN client does not have access to the green side.

Post by o1e9 » May 19th, 2017, 4:15 pm

Hi,

It seems the problem remains on the Core 110 release. I have routing set on the client to the gateway via IPFire to the GREEN zone; however, I cannot access it. The OpenVPN connection works all right from both Ubuntu and Windows 7 clients; I can see the IPFire gateway and access it, but no GREEN zone, even though routing says I have it. I do not have DHCP on IPFire because the AD server is in the green zone with DHCP activated; I am not sure whether DHCP may create any issues with routing.

An alternative issue may exist with the iptables settings, so that my packets are bounced even though I have an active OpenVPN connection.

Any ideas?

UPDATE: I can see the GREEN zone; however, I can access only 4 IPs from it. It seems like some issue with NATing to me. The GREEN zone IP of the IPFire device is 10.54.54.18; however, I can ping and access only devices in the range 10.54.54.16-19; the rest of the network is not available at all.

How can I check whether iptables has everything it needs to route and NAT from the OpenVPN virtual net to the GREEN zone and back? What should I look for in iptables -S/-L?
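As an added example (not from this thread or from IPFire), a small evaluator for the iptables -S question: it walks the FORWARD chain for one tun0-to-green0 packet the way netfilter does and returns the verdict, so you can see which rule accepts or rejects a given destination. The ruleset is constructed and only reproduces the symptom above (only 10.54.54.16/30 reachable); IPFire's real chains use their own names, so on the firewall you would feed in its actual iptables -S output. Only -i/-o/-s/-d/--ctstate are evaluated, every option is assumed to take one argument, and negation (!) is not handled.

```python
import ipaddress
import shlex

# Constructed ruleset in `iptables -S` syntax (not IPFire's real chains). It
# reproduces the symptom above: only 10.54.54.16/30 is reachable from the tunnel.
SAMPLE_RULES = """\
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i tun0 -j OVPNFW
-A FORWARD -i green0 -o red0 -j ACCEPT
-A OVPNFW -s 10.101.0.0/24 -d 10.54.54.16/30 -j ACCEPT
-A OVPNFW -j REJECT --reject-with icmp-port-unreachable
"""

def parse_rules(text):
    # Split `iptables -S` output into {chain: [rule tokens]} and {chain: policy}.
    chains, policies = {}, {}
    for line in text.splitlines():
        toks = shlex.split(line)
        if toks and toks[0] == "-P":
            policies[toks[1]] = toks[2]
        elif toks and toks[0] == "-A":
            chains.setdefault(toks[1], []).append(toks[2:])
    return chains, policies

def _in(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def verdict(chains, policies, chain, pkt):
    """Walk a chain like netfilter: the first matching terminal target wins, user
    chains are followed, and end-of-chain yields the policy (or RETURN)."""
    for toks in chains.get(chain, []):
        o = dict(zip(toks[::2], toks[1::2]))          # flag -> value
        if o.get("-i", pkt["in"]) != pkt["in"] or o.get("-o", pkt["out"]) != pkt["out"]:
            continue
        if ("-s" in o and not _in(pkt["src"], o["-s"])) or ("-d" in o and not _in(pkt["dst"], o["-d"])):
            continue
        if "--ctstate" in o and pkt["state"] not in o["--ctstate"].split(","):
            continue
        target = o.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return target
        if target in chains:                           # user-defined chain: recurse
            v = verdict(chains, policies, target, pkt)
            if v != "RETURN":
                return v
    return policies.get(chain, "RETURN")

def forward_verdict(rules_text, in_if, out_if, src, dst, state="NEW"):
    # Verdict the FORWARD chain gives one packet, e.g. tun0 -> green0.
    chains, policies = parse_rules(rules_text)
    pkt = {"in": in_if, "out": out_if, "src": src, "dst": dst, "state": state}
    return verdict(chains, policies, "FORWARD", pkt)
```

Run it for a destination inside and outside the permitted /30 and for the ESTABLISHED reply direction; a REJECT or policy DROP for a new packet points at the firewall rules, not at routing.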
