From: Ultima
Date: Sat, 26 Aug 2017 14:00:42 -0700
Subject: Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
To: Fongaboo
Cc: FreeBSD Questions

Please post the following, which will help debug this (obscure public IPs/MACs as needed):

ifconfig
netstat -nr
openvpn.log (verb=1 should be good enough, may need higher later)
openvpn.conf
tcpdump -i xn0
tcpdump -i tun0
rc.conf

This information should be enough to figure out the issue you are having. If you have listed some of this information previously, still please dump it in the same email, as you keep changing your configuration.

On Sat, Aug 26, 2017 at 1:12 PM, Fongaboo wrote:
>
> I switched from IPFW to PF to try the config described here:
>
> https://forums.freebsd.org/threads/59223/#post-339781
>
>
> /var/log/pflog is a tcpdump file.
> If I run tcpdump -r /var/log/pflog, I get:
>
> tcpdump -r /var/log/pflog
>
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> 18:06:01.613027 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:06:03.971339 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:06:08.675294 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:06:17.278446 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:06:33.344992 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:12:02.691919 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:12:05.261983 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:12:08.931149 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:12:17.402740 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:12:32.635587 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:22:20.921185 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 4035284244, ack 1027120871, win 65535, length 0
> 18:23:24.940182 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:24:28.983673 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:25:33.030676 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:26:37.046672 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:27:41.086657 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:28:45.098661 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:29:49.131903 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:30:53.149655 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [R.], seq 1, ack 1, win 65535, length 0
> 18:33:50.511601 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
> 18:33:50.723636 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
> 18:33:51.148137 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
> 18:33:53.262119 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
> 18:54:37.515017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:54:39.561270 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:54:43.638084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:54:52.017993 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:55:08.264719 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:55:42.101742 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:55:44.380150 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:55:47.824354 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:55:56.645017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:56:11.651346 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 19:03:15.099495 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 1970151435, ack 1289455849, win 1041, length 0
> 19:04:19.102813 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
> 19:05:23.117498 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
>
>
> Running tcpdump then connecting client:
>
> tcpdump | grep openvpn
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on xn0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 20:04:17.710245 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 509
> 20:04:18.553458 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
> 20:04:18.553557 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 53
> 20:04:18.618648 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
> 20:04:18.675979 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
> 20:04:18.681394 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
> 20:04:18.761257 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
> 20:04:18.809412 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
> 20:04:19.175102 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
> 20:04:19.409976 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
> 20:04:19.409994 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
> 20:04:19.410001 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
> 20:04:19.410081 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
> 20:04:19.410084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
> 20:04:19.410085 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
> 20:04:19.410106 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
> 20:04:19.802659 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 85
> 20:04:22.129320 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 20:04:22.129470 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 26
> 20:04:22.177060 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
> 20:04:22.182265 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 203
> 20:04:22.189218 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 126
> 20:04:22.189240 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.189249 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.189276 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.233404 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
> 20:04:22.233419 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
> 20:04:22.233603 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.237922 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
> 20:04:22.237927 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
> 20:04:22.237964 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.237977 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.237987 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.271936 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
> 20:04:22.272042 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.276420 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>
>
>
> On Sat, 26 Aug 2017, Adam Vande More wrote:
>
> On Sat, Aug 26, 2017 at 8:03 AM, Fongaboo wrote:
>>
>>
>>> I'm following this tutorial:
>>>
>>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
>>>
>>> Trying this on an AWS instance first and then planning to try on a bare metal colo server.
>>>
>>> OpenVPN client and daemon seem to be working, in terms of handshaking and connecting with each other. Problem is, no matter what I do, connected clients can't get out to the Internet through the server's gateway interface.
>>>
>>> I've tried setting up NATD, like the tutorial instructs. I've tried enabling ipfw_nat as described in this comment:
>>>
>>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498
>>>
>>> rc.conf (for NATD):
>>>
>>> #enable firewall
>>> firewall_enable="YES"
>>> firewall_script="/usr/local/etc/ipfw.rules"
>>> firewall_type="open"
>>>
>>> gateway_enable="YES"
>>> natd_enable="YES"
>>> natd_interface="xn0"
>>> natd_flags="-dynamic -m"
>>>
>>> rc.conf (revised for ipfw_nat):
>>>
>>> #enable firewall
>>> firewall_enable="YES"
>>> firewall_script="/usr/local/etc/ipfw.rules"
>>> firewall_type="open"
>>> firewall_nat_enable="YES"
>>> firewall_nat_interface="xn0"
>>>
>>> gateway_enable="YES"
>>> #natd_enable="YES"
>>> #natd_interface="xn0"
>>> #natd_flags="-dynamic -m"
>>>
>>> *xn0 = external interface of the server
>>>
>>> Neither config allows Internet access. I have this line enabled in /usr/local/etc/openvpn/openvpn.conf:
>>>
>>> push "redirect-gateway def1 bypass-dhcp"
>>>
>>> Perhaps this is part of the solution?:
>>>
>>> # Configure server mode for ethernet bridging
>>> # using a DHCP-proxy, where clients talk
>>> # to the OpenVPN server-side DHCP server
>>> # to receive their IP address allocation
>>> # and DNS server addresses. You must first use
>>> # your OS's bridging capability to bridge the TAP
>>> # interface with the ethernet NIC interface.
>>> # Note: this mode only works on clients (such as
>>> # Windows), where the client-side TAP adapter is
>>> # bound to a DHCP client.
>>> ;server-bridge
>>>
>>> Any advice would be appreciated. I'm willing to try any combination of ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to see the WAN. TIA!
>>>
>>>
>> tcpdump and ipfw logs.
>>
>> --
>> Adam
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
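As an added example (not from the thread or from any of its posters), a small Python helper that tabulates tcpdump text of the shape quoted above into per-host-pair flow counts and lists the flows that never got a reply, which is the first thing to compare between the xn0 and tun0 captures Ultima asked for. The sample lines are constructed in the thread's format, reusing the host names as the poster obscured them.

```python
import re
from collections import Counter

# One-line tcpdump text in the shape quoted in the thread:
#   18:06:01.613027 IP a.openvpn > b.openvpn: UDP, length 14
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

# Constructed sample (host names as obscured in the thread); the first line is
# tcpdump's own banner and must be skipped rather than parsed.
SAMPLE = """\
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
18:06:01.613027 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:03.971339 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:22:20.921185 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
18:33:50.511601 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
20:04:18.553557 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 53
""".splitlines()

def host_of(endpoint):
    """'host.port' -> host; IPv6 literals such as '::' carry no port suffix."""
    host, dot, _port = endpoint.rpartition(".")
    return host if dot else endpoint

def parse_line(line):
    """Return {src, dst, proto, length} for a packet line, None for banners."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("UDP"):
        proto = "UDP"
    elif rest.startswith("Flags"):  # tcpdump prints TCP as 'Flags [..], seq ...'
        proto = "TCP"
    else:
        proto = rest.split(",")[0]  # e.g. 'HBH ICMP6'
    length = re.search(r"length (\d+)", rest)
    return {"src": host_of(m.group("src")), "dst": host_of(m.group("dst")),
            "proto": proto, "length": int(length.group(1)) if length else 0}

def flow_counts(lines):
    """Packets per (src, dst, proto) host pair, ignoring ports and banners."""
    counts = Counter()
    for p in filter(None, map(parse_line, lines)):
        counts[(p["src"], p["dst"], p["proto"])] += 1
    return counts

def one_way_flows(counts):
    """Flows with no packet in the reverse direction: the peer never answered,
    or its reply left by a path (other interface, NAT) this capture did not see."""
    return sorted(k for k in counts if (k[1], k[0], k[2]) not in counts)
```

Run it over a real `tcpdump -i tun0` and `tcpdump -i xn0` capture side by side: client traffic that is one-way on tun0 and absent on xn0 points at forwarding or NAT on the server rather than at the OpenVPN handshake.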