From owner-freebsd-questions@freebsd.org Sat Aug 26 21:02:55 2017
From: Ultima
Date: Sat, 26 Aug 2017 14:02:54 -0700
Subject: Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
To: Fongaboo
Cc: FreeBSD Questions
List-Id: User questions

Also, I forgot to add, pf.conf or ipfw.conf.

On Sat, Aug 26, 2017 at 2:00 PM, Ultima wrote:
> Please post the following which will help debug this, obscure public
> ip/macs as needed.
> ifconfig
> netstat -nr
> openvpn.log (verb=1 should be good enough, may need higher later)
> openvpn.conf
> tcpdump -i xn0
> tcpdump -i tun0
> rc.conf
>
> This information should be enough to figure out the issue you are having.
> If you have listed some of this information previously, still please dump
> it in the same email as you keep changing your configuration.
>
> On Sat, Aug 26, 2017 at 1:12 PM, Fongaboo wrote:
>
>> I switched from IPFW to PF to try the config described here:
>>
>> https://forums.freebsd.org/threads/59223/#post-339781
>>
>> /var/log/pflog is a tcpdump file.
>> If I run tcpdump -r /var/log/pflog, I get:
>>
>> tcpdump -r /var/log/pflog
>>
>> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
>> 18:06:01.613027 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:06:03.971339 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:06:08.675294 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:06:17.278446 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:06:33.344992 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:02.691919 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:05.261983 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:08.931149 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:17.402740 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:32.635587 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:22:20.921185 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 4035284244, ack 1027120871, win 65535, length 0
>> 18:23:24.940182 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:24:28.983673 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:25:33.030676 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:26:37.046672 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:27:41.086657 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:28:45.098661 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:29:49.131903 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:30:53.149655 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [R.], seq 1, ack 1, win 65535, length 0
>> 18:33:50.511601 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
>> 18:33:50.723636 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
>> 18:33:51.148137 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
>> 18:33:53.262119 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
>> 18:54:37.515017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:54:39.561270 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:54:43.638084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:54:52.017993 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:08.264719 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:42.101742 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:44.380150 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:47.824354 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:56.645017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:56:11.651346 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 19:03:15.099495 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 1970151435, ack 1289455849, win 1041, length 0
>> 19:04:19.102813 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
>> 19:05:23.117498 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
>>
>>
>> Running tcpdump then connecting client:
>>
>> tcpdump | grep openvpn
>>
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on xn0, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 20:04:17.710245 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 509
>> 20:04:18.553458 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:18.553557 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 53
>> 20:04:18.618648 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
>> 20:04:18.675979 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:18.681394 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
>> 20:04:18.761257 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:18.809412 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.175102 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.409976 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:19.409994 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:19.410001 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:19.410081 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:19.410084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.410085 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.410106 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.802659 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 85
>> 20:04:22.129320 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 20:04:22.129470 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 26
>> 20:04:22.177060 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.182265 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 203
>> 20:04:22.189218 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 126
>> 20:04:22.189240 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.189249 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.189276 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.233404 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.233419 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.233603 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.237922 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.237927 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.237964 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.237977 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.237987 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.271936 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.272042 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.276420 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>>
>>
>>
>> On Sat, 26 Aug 2017, Adam Vande More wrote:
>>
>>> On Sat, Aug 26, 2017 at 8:03 AM, Fongaboo wrote:
>>>
>>>
>>>> I'm following this tutorial:
>>>>
>>>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
>>>>
>>>> Trying this on an AWS instance first and then planning to try on a bare
>>>> metal colo server.
>>>>
>>>> OpenVPN client and daemon seem to be working, in terms of handshaking and
>>>> connecting with each other. Problem is, no matter what I do, connected
>>>> clients can't get out to the Internet through the server's gateway
>>>> interface.
>>>>
>>>> I've tried setting up NATD, like the tutorial instructs. I've tried
>>>> enabling ipfw_nat as described in this comment:
>>>>
>>>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498
>>>>
>>>> rc.conf (for NATD):
>>>>
>>>> #enable firewall
>>>> firewall_enable="YES"
>>>> firewall_script="/usr/local/etc/ipfw.rules"
>>>> firewall_type="open"
>>>>
>>>> gateway_enable="YES"
>>>> natd_enable="YES"
>>>> natd_interface="xn0"
>>>> natd_flags="-dynamic -m"
>>>>
>>>> rc.conf (revised for ipfw_nat):
>>>>
>>>> #enable firewall
>>>> firewall_enable="YES"
>>>> firewall_script="/usr/local/etc/ipfw.rules"
>>>> firewall_type="open"
>>>> firewall_nat_enable="YES"
>>>> firewall_nat_interface="xn0"
>>>>
>>>> gateway_enable="YES"
>>>> #natd_enable="YES"
>>>> #natd_interface="xn0"
>>>> #natd_flags="-dynamic -m"
>>>>
>>>> *xn0 = external interface of the server
>>>>
>>>> Neither config allows Internet access. I have this line enabled in
>>>> /usr/local/etc/openvpn/openvpn.conf:
>>>>
>>>> push "redirect-gateway def1 bypass-dhcp"
>>>>
>>>> Perhaps this is part of the solution?:
>>>>
>>>> # Configure server mode for ethernet bridging
>>>> # using a DHCP-proxy, where clients talk
>>>> # to the OpenVPN server-side DHCP server
>>>> # to receive their IP address allocation
>>>> # and DNS server addresses. You must first use
>>>> # your OS's bridging capability to bridge the TAP
>>>> # interface with the ethernet NIC interface.
>>>> # Note: this mode only works on clients (such as
>>>> # Windows), where the client-side TAP adapter is
>>>> # bound to a DHCP client.
>>>> ;server-bridge
>>>>
>>>> Any advice would be appreciated.
>>>> I'm willing to try any combination of
>>>> ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to
>>>> see the WAN. TIA!
>>>>
>>>>
>>> tcpdump and ipfw logs.
>>>
>>> --
>>> Adam
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
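Editor's added example, not code from the thread, the DigitalOcean tutorial or the FreeBSD forum post: the three pieces a routed (tun) OpenVPN server on FreeBSD needs so that clients reach the Internet through the external NIC, generated by one script, plus a live check. One thing worth knowing about the rc.conf fragments quoted above: when firewall_script points at /usr/local/etc/ipfw.rules, /etc/rc.d/ipfw runs that file instead of /etc/rc.firewall, so firewall_type="open" and firewall_nat_enable="YES" install no rules at all (firewall_nat_enable still makes rc.d/ipfw load ipfw_nat.ko); the nat or divert rule has to be inside the script itself, and the thread never shows that script. Assumptions the thread does not confirm: the external interface is xn0, OpenVPN runs in tun mode with the tutorial's 10.8.0.0/24 subnet, it listens on UDP 1194, and the script name nat-setup.sh is made up.

```shell
#!/bin/sh
# nat-setup.sh (editor's example, hypothetical file name). Prints the files a
# routed OpenVPN server on FreeBSD needs for client Internet access, or runs
# live checks on the host. Assumed layout: NIC xn0, tun mode, 10.8.0.0/24.

EXT_IF="${EXT_IF:-xn0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# /etc/rc.conf lines. firewall_script replaces /etc/rc.firewall entirely, so
# firewall_type and firewall_nat_enable add no rules; the nat rule has to be in
# the script. firewall_nat_enable is still needed: rc.d/ipfw loads ipfw_nat.ko.
gen_rc_conf() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
EOF
}

# /usr/local/etc/ipfw.rules: in-kernel NAT, no natd and no divert socket.
# rc.d/ipfw runs it with /bin/sh, so it is a shell script that calls ipfw.
gen_ipfw_rules() {
    cat <<EOF
#!/bin/sh
fwcmd="/sbin/ipfw -q"
\$fwcmd -f flush
\$fwcmd add 100 allow ip from any to any via lo0
\$fwcmd add 110 deny ip from any to 127.0.0.0/8
# one nat instance bound to the external interface; the rule matches packets
# in both directions on $EXT_IF, so replies are un-translated by the same rule
\$fwcmd nat 1 config if $EXT_IF
\$fwcmd add 200 nat 1 ip4 from any to any via $EXT_IF
\$fwcmd add 65000 allow ip from any to any
EOF
}

# /etc/pf.conf alternative (pf_enable="YES" instead of the firewall_* lines).
# Translation rules must precede filter rules in pf.conf. "block log" sends
# dropped packets to pflog0, which is what /var/log/pflog records.
gen_pf_conf() {
    cat <<EOF
ext_if="$EXT_IF"
vpn_net="$VPN_NET"
set skip on lo0
nat on \$ext_if inet from \$vpn_net to any -> (\$ext_if)
block log all
pass in quick on \$ext_if inet proto udp to (\$ext_if) port 1194 keep state
pass in quick on \$ext_if inet proto tcp to (\$ext_if) port 22 keep state
pass in quick on tun0 inet from \$vpn_net keep state
pass out quick on tun0 keep state
pass out quick on \$ext_if keep state
EOF
}

# Live checks, meaningful only on the FreeBSD host itself.
verify_host() {
    echo "net.inet.ip.forwarding=$(sysctl -n net.inet.ip.forwarding)"
    kldstat -q -m ipfw_nat && echo "ipfw_nat loaded" || echo "ipfw_nat NOT loaded"
    ipfw list 2>/dev/null | grep ' nat ' || echo "no ipfw nat rule installed"
    pfctl -s nat 2>/dev/null | grep '^nat ' || echo "no pf nat rule installed"
    ifconfig tun0 inet 2>/dev/null | grep inet || echo "tun0 has no IPv4 address"
}

case "${1:-}" in
    rc.conf) gen_rc_conf ;;
    ipfw)    gen_ipfw_rules ;;
    pf)      gen_pf_conf ;;
    verify)  verify_host ;;
esac
```

Run `sh nat-setup.sh ipfw > /usr/local/etc/ipfw.rules` (or `sh nat-setup.sh pf > /etc/pf.conf` with pf_enable="YES" in place of the firewall_* lines), restart the firewall, then `sh nat-setup.sh verify` on the host: forwarding must print 1 and a nat rule must be listed, otherwise no client packet is going to leave xn0 no matter what OpenVPN does. With the pf variant, `tcpdump -n -e -r /var/log/pflog` prints the rule number and action (block or pass) in front of every packet, which answers which rule wrote the 14-byte OpenVPN entries in the pflog dump above instead of guessing; their 2, 4, 8, 16 second spacing is consistent with a client retrying its initial hard-reset packet.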
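Editor's added example, not from the thread: a small triage for the captures Ultima asks for. It reads `tcpdump -n` output taken on xn0 or tun0 while the connected VPN client pings one fixed address and reports which failure mode fits: nothing inside the tunnel at all, forwarding on but the nat rule not matching (packets leave xn0 with a 10.8.0.x source), NAT translating but no replies, or NAT working. Assumed: the layout from the thread (xn0, tun0, UDP 1194), the tutorial's 10.8.0.0/24 subnet, and a numeric capture (`-n`). The embedded sample captures are constructed from RFC 5737 addresses; 172.31.5.20 stands in for the EC2 private address the thread shows as ip-aws-private-ip.ec2.internal, which is what a capture on xn0 sees.

```shell
#!/bin/sh
# Editor's example: classify a "tcpdump -n" capture from an OpenVPN/NAT gateway.
# Assumed layout (from the thread): NIC xn0, tunnel tun0, OpenVPN on UDP 1194.

# triage_capture IFACE SERVER_ADDR VPN_PREFIX TARGET FILE
#   IFACE       interface the capture was taken on (xn0 or tun0)
#   SERVER_ADDR address of IFACE on the server (source after translation)
#   VPN_PREFIX  dotted prefix of the VPN subnet, e.g. "10.8.0."
#   TARGET      address the VPN client was pinging during the capture
#   FILE        output of "tcpdump -n -i IFACE"
triage_capture() {
    awk -v iface="$1" -v srv="$2" -v vpn="$3" -v target="$4" '
        BEGIN { ovpn = vpnsrc = natout = natback = 0 }
        # addr is "1.2.3.4" or "1.2.3.4.port"; compare the host part only
        function is_host(addr, ip) { return addr == ip || index(addr, ip ".") == 1 }
        # tcpdump -n line: "HH:MM:SS.usec IP src[.port] > dst[.port]: ..."
        $2 == "IP" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            # the OpenVPN transport itself (".openvpn" when tcpdump resolves names)
            if (src ~ /\.(1194|openvpn)$/ || dst ~ /\.(1194|openvpn)$/) { ovpn++; next }
            if (index(src, vpn) == 1)                      { vpnsrc++; next }
            if (is_host(src, srv) && is_host(dst, target)) { natout++; next }
            if (is_host(src, target) && is_host(dst, srv)) { natback++; next }
        }
        END {
            if (iface == "tun0") {
                if (vpnsrc == 0) print "tun0: no client packets in the tunnel; check openvpn.log and the routes pushed by redirect-gateway"
                else print "tun0: " vpnsrc " client packets entered the tunnel; capture xn0 next"
            } else if (vpnsrc > 0) {
                print iface ": " vpnsrc " packets left with a " vpn " source; forwarding works but NAT is not translating"
            } else if (natout > 0 && natback == 0) {
                print iface ": " natout " translated packets left, no replies; NAT works, the return path does not"
            } else if (natout > 0) {
                print iface ": NAT works (" natout " out, " natback " back); look beyond NAT, e.g. DNS"
            } else {
                print iface ": only OpenVPN transport (" ovpn " packets); nothing forwarded, check net.inet.ip.forwarding and the nat rule"
            }
        }' "$5"
}

# Constructed samples. 203.0.113.10 is the client, 172.31.5.20 the EC2 private
# address on xn0, 198.51.100.1 the ping target.
sample_xn0_handshake_only() {
    cat <<'EOF'
20:04:17.710245 IP 203.0.113.10.1194 > 172.31.5.20.1194: UDP, length 509
20:04:18.553557 IP 172.31.5.20.1194 > 203.0.113.10.1194: UDP, length 53
20:04:22.129320 IP 203.0.113.10.1194 > 172.31.5.20.1194: UDP, length 14
20:04:22.129470 IP 172.31.5.20.1194 > 203.0.113.10.1194: UDP, length 26
EOF
}
sample_xn0_no_nat() {
    cat <<'EOF'
20:05:01.000001 IP 10.8.0.6 > 198.51.100.1: ICMP echo request, id 1, seq 1, length 64
20:05:02.000001 IP 10.8.0.6 > 198.51.100.1: ICMP echo request, id 1, seq 2, length 64
EOF
}
sample_xn0_nat_ok() {
    cat <<'EOF'
20:06:01.000001 IP 172.31.5.20 > 198.51.100.1: ICMP echo request, id 1, seq 1, length 64
20:06:01.010001 IP 198.51.100.1 > 172.31.5.20: ICMP echo reply, id 1, seq 1, length 64
EOF
}

if [ $# -eq 5 ]; then triage_capture "$@"; fi
```

Usage on the server: `tcpdump -n -i xn0 -w - | tcpdump -n -r - > xn0.txt` (or plain `tcpdump -n -i xn0 > xn0.txt`) while the client pings the target, then `sh triage.sh xn0 <xn0-address> 10.8.0. <target> xn0.txt`, and the same on tun0 with the tun0 address. Pick a target the server itself never talks to, or add `not port 22` to the tcpdump filter, since the server's own traffic to that address is indistinguishable from translated client traffic by source address alone. The no-NAT verdict is the one the thread's rc.conf fragments most easily produce: gateway_enable turns forwarding on, but a nat rule that never gets installed leaves the 10.8.0.x source on the wire.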