Date: Sat, 26 Aug 2017 14:02:54 -0700
From: Ultima <ultima1252@gmail.com>
To: Fongaboo <freebsd@fongaboo.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)
Message-ID: <CANJ8om5Mncup-H+G6K+0Y2YhD9Wf53KZ0X1Vb6rReXnGfBxV+Q@mail.gmail.com>
In-Reply-To: <CANJ8om6ASJwqvpwta7f8MyNfa22XqhjBK7oVk1O5JuKW_E6ePA@mail.gmail.com>
References: <alpine.BSF.2.20.1708260858410.50226@h4lix.wtfayla.net>
 <CA+tpaK3yo1GYBc+62=+NoRuEFPgoZjaPEdW7KgxqX_hiQ6npZw@mail.gmail.com>
 <alpine.BSF.2.20.1708261601320.50226@h4lix.wtfayla.net>
 <CANJ8om6ASJwqvpwta7f8MyNfa22XqhjBK7oVk1O5JuKW_E6ePA@mail.gmail.com>
Also, I forgot to add, pf.conf or ipfw.conf.

On Sat, Aug 26, 2017 at 2:00 PM, Ultima <ultima1252@gmail.com> wrote:
> Please post the following which will help debug this, obscure public
> ip/macs as needed.
> ifconfig
> netstat -nr
> openvpn.log (verb=1 should be good enough, may need higher later)
> openvpn.conf
> tcpdump -i xn0
> tcpdump -i tun0
> rc.conf
>
> This information should be enough to figure out the issue you are having.
> If you have listed some of this information previously, still please dump
> it in the same email as you keep changing your configuration.
>
> On Sat, Aug 26, 2017 at 1:12 PM, Fongaboo <freebsd@fongaboo.com> wrote:
>
>> I switched from IPFW to PF to try the config described here:
>>
>> https://forums.freebsd.org/threads/59223/#post-339781
>>
>> /var/log/pflog is a tcpdump file. If I run tcpdump -r /var/log/pflog, I
>> get:
>>
>> tcpdump -r /var/log/pflog
>>
>> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
>> 18:06:01.613027 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:06:03.971339 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:06:08.675294 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:06:17.278446 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:06:33.344992 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:02.691919 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:05.261983 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:08.931149 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:17.402740 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:32.635587 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:22:20.921185 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 4035284244, ack 1027120871, win 65535, length 0
>> 18:23:24.940182 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:24:28.983673 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:25:33.030676 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:26:37.046672 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:27:41.086657 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:28:45.098661 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:29:49.131903 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:30:53.149655 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [R.], seq 1, ack 1, win 65535, length 0
>> 18:33:50.511601 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
>> 18:33:50.723636 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
>> 18:33:51.148137 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
>> 18:33:53.262119 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
>> 18:54:37.515017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:54:39.561270 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:54:43.638084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:54:52.017993 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:08.264719 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:42.101742 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:44.380150 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:47.824354 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:56.645017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:56:11.651346 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 19:03:15.099495 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 1970151435, ack 1289455849, win 1041, length 0
>> 19:04:19.102813 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
>> 19:05:23.117498 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
>>
>> Running tcpdump then connecting client:
>>
>> tcpdump | grep openvpn
>>
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on xn0, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 20:04:17.710245 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 509
>> 20:04:18.553458 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:18.553557 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 53
>> 20:04:18.618648 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
>> 20:04:18.675979 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:18.681394 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
>> 20:04:18.761257 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:18.809412 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.175102 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.409976 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:19.409994 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:19.410001 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:19.410081 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:19.410084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.410085 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.410106 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.802659 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 85
>> 20:04:22.129320 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 20:04:22.129470 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 26
>> 20:04:22.177060 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.182265 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 203
>> 20:04:22.189218 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 126
>> 20:04:22.189240 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.189249 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.189276 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.233404 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.233419 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.233603 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.237922 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.237927 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.237964 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.237977 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.237987 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.271936 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.272042 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.276420 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>>
>>
>> On Sat, 26 Aug 2017, Adam Vande More wrote:
>>
>> On Sat, Aug 26, 2017 at 8:03 AM, Fongaboo <freebsd@fongaboo.com> wrote:
>>>
>>>> I'm following this tutorial:
>>>>
>>>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
>>>>
>>>> Trying this on an AWS instance first and then planning to try on a bare
>>>> metal colo server.
>>>>
>>>> OpenVPN client and daemon seem to be working, in terms of handshaking
>>>> and connecting with each other. Problem is, no matter what I do,
>>>> connected clients can't get out to the Internet through the server's
>>>> gateway interface.
>>>>
>>>> I've tried setting up NATD, like the tutorial instructs. I've tried
>>>> enabling ipfw_nat as described in this comment:
>>>>
>>>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498
>>>>
>>>> rc.conf (for NATD):
>>>>
>>>> #enable firewall
>>>> firewall_enable="YES"
>>>> firewall_script="/usr/local/etc/ipfw.rules"
>>>> firewall_type="open"
>>>>
>>>> gateway_enable="YES"
>>>> natd_enable="YES"
>>>> natd_interface="xn0"
>>>> natd_flags="-dynamic -m"
>>>>
>>>> rc.conf (revised for ipfw_nat):
>>>>
>>>> #enable firewall
>>>> firewall_enable="YES"
>>>> firewall_script="/usr/local/etc/ipfw.rules"
>>>> firewall_type="open"
>>>> firewall_nat_enable="YES"
>>>> firewall_nat_interface="xn0"
>>>>
>>>> gateway_enable="YES"
>>>> #natd_enable="YES"
>>>> #natd_interface="xn0"
>>>> #natd_flags="-dynamic -m"
>>>>
>>>> *xn0 = external interface of the server
>>>>
>>>> Neither config allows Internet access. I have this line enabled in
>>>> /usr/local/etc/openvpn/openvpn.conf:
>>>>
>>>> push "redirect-gateway def1 bypass-dhcp"
>>>>
>>>> Perhaps this is part of the solution?:
>>>>
>>>> # Configure server mode for ethernet bridging
>>>> # using a DHCP-proxy, where clients talk
>>>> # to the OpenVPN server-side DHCP server
>>>> # to receive their IP address allocation
>>>> # and DNS server addresses. You must first use
>>>> # your OS's bridging capability to bridge the TAP
>>>> # interface with the ethernet NIC interface.
>>>> # Note: this mode only works on clients (such as
>>>> # Windows), where the client-side TAP adapter is
>>>> # bound to a DHCP client.
>>>> ;server-bridge
>>>>
>>>> Any advice would be appreciated. I'm willing to try any combination of
>>>> ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to
>>>> see the WAN. TIA!
>>>>
>>>>
>>> tcpdump and ipfw logs.
>>>
>>> --
>>> Adam
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
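Ultima asks for captures from both xn0 and tun0 because the xn0 trace above only shows the OpenVPN control channel; whether client traffic gets NATed out can only be seen by correlating the two. The following script is an added example, not code posted by anyone in this thread: it parses one-line tcpdump output (assumes "tcpdump -n" so hosts are numeric, and the tutorial's 10.8.0.0/24 tunnel network) and reports, per client flow seen on tun0, whether the same destination appears on xn0 rewritten to the server's address. The sample captures and the 172.31.20.7 / 203.0.113.9 addresses are constructed.

```python
"""Correlate "tcpdump -n -i tun0" with "tcpdump -n -i xn0" to see whether traffic
entering the tunnel leaves the external interface rewritten to the server's address.
Added example, not from the thread; assumes -n output and the tutorial's 10.8.0.0/24."""
import ipaddress
import re
# "HH:MM:SS.usec IP src.sport > dst.dport: ..." (the port is the last dotted part)
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>[^:]+):")

def parse_flows(capture):
    """Set of (src, dst, dport) seen in a capture; IPv6 and non-IP lines are skipped."""
    flows = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.add((m["src"], m["dst"], m["dport"]))
    return flows

def _in_net(host, net):
    try:
        return ipaddress.ip_address(host) in net
    except ValueError:  # a hostname, not an address: capture with tcpdump -n
        return False

def nat_report(tun_capture, xn_capture, server_ip, tunnel_net="10.8.0.0/24"):
    """Map each client flow (tunnel address -> outside host) seen on tun0 to True if
    the same destination:port shows up on xn0 with server_ip as source, else False.
    False means the packet reached the server but NAT (natd, ipfw nat or pf) never
    rewrote and forwarded it, so the OpenVPN handshake itself is not the problem."""
    net = ipaddress.ip_network(tunnel_net)
    xn_flows = parse_flows(xn_capture)
    report = {}
    for src, dst, dport in parse_flows(tun_capture):
        if not _in_net(src, net) or _in_net(dst, net):
            continue  # replies to the client, or traffic staying inside the tunnel
        report[(src, dst, dport)] = (server_ip, dst, dport) in xn_flows
    return report

# Constructed sample captures (documentation addresses): client 10.8.0.6 tries HTTP and DNS.
TUN0_SAMPLE = """\
20:04:25.100001 IP 10.8.0.6.51234 > 198.51.100.10.80: Flags [S], seq 1, win 65535, length 0
20:04:25.100002 IP 10.8.0.6.40000 > 198.51.100.53.53: 12345+ A? example.com. (29)
20:04:25.100003 IP 10.8.0.1.80 > 10.8.0.6.51234: Flags [R.], seq 0, ack 1, win 0, length 0
"""
# On xn0 only the HTTP flow appears, rewritten to the server's EC2 private address.
XN0_SAMPLE = """\
20:04:25.100004 IP 203.0.113.9.1194 > 172.31.20.7.1194: UDP, length 93
20:04:25.100005 IP 172.31.20.7.51234 > 198.51.100.10.80: Flags [S], seq 1, win 65535, length 0
"""
```

Calling nat_report(TUN0_SAMPLE, XN0_SAMPLE, "172.31.20.7") marks the HTTP flow True and the DNS flow False; a False entry is the symptom to chase in the NAT rules rather than in openvpn.conf.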