Overclock.net › Forums › Software, Programming and Coding › Networking & Security › [SOLVED] OpenVPN Client Blocks Inbound Ports

[SOLVED] OpenVPN Client Blocks Inbound Ports

post #1 of 26
Thread Starter 
I have a fairly standard setup of Internet connection, router and workstation. The workstation runs Ubuntu 10.04, and has an SSH daemon running. I forward port 22 on the router to the workstation, enabling me to access my workstation remotely.

However, if I start up an OpenVPN client on my workstation, all of a sudden the port forwarding fails. The public IP of my router is static, so that's not the issue. The private IP of my workstation - 192.168.1.253 on interface eth0 - is also static, so that's not the issue either.

When the OpenVPN client makes its connection, it allocates the address 10.1.1.94 to interface tun0.

As long as the OpenVPN client is not running, the forwarded port is accessible. As soon as the OpenVPN client runs, it seems that the forwarding is blocked in some way.

Is tun0 "sitting in front of" eth0, and thereby blocking the port forwarding? If so, how is it that I can access my workstation via its 192.168.1.253 address from inside my LAN?

What exactly is going on?
Edited by parityboy - 6/20/11 at 6:50pm
Ryzen (12 items)
CPU: Ryzen 7 1700 | Motherboard: Gigabyte GA-AB350M Gaming 3 | Graphics: Palit GT-430 | RAM: Corsair Vengeance LPX CMK16GX4M2B3000C15
Hard Drive: Samsung 850 EVO | Cooling: AMD Wraith Spire | OS: Linux Mint 18.x | Monitor: Dell UltraSharp U2414H
Keyboard: Dell SK-8185 | Power: Thermaltake ToughPower 850W | Case: Lian-Li PC-A04B | Mouse: Logitech Trackman Wheel
post #2 of 26
TBH, I run a non-standard port for my SSH.
I ran mine on port 22 and I found someone randomly connecting to my box.
It was rather strange...

Pick something like port 22222 or something.
Something that isn't easy.
post #3 of 26
What is your router's IP? Can't help you without it.

192.168.1.253

Hosts 192.168.1.193->192.168.1.254

BROADCAST 192.168.1.255

Subnet 192.168.1.64 -> Broadcast 192.168.1.127

What did you use with your SSH tunnel, PuTTY?
Edited by Spooony - 6/15/11 at 7:42pm
post #4 of 26
Thread Starter 
My router's IP is 192.168.1.1. To connect to my workstation I use standard OpenSSH.
post #5 of 26
Quote:
Originally Posted by parityboy;13891613 
My router's IP is 192.168.1.1. To connect to my workstation I use standard OpenSSH.

Tell us what you are using the OpenVPN for. How many PCs do you have on your network? How many routers, switches or any other network equipment? That will help so we can picture your network. At the moment it looks like you want to connect other PCs on a LAN via the internet, which is like traveling 300 miles for the paper when the local store on the corner is also selling it.
post #6 of 26
Thread Starter 
Quote:
Originally Posted by parityboy;13888337 
I have a fairly standard set up of Internet connection, router and workstation. The workstation runs Ubuntu 10.04, and has an SSH daemon running. I forward port 22 on the router to the workstation, enabling me to access my workstation remotely.

Fairly simple. The VPN client runs on the workstation, and connects to a remote VPN server.
post #7 of 26
For the VPN you have to use the internal IP when you do the port forwarding. What VPN are you using? Is it an SSL VPN?
post #8 of 26
Thread Starter 
Quote:
Originally Posted by Spooony;13896273 
For the VPN you have to use the internal ip when you do the Portforwarding. What VPN are you using? Is it a ssl VPN?

As I stated, I use OpenVPN. It is an SSL VPN. Obviously it creates a tunnel between my workstation and the remote endpoint.

However, I can ping my router at address 192.168.1.1 from my workstation, and I can ping my workstation from the router. I can do this while the tunnel is active, which proves that my LAN is working normally.

My routing table looks like this:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
212.7.195.193   192.168.1.1     255.255.255.255 UGH   0      0        0 eth0
192.168.84.0    *               255.255.255.0   U     0      0        0 vmnet1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
10.1.1.0        *               255.255.255.0   U     0      0        0 tun0
192.168.204.0   *               255.255.255.0   U     0      0        0 vmnet8
link-local      *               255.255.0.0     U     1000   0        0 eth0
239.0.0.0       10.1.1.1        255.0.0.0       UG    0      0        0 tun0
default         10.1.1.1        128.0.0.0       UG    0      0        0 tun0
128.0.0.0       10.1.1.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

Outbound traffic is routed over the VPN device tun0, which is fine. What concerns me is that inbound traffic (such as remote access), which works just fine when the VPN client is not active, suddenly fails when the VPN client is active.

I don't understand why this is the case. I would assume that eth0 would continue to behave normally, and would continue to accept port-forwarded requests from outside of the LAN while the VPN tunnel is up.
post #9 of 26
OK, let me explain it like this; you can just add your IPs where applicable.

OK, let's say you have the PC at home with IP
192.168.2.100

You have a workstation with IP 192.168.0.123

Subnets 192.168.2.0/24 and 192.168.0.0/24.

Now you SSH from your PC to your workstation.

PC -> [workstation -> subnets
The requirement is simply that you be able to port-forward to a machine you have root access to.

Now you must configure user-land ppp.
It's the conf file of your VPN:
Code:
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuaa1
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

work-vpn:
 set escape 0xff
 # using ssh port-forwarding to connect
 set device localhost:6669/tcp
 set dial
 set timeout 600
 set log Phase Chat Connect hdlc LCP IPCP IPV6CP CCP tun
 # specify ip addrs for both ends.
 set ifaddr
-> this line is where your IP addresses go

^ That's the home PC SSH config.

Now your workstation.

/etc/services <-
Code:
ppp-in 6669/tcp # Incoming PPP connections over TCP (ppp-vpn)

/etc/inetd
Code:
ppp-in stream tcp nowait root /usr/sbin/ppp ppp -direct ppp-in

Tell inetd about the changes:

neptune$ sudo killall -HUP inetd

Now the workstation's config:
/etc/ppp/ppp.conf
Code:
default:
 set timeout 0
 set log Phase Chat LCP IPCP CCP tun command
 set dial
 set login

ppp-in:
 set timeout 0
 # reverse of the other side.
 set ifaddr
-> the IPs that you added earlier
That's just the reverse of the one you set up on the client.

Now tell your workstation about your home service:
/etc/ppp/ppp.linkup
Code:
ppp-in:
 # route traffic to home lan thru the connection.
 add 192.xxxx HISADDR
-> 192.xxxx is where your address goes

Now start the VPN.
Before starting ppp, local port 6669 must be forwarded to port 6669:

earth$ ssh -L 6669:localhost:6669

Now edit your SSH file
Earth:~/.ssh/config
Code:
Host ssh-gateway.whatevernetworksname.com ssh-gateway
    LocalForward 6669 my-workstation:6669

Once the ssh port-forwarding is confirmed, start ppp.

earth$ sudo ppp -background work-vpn

Monitor it like this:

earth$ sudo tail -f /var/log/ppp.log

Give that a try
post #10 of 26
Thread Starter 
I don't think I've explained myself properly so let me try again. Under normal circumstances - i.e. if the OpenVPN client is NOT running on my workstation - I can be out on the road with my laptop and gain remote access to my workstation via SSH, and get a remote desktop session.

This is because I have a port on my router - a D-Link DSL-2640B on address 192.168.1.1 - forwarded to my workstation to allow inbound SSH traffic.

If, however, I start up the VPN client on my workstation, for some reason my workstation no longer accepts inbound traffic. In fact, if I have a remote session active and then start the VPN client during that session, my remote session freezes as if the TCP session has suddenly died.

The Ethernet card appears to have kept its original LAN address of 192.168.1.253, and any other machine on the LAN can connect to it on that address, even while the VPN client is running.

It is specifically traffic port-forwarded from the WAN interface of the router which has issues. Please note that this issue is not specific to inbound SSH; inbound-anything has issues as long as the VPN client is running.

Does the tun0 device "take over" the Ethernet card?
Edited by parityboy - 6/16/11 at 3:59pm
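The routing table in post #8 already accounts for the symptom in post #10. OpenVPN's redirect-gateway def1 option installs two /1 routes (the netstat lines showing "default" and "128.0.0.0" with mask 128.0.0.0 via 10.1.1.1); together they cover the whole address space and win over the original /0 default on prefix length, while the /32 host route keeps the VPN server's own packets on eth0. A forwarded SSH connection still arrives on eth0, but replies are routed by destination, and the laptop's public address falls into one of the /1 routes, so the replies leave through tun0 with source 192.168.1.253 and never get back to the laptop: the TCP session stalls exactly as described. The Python below is added here as an example and is not code from the thread. It replays the posted table through a longest-prefix-match lookup, then adds a source-based policy-routing rule (the usual remedy for this, assumed here rather than taken from the posts: packets sourced from 192.168.1.253 consult a table whose default route is eth0) and shows the reply path becoming symmetric. The laptop address 203.0.113.5 is a constructed documentation address.

```python
"""Longest-prefix-match replay of the routing table posted in this thread.

Added example, not code from the thread.  The laptop address 203.0.113.5
is a constructed documentation address (RFC 5737); the policy-routing
rule is an assumed remedy, not something shown in the posts.
"""
import ipaddress
from typing import List, Optional, Tuple

# (destination prefix, gateway or None for on-link, outgoing interface)
Route = Tuple[str, Optional[str], str]

# The workstation's table from post #8 while OpenVPN is up.  netstat printed
# 0.0.0.0/1 as "default" with mask 128.0.0.0; both /1 routes are spelled out here.
MAIN_TABLE: List[Route] = [
    ("212.7.195.193/32", "192.168.1.1", "eth0"),  # host route to the VPN server
    ("192.168.84.0/24", None, "vmnet1"),
    ("192.168.1.0/24", None, "eth0"),             # the LAN
    ("10.1.1.0/24", None, "tun0"),                # the VPN subnet
    ("192.168.204.0/24", None, "vmnet8"),
    ("169.254.0.0/16", None, "eth0"),             # link-local
    ("239.0.0.0/8", "10.1.1.1", "tun0"),
    ("0.0.0.0/1", "10.1.1.1", "tun0"),            # pushed by redirect-gateway def1
    ("128.0.0.0/1", "10.1.1.1", "tun0"),          # pushed by redirect-gateway def1
    ("0.0.0.0/0", "192.168.1.1", "eth0"),         # the pre-VPN default route
]

# Assumed remedy (not from the thread): a second table consulted only for
# packets whose source is the LAN address, equivalent to
#   ip rule add from 192.168.1.253 table 100
#   ip route add default via 192.168.1.1 dev eth0 table 100
LAN_TABLE: List[Route] = [
    ("192.168.1.0/24", None, "eth0"),
    ("0.0.0.0/0", "192.168.1.1", "eth0"),
]
RULES = [("192.168.1.253/32", LAN_TABLE)]  # (source prefix, table); main is the fallback


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route in `table` that covers `dst`."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (str(best[0]), best[1], best[2])


def reply_path(dst: str, src: str, rules=()) -> Optional[Route]:
    """Route a packet src -> dst; policy rules matching the source are tried first."""
    src_ip = ipaddress.ip_address(src)
    for src_prefix, table in rules:
        if src_ip in ipaddress.ip_network(src_prefix):
            hit = lookup(table, dst)
            if hit is not None:
                return hit
    return lookup(MAIN_TABLE, dst)


def is_asymmetric(peer: str, local: str, ingress_dev: str, rules=()) -> bool:
    """True when the reply to a packet that arrived on `ingress_dev` would leave elsewhere."""
    route = reply_path(peer, local, rules)
    return route is None or route[2] != ingress_dev


if __name__ == "__main__":
    LAPTOP, WORKSTATION, VPN_ADDR = "203.0.113.5", "192.168.1.253", "10.1.1.94"
    # The router DNATs laptop -> WAN:22 to 192.168.1.253:22, so the SYN arrives on eth0.
    print("reply, main table only :", reply_path(LAPTOP, WORKSTATION))
    print("reply, with policy rule:", reply_path(LAPTOP, WORKSTATION, RULES))
    print("VPN-sourced traffic    :", reply_path(LAPTOP, VPN_ADDR, RULES))
    print("VPN server itself      :", lookup(MAIN_TABLE, "212.7.195.193"))
    print("asymmetric before/after:", is_asymmetric(LAPTOP, WORKSTATION, "eth0"),
          is_asymmetric(LAPTOP, WORKSTATION, "eth0", RULES))
```

On the workstation the equivalent is `ip rule add from 192.168.1.253 table 100` followed by `ip route add default via 192.168.1.1 dev eth0 table 100` (iproute2; the table number is arbitrary). Locally originated connections are routed before a source address is chosen, so they still pick the tun0 address and stay inside the VPN; only packets already sourced from the LAN address, which includes every reply to a forwarded connection, take the eth0 path. One check worth making before blaming replies: with strict reverse-path filtering (`net.ipv4.conf.eth0.rp_filter=1`) the kernel drops the inbound packets on eth0 at ingress, because the route back to the laptop's address points at tun0, so the connection can fail before any reply is sent, and the policy rule fixes that case as well.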