[SOLVED] OpenVPN Client Blocks Inbound Ports - Page 3

post #21 of 26
Thread Starter 
My suspicions proved to be correct. The incoming connection arrives on interface eth0, the server(s) answer the query but the return communication is sent over tun0, which is useless.

I checked this by setting up a static route to a server on the 'net I have control of, and then ssh'ing in from that server to my router's WAN interface. The connection worked perfectly, so I know it's a routing issue - the default route is accessible via tun0, not eth0.

What I need is to be able to force the server to reply on the same interface it received the query on, rather than simply sending the packet via the default route.
Quote:
Originally Posted by Spooony;13944523 
OpenVPN took those ports. OpenVPN is an all-application VPN. That means you can send anything from anywhere on your workstation; it's going via your proxy to the destination. That's why the port is not there.

Wrong. OpenVPN does not "take" any ports when operating in client mode, which is exactly the mode it is in at my end. It works by creating a client-server connection to a remote endpoint on port 1194, and then using the tun device to trap IP packets and send them over the encrypted connection.
Quote:
Originally Posted by Spooony;13944523 
Does your "VPN provider" support server port forward?

Nope, and I don't need it to.
Quote:
Originally Posted by Spooony;13944523 
Another question. Where is your workstation? Is it on the same router?

Do you even bother to read people's posts?
Quote:
Originally Posted by Spooony;13944523 
If it is, you will have to edit the config file of OpenVPN and add your route as an exclude.

I can't see that working. The problem is that an incoming connection from out on the public Internet will have the IP address of the source machine, and very obviously the server software running on my workstation will use that address as the reply address. Since that reply address is not on the local subnet, any connection to it will have to go via the default route, which is only accessible via tun0, the VPN device.
Edited by parityboy - 6/20/11 at 6:49pm
post #22 of 26
Quote:
Originally Posted by parityboy View Post
My suspicions proved to be correct. The incoming connection arrives on interface eth0, the server(s) answer the query but the return communication is sent over tun0, which is useless.

Do you use openVPN?
http://www.sans.org/reading_room/whi...evolution_1459

OpenVPN is not application based.
Edited by Spooony - 6/20/11 at 7:04pm
post #23 of 26
Thread Starter 
Quote:
Originally Posted by Spooony View Post
Do you use openVPN?
http://www.sans.org/reading_room/whi...evolution_1459

OpenVPN is not application based.
I never said it was. In fact I know that it isn't, since it uses a virtual network interface which is transparent to all applications, and even to the IP packets which traverse it.

Why do you keep asking this?
post #24 of 26
What was your solution, iptables on your router?
 
post #25 of 26
Thread Starter 
My "solution" was to create a static route from my workstation to a server on the 'net I have admin rights to - one I set up in Amazon's cloud - and then ssh or NX remote desktop from there.

Like I said, the issue is that when the SSH server answers an incoming request and spawns a child process to deal with it, that child process is going to reply using the default route, which in this case runs over the VPN.

A proper solution would be to "jail" a server process to a specified network interface, so it listens and responds using that interface. That would solve the issue at a stroke.
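The reply-routing problem described in post #21 and the "jail the server to one interface" idea above have a standard Linux answer that is neither in the thread nor in OpenVPN itself: source-based policy routing. Binding sshd to the eth0 address with ListenAddress changes which connections it accepts but not which route the kernel picks for replies; a rule that keys on the reply's source address does. The script below is an added example, not the OP's or OpenVPN's code. It assumes a hypothetical WAN interface eth0 with address 203.0.113.10 and gateway 203.0.113.1 (TEST-NET-3 values constructed for the example), routing table 100 and rule priority 1000; override them with environment variables.

```shell
#!/bin/sh
# Added example, not code from the thread: source-based policy routing on the
# Linux box that runs the OpenVPN client (the OP's workstation or router).
# Replies to a connection that arrived on eth0 carry eth0's address as source,
# so a rule keyed on that source address sends them back out via eth0's own
# gateway, while everything else keeps using the default route over tun0.
# Assumed (hypothetical, substitute your own): interface eth0, its address
# 203.0.113.10 and gateway 203.0.113.1 (TEST-NET-3 values constructed for
# this example), routing table 100, rule priority 1000 (main table is 32766).
WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP:-203.0.113.10}
WAN_GW=${WAN_GW:-203.0.113.1}
TABLE=${TABLE:-100}
PRIO=${PRIO:-1000}

# Accept only a dotted quad with four octets in 0-255; returns 0 when valid.
valid_ipv4() {
    case $1 in ''|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case $oct in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Print the iproute2 commands for address $1, gateway $2, interface $3,
# table $4 and priority $5; nothing is applied here, so it is safe to inspect.
render_rules() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || { echo "render_rules: bad IPv4 address" >&2; return 1; }
    cat <<EOF
ip route replace default via $2 dev $3 table $4
ip rule add from $1 lookup $4 priority $5
ip route flush cache
EOF
}

# Apply the rules (needs root); deleting a possibly pre-existing rule first
# keeps repeated runs from stacking duplicate "ip rule" entries.
apply_rules() {
    ip rule del from "$WAN_IP" lookup "$TABLE" priority "$PRIO" 2>/dev/null || true
    render_rules "$WAN_IP" "$WAN_GW" "$WAN_IF" "$TABLE" "$PRIO" | sh -e
}

# Ask the kernel which device it would use for a reply to $1 sent from the
# WAN address as if the request had come in on eth0; prints "eth0" once the
# rules are in place, and the tun device before they are.
egress_dev_for() {
    ip route get "$1" from "$WAN_IP" iif "$WAN_IF" 2>/dev/null |
        sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

case ${1-} in
    apply) apply_rules ;;
    show)  render_rules "$WAN_IP" "$WAN_GW" "$WAN_IF" "$TABLE" "$PRIO" ;;
    check) egress_dev_for "${2:-198.51.100.5}" ;;   # 198.51.100.5 is a constructed test address
esac
```

When the OpenVPN client pushes `redirect-gateway def1`, it installs 0.0.0.0/1 and 128.0.0.0/1 via tun0 into the main table; the rule at priority 1000 is consulted before the main table (32766), so only packets sourced from the eth0 address are diverted. This covers TCP services such as sshd, whose accepted connections always reply from the address the SYN arrived on; a UDP service must be bound to the eth0 address explicitly. Run `sh policy-route.sh check` before and after `apply` to see the egress device change, and hook `apply` into whatever brings eth0 up so the rule survives a reboot.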
post #26 of 26
Quote:
Originally Posted by parityboy View Post
My "solution" was to create a static route from my workstation to a server on the 'net I have admin rights to - one I set up in Amazon's cloud - and then ssh or NX remote desktop from there.
Yes. But you could've just tunnelled a way with OpenVPN to extend the private network. That's what OpenVPN is for. That's what a VPN is. Those commands and scripts I posted up there are to use SSH over it. But OpenVPN was a solution created to make IPsec and all of those solutions easy. You create a key on both sides. You enter the IP and then it tunnels a way to the IP. So you have an encrypted tunnel from your workstation to other PCs. Connectivity providers have taken the word VPN to sell products. They're good for hiding your IP, that's it. But in this case you want to extend your private network; that's what a VPN is. That's what OpenVPN was created for, hence the security provided with it.
So next time just create two keys with OpenVPN, then just enter the IP of your workstation. You have to configure the config file to say what keys to use, but it's simple and easy to do. You'll have a nice encrypted tunnel between the two to do your admin work. You can tunnel anything through it that you want.
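The "key on both sides, enter the IP" setup above, as an added example that is not Spooony's scripts or any config from the thread: a generator for a matching pair of OpenVPN point-to-point configs in static-key mode, the simplest form of what he describes. The workstation dials out to the admin host rather than listening, so the admin host never has to reach the workstation's eth0 and the reply-routing problem from earlier in the thread does not arise; the admin host then ssh's to the workstation's tunnel address. Everything concrete is assumed: the admin host at 198.51.100.5 (a TEST-NET-2 address constructed for the example), tunnel addresses 10.8.0.1 and 10.8.0.2, and a shared key file static.key made with `openvpn --genkey --secret static.key` (OpenVPN 2.4) or `openvpn --genkey secret static.key` (2.5 and later).

```shell
#!/bin/sh
# Added example, not Spooony's scripts or any config from the thread: render a
# matching pair of OpenVPN point-to-point configs in static-key mode.
# The workstation dials OUT to the admin host, so the admin host never has to
# reach the workstation's eth0; it reaches the workstation at 10.8.0.1 instead.
# Assumed (hypothetical): admin host at 198.51.100.5 (TEST-NET-2, constructed),
# tunnel addresses 10.8.0.1 (workstation) / 10.8.0.2 (admin host), one shared
# key file static.key generated beforehand with openvpn --genkey.
TUN_WS=10.8.0.1
TUN_ADMIN=10.8.0.2
VPN_PORT=1194

# Options common to both ends. Static-key mode cannot use AEAD ciphers, so a
# CBC cipher plus an HMAC is the strongest choice; the daemon drops root after
# the tun device is up (nobody/nogroup is the Debian/Mint naming).
common_opts() {
    cat <<EOF
dev tun
proto udp
secret static.key
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# Config for the admin host: listens on UDP $VPN_PORT and has no "remote" line.
render_listener_conf() {
    printf 'port %s\nifconfig %s %s\n' "$VPN_PORT" "$TUN_ADMIN" "$TUN_WS"
    common_opts
}

# Config for the workstation: dials out to the admin host given as $1. A loose
# digits-and-dots check keeps shell metacharacters out of the written file.
render_dialout_conf() {
    case $1 in ''|*[!0-9.]*) echo "render_dialout_conf: bad address '$1'" >&2; return 1 ;; esac
    printf 'remote %s %s\nnobind\nifconfig %s %s\n' "$1" "$VPN_PORT" "$TUN_WS" "$TUN_ADMIN"
    common_opts
}

# Write both files into directory $1 with 0600 permissions. The key itself
# still has to be copied to the other end over an already trusted channel.
write_pair() {
    (
        umask 077
        mkdir -p "$1"
        render_listener_conf > "$1/admin-host.conf"
        render_dialout_conf "$2" > "$1/workstation.conf"
    )
}

case ${1-} in
    write) write_pair "${2:-./openvpn-p2p}" "${3:-198.51.100.5}" ;;
esac
```

Run `sh p2p.sh write ./out 198.51.100.5`, place static.key next to each config, and open UDP 1194 on the admin host's firewall or security group for the workstation's egress address; as the thread notes, with the provider VPN up that egress address is the VPN exit, not the workstation's own WAN address. Static-key mode gives no forward secrecy, so for anything longer-lived than an admin back door the TLS mode with per-host certificates is the better choice.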