STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)

Fongaboo freebsd at fongaboo.com
Sat Aug 26 20:12:34 UTC 2017


I switched from IPFW to PF to try the config described here:

https://forums.freebsd.org/threads/59223/#post-339781


/var/log/pflog is a tcpdump file. If I run tcpdump -r /var/log/pflog, I get:

tcpdump -r /var/log/pflog

reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
18:06:01.613027 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:03.971339 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:08.675294 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:17.278446 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:06:33.344992 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:02.691919 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:05.261983 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:08.931149 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:17.402740 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:12:32.635587 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:22:20.921185 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 4035284244, ack 1027120871, win 65535, length 0
18:23:24.940182 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:24:28.983673 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:25:33.030676 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:26:37.046672 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:27:41.086657 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:28:45.098661 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:29:49.131903 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
18:30:53.149655 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [R.], seq 1, ack 1, win 65535, length 0
18:33:50.511601 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
18:33:50.723636 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
18:33:51.148137 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
18:33:53.262119 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
18:54:37.515017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:54:39.561270 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:54:43.638084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:54:52.017993 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:08.264719 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:42.101742 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:44.380150 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:47.824354 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:55:56.645017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
18:56:11.651346 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
19:03:15.099495 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 1970151435, ack 1289455849, win 1041, length 0
19:04:19.102813 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
19:05:23.117498 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0


Running tcpdump then connecting client:

tcpdump | grep openvpn

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on xn0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:04:17.710245 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 509
20:04:18.553458 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:18.553557 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 53
20:04:18.618648 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
20:04:18.675979 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:18.681394 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
20:04:18.761257 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:18.809412 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.175102 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.409976 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:19.409994 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:19.410001 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:19.410081 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
20:04:19.410084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.410085 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.410106 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
20:04:19.802659 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 85
20:04:22.129320 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
20:04:22.129470 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 26
20:04:22.177060 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.182265 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 203
20:04:22.189218 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 126
20:04:22.189240 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.189249 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.189276 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.233404 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.233419 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.233603 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.237922 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.237927 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.237964 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.237977 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.237987 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.271936 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
20:04:22.272042 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
20:04:22.276420 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22


On Sat, 26 Aug 2017, Adam Vande More wrote:

> On Sat, Aug 26, 2017 at 8:03 AM, Fongaboo <freebsd at fongaboo.com> wrote:
>
>>
>> I'm following this tutorial:
>>
>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
>>
>> Trying this on an AWS instance first and then planning to try on a bare
>> metal colo server.
>>
>> OpenVPN client and daemon seem to be working, in terms of handshaking and
>> connecting with each other. Problem is, no matter what I do, connected
>> clients can't get out to the Internet through the server's gateway
>> interface.
>>
>> I've tried setting up NATD, like the tutorial instructs. I've tried
>> enabling ipfw_nat as described in this comment:
>>
>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498
>>
>> rc.conf (for NATD):
>>
>> #enable firewall
>> firewall_enable="YES"
>> firewall_script="/usr/local/etc/ipfw.rules"
>> firewall_type="open"
>>
>> gateway_enable="YES"
>> natd_enable="YES"
>> natd_interface="xn0"
>> natd_flags="-dynamic -m"
>>
>> rc.conf (revised for ipfw_nat):
>>
>> #enable firewall
>> firewall_enable="YES"
>> firewall_script="/usr/local/etc/ipfw.rules"
>> firewall_type="open"
>> firewall_nat_enable="YES"
>> firewall_nat_interface="xn0"
>>
>> gateway_enable="YES"
>> #natd_enable="YES"
>> #natd_interface="xn0"
>> #natd_flags="-dynamic -m"
>>
>> *xn0 = external interface of the server
>>
>> Neither config allows Internet access. I have this line enabled in
>> /usr/local/etc/openvpn/openvpn.conf:
>>
>> push "redirect-gateway def1 bypass-dhcp"
>>
>> Perhaps this is part of the solution?:
>>
>> # Configure server mode for ethernet bridging
>> # using a DHCP-proxy, where clients talk
>> # to the OpenVPN server-side DHCP server
>> # to receive their IP address allocation
>> # and DNS server addresses.  You must first use
>> # your OS's bridging capability to bridge the TAP
>> # interface with the ethernet NIC interface.
>> # Note: this mode only works on clients (such as
>> # Windows), where the client-side TAP adapter is
>> # bound to a DHCP client.
>> ;server-bridge
>>
>> Any advice would be appreciated. I'm willing to try any combination of
>> ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to
>> see the WAN. TIA!
>>
>
> tcpdump and ipfw logs.
>
> -- 
> Adam
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
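A pf.conf that covers the NAT step the thread is stuck on (tunnel clients reaching the WAN through xn0), added here as an example and not the poster's, the tutorial's or the forum post's own configuration. Only xn0 comes from the post; the tun0 interface name, UDP port 1194 and the 10.8.0.0/24 tunnel network are assumptions to check against openvpn.conf.

```pf
# /etc/pf.conf  (added example, not the poster's config)
# Assumptions: xn0 is the external interface (from the post); OpenVPN
# listens on UDP 1194 and hands out 10.8.0.0/24 on tun0 (assumed).
ext_if  = "xn0"
vpn_if  = "tun0"
vpn_net = "10.8.0.0/24"

set skip on lo0

# NAT: rewrite the tunnel clients' source address to whatever address
# xn0 currently holds. "($ext_if)" tracks the interface address, which
# matters on EC2 where the instance only sees its private address.
nat on $ext_if inet from $vpn_net to any -> ($ext_if)

# Default deny and log the drops, so /var/log/pflog shows only what pf
# refused instead of every packet on the box.
block log all

# The host itself (and forwarded tunnel traffic after NAT) may leave via xn0.
pass out quick on $ext_if inet keep state

# OpenVPN control/data channel from clients on the Internet.
pass in on $ext_if inet proto udp from any to ($ext_if) port 1194 keep state

# Packets arriving from the tunnel are allowed to be forwarded; the
# state created here lets the replies back in through xn0.
pass in on $vpn_if inet from $vpn_net to any keep state

# Keep administrative access open so a mistake above does not lock you out
# of the instance; restrict the source to your own addresses.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; gateway_enable="YES" in rc.conf (already present in the quoted configs) is still required so the kernel forwards at all. Reading the log with `tcpdump -n -e -r /var/log/pflog` prints the rule number, action and direction for each entry, which the plain `tcpdump -r` output above omits and which is what tells you whether a packet was passed or blocked.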

