STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)

Ultima ultima1252 at gmail.com
Sat Aug 26 21:00:44 UTC 2017


Please post the following, which will help debug this; obscure public
IPs/MACs as needed.
ifconfig
netstat -nr
openvpn.log (verb=1 should be good enough, may need higher later)
openvpn.conf
tcpdump -i xn0
tcpdump -i tun0
rc.conf

This information should be enough to figure out the issue you are having.
If you have listed some of this information previously, please still dump
it all in the same email, as you keep changing your configuration.

On Sat, Aug 26, 2017 at 1:12 PM, Fongaboo <freebsd at fongaboo.com> wrote:

>
> I switched from IPFW to PF to try the config described here:
>
> https://forums.freebsd.org/threads/59223/#post-339781
>
>
> /var/log/pflog is a tcpdump file. If I run tcpdump -r /var/log/pflog, I
> get:
>
> tcpdump -r /var/log/pflog
>
> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
> 18:06:01.613027 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:06:03.971339 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:06:08.675294 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:06:17.278446 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:06:33.344992 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:12:02.691919 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:12:05.261983 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:12:08.931149 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:12:17.402740 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:12:32.635587 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:22:20.921185 IP ip-aws-private-ip.ec2.internal.smtp >
> ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964:
> Flags [F.], seq 4035284244, ack 1027120871, win 65535, length 0
> 18:23:24.940182 IP ip-aws-private-ip.ec2.internal.smtp >
> ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964:
> Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:24:28.983673 IP ip-aws-private-ip.ec2.internal.smtp >
> ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964:
> Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:25:33.030676 IP ip-aws-private-ip.ec2.internal.smtp >
> ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964:
> Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:26:37.046672 IP ip-aws-private-ip.ec2.internal.smtp >
> ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964:
> Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:27:41.086657 IP ip-aws-private-ip.ec2.internal.smtp >
> ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964:
> Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:28:45.098661 IP ip-aws-private-ip.ec2.internal.smtp >
> ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964:
> Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:29:49.131903 IP ip-aws-private-ip.ec2.internal.smtp >
> ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964:
> Flags [F.], seq 0, ack 1, win 65535, length 0
> 18:30:53.149655 IP ip-aws-private-ip.ec2.internal.smtp >
> ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964:
> Flags [R.], seq 1, ack 1, win 65535, length 0
> 18:33:50.511601 IP6 :: > ff02::16: HBH ICMP6, multicast listener report
> v2[|icmp6], length 28
> 18:33:50.723636 IP6 :: > ff02::16: HBH ICMP6, multicast listener report
> v2[|icmp6], length 28
> 18:33:51.148137 IP6 :: > ff02::16: HBH ICMP6, multicast listener report
> v2[|icmp6], length 48
> 18:33:53.262119 IP6 :: > ff02::16: HBH ICMP6, multicast listener report
> v2[|icmp6], length 48
> 18:54:37.515017 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:54:39.561270 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:54:43.638084 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:54:52.017993 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:55:08.264719 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:55:42.101742 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:55:44.380150 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:55:47.824354 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:55:56.645017 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 18:56:11.651346 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 19:03:15.099495 IP ip-aws-private-ip.ec2.internal.smtp >
> 190.67.161.242.61885: Flags [F.], seq 1970151435, ack 1289455849, win 1041,
> length 0
> 19:04:19.102813 IP ip-aws-private-ip.ec2.internal.smtp >
> 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
> 19:05:23.117498 IP ip-aws-private-ip.ec2.internal.smtp >
> 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
>
>
> Running tcpdump then connecting client:
>
> tcpdump | grep openvpn
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on xn0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 20:04:17.710245 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 509
> 20:04:18.553458 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
> 20:04:18.553557 IP ip-aws-private-ip.ec2.internal.openvpn >
> my-home-ip.nycap.res.rr.com.openvpn: UDP, length 53
> 20:04:18.618648 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
> 20:04:18.675979 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
> 20:04:18.681394 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
> 20:04:18.761257 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
> 20:04:18.809412 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
> 20:04:19.175102 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
> 20:04:19.409976 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
> 20:04:19.409994 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
> 20:04:19.410001 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
> 20:04:19.410081 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
> 20:04:19.410084 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
> 20:04:19.410085 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
> 20:04:19.410106 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
> 20:04:19.802659 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 85
> 20:04:22.129320 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
> 20:04:22.129470 IP ip-aws-private-ip.ec2.internal.openvpn >
> my-home-ip.nycap.res.rr.com.openvpn: UDP, length 26
> 20:04:22.177060 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
> 20:04:22.182265 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 203
> 20:04:22.189218 IP ip-aws-private-ip.ec2.internal.openvpn >
> my-home-ip.nycap.res.rr.com.openvpn: UDP, length 126
> 20:04:22.189240 IP ip-aws-private-ip.ec2.internal.openvpn >
> my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.189249 IP ip-aws-private-ip.ec2.internal.openvpn >
> my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.189276 IP ip-aws-private-ip.ec2.internal.openvpn >
> my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.233404 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
> 20:04:22.233419 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
> 20:04:22.233603 IP ip-aws-private-ip.ec2.internal.openvpn >
> my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.237922 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
> 20:04:22.237927 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
> 20:04:22.237964 IP ip-aws-private-ip.ec2.internal.openvpn >
> my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.237977 IP ip-aws-private-ip.ec2.internal.openvpn >
> my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.237987 IP ip-aws-private-ip.ec2.internal.openvpn >
> my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.271936 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
> 20:04:22.272042 IP ip-aws-private-ip.ec2.internal.openvpn >
> my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
> 20:04:22.276420 IP my-home-ip.nycap.res.rr.com.openvpn >
> ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>
>
>
> On Sat, 26 Aug 2017, Adam Vande More wrote:
>
>> On Sat, Aug 26, 2017 at 8:03 AM, Fongaboo <freebsd at fongaboo.com> wrote:
>>
>>
>>> I'm following this tutorial:
>>>
>>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
>>>
>>> Trying this on an AWS instance first and then planning to try on a bare
>>> metal colo server.
>>>
>>> OpenVPN client and daemon seem to be working, in terms of handshaking and
>>> connecting with each other. Problem is, no matter what I do, connected
>>> clients can't get out to the Internet through the server's gateway
>>> interface.
>>>
>>> I've tried setting up NATD, like the tutorial instructs. I've tried
>>> enabling ipfw_nat as described in this comment:
>>>
>>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498
>>>
>>> rc.conf (for NATD):
>>>
>>> #enable firewall
>>> firewall_enable="YES"
>>> firewall_script="/usr/local/etc/ipfw.rules"
>>> firewall_type="open"
>>>
>>> gateway_enable="YES"
>>> natd_enable="YES"
>>> natd_interface="xn0"
>>> natd_flags="-dynamic -m"
>>>
>>> rc.conf (revised for ipfw_nat):
>>>
>>> #enable firewall
>>> firewall_enable="YES"
>>> firewall_script="/usr/local/etc/ipfw.rules"
>>> firewall_type="open"
>>> firewall_nat_enable="YES"
>>> firewall_nat_interface="xn0"
>>>
>>> gateway_enable="YES"
>>> #natd_enable="YES"
>>> #natd_interface="xn0"
>>> #natd_flags="-dynamic -m"
>>>
>>> *xn0 = external interface of the server
>>>
>>> Neither config allows Internet access. I have this line enabled in
>>> /usr/local/etc/openvpn/openvpn.conf:
>>>
>>> push "redirect-gateway def1 bypass-dhcp"
>>>
>>> Perhaps this is part of the solution?:
>>>
>>> # Configure server mode for ethernet bridging
>>> # using a DHCP-proxy, where clients talk
>>> # to the OpenVPN server-side DHCP server
>>> # to receive their IP address allocation
>>> # and DNS server addresses.  You must first use
>>> # your OS's bridging capability to bridge the TAP
>>> # interface with the ethernet NIC interface.
>>> # Note: this mode only works on clients (such as
>>> # Windows), where the client-side TAP adapter is
>>> # bound to a DHCP client.
>>> ;server-bridge
>>>
>>> Any advice would be appreciated. I'm willing to try any combination of
>>> ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to
>>> see the WAN. TIA!
>>>
>>>
>> tcpdump and ipfw logs.
>>
>> --
>> Adam
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe
>> @freebsd.org"
>>
>
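One way to put the in-kernel NAT this thread is chasing into the custom firewall_script (an added example, not code from the thread or from FreeBSD's own scripts): the firewall_nat_enable/firewall_nat_interface knobs are consumed by the stock /etc/rc.firewall, so a ruleset loaded through firewall_script="/usr/local/etc/ipfw.rules" has to configure the nat instance itself. It assumes OpenVPN's default 10.8.0.0/24 on tun0 and udp/1194, neither of which the thread states, and keeps the otherwise "open" policy of the posted rc.conf.

```shell
#!/bin/sh
# Example /usr/local/etc/ipfw.rules (added here, not from the thread).
# Assumed, not stated on the page: OpenVPN serves 10.8.0.0/24 on tun0 and
# listens on udp/1194; xn0 is the external interface (as in the thread).
EXT_IF="${EXT_IF:-xn0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"

# Emit the rule set as text so it can be reviewed before it is loaded.
# The trailing allow mirrors firewall_type="open"; the nat lines are what a
# custom firewall_script must add itself, since rc.firewall is not used.
# unreg_only translates only private-source traffic (the VPN clients), so the
# host's own traffic via xn0 passes through the nat rule untouched.
ipfw_rules() {
    ext="$1"; vpn_if="$2"; vpn_net="$3"
    cat <<EOF
nat 1 config if ${ext} same_ports unreg_only reset
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 200 nat 1 ip4 from any to any via ${ext}
add 300 allow udp from any to me 1194 in via ${ext}
add 310 allow ip from ${vpn_net} to any in via ${vpn_if}
add 65000 allow ip from any to any
EOF
}

# Load the rules only as root on a host that has ipfw; otherwise just show them.
if [ "$(id -u)" -eq 0 ] && command -v ipfw >/dev/null 2>&1; then
    ipfw -q -f flush
    ipfw_rules "$EXT_IF" "$VPN_IF" "$VPN_NET" | while read -r rule; do
        ipfw -q $rule   # word splitting intended: each line is one ipfw command
    done
else
    ipfw_rules "$EXT_IF" "$VPN_IF" "$VPN_NET"
fi
```

gateway_enable="YES" in rc.conf (already in the posted config) is still required so the kernel forwards the tun0 traffic that this rule set then translates.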

