STUMPED: Setting up OpenVPN server on FreeBSD (self.freebsd)

Ultima ultima1252 at gmail.com
Sat Aug 26 21:02:55 UTC 2017


Also, I forgot to add, pf.conf or ipfw.conf.

On Sat, Aug 26, 2017 at 2:00 PM, Ultima <ultima1252 at gmail.com> wrote:

> Please post the following, which will help debug this; obscure public
> IPs/MACs as needed.
> ifconfig
> netstat -nr
> openvpn.log (verb=1 should be good enough, may need higher later)
> openvpn.conf
> tcpdump -i xn0
> tcpdump -i tun0
> rc.conf
>
> This information should be enough to figure out the issue you are having.
> If you have listed some of this information previously, still please dump
> it in the same email as you keep changing your configuration.
>
> On Sat, Aug 26, 2017 at 1:12 PM, Fongaboo <freebsd at fongaboo.com> wrote:
>
>>
>> I switched from IPFW to PF to try the config described here:
>>
>> https://forums.freebsd.org/threads/59223/#post-339781
>>
>>
>> /var/log/pflog is a tcpdump file. If I run tcpdump -r /var/log/pflog, I
>> get:
>>
>> tcpdump -r /var/log/pflog
>>
>> reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
>> 18:06:01.613027 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:06:03.971339 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:06:08.675294 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:06:17.278446 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:06:33.344992 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:02.691919 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:05.261983 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:08.931149 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:17.402740 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:12:32.635587 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:22:20.921185 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 4035284244, ack 1027120871, win 65535, length 0
>> 18:23:24.940182 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:24:28.983673 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:25:33.030676 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:26:37.046672 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:27:41.086657 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:28:45.098661 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:29:49.131903 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [F.], seq 0, ack 1, win 65535, length 0
>> 18:30:53.149655 IP ip-aws-private-ip.ec2.internal.smtp > ge-0-4.customer-gw-rangewave-consulting.es-28-jnb.za.seacomnet.com.28964: Flags [R.], seq 1, ack 1, win 65535, length 0
>> 18:33:50.511601 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
>> 18:33:50.723636 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 28
>> 18:33:51.148137 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
>> 18:33:53.262119 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2[|icmp6], length 48
>> 18:54:37.515017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:54:39.561270 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:54:43.638084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:54:52.017993 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:08.264719 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:42.101742 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:44.380150 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:47.824354 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:55:56.645017 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 18:56:11.651346 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 19:03:15.099495 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 1970151435, ack 1289455849, win 1041, length 0
>> 19:04:19.102813 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
>> 19:05:23.117498 IP ip-aws-private-ip.ec2.internal.smtp > 190.67.161.242.61885: Flags [F.], seq 0, ack 1, win 1041, length 0
>>
>>
>> Running tcpdump then connecting client:
>>
>> tcpdump | grep openvpn
>>
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on xn0, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 20:04:17.710245 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 509
>> 20:04:18.553458 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:18.553557 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 53
>> 20:04:18.618648 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
>> 20:04:18.675979 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:18.681394 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 109
>> 20:04:18.761257 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:18.809412 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.175102 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.409976 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:19.409994 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:19.410001 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:19.410081 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 93
>> 20:04:19.410084 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.410085 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.410106 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 101
>> 20:04:19.802659 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 85
>> 20:04:22.129320 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 14
>> 20:04:22.129470 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 26
>> 20:04:22.177060 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.182265 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 203
>> 20:04:22.189218 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 126
>> 20:04:22.189240 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.189249 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.189276 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.233404 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.233419 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.233603 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.237922 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.237927 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.237964 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.237977 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.237987 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.271936 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>> 20:04:22.272042 IP ip-aws-private-ip.ec2.internal.openvpn > my-home-ip.nycap.res.rr.com.openvpn: UDP, length 114
>> 20:04:22.276420 IP my-home-ip.nycap.res.rr.com.openvpn > ip-aws-private-ip.ec2.internal.openvpn: UDP, length 22
>>
>>
>>
>> On Sat, 26 Aug 2017, Adam Vande More wrote:
>>
>> On Sat, Aug 26, 2017 at 8:03 AM, Fongaboo <freebsd at fongaboo.com> wrote:
>>>
>>>
>>>> I'm following this tutorial:
>>>>
>>>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1
>>>>
>>>> Trying this on an AWS instance first and then planning to try on a bare
>>>> metal colo server.
>>>>
>>>> OpenVPN client and daemon seem to be working, in terms of handshaking
>>>> and connecting with each other. Problem is, no matter what I do,
>>>> connected clients can't get out to the Internet through the server's
>>>> gateway interface.
>>>>
>>>> I've tried setting up NATD, like the tutorial instructs. I've tried
>>>> enabling ipfw_nat as described in this comment:
>>>>
>>>> https://www.digitalocean.com/community/tutorials/how-to-configure-and-connect-to-a-private-openvpn-server-on-freebsd-10-1?comment=40498
>>>>
>>>> rc.conf (for NATD):
>>>>
>>>> #enable firewall
>>>> firewall_enable="YES"
>>>> firewall_script="/usr/local/etc/ipfw.rules"
>>>> firewall_type="open"
>>>>
>>>> gateway_enable="YES"
>>>> natd_enable="YES"
>>>> natd_interface="xn0"
>>>> natd_flags="-dynamic -m"
>>>>
>>>> rc.conf (revised for ipfw_nat):
>>>>
>>>> #enable firewall
>>>> firewall_enable="YES"
>>>> firewall_script="/usr/local/etc/ipfw.rules"
>>>> firewall_type="open"
>>>> firewall_nat_enable="YES"
>>>> firewall_nat_interface="xn0"
>>>>
>>>> gateway_enable="YES"
>>>> #natd_enable="YES"
>>>> #natd_interface="xn0"
>>>> #natd_flags="-dynamic -m"
>>>>
>>>> *xn0 = external interface of the server
>>>>
>>>> Neither config allows Internet access. I have this line enabled in
>>>> /usr/local/etc/openvpn/openvpn.conf:
>>>>
>>>> push "redirect-gateway def1 bypass-dhcp"
>>>>
>>>> Perhaps this is part of the solution?:
>>>>
>>>> # Configure server mode for ethernet bridging
>>>> # using a DHCP-proxy, where clients talk
>>>> # to the OpenVPN server-side DHCP server
>>>> # to receive their IP address allocation
>>>> # and DNS server addresses.  You must first use
>>>> # your OS's bridging capability to bridge the TAP
>>>> # interface with the ethernet NIC interface.
>>>> # Note: this mode only works on clients (such as
>>>> # Windows), where the client-side TAP adapter is
>>>> # bound to a DHCP client.
>>>> ;server-bridge
>>>>
>>>> Any advice would be appreciated. I'm willing to try any combination of
>>>> ipfw vs. pf or natd vs. ipfw_nat or whatever if it will allow clients to
>>>> see the WAN. TIA!
>>>>
>>>>
>>> tcpdump and ipfw logs.
>>>
>>> --
>>> Adam
>>> _______________________________________________
>>> freebsd-questions at freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe
>>> @freebsd.org"
>>>
>>
>
>
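The thread above stops before a working configuration is reached. The script below is an added example, not code from any of the posters or from the DigitalOcean tutorial: it prints the pf side of the setup Fongaboo switched to (a pf.conf that NATs a tun-mode OpenVPN subnet out the external interface, with logging on the default block so drops land in /var/log/pflog), the rc.conf lines that go with it, and a small awk check for the symptom visible in the pasted captures, namely a src > dst pair in tcpdump output that never gets a packet back. Names assumed rather than taken from the page: external interface xn0 (matching the posted rc.conf), tunnel device tun0, tunnel subnet 10.8.0.0/24, OpenVPN on UDP 1194, and SSH on port 22. Two caveats a practitioner would want here: when firewall_script in rc.conf names a custom rule file, /etc/rc.d/ipfw runs that file in place of /etc/rc.firewall, so the firewall_type and firewall_nat_interface handling that lives in rc.firewall only takes effect if the custom script does the same work itself; and a 14-byte UDP datagram to the OpenVPN port, retransmitted at growing intervals as in the pflog lines at 18:06, is the size of a client's initial hard-reset control packet when tls-auth is not in use, so once forwarding works it is worth adding tls-auth or tls-crypt so that unauthenticated peers cannot start a TLS handshake with the server.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# Assumptions (not stated on the page): external interface xn0, tunnel
# device tun0 with subnet 10.8.0.0/24, OpenVPN on UDP 1194, SSH on 22.

# Print a minimal /etc/pf.conf that NATs the tunnel subnet out EXT_IF.
# Usage: pf_nat_conf EXT_IF VPN_NET
pf_nat_conf() {
    cat <<EOF
ext_if = "$1"
vpn_if = "tun0"
vpn_net = "$2"

set skip on lo0

# Translation comes before filtering in pf.conf.  "(\$ext_if)" tracks the
# interface's current address, which on a cloud instance may change.
nat on \$ext_if inet from \$vpn_net to any -> (\$ext_if)

# Default deny, logged: anything dropped shows up in tcpdump -r /var/log/pflog.
block log all

# Reach the host itself: SSH and the OpenVPN endpoint on the external side.
pass in on \$ext_if inet proto tcp to (\$ext_if) port 22
pass in on \$ext_if inet proto udp to (\$ext_if) port 1194

# Forward whatever clients send into the tunnel; replies ride the state
# entry, since pass rules keep state by default on FreeBSD's pf.
pass in on \$vpn_if inet from \$vpn_net to any
pass out all
EOF
}

# rc.conf lines that go with it.  gateway_enable sets net.inet.ip.forwarding=1;
# without it, packets arriving on tun0 for other hosts are dropped by the
# stack and never reach a pf rule, so nothing about them is logged.
rc_conf_nat() {
    cat <<'EOF'
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
# Run one packet filter, not two: leave ipfw and natd off while pf is in use.
firewall_enable="NO"
natd_enable="NO"
EOF
}

# Read tcpdump text on stdin ("HH:MM:SS.usec IP src > dst: ..." as pasted in
# the thread) and print each src > dst pair that never got a packet back.
# OpenVPN datagrams listed here, retransmitted at growing intervals, mean the
# server is not answering or its replies cannot route back to the client.
one_sided_flows() {
    awk '
    $2 == "IP" && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)
        seen[$3 ">" dst]++
    }
    END {
        for (k in seen) {
            split(k, ep, ">")
            if (!((ep[2] ">" ep[1]) in seen))
                printf "%s > %s: %d packets, no reply\n", ep[1], ep[2], seen[k]
        }
    }'
}

# Command-line use; with no argument the file only defines the functions.
#   sh nat-example.sh conf xn0 10.8.0.0/24 > /etc/pf.conf
#   sh nat-example.sh rc
#   tcpdump -n -r /var/log/pflog | sh nat-example.sh flows
case "${1:-}" in
    conf)  pf_nat_conf "${2:-xn0}" "${3:-10.8.0.0/24}" ;;
    rc)    rc_conf_nat ;;
    flows) one_sided_flows ;;
    *)     ;;
esac
```

After loading the rules with pfctl -f /etc/pf.conf, the things to confirm on the server are that sysctl net.inet.ip.forwarding prints 1, that pfctl -s nat shows the translation rule, and that while a connected client pings an Internet address, pfctl -s state shows an entry with the client's tunnel address on one side and the xn0 address on the other and tcpdump -ni xn0 not port 1194 shows the translated packets leaving and their replies coming back. If the client's packets appear on tun0 but never on xn0, forwarding or the NAT rule is the problem; if they leave xn0 translated but no reply arrives, look outside the host (on AWS, the instance's security group and the source/destination check on the interface).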

