
Thread: Can't seem to access OpenVPN AS remotely

  1. #1
    Join Date
    May 2013
    Beans
    10

    Can't seem to access OpenVPN AS remotely

    Hello, everyone. I'm using Ubuntu 12.04.2 LTS server to host my site. I've installed OpenVPN AS v1.8.4 for Ubuntu 10. I'm attempting to connect from it with a remote server, but when I do, the client indicates I can connect to it, yet I can't access any of the PHP pages or Fossil repositories using HTTP. The connectivity test result below seems to suggest some sort of connectivity problem as well.

    VPNConnectionTest.png

    I want to know what I can do to debug this problem. I'm currently not sure whether this is due to server configuration or my Verizon Fios router configuration. What can I do to figure this out?

    Thanks in advance!

  2. #2
    Join Date
    Nov 2008
    Location
    Los Angeles
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Can't seem to access OpenVPN AS remotely

    Hi, have you forwarded any ports/done NAT on the router?

    If not, you will have to forward port 80 (for HTTP) and other ports that you may need to use to your server's LAN address.

  3. #3
    Join Date
    May 2013
    Beans
    10

    Re: Can't seem to access OpenVPN AS remotely

    I am forwarding the HTTPS port so I can connect to and access the VPN site. However, I'd like to keep HTTP private, and only accessible to VPN. Is there a way to do that?

  4. #4
    Join Date
    Nov 2008
    Location
    Los Angeles
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Can't seem to access OpenVPN AS remotely

    Quote Originally Posted by japtar View Post
    I am forwarding the HTTPS port so I can connect to and access the VPN site. However, I'd like to keep HTTP private, and only accessible to VPN. Is there a way to do that?
    Assuming openvpn and the http server are on the same computer:
    1. OpenVPN must be started before the webserver
    2. Make sure that apache2 is listening on all IPs, and is not bound to a single IP.
    3. Forward the OpenVPN ports (normally 1194 UDP)
    4. If you used the default openVPN configuration, the site will be accessible at 10.8.0.1 when you are connected to the VPN


    Few things you may need:
    Code:
    netstat -l
    will show what IPs apache2 is listening on. There should be a 0.0.0.0:80

  5. #5
    Join Date
    May 2013
    Beans
    10

    Re: Can't seem to access OpenVPN AS remotely

    Quote Originally Posted by sandyd View Post
    Assuming openvpn and the http server are on the same computer:
    1. OpenVPN must be started before the webserver
    2. Make sure that apache2 is listening on all IPs, and is not bound to a single IP.
    3. Forward the OpenVPN ports (normally 1194 UDP)
    4. If you used the default openVPN configuration, the site will be accessible at 10.8.0.1 when you are connected to the VPN


    Few things you may need:
    Code:
    netstat -l
    will show what IPs apache2 is listening on. There should be a 0.0.0.0:80
    I've attempted to stop both services, and start openvpnas and apache2 in that order. Furthermore, I've set up the router to forward 1194 UDP. Still, https://10.8.0.1 is not accessible, nor does apache2 appear in the netstat list. The latter is weird since I can still access the HTTPS site openvpnas creates through my DynDNS URL.
    Code:
    $ sudo netstat -l
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 *:943                   *:*                     LISTEN
    tcp        0      0 *:914                   *:*                     LISTEN
    tcp        0      0 *:915                   *:*                     LISTEN
    tcp        0      0 *:ssh                   *:*                     LISTEN
    tcp        0      0 localhost:904           *:*                     LISTEN
    tcp        0      0 localhost:905           *:*                     LISTEN
    tcp        0      0 localhost:906           *:*                     LISTEN
    tcp        0      0 localhost:mysql         *:*                     LISTEN
    tcp        0      0 localhost:907           *:*                     LISTEN
    tcp        0      0 localhost:908           *:*                     LISTEN
    tcp        0      0 localhost:909           *:*                     LISTEN
    tcp6       0      0 [::]:http               [::]:*                  LISTEN
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
    tcp6       0      0 [::]:microsoft-ds       [::]:*                  LISTEN
    tcp6       0      0 [::]:netbios-ssn        [::]:*                  LISTEN
    udp        0      0 192.168.1.25:netbios-ns *:*
    udp        0      0 Kyoto.home:netbios-ns   *:*
    udp        0      0 *:netbios-ns            *:*
    udp        0      0 192.168.1.2:netbios-dgm *:*
    udp        0      0 Kyoto.home:netbios-dgm  *:*
    udp        0      0 *:netbios-dgm           *:*
    udp        0      0 *:916                   *:*
    udp        0      0 *:917                   *:*
    udp        0      0 *:bootpc                *:*
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node   Path
    unix  2      [ ACC ]     STREAM     LISTENING     12620    /usr/local/openvpn_as/etc/sock/sagent
    unix  2      [ ACC ]     STREAM     LISTENING     9472     /var/run/dbus/system_bus_socket
    unix  2      [ ACC ]     STREAM     LISTENING     12623    /usr/local/openvpn_as/etc/sock/sagent.localroot
    unix  2      [ ACC ]     STREAM     LISTENING     12624    /usr/local/openvpn_as/etc/sock/sagent.api
    unix  2      [ ACC ]     STREAM     LISTENING     10242    /var/run/php5-fpm.soc
    unix  2      [ ACC ]     STREAM     LISTENING     8975     /var/run/mysqld/mysqld.sock
    unix  2      [ ACC ]     STREAM     LISTENING     10012    /var/run/acpid.socket
    unix  2      [ ACC ]     STREAM     LISTENING     6765     @/com/ubuntu/mountall/server/
    unix  2      [ ACC ]     STREAM     LISTENING     10197    /tmp/memcached.sock
    unix  2      [ ACC ]     STREAM     LISTENING     6746     @/com/ubuntu/upstart
    unix  2      [ ACC ]     STREAM     LISTENING     10298    /var/run/samba/winbindd_privileged/pipe
    unix  2      [ ACC ]     STREAM     LISTENING     8773     /var/run/samba/unexpected
    unix  2      [ ACC ]     STREAM     LISTENING     10297    /tmp/.winbindd/pipe
    unix  2      [ ACC ]     SEQPACKET  LISTENING     6853     /run/udev/control

  6. #6
    Join Date
    Nov 2009
    Location
    Segur De Calafell, Spain
    Beans
    11,660
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Can't seem to access OpenVPN AS remotely

    What is the difference between openvpn and openvpnas? There might be differences in the configuration, something you missed...

    On the server, can you see the tun0 interface established if you run:
    ifconfig

    Also, it might be better to see all listening services with:
    sudo netstat -plunt
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 12.04 LTS 64bit & Windows 7 Ultimate 64bit

  7. #7
    Join Date
    May 2013
    Beans
    10

    Re: Can't seem to access OpenVPN AS remotely

    Quote Originally Posted by darkod View Post
    What is the difference between openvpn and openvpnas? There might be differences in the configuration, something you missed...

    On the server, can you see the tun0 interface established if you run:
    ifconfig

    Also, it might be better to see all listening services with:
    sudo netstat -plunt
    OpenVPN Access Server is basically OpenVPN with a web interface for admin-related things. I'm using it after seeing my colleague install it on Windows (with a VM), where it seemingly worked with few modifications.

    Anyway, for ifconfig, do you mean while a client is (attempting to) connect to the server? Here's what it looks like when there isn't any client connecting to the server:
    Code:
    $ ifconfig
    as0t0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:5.5.0.1  P-t-P:5.5.0.1  Mask:255.255.252.0
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:200
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    
    as0t1     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:5.5.4.1  P-t-P:5.5.4.1  Mask:255.255.252.0
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:200
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    
    as0t2     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:5.5.8.1  P-t-P:5.5.8.1  Mask:255.255.252.0
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:200
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    
    as0t3     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:5.5.12.1  P-t-P:5.5.12.1  Mask:255.255.252.0
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:200
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    
    
    eth0      Link encap:Ethernet  HWaddr 00:15:58:2d:dd:8d
              inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fd00::215:58ff:fe2d:dd8d/64 Scope:Global
              inet6 addr: fe80::215:58ff:fe2d:dd8d/64 Scope:Link
              inet6 addr: fd00::b4f9:ee55:f675:8298/64 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:11315 errors:0 dropped:0 overruns:0 frame:0
              TX packets:4669 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1394147 (1.3 MB)  TX bytes:959464 (959.4 KB)
              Interrupt:16 Memory:ee000000-ee020000
    
    
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:616 errors:0 dropped:0 overruns:0 frame:0
              TX packets:616 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:493975 (493.9 KB)  TX bytes:493975 (493.9 KB)
    Likewise, netstat when no client is connecting to the server.

    Code:
    $ sudo netstat -plunt
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:943             0.0.0.0:*               LISTEN      1942/python
    tcp        0      0 0.0.0.0:914             0.0.0.0:*               LISTEN      1954/openvpn
    tcp        0      0 0.0.0.0:915             0.0.0.0:*               LISTEN      1961/openvpn
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1058/sshd
    tcp        0      0 127.0.0.1:904           0.0.0.0:*               LISTEN      1942/python
    tcp        0      0 127.0.0.1:905           0.0.0.0:*               LISTEN      1942/python
    tcp        0      0 127.0.0.1:906           0.0.0.0:*               LISTEN      1942/python
    tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1174/mysqld
    tcp        0      0 127.0.0.1:907           0.0.0.0:*               LISTEN      1942/python
    tcp        0      0 127.0.0.1:908           0.0.0.0:*               LISTEN      1942/python
    tcp        0      0 127.0.0.1:909           0.0.0.0:*               LISTEN      1942/python
    tcp6       0      0 :::80                   :::*                    LISTEN      1997/apache2
    tcp6       0      0 :::22                   :::*                    LISTEN      1058/sshd
    tcp6       0      0 :::445                  :::*                    LISTEN      870/smbd
    tcp6       0      0 :::139                  :::*                    LISTEN      870/smbd
    udp        0      0 192.168.1.255:137       0.0.0.0:*                           1004/nmbd
    udp        0      0 192.168.1.100:137       0.0.0.0:*                           1004/nmbd
    udp        0      0 0.0.0.0:137             0.0.0.0:*                           1004/nmbd
    udp        0      0 192.168.1.255:138       0.0.0.0:*                           1004/nmbd
    udp        0      0 192.168.1.100:138       0.0.0.0:*                           1004/nmbd
    udp        0      0 0.0.0.0:138             0.0.0.0:*                           1004/nmbd
    udp        0      0 0.0.0.0:916             0.0.0.0:*                           1968/openvpn
    udp        0      0 0.0.0.0:917             0.0.0.0:*                           1974/openvpn
    udp        0      0 0.0.0.0:68              0.0.0.0:*                           942/dhclient3

  8. #8
    Join Date
    Nov 2008
    Location
    Los Angeles
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Can't seem to access OpenVPN AS remotely

    From openvpnas FAQ - ports that should be open
    Short answer: TCP 443, TCP 943, UDP 1194

    Long answer: By default OpenVPN Access Server has 2 OpenVPN daemons running. One of them on UDP port 1194 and another on TCP 443. We recommend that you use the UDP port because this functions better for an OpenVPN tunnel. However, many public locations block all sorts of ports except very common ones like http, https, ftp, pop3, and so on. Therefore we also have TCP 443 as an option. TCP port 443 is the default port for https:// (SSL) traffic and so this is usually allowed through at the user’s location.

    TCP port 943 is the port where the web server interface is listening by default. You can either approach this directly using a URL like https://yourserverhostnamehere:943/ or by approaching it through the standard https:// port TCP 443, since the OpenVPN daemon will automatically internally route browser traffic to TCP 943 by default. (https://yourserverhostnamehere/).

  9. #9
    Join Date
    Nov 2009
    Location
    Segur De Calafell, Spain
    Beans
    11,660
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Can't seem to access OpenVPN AS remotely

    That FAQ says UDP port 1194 but your netstat shows the openvpn service listening on tcp/914, tcp/915, udp/916 and udp/917. Did you modify this during installation? If you did, is the client trying to connect to the correct ports or trying the default udp/1194? If the client is trying udp/1194 it will never connect.

    Also, the default vpn server IP for openvpn is 10.8.0.1 but your ifconfig shows something like 5.5.0.1 and other addresses/tunnels. With OpenVPN you get a single tun0 tunnel, there is no need for more. Not sure why you have multiple as0tN tunnels.

    Make sure your firewall is allowing the ports you are using for the service, and the client is connecting to the correct ports.

    But in general, I would say drop the program and use plain standard OpenVPN without the GUI. I understand many people want to depend on a GUI but that is one more security risk. Imagine if someone takes over your VPN GUI?

    I just recently installed openvpn server for a friend and it was really easy, piece of cake. It simply works. I don't know if this AS version is making things more complicated, or you changed the ports and are not using the correct ones in the client, or your firewall is blocking you...

    It looks like installing the AS version was supposed to be the easier way but it turned out more complicated. I would still not leave a GUI on a VPN especially if you are not limiting the access by IP. Any brute force attack can break in.
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 12.04 LTS 64bit & Windows 7 Ultimate 64bit
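
The comparison made in post #9 (FAQ ports versus what `netstat -plunt` actually shows), together with the "is apache2 listening on all IPs" check from post #4, as an added example that is not part of the thread. The sample lines are a subset of the output posted in #7; the function names are hypothetical, and `accepts_ipv4` assumes the Linux default `net.ipv6.bindv6only = 0`.

```python
import re

# Constructed sample: a subset of the `sudo netstat -plunt` lines posted in #7.
SAMPLE = """\
tcp        0      0 0.0.0.0:943             0.0.0.0:*               LISTEN      1942/python
tcp        0      0 0.0.0.0:914             0.0.0.0:*               LISTEN      1954/openvpn
tcp        0      0 0.0.0.0:915             0.0.0.0:*               LISTEN      1961/openvpn
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1174/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1997/apache2
udp        0      0 192.168.1.100:137       0.0.0.0:*                           1004/nmbd
udp        0      0 0.0.0.0:916             0.0.0.0:*                           1968/openvpn
udp        0      0 0.0.0.0:917             0.0.0.0:*                           1974/openvpn
"""

# Ports the Access Server FAQ quoted in #8 says should be open.
FAQ_PORTS = [("tcp", 443), ("tcp", 943), ("udp", 1194)]

LINE = re.compile(
    r"^(tcp|udp)(6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+"
    r"(?:LISTEN\s+)?(\d+)/(\S+)")

def parse(text):
    """Return one dict per listening socket in `netstat -plunt` output."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header or unrelated line
        proto, v6, addr, port, _pid, prog = m.groups()
        if addr in ("0.0.0.0", "::"):
            scope = "all-interfaces"
        elif addr.startswith("127.") or addr == "::1":
            scope = "loopback"
        else:
            scope = "single-address"
        out.append({"proto": proto, "v6": bool(v6), "addr": addr,
                    "port": int(port), "scope": scope, "prog": prog})
    return out

def missing_ports(listeners, expected=FAQ_PORTS):
    """Expected (proto, port) pairs that have no listening socket."""
    have = {(l["proto"], l["port"]) for l in listeners}
    return [p for p in expected if p not in have]

def ports_of(listeners, prog):
    """Sorted (proto, port) pairs a given program is listening on."""
    return sorted((l["proto"], l["port"]) for l in listeners if l["prog"] == prog)

def accepts_ipv4(listener):
    # Assumption: net.ipv6.bindv6only = 0, so a tcp6 wildcard (`:::80`)
    # socket also accepts IPv4 connections; a specific IPv6 address does not.
    return (not listener["v6"]) or listener["addr"] == "::"

if __name__ == "__main__":
    ls = parse(SAMPLE)
    print("FAQ ports with no listener:", missing_ports(ls))
    print("openvpn is listening on:   ", ports_of(ls, "openvpn"))
    for l in (x for x in ls if x["scope"] == "all-interfaces"):
        print(f'{l["prog"]:8} {l["proto"]}/{l["port"]} on every interface, IPv4: {accepts_ipv4(l)}')
```

netstat lists sockets only, so a port reported as missing here can still be served if a firewall rule redirects it to another local port. A listener with scope `all-interfaces` is reachable from the LAN as well as from the VPN unless a firewall restricts it.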

  10. #10
    Join Date
    May 2013
    Beans
    10

    Re: Can't seem to access OpenVPN AS remotely

    Quote Originally Posted by darkod View Post
    That FAQ says UDP port 1194 but your netstat shows the openvpn service listening on tcp/914, tcp/915, udp/916 and udp/917. Did you modify this during installation? If you did, is the client trying to connect to the correct ports or trying the default udp/1194? If the client is trying udp/1194 it will never connect.

    Also, the default vpn server IP for openvpn is 10.8.0.1 but your ifconfig shows something like 5.5.0.1 and other addresses/tunnels. With OpenVPN you get a single tun0 tunnel, there is no need for more. Not sure why you have multiple as0tN tunnels.

    Make sure your firewall is allowing the ports you are using for the service, and the client is connecting to the correct ports.

    But in general, I would say drop the program and use plain standard OpenVPN without the GUI. I understand many people want to depend on a GUI but that is one more security risk. Imagine if someone takes over your VPN GUI?

    I just recently installed openvpn server for a friend and it was really easy, piece of cake. It simply works. I don't know if this AS version is making things more complicated, or you changed the ports and are not using the correct ones in the client, or your firewall is blocking you...

    It looks like installing the AS version was supposed to be the easier way but it turned out more complicated. I would still not leave a GUI on a VPN especially if you are not limiting the access by IP. Any brute force attack can break in.
    To all of your questions, and to be completely honest... I don't know. I've been trying to set up LDAP (Edit: whoops, I meant PPTP, not LDAP!), OpenVPN, and OpenVPN AS with no luck on this server. I may have changed settings I do not recognize while going through numerous online How-Tos.

    I'm no IT person, but my needs were simple: create a private version control server. I'm half-way there. The server works wonders in the internal network. I just need to make it work externally via private access like VPN (if there are other options, do mention it!).
    Last edited by japtar; May 6th, 2013 at 02:57 AM.
