Can't seem to access OpenVPN AS remotely
Hello, everyone. I'm using Ubuntu 12.04.2 LTS server to host my site. I've installed OpenVPN AS v1.8.4 for Ubuntu 10. I'm attempting to connect from it with a remote server, but when I do, the client indicates I can connect to it, yet I can't access any of the PHP pages or Fossil repositories using HTTP. The connectivity test result below seems to suggest some sort of connectivity problem as well.
Attachment 242149
I want to know what I can do to debug this problem. I'm currently not sure whether this is due to server configuration or my Verizon Fios router configuration. What can I do to figure this out?
Thanks in advance!
Re: Can't seem to access OpenVPN AS remotely
Hi, have you forwarded any ports/done NAT on the router?
If not, you will have to forward port 80 (for HTTP) and any other ports you may need to use to your server's LAN address.
Re: Can't seem to access OpenVPN AS remotely
I am forwarding the HTTPS port so I can connect to and access the VPN site. However, I'd like to keep HTTP private and only accessible via VPN. Is there a way to do that?
Re: Can't seem to access OpenVPN AS remotely
Quote: Originally Posted by japtar
I am forwarding the HTTPS port so I can connect to and access the VPN site. However, I'd like to keep HTTP private and only accessible via VPN. Is there a way to do that?
Assuming openvpn and the http server are on the same computer:
- OpenVPN must be started before the webserver
- Make sure that apache2 is listening on all IPs, and is not bound to a single IP.
- Forward the OpenVPN ports (normally 1194 UDP)
- If you used the default OpenVPN configuration, the site will be accessible at 10.8.0.1 when you are connected to the VPN
A few things you may need:
will show what IPs apache2 is listening on. There should be a 0.0.0.0:80
Re: Can't seem to access OpenVPN AS remotely
Quote: Originally Posted by sandyd
Assuming openvpn and the http server are on the same computer:
- OpenVPN must be started before the webserver
- Make sure that apache2 is listening on all IPs, and is not bound to a single IP.
- Forward the OpenVPN ports (normally 1194 UDP)
- If you used the default OpenVPN configuration, the site will be accessible at 10.8.0.1 when you are connected to the VPN
A few things you may need:
will show what IPs apache2 is listening on. There should be a 0.0.0.0:80
I've attempted to stop both services and start openvpnas and apache2 in that order. Furthermore, I've set up the router to forward 1194 UDP. Still, https://10.8.0.1 is not accessible, nor does apache2 appear in the netstat list. The latter is weird, since I can still access the HTTPS site openvpnas creates through my DynDNS URL.
Code:
$ sudo netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:943 *:* LISTEN
tcp 0 0 *:914 *:* LISTEN
tcp 0 0 *:915 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:904 *:* LISTEN
tcp 0 0 localhost:905 *:* LISTEN
tcp 0 0 localhost:906 *:* LISTEN
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 localhost:907 *:* LISTEN
tcp 0 0 localhost:908 *:* LISTEN
tcp 0 0 localhost:909 *:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:microsoft-ds [::]:* LISTEN
tcp6 0 0 [::]:netbios-ssn [::]:* LISTEN
udp 0 0 192.168.1.25:netbios-ns *:*
udp 0 0 Kyoto.home:netbios-ns *:*
udp 0 0 *:netbios-ns *:*
udp 0 0 192.168.1.2:netbios-dgm *:*
udp 0 0 Kyoto.home:netbios-dgm *:*
udp 0 0 *:netbios-dgm *:*
udp 0 0 *:916 *:*
udp 0 0 *:917 *:*
udp 0 0 *:bootpc *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 12620 /usr/local/openvpn_as/etc/sock/sagent
unix 2 [ ACC ] STREAM LISTENING 9472 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 12623 /usr/local/openvpn_as/etc/sock/sagent.localroot
unix 2 [ ACC ] STREAM LISTENING 12624 /usr/local/openvpn_as/etc/sock/sagent.api
unix 2 [ ACC ] STREAM LISTENING 10242 /var/run/php5-fpm.soc
unix 2 [ ACC ] STREAM LISTENING 8975 /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 10012 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 6765 @/com/ubuntu/mountall/server/
unix 2 [ ACC ] STREAM LISTENING 10197 /tmp/memcached.sock
unix 2 [ ACC ] STREAM LISTENING 6746 @/com/ubuntu/upstart
unix 2 [ ACC ] STREAM LISTENING 10298 /var/run/samba/winbindd_privileged/pipe
unix 2 [ ACC ] STREAM LISTENING 8773 /var/run/samba/unexpected
unix 2 [ ACC ] STREAM LISTENING 10297 /tmp/.winbindd/pipe
unix 2 [ ACC ] SEQPACKET LISTENING 6853 /run/udev/control
Re: Can't seem to access OpenVPN AS remotely
What is the difference between openvpn and openvpnas? There might be differences in the configuration, something you missed...
On the server, can you see the tun0 interface established if you run:
ifconfig
Also, it might be better to see all listening services with:
sudo netstat -plunt
Re: Can't seem to access OpenVPN AS remotely
Quote: Originally Posted by darkod
What is the difference between openvpn and openvpnas? There might be differences in the configuration, something you missed...
On the server, can you see the tun0 interface established if you run:
ifconfig
Also, it might be better to see all listening services with:
sudo netstat -plunt
OpenVPN Access Server is basically OpenVPN with a web interface for admin-related things. I'm using it after seeing my colleague install it on Windows (in a VM), where it worked seemingly with little modification.
Anyway, for ifconfig, do you mean while a client is (attempting to) connect to the server? Here's what it looks like when there isn't any client connecting to the server:
Code:
$ ifconfig
as0t0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:5.5.0.1 P-t-P:5.5.0.1 Mask:255.255.252.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:200
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
as0t1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:5.5.4.1 P-t-P:5.5.4.1 Mask:255.255.252.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:200
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
as0t2 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:5.5.8.1 P-t-P:5.5.8.1 Mask:255.255.252.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:200
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
as0t3 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:5.5.12.1 P-t-P:5.5.12.1 Mask:255.255.252.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:200
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth0 Link encap:Ethernet HWaddr 00:15:58:2d:dd:8d
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fd00::215:58ff:fe2d:dd8d/64 Scope:Global
inet6 addr: fe80::215:58ff:fe2d:dd8d/64 Scope:Link
inet6 addr: fd00::b4f9:ee55:f675:8298/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11315 errors:0 dropped:0 overruns:0 frame:0
TX packets:4669 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1394147 (1.3 MB) TX bytes:959464 (959.4 KB)
Interrupt:16 Memory:ee000000-ee020000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:616 errors:0 dropped:0 overruns:0 frame:0
TX packets:616 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:493975 (493.9 KB) TX bytes:493975 (493.9 KB)
Likewise, netstat when no client is connecting to the server:
Code:
$ sudo netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:943 0.0.0.0:* LISTEN 1942/python
tcp 0 0 0.0.0.0:914 0.0.0.0:* LISTEN 1954/openvpn
tcp 0 0 0.0.0.0:915 0.0.0.0:* LISTEN 1961/openvpn
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1058/sshd
tcp 0 0 127.0.0.1:904 0.0.0.0:* LISTEN 1942/python
tcp 0 0 127.0.0.1:905 0.0.0.0:* LISTEN 1942/python
tcp 0 0 127.0.0.1:906 0.0.0.0:* LISTEN 1942/python
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1174/mysqld
tcp 0 0 127.0.0.1:907 0.0.0.0:* LISTEN 1942/python
tcp 0 0 127.0.0.1:908 0.0.0.0:* LISTEN 1942/python
tcp 0 0 127.0.0.1:909 0.0.0.0:* LISTEN 1942/python
tcp6 0 0 :::80 :::* LISTEN 1997/apache2
tcp6 0 0 :::22 :::* LISTEN 1058/sshd
tcp6 0 0 :::445 :::* LISTEN 870/smbd
tcp6 0 0 :::139 :::* LISTEN 870/smbd
udp 0 0 192.168.1.255:137 0.0.0.0:* 1004/nmbd
udp 0 0 192.168.1.100:137 0.0.0.0:* 1004/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 1004/nmbd
udp 0 0 192.168.1.255:138 0.0.0.0:* 1004/nmbd
udp 0 0 192.168.1.100:138 0.0.0.0:* 1004/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 1004/nmbd
udp 0 0 0.0.0.0:916 0.0.0.0:* 1968/openvpn
udp 0 0 0.0.0.0:917 0.0.0.0:* 1974/openvpn
udp 0 0 0.0.0.0:68 0.0.0.0:* 942/dhclient3
Re: Can't seem to access OpenVPN AS remotely
From the OpenVPN AS FAQ - ports that should be open:
Quote:
Short answer: TCP 443, TCP 943, UDP 1194
Long answer: By default OpenVPN Access Server has 2 OpenVPN daemons running. One of them on UDP port 1194 and another on TCP 443. We recommend that you use the UDP port because this functions better for an OpenVPN tunnel. However, many public locations block all sorts of ports except very common ones like http, https, ftp, pop3, and so on. Therefore we also have TCP 443 as an option. TCP port 443 is the default port for https:// (SSL) traffic and so this is usually allowed through at the user’s location.
TCP port 943 is the port where the web server interface is listening by default. You can either approach this directly using a URL like https://yourserverhostnamehere:943/ or by approaching it through the standard https:// port TCP 443, since the OpenVPN daemon will automatically internally route browser traffic to TCP 943 by default (https://yourserverhostnamehere/).
Re: Can't seem to access OpenVPN AS remotely
That FAQ says UDP port 1194 but your netstat shows the openvpn service listening on tcp/914, tcp/915, udp/916 and udp/917. Did you modify this during installation? If you did, is the client trying to connect to the correct ports or trying the default udp/1194? If the client is trying udp/1194 it will never connect.
Also, the default VPN server IP for OpenVPN is 10.8.0.1, but your ifconfig shows something like 5.5.0.1 and other addresses/tunnels. With OpenVPN you get a single tun0 tunnel; there is no need for more. Not sure why you have multiple as0tN tunnels.
Make sure your firewall is allowing the ports you are using for the service, and the client is connecting to the correct ports.
But in general, I would say drop the program and use plain standard OpenVPN without the GUI. I understand many people want to depend on a GUI but that is one more security risk. Imagine if someone takes over your VPN GUI?
I just recently installed an OpenVPN server for a friend and it was really easy, a piece of cake. It simply works. I don't know if this AS version is making things more complicated, or whether you changed the ports and are not using the correct ones in the client, or your firewall is blocking you...
It looks like installing the AS version was supposed to be the easier way, but it turned out more complicated. I would still not leave a GUI on a VPN, especially if you are not limiting the access by IP. Any brute force attack can break in.
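As an added example (not code from anyone in this thread), the following Python script automates the two checks made above: sandyd's "there should be a 0.0.0.0:80 for apache2" and darkod's observation that openvpn is listening on tcp/914, tcp/915, udp/916 and udp/917 rather than the default udp/1194. SAMPLE is a constructed, cut-down copy of the `sudo netstat -plunt` output japtar posted.

```python
import re
from collections import defaultdict

# Constructed sample: a cut-down copy of the `netstat -plunt` output posted above.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:943 0.0.0.0:* LISTEN 1942/python
tcp 0 0 0.0.0.0:914 0.0.0.0:* LISTEN 1954/openvpn
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1174/mysqld
tcp6 0 0 :::80 :::* LISTEN 1997/apache2
udp 0 0 0.0.0.0:916 0.0.0.0:* 1968/openvpn
udp 0 0 0.0.0.0:68 0.0.0.0:* 942/dhclient3
"""

# proto recv-q send-q local:port foreign [LISTEN] pid/program
LINE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)$")

def parse_listeners(text):
    """Return (proto, bind_addr, port, program) for every listening socket."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            proto, addr, port, pidprog = m.groups()
            out.append((proto, addr, int(port), pidprog.split("/", 1)[-1]))
    return out

def scope(addr):
    """'loopback' is local-only; 'wildcard' is every interface (on Linux ':::80' also accepts IPv4 unless bindv6only=1)."""
    if addr in ("127.0.0.1", "::1"):
        return "loopback"
    return "wildcard" if addr in ("0.0.0.0", "::") else "specific"

def exposure_report(text, expected_vpn_port=1194):
    """Check the two points raised in the thread: is apache2 on port 80 bound to
    all interfaces, and is openvpn listening on the port the client will use?"""
    listeners = parse_listeners(text)
    by_prog = defaultdict(list)
    for proto, addr, port, prog in listeners:
        by_prog[prog].append((proto, port, scope(addr)))
    ovpn_ports = sorted(p for _, p, _ in by_prog["openvpn"])
    return {
        "apache_on_all_ifaces": any(p == 80 and s == "wildcard"
                                    for _, p, s in by_prog["apache2"]),
        "openvpn_ports": ovpn_ports,
        "openvpn_on_default_port": expected_vpn_port in ovpn_ports,
        "reachable_beyond_loopback": sorted({prog for _, a, _, prog in listeners
                                             if scope(a) != "loopback"}),
    }
```

Anything listed under reachable_beyond_loopback is reachable from the LAN, and from the Internet as well once the router forwards that port, so that list is what to compare against the ports you actually intend to expose.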
Re: Can't seem to access OpenVPN AS remotely
Quote: Originally Posted by darkod
That FAQ says UDP port 1194 but your netstat shows the openvpn service listening on tcp/914, tcp/915, udp/916 and udp/917. Did you modify this during installation? If you did, is the client trying to connect to the correct ports or trying the default udp/1194? If the client is trying udp/1194 it will never connect.
Also, the default VPN server IP for OpenVPN is 10.8.0.1, but your ifconfig shows something like 5.5.0.1 and other addresses/tunnels. With OpenVPN you get a single tun0 tunnel; there is no need for more. Not sure why you have multiple as0tN tunnels.
Make sure your firewall is allowing the ports you are using for the service, and the client is connecting to the correct ports.
But in general, I would say drop the program and use plain standard OpenVPN without the GUI. I understand many people want to depend on a GUI but that is one more security risk. Imagine if someone takes over your VPN GUI?
I just recently installed an OpenVPN server for a friend and it was really easy, a piece of cake. It simply works. I don't know if this AS version is making things more complicated, or whether you changed the ports and are not using the correct ones in the client, or your firewall is blocking you...
It looks like installing the AS version was supposed to be the easier way, but it turned out more complicated. I would still not leave a GUI on a VPN, especially if you are not limiting the access by IP. Any brute force attack can break in.
To all of your questions, and to be completely honest... I don't know. I've been trying to set up LDAP (Edit: whoops, I meant PPTP, not LDAP!), OpenVPN, and OpenVPN AS with no luck on this server. I may have changed settings I do not recognize while going through numerous online how-tos.
I'm no IT person, but my needs were simple: create a private version control server. I'm halfway there. The server works wonders on the internal network. I just need to make it work externally via private access like a VPN (if there are other options, do mention them!).