Basic failure in ruleset

jasonhirsh said:
I have managed to hose the configuration and I am pretty much back at ground zero.

Sorry, does that mean it works or not? Because it sounds like it doesn't... :)

Did you edit your thread? I did check this thread during my office hours and I saw a more detailed configuration. As I didn't have time to check it then, I'm checking it now. But I don't see it now.
 
A combination of messing something up in my configuration and being hit by a car has sidetracked me.
Server openvpn.log
Code:
OpenVPN CLIENT LIST
Updated,Wed May 22 13:42:25 2013
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
tuna.theoceanwindow-bv.com,10.0.1.100:52416,8222,9523,Wed May 22 13:37:12 2013
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
172.168.0.6,tuna.theoceanwindow-bv.com,10.0.1.100:52416,Wed May 22 13:37:12 2013
GLOBAL STATS
Max bcast/mcast queue length,0
END

The host box (acting as a client)
openvpn.log
Code:
2013-05-22 17:45:39 *Tunnelblick: OS X 10.6.8; Tunnelblick 3.2.9 (build 2891.3328)
2013-05-22 17:45:39 *Tunnelblick: Attempting connection with tuna test copy; Set nameserver = 3; monitoring connection
2013-05-22 17:45:39 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start tuna\ test\ copy.conf 1338 3 0 0 0 49 -atDASNGWrdasngw 
2013-05-22 17:45:39 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --cd /Users/jason/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1338 --config /Users/jason/Library/Application Support/Tunnelblick/Configurations/tuna test copy.conf --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Sjason-SLibrary-SApplication Support-STunnelblick-SConfigurations-Stuna test copy.conf.3_0_0_0_49.1338.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw --plugin /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn-down-root.so /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atDASNGWrdasngw --up-restart
2013-05-22 17:45:40 *Tunnelblick: openvpnstart message: Loading tun.kext
2013-05-22 17:45:40 *Tunnelblick: Established communication with OpenVPN
2013-05-22 17:45:40 us=74409 Current Parameter Settings:
2013-05-22 17:45:40 us=74605   config = '/Users/jason/Library/Application Support/Tunnelblick/Configurations/tuna test copy.conf'
2013-05-22 17:45:40 us=74616   mode = 0
2013-05-22 17:45:40 us=74623   show_ciphers = DISABLED
2013-05-22 17:45:40 us=74630   show_digests = DISABLED
2013-05-22 17:45:40 us=74637 NOTE: --mute triggered...
2013-05-22 17:45:40 us=74659 256 variation(s) on previous 5 message(s) suppressed by --mute
2013-05-22 17:45:40 us=74669 OpenVPN 2.2.1 i386-apple-darwin10.8.0 [SSL] [LZO2] [PKCS11] [eurephia] built on May 14 2013
2013-05-22 17:45:40 us=74759 MANAGEMENT: TCP Socket listening on 127.0.0.1:1338
2013-05-22 17:45:40 us=76972 Need hold release from management interface, waiting...
2013-05-22 17:45:40 us=188184 MANAGEMENT: Client connected from 127.0.0.1:1338
2013-05-22 17:45:40 us=192958 MANAGEMENT: CMD 'pid'
2013-05-22 17:45:40 us=193014 MANAGEMENT: CMD 'state on'
2013-05-22 17:45:40 us=193051 MANAGEMENT: CMD 'state'
2013-05-22 17:45:40 us=193099 MANAGEMENT: CMD 'hold release'
2013-05-22 17:45:40 us=193277 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2013-05-22 17:45:40 us=193313 PLUGIN_INIT: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn-down-root.so '[/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn-down-root.so] [/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh] [-m] [-w] [-d] [-atDASNGWrdasngw]' intercepted=PLUGIN_UP|PLUGIN_DOWN 
2013-05-22 17:45:40 us=193977 WARNING: file './keys/tuna/megacore.key' is group or others accessible
2013-05-22 17:45:40 us=194625 WARNING: file './keys/tuna/ta.key' is group or others accessible
2013-05-22 17:45:40 us=194639 Control Channel Authentication: using './keys/tuna/ta.key' as a OpenVPN static key file
2013-05-22 17:45:40 us=194655 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2013-05-22 17:45:40 us=194666 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2013-05-22 17:45:40 us=194698 LZO compression initialized
2013-05-22 17:45:40 us=194774 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
2013-05-22 17:45:40 us=194827 Socket Buffers: R=[42080->65536] S=[9216->65536]
2013-05-22 17:45:40 us=194843 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2013-05-22 17:45:40 us=194866 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
2013-05-22 17:45:40 us=194875 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
2013-05-22 17:45:40 us=194893 Local Options hash (VER=V4): '504e774e'
2013-05-22 17:45:40 us=194906 Expected Remote Options hash (VER=V4): '14168603'
2013-05-22 17:45:40 us=194918 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2013-05-22 17:45:40 us=194932 UDPv4 link local: [undef]
2013-05-22 17:45:40 us=194943 UDPv4 link remote: 10.0.1.195:1194
2013-05-22 17:45:40 us=194975 MANAGEMENT: >STATE:1369259140,WAIT,,,
2013-05-22 17:45:40 us=195029 UDPv4 WRITE [42] to 10.0.1.195:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
2013-05-22 17:45:40 us=197543 UDPv4 READ [54] from 10.0.1.195:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
2013-05-22 17:45:40 us=197572 MANAGEMENT: >STATE:1369259140,AUTH,,,
2013-05-22 17:45:40 us=197588 TLS: Initial packet from 10.0.1.195:1194, sid=3d3a24cd 8d166cc8
2013-05-22 17:45:40 us=197640 UDPv4 WRITE [50] to 10.0.1.195:1194: P_ACK_V1 kid=0 pid=[ #2 ] [ 0 ]
2013-05-22 17:45:40 us=197760 UDPv4 WRITE [142] to 10.0.1.195:1194: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=1 DATA len=100
2013-05-22 17:45:40 us=197859 UDPv4 WRITE [142] to 10.0.1.195:1194: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=2 DATA len=100
2013-05-22 17:45:40 us=197904 UDPv4 WRITE [53] to 10.0.1.195:1194: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=3 DATA len=11
2013-05-22 17:45:40 us=199703 UDPv4 READ [50] from 10.0.1.195:1194: P_ACK_V1 kid=0 pid=[ #2 ] [ 1 ]
2013-05-22 17:45:40 us=200933 NOTE: --mute triggered...
2013-05-22 17:45:40 us=273192 44 variation(s) on previous 5 message(s) suppressed by --mute
2013-05-22 17:45:40 us=273224 VERIFY OK: depth=1, /C=US/ST=NJ/L=CAPE_MAY/O=Amalgamated_Hysteria/OU=CA/CN=tuna.theoceanwindow-bv.com/emailAddress=admin@theoceanwindow-bv.com
2013-05-22 17:45:40 us=273448 VERIFY OK: nsCertType=SERVER
2013-05-22 17:45:40 us=273462 VERIFY OK: depth=0, /C=US/ST=NJ/O=Amalgamated_Hysteria/OU=Main_Server/CN=tuna.theoceanwindow-bv.com/emailAddress=admin@theoceanwindow-bv.com
2013-05-22 17:45:40 us=273504 UDPv4 WRITE [50] to 10.0.1.195:1194: P_ACK_V1 kid=0 pid=[ #27 ] [ 22 ]
2013-05-22 17:45:40 us=273560 UDPv4 READ [142] from 10.0.1.195:1194: P_CONTROL_V1 kid=0 pid=[ #26 ] [ ] pid=23 DATA len=100
2013-05-22 17:45:40 us=273600 UDPv4 WRITE [50] to 10.0.1.195:1194: P_ACK_V1 kid=0 pid=[ #28 ] [ 23 ]
2013-05-22 17:45:40 us=274930 UDPv4 READ [142] from 10.0.1.195:1194: P_CONTROL_V1 kid=0 pid=[ #27 ] [ ] pid=24 DATA len=100
2013-05-22 17:45:40 us=274981 UDPv4 WRITE [50] to 10.0.1.195:1194: P_ACK_V1 kid=0 pid=[ #29 ] [ 24 ]
2013-05-22 17:45:40 us=276355 NOTE: --mute triggered...
2013-05-22 17:45:40 us=455226 91 variation(s) on previous 5 message(s) suppressed by --mute
2013-05-22 17:45:40 us=455263 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
2013-05-22 17:45:40 us=455276 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2013-05-22 17:45:40 us=455329 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
2013-05-22 17:45:40 us=455340 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
2013-05-22 17:45:40 us=455376 UDPv4 WRITE [50] to 10.0.1.195:1194: P_ACK_V1 kid=0 pid=[ #75 ] [ 44 ]
2013-05-22 17:45:40 us=455410 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
2013-05-22 17:45:40 us=455436 [tuna.theoceanwindow-bv.com] Peer Connection Initiated with 10.0.1.195:1194
2013-05-22 17:45:41 us=663312 MANAGEMENT: >STATE:1369259141,GET_CONFIG,,,
2013-05-22 17:45:42 us=871386 SENT CONTROL [tuna.theoceanwindow-bv.com]: 'PUSH_REQUEST' (status=1)
2013-05-22 17:45:42 us=871471 UDPv4 WRITE [132] to 10.0.1.195:1194: P_CONTROL_V1 kid=0 pid=[ #76 ] [ ] pid=32 DATA len=90
2013-05-22 17:45:42 us=873247 UDPv4 READ [50] from 10.0.1.195:1194: P_ACK_V1 kid=0 pid=[ #74 ] [ 32 ]
2013-05-22 17:45:42 us=873901 UDPv4 READ [142] from 10.0.1.195:1194: P_CONTROL_V1 kid=0 pid=[ #75 ] [ ] pid=45 DATA len=100
2013-05-22 17:45:42 us=873948 UDPv4 WRITE [50] to 10.0.1.195:1194: P_ACK_V1 kid=0 pid=[ #77 ] [ 45 ]
2013-05-22 17:45:42 us=874760 UDPv4 READ [112] from 10.0.1.195:1194: P_CONTROL_V1 kid=0 pid=[ #76 ] [ ] pid=46 DATA len=70
2013-05-22 17:45:42 us=874811 PUSH: Received control message: 'PUSH_REPLY,route 172.168.0.0 255.255.255.0,route 172.168.0.1,topology net30,ping 10,ping-restart 120,ifconfig 172.168.0.6 172.168.0.5'
2013-05-22 17:45:42 us=874875 OPTIONS IMPORT: timers and/or timeouts modified
2013-05-22 17:45:42 us=874887 OPTIONS IMPORT: --ifconfig/up options modified
2013-05-22 17:45:42 us=874895 OPTIONS IMPORT: route options modified
2013-05-22 17:45:42 us=875043 ROUTE default_gateway=10.0.1.1
2013-05-22 17:45:42 us=875182 TUN/TAP device /dev/tun0 opened
2013-05-22 17:45:42 us=875201 MANAGEMENT: >STATE:1369259142,ASSIGN_IP,,172.168.0.6,
2013-05-22 17:45:42 us=875222 /sbin/ifconfig tun0 delete
2013-05-22 17:45:42 us=876970 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2013-05-22 17:45:42 us=877046 /sbin/ifconfig tun0 172.168.0.6 172.168.0.5 mtu 1500 netmask 255.255.255.255 up
2013-05-22 17:45:42 us=879522 PLUGIN_CALL: POST /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn-down-root.so/PLUGIN_UP status=0
2013-05-22 17:45:42 us=879581 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atDASNGWrdasngw tun0 1500 1542 172.168.0.6 172.168.0.5 init
2013-05-22 17:45:44 us=911277 MANAGEMENT: >STATE:1369259144,ADD_ROUTES,,,
2013-05-22 17:45:44 us=911397 /sbin/route add -net 172.168.0.0 172.168.0.5 255.255.255.0
                                        add net 172.168.0.0: gateway 172.168.0.5
2013-05-22 17:45:44 us=912821 /sbin/route add -net 172.168.0.1 172.168.0.5 255.255.255.255
                                        add net 172.168.0.1: gateway 172.168.0.5
2013-05-22 17:45:44 us=914588 GID set to nobody
2013-05-22 17:45:44 us=914635 UID set to nobody
2013-05-22 17:45:44 us=914647 Initialization Sequence Completed
2013-05-22 17:45:44 us=914666 MANAGEMENT: >STATE:1369259144,CONNECTED,SUCCESS,172.168.0.6,10.0.1.195
2013-05-22 17:45:44 us=914726 UDPv4 WRITE [50] to 10.0.1.195:1194: P_ACK_V1 kid=0 pid=[ #78 ] [ 46 ]
2013-05-22 17:45:44 *Tunnelblick client.up.tunnelblick.sh: No network configuration changes need to be made.
2013-05-22 17:45:44 *Tunnelblick client.up.tunnelblick.sh: Will NOT monitor for other network configuration changes.
2013-05-22 17:45:45 *Tunnelblick: Flushed the DNS cache
2013-05-22 17:45:53 us=84952 UDPv4 READ [53] from 10.0.1.195:1194: P_DATA_V1 kid=0 DATA len=52
2013-05-22 17:45:54 us=127116 UDPv4 WRITE [53] to 10.0.1.195:1194: P_DATA_V1 kid=0 DATA len=52
2013-05-22 17:46:03 us=325119 UDPv4 READ [53] from 10.0.1.195:1194: P_DATA_V1 kid=0 DATA len=52
2013-05-22 17:46:04 us=421918 UDPv4 WRITE [53] to 10.0.1.195:1194: P_DATA_V1 kid=0 DATA len=52
 
pf.conf
Code:
tcp_pass = "{ 20 21 22 25 53 80 81 8010 110 137 138 139 443 445 465 587 993}"
udp_pass = "{ 137 138 139 465 587 1194}"
vpn_if   = "tun0"
vpn_net  = "172.168.0.0/24"
ext_if   = "em1"
icmp_types = "echoreq"
ip_addr  = "10.0.1.195"
openvpn_port   = "1194"
vpn_server = "172.168.0.2"

# --- SCRUB section ---
scrub in all

# --- NAT  rules -------------
#nat pass on em1 from $vpn_net to any -> $ip_addr
nat on em1 from $vpn_net to any -> $ext_if
pass in quick proto {tcp,udp} to $ip_addr port $openvpn_port keep state
pass in quick from $vpn_net to any   # I do have block in


# ------------------ FILTER RULES -------------------
# --- OUTGOING
pass out quick on em1 inet proto tcp to any port $tcp_pass
pass out quick on em1 inet proto udp to any port $udp_pass
pass out quick on em1 inet from any to any keep state
pass out quick from $ip_addr  to $vpn_net
# --- INCOMING
pass in quick on em1 inet proto udp to any port $udp_pass
pass in quick on em1 inet proto tcp to any port $tcp_pass
pass in quick on $vpn_if inet proto icmp all icmp-type $icmp_types
pass in quick from  $vpn_net to $ip_addr
# --- pass incoming openvpn connections to the internal openvpn server ---
#pass in quick on em1 inet proto { tcp udp } from any to $vpn_server

# --- antispoof protection ---
antispoof quick for em1 inet

# --- default policy
#block log all

# --- end of pf rule set

With these in place I can ping and ssh to the guest server at the 10.0.1.195 address from the host box at 10.0.1.100.

From the guest server I can ping the VPN server address, but I cannot ping the address that ifconfig says has been assigned to tun0 on the host/client by the VPN.
 
Note you can't ping both IP addresses which make up the tunnel. If I didn't make a mistake reading your client's log, you can't ping 172.168.0.5.

For example, I have a Windows 7 client and a FreeBSD server. On the server I have:

# ifconfig tun0|grep inet\
Code:
inet 192.168.254.1 --> 192.168.254.2 netmask 0xffffffff

On the Windows client I have:

C:\> netsh interface ip show addresses OpenVPN
Code:
Configuration for interface "OpenVPN"
    DHCP enabled:                         Yes
    IP Address:                           192.168.254.6
    Subnet Prefix:                        192.168.254.4/30 (mask 255.255.255.252)
    Default Gateway:                      192.168.254.5
    Gateway Metric:                       0
    InterfaceMetric:                      30

I'm pushing the whole 192.168.254/24 subnet to clients.
I can ping the endpoint of the client (here 192.168.254.6), but I can't ping 192.168.254.5 from the server.
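To make the point above concrete: in `topology net30` OpenVPN hands each client a /30, and the `ifconfig 172.168.0.6 172.168.0.5` pair pushed in the client log is the client address plus a virtual server-side endpoint that no interface actually carries, which is why the .5 never answers. The script below is an added example (not from the thread); it parses a PUSH_REPLY such as the one logged above (constructed copy inline) and derives the /30 quad so the addresses can be checked.

```python
"""Added example: derive the net30 /30 block from an OpenVPN PUSH_REPLY and
name which of its addresses a client can realistically ping."""
import ipaddress

# Constructed from the PUSH_REPLY line in the client log above.
SAMPLE_PUSH_REPLY = (
    "PUSH_REPLY,route 172.168.0.0 255.255.255.0,route 172.168.0.1,"
    "topology net30,ping 10,ping-restart 120,"
    "ifconfig 172.168.0.6 172.168.0.5"
)


def parse_push_reply(msg):
    """Split a PUSH_REPLY control message into {option: [args, ...]}.
    Options that may repeat (e.g. route) accumulate in a list."""
    if not msg.startswith("PUSH_REPLY"):
        raise ValueError("not a PUSH_REPLY message")
    opts = {}
    for item in msg.split(",")[1:]:
        parts = item.split()
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def net30_block(client_ip):
    """For topology net30 each client owns a /30: network, virtual
    server-side endpoint, client address, broadcast. Only the client
    address is bound to a real interface; the server endpoint is just
    the next hop the client routes through, so it does not reply."""
    ip = ipaddress.IPv4Address(client_ip)
    net = ipaddress.IPv4Network((int(ip) & ~3, 30))
    hosts = list(net.hosts())  # the two usable addresses in a /30
    return {
        "network": str(net.network_address),
        "server_endpoint": str(hosts[0]),
        "client": str(hosts[1]),
        "broadcast": str(net.broadcast_address),
    }


def ifconfig_is_consistent(opts):
    """True when the pushed ifconfig pair is (client, server endpoint)
    of one net30 /30. A mismatch means the server's ifconfig-pool and
    topology settings disagree with what the client was told."""
    client, peer = opts["ifconfig"][0]
    block = net30_block(client)
    return block["client"] == client and block["server_endpoint"] == peer
```

`net30_block("192.168.254.6")` reproduces the `192.168.254.4/30` prefix and `192.168.254.5` gateway shown in the netsh output above.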
 
From the client I can't ping anything using the VPN. From the server I can ping the endpoint. Is this consistent with the tunnel?
 
jasonhirsh said:
From the client I can't ping anything using the VPN.

Hard to tell where the problem is, as you are running the VPN server in a VM which is running on a host acting as the VPN client.
I can only tell you that the rules I mentioned do work.
 
Can you ping across the VPN server using the VPN? I may be looking for something that is unnecessary. If I can tunnel to the Internet and I can access the server by its true IP (10.0.1.195), then maybe I have succeeded and just didn't realize it.
 
When I'm connected to the VPN I can ping 192.168.254.1 from the client. The server can ping the client's OpenVPN IP address (192.168.254.6).
The client has no trouble pinging devices on the internet (traceroute works properly too).
 