[Solved] OpenVPN question

Hello everyone.

I run FreeBSD 10 with 3 jails and would like to know the following:

Do I need to install security/openvpn on all my FreeBSD servers (host + jails), or can I set it up only on the FreeBSD host and let PF do the redirection?

Thank you
Fred
 
Re: OpenVPN question

You only need it on the host and it's in fact easier than trying to get OpenVPN to work inside the jails. You may have to do some scripting with up/down scripts (see OpenVPN documentation) to set up/tear down port forwardings and rules automatically when the tunnel interface is created or destroyed.
 
Re: OpenVPN question

Thank you @kpa
So by installing it only on the host, will the PF firewall redirect all my connections to the other jails on their own ports using OpenVPN?
I have a different SSH port number for each jail.
 
Re: OpenVPN question

Without knowing how you're going to set up the networking in the jails and the VPN tunnel, I can't really give you a better answer yet. Could you describe your setup in more detail?
 
Re: OpenVPN question

Hi @kpa,

Thank you for your reply..

My topology is the following:
Code:
+----------+
|  router  |
+----^-----+
     | 192.168.1.1
     |                               FreeBSD host 192.168.1.192
+----+-----+                       +---------------+
|  switch  +----------------->bce0+| 192.168.1.198 | (dbjail)
+----------+                       | 192.168.1.165 | (wwwjail)
     +                             +---------------+
     |  192.168.0.150
+-----------+
| notebook  |
+-----------+
To clarify though, the router also acts as the gateway switch...

This is my pf.conf file
Code:
### Interfaces ###
#ext_if="bce0"
ext_if="lagg0"

IP_FREEBSD_HOST="192.168.1.192"
IP_WEBJAIL="192.168.1.165"
IP_DBJAIL="192.168.1.198"

HOSTS= "{" $IP_FREEBSD_HOST $IP_WEBJAIL $IP_DBJAIL "}"
ICMP_TYPES="{echoreq,unreach}"

PORT_WEB="{80,443}"
PORT_SSH="{2923,2924}"
#PORT_ZABBIX="{10059}"

### Tables ###
table <workssh> {192.168.1.1/24,216.146.161.254,82.41.44.193}
table <sshguard> persist

# [options]
set skip on lo0

# [normalization]
scrub in all

# [translation]

# [filtering]
pass out all
block in all

# block all IPs from  sshguard-pf blocklist without any further evaluation
block drop in log quick on $ext_if inet from <sshguard> to any

# Allow ssh traffic from authorised IPs only and set Stateful Tracking Options (STO)
pass log on $ext_if inet proto tcp from <workssh> to $HOSTS port $PORT_SSH \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <sshguard> flush global)

# Allow HTTP and HTTPS traffic
pass in quick proto tcp from any to $IP_WEBJAIL port $PORT_WEB

Now the aim is to be able to use OpenVPN for the following reasons:
1 - as an added layer of security for the server
2 - because one of our sites blocks all non-standard ports and changing the rule is apparently a no-go area...

Thank you in advance

Fred
 
Re: OpenVPN question

You won't need any port forwarding to access the jail SSH services since your jails are using addresses from the same subnet as the LAN IP address of the server. All you need to do is to make sure that traffic coming in on the tun(4) interface is allowed to make contact to the jail SSH services by appropriate filter rules.

Here are my up.sh and down.sh for the OpenVPN server I run on my firewall. In this form they allow everything in on the tunnel interface because it's not a big concern in my own usage. You can adapt these by removing the "pass quick on ${dev} all" line and writing rules that allow in only the SSH traffic.

Code:
#!/bin/sh

ANCHOR="openvpn"

/sbin/ifconfig ${dev} inet6 -ifdisabled

/sbin/pfctl -a ${ANCHOR} -F rules
/sbin/pfctl -a ${ANCHOR} -F nat
/sbin/pfctl -a ${ANCHOR} -f - <<EOT
nat on ${OPENVPN_wan} inet from ${dev}:network to any -> (${OPENVPN_wan}:0) port 1024:65535 
pass quick on ${dev} all
pass in quick on ${OPENVPN_wan} inet proto udp from any to (${OPENVPN_wan}) port ${local_port_1}
EOT

down.sh:
Code:
#!/bin/sh

/sbin/pfctl -a openvpn -F rules
/sbin/pfctl -a openvpn -F nat

For this to work a few settings have to be added to the openvpn.conf:

Code:
script-security 2
setenv-safe wan vr0
up /usr/local/etc/openvpn/up.sh
down /usr/local/etc/openvpn/down.sh

The second line causes the OPENVPN_wan variable to be set in the environment of the up.sh and down.sh scripts, so it's possible to write the two scripts without having to hardcode the interfaces in them. You would use bce0 instead of vr0 on your system.

The following must also exist in the PF rules:

Code:
# NAT rules
nat-anchor "openvpn"
...
# RDR rules
rdr-anchor "openvpn"
...
# Filter rules
anchor "openvpn"
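Added example, not kpa's script from the post above and not anything taken from Fred's system: an up.sh that does what kpa suggests, dropping the "pass quick on ${dev} all" line in favour of rules that admit only SSH from VPN clients to the host and jails. The VPN pool, the host and jail addresses and the sshd ports are taken from the configs posted later in this thread and are assumptions for any other system; gen_rules only prints the ruleset, so it can be checked before OpenVPN ever loads it.

```shell
#!/bin/sh
# Added example (not kpa's or Fred's script): an up.sh that replaces the
# blanket "pass quick on ${dev} all" with rules admitting only SSH from VPN
# clients to the host and jails. OpenVPN hands the script ${dev} (e.g. tun0),
# ${local_port_1} (the listening port, as used in kpa's up.sh) and, through
# "setenv-safe wan lagg0" in the server config, ${OPENVPN_wan}.

ANCHOR="openvpn"

# Assumed from the configs in this thread: the "server 192.168.10.0
# 255.255.255.0" pool, the host/jail addresses and the two sshd ports.
VPN_NET="192.168.10.0/24"
SSH_TARGETS="{ 192.168.1.192, 192.168.1.165, 192.168.1.198 }"
SSH_PORTS="{ 2923, 2924 }"

# gen_rules DEV WAN PORT: print the anchor ruleset on stdout.
# The VPN pool is named explicitly instead of "${dev}:network" because a
# point-to-point tun address expands to a single /32 (the thread's
# "pfctl -sn -a openvpn" output shows "from 192.168.10.1", not the pool).
# Order matters: every rule is "quick", and the final block catches all
# other traffic arriving on the tunnel.
gen_rules() {
    cat <<EOT
nat on $2 inet from ${VPN_NET} to any -> ($2:0) port 1024:65535
pass in quick on $2 inet proto udp from any to ($2) port $3
pass in quick on $1 inet proto tcp from ${VPN_NET} to ${SSH_TARGETS} port ${SSH_PORTS} flags S/SA keep state
block in log quick on $1 all
EOT
}

# load_rules DEV WAN PORT: flush and reload the anchor (same steps as kpa's up.sh).
load_rules() {
    /sbin/pfctl -a "${ANCHOR}" -F rules
    /sbin/pfctl -a "${ANCHOR}" -F nat
    gen_rules "$1" "$2" "$3" | /sbin/pfctl -a "${ANCHOR}" -f -
}

# Only act when OpenVPN invoked us (dev is set) on a host that has pf;
# otherwise the script can be sourced just to use gen_rules.
if [ -n "${dev:-}" ] && [ -x /sbin/pfctl ]; then
    /sbin/ifconfig "${dev}" inet6 -ifdisabled
    load_rules "${dev}" "${OPENVPN_wan:-}" "${local_port_1:-}"
fi
```

To syntax-check the generated rules on the host without touching the live anchor, source the script and pipe the output through pfctl's parse-only mode: ". ./up.sh; gen_rules tun0 lagg0 1194 | pfctl -nf -". Return traffic for the SSH sessions is covered by the "keep state" on the pass rule, so nothing else needs to be opened on the tunnel interface.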
 
Re: OpenVPN question

Hi @kpa,

Sorry to bother you...
I implemented the script you gave me and changed my pf.conf file, but I get the following in the OpenVPN log on my Windows 7 machine
client.log
Code:
Mon Oct 06 20:00:37 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Oct 06 20:00:37 2014 TLS Error: TLS handshake failed
Mon Oct 06 20:00:37 2014 SIGUSR1[soft,tls-error] received, process restarting
Mon Oct 06 20:00:37 2014 MANAGEMENT: >STATE:1412622037,RECONNECTING,tls-error,,
Mon Oct 06 20:00:37 2014 Restart pause, 2 second(s)
Mon Oct 06 20:00:39 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Oct 06 20:00:39 2014 UDPv4 link local: [undef]
Mon Oct 06 20:00:39 2014 UDPv4 link remote: [AF_INET]81.102.230.31:1194
Mon Oct 06 20:00:39 2014 MANAGEMENT: >STATE:1412622039,WAIT,,,
pf.conf
Code:
### Interfaces ###
#ext_if="bce0"
ext_if="lagg0"

IP_FREEBSD_HOST="192.168.1.192"
IP_WEBJAIL="192.168.1.165"
IP_DBJAIL="192.168.1.198"

HOSTS= "{" $IP_FREEBSD_HOST $IP_WEBJAIL $IP_DBJAIL "}"
ICMP_TYPES="{echoreq,unreach}"

PORT_WEB="{80,443}"
PORT_SSH="{2923,2924}"
#PORT_ZABBIX="{10059}"

### Tables ###
table <workssh> {192.168.1.1/24,216.146.161.254,82.41.44.193}
table <sshguard> persist

# [options]
set skip on lo0

# [normalization]
scrub in all

# NAT rules
nat-anchor "openvpn"
# RDR rules
rdr-anchor "openvpn"

# [translation]

# [filtering]
pass out all
block in all
anchor "openvpn"

# block all IPs from  sshguard-pf blocklist without any further evaluation
block drop in log quick on $ext_if inet from <sshguard> to any

# Allow ssh traffic from authorised IPs only and set Stateful Tracking Options (STO)
pass log on $ext_if inet proto tcp from <workssh> to $HOSTS port $PORT_SSH \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <sshguard> flush global)

# Allow HTTP and HTTPS traffic
pass in quick proto tcp from any to $IP_WEBJAIL port $PORT_WEB

Does it matter that I have public/private key authentication for sshd?
Or have I misconfigured the pf.conf file?
Do I need to set port forwarding on the router?

Fred
 
Re: OpenVPN question

You do need to forward UDP (if you're using UDP as the protocol) port 1194 on the router to the FreeBSD server, I thought you had that covered already, sorry about that.
 
Re: OpenVPN question

I set port forwarding to the FreeBSD host on port 1194, but the error message is still the same...
client.log (Windows 7 machine)
Code:
Tue Oct 07 10:56:03 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Oct 07 10:56:03 2014 TLS Error: TLS handshake failed
Tue Oct 07 10:56:03 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Oct 07 10:56:03 2014 MANAGEMENT: >STATE:1412675763,RECONNECTING,tls-error,,
Tue Oct 07 10:56:03 2014 Restart pause, 2 second(s)
Tue Oct 07 10:56:05 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Oct 07 10:56:05 2014 UDPv4 link local: [undef]
Tue Oct 07 10:56:05 2014 UDPv4 link remote: [AF_INET]81.102.230.31:1194
Tue Oct 07 10:56:05 2014 MANAGEMENT: >STATE:1412675765,WAIT,,,
/var/log/messages
Code:
Oct  7 10:56:04 FreeBSDHost openvpn[4301]: 82.45.44.186:61787 TLS: Initial packet from [AF_INET]82.45.44.186:61787, sid=8f7f7e9d cb7467f4
Oct  7 10:57:04 FreeBSDHost openvpn[4301]: 82.45.44.186:61787 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct  7 10:57:04 FreeBSDHost openvpn[4301]: 82.45.44.186:61787 TLS Error: TLS handshake failed
Oct  7 10:57:04 FreeBSDHost openvpn[4301]: 82.45.44.186:61787 SIGUSR1[soft,tls-error] received, client-instance restarting
Could this be because I have the following in my ssh/sshd.config file?
Code:
Port 2923 
ListenAddress 192.168.1.192
Protocol 2
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 30s
PermitRootLogin no
AllowUsers myadminuser
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no

GatewayPorts no
X11Forwarding no
PrintMotd yes
TCPKeepAlive yes

UsePrivilegeSeparation yes

ClientAliveInterval 300
ClientAliveCountMax 2

Subsystem	sftp	/usr/libexec/sftp-server
I am including all the files related to OpenVPN...

/usr/local/etc/openvpn/server.conf
Code:
port 1194
script-security 2
setenv-safe wan lagg0   # set to lagg interface
up /usr/local/etc/openvpn/up.sh
down /usr/local/etc/openvpn/down.sh

proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

server 192.168.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.1 255.255.255.0"

keepalive 10 120
cipher BF-CBC
comp-lzo

max-clients 2

user nobody
group nobody

persist-key
persist-tun
status openvpn-status.log

verb 3
mute 20
client.ovpn (Windows 7 machine)
Code:
client
dev tun
proto udp
remote 82.41.44.193 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
cipher BF-CBC
comp-lzo
verb 3
mute 20
pf.conf
Code:
#ext_if="bce0"
ext_if="lagg0"

IP_FREEBSD_HOST="192.168.1.192"
IP_WEBJAIL="192.168.1.165"
IP_DBJAIL="192.168.1.198"

HOSTS= "{" $IP_FREEBSD_HOST $IP_WEBJAIL $IP_DBJAIL "}"
ICMP_TYPES="{echoreq,unreach}"

PORT_WEB="{80,443}"
PORT_SSH="{2923,2924,1194}" # added OpenVPN port

### Tables ###
table <workssh> {192.168.1.1/24,216.146.161.254,82.41.44.193}
table <sshguard> persist

# [options]
set skip on lo0

# [normalization]
scrub in all

# NAT rules set for OpenVPN
nat-anchor "openvpn"
# RDR rules set for OpenVPN
rdr-anchor "openvpn"

# [filtering]
pass out all
block in all
anchor "openvpn"

# block all IPs from  sshguard-pf blocklist without any further evaluation
block drop in log quick on $ext_if inet from <sshguard> to any

# Allow ssh traffic from authorised IPs only and set Stateful Tracking Options (STO)
pass log on $ext_if inet proto tcp from <workssh> to $HOSTS port $PORT_SSH \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <sshguard> flush global)

# Allow HTTP and HTTPS traffic
pass in quick proto tcp from any to $IP_WEBJAIL port $PORT_WEB
up.sh
Code:
#!/bin/sh

ANCHOR="openvpn"

/sbin/ifconfig ${dev} inet6 -ifdisabled

/sbin/pfctl -a ${ANCHOR} -F rules
/sbin/pfctl -a ${ANCHOR} -F nat
/sbin/pfctl -a ${ANCHOR} -f - <<EOT
nat on ${OPENVPN_wan} inet from ${dev}:network to any -> (${OPENVPN_wan}:0) port 1024:65535
pass quick on ${dev} all
pass in quick on ${OPENVPN_wan} inet proto udp from any to (${OPENVPN_wan}) port ${local_port_1}
EOT

down.sh
Code:
#!/bin/sh

/sbin/pfctl -a openvpn -F rules
/sbin/pfctl -a openvpn -F nat
/etc/rc.conf.sh
Code:
 ### OpenVPN virtual private network settings
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_if="tun"

### lagg Failover Mode
cloned_interfaces="lagg0"
ifconfig_bce0="up"
ifconfig_bce1="up"
ifconfig_lagg0="laggproto lacp laggport bce0 laggport bce1"
ipv4_addrs_lagg0="192.168.1.192/24"
defaultrouter="192.168.1.1"

Could anyone spot where I went wrong?
At the moment I am only trying to connect to my FreeBSD host server.

Thank you.

Fred
 
Re: OpenVPN question

Your sshd(8) configuration has no effect on other services that don't use the SSH protocol and the TCP port 22 (or your custom listening port).

Run these when the OpenVPN service is running and post the outputs:

Code:
pfctl -sr -a openvpn
pfctl -sn -a openvpn
 
Re: OpenVPN question

Hi @kpa
Thank you very much for your help here. I really appreciate it.
pfctl -sr -a openvpn
Code:
pass quick on tun0 all flags S/SA keep state
pass in quick on lagg0 inet proto udp from any to (lagg0) port = openvpn keep state
pfctl -sn -a openvpn
Code:
nat on lagg0 inet from 192.168.10.1 to any -> (lagg0:0) port 1024:65535

I also set the verb to 6 to get more debug output.
Server logs /var/log/messages
Code:
Oct  7 11:25:49 FreeBSDHost  openvpn[4570]: MULTI: multi_create_instance called
Oct  7 11:25:49 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 Re-using SSL/TLS context
Oct  7 11:25:49 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 LZO compression initialized
Oct  7 11:25:49 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Oct  7 11:25:49 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Oct  7 11:25:49 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Oct  7 11:25:49 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Oct  7 11:25:49 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 Local Options hash (VER=V4): '530fdded'
Oct  7 11:25:49 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 Expected Remote Options hash (VER=V4): '41690919'
Oct  7 11:25:49 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 UDPv4 READ [14] from [AF_INET]82.45.44.186:57123: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct  7 11:25:49 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 TLS: Initial packet from [AF_INET]82.45.44.186:57123, sid=65ab2c2f b061ef9b
Oct  7 11:25:49 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 UDPv4 WRITE [26] to [AF_INET]82.45.44.186:57123: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Oct  7 11:25:51 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 UDPv4 READ [14] from [AF_INET]82.45.44.186:57123: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct  7 11:25:51 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 UDPv4 WRITE [26] to [AF_INET]82.45.44.186:57123: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Oct  7 11:25:55 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 UDPv4 READ [14] from [AF_INET]82.45.44.186:57123: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Oct  7 11:25:55 FreeBSDHost  openvpn[4570]: 82.45.44.186:57123 UDPv4 WRITE [26] to [AF_INET]82.45.44.186:57123: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Client logs client.log
Code:
Tue Oct 07 11:25:49 2014 us=256116 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Enter Management Password:
Tue Oct 07 11:25:49 2014 us=262117 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Oct 07 11:25:49 2014 us=262117 Need hold release from management interface, waiting...
Tue Oct 07 11:25:49 2014 us=671140 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Oct 07 11:25:49 2014 us=772145 MANAGEMENT: CMD 'state on'
Tue Oct 07 11:25:49 2014 us=772145 MANAGEMENT: CMD 'log all on'
Tue Oct 07 11:25:49 2014 us=824148 MANAGEMENT: CMD 'hold off'
Tue Oct 07 11:25:49 2014 us=827149 MANAGEMENT: CMD 'hold release'
Tue Oct 07 11:25:50 2014 us=98164 LZO compression initialized
Tue Oct 07 11:25:50 2014 us=98164 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Oct 07 11:25:50 2014 us=99164 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Oct 07 11:25:50 2014 us=99164 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Oct 07 11:25:50 2014 us=99164 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Oct 07 11:25:50 2014 us=99164 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Oct 07 11:25:50 2014 us=170168 Local Options hash (VER=V4): '41690919'
Tue Oct 07 11:25:50 2014 us=170168 Expected Remote Options hash (VER=V4): '530fdded'
Tue Oct 07 11:25:50 2014 us=170168 UDPv4 link local: [undef]
Tue Oct 07 11:25:50 2014 us=170168 UDPv4 link remote: [AF_INET]82.41.44.193:1194
Tue Oct 07 11:25:50 2014 us=170168 MANAGEMENT: >STATE:1412677550,WAIT,,,
Tue Oct 07 11:25:50 2014 us=181169 UDPv4 WRITE [14] to [AF_INET]82.41.44.193:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Oct 07 11:25:50 2014 us=182169 UDPv4 READ [0] from [undef]: DATA UNDEF len=-1
Tue Oct 07 11:25:52 2014 us=282288 UDPv4 WRITE [14] to [AF_INET]82.41.44.193:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Oct 07 11:25:56 2014 us=482526 UDPv4 WRITE [14] to [AF_INET]82.41.44.193:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Oct 07 11:26:04 2014 us=790997 UDPv4 WRITE [14] to [AF_INET]82.41.44.193:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Oct 07 11:26:20 2014 us=79813 UDPv4 WRITE [14] to [AF_INET]82.41.44.193:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Oct 07 11:26:46 2014 us=148241 TCP/UDP: Closing socket
Thank you
 
Re: OpenVPN question

I'm not seeing the problem so far. Can you post the output of tcpdump -n -i lagg0 port 1194 on your FreeBSD server? Please start that just before connecting as the client and keep it running until the client says no key negotiation within 60 seconds. The client side logs suggest that no packets are coming back to it and I'm wondering if we can see anything to confirm that.
 
Re: OpenVPN question

Hi @junovitch,

Thank you for your reply, here is the requested information:
tcpdump -n -i lagg0 port 1194
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lagg0, link-type EN10MB (Ethernet), capture size 65535 bytes
capability mode sandbox enabled
08:55:05.156346 IP 82.45.44.186.63463 > 192.168.1.192.1194: UDP, length 14
08:55:05.157118 IP 192.168.1.165.1194 > 82.45.44.186.63463: UDP, length 26
08:55:07.401071 IP 192.168.1.165.1194 > 82.45.44.186.63463: UDP, length 14
08:55:07.636484 IP 82.45.44.186.63463 > 192.168.1.192.1194: UDP, length 14
08:55:07.636611 IP 192.168.1.165.1194 > 82.45.44.186.63463: UDP, length 22
08:55:11.002470 IP 192.168.1.165.1194 > 82.45.44.186.63463: UDP, length 14
08:55:11.360905 IP 82.45.44.186.63463 > 192.168.1.192.1194: UDP, length 14
08:55:11.361025 IP 192.168.1.165.1194 > 82.45.44.186.63463: UDP, length 22
08:55:19.220486 IP 192.168.1.165.1194 > 82.45.44.186.63463: UDP, length 14
08:55:19.620085 IP 82.45.44.186.63463 > 192.168.1.192.1194: UDP, length 14
08:55:19.620202 IP 192.168.1.165.1194 > 82.45.44.186.63463: UDP, length 22
08:55:35.340913 IP 82.45.44.186.63463 > 192.168.1.192.1194: UDP, length 14
08:55:35.341078 IP 192.168.1.165.1194 > 82.45.44.186.63463: UDP, length 26
08:56:07.012907 IP 82.45.44.186.64890 > 192.168.1.192.1194: UDP, length 14
08:56:07.013408 IP 192.168.1.165.1194 > 82.45.44.186.64890: UDP, length 26
08:56:09.297511 IP 82.45.44.186.64890 > 192.168.1.192.1194: UDP, length 14
08:56:09.297628 IP 192.168.1.165.1194 > 82.45.44.186.64890: UDP, length 26
08:56:13.874037 IP 82.45.44.186.64890 > 192.168.1.192.1194: UDP, length 14
08:56:13.874164 IP 192.168.1.165.1194 > 82.45.44.186.64890: UDP, length 26
08:56:21.083787 IP 192.168.1.165.1194 > 82.45.44.186.64890: UDP, length 14
08:56:21.706051 IP 82.45.44.186.64890 > 192.168.1.192.1194: UDP, length 14
08:56:21.706185 IP 192.168.1.165.1194 > 82.45.44.186.64890: UDP, length 22
08:56:37.097458 IP 192.168.1.165.1194 > 82.45.44.186.64890: UDP, length 14
08:56:37.427237 IP 82.45.44.186.64890 > 192.168.1.192.1194: UDP, length 14
08:56:37.427352 IP 192.168.1.165.1194 > 82.45.44.186.64890: UDP, length 22
08:57:10.010532 IP 82.45.44.186.52729 > 192.168.1.192.1194: UDP, length 14
08:57:10.011074 IP 192.168.1.165.1194 > 82.45.44.186.52729: UDP, length 26
08:57:12.080652 IP 82.45.44.186.52729 > 192.168.1.192.1194: UDP, length 14
08:57:12.080771 IP 192.168.1.165.1194 > 82.45.44.186.52729: UDP, length 26
08:57:16.217059 IP 82.45.44.186.52729 > 192.168.1.192.1194: UDP, length 14
08:57:16.217174 IP 192.168.1.165.1194 > 82.45.44.186.52729: UDP, length 26
08:57:24.986472 IP 82.45.44.186.52729 > 192.168.1.192.1194: UDP, length 14
08:57:24.986622 IP 192.168.1.165.1194 > 82.45.44.186.52729: UDP, length 26
08:57:40.451855 IP 192.168.1.165.1194 > 82.45.44.186.52729: UDP, length 14

** 192.168.1.165 is my webjail.. why is that showing up in that trace?
 
Re: OpenVPN question

Hi,

I don't know if this helps but here I replaced the IP addresses with the associated machine:
Code:
08:55:05.156346 IP ExtPublicIP.63463 > FreeBSDHost.1194: UDP, length 14
08:55:05.157118 IP webjail.1194 > ExtPublicIP.63463: UDP, length 26
08:55:07.401071 IP webjail.1194 > ExtPublicIP.63463: UDP, length 14
08:55:07.636484 IP ExtPublicIP.63463 > FreeBSDHost.1194: UDP, length 14
08:55:07.636611 IP webjail.1194 > ExtPublicIP.63463: UDP, length 22
08:55:11.002470 IP webjail.1194 > ExtPublicIP.63463: UDP, length 14
08:55:11.360905 IP ExtPublicIP.63463 > FreeBSDHost.1194: UDP, length 14
08:55:11.361025 IP webjail.1194 > ExtPublicIP.63463: UDP, length 22
08:55:19.220486 IP webjail.1194 > ExtPublicIP.63463: UDP, length 14
08:55:19.620085 IP ExtPublicIP.63463 > FreeBSDHost.1194: UDP, length 14
08:55:19.620202 IP webjail.1194 > ExtPublicIP.63463: UDP, length 22
08:55:35.340913 IP ExtPublicIP.63463 > FreeBSDHost.1194: UDP, length 14
08:55:35.341078 IP webjail.1194 > ExtPublicIP.63463: UDP, length 26
08:56:07.012907 IP ExtPublicIP.64890 > FreeBSDHost.1194: UDP, length 14
08:56:07.013408 IP webjail.1194 > ExtPublicIP.64890: UDP, length 26
08:56:09.297511 IP ExtPublicIP.64890 > FreeBSDHost.1194: UDP, length 14
08:56:09.297628 IP webjail.1194 > ExtPublicIP.64890: UDP, length 26
08:56:13.874037 IP ExtPublicIP.64890 > FreeBSDHost.1194: UDP, length 14
08:56:13.874164 IP webjail.1194 > ExtPublicIP.64890: UDP, length 26
08:56:21.083787 IP webjail.1194 > ExtPublicIP.64890: UDP, length 14
08:56:21.706051 IP ExtPublicIP.64890 > FreeBSDHost.1194: UDP, length 14
08:56:21.706185 IP webjail.1194 > ExtPublicIP.64890: UDP, length 22
08:56:37.097458 IP webjail.1194 > ExtPublicIP.64890: UDP, length 14
08:56:37.427237 IP ExtPublicIP.64890 > FreeBSDHost.1194: UDP, length 14
08:56:37.427352 IP webjail.1194 > ExtPublicIP.64890: UDP, length 22
08:57:10.010532 IP ExtPublicIP.52729 > FreeBSDHost.1194: UDP, length 14
08:57:10.011074 IP webjail.1194 > ExtPublicIP.52729: UDP, length 26
08:57:12.080652 IP ExtPublicIP.52729 > FreeBSDHost.1194: UDP, length 14
08:57:12.080771 IP webjail.1194 > ExtPublicIP.52729: UDP, length 26
08:57:16.217059 IP ExtPublicIP.52729 > FreeBSDHost.1194: UDP, length 14
08:57:16.217174 IP webjail.1194 > ExtPublicIP.52729: UDP, length 26
08:57:24.986472 IP ExtPublicIP.52729 > FreeBSDHost.1194: UDP, length 14
08:57:24.986622 IP webjail.1194 > ExtPublicIP.52729: UDP, length 26
08:57:40.451855 IP webjail.1194 > ExtPublicIP.52729: UDP, length 14
 
Re: OpenVPN question

I think you should set local in openvpn.conf explicitly; right now it's listening on every possible address for connections, but you have jails and the lagg(4) link that might mess things up. Add this to the configuration:

Code:
local 192.168.1.192
 
Re: OpenVPN question

kpa said:
I think you should set local in openvpn.conf explicitly; right now it's listening on every possible address for connections, but you have jails and the lagg(4) link that might mess things up. Add this to the configuration:

Code:
local 192.168.1.192


Yeaaaaa!!!!!
Thank you soooo much.

My problem is now resolved :)
 
Re: OpenVPN question

This is what I was hoping to see. One consideration with any UDP service is that replies will usually just come from the "closest" interface. The issue here is that the replies appear to be a different connection from the one made by the port forward on your router. The rule of thumb here is to make sure you set the service to bind to a specific IP. When you use jails, this is also recommended so that services within jails don't get mixed up with services outside of jails.
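The check junovitch describes, as an added example that is not part of the thread: a small sh/awk filter over "tcpdump -n" output that pairs each request sent to the service port with the reply returned to the same client socket and reports replies that come from an address other than the one the client addressed. The sample lines are constructed from the trace Fred posted (same addresses); the function, its name and the output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): flag UDP replies whose source address
# differs from the address the client sent its request to. In Fred's trace
# requests go to 192.168.1.192:1194 but replies leave from 192.168.1.165:1194,
# so the router's port-forward state never matches them and the client sees
# nothing come back.

# Constructed sample, modelled on the tcpdump lines posted in the thread.
SAMPLE='08:55:05.156346 IP 82.45.44.186.63463 > 192.168.1.192.1194: UDP, length 14
08:55:05.157118 IP 192.168.1.165.1194 > 82.45.44.186.63463: UDP, length 26
08:55:07.636484 IP 82.45.44.186.63463 > 192.168.1.192.1194: UDP, length 14
08:55:07.636611 IP 192.168.1.165.1194 > 82.45.44.186.63463: UDP, length 22'

# check_udp_asymmetry PORT  < tcpdump -n lines
# Prints "<client addr:port> sent_to=<addr> reply_from=<addr>" once per
# offending client socket; exit status 1 if any were found, 0 otherwise.
# Lines that are not "IP ... UDP," records (tcpdump banners etc.) are ignored.
check_udp_asymmetry() {
    awk -v port="$1" '
    $2 == "IP" && $6 == "UDP," {
        # tcpdump -n prints "a.b.c.d.port > a.b.c.d.port:"; split address/port.
        src = $3; dst = $5; sub(/:$/, "", dst)
        saddr = src; sub(/\.[0-9]+$/, "", saddr); sport = src; sub(/.*\./, "", sport)
        daddr = dst; sub(/\.[0-9]+$/, "", daddr); dport = dst; sub(/.*\./, "", dport)
        if (dport == port) {
            # request toward the service: remember where this client sent it
            sent_to[saddr ":" sport] = daddr
        } else if (sport == port) {
            # reply from the service: compare with what the client addressed
            key = daddr ":" dport
            if ((key in sent_to) && sent_to[key] != saddr && !(key in seen)) {
                seen[key] = 1
                printf "%s sent_to=%s reply_from=%s\n", key, sent_to[key], saddr
                bad = 1
            }
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Demo on the constructed sample; never fails the script itself.
printf '%s\n' "$SAMPLE" | check_udp_asymmetry 1194 || echo "asymmetric UDP replies found"
```

Against a live capture use line-buffered output so matches appear as they happen: "tcpdump -l -n -i lagg0 port 1194 | check_udp_asymmetry 1194". A clean trace, where the reply source equals the address the request was sent to, prints nothing and exits 0; that is what the "local 192.168.1.192" setting achieves here.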
 
Re: OpenVPN question

junovitch said:
This is what I was hoping to see. One consideration with any UDP service is that replies will usually just come from the "closest" interface. The issue here is that the replies appear to be a different connection from the one made by the port forward on your router. The rule of thumb here is to make sure you set the service to bind to a specific IP. When you use jails, this is also recommended so that services within jails don't get mixed up with services outside of jails.


Thank you for the advice @junovitch. Point noted :)
 