installed openvpn, not working

I am sorry, I already asked this before, but I have to ask again, I
installed openvpn at both sites, it is not working. This is my
scenario:

1) one side is with cable modem with public IP addr, all local machines
are LAN
2) otherside is with ethernet to office with private ip address (class
C addr), connected to router and all local machines are LAN, all gets
internet, we know the gateway also we know the ISP's public ip addr,
since these people directly do ssh/ftp to the other office (but from
otheroffice couldn't login to the first office, since ni public ip addr
on local router wan port)

is there any problem with this private ip addr to office?. due to that
openvpn is not working?. any suggestions, Thaks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

GS wrote:
> I am sorry, I already asked this before, but I have to ask again, I
> installed openvpn at both sites, it is not working. This is my
> scenario:
>
> 1) one side is with cable modem with public IP addr, all local machines
> are LAN
> 2) otherside is with ethernet to office with private ip address (class
> C addr), connected to router and all local machines are LAN, all gets
> internet, we know the gateway also we know the ISP's public ip addr,
> since these people directly do ssh/ftp to the other office (but from
> otheroffice couldn't login to the first office, since ni public ip addr
> on local router wan port)
>
> is there any problem with this private ip addr to office?. due to that
> openvpn is not working?. any suggestions, Thaks

Suggestion: check which transport protocol OpenVPN is set up to use.
Some firewalls (the kind a corporation, ISP or cable modem might
install) do not pass UDP packets, and if OpenVPN is configured to use
UDP, you would see the symptoms you describe.

If OpenVPN /is/ set up for UDP, change it to TCP at both ends (server
and client) and try again.




- --

Lew Pitcher, IT Specialist, Enterprise Data Systems
Enterprise Technology Solutions, TD Bank Financial Group

(Opinions expressed here are my own, not my employer's)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFDYhaEagVFX4UWr64RAlPDAJ9aYlpL/XnozlChhHOB2Ke2e8zHigCgtXiK
dviMTmR0E0wGBf+QVnxJjEc=
=0PHu
-----END PGP SIGNATURE-----

Lew Pitcher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> GS wrote:
>> I am sorry, I already asked this before, but I have to ask again, I
>> installed openvpn at both sites, it is not working. This is my
>> scenario:
>>
>> 1) one side is with cable modem with public IP addr, all local machines
>> are LAN
>> 2) otherside is with ethernet to office with private ip address (class
>> C addr), connected to router and all local machines are LAN, all gets
>> internet, we know the gateway also we know the ISP's public ip addr,
>> since these people directly do ssh/ftp to the other office (but from
>> otheroffice couldn't login to the first office, since ni public ip addr
>> on local router wan port)
>>
>> is there any problem with this private ip addr to office?. due to that
>> openvpn is not working?. any suggestions, Thaks
>
> Suggestion: check which transport protocol OpenVPN is set up to use.
> Some firewalls (the kind a corporation, ISP or cable modem might
> install) do not pass UDP packets, and if OpenVPN is configured to use
> UDP, you would see the symptoms you describe.
>
> If OpenVPN /is/ set up for UDP, change it to TCP at both ends (server
> and client) and try again.
>
>

The default OpenVPN protocol is UDP port 1194 on the server. The
client uses a random source port number. I know that is is
capable of surviving NAT translation because we use it across the
internet where I work. I suggest that you install Ethereal (free
protocol analyser) to get "independent" proof that UDP is being
sent by the client, and not being received by the server (or the
return traffic is not arriving). This is almost certainly the
problem, but without proof from Ethereal you will always just be
wondering.

Steve

Steve Horsley <(E-Mail Removed)> writes:

>The default OpenVPN protocol is UDP port 1194 on the server.

And the Server should be the side with the official IP-Numbers.

OR you have to instruct your (firewalling) NAT-Router to let
those packets through.

> I know that is is
>capable of surviving NAT translation because we use it across the
>internet where I work.

<AOL>
Me too...
</AOL>

>sent by the client, and not being received by the server (or the
>return traffic is not arriving).

I had one problem with a standard-(Firewall-) Install of Suse 9.3
on one client, which did not let those answer-Packets through...


And you may add " verb 7 " to both openVPN-Config-Files and look
into the logfiles.

Good luck, Holger

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve Horsley wrote:
> Lew Pitcher wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> GS wrote:
>>
>>> I am sorry, I already asked this before, but I have to ask again, I
>>> installed openvpn at both sites, it is not working. This is my
>>> scenario:
>>>
>>> 1) one side is with cable modem with public IP addr, all local machines
>>> are LAN
>>> 2) otherside is with ethernet to office with private ip address (class
>>> C addr), connected to router and all local machines are LAN, all gets
>>> internet, we know the gateway also we know the ISP's public ip addr,
>>> since these people directly do ssh/ftp to the other office (but from
>>> otheroffice couldn't login to the first office, since ni public ip addr
>>> on local router wan port)
>>>
>>> is there any problem with this private ip addr to office?. due to that
>>> openvpn is not working?. any suggestions, Thaks
>>
>>
>> Suggestion: check which transport protocol OpenVPN is set up to use.
>> Some firewalls (the kind a corporation, ISP or cable modem might
>> install) do not pass UDP packets, and if OpenVPN is configured to use
>> UDP, you would see the symptoms you describe.
>>
>> If OpenVPN /is/ set up for UDP, change it to TCP at both ends (server
>> and client) and try again.
>>
>>
>
> The default OpenVPN protocol is UDP

True, that is the /default/. But OpenVPN also supports TCP as an alternative
to UDP

> port 1194 on the server. The client uses a random source port number.

True, but likely irrelevant

> I know that is is capable of surviving NAT translation because we use it across the internet where I work.

NAT translation might not be the issue. /My/ experience is that some corporate
firewalls block UDP traffic inbound, and this causes an apparently good
OpenVPN setup to mysteriously fail when taken outside the bounds of the
corporate intranet.

My specific experience is with a working UDP OpenVPN configuration that failed
once I took the client on the road. It turned out that the corp firewall that
I was behind (while on the road) blocked incoming UDP packets, causing the
server replies to the OpenVPN client to be dropped. Result: OpenVPN which
worked OK when tested within the LAN environment failed when tried outside the
LAN environment.

> I
> suggest that you install Ethereal (free protocol analyser) to get
> "independent" proof that UDP is being sent by the client, and not being
> received by the server (or the return traffic is not arriving). This is
> almost certainly the problem, but without proof from Ethereal you will
> always just be wondering.

That's a good idea, but may be overkill. You can tell a lot from the OpenVPN
logs, and a simple change to the Server and client config will verify it. But,
best to test this out on an independant implementation, or /before/ releasing
your OpenVPN to your VPN clients.

- --
Lew Pitcher

Master Codewright & JOAT-in-training | GPG public key available on request
Registered Linux User #112576 (http://counter.li.org/)
Slackware - Because I know what I'm doing.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFDYs4nagVFX4UWr64RAmP4AJ94WivjqupppBPX5ZC6R3 +mxO67qACgl0Es
SsrMOz/5gEYa3JbU50GjE30=
=/4Qt
-----END PGP SIGNATURE-----

In my case, the other side I don't have public IP address on my WAN
port, ISP provided ethernet directly to home with private IP addr,
which is assigned to WAN port of my Router, do I have to ask my ISP to
redirect traffic on particular port?.

Thanks.

GS wrote:
> In my case, the other side I don't have public IP address on my WAN
> port, ISP provided ethernet directly to home with private IP addr,
> which is assigned to WAN port of my Router, do I have to ask my ISP to
> redirect traffic on particular port?.

You should not need if the ISP's address translation
is working correctly. To function this way, the
host behind the non-public NAT box must be the one
initiating the connection, and there must be a pretty
short keepalive timeout in OpenVPN configs.

The same consideration about initiating the connection
applies to TCP transport behind a NAT box.

--

Tauno Voipio
tauno voipio (at) iki fi

GS wrote:

> I am sorry, I already asked this before, but I have to ask again, I
> installed openvpn at both sites, it is not working. This is my
> scenario:
>
> 1) one side is with cable modem with public IP addr, all local machines
> are LAN
> 2) otherside is with ethernet to office with private ip address (class
> C addr), connected to router and all local machines are LAN, all gets
> internet, we know the gateway also we know the ISP's public ip addr,
> since these people directly do ssh/ftp to the other office (but from
> otheroffice couldn't login to the first office, since ni public ip addr
> on local router wan port)
>
> is there any problem with this private ip addr to office?. due to that
> openvpn is not working?. any suggestions, Thaks

The VPN has to connect to a valid public IP address. If the VPN does not
terminate on the firewall/router/NAT box, then you have to use port
forwarding on the firewall, to connect to a system behind the firewall.
Port forwarding take the packets intended for the VPN and then forward them
to a specified computer on the LAN. If you use this method, you will then
have to update the routing tables for all local computers that will use the
VPN. If the VPN terminates on the firewall, only the firewall has to be
configured.

GS wrote:

> In my case, the other side I don't have public IP address on my WAN
> port, ISP provided ethernet directly to home with private IP addr,
> which is assigned to WAN port of my Router, do I have to ask my ISP to
> redirect traffic on particular port?.

Yes. It can't work, if you use one of those RFC1914 address ranges, as
those addresses are not supposed to be passed over the public internet.
You will have to get a public address or get the ISP to do port forwarding.
You may have to do it again, if the VPN doesn't terminate on your firewall.