How do I curl through an OpenVPN interface from a script.
-
@guardian In order for this to work, the other end of the vpn must support natting to the internet.
Here is the exact same command
/root: curl -v -4 --interface ovpnc1 http://www.google.com
*   Trying 172.217.22.4:80...
* TCP_NODELAY set
* Local Interface ovpnc1 is ip 192.168.127.5 using address family 2
* Local port: 0
* Connected to www.google.com (172.217.22.4) port 80 (#0)
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Thu, 23 Jul 2020 09:25:51 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
< P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< Server: gws
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: 1P_JAR=2020-07-23-09; expires=Sat, 22-Aug-2020 09:25:51 GMT; path=/; domain=.google.com; Secure
< Set-Cookie: NID=204=VGdCUajKT8B5UcexExeV2Km1ye5cs22px0VMjGalBW2Y7qhYMYuw4ty83dvPKnan6gXumpG4fqDlpnl7_2dEFVPE2SZvrNSDambfGuA5YOhLau9C65DK_nBgeZmVgtvD1t5XGwWdvy6sBGNbSz6k-NUvnCSzNF8cc2kGpl61Nyg; expires=Fri, 22-Jan-2021 09:25:51 GMT; path=/; domain=.google.com; HttpOnly
< Accept-Ranges: none
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
<
-
@Gertjan said in How do I curl through an OpenVPN interface from a script.:
You want to select the interface that curl uses?
If so, click.
@Gertjan I tried everything that I could see in the link you mentioned, but it didn't work, as you can see from the post above.
Any idea how I can troubleshoot?
-
@guardian Your curl command is fine. You have routing/natting issues.
-
@netblues said in How do I curl through an OpenVPN interface from a script.:
@guardian Your curl command is fine. You have routing/natting issues.
Can someone give me some steps to troubleshoot this?
It doesn't seem to generate any firewall log entries and I have an allow all IPv4 on the OpenVPN firewall rules tab.
Any advice would be much appreciated.
-
@guardian said in How do I curl through an OpenVPN interface from a script.:
It doesn't seem to generate any firewall log entries and I have an allow all IPv4 on the OpenVPN firewall rules tab.
Your 'curl' is using that rule 'that matches all traffic' and that firewall rule is probably NOT logging.
That's why you see no logs.
Be careful: activating logging for the default pass all rule will log huge numbers of log lines at lightning speed.
-
I doubt you will find anything in the pf logs.
The thing is, that when you select the vpn client interface, you send your request inside the tunnel to the device at the other end. If you curl a service running on the host on the other end of the tunnel, then it would work.
If however you ask for e.g. google, then the device at the other end of the tunnel has to NAT and forward the request to google, get the reply and translate it back to you. So what is at the other end of the tunnel interface you are curling into?
-
Thanks @Gertjan @netblues The tunnel is a public VPN service with minimal filtering. I'm pretty sure it has to do with rules/routing regarding the curl command. My reason for saying this is that I have a guest wifi network that is policy routed out that interface, and the same command works (except it doesn't have the --interface parameter).
If we assume the problem is local, what would be my next step(s) to troubleshoot?
@Gertjan said in How do I curl through an OpenVPN interface from a script.:
@guardian said in How do I curl through an OpenVPN interface from a script.:
It doesn't seem to generate any firewall log entries and I have an allow all IPv4 on the OpenVPN firewall rules tab.
Your 'curl' is using that rule 'that matches all traffic' and that firewall rule is probably NOT logging.
That's why you see no logs.
Be careful: activating logging for the default pass all rule will log huge numbers of log lines at lightning speed.
curl -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -v --interface ovpnc1 'http://ifconfig.me/ip'
@netblues said in How do I curl through an OpenVPN interface from a script.:
I doubt you will find anything in the pf logs.
The thing is, that when you select the vpn client interface, you send your request inside the tunnel to the device at the other end. If you curl a service running on the host on the other end of the tunnel, then it would work.
If however you ask for e.g. google, then the device at the other end of the tunnel has to NAT and forward the request to google, get the reply and translate it back to you. So what is at the other end of the tunnel interface you are curling into?
-
@guardian I do have this exact setup in place,
so here is the result:
/root: curl -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -v --interface ovpnc1 'http://ifconfig.me/ip'
*   Trying 216.239.32.21:80...
* TCP_NODELAY set
* Local Interface ovpnc1 is ip 192.168.127.5 using address family 2
* Local port: 0
* Connected to ifconfig.me (216.239.32.21) port 80 (#0)
> GET /ip HTTP/1.1
> Host: ifconfig.me
> Accept: */*
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 25 Jul 2020 18:43:32 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 14
< Access-Control-Allow-Origin: *
< Via: 1.1 google
<
* Connection #0 to host ifconfig.me left intact
other.end.wan.ip
Please post your openvpn firewall rules and/or any rules on the specific client interface (if it exists).
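A small diagnostic script that follows on from netblues' ifconfig.me test. It is an added example, not code from anyone in this thread or from pfSense; it assumes a pfSense/FreeBSD shell, the interface name ovpnc1 from the thread, and that http://ifconfig.me/ip returns the public address the server saw. It fetches the egress IP with and without --interface, then classifies the result so the three outcomes (no reply at all, reply from the WAN address, reply from the tunnel provider's address) are told apart before digging into routes and outbound NAT.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread or pfSense).
# Assumes: pfSense/FreeBSD shell, OpenVPN client interface ovpnc1,
# and a probe URL that echoes the public IP the server saw.
IFACE="${IFACE:-ovpnc1}"
PROBE_URL="${PROBE_URL:-http://ifconfig.me/ip}"
TIMEOUT=10

# Fetch the public IP seen by the probe server, optionally bound to an
# interface. Prints "unreachable" when curl fails or times out, which is
# the symptom the original poster sees.
public_ip_via() {
    if [ -n "$1" ]; then
        curl -4 -s --max-time "$TIMEOUT" --interface "$1" "$PROBE_URL" 2>/dev/null || echo unreachable
    else
        curl -4 -s --max-time "$TIMEOUT" "$PROBE_URL" 2>/dev/null || echo unreachable
    fi
}

# Pure classification (no network) so the verdict logic can be checked offline.
# Args: IP seen via WAN, result seen via the tunnel interface.
classify_egress() {
    wan_ip="$1"; tun_ip="$2"
    if [ "$tun_ip" = "unreachable" ]; then
        echo "NO_EGRESS"       # bound to the tunnel IP, but no reply: check route and NAT
    elif [ "$tun_ip" = "$wan_ip" ]; then
        echo "LEAKED_VIA_WAN"  # reply came back, but the request never used the tunnel
    else
        echo "VIA_TUNNEL"      # different public IP: the far end NATed the request
    fi
}

main() {
    wan=$(public_ip_via "")
    tun=$(public_ip_via "$IFACE")
    echo "WAN egress IP:    $wan"
    echo "$IFACE egress IP: $tun"
    verdict=$(classify_egress "$wan" "$tun")
    echo "verdict: $verdict"
    if [ "$verdict" = "NO_EGRESS" ]; then
        host=$(echo "$PROBE_URL" | sed -e 's|^[a-z]*://||' -e 's|/.*||')
        echo "Route the kernel picks for $host (the source binding does not change this):"
        route -n get "$host"
        echo "Outbound NAT rules mentioning $IFACE:"
        pfctl -sn | grep -- "$IFACE" || echo "(none)"
    fi
}

# Only run the network checks when invoked as: sh check_vpn_egress.sh run
if [ "${1:-}" = "run" ]; then main; fi
```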
-
I have been having this EXACT same problem for the past year. I haven't been able to figure out why the pfSense machine won't curl out the interface using the VPN.
I suspect this is a NAT Outbound issue... but nothing I do there has fixed it so far. I have manual rules set up for my Outbound NAT.
This whole issue prevents my script running on pfSense using curl to utilize my VPN. It's very annoying. For a while I simply used the pull routes option from the VPN and then my script worked, but everything then went out the VPN from my shell that wasn't specifically set up otherwise. I had DNS going out the VPN so much, though, that I eventually reverted and decided to stick with the more secure crippled version.