StrongVPN as part of OpenVPN WAN setup [(partly) SOLVED]
-
Hi,
I'm trying to do the following: make some of my internal outbound traffic go out through an OpenVPN tunnel using StrongVPN. I'm trying to use the VPN tunnel as a second WAN for outbound (and later also inbound) connections.
I have tried to do the following:
- add tunnel config under 'clients' and add an OPT2 interface using that
- add a load balancer group with the VPN interface added twice; right now I have a failover group with 2 identical settings and they are 'green' in status
- add a FW rule on the internal interface trying to catch traffic and force it through the LoadBalancer as gateway
So far it does not work though; when checking where I come from, the IP is still the local ISP's.
In OpenVPN logs I see:
Feb 12 20:03:41 openvpn[26567]: UDPv4 link remote: … [ ip ]
Feb 12 20:03:41 openvpn[26567]: UDPv4 link local (bound): [undef]:1195
It looks like the tunnel is set up, or?
But I'm a bit uncertain if tunnel really is setup since according to Strong VPN I have to make use of both CA cert, client cert, client key AND static key all at once when setting up tunnel.
AFAICT when I choose shared key the other boxes are greyed out and vice versa.
I have looked in the book back and forth and think I need some comments on the general setup strategy here so that I can start ruling out stuff and it's a good start to know if tunnel is ok I guess. I'm also a bit uncertain of some settings in interface for the VPN tunnel.
Now I have set it to static IP and used an unused internal one as 'IP address' and the VPN server IP as 'gateway'.
I'm also a bit curious as to why I have to use monitor IPs when using LoadBalancing (have tried both that and failover).
Anyone can comment on this so far?
TIA,
-
Well.. things do work! ;D ;D ;D almost as intended, but I have a few questions still.
Now, I can get the tunnel up. Nice. Very nice.
I did however have to google and find a small hint in one question on StrongVPN's forum http://strongvpn.com/forum/viewtopic.php?id=306 wherein the user (using pfSense) mentioned a "patch". This made me look in packages and sure enough some "OpenVPN-Enhancements" package was there. Not much is mentioned of that in this forum though; I only got 3 hits, all by users mentioning it briefly, no post from pfSense pointing out that (important) package's existence.
Without the "OpenVPN-Enhancements" package the StrongVPN openVPN service does not seem to work in pfSense 1.2.3.
I haven't seen it mentioned in the book either, this is a showstopper for any user sitting with same kind of config so should be noted in GUI and/or book and/or elsewhere.
I still get the error msg mentioned in the StrongVPN forum post above about "missing parameter topology" and I also get another one, see below:
openvpn[21517]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:7: topology (2.0.6)
openvpn[21517]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: route-metric (2.0.6)
I can use the tunnel though, the exit IP is not local. Also, I can verify that I can receive incoming connections on both the ISP's assigned WAN IP as well as the VPN exit IP, and I have successfully communicated with the SMTP service through the tunnel from the outside. Very nice indeed. So basically you could use this to shield any kind of service running from behind the tunnel, making a web site accessible in another country without its traffic/visitors being recorded by the FRA (the Swedish NSA) who are as of last year recording ANY traffic flowing in or out of the Swedish borders - to give you one example.
Moving on..
Now all outbound traffic is routed through the tunnel, this was my initial idea actually, however I would like this to be more flexible and let just some traffic out through the VPN. That part of the setup doesn't work. Even if I specifically add the normal GW twice in an additional load balancer and assign that as gateway instead of 'default' to the default "allow all" rule on LAN, everybody still goes out the VPN.
So obviously the routing table (where OpenVPN has written in that "suck everything into the tunnel" stuff) is not aware of my FW rule in this case.
I suspect this has to do with the pushed stuff somehow, this is what's coming from the VPN server:
openvpn[21517]: PUSH: Received control message: 'PUSH_REPLY,route-delay 2,dhcp-option DNS nn.nn.nn.n1 ,dhcp-option DNS nn.nn.nn.n2,route-metric 1,redirect-gateway def1,route 10.x.x.3,topology net30,ping 10,ping-restart 60,ifconfig 10.x.x.1 10.x.x.2'
I guess the "redirect-gateway def1" could be central here? Is it possible to override it somehow or should it be let alone?
Some thoughts though: it appears that the tunnel sometimes/mostly does NOT come up if "route-delay 2" is used but does so when changing to "route-delay 10". I thought that it shouldn't matter and that it would retry somehow, but settings such as "resolv-retry infinite", which is in custom options since it was present in their config file, haven't got anything to do with the route-adding rules; those are issued after the 'route-delay' option.
Still, traffic seems to get through nicely when the routes are added correctly.
In 'custom options' I have added the following, since they were in StrongVPN's .ovpn/config file:
persist-key;persist-tun;verb 4;mute 5;tun-mtu 1500;route-method exe;route-delay 5;explicit-exit-notify 2;fragment 1300;mssfix 1450
Actually they had "route-delay 2" in their file.
So, it appears that if the tunnel doesn't come up, because 'route-delay' is too low(?), the tunnel will never come up, not until I re-save the tunnel config or perhaps reboot? And then all of a sudden all traffic goes directly down the ISP default GW even if I intended otherwise.
This is not so good, I would like all OR some (according to my config via FW rules) traffic goes through VPN but if VPN dies nothing (maybe or only some) of that traffic should go another route. I should be able to control how traffic is sent out.
How-2 fix?
To sum up, this is the present situation:
1. Tunnel works and when up everything works, including incoming traffic to portforwarded services through the tunnel and also the portforwarded services on the WAN IP works as before.
2. ALL outgoing traffic - initiated from internal networks - goes through the tunnel, regardless of my intentions to let some out the WAN using LoadBalancing and FW rules.
I would like to be able to do this:
1. Make sure tunnel (all config aspects of it) is retried if something isn't working, like adding routes etc. Also if I loose connection to Internet for 10 min I must be sure that OpenVPN tunnel is up again when connection is up. If I intend for some traffic to go through VPN that traffic should never ever go somewhere else, unless specifically so stated
2. Be able to route outbound traffic through WAN as well as VPN (OPT2 WAN) to my choosing
3. Be able to add additional OpenVPN tunnels in the same way, therefore I must be able to steer routing and not use the "suck everything down here" option from the server
Maybe I'll put together a small how-to later, there are some details not mentioned here that need to be set correctly to make it work this far.
TIA,
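The PUSH_REPLY quoted above is what drives the "everything goes down the tunnel" behaviour: `redirect-gateway def1` makes the client install two /1 routes that beat the existing default route without deleting it. This added example (not from the thread or from pfSense/StrongVPN) parses that control message, lists the options an OpenVPN 2.0.6 client rejects per the errors quoted, and works out which routes the push will install; the sample line is the one from the post, addresses redacted as there.

```python
import re

# Options OpenVPN 2.0.6 reports as unrecognized in PUSH-OPTIONS (from the thread's log lines).
UNSUPPORTED_IN_2_0_6 = {"topology", "route-metric"}

# Sample control message copied from the post above (addresses redacted there, stray space kept).
SAMPLE_PUSH = ("PUSH: Received control message: 'PUSH_REPLY,route-delay 2,"
               "dhcp-option DNS nn.nn.nn.n1 ,dhcp-option DNS nn.nn.nn.n2,"
               "route-metric 1,redirect-gateway def1,route 10.x.x.3,"
               "topology net30,ping 10,ping-restart 60,ifconfig 10.x.x.1 10.x.x.2'")


def parse_push_reply(log_line):
    """Return the pushed options as a list of (name, [args]) tuples."""
    m = re.search(r"'PUSH_REPLY,(.*)'", log_line)
    if not m:
        raise ValueError("not a PUSH_REPLY log line")
    opts = []
    for item in m.group(1).split(","):
        words = item.split()  # split() tolerates the stray space after "n1"
        if words:
            opts.append((words[0], words[1:]))
    return opts


def unsupported_options(opts):
    """Pushed options a 2.0.6 client will refuse with 'Unrecognized option'."""
    return [name for name, _ in opts if name in UNSUPPORTED_IN_2_0_6]


def pushed_routes(opts):
    """Routes the client installs from this push, as ('network netmask', gateway)."""
    gw = None
    for name, args in opts:
        if name == "ifconfig" and len(args) == 2:
            gw = args[1]  # with topology net30 the second ifconfig address is the remote endpoint
    routes = []
    for name, args in opts:
        if name == "route" and args:
            # 'route network [netmask [gateway]]'; netmask defaults to a host route
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            routes.append((args[0] + " " + mask, args[2] if len(args) > 2 else gw))
        elif name == "redirect-gateway" and "def1" in args:
            # def1 adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel; the ISP default route stays
            routes.append(("0.0.0.0 128.0.0.0", gw))
            routes.append(("128.0.0.0 128.0.0.0", gw))
    return routes
```

The two /1 entries returned for `def1` are the ones that have to be removed from the routing table before a LAN firewall rule with the WAN gateway can take effect.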
-
Update
It seems port forwarded services on WAN work whereas stuff that terminates on the WAN, like the PPTP server and the OpenVPN SERVER, does not.
I have done packet capture on both ports and can verify that traffic is coming in but services seem unresponsive to clients.
So basically it seems that this solution is fine for outbound traffic, no local servers and only surfing the web through the tunnel, and does seem to work for port forwarded services to both WAN interfaces BUT running services on WAN like PPTP and OpenVPN might become unusable.
-
Hi, I have a similar issue as I'd like to use the swissvpn service as an exit node to the internet for part of my lan. Would you be interested in posting a bounty together regarding this? I was thinking about asking for an easy way to configure services like these as wan ports.
-
Maybe, maybe not. But I'm not happy enough with present situation. I have asked questions while providing what I believe to be detailed info and yet virtually nobody has been interested enough to comment.
So basically, I don't know, since no one has verified it, that my thoughts are correct, that the things I'm trying to do cannot be done. If I'm simply configuring something incorrectly that can be done it would be silly to offer a bounty. I would like for someone to tell me that I have done everything 100% correct and the other thing I try to do (policy routing between several or many OpenVPN WANs) cannot be done - or whatever.
When we're at that situation I can decide whether or not a bounty would be ok.
-
Sorry, I don't have the time anymore to look at the forum as much as I used to ;)
I use something quite similar, as I want to connect my workplace with my home.
I use this to redirect certain traffic I don't want to go over my workplace's network to my home.
(private traffic from my iPhone as an example).
How I did this:
Basically the same as you describe, however with some minor differences.
I don't use a PKI. For site-to-site connections I just prefer private shared key setups.
I redirect traffic not with the "redirect def1" but with my policy routing.
I don't think what you are after is even possible while using "redirect def1".
Also you don't need two entries in the failover pool. A single entry is enough. (see screenshot).
Just set on the OPT-config page the correct IP like in the OpenVPN config and the corresponding gateway. As monitor I use the other side of the VPN.
This is just a workaround from a previous version; with 1.2.3 you can assign the VPN tunnel as interface and thus select it as gateway directly.
This is actually another reason why to use a PSK and not a PKI. In a PSK you can hardcode the IP you use in the config.
In a PKI you can dynamically get a different IP when you have multiple clients. (of course you can use a client specific configuration).
In my "custom options" I forced the site-to-site connection to "dev tun10" to ensure I always have the same dev when assigning the interface.
In the example screenshot below I redirect my iPhone on wireless over the VPN to my home.
The normal policy routing rules apply.
What I would do in your case:
- Get rid of the PKI and set up a PSK.
- Get rid of the failover pool and use the gateway directly.
- Change the firewall rules to redirect traffic however you want.
-
Thanks very much for your reply.

> Sorry, I don't have the time anymore to look at the forum as much as I used to ;)
> I use something quite similar, as I want to connect my workplace with my home.
> I use this to redirect certain traffic I don't want to go over my workplace's network to my home.
> (private traffic from my iPhone as an example).
> How I did this:
> Basically the same as you describe, however with some minor differences.
> I don't use a PKI. For site-to-site connections I just prefer private shared key setups.

I use a PKI since that's what I get from the provider (StrongVPN); there's no option to use shared keys. Some other providers have it the other way around though.

> I redirect traffic not with the "redirect def1" but with my policy routing.
> I don't think what you are after is even possible while using "redirect def1".

That was my thought too and that's why I tried to manually (while testing) remove the entries from the shell (worked) and then use policy routing, but it didn't work all the way.

> Also you don't need two entries in the failover pool. A single entry is enough. (see screenshot).

Ok

> Just set on the OPT-config page the correct IP like in the OpenVPN config and the corresponding gateway. As monitor I use the other side of the VPN.
> This is just a workaround from a previous version; with 1.2.3 you can assign the VPN tunnel as interface and thus select it as gateway directly.

Hmm yes, that's what I've done; the VPN is an interface and much seems to work. I have incoming NAT and FW rules working through the tunnel from the outside too, and verified. Pretty cool. Means I could place my web server or whatever in Hong Kong :) and since the IP is static I could add that as an A record in DNS too.

> This is actually another reason why to use a PSK and not a PKI. In a PSK you can hardcode the IP you use in the config.
> In a PKI you can dynamically get a different IP when you have multiple clients. (of course you can use a client specific configuration).

I get the same IP etc. every time from StrongVPN; in fact that's part of this service, a static IP for the duration of that specific account.

> In my "custom options" I forced the site-to-site connection to "dev tun10" to ensure I always have the same dev when assigning the interface.

Ahh, that may be practical.

> In the example screenshot below I redirect my iPhone on wireless over the VPN to my home.
> The normal policy routing rules apply.
> What I would do in your case:
> - Get rid of the PKI and set up a PSK.
> - Get rid of the failover pool and use the gateway directly.
> - Change the firewall rules to redirect traffic however you want.

Thanks for your input, I will try and compare and do some testing. In this case (with this account) I will have to use the PKI though.
There is the problem with a dead peer though: if my tunnel stops working for some reason (has happened a few times, tunnel appears up but no traffic goes through) I need to disable/enable it to get it back up, but until that is done the network would be effectively offline if I have entered the VPN gateway instead of 'default' in the FW rule.
Maybe one could have a cron job running, pinging some VPN exit point IP and if no answer take down the tunnel, bring it back up and then remove those routing entries.
I'm also a bit concerned about those problems with WAN services, like OpenVPN and PPTP; they seem not to work while the tunnel is up, even though port forwarded services work fine. I'll try to do some more testing on that too.
Cheers,