Re: [newbie] OpenVPN: {DNS, ping, ssh} work, HTTP fails
summary: I have a routing problem on the server side of the VPN, as diagnosed by Mart van de Wege[1]: veel dank Mart! I hope to fix that problem using these linode instructions[2].
details:
Tom Roche Sat, 08 Nov 2014 23:47:29 -0500 [3]
>>> My jumpbox/server firewall is currently set to forward everything, using `iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE`:
Pascal Hambourg Sun, 09 Nov 2014 13:13:16 +0100 [4]
>> This rule doesn't forward anything, it just enables masquerading.
>> IPv4 forwarding is enabled with sysctl net.ipv4.ip_forward=1.
Correct: I also have
me@jumpbox:~$ fgrep -e 'forward' /etc/sysctl.conf
> # Uncomment the next line to enable packet forwarding for IPv4
> net.ipv4.ip_forward=1
> # Uncomment the next line to enable packet forwarding for IPv6
> #net.ipv6.conf.all.forwarding=1
on the server. Indeed I am a network newbie as previously advertised :-( In any case, current firewall behavior is as noted:
>>> me@jumpbox:~$ date ; sudo iptables -L
>>> Sat Nov 8 16:42:06 EST 2014
>>> Chain INPUT (policy ACCEPT)
>>> target prot opt source destination
>>> fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
>>> Chain FORWARD (policy ACCEPT)
>>> target prot opt source destination
>>> Chain OUTPUT (policy ACCEPT)
>>> target prot opt source destination
>>> Chain fail2ban-ssh (1 references)
>>> target prot opt source destination
>>> RETURN all -- anywhere anywhere
Mart van de Wege Sun, 09 Nov 2014 12:02:46 +0100 [1]
> What I suspect is a routing problem on the other side of the VPN.
> Can you ping IP addresses beyond your VPN?
> What does the output of traceroute show?
Good questions! I will add these to the Debian wiki[5] because your suspicions are correct. Before starting OpenVPN on either the laptop/client or the jumpbox/server:
me@laptop:~$ date ; pgrep -l openvpn | wc -l
> Sun Nov 9 09:24:43 EST 2014
> 0
me@laptop:~$ date ; ping -c 4 www.whatismyip.com
> Sun Nov 9 09:24:48 EST 2014
> PING www.whatismyip.com (141.101.120.15) 56(84) bytes of data.
> 64 bytes from 141.101.120.15: icmp_seq=1 ttl=57 time=94.7 ms
> 64 bytes from 141.101.120.15: icmp_seq=2 ttl=57 time=157 ms
> 64 bytes from 141.101.120.15: icmp_seq=3 ttl=57 time=88.3 ms
> 64 bytes from 141.101.120.15: icmp_seq=4 ttl=57 time=88.8 ms
>
> --- www.whatismyip.com ping statistics ---
> 4 packets transmitted, 4 received, 0% packet loss, time 15621ms
> rtt min/avg/max/mdev = 88.370/107.325/157.369/29.002 ms
me@laptop:~$ date ; traceroute www.whatismyip.com
> Sun Nov 9 09:25:17 EST 2014
> traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
> 1 192.168.15.1 (192.168.15.1) 0.850 ms 0.838 ms 1.378 ms
> 2 71-23-64-2.clt.clearwire-wmx.net (71.23.64.2) 75.041 ms 75.040 ms 75.030 ms
> 3 71.22.7.161 (71.22.7.161) 75.293 ms 75.287 ms 75.661 ms
> 4 66-192-62-1.static.twtelecom.net (66.192.62.1) 75.260 ms 75.619 ms 75.600 ms
> 5 ash1-pr1-xe-2-3-0-0.us.twtelecom.net (66.192.244.214) 84.267 ms 84.467 ms 84.456 ms
> 6 xe-0.equinix.asbnva01.us.bb.gin.ntt.net (206.126.236.12) 84.429 ms 86.913 ms 86.863 ms
> 7 ae10.ar2.iad1.us.as4436.gtt.net (69.31.31.168) 96.019 ms 96.242 ms 95.980 ms
> 8 as13335.xe-7-0-3.ar1.iad1.us.as4436.gtt.net (69.31.31.90) 95.604 ms 95.585 ms as13335.xe-9-0-2.ar1.iad1.us.as4436.gtt.net (69.31.30.14) 96.170 ms
> 9 * as13335.xe-7-0-3.ar1.iad1.us.as4436.gtt.net (69.31.31.90) 95.515 ms 95.520 ms
> 10 141.101.120.15 (141.101.120.15) 96.397 ms 96.392 ms 95.841 ms
After starting OpenVPN on first the jumpbox/server then the laptop/client, off-VPN routing is indeed hosed:
me@laptop:~$ date ; pgrep -l openvpn | wc -l
> Sun Nov 9 09:31:27 EST 2014
> 1
me@laptop:~$ date ; ping -c 4 www.whatismyip.com
> Sun Nov 9 09:31:33 EST 2014
> PING www.whatismyip.com (141.101.120.14) 56(84) bytes of data.
>
> --- www.whatismyip.com ping statistics ---
> 4 packets transmitted, 0 received, 100% packet loss, time 3023ms
me@laptop:~$ date ; traceroute www.whatismyip.com
> Sun Nov 9 09:33:06 EST 2014
> traceroute to www.whatismyip.com (141.101.120.15), 30 hops max, 60 byte packets
> 1 10.8.0.1 (10.8.0.1) 99.579 ms 99.584 ms 104.230 ms
> 2 * * *
...
> 30 * * *
Note also that the jumpbox/server is a linode running a stock Debian (`cat /etc/debian_version`=='7.7'), which are apparently able to support OpenVPN, per these linode.com-hosted instructions[6]. They are vague in places, which made me switch to the Debian wiki[5], but now I suspect that I need to switch back to its section='Tunneling All Connections through the VPN'[2]. So I'll give that a try. (Eventually I prefer only to tunnel ssh and the SSL VPN through the OpenVPN to the cluster, so I'll probably be back later :-)
Your assistance is appreciated! Tom Roche <Tom_Roche@pobox.com>
[1] https://lists.debian.org/debian-user/2014/11/msg00463.html
[2] https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-12-04-precise-and-debian-7#tunneling-all-connections-through-the-vpn
[3] https://lists.debian.org/debian-user/2014/11/msg00447.html
[4] https://lists.debian.org/debian-user/2014/11/msg00468.html
[5] https://wiki.debian.org/openvpn%20for%20server%20and%20client
[6] https://www.linode.com/docs/networking/vpn/secure-communications-with-openvpn-on-ubuntu-12-04-precise-and-debian-7
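The two diagnostics the replies above boil down to, as an added example that is not part of this thread, of the Debian wiki or of the Linode guide: a check of the server-side gateway prerequisites Pascal distinguishes (net.ipv4.ip_forward=1 to forward, the POSTROUTING MASQUERADE rule to NAT), and a check of the client-side traceroute pattern Mart asked about (hop 1 is the tunnel endpoint, nothing answers beyond it). Note that `iptables -L` as run in the thread lists only the filter table; the MASQUERADE rule lives in the nat table, so the check reads `iptables -t nat -S POSTROUTING`. The function names, the `--live` switch and all sample data are this example's own choices; the subnet, interface and tunnel address are the ones the thread uses.

```shell
#!/bin/sh
# Added example, not part of the thread or of OpenVPN/Debian itself.
# Two checks drawn from the replies above:
#   1. the server-side gateway prerequisites (ip_forward + MASQUERADE), and
#   2. whether a client traceroute gets any answer beyond the tunnel endpoint.
# Function and variable names are this example's own choices.

VPN_SUBNET="10.8.0.0/24"   # tunnel subnet used in the thread's iptables rule
EGRESS_IF="eth0"           # server's outbound interface in that rule
TUN_GW="10.8.0.1"          # server's tun address, hop 1 in the client traceroute

# check_gateway SYSCTL_OUT NAT_OUT
#   SYSCTL_OUT: output of `sysctl net.ipv4.ip_forward`
#   NAT_OUT:    output of `iptables -t nat -S POSTROUTING`
# Prints one line per missing prerequisite; returns 0 only if both are present.
check_gateway() {
    sysctl_out=$1
    nat_out=$2
    missing=0
    case "$sysctl_out" in
        *"net.ipv4.ip_forward = 1"*) ;;
        *) echo "MISSING: net.ipv4.ip_forward is not 1; the kernel will not forward tunnel traffic"
           missing=1 ;;
    esac
    # MASQUERADE alone forwards nothing, but without it replies from the
    # internet have no route back to the tunnel, so both must be present.
    if ! printf '%s\n' "$nat_out" | grep -qF -- "-A POSTROUTING -s $VPN_SUBNET -o $EGRESS_IF -j MASQUERADE"; then
        echo "MISSING: no MASQUERADE rule for $VPN_SUBNET out $EGRESS_IF in the nat table"
        missing=1
    fi
    return $missing
}

# beyond_tunnel_reachable TRACEROUTE_OUT
# Returns 0 if any hop after the tunnel endpoint ($TUN_GW) answered, 1 if
# every later hop is "* * *" (tunnel up, but the server is not passing
# traffic onward: the pattern Mart identified as a server-side routing fault).
beyond_tunnel_reachable() {
    printf '%s\n' "$1" | awk -v gw="$TUN_GW" '
        /^traceroute to/   { next }            # skip the header line
        $2 == gw           { seen = 1; next }  # the hop that is the tunnel endpoint
        seen && $2 != "*"  { found = 1 }       # an answered hop past the tunnel
        END { exit found ? 0 : 1 }'
}

# live_check: run the gateway check on the real host (iptables needs root).
live_check() {
    check_gateway "$(sysctl net.ipv4.ip_forward 2>/dev/null)" \
                  "$(iptables -t nat -S POSTROUTING 2>/dev/null)"
}

# --- constructed sample data (not captured from the thread's hosts) ---
SAMPLE_SYSCTL_OK="net.ipv4.ip_forward = 1"
SAMPLE_SYSCTL_BAD="net.ipv4.ip_forward = 0"
SAMPLE_NAT_OK="-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE"
SAMPLE_NAT_BAD="-P POSTROUTING ACCEPT"
# Shape of the failing traceroute in the thread: hop 1 answers, the rest do not.
SAMPLE_TRACE_BAD="traceroute to www.example.net (203.0.113.15), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  99.579 ms  99.584 ms  104.230 ms
 2  * * *
 3  * * *"
# What a working gateway would show: upstream hops answer after the tunnel.
SAMPLE_TRACE_OK="traceroute to www.example.net (203.0.113.15), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  99.579 ms  99.584 ms  104.230 ms
 2  198.51.100.1 (198.51.100.1)  101.2 ms  101.4 ms  101.9 ms
 3  203.0.113.15 (203.0.113.15)  103.0 ms  103.1 ms  103.3 ms"

demo() {
    echo "== gateway config, good host =="
    check_gateway "$SAMPLE_SYSCTL_OK" "$SAMPLE_NAT_OK" && echo "ok"
    echo "== gateway config, bad host =="
    check_gateway "$SAMPLE_SYSCTL_BAD" "$SAMPLE_NAT_BAD" || echo "not a working gateway"
    echo "== traceroute, thread's failure pattern =="
    beyond_tunnel_reachable "$SAMPLE_TRACE_BAD" || echo "nothing answers beyond $TUN_GW: look at server-side routing/NAT"
    echo "== traceroute, working gateway =="
    beyond_tunnel_reachable "$SAMPLE_TRACE_OK" && echo "upstream hops answer"
}

# Run the demo on the constructed data when executed directly; pass --live
# to run the gateway check on an actual server instead.
[ "${1:-}" = "--live" ] && live_check || demo
```

On the thread's own server both prerequisites were reportedly in place, which is why the traceroute half is the more telling one there: hop 1 answering from 10.8.0.1 shows the tunnel itself is fine, and the all-stars tail points at what happens to packets once the jumpbox has them, exactly the server-side routing problem the summary names.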