A Little Help with OpenVPN
rooter Member

Alright, so I have been running a VPN for several years, and this year my office implemented a new firewall. My VPN still connects and I am able to browse remote sites (remote from the server), but the local webserver is throwing errors on my iPhone.

"Safari cannot open the page because it could not establish a secure connection to the server"

I can browse the local website when connected from my work laptop via the VPN with no issues. When I look in the nginx logs there are no references to the iPhone trying to connect, so it must be losing the traffic before it hits the webserver, but I am at a loss to see why, if it works on my Windows work laptop.

Here is my server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn.status
verb 4
crl-verify crl.pem
topology subnet

And here is the client config:

client
dev tun
proto udp
remote server.address.com 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 4

<ca>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
xxx
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
xxxxx
-----END PRIVATE KEY-----
</key>

I have also tried using a VPN service via the same OpenVPN app on iOS, and I am able to reach that VPN server's websites no problem. So I am thinking there must be an issue with passing the local traffic through the VPN on the server, but unfortunately I am unable to find the solution.

I have also double-checked that ip_forwarding is enabled, and I have a rule in iptables to allow forwarding as well as to accept traffic from the devices:

-A POSTROUTING -s 10.8.0.0/8 -o p1p1 -j SNAT --to-source 123.456.789.000 (my public ip)

net.ipv4.ip_forward=1

-A INPUT -i tun+ -j ACCEPT

Posted this over at the OpenVPN forums a couple of days ago and haven't gotten any replies, so I thought I would try here as well. This is really frustrating me!

Thanks for any help or ideas you can provide.

Comments

  • rooter said: local webserver is throwing errors on my iphone.

    That is, I presume, your company's local webserver? Probably, due to OpenVPN running, the connection to the local webserver is going over the wrong network adapter and the firewall for the local webserver rejects the traffic. So there's not even a log in nginx. If that is your company's local webserver.

    Tell me if I got anything wrong. If it's a webserver on the same VPS as your OpenVPN server is.

  • @Hidden_Refuge said:
    Tell me if I got anything wrong. If it's a webserver on the same VPS as your OpenVPN server is.

    Sorry if I wasn't clear, the webserver I am having trouble with is the same machine that runs openvpn. I meant that it is local to the server itself.

  • Abdussamad Member
    edited August 2015

    In order for you to be able to connect to the VPN server, you have a rule in your OS routing table telling it to access said VPN server's public IP via your unencrypted network connection (eth1 or whatever) and not through the encrypted tunnel (tun*). Do you understand what I mean? Everything goes through the tunnel except for the connection to the VPN server itself. Meaning connections to the VPN server's public IP go through your normal unencrypted internet connection. So that is why you can't access websites hosted on the VPN server. Your phone is trying to connect through your work network and the firewall there is blocking access.

    So what you need to do is set the IP address for your website's domain name to your VPN server's virtual IP, i.e. 10.8.0.1, and not the public IP. This way the traffic will go through the tunnel.

    If you had access to the hosts file of your iPhone you could do it there.

    Otherwise install dnsmasq on the VPN server, set 'dhcp-option DNS 10.8.0.1' in your OpenVPN server.conf so that the phone uses dnsmasq as the DNS server, and then configure dnsmasq to answer with 10.8.0.1 when asked for your website domain's A record:

    http://unix.stackexchange.com/questions/52933/how-to-assign-multiple-fixed-ip-address-for-one-domain

    (set the ip to 10.8.0.1)

    Finally make sure nginx is listening on all interfaces.

  • rooter Member
    edited August 2015

    OK, I think I follow. The strange thing is that I don't have this problem when I am using any other network besides my work wifi. Why am I able to load the sites from the local webserver over cellular or my home wifi?

    I do appreciate you taking the time to answer and I will try your suggestion tomorrow when I get to work.

    Last thing, the VPN server and the nginx instance are located on the same machine. I am curious as to why the SNAT isn't working like it does via the other networks (cellular or other wifi)?

    Thanks again for taking the time :-)

  • Abdussamad Member
    edited August 2015

    rooter said: OK, I think I follow. The strange thing is that I don't have this problem when I am using any other network besides my work wifi. Why am I able to load the sites from the local webserver over cellular or my home wifi?

    Abdussamad said: Meaning connections to the VPN server's public IP go through your normal unencrypted internet connection.

    Do you understand this bit? Any connections to any service on your VPN server are going to go over whatever internet connection you have. That includes connections to openvpn and connections to nginx. These connections are not being tunneled through the VPN.

    Your phone is trying to connect through your work network and the firewall there is blocking access.

    This happens on your work network. On your other networks there is no censorship, so you can connect to nginx on the VPN server.

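Abdussamad's two replies above both come down to one routing fact: `redirect-gateway def1` sends everything through the tunnel except the VPN server's own public IP, which keeps a /32 host route out of the physical interface. The Python below is an added illustration, not code posted in this thread by anyone: it models the client routing table OpenVPN installs for `def1` (the two /1 halves plus the /32 host route, which is OpenVPN's documented behaviour), applies the kernel's longest-prefix match, and layers on the dnsmasq `address=/domain/ip` override suggested above so you can see which interface each request actually leaves on. It goes one step beyond the thread by also checking a website bound to a second public IP on the same machine. All IPs, hostnames and interface names (`wlan0`, `tun0`) are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# All addresses and interface names below are constructed for this example;
# none of them come from the thread.
VPN_SERVER_PUBLIC_IP = "203.0.113.10"   # what "remote server.address.com 1194" resolves to
SECOND_PUBLIC_IP = "203.0.113.11"       # an extra IP on the same box, used only by nginx
ORIGINAL_GATEWAY = "192.168.1.1"        # the work wifi router
VPN_GATEWAY = "10.8.0.1"                # server side of the tun ("server 10.8.0.0 255.255.255.0")

# Public DNS answers the phone would get without any override (constructed).
PUBLIC_DNS: Dict[str, str] = {
    "www.example.com": VPN_SERVER_PUBLIC_IP,   # site on the same IP as the VPN endpoint
    "app.example.com": SECOND_PUBLIC_IP,       # site on a second IP of the same machine
}

# The dnsmasq line suggested above: answer 10.8.0.1 for the site's name.
DNSMASQ_CONF = ["# /etc/dnsmasq.conf", "address=/www.example.com/10.8.0.1"]

# (prefix, next hop or None when on-link, device)
Route = Tuple[ipaddress.IPv4Network, Optional[str], str]


def routes_after_redirect_gateway(vpn_server_ip: str, orig_gw: str) -> List[Route]:
    """Client routing table after OpenVPN applies `redirect-gateway def1`.

    def1 leaves the original default route in place and shadows it with the two
    more-specific halves 0.0.0.0/1 and 128.0.0.0/1 via the tunnel.  It also adds
    a /32 host route for the VPN server's public IP via the original gateway so
    the encrypted UDP packets themselves can still get out.  That /32 is the
    exception the thread is about.
    """
    return [
        (ipaddress.ip_network("0.0.0.0/0"), orig_gw, "wlan0"),            # original default
        (ipaddress.ip_network("0.0.0.0/1"), VPN_GATEWAY, "tun0"),
        (ipaddress.ip_network("128.0.0.0/1"), VPN_GATEWAY, "tun0"),
        (ipaddress.ip_network(f"{vpn_server_ip}/32"), orig_gw, "wlan0"),  # host-route exception
        (ipaddress.ip_network("10.8.0.0/24"), None, "tun0"),              # on-link (topology subnet)
    ]


ROUTES = routes_after_redirect_gateway(VPN_SERVER_PUBLIC_IP, ORIGINAL_GATEWAY)


def lookup(routes: List[Route], dst: str) -> Tuple[Optional[str], str]:
    """Longest-prefix match, the same rule the kernel applies."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


def parse_dnsmasq_address(lines: List[str]) -> Dict[str, str]:
    """Collect dnsmasq `address=/domain/ip` lines into a {domain: ip} map."""
    overrides: Dict[str, str] = {}
    for raw in lines:
        line = raw.strip()
        if not line.startswith("address="):
            continue                          # comments, blanks, other options
        _, domain, ip = line.split("/", 2)    # "address=", "domain", "ip"
        overrides[domain.lower().rstrip(".")] = ip
    return overrides


def resolve(name: str, overrides: Dict[str, str]) -> str:
    """dnsmasq semantics: `address=` matches the domain and every subdomain of it;
    anything else is forwarded upstream (here: the constructed PUBLIC_DNS table)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in overrides:
            return overrides[candidate]
    return PUBLIC_DNS[name.lower().rstrip(".")]


def path_to(name: str, dnsmasq_lines: List[str], routes: List[Route]) -> Tuple[str, Optional[str], str]:
    """Resolve `name` the way the phone would, then route the resulting IP.
    Returns (ip, via, dev); dev == "wlan0" means the packet bypasses the tunnel
    and is exposed to whatever the work network's firewall does with it."""
    ip = resolve(name, parse_dnsmasq_address(dnsmasq_lines))
    via, dev = lookup(routes, ip)
    return ip, via, dev


if __name__ == "__main__":
    cases = [("www.example.com", []), ("www.example.com", DNSMASQ_CONF), ("app.example.com", [])]
    for name, conf in cases:
        ip, via, dev = path_to(name, conf, ROUTES)
        print(f"{name:16} -> {ip:14} via {via or 'on-link':12} dev {dev}")
```

The first case is the thread's symptom: the name resolves to the VPN endpoint's public IP, the /32 wins the longest-prefix match, and the HTTPS request leaves on `wlan0` where the work firewall drops it before nginx ever logs anything. The second case is the dnsmasq fix: the same name now resolves to 10.8.0.1, which falls under the on-link 10.8.0.0/24 and goes out `tun0`; for that to work, nginx has to listen on 10.8.0.1 (or 0.0.0.0) and the server's INPUT chain has to accept traffic arriving on `tun+`, which the posted rules already do. The third case shows why putting the website on a separate public IP also works without any DNS tricks: only the VPN endpoint's own address is excepted, so the second IP is covered by 128.0.0.0/1 and goes through the tunnel.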
  • -A POSTROUTING -s 10.8.0.0/8 -o p1p1 -j SNAT --to-source 123.456.789.000

    This is your problem

  • cosmicgate said:

    -A POSTROUTING -s 10.8.0.0/8 -o p1p1 -j SNAT --to-source 123.456.789.000

    This is your problem

    Nope, nothing wrong with that.

  • OK, I fixed the issue by simply putting the VPN on a separate IP from the webserver. Thank you for all your suggestions and workarounds.
