
#1 2011-05-02 23:37:49

Fackamato
Member
Registered: 2006-03-31
Posts: 579

OpenVPN issues [was: over SSH, twice?]

Hi,

I'm attempting to set up OpenVPN so that I can connect from work to my home LAN and access stuff from home as if they were "local" at work.
The problem is that the work firewall blocks all outgoing ports except 21, 22 and 80. This means that I can't directly connect to the OpenVPN daemon on 1194 as it's blocked.

My home server's ssh port is something else, so I can't ssh tunnel the port either. I do have access to another ssh server though. With that I can:

#!/bin/bash
echo "Tunneling port 12345 from home (ssh server) to localhost via 3rdparty-server ..."
ssh -f -L 12345:3rdparty-server:12345 user@3rdparty-server -N

With the above I can access my home server's SSH by just doing:

ssh homeuser@localhost -p 12345

I was thinking, can I then tunnel the OpenVPN port inside this SSH tunnel, then connect OpenVPN to localhost? Like this:

#!/bin/bash
echo "Tunneling port 1194 from home (OpenVPN server) to localhost via localhost (already tunneled) ..."
ssh -f -L 1194:localhost:1194 homeuser@localhost -p 12345 -N

Will this work? Except for terrible latency and higher chance of drop-out, is this OK?

Cheers,

edit: I've tried it now, and it appears to set up the VPN OK, but all traffic stops. sad

Last edited by Fackamato (2011-05-03 08:02:25)

Offline

#2 2011-05-03 03:04:56

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: OpenVPN issues [was: over SSH, twice?]

It will confuse the hell out of things like TCP window scaling etc., not to mention the triple layers of encryption.

Why not just set OpenVPN to listen on TCP 22?

Offline

#3 2011-05-03 03:08:04

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: OpenVPN issues [was: over SSH, twice?]

What?!
No. Just use OpenVPN with TCP and use port 443 (the HTTPS port) or 22 (move your SSH port to something else, like 2222).

edit: bah. fukawi2 beat me! tongue

Last edited by cactus (2011-05-03 03:08:46)


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#4 2011-05-03 04:19:15

Fackamato
Member
Registered: 2006-03-31
Posts: 579

Re: OpenVPN issues [was: over SSH, twice?]

Yeah why not. I changed the port of OpenVPN to 22, and I can connect to it fine with my phone and the work laptop.

However, when I connect using the laptop, I cannot reach the Internet or the Intranet anymore, just my home LAN. Any idea why this is? Here is the client config:

client-vpn.conf

client
remote myhost.internet 22
dev tun
proto tcp
resolv-retry infinite
nobind
persist-key
persist-tun
verb 2
ca ca.crt
cert client.crt
key mburen.key
comp-lzo

edit: Solved, I commented out this in openvpn.conf:

push "redirect-gateway def1"

thanks guys! smile

Last edited by Fackamato (2011-05-03 04:33:10)

Offline

#5 2011-05-03 07:39:11

ghen
Member
From: Belgium
Registered: 2010-08-31
Posts: 121

Re: OpenVPN issues [was: over SSH, twice?]

Keep in mind that (any) VPN over TCP is very inefficient, especially on crappy connections.
If the firewall admin is lousy, maybe those ports 21/22/80 are open for UDP as well? Or try UDP port 53.

Last edited by ghen (2011-05-03 07:46:54)

Offline

#6 2011-05-03 08:01:48

Fackamato
Member
Registered: 2006-03-31
Posts: 579

Re: OpenVPN issues [was: over SSH, twice?]

ghen wrote:

Keep in mind that (any) VPN over TCP is very inefficient, especially on crappy connections.
If the firewall admin is lousy, maybe those ports 21/22/80 are open for UDP as well? Or try UDP port 53.

Yeah? Actually it did work for a while, then just stopped working. Not sure if I thought it was working before, but maybe it never was...

I'm trying to bridge the networks over the VPN now. Didn't get far with UDP; with TCP I can connect, but the clients never get any IPs... need to investigate further.

Offline

#7 2011-05-03 09:09:31

ghen
Member
From: Belgium
Registered: 2010-08-31
Posts: 121

Re: OpenVPN issues [was: over SSH, twice?]

Fackamato wrote:

Yeah? Actually it did work for a while, then just stopped working. Not sure if I thought it was working before, but maybe it never was...

I'm trying to bridge the networks over the VPN now. Didn't get far with UDP; with TCP I can connect, but the clients never get any IPs... need to investigate further.

Functionally, OpenVPN will be completely the same over TCP or UDP. But with (Open)VPN over TCP, TCP connections inside the tunnel will have a lot more performance/reliability issues with network congestion and packet loss, as there are TCP layers inside *and* outside the tunnel trying to handle this. TCP over UDP on the other hand will behave mostly like TCP over bare IP.

Last edited by ghen (2011-05-03 09:10:03)

Offline
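The mechanism ghen describes can be made concrete with a small model. The following is an added example, not code from this thread or from OpenVPN: it follows one inner TCP segment through a tunnel whose underlay drops the first few transmissions, once with the tunnel carried over UDP and once over TCP. It assumes both TCP stacks start from the same RTO and double it on each timeout, that ACKs are never lost, and that the outer TCP socket delivers everything it is handed in order; fast retransmit, window limits and buffer limits are left out. The output shows what "two TCP layers trying to handle the same loss" costs: the inner stack keeps firing its timer while the outer one is still recovering, and every firing queues a duplicate copy that the outer connection must then carry.

```python
"""Toy model of TCP-over-TCP versus TCP-over-UDP for one lost segment.

Constructed example (not from the thread). All times are in milliseconds.
"""


def retransmit_schedule(rto_ms, wire_losses):
    """Times at which a TCP sender retransmits, doubling its RTO each time.

    The segment crosses the wire on the attempt after the last loss, so the
    final entry is the moment the data finally gets through.
    """
    times, t, rto = [], 0, rto_ms
    for _ in range(wire_losses):
        t += rto
        times.append(t)
        rto *= 2
    return times


def tunnel_cost(wire_losses, outer_tcp, rtt_ms=100, rto_ms=300):
    """Describe delivery of one inner segment through the tunnel.

    outer_tcp=False models OpenVPN over UDP: the inner TCP stack is the only
    thing that retransmits, so each wire send is one it chose to make.
    outer_tcp=True models OpenVPN over TCP: the outer socket retransmits on
    its own, while the inner stack, unaware of that, keeps firing its timer
    and hands duplicate copies into the outer stream, which must carry them.
    Assumes both stacks use the same RTO schedule and ACKs are never lost.
    """
    schedule = retransmit_schedule(rto_ms, wire_losses)
    t_ok = schedule[-1] if schedule else 0          # last wire attempt succeeds
    delivered_ms = t_ok + rtt_ms // 2               # one-way delay to the peer
    inner_ack_ms = t_ok + rtt_ms                    # inner ACK back at sender

    if not outer_tcp:
        return {"wire_sends": wire_losses + 1,
                "redundant_sends": 0,
                "delivered_ms": delivered_ms}

    # The inner timer fires on its own schedule until its ACK arrives; every
    # firing queues a duplicate that the outer TCP delivers in order after
    # its own recovery, so each one costs a further send on the wire.
    t, rto, duplicates = 0, rto_ms, 0
    while True:
        t += rto
        if t >= inner_ack_ms:
            break
        duplicates += 1
        rto *= 2
    return {"wire_sends": wire_losses + 1 + duplicates,
            "redundant_sends": duplicates,
            "delivered_ms": delivered_ms}


def compare(max_losses=4):
    """Return (losses, udp_result, tcp_result) rows for a range of loss bursts."""
    return [(n, tunnel_cost(n, False), tunnel_cost(n, True))
            for n in range(max_losses + 1)]


if __name__ == "__main__":
    print("losses  udp_sends  tcp_sends  tcp_redundant  delivered_ms")
    for n, udp, tcp in compare():
        print(f"{n:6d}  {udp['wire_sends']:9d}  {tcp['wire_sends']:9d}"
              f"  {tcp['redundant_sends']:13d}  {tcp['delivered_ms']:12d}")
```

Delivery time of the first good copy is the same in both modes under these assumptions; the difference is that over TCP the tunnel also carries a duplicate for every inner timeout, and any new data the inner stack sends afterwards queues behind those duplicates, which is the head-of-line effect that makes the tunnel feel stalled on lossy links.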

#8 2011-05-03 11:10:49

Fackamato
Member
Registered: 2006-03-31
Posts: 579

Re: OpenVPN issues [was: over SSH, twice?]

Aha, right. I think I have it working now, with UDP and bridged mode. It's working with the phone at least, I've yet to test at work (gimme ~10 hours) smile. For my own reference, here's the server config for openvpn that I'm currently using:

# /etc/openvpn/server.conf
# 2009.12.31
#
# address to bind to, instead of all available
local 192.168.1.198
# new features, as of v2.1.1
#can listen on multiple ips over udp
multihome
# needed to allow internally called scripts like up/down
#  to call external programs like ifup, etc
;script-security 2

# tcp might work better on certain "dev tun" setups
#  but not for wrapping more tcp or further encrypted
#  streams, as that would be redundant, and very slow
# "port 1194" and "proto udp" are defaults
port 22
proto udp

# could specify interface, like tap0 or tap1
#  or use up/down routing scripts to handle
#  more than one, if needed
dev tap0

# simple scripts
#  for adding/removing  to tap
;up "up.sh br0:0"
;down "down.sh br0:0"

# identical certificate on server & client
# ca config/keys/ca.crt
ca /etc/openvpn/easy-rsa/keys/ca.crt

# server's own cert/key
# cert config/keys/server.crt
# key config/keys/server.key  # keep secret
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key

# for certificate handshake
# dh config/keys/dh1024.pem
dh /etc/openvpn/easy-rsa/keys/dh1024.pem

# no arguments will use this subnet's dhcp server
#  not openvpn dynamic/static assignment
# either way is good, but if you know you're not conflicting
#  with any other IP addressing schemes on your subnet,
#  this is much faster
# this directive expands to include "mode server" and "tls-server"
#  so including them elsewhere is redundant
;server-bridge 192.168.3.252 255.255.255.0 192.168.3.1 192.168.3.16
# like what dhcp does, reuses IPs
;ifconfig-pool-persist ipp.txt
# pool end must stay below the subnet broadcast address,
#  so .254 here rather than .255
server-bridge 192.168.1.198 255.255.255.0 192.168.1.250 192.168.1.254
# server-bridge

# this one uses a dhcp server, server-side
#  potentially better for controlling ip addresses from one location
#  clients must support binding their dhcp client to their tap adapter
# only one server-bridge form can be active at a time;
#  the pool form above is the one in use, so this stays disabled
;server-bridge nogw # 'nogw' is optional

# openvpn server routes client packets to each other itself
#  should happen anyway in 'dev tap' mode, but this saves time
client-to-client

# ping clients to auto close server side connection
keepalive 10 60

# 0 for server, 1 for client
# tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0 # This file is secret

# cryptographic cipher.
;cipher BF-CBC        # Blowfish (default)
cipher AES-128-CBC   # AES

# compression is useful for xfer of
#  not already compressed files, like database
#  files, otherwise add needless overhead
# comp-lzo [mode] ; yes|no|adaptive, adaptive default
# ;comp-lzo
comp-lzo

# not needed yet
;max-clients 100

# drop root privileges once connected
#  good idea, for servers running on linux
# user nobody
# group nobody

# avoid accessing things you no longer can
persist-key
persist-tun

# short status file showing current connections
#  rewritten every minute.
status /var/log/openvpn-status.log

# use one or the other, useful for managing multiple
#  concurrent servers on a system
# ;log         openvpn.log
log-append /var/log/openvpn.log

# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# silence repeating messages past certain number, in log
;mute 20

I get permission denied when I enable the server to drop to the user nobody. Need to check that. I also had to disable TLS, couldn't get it to work with any client.

Offline
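The problems that surface across this thread (a TCP tunnel carrying TCP, a pushed `redirect-gateway` that cut the client off from the Internet, a bridge pool whose end lands on the broadcast address next to a second `server-bridge` form, and a server that neither drops root nor uses `tls-auth`) are all visible from the config file alone. The following is an added example, not code from the thread or from the OpenVPN project: a small Python linter that parses an OpenVPN server config and reports those findings. The sample config is a constructed, trimmed copy of the `server.conf` posted above, and the "fixed" config is a constructed variant with the issues corrected. The reading of `push "redirect-gateway"` as requiring IP forwarding and NAT on the server is the usual explanation for the symptom in post #4 and is an assumption here, not something the thread states; the finding codes are invented for this example.

```python
"""Lint an OpenVPN server config for the pitfalls raised in this thread.

Added example (not from the thread or OpenVPN). Finding codes are made up
for this script; the checks follow the points made in the posts above.
"""
import ipaddress
import shlex

# Constructed sample, trimmed from the server.conf posted above.
SAMPLE_CONF = """
local 192.168.1.198
port 22
proto udp
dev tap0
server-bridge 192.168.1.198 255.255.255.0 192.168.1.250 192.168.1.255
server-bridge nogw # 'nogw' is optional
client-to-client
keepalive 10 60
# tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
persist-key
persist-tun
# user nobody
# group nobody
verb 4
"""

# Constructed: the same server with the findings below corrected.
FIXED_CONF = """
local 192.168.1.198
port 22
proto udp
dev tap0
server-bridge 192.168.1.198 255.255.255.0 192.168.1.250 192.168.1.254
client-to-client
keepalive 10 60
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
persist-key
persist-tun
user nobody
group nobody
verb 4
"""


def parse(text):
    """Yield (directive, args). A token starting with '#' or ';' begins a comment."""
    for raw in text.splitlines():
        tokens = []
        for tok in raw.split():
            if tok[0] in "#;":
                break
            tokens.append(tok)
        if tokens:
            args = shlex.split(" ".join(tokens))   # keeps push "a b" as one arg
            yield args[0], args[1:]


def lint(text):
    """Return finding codes in order of discovery (empty list means clean)."""
    directives = list(parse(text))
    present = {name for name, _ in directives}
    findings = []
    pool_forms = nogw_forms = 0
    for name, args in directives:
        if name == "proto" and args and args[0].startswith("tcp"):
            findings.append("TCP_OVER_TCP")          # nested TCP recovery, post #7
        elif name == "push" and args and args[0].split()[0] == "redirect-gateway":
            findings.append("FULL_TUNNEL_NEEDS_NAT")  # server must forward + NAT, else post #4
        elif name == "server-bridge" and len(args) == 4:
            pool_forms += 1
            gw, mask, start, end = args
            net = ipaddress.ip_network(f"{gw}/{mask}", strict=False)
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
            # pool must sit strictly inside the subnet: no network/broadcast address
            if not (net.network_address < lo <= hi < net.broadcast_address):
                findings.append("BAD_POOL")
            if lo <= ipaddress.ip_address(gw) <= hi:
                findings.append("POOL_CONTAINS_SERVER")
        elif name == "server-bridge" and args == ["nogw"]:
            nogw_forms += 1
    if pool_forms and nogw_forms:
        findings.append("BRIDGE_FORM_CONFLICT")      # pool form and DHCP-proxy form together
    if not {"user", "group"} <= present:
        findings.append("NO_PRIV_DROP")              # still root after setup, post #8
    if "tls-auth" not in present:
        findings.append("NO_TLS_AUTH")               # control channel not HMAC-gated, post #8
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {lint(conf) or 'clean'}")
```

Running it on the posted config reports the broadcast-address pool end, the two competing `server-bridge` forms, the missing `user`/`group` and the absent `tls-auth`; the corrected variant comes back clean. Switching the sample to `proto tcp` and appending a `push "redirect-gateway def1"` line adds the two findings that correspond to posts #4 and #7.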
