[kwlug-disc] Initiating connections to OpenVPN clients

unsolicited unsolicited at swiz.ca
Wed Jun 29 19:24:04 EDT 2011


Sorry, you said it can respond. Never mind. Please ignore.

When I have run into this, the traffic from server b is not properly 
getting sent down the tunnel, it's going elsewhere / being considered 
as something else. IIRC, this was typically on the vpn server, where 
it was routing server b down the wrong non-vpn 'super-'interface 
instead of through the vpn (virtual) sub-interface.

This feels like a configuration issue on your end of the vpn link. 
Incorrect dynamically allocated / created route on your end?

If you do 'route' before/after vpn connection, do you see the 
additional route created on the vpn server?

unsolicited wrote, On 06/29/2011 6:50 PM:
> Paul Nijjar wrote, On 06/29/2011 6:37 PM:
>> Let's say I have the following:
>> - a network named "A", which is an OpenVPN server (running on pfSense,
>>   as usual)
>> - a server named "B" on that network. It is running Windows.
>> - a client named "C", which has a connection to network A. It is
>>   running Ubuntu, and has SSHD running on it.
>> Client C can see network A. It can make arbitrary connections to
>> machines in that network, including server B.
>>
>> However, server B cannot initiate an SSH session on C (or ping it, or
>> anything else). It can *respond* to requests for client C, but cannot
>> *initiate* anything. 
> 
> Can anything else on the network? (Excluding the vpn server itself.)
> 
> Follow the route - if you see how server B's traffic is hopping, perhaps 
> it is not going down the expected path.
> 
> Try 'route add <vpn net> mask <vpn net mask> <vpn server>' on server B, 
> see if it all gets happy. If it does, server B's gateway isn't sending 
> the packet back the vpn server's way.
> 
>> My inclination is to say that the firewall in front of client C is
>> blocking incoming connections from network A. But I don't know whether
>> OpenVPN can do magic to get around that. Can it?
> 
> Everything is tunnelled over the established vpn connection. C's 
> firewall's SPI issue shouldn't be apparent. Server B's traffic is 
> tunnelled within it.
> 
>> My eventual goal is to initiate an SSH session from server B to client
>> C. (Yes, I know this is weird.) Can I do this without installing
>> Cygwin and SSHD on server B?
> 
> Well ... if you want server B to ssh anywhere, you'll have to install 
> ssh on it. (Actually, arguably, since the vpn connection is encrypted, 
> telnet may do you.) sshd shouldn't be necessary, given what you've said. 
> I suppose it could be the openssl windows ssh client though (which 
> probably uses the cygwin dll anyways). Or putty, or something.
> 
> But if pings don't work (assuming icmp is accepted by all stations in 
> the path) you have a routing issue. Go directly to jail (routing), do 
> not pass go (ssh client) ...
> 
> _______________________________________________
> kwlug-disc mailing list
> kwlug-disc at kwlug.org
> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> 
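As an added illustration of the "run route before/after the VPN comes up" and "follow the route" diagnostics above (example code, not from the thread or from OpenVPN): a longest-prefix-match lookup over a routing table that reports whether traffic for a VPN client would leave via the tunnel, via a specific next hop such as the VPN server, or fall through to the default gateway. The sample tables are constructed in Linux `ip route` format, and the addresses (192.168.1.0/24 LAN, 10.8.0.0/24 VPN subnet, 192.168.1.5 as the VPN server) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]  # None: directly connected
    device: str

def parse_ip_route(text: str) -> List[Route]:
    """Parse Linux `ip route` lines such as 'default via 192.168.1.1 dev eth0'
    or '10.8.0.0/24 dev tun0 scope link' (other keywords are ignored)."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        gw = f[f.index("via") + 1] if "via" in f else None
        routes.append(Route(ipaddress.ip_network(dst, strict=False), gw, f[f.index("dev") + 1]))
    return routes

def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the same route selection the kernel performs."""
    ip = ipaddress.ip_address(dst)
    return max((r for r in routes if ip in r.network), key=lambda r: r.network.prefixlen, default=None)

def check_vpn_path(routes: List[Route], client_ip: str) -> str:
    """Where would a packet for the VPN client go?  'tunnel': out a tun/tap
    device (correct on the VPN server); 'via-gateway': a specific route hands it
    to another host (what 'route add <vpn net> ... <vpn server>' gives server B);
    'default-gateway': only the default route matches, i.e. the misrouting the
    thread describes."""
    r = lookup(routes, client_ip)
    if r is None:
        return "no-route"
    if r.network.prefixlen == 0:
        return "default-gateway"
    return "tunnel" if r.device.startswith(("tun", "tap")) else "via-gateway"

# Constructed sample tables (not from the thread). 192.168.1.0/24 is the LAN,
# 10.8.0.0/24 the VPN client subnet, 192.168.1.5 the VPN server's LAN address.
BEFORE_VPN = "default via 192.168.1.1 dev eth0\n192.168.1.0/24 dev eth0 scope link\n"
AFTER_VPN = BEFORE_VPN + "10.8.0.0/24 dev tun0 scope link\n"
SERVER_B_FIXED = BEFORE_VPN + "10.8.0.0/24 via 192.168.1.5 dev eth0\n"

def diagnose(client_ip: str = "10.8.0.6") -> dict:
    """Compare the verdicts for each sample table for one VPN client address."""
    return {name: check_vpn_path(parse_ip_route(tbl), client_ip)
            for name, tbl in (("before", BEFORE_VPN), ("after", AFTER_VPN), ("server_b", SERVER_B_FIXED))}
```

On a real host, paste the output of `ip route` (Linux) into `parse_ip_route` and look up client C's VPN address; a "default-gateway" verdict on server B is the case the `route add` suggestion above addresses.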