[kwlug-disc] Initiating connections to OpenVPN clients
unsolicited at swiz.ca
Wed Jun 29 19:24:04 EDT 2011
Sorry, you said it can respond. Never mind. Please ignore.
When I have run into this, the traffic from server b is not properly
getting sent down the tunnel, it's going elsewhere / being considered
as something else. IIRC, this was typically on the vpn server, where
it was routing server b down the wrong non-vpn 'super-'interface
instead of through the vpn (virtual) sub-interface.
This feels like a configuration issue on your end of the vpn link.
Incorrect dynamically allocated / created route on your end?
If you do 'route' before/after vpn connection, do you see the
additional route created on the vpn server?
unsolicited wrote, On 06/29/2011 6:50 PM:
> Paul Nijjar wrote, On 06/29/2011 6:37 PM:
>> Let's say I have the following:
>> - a network named "A", which is an OpenVPN server (running on pfSense,
>> as usual)
>> - a server named "B" on that network. It is running Windows.
>> - a client named "C", which has a connection to network A. It is
>> running Ubuntu, and has SSHD running on it.
>> Client C can see network A. It can make arbitrary connections to
>> machines in that network, including server B.
>> However, server B cannot initiate an SSH session on C (or ping it, or
>> anything else). It can *respond* to requests for client C, but cannot
>> *initiate* anything.
> Can anything else on the network? (Excluding the vpn server itself.)
> Follow the route - if you see how server B's traffic is hopping, perhaps
> it is not going down the expected path.
> Try 'route add <vpn net> mask <vpn net mask> <vpn server>' on server B,
> see if it all gets happy. If it does, server B's gateway isn't sending
> the packet back the vpn server's way.
>> My inclination is to say that the firewall in front of client C is
>> blocking incoming connections from network A. But I don't know whether
>> OpenVPN can do magic to get around that. Can it?
> Everything is tunnelled over the established vpn connection. C's
> firewall's SPI issue shouldn't be apparent. Server B's traffic is
> tunnelled within it.
>> My eventual goal is to initiate an SSH session from server B to client
>> C. (Yes, I know this is weird.) Can I do this without installing
>> Cygwin and SSHD on server B?
> Well ... if you want server B to ssh anywhere, you'll have to install
> ssh on it. (Actually, arguably, since the vpn connection is encrypted,
> telnet may do you.) sshd shouldn't be necessary, given what you've said.
> I suppose it could be the openssl windows ssh client though (which
> probably uses the cygwin dll anyways). Or putty, or something.
> But if pings don't work (assuming icmp is accepted by all stations in
> the path) you have a routing issue. Go directly to jail (routing), do
> not pass go (ssh client) ...
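The diagnosis suggested in the thread (check which route, and therefore which interface, server B's packets for client C would take) can be scripted. This is an added example, not code from the thread: it parses a constructed `route -n` table, does the longest-prefix match the kernel does, and flags when the VPN client's address would leave via the physical interface instead of the tunnel. The addresses, `tun0`, and the table contents are assumptions.

```python
import ipaddress

# Constructed sample of Linux `route -n` output from a VPN-connected host
# (not from the thread): a default route, the LAN, and the VPN subnet via tun0.
SAMPLE_ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
"""

# The same table with the VPN route missing: the misconfiguration described
# in the thread, where VPN-bound traffic falls through to the default gateway.
BROKEN_ROUTE_TABLE = "\n".join(
    line for line in SAMPLE_ROUTE_TABLE.splitlines() if "tun0" not in line
)

def parse_route_table(text):
    """Parse `route -n` text into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # skip the two header lines
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes

def lookup(routes, addr):
    """Longest-prefix match: return the (gateway, iface) the kernel would use."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, gw, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

def check_vpn_path(routes, client_addr, vpn_iface="tun0"):
    """Report whether traffic to client_addr would leave via the VPN interface."""
    hop = lookup(routes, client_addr)
    if hop is None:
        return "no route"
    gw, iface = hop
    return "ok" if iface == vpn_iface else f"leaks via {iface} (gateway {gw})"

if __name__ == "__main__":
    print(check_vpn_path(parse_route_table(SAMPLE_ROUTE_TABLE), "10.8.0.6"))
    print(check_vpn_path(parse_route_table(BROKEN_ROUTE_TABLE), "10.8.0.6"))
```

Run the same check on server B's gateway as well as on B itself: if either hop resolves to a non-tunnel interface for the client's address, the packets never reach the VPN server, which matches the "routing issue" conclusion above.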