Hak5 Forums

GMaxW

Active Members
  • Content Count: 7
  • Rank: Newbie
  1. GMaxW

    Reverse VPN -- anybody got it working?

    Yes, you have indeed spotted a discrepancy, and it's a setting that indeed looks relevant to the problem. I think from the video I absorbed that the Turtle might have these blocks of settings already in place, and when I noticed they were, I must not have read as closely as I should. Anyhow, I have now changed that setting in my Turtle, but I can't test on the VPN at the moment, so that'll have to wait until a bit later. Thanks for your attention. I will report back whether this indeed gets things working.
  2. GMaxW

    Reverse VPN -- anybody got it working?

    To be clear, in the Reverse VPN video I linked, Darren did list some firewall and network changes, which I copy below. Those were already in place on my Turtle as delivered. And these do not include the iptables NAT settings I just mentioned.

    /etc/config/network: ... after config interface 'wan' section...

        config interface 'vpn'
            option ifname 'tun0'
            option proto 'dhcp'

    /etc/config/firewall: check there's a section:

        config zone
            option name 'vpn'
            list network 'vpn'
            option input ACCEPT
            option output ACCEPT
            option forward REJECT

        config forwarding
            option src lan
            option dest vpn

        config forwarding
            option src vpn
            option dest lan
  3. GMaxW

    Reverse VPN -- anybody got it working?

    > why would I or anyone else take the time to write a complete set of config settings

    I was hoping someone already had them written down, primarily someone from hak5, given that Turtle is promoted to do this scenario.

    > when you would read through them and say yup yup I did all that already???

    Obviously I'm looking for the thing in the known-working config that I would NOT say "yup" to!

    > Did you configure the OpenVPN AS reverse gateway correctly? Which is give it an IP: 192.168.65.0/24 and check those two boxes above it. Which at this point you almost make it sound like you're not sure what I'm referring to.

    Well, I guess you are referring to the client "VPN Gateway" setting, the "act as VPN gateway for this subnet" slot, and the "Allow access from" checkboxes. Yes, those are configured correctly.

    > Did you configure the lan that the turtle is on correctly?

    The LAN that the Turtle is on is not supposed to require any configuration. That is part of the point -- you are supposed to be able to stick the Turtle onto a LAN without needing any intervention in the existing LAN's config. ("Excuse me Mr Admin of the network I'm trying to snoop on, would you mind configuring your router for me" hahaha.) (Though I hasten to add my own purpose is not nefarious.)

    You are right that additional info would be gathered by performing the pings: (a) while SSH'ed to Turtle, and performing pings from Turtle to LAN devices, and (b), the holy grail, pinging from some other VPN client, through the VPN, through Turtle, to a LAN device. That I can't do quickly at the moment.

    However, I have in the past couple of hours got this structure working, just with an Ubuntu machine substituting in the role of Turtle. The missing piece was to get the gateway machine to perform NAT for traffic gateway <--> LAN. I guess that way additional routing is not needed on the LAN; machines on the LAN get packets addressed from a LAN-local machine, and send replies back to a LAN-local machine (the gateway), so the LAN's router is not involved. On Ubuntu this involved the two commands:

        sudo iptables -t nat -A POSTROUTING -s 192.168.65.0/24 -o tun0 -j MASQUERADE
        sudo iptables -t nat -A POSTROUTING -s 172.27.224.0/24 -o enp2s0 -j MASQUERADE

    I don't know the equivalent on Turtle, but nothing in the video's instructions indicated anything about NAT for Turtle's interaction with the LAN. So I don't know if that piece is needed but was missing from the video, or was expected to be pushed by OpenVPN AS to Turtle but isn't, or what. Anyhow, I appreciate your engaging with this issue. Perhaps you have other comments on the NAT issue. Thanks.
  4. GMaxW

    Reverse VPN -- anybody got it working?

    > When you created the ovpn file for the turtle on OpenVPN AS I see the VPN Gateway is set to 192.168.65.0/24.

    Not sure what you mean here. 192.168.65.0/24 is indeed the subnet address range for the LAN that the gateway/client is on.

    > Did you also check the box for Allow access from "all server-side private subnets" and "all other VPN clients?"

    I assume you mean for the gateway client, in which case yes.

    > When you SSH into your turtle from your off-lan machine can you ping your on-lan machines from the turtle?

    That's a good question. I did not try that. And I have now reconfigured to try using an Ubuntu machine as the gateway/client, so had to unconfigure the Turtle. Sadly not getting the Ubuntu client/gateway to work yet either. Frankly I lack hope of getting this to work with a series of "did you try this, did you try that" piecemeal suggestions. Which is why I'm looking for a complete set of config settings that are known to actually work verbatim.
  5. GMaxW

    Reverse VPN -- anybody got it working?

    And in case it's any use, here's the result of ip route on Turtle:

        root@turtle:~# ip route
        0.0.0.0/1 via 172.27.224.129 dev tun0
        default via 192.168.65.1 dev eth1 proto static src 192.168.65.102 metric 20
        default via 172.16.84.84 dev eth0 proto static metric 30
        128.0.0.0/1 via 172.27.224.129 dev tun0
        [OpenVPN-AS server's IP] via 192.168.65.1 dev eth1
        172.16.84.0/24 dev eth0 proto static scope link metric 30
        172.27.224.128/25 dev tun0 proto kernel scope link src 172.27.224.165
        192.168.65.0/24 dev eth1 proto static scope link metric 20
        192.168.65.1 dev eth1 proto static scope link src 192.168.65.102 metric 20
        root@turtle:~#

    192.168.65.0/24 is the LAN.
    172.27.224.128/25 is the virtual network on the OpenVPN-AS server, with its gateway at 172.27.224.129.
    OpenVPN-AS shows turtle connected at 172.27.224.165.
  6. I was hoping to get the reverse VPN setup working, but have been so unsuccessful I'm starting to doubt that it actually works. In the absence of better docs, I have been following the Hak5 video here: https://www.youtube.com/watch?v=b7qr0laM8kA

    I have painstakingly scoured this video second by second, noting every setting that Darren makes. And I have slavishly configured OpenVPN AS at Digital Ocean exactly the same way (well, except specific IP addresses of course), installed the ovpn files on an off-LAN client, and also on the Turtle. And I've also checked the network and firewall settings at the end of the video, which were already in place out-of-the-box.

    I can get both LAN Turtle and the off-LAN client to show up as clients in the OpenVPN admin web interface. I can SSH from the off-LAN client to the Turtle on the LAN. (However, I can't SSH from LAN machines to the Turtle, which is a puzzle, posted in a different thread.)

    But what I can't do is to get the off-LAN client to connect to other machines on the LAN that Turtle is supposed to be acting as gateway for. For example, I set up a couple of on-LAN machines with a simple web server, which is visible to other machines on the LAN, and should be connectable by the Turtle. I also used traceroute from the off-LAN machine to a machine on the LAN, and the only two hops I get are first to the gateway on the OpenVPN-AS virtual LAN, and then to the VPN address of the Turtle, but no further.

    So the bottom line question is: what are the exact settings needed to get this gateway to work? Or further diagnostic steps? Thanks.
  7. I have done the initial config procedure on a new Turtle, which of course entails an SSH connection over USB. And that includes the update procedure. Now I want to SSH to the turtle via its ethernet port. It's on the LAN, I can ping it, but attempts to connect via SSH (port 22) are refused (i.e. not just timed out). I have tried the firewall fixes by MonkeyMan here: ... and rebooted. But no improvement. Could somebody post or point to the exact settings required to get this simple function to work? Thanks.
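The ip route table pasted in post 5 above is the kind of output worth reading mechanically when debugging a tunnel: the two /1 routes (0.0.0.0/1 and 128.0.0.0/1) are OpenVPN's redirect-gateway "def1" pattern, which captures all traffic into tun0 without touching either default route, while the LAN prefix and the host route to the VPN server stay on eth1. The following is an added example, not code from the original posts, the LAN Turtle or OpenVPN: it parses that table, applies the kernel's longest-prefix-then-lowest-metric selection, and reports which interface and gateway a given destination would use. The server address the poster redacted is replaced here with the documentation-range placeholder 203.0.113.10, an assumption of this example.

```python
import ipaddress

# Constructed copy of the `ip route` table quoted in post 5. The line the poster
# redacted as "[OpenVPN-AS server's IP]" is replaced with the documentation-range
# placeholder 203.0.113.10 (an assumption, not the real server address).
TURTLE_ROUTES = """\
0.0.0.0/1 via 172.27.224.129 dev tun0
default via 192.168.65.1 dev eth1 proto static src 192.168.65.102 metric 20
default via 172.16.84.84 dev eth0 proto static metric 30
128.0.0.0/1 via 172.27.224.129 dev tun0
203.0.113.10 via 192.168.65.1 dev eth1
172.16.84.0/24 dev eth0 proto static scope link metric 30
172.27.224.128/25 dev tun0 proto kernel scope link src 172.27.224.165
192.168.65.0/24 dev eth1 proto static scope link metric 20
192.168.65.1 dev eth1 proto static scope link src 192.168.65.102 metric 20
"""

# `ip route` attributes that are always followed by a value
VALUE_KEYS = ("via", "dev", "src", "proto", "scope", "metric")


def parse_routes(text):
    """Parse `ip route` output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("root@"):
            continue  # blank line or a pasted shell prompt
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False),
                 "via": None, "dev": None, "src": None, "metric": 0}
        i = 1
        while i < len(tokens):
            if tokens[i] in VALUE_KEYS and i + 1 < len(tokens):
                value = tokens[i + 1]
                route[tokens[i]] = int(value) if tokens[i] == "metric" else value
                i += 2
            else:
                i += 1  # bare flag such as "onlink"; not needed for lookup
        routes.append(route)
    return routes


def lookup(routes, address):
    """Longest-prefix match, lowest metric on ties: the kernel's selection rule."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r["dst"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["dst"].prefixlen, -r["metric"]))


def next_hop(routes, address):
    """Return (device, gateway) for a destination; gateway is None when on-link."""
    route = lookup(routes, address)
    return (route["dev"], route["via"]) if route else None


def default_is_split_into_tunnel(routes, tunnel_dev="tun0"):
    """True when 0.0.0.0/1 and 128.0.0.0/1 both point into the tunnel.

    Together the two /1 routes cover every address and, being more specific
    than 0.0.0.0/0, win over both "default" entries without deleting them.
    """
    halves = {str(r["dst"]) for r in routes
              if r["dst"].prefixlen == 1 and r["dev"] == tunnel_dev}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}


if __name__ == "__main__":
    table = parse_routes(TURTLE_ROUTES)
    for dest in ("192.168.65.50", "203.0.113.10", "172.27.224.150", "8.8.8.8"):
        print(dest, "->", next_hop(table, dest))
    print("non-local traffic enters tunnel:", default_is_split_into_tunnel(table))
```

Run against the pasted table, a LAN host resolves to eth1 with no gateway (directly connected), the VPN server's own address resolves to eth1 via the LAN router (the host route that keeps the tunnel from routing over itself), and any other address resolves to tun0 via 172.27.224.129. Note what the table cannot tell you: it says where the Turtle sends its own packets and how it forwards VPN-side packets onto the LAN, but not how LAN hosts will route their replies, which is the NAT question raised in post 3.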