
Reverse VPN -- anybody got it working?


GMaxW


I was hoping to get the reverse VPN setup working, but have been so unsuccessful I'm starting to doubt that it actually works.

In the absence of better docs, I have been following the Hak5 video here:

https://www.youtube.com/watch?v=b7qr0laM8kA

I have painstakingly scoured this video second by second, noting every setting that Darren makes. And I have slavishly configured OpenVPN AS at Digital Ocean exactly the same way (well, except specific IP addresses of course), installed the ovpn files on an off-LAN client, and also on the Turtle. And I've also checked the network and firewall settings at the end of the video, which were already in place out-of-the-box.

I can get:

  • both LAN Turtle and the off-LAN client to show up as clients in the OpenVPN admin web interface.
  • I can SSH from the off-LAN client to the Turtle on the LAN
  • (However, I can't SSH from LAN machines to the Turtle, which is a puzzle, posted in a different thread)

But what I can't do is to get the off-LAN client to connect to other machines on the LAN that Turtle is supposed to be acting as gateway for. For example, I set up a couple of on-LAN machines with a simple web server, which is visible to other machines on the LAN, and should be connectable by the Turtle.

I also used traceroute from the off-LAN machine to a machine on the LAN, and the only two hops I get are first to the gateway on the OpenVPN-AS virtual LAN, and then to the VPN address of the Turtle, but no further.

So the bottom line question is: what are the exact settings needed to get this gateway to work?  Or further diagnostic steps? Thanks.


And in case it's any use, here's the result of ip route on Turtle:

root@turtle:~# ip route
0.0.0.0/1 via 172.27.224.129 dev tun0
default via 192.168.65.1 dev eth1  proto static  src 192.168.65.102  metric 20
default via 172.16.84.84 dev eth0  proto static  metric 30
128.0.0.0/1 via 172.27.224.129 dev tun0
[OpenVPN-AS server's IP] via 192.168.65.1 dev eth1
172.16.84.0/24 dev eth0  proto static  scope link  metric 30
172.27.224.128/25 dev tun0  proto kernel  scope link  src 172.27.224.165
192.168.65.0/24 dev eth1  proto static  scope link  metric 20
192.168.65.1 dev eth1  proto static  scope link  src 192.168.65.102  metric 20
root@turtle:~#

192.168.65.0/24 is the LAN

172.27.224.128/25 is the virtual network on the OpenVPN-AS server, with its gateway at 172.27.224.129

OpenVPN-AS shows turtle connected at 172.27.224.165

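An added example, not part of this thread or of any Hak5 material: a longest-prefix-match lookup over `ip route` text, replayed against the Turtle table posted above and against a constructed table for an ordinary LAN host. It shows why the Turtle forwards the request correctly yet the LAN host's reply never finds its way back to the off-LAN client. Assumptions: the elided OpenVPN AS server address is stood in for by the documentation address 203.0.113.10, the off-LAN client is given 172.27.224.200 from the AS pool, the LAN web server is 192.168.65.50, and the LAN router 192.168.65.1 knows nothing about the 172.27.224.128/25 VPN subnet. Only POSIX sh and awk are needed.

```shell
#!/bin/sh
# Added example (not from the thread): replay routing decisions for the
# reverse-VPN path. route_lookup DST reads an `ip route` table on stdin and
# prints "<dev> <next-hop>" for the winning route ("onlink" when the
# destination is directly connected). Longest prefix wins, then lowest
# metric; a route without a metric counts as metric 0, as in the kernel.
route_lookup() {
    awk -v dst="$1" '
    function ip2n(s,  o) { split(s, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    # awk has no bit operators; dividing by 2^(32-plen) keeps the top plen bits
    function covers(net, plen, ip) { return plen == 0 || int(ip2n(net) / 2 ^ (32 - plen)) == int(ip / 2 ^ (32 - plen)) }
    BEGIN { d = ip2n(dst); best = -1 }
    NF > 0 {
        if ($1 == "default") { net = "0.0.0.0"; plen = 0 }
        else if (index($1, "/")) { split($1, a, "/"); net = a[1]; plen = a[2] + 0 }
        else { net = $1; plen = 32 }            # bare host route such as 192.168.65.1
        via = ""; dev = ""; metric = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "via") via = $(i + 1)
            else if ($i == "dev") dev = $(i + 1)
            else if ($i == "metric") metric = $(i + 1) + 0
        }
        if (!covers(net, plen, d)) next
        if (plen > best || (plen == best && metric < bmetric)) { best = plen; bmetric = metric; bdev = dev; bvia = via }
    }
    END { if (best >= 0) print bdev, (bvia == "" ? "onlink" : bvia) }'
}

# The Turtle table as posted in the thread; the elided OpenVPN AS server
# address is replaced by 203.0.113.10 (an assumption, not the real address).
TURTLE_ROUTES='0.0.0.0/1 via 172.27.224.129 dev tun0
default via 192.168.65.1 dev eth1  proto static  src 192.168.65.102  metric 20
default via 172.16.84.84 dev eth0  proto static  metric 30
128.0.0.0/1 via 172.27.224.129 dev tun0
203.0.113.10 via 192.168.65.1 dev eth1
172.16.84.0/24 dev eth0  proto static  scope link  metric 30
172.27.224.128/25 dev tun0  proto kernel  scope link  src 172.27.224.165
192.168.65.0/24 dev eth1  proto static  scope link  metric 20
192.168.65.1 dev eth1  proto static  scope link  src 192.168.65.102  metric 20'

# Constructed table for an ordinary LAN host (192.168.65.50): its only exit is
# the LAN router 192.168.65.1, and the VPN subnet 172.27.224.128/25 is unknown
# to it, which is the normal state of a LAN nobody has reconfigured.
LAN_HOST_ROUTES='default via 192.168.65.1 dev eth0
192.168.65.0/24 dev eth0  proto kernel  scope link  src 192.168.65.50'

turtle_route()   { printf '%s\n' "$TURTLE_ROUTES"   | route_lookup "$1"; }
lan_host_route() { printf '%s\n' "$LAN_HOST_ROUTES" | route_lookup "$1"; }

# Walk one request from the off-LAN VPN client to the LAN web server and back,
# once with the client's VPN address as source and once NATed to the Turtle's
# LAN address. usage: reverse_vpn_walk CLIENT_VPN_IP LAN_TARGET TURTLE_LAN_IP
reverse_vpn_walk() {
    client=$1 target=$2 turtle_lan_ip=$3
    echo "client -> $target: Turtle forwards via $(turtle_route "$target")"
    echo "LAN host reply to $client (no NAT):   $(lan_host_route "$client")"
    echo "LAN host reply to $turtle_lan_ip (with NAT): $(lan_host_route "$turtle_lan_ip")"
}

reverse_vpn_walk 172.27.224.200 192.168.65.50 192.168.65.102
# The Turtle's own internet-bound traffic enters the tunnel: the two /1 routes
# OpenVPN pushes for redirect-gateway are more specific than either default.
echo "Turtle -> 198.51.100.7: $(turtle_route 198.51.100.7)"
```

Reading the output: the request is fine (the Turtle has 192.168.65.0/24 on-link via eth1, so it hands the packet straight to the web server), but the reply addressed to 172.27.224.200 leaves the LAN host towards 192.168.65.1, a router that has no route for the VPN subnet, so it never comes back through the Turtle. That matches a traceroute that dies after the Turtle hop. Once the Turtle rewrites the source to 192.168.65.102, the reply is on-link and lands on the Turtle, which de-NATs it into the tunnel. The two cures are therefore NAT on the gateway, or a static route for 172.27.224.128/25 pointing at the Turtle on the LAN router; the second needs cooperation from whoever runs that router.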

When you created the ovpn file for the turtle on OpenVPN AS I see the VPN Gateway is set to 192.168.65.0/24.  Did you also check the box for Allow access from "all server-side private subnets" and "all other VPN clients?"

When you SSH into your turtle from your off-lan machine can you ping your on-lan machines from the turtle?

 


> When you created the ovpn file for the turtle on OpenVPN AS I see the VPN Gateway is set to 192.168.65.0/24.

Not sure what you mean here. 192.168.65.0/24 is indeed the subnet address range for the LAN that the gateway/client is on.

>  Did you also check the box for Allow access from "all server-side private subnets" and "all other VPN clients?"

I assume you mean for the gateway client, in which case yes.

> When you SSH into your turtle from your off-lan machine can you ping your on-lan machines from the turtle?

That's a good question. I did not try that. And I have now reconfigured to try using an Ubuntu machine as the gateway/client, so had to unconfigure the Turtle. Sadly not getting the Ubuntu client/gateway to work yet either.

Frankly I lack hope of getting this to work with a series of "did you try this, did you try that" piecemeal suggestions. Which is why I'm looking for a complete set of config settings that are known to actually work verbatim.

 


So you followed that Hak5 video to a T.  You were able to set up OpenVPN AS.  You were able to create two OVPN files and put one on the turtle and one on your "off lan" machine.  That's 99% of it so why would I or anyone else take the time to write a complete set of config settings when you would read through them and say yup yup I did all that already???

All we are down to are three small areas. 

Did you configure the OpenVPN AS reverse gateway correctly?  Which is give it an IP: 192.168.65.0/24 and check those two boxes above it.  Which at this point you almost make it sound like you're not sure what I'm referring to.

Did you configure the lan that the turtle is on correctly?  Ping every device you want to see and make sure at least a ping works.  Can the turtle see a computer on that lan and can the computer on that lan see the turtle?

Then lastly did you setup the turtle correctly which at this point if you followed the video it should be but we can walk through it if the other two sections above are completely proved out and work.

I just recently set all this up for the packet squirrel and it worked flawlessly.  Then I took it all apart when I was done.  Two days ago I put it all back together, dusted off my lan turtle and got it to work flawlessly as well.  So you're just about there.  Don't give up, we'll get there.


> why would I or anyone else take the time to right a complete set of config settings

I was hoping someone already had then written down, primarily someone from hak5, given that Turtle is promoted to do this scenario.

> when you would read through them and say yup yup I did all that already???

Obviously I'm looking for the thing in the known-working config that I would NOT say "yup" to!

> Did you configure the OpenVPN AS reverse gateway correctly?  Which is give it an IP: 192.168.65.0/24 and check those two boxes above it.  Which at this point you almost make it sound like your not sure what I'm referring to.

Well, I guess you are referring to the client "VPN Gateway" setting, the "act as VPN gateway for this subnet" slot, and the "Allow access from" checkboxes.

Yes, those are configured correctly.

> Did you configure the lan that the turtle is on correctly?

The LAN that the Turtle is on is not supposed to require any configuration. That is part of the point -- you are supposed to be able to stick the Turtle onto a LAN without needing any intervention in the existing LAN's config.  ("Excuse me Mr Admin of the network I'm trying to snoop on, would you mind configuring your router for me" hahaha.) (Though I hasten to add my own purpose is not nefarious.)

You are right that additional info would be gathered by performing the pings:  (a) while SSH'ed to Turtle, and performing pings from Turtle to LAN devices, and (b), the holy grail, pinging from some other VPN client, through the VPN, through Turtle, to a LAN device.  That I can't do quickly at the moment.

However, I have in the past couple of hours got this structure working, just with an Ubuntu machine substituting in the role of Turtle.

The missing piece was to get the gateway machine to perform NAT for traffic gateway <--> LAN.  I guess that way additional routing is not needed on the LAN; machines on the LAN get packets addressed from a LAN-local machine, and send replies back to a LAN-local machine (the gateway), so the LAN's router is not involved.  On Ubuntu this involved the two commands:

sudo iptables -t nat -A POSTROUTING -s 192.168.65.0/24 -o tun0 -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -s 172.27.224.0/24 -o enp2s0 -j MASQUERADE

I don't know the equivalent on Turtle, but nothing in the video's instructions indicated anything about NAT for Turtle's interaction with the LAN.  So I don't know if that piece is needed but was missing from the video, or was expected to be pushed by OpenVPN AS to Turtle but isn't, or what.

Anyhow, I appreciate you're engaging with this issue. Perhaps you have other comments on the NAT issue. Thanks.


My apologies.  I made the wrong assumption that you either had made the network changes to the turtle or that it had come with that already taken care of.  (I had heard that new turtles already had that done.)  I don't have the turtle with me but later today I'll log into it and show you what I had to add/change on mine.  I believe it's all in the network file, maybe a little in the firewall file.  There are some lan turtle 101, 102, etc videos that Darren did a while back and one of them tells you exactly what needs changed.  I had thought it was in that Hak5 video but maybe it wasn't.  Either way I'll get you that info later today.  Sorry about the confusion.


To be clear, in the Reverse VPN video I linked, Darren did list some firewall and network changes, which I copy below. Those were already in place on my Turtle as delivered. And these do not include the iptables NAT settings I just mentioned.

/etc/config/network:
... after config interface 'wan' section...
config interface 'vpn'
    option ifname 'tun0'
    option proto 'dhcp'

/etc/config/firewall:
check there's a section:

config zone
        option  name            'vpn'
        list    network         'vpn'
        option  input           ACCEPT
        option  output          ACCEPT
        option  forward         REJECT

config forwarding
        option  src             lan
        option  dest            vpn

config forwarding
        option  src             vpn
        option  dest            lan

 


Change option forward from REJECT to ACCEPT

config zone
        option  name            'vpn'
        list    network         'vpn'
        option  input           ACCEPT
        option  output          ACCEPT
        option  forward         ACCEPT

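An added example, not part of this thread or of any Hak5 material, that ties together the two pieces the video's config files leave out: the NAT rules from the Ubuntu post above and the forward REJECT to ACCEPT change just posted. It gives the same gateway plumbing in two flavours, plain iptables for a generic Linux box and UCI for an OpenWrt device such as the Turtle. Assumptions: interface names tun0/eth1 for the tunnel and the target LAN, the subnets from this thread, a firewall config containing the 'vpn' zone posted above plus a zone named 'lan' facing the target LAN, and tool paths that can be overridden (IPTABLES=echo SYSCTL=echo UCI=echo FW_INIT=echo) for a dry run that only prints what it would do.

```shell
#!/bin/sh
# Added example (not from the thread): gateway-side forwarding and NAT for a
# reverse VPN. Nothing runs unless GATEWAY_APPLY is set (see the bottom).
IPTABLES=${IPTABLES:-iptables}
SYSCTL=${SYSCTL:-sysctl}
UCI=${UCI:-uci}
FW_INIT=${FW_INIT:-/etc/init.d/firewall}

# Generic Linux (the Ubuntu substitute used in the thread).
# usage: gateway_setup_iptables LAN_NET VPN_NET VPN_IF LAN_IF
gateway_setup_iptables() {
    lan_net=$1 vpn_net=$2 vpn_if=$3 lan_if=$4
    "$SYSCTL" -w net.ipv4.ip_forward=1          # forwarding is off by default on a host
    # Forward tunnel <-> LAN. If the LAN must not be able to open connections
    # into the VPN, replace the second rule with one restricted to
    # "-m conntrack --ctstate ESTABLISHED,RELATED".
    "$IPTABLES" -A FORWARD -i "$vpn_if" -o "$lan_if" -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$lan_if" -o "$vpn_if" -j ACCEPT
    # Source NAT in each direction: LAN hosts see the gateway's LAN address,
    # VPN peers see its tunnel address, so neither side needs a static route.
    "$IPTABLES" -t nat -A POSTROUTING -s "$vpn_net" -o "$lan_if" -j MASQUERADE
    "$IPTABLES" -t nat -A POSTROUTING -s "$lan_net" -o "$vpn_if" -j MASQUERADE
}

# OpenWrt / LAN Turtle: the same effect through UCI. Zones in
# /etc/config/firewall are anonymous sections, so find the index from
# `uci show firewall` output (lines like firewall.@zone[2].name='vpn';
# older uci prints the value without quotes, which the pattern also accepts).
# usage: uci show firewall | zone_index vpn
zone_index() {
    sed -n "s/^firewall\.@zone\[\([0-9]*\)\]\.name='\{0,1\}$1'\{0,1\}\$/\1/p" | head -n 1
}

# usage: gateway_setup_uci [LAN_FACING_ZONE]   (default: lan)
gateway_setup_uci() {
    lan_zone=${1:-lan}
    vpn_idx=$("$UCI" show firewall | zone_index vpn)
    lan_idx=$("$UCI" show firewall | zone_index "$lan_zone")
    if [ -z "$vpn_idx" ] || [ -z "$lan_idx" ]; then
        echo "zone 'vpn' or '$lan_zone' not found in firewall config" >&2
        return 1
    fi
    "$UCI" set "firewall.@zone[$vpn_idx].forward=ACCEPT"  # the REJECT -> ACCEPT fix from this thread
    "$UCI" set "firewall.@zone[$lan_idx].masq=1"          # NAT everything leaving towards the LAN
    "$UCI" set "firewall.@zone[$vpn_idx].masq=1"          # NAT everything leaving into the tunnel
    "$UCI" commit firewall
    "$FW_INIT" restart
}

# Apply only when asked, so reading or sourcing the file changes nothing:
#   GATEWAY_APPLY=iptables sh gateway.sh     or     GATEWAY_APPLY=uci sh gateway.sh
case ${GATEWAY_APPLY:-} in
    iptables) gateway_setup_iptables 192.168.65.0/24 172.27.224.128/25 tun0 eth1 ;;
    uci)      gateway_setup_uci "${GATEWAY_LAN_ZONE:-lan}" ;;
esac
```

One check before applying the UCI variant: `uci show network` and `uci show firewall` tell you which zone actually contains the interface that sits on the target LAN (eth1 with 192.168.65.102 in the table posted above). The forwarding and the masq flag have to be on that zone, whatever it is called; pass its name as the first argument. Stock OpenWrt already sets masq 1 on its wan zone, so if the target LAN turns out to be on that side, only the forward ACCEPT and a vpn to wan forwarding are missing. Masquerading applies to all traffic leaving the zone's interfaces, which is exactly the effect wanted here: LAN hosts only ever see the Turtle's own LAN address.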

6 hours ago, Bob123 said:

Change option forward from REJECT to ACCEPT

config zone
        option  name            'vpn'
        list    network         'vpn'
        option  input           ACCEPT
        option  output          ACCEPT
        option  forward         ACCEPT

Yes, you have indeed spotted a discrepancy, and it's a setting that indeed looks relevant to the problem. I think from the video I absorbed that the Turtle might have these blocks of settings already in place, and when I noticed they were, I must not have read as closely as I should.  Anyhow, I have now changed that setting in my Turtle, but I can't test on the VPN at the moment, so that'll have to wait until a bit later.

Thanks for your attention. I will report back whether this indeed gets things working.


  • 4 months later...

Hi all, I don't know if anyone is still about on this topic but I would love some help. I love Hak5 by the way 🙂 I have followed the video 3 times now and I can get a connection, and then I can connect to the IP address of the server I have on the network I need to view remotely. That one computer I can view, ping or see; no matter what I have tried I can't seem to see any other computer in the office. This would be fine, but due to our ISP we can no longer see the CCTV and this is what I need to see.

I am using a Windows server, not a Turtle. I hope someone can help me please.


  • 9 months later...

For anyone looking to this in 2020. Follow the step-by-step link in the OpenVPN official documentation.

I was able to set this up using an Ubuntu VM in my HomeLab. I had to configure a static route, which was straightforward on my home router.

Hope this helps.


  • 2 weeks later...

THX. Still, unfortunately, I did not get it working (my bad maybe) in any way, even including other sources and videos so far. I would like to get some "road warrior" use case done, accessing my home network through an OpenVPN AS server residing on a VPS at Google Cloud, through which I would like to gain access to a client at home (Windows 10), acting as gateway into the home network (settings done as shown in the video).

OpenVPN AS does work, the client at home does get a connection to OpenVPN AS (and gets an IP address from there), and I still have access to the internet as usual (which is intended). So far, so good.

BUT: With my laptop (Mac Book, OS X), as soon as I do establish the connection to OpenVPN AS (which works as well), all internet connection is lost and I cannot even ping the other client with the VPN internal network address - so lost all connections more or less.

I did also try to use a Debian 10 machine as client / gateway in my network, to rule out any Windows issues, applying all kinds of recommended iptables settings etc., no success so far.

I am no Linux expert, nor a network engineer, so I'd be more than happy if anyone could enlighten me with a step-by-step guide on how to do this.


  • 3 weeks later...

I recently got Reverse VPN working with the on-board OpenVPN that comes with the ASUS RT-AC87U router. More than happy to share the screenshots. I suspect the OpenVPN with most ASUS routers should work.

More than happy to supply router screenshots and OpenVPN.conf

 

EG



Archived

This topic is now archived and is closed to further replies.
