Hak5 Forums
GMaxW

Reverse VPN -- anybody got it working?


I was hoping to get the reverse VPN setup working, but have been so unsuccessful I'm starting to doubt that it actually works.

In the absence of better docs, I have been following the Hak5 video here:

https://www.youtube.com/watch?v=b7qr0laM8kA

I have painstakingly scoured this video second by second, noting every setting that Darren makes. And I have slavishly configured OpenVPN AS at Digital Ocean exactly the same way (well, except specific IP addresses of course), installed the ovpn files on an off-LAN client, and also on the Turtle. And I've also checked the network and firewall settings at the end of the video, which were already in place out-of-the-box.

I can get:

  • both LAN Turtle and the off-LAN client to show up as clients in the OpenVPN admin web interface.
  • I can SSH from the off-LAN client to the Turtle on the LAN
  • (However, I can't SSH from LAN machines to the Turtle, which is a puzzle, posted in a different thread)

But what I can't do is to get the off-LAN client to connect to other machines on the LAN that Turtle is supposed to be acting as gateway for. For example, I set up a couple of on-LAN machines with a simple web server, which is visible to other machines on the LAN, and should be connectable by the Turtle.

I also used traceroute from the off-LAN machine to a machine on the LAN, and the only two hops I get are first to the gateway on the OpenVPN-AS virtual LAN, and then to the VPN address of the Turtle, but no further.

So the bottom line question is: what are the exact settings needed to get this gateway to work?  Or further diagnostic steps? Thanks.


And in case it's any use, here's the result of ip route on Turtle:

root@turtle:~# ip route
0.0.0.0/1 via 172.27.224.129 dev tun0
default via 192.168.65.1 dev eth1  proto static  src 192.168.65.102  metric 20
default via 172.16.84.84 dev eth0  proto static  metric 30
128.0.0.0/1 via 172.27.224.129 dev tun0
[OpenVPN-AS server's IP] via 192.168.65.1 dev eth1
172.16.84.0/24 dev eth0  proto static  scope link  metric 30
172.27.224.128/25 dev tun0  proto kernel  scope link  src 172.27.224.165
192.168.65.0/24 dev eth1  proto static  scope link  metric 20
192.168.65.1 dev eth1  proto static  scope link  src 192.168.65.102  metric 20
root@turtle:~#

192.168.65.0/24 is the LAN

172.27.224.128/25 is the virtual network on the OpenVPN-AS server, with its gateway at 172.27.224.129

OpenVPN-AS shows turtle connected at 172.27.224.165


When you created the ovpn file for the turtle on OpenVPN AS I see the VPN Gateway is set to 192.168.65.0/24.  Did you also check the box for Allow access from "all server-side private subnets" and "all other VPN clients"?

When you SSH into your turtle from your off-lan machine can you ping your on-lan machines from the turtle?

 


> When you created the ovpn file for the turtle on OpenVPN AS I see the VPN Gateway is set to 192.168.65.0/24.

Not sure what you mean here. 192.168.65.0/24 is indeed the subnet address range for the LAN that the gateway/client is on.

>  Did you also check the box for Allow access from "all server-side private subnets" and "all other VPN clients?"

I assume you mean for the gateway client, in which case yes.

> When you SSH into your turtle from your off-lan machine can you ping your on-lan machines from the turtle?

That's a good question. I did not try that. And I have now reconfigured to try using an Ubuntu machine as the gateway/client, so had to unconfigure the Turtle. Sadly not getting the Ubuntu client/gateway to work yet either.

Frankly I lack hope of getting this to work with a series of "did you try this, did you try that" piecemeal suggestions. Which is why I'm looking for a complete set of config settings that are known to actually work verbatim.

 


So you followed that Hak5 video to a T.  You were able to set up OpenVPN AS.  You were able to create two OVPN files and put one on the turtle and one on your "off lan" machine.  That's 99% of it so why would I or anyone else take the time to write a complete set of config settings when you would read through them and say yup yup I did all that already???

All we are down to are three small areas. 

Did you configure the OpenVPN AS reverse gateway correctly?  Which is give it an IP: 192.168.65.0/24 and check those two boxes above it.  Which at this point you almost make it sound like you're not sure what I'm referring to.

Did you configure the lan that the turtle is on correctly?  Ping every device you want to see and make sure at least a ping works.  Can the turtle see a computer on that lan and can the computer on that lan see the turtle?

Then lastly did you set up the turtle correctly which at this point if you followed the video it should be but we can walk through it if the other two sections above are completely proved out and work.

I just recently set all this up for the packet squirrel and it worked flawlessly.  Then I took it all apart when I was done.  Two days ago I put it all back together, dusted off my lan turtle and got it to work flawlessly as well.  So you're just about there.  Don't give up, we'll get there.


> why would I or anyone else take the time to write a complete set of config settings

I was hoping someone already had then written down, primarily someone from hak5, given that Turtle is promoted to do this scenario.

> when you would read through them and say yup yup I did all that already???

Obviously I'm looking for the thing in the known-working config that I would NOT say "yup" to!

> Did you configure the OpenVPN AS reverse gateway correctly?  Which is give it an IP: 192.168.65.0/24 and check those two boxes above it.  Which at this point you almost make it sound like your not sure what I'm referring to.

Well, I guess you are referring to the client "VPN Gateway" setting, the "act as VPN gateway for this subnet" slot, and the "Allow access from" checkboxes.

Yes, those are configured correctly.

> Did you configure the lan that the turtle is on correctly?

The LAN that the Turtle is on is not supposed to require any configuration. That is part of the point -- you are supposed to be able to stick the Turtle onto a LAN without needing any intervention in the existing LAN's config.  ("Excuse me Mr Admin of the network I'm trying to snoop on, would you mind configuring your router for me" hahaha.) (Though I hasten to add my own purpose is not nefarious.)

You are right that additional info would be gathered by performing the pings:  (a) while SSH'ed to Turtle, and performing pings from Turtle to LAN devices, and (b), the holy grail, pinging from some other VPN client, through the VPN, through Turtle, to a LAN device.  That I can't do quickly at the moment.

However, I have in the past couple of hours got this structure working, just with an Ubuntu machine substituting in the role of Turtle.

The missing piece was to get the gateway machine to perform NAT for traffic gateway <--> LAN.  I guess that way additional routing is not needed on the LAN; machines on the LAN get packets addressed from a LAN-local machine, and send replies back to a LAN-local machine (the gateway), so the LAN's router is not involved.  On Ubuntu this involved the two commands:

# LAN -> VPN: traffic from the LAN leaving via the tunnel is rewritten to the gateway's VPN address
sudo iptables -t nat -A POSTROUTING -s 192.168.65.0/24 -o tun0 -j MASQUERADE
# VPN -> LAN: traffic from VPN clients leaving via the LAN interface is rewritten to the gateway's LAN address
sudo iptables -t nat -A POSTROUTING -s 172.27.224.0/24 -o enp2s0 -j MASQUERADE

I don't know the equivalent on Turtle, but nothing in the video's instructions indicated anything about NAT for Turtle's interaction with the LAN.  So I don't know if that piece is needed but was missing from the video, or was expected to be pushed by OpenVPN AS to Turtle but isn't, or what.

Anyhow, I appreciate you're engaging with this issue. Perhaps you have other comments on the NAT issue. Thanks.

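The NAT step described in the post above, written out as an added example script. This is not the poster's command list and not anything from the Hak5 video; it assumes the values quoted in the thread (192.168.65.0/24 as the LAN on enp2s0, 172.27.224.128/25 as the OpenVPN AS virtual subnet on tun0) and treats them as parameters. Beyond the two MASQUERADE rules in the post it also enables IP forwarding and opens the FORWARD chain, which the posted commands take for granted, and it only appends a rule when an identical one is not already present.

```shell
#!/bin/sh
# Added example, not code from the thread or from Hak5: make a Linux host the
# reverse-VPN gateway described above. The defaults are the values quoted in
# the thread and are assumptions for any other setup:
#   LAN_CIDR  subnet entered as "VPN Gateway" for this client in OpenVPN AS
#   VPN_CIDR  OpenVPN AS virtual subnet that VPN clients arrive from
#   LAN_IF    the gateway's LAN interface (enp2s0 on the poster's Ubuntu box)
#   VPN_IF    the OpenVPN tunnel interface (tun0)
# Set DRY_RUN=1 to print the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Append a rule only if an identical one is not already present (iptables -C
# exits 0 when the rule exists), so re-running the script does not stack duplicates.
add_rule_once() {
    table=$1; shift
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$@"
    fi
}

configure_gateway() {
    lan_cidr=$1 vpn_cidr=$2 lan_if=$3 vpn_if=$4

    # 1. The kernel has to forward between interfaces at all. The two NAT rules in
    #    the post assume this is already on; with it off, packets from the VPN are
    #    dropped on the gateway and traceroute stops exactly where the thread shows.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Let forwarded traffic through the filter table: new connections VPN -> LAN,
    #    and the replies LAN -> VPN, matched by connection tracking.
    add_rule_once filter FORWARD -i "$vpn_if" -o "$lan_if" -s "$vpn_cidr" -d "$lan_cidr" -j ACCEPT
    add_rule_once filter FORWARD -i "$lan_if" -o "$vpn_if" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # 3. Source-NAT VPN clients behind the gateway's LAN address. LAN hosts then see
    #    a neighbour on their own subnet and answer it directly. Without this they
    #    would send replies for 172.27.224.x to their default router, which has no
    #    route back into the VPN, and the connection appears to hang.
    add_rule_once nat POSTROUTING -s "$vpn_cidr" -o "$lan_if" -j MASQUERADE
    # The reverse rule only matters when LAN hosts initiate connections to VPN
    # clients; the poster added it, so it is kept here for parity.
    add_rule_once nat POSTROUTING -s "$lan_cidr" -o "$vpn_if" -j MASQUERADE
}

# The checks the thread asks for, run from the gateway: can it reach a LAN host,
# and is the MASQUERADE rule actually being hit (non-zero pkts counter) while a
# VPN client talks to the LAN?
verify_gateway() {
    run ping -c 1 -W 2 "$1"
    run iptables -t nat -L POSTROUTING -v -n
}

case "${1:-}" in
    apply)  configure_gateway "${LAN_CIDR:-192.168.65.0/24}" "${VPN_CIDR:-172.27.224.128/25}" \
                              "${LAN_IF:-enp2s0}" "${VPN_IF:-tun0}" ;;
    verify) verify_gateway "${2:-192.168.65.1}" ;;
esac
```

Run it as `DRY_RUN=1 sh gateway.sh apply` first to review the rule set, then as root without DRY_RUN. Note that iptables rules do not survive a reboot on their own; persist them with your distribution's mechanism once they are confirmed to work. On the Turtle the equivalent of the MASQUERADE rules would be `option masq '1'` on the relevant zone in /etc/config/firewall, which is an OpenWrt feature and not something the thread shows being required.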

My apologies.  I made the wrong assumption that you either had made the network changes to the turtle or that it had come with that already taken care of.  (I had heard that new turtles already had that done.)  I don't have the turtle with me but later today I'll log into it and show you what I had to add/change on mine.  I believe it's all in the network file, maybe a little in the firewall file.  There are some lan turtle 101, 102, etc videos that Darren did a while back and one of them tells you exactly what needs changed.  I had thought it was in that Hak5 video but maybe it wasn't.  Either way I'll get you that info later today.  Sorry about the confusion.


To be clear, in the Reverse VPN video I linked, Darren did list some firewall and network changes, which I copy below. Those were already in place on my Turtle as delivered. And these do not include the iptables NAT settings I just mentioned.

/etc/config/network:
... after config interface 'wan' section...
config interface 'vpn'
    option ifname 'tun0'
    option proto 'dhcp'

/etc/config/firewall:
check there's a section:

config zone
        option  name            'vpn'
        list    network         'vpn'
        option  input           ACCEPT
        option  output          ACCEPT
        option  forward         REJECT

config forwarding
        option  src             lan
        option  dest            vpn

config forwarding
        option  src             vpn
        option  dest            lan

 


Change option forward from REJECT to ACCEPT

config zone
        option  name            'vpn'
        list    network         'vpn'
        option  input           ACCEPT
        option  output          ACCEPT
        option  forward         ACCEPT


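The REJECT-to-ACCEPT fix above, as an added example of how to check for it and apply it without hand-editing. This is not the poster's configuration and not Hak5's; it assumes an OpenWrt-style /etc/config/firewall in the layout the thread shows (the LAN Turtle runs OpenWrt), a zone literally named 'vpn', and the standard `uci` tool and `/etc/init.d/firewall` on the device. The file-based functions take the config path as an argument so they can be tried on a copy first; the sample config embedded in the script is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from Hak5: check, and if necessary fix,
# the 'forward' policy of a zone in an OpenWrt-style /etc/config/firewall such
# as the LAN Turtle's. The awk-based functions work on any copy of the file;
# fix_vpn_zone_with_uci applies the same change on the Turtle itself.

# Print the "option forward" value of the zone named $2 in config file $1.
zone_forward_policy() {
    awk -v want="$2" '
        function flush() { if (in_zone && name == want) print policy }
        /^config[ \t]+zone/ { flush(); in_zone = 1; name = ""; policy = ""; next }
        /^config/           { flush(); in_zone = 0; next }
        in_zone && $1 == "option" && $2 == "name"    { name = $3;   gsub(/[^A-Za-z0-9_]/, "", name) }
        in_zone && $1 == "option" && $2 == "forward" { policy = $3; gsub(/[^A-Za-z0-9_]/, "", policy) }
        END { flush() }
    ' "$1"
}

# Rewrite "option forward" of zone $2 in file $1 to policy $3, leaving every
# other stanza intact. Each stanza is buffered until the next "config" line so
# the zone name may appear anywhere inside the stanza, not only on its first line.
set_zone_forward() {
    conf=$1 zone=$2 policy=$3
    tmp="$conf.tmp.$$"
    awk -v want="$zone" -v new="$policy" '
        function flush(   i) {
            for (i = 1; i <= n; i++) {
                if (in_zone && name == want && buf[i] ~ /^[ \t]*option[ \t]+forward[ \t]/) {
                    sub(/[^ \t]+[ \t]*$/, new, buf[i])   # the last token on the line is the value
                }
                print buf[i]
            }
            n = 0
        }
        /^config/ { flush(); in_zone = ($2 == "zone"); name = "" }
        { buf[++n] = $0
          if (in_zone && $1 == "option" && $2 == "name") { name = $3; gsub(/[^A-Za-z0-9_]/, "", name) } }
        END { flush() }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Constructed sample in the thread's layout, with the REJECT that broke forwarding.
sample_firewall_config() {
    cat <<'EOF'
config zone
        option  name            'lan'
        option  input           ACCEPT
        option  output          ACCEPT
        option  forward         ACCEPT

config zone
        option  name            'vpn'
        list    network         'vpn'
        option  input           ACCEPT
        option  output          ACCEPT
        option  forward         REJECT

config forwarding
        option  src             vpn
        option  dest            lan
EOF
}

# On the Turtle: the same fix through uci. uci addresses zones by index, so the
# index of the zone called "vpn" is looked up first; then commit and reload.
fix_vpn_zone_with_uci() {
    i=0
    while name=$(uci -q get "firewall.@zone[$i].name"); do
        if [ "$name" = "vpn" ]; then
            uci set "firewall.@zone[$i].forward=ACCEPT"
            uci commit firewall
            /etc/init.d/firewall reload
            return 0
        fi
        i=$((i + 1))
    done
    echo "no firewall zone named vpn" >&2
    return 1
}

# Offline demonstration: "sh thisfile.sh demo" edits a temporary copy of the sample.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    sample_firewall_config > "$f"
    echo "before: vpn forward=$(zone_forward_policy "$f" vpn)"
    set_zone_forward "$f" vpn ACCEPT
    echo "after:  vpn forward=$(zone_forward_policy "$f" vpn)"
    rm -f "$f"
fi
```

On a live device, `zone_forward_policy /etc/config/firewall vpn` is the quick way to confirm which of the two files in the thread you actually have before changing anything; after `set_zone_forward` on the real file, run `/etc/init.d/firewall reload` just as the uci path does, since editing the file alone does not change the running rules.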

I just checked out my network and firewall files on my lan turtle and they are exactly as you have above except my option forward on the vpn zone is set to ACCEPT not REJECT as mentioned above.  Hopefully that'll fix your issue.

6 hours ago, Bob123 said:

Change option forward from REJECT to ACCEPT

config zone
        option  name            'vpn'
        list    network         'vpn'
        option  input           ACCEPT
        option  output          ACCEPT
        option  forward         ACCEPT

Yes, you have indeed spotted a discrepancy, and it's a setting that indeed looks relevant to the problem.  I think from the video I absorbed that the Turtle might have these blocks of settings already in place, and when I noticed they were, I must not have read as closely as I should.  Anyhow, I have now changed that setting in my Turtle, but I can't test on the VPN at the moment, so that'll have to wait until a bit later.

Thanks for your attention. I will report back whether this indeed gets things working.
