openvpn
zazrab, 2017-06-24 23:34:45

Port not reachable via openvpn?

OpenVPN is up behind pfSense; on pfSense the route is 10.2.0.0/24 via 192.168.12.4
RDP host: 192.168.12.28
OpenVPN client: 10.2.0.6

iptables
#!/sbin/iptables-restore
# The filter table and its chains
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow related and established connections
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow service ICMP traffic
-A INPUT -p icmp -j ACCEPT
# Allow trusted traffic on the loopback interface
-A INPUT -i lo -j ACCEPT
# Additional rules for the INPUT chain can be inserted here
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 1197 -j ACCEPT
-A INPUT -i tun0 -p tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 2566 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 1197 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
# Deny everything else for INPUT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# The order and meaning of the rules for the FORWARD and OUTPUT chains are the same as for INPUT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Filtering the OUTPUT chain is strongly discouraged
#-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A OUTPUT -p icmp -j ACCEPT
#-A OUTPUT -o lo -j ACCEPT
#-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
client
client
proto tcp
dev tun
ca ca.crt
dh dh2048.pem
cert qaz1.crt
key qaz1.key
remote 188.255.97.5 1197
cipher AES-128-CBC
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind
server
port 1197
proto tcp-server
dev tun0
ca keys/server/ca.crt
cert keys/server/test1.crt
key keys/server/test1.key
dh keys/server/dh2048.pem
server 10.2.0.0 255.255.255.0
crl-verify keys/server/crl.pem
cipher AES-128-CBC
user nobody
group nogroup
status servers/changeme/logs/openvpn-status.log
log-append servers/changeme/logs/openvpn.log
verb 2
mute 20
max-clients 100
keepalive 10 120
client-config-dir /etc/openvpn/servers/changeme/ccd
comp-lzo
persist-key
persist-tun
ccd-exclusive
push "route 192.168.12.0 255.255.255.0"

The OpenVPN client on Windows connects, and the 192.168.12.0 network behind the server can be pinged.
From 192.168.12.0 to 10.2.0.0, RDP connects; but from 10.2.0.0 to 192.168.12.0 nothing connects on ports 3389/22, and webmin does not open in the browser either.
tcpdump 192.168.12.28 and port 3389

tcpdump -i eth0 host 192.168.12.28 and port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:18:10.135954 IP 10.2.0.6.50810 > 192.168.12.28.3389: Flags [S], seq 4201269139, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
23:18:13.165874 IP 10.2.0.6.50810 > 192.168.12.28.3389: Flags [S], seq 4201269139, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
tcpdump 192.168.12.26 and port 10000

tcpdump -i eth0 host 192.168.12.26 and port 10000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:25:38.957860 IP 10.2.0.6.50845 > 192.168.12.26.webmin: Flags [S], seq 448614509, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
23:25:38.994651 IP 10.2.0.6.50846 > 192.168.12.26.webmin: Flags [S], seq 2040360806, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
23:25:39.134572 IP 10.2.0.6.50847 > 192.168.12.26.webmin: Flags [S], seq 1454663716, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
23:25:42.212823 IP 10.2.0.6.50845 > 192.168.12.26.webmin: Flags [S], seq 448614509, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
23:25:42.245498 IP 10.2.0.6.50846 > 192.168.12.26.webmin: Flags [S], seq 2040360806, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
23:25:42.245528 IP 10.2.0.6.50847 > 192.168.12.26.webmin: Flags [S], seq 1454663716, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
tcpdump from pfSense

23:30:15.274864 IP 192.168.12.28.3389 > 10.2.0.6.50852: tcp 0
23:30:18.291332 IP 192.168.12.28.3389 > 10.2.0.6.50852: tcp 0

Help me figure out why I can't connect via RDP/SSH over OpenVPN from 10.2.0.0 to 192.168.12.0.

1 answer
mureevms, 2017-06-25

It seems to me that the problem is in the routes on the hosts of the 192.168.12.0 network: they don't know the route to the 10.2.0.0 subnet. The dump shows that on the intermediate nodes packets arrive from the connection initiator but do not come back.
The solution might be to add this route manually on every host of that subnet, something like add 10.2.0.0/24 via openvpn.local.IP.from.192.168.12.0.net, or to add it on the gateway of that subnet.
Although it is strange that pings pass. In general, if the problem is not the route, more information is needed, and ideally a network diagram with host addresses for clarity. Also, it is not entirely clear on which host the iptables rules are: if on the OVPN server, why is port 3389 open there; if on the RDP server, where does the tun interface come from on it.
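As an added illustration of the reading of the captures given in the answer (editor-added example code, not from the question or the answer): the script below parses the tcpdump lines quoted in the question, classifies each packet as VPN-to-LAN or LAN-to-VPN using the two subnets from the posted configs, and reports, per LAN destination, at which vantage point forward packets and replies were seen. The two capture texts are trimmed copies of the question's output (constructed sample input); the vantage-point names and the SERVICE_PORTS table are assumptions. Note that the pfSense capture shows replies from 192.168.12.28:3389 that never appear on the OpenVPN server's eth0, which is what the script flags as an asymmetric reply path.

```python
"""Flow-direction check across two tcpdump vantage points (editor-added example)."""
import ipaddress
import re
from collections import defaultdict

VPN_NET = ipaddress.ip_network("10.2.0.0/24")      # from "server 10.2.0.0 255.255.255.0"
LAN_NET = ipaddress.ip_network("192.168.12.0/24")  # LAN behind pfSense

# tcpdump without -n prints service names; this table (an assumption) covers
# the names that occur in the question's captures.
SERVICE_PORTS = {"webmin": 10000, "ms-wbt-server": 3389, "ssh": 22}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+): (?P<rest>.*)$"
)

# Constructed sample input: trimmed copies of the captures quoted in the question.
SERVER_ETH0 = """\
23:18:10.135954 IP 10.2.0.6.50810 > 192.168.12.28.3389: Flags [S], seq 4201269139, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
23:18:13.165874 IP 10.2.0.6.50810 > 192.168.12.28.3389: Flags [S], seq 4201269139, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
23:25:38.957860 IP 10.2.0.6.50845 > 192.168.12.26.webmin: Flags [S], seq 448614509, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
23:25:42.212823 IP 10.2.0.6.50845 > 192.168.12.26.webmin: Flags [S], seq 448614509, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
"""
PFSENSE = """\
23:30:15.274864 IP 192.168.12.28.3389 > 10.2.0.6.50852: tcp 0
23:30:18.291332 IP 192.168.12.28.3389 > 10.2.0.6.50852: tcp 0
"""


def port_number(token):
    """Turn a tcpdump port token ('3389' or 'webmin') into an int."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    raise ValueError(f"unknown service name {token!r}; rerun tcpdump with -n")


def parse_line(line):
    """Parse one tcpdump text line; return None for banner/noise lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = re.search(r"Flags \[([^\]]*)\]", m.group("rest"))
    return {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "sport": port_number(m.group("sport")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": port_number(m.group("dport")),
        "flags": flags.group(1) if flags else None,  # pfSense's terse output has no Flags field
    }


def direction(pkt):
    """'forward' for VPN client -> LAN host, 'return' for LAN host -> VPN client."""
    if pkt["src"] in VPN_NET and pkt["dst"] in LAN_NET:
        return "forward"
    if pkt["src"] in LAN_NET and pkt["dst"] in VPN_NET:
        return "return"
    return None


def summarize(capture_text):
    """Count forward/return packets per (vpn_host, lan_host, lan_port).

    Keyed on the LAN service endpoint, not the full 4-tuple, because the
    ephemeral client port differs between captures taken at different times.
    """
    counts = defaultdict(lambda: {"forward": 0, "return": 0})
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        d = direction(pkt)
        if d == "forward":
            key = (str(pkt["src"]), str(pkt["dst"]), pkt["dport"])
        elif d == "return":
            key = (str(pkt["dst"]), str(pkt["src"]), pkt["sport"])
        else:
            continue
        counts[key][d] += 1
    return dict(counts)


def diagnose(captures):
    """captures: {vantage_point: tcpdump text} -> {key: (status, detail)}.

    status is 'ok', 'no-reply' (SYNs but no reply anywhere) or 'asymmetric'
    (replies exist at some vantage point but not where the SYNs were seen).
    """
    per_point = {name: summarize(text) for name, text in captures.items()}
    result = {}
    for key in sorted(set().union(*per_point.values())):
        vpn_host, lan_host, port = key
        fwd = [n for n, s in per_point.items() if s.get(key, {}).get("forward")]
        ret = [n for n, s in per_point.items() if s.get(key, {}).get("return")]
        if not ret:
            result[key] = ("no-reply", f"SYNs from {vpn_host} to {lan_host}:{port} seen at {fwd}, "
                                       "no reply captured at any vantage point")
        elif all(n in ret for n in fwd):
            result[key] = ("ok", f"replies observed at {ret}")
        else:
            missing = [n for n in fwd if n not in ret]
            result[key] = ("asymmetric", f"replies from {lan_host}:{port} seen at {ret} but not at "
                                         f"{missing}: the reply path does not return through {missing}; "
                                         f"check the route to {VPN_NET} on {lan_host} or on its gateway")
    return result


if __name__ == "__main__":
    for key, (status, detail) in diagnose({"openvpn-eth0": SERVER_ETH0, "pfsense": PFSENSE}).items():
        print(f"{key[0]} -> {key[1]}:{key[2]}  [{status}]  {detail}")
```

Run it against the real captures by pasting full tcpdump output (ideally taken with -n) into the two strings, or extend the captures dict with a third vantage point such as the RDP host itself to see where the reply path diverges.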
