Koozali.org: home of the SME Server

server-manager access via OpenVPN client

bbialy
« on: July 29, 2013, 03:23:53 PM »
Hello,

I have one SME server (let's call it ServerA) with the OpenVPN bridge contrib installed.
Mode: server-gateway
Public IP: XXX.XXX.XXX.XXX
LAN: 172.16.16.1/X
OpenVPN DHCP range: 172.16.16.10-30

Second SME (ServerB)
in server-only mode behind NAT
LAN IP: 10.10.10.200

On ServerB I have installed openvpn (from smecontribs)
- I have an autolaunch script that brings up the tap0 interface after start.

I can ping ServerA from ServerB and the opposite way.

How do I access server-manager on ServerB from ServerA (or from another OpenVPN client of ServerA)?

I know it is connected with the firewall settings, because if I switch off masq it works! I mean I have access to server-manager:

    /etc/init.d/masq stop

but it is not a good solution.
I also tried via Local networks: LAN 172.16.16.0/255.255.255.0 through 172.16.16.10, but SME says that 172.16.16.10 is not reachable, and from eth0's point of view that is correct :-)

I just don't know how to do it the SME way!! :D
All tips are very welcome.


If someone asks why I want to do it: I need to set up (Asterisk) IAX2 trunks between those two servers. It would also be nice to have the ability to manage the server over the VPN.

At the ServerB location I don't have access to the router and also don't have a fixed public IP.

Reading with understanding is the hardest thing IN THE WORLD

Daniel B. (Firewall Services, network security)
« Reply #1 on: July 29, 2013, 03:46:01 PM »
If you want to connect two servers, you'd better use the Site2Site OpenVPN contrib: http://wiki.contribs.org/OpenVPN_SiteToSite

For VoIP, I recommend also disabling the outbound SNAT option, as explained at http://wiki.contribs.org/OpenVPN_SiteToSite#Additional_options (db openvpn-s2s myvpn SnatOutbound disabled). For IAX2 it shouldn't be an issue, but for SIP you'll have a few problems when SNAT is active.

You can use both contribs (bridge and Site2Site) at the same time, as long as you use different ports (the default UDP/1194 is used for bridge; you can use 1195, for example, for Site2Site).

Regards, Daniel
It's the end of the world!!! :lol:

bbialy
« Reply #2 on: July 30, 2013, 02:40:01 PM »
I was thinking about Site2Site, but my problem is that I don't have a fixed public IP at the ServerB site.
Additionally, I also don't have access to the router/firewall at the ServerB site to make a port forward.
OpenVPNBridge works perfectly behind NAT;
that's why I asked how to add the tap0 interface as a local interface.

I also checked the possibility of using the bridge interface, but the LAN subnets don't match.

I found in /etc/init.d/network something like vpninterfaces; maybe this is the clue:

    vlaninterfaces=""
    vpninterfaces=""
    xdslinterfaces=""
    bridgeinterfaces=""

but /etc/init.d/network starts quite fast (before openvpn is able to set up the connection), so this is not a very logical solution, is it?

Maybe I'm able to add some iptables rules after OpenVPN starts, but I don't know which ones and how.

Daniel B.
« Reply #3 on: July 30, 2013, 02:54:13 PM »
> I was thinking about Site2Site, but my problem is that I don't have a fixed public IP at the ServerB site.

No problem, just use ServerB as the OpenVPN client.

> Additionally, I also don't have access to the router/firewall at the ServerB site to make a port forward.

If ServerB is a client, the VPN connection will be an outgoing one; no need to add any port forwarding.

> OpenVPNBridge works perfectly behind NAT.

Just like the Site2Site one.

You do not want to use the bridge contrib for that. It works at layer 2 (same broadcast domain). Site2Site is really made for what you want, working in routing mode.

Daniel B.
« Reply #4 on: July 30, 2013, 02:56:21 PM »
Forgot to add: Site2Site will configure the firewall for you. Once the VPN is established, all the traffic between the two servers (and their local networks) will be allowed, without anything to configure manually.

bbialy
« Reply #5 on: July 30, 2013, 03:05:22 PM »
OK, I'll try to do that in 30 minutes.
Additionally, I found that if I add to /etc/init.d/masq at line 423

    /sbin/iptables -A $NEW_local_chk -s 172.16.16.0/255.255.255.0 -j ACCEPT #BBIALY

it works, but I know this is not the SME way; it is also not best practice, so do not repeat that :-)

I'll post results after the site2site installation.

bbialy
« Reply #6 on: July 30, 2013, 10:12:31 PM »
I've made a test with s2s and here are some conclusions.

You can't check the current status of the tunnel; you can see only whether it is enabled/disabled.

On ServerA I had to manually create a route

    ip route add 10.0.10.0/24 dev tunserverB

to make packets flow.

On ServerB all routes were made OK.

I switched off SNAT as you suggested, but I still have a problem with asterisk.
The IAX trunk didn't connect.
Probably it is connected with the listening address or interface of asterisk, or another firewall rule. I'm sorry, I didn't have enough time to debug this problem thoroughly and went back to my brutal, not-SME way of solving the problem. I will get back to this problem during the weekend, maybe with better results.

Daniel B.
« Reply #7 on: July 30, 2013, 10:46:13 PM »
> You can't check the current status of the tunnel; you can see only whether it is enabled/disabled.

Not directly in the panel, but you can ping the other side and check the logs in /var/log/openvpn-s2s/<ID>.log

> On ServerA I had to manually create a route
>
>     ip route add 10.0.10.0/24 dev tunserverB
>
> to make packets flow.

Probably something is wrong in the configuration; this shouldn't be needed, everything is configured from the panel.

> I switched off SNAT as you suggested, but I still have a problem with asterisk.
> The IAX trunk didn't connect.

IAX is hard to debug, and sometimes just doesn't work for no apparent reason. I'd suggest you first try to establish a SIP trunk, then, when things are working, try IAX again (or keep SIP; in my experience it's really more reliable).

Regards, Daniel
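The two checks Daniel names in reply #7 (ping the other side, read /var/log/openvpn-s2s/<ID>.log) and the missing-route symptom from reply #6 can be folded into one small status script. The script below is an added example and is not code from this thread or from the OpenVPN Site2Site contrib. It assumes the log path given in the thread, that the tunnel interface is named tun<ID> (as in the `tunserverB` route above), and that OpenVPN writes its standard "Initialization Sequence Completed" / "process restarting" / "process exiting" log lines; the sample log and route table embedded at the bottom are constructed so the helpers can be exercised offline.

```shell
#!/bin/sh
# Added example: health check for an SME Server OpenVPN site-to-site tunnel.
# Not part of the contrib. Assumptions: log at /var/log/openvpn-s2s/<ID>.log,
# interface tun<ID>, standard OpenVPN log messages.

# Classify the last tunnel state recorded in an OpenVPN log file.
# Prints "up", "down" or "unknown" (file unreadable or no state lines yet).
ovpn_log_state() {
    logfile="$1"
    [ -r "$logfile" ] || { echo unknown; return 0; }
    # OpenVPN logs "Initialization Sequence Completed" once the tunnel is usable,
    # and "process restarting" / "process exiting" (after a ping-restart or a
    # SIGTERM) when it goes away. Only the most recent of these lines counts.
    last=$(grep -E 'Initialization Sequence Completed|process restarting|process exiting' "$logfile" | tail -n 1)
    case "$last" in
        *'Initialization Sequence Completed'*) echo up ;;
        '')                                    echo unknown ;;
        *)                                     echo down ;;
    esac
}

# Check that NETWORK (e.g. 10.0.10.0/24) is routed over DEV in the given
# `ip route` output. The table is passed as text so the check can be run
# against a captured copy; on a live server feed it "$(ip route)".
route_present() {
    printf '%s\n' "$1" | grep -Eq "^$2 .*dev $3( |\$)"
}

# Full check for one tunnel: log state, kernel route, reachability of the peer.
# Returns 0 only when all three look good.
s2s_status() {
    id="$1"; peer="$2"; remote_net="$3"
    rc=0
    state=$(ovpn_log_state "/var/log/openvpn-s2s/$id.log")
    echo "log state: $state"
    [ "$state" = up ] || rc=1
    if route_present "$(ip route 2>/dev/null)" "$remote_net" "tun$id"; then
        echo "route:     $remote_net via tun$id present"
    else
        # This is the symptom reported on ServerA above (route had to be added by hand).
        echo "route:     $remote_net via tun$id MISSING"
        rc=1
    fi
    if ping -c 1 -W 2 "$peer" >/dev/null 2>&1; then
        echo "ping:      $peer reachable"
    else
        echo "ping:      $peer unreachable"
        rc=1
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real server) so the helpers
# can be exercised offline: a tunnel that came up, dropped, and came back...
SAMPLE_UP=$(mktemp)
cat >"$SAMPLE_UP" <<'EOF'
Tue Jul 30 21:40:01 2013 TUN/TAP device tunserverB opened
Tue Jul 30 21:40:02 2013 Initialization Sequence Completed
Tue Jul 30 21:55:10 2013 [serverB] Inactivity timeout (--ping-restart), restarting
Tue Jul 30 21:55:10 2013 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jul 30 21:55:15 2013 Initialization Sequence Completed
EOF
# ...and one that was stopped and never returned.
SAMPLE_DOWN=$(mktemp)
cat >"$SAMPLE_DOWN" <<'EOF'
Tue Jul 30 22:01:00 2013 Initialization Sequence Completed
Tue Jul 30 22:09:30 2013 SIGTERM[hard,] received, process exiting
EOF
trap 'rm -f "$SAMPLE_UP" "$SAMPLE_DOWN"' EXIT
# Constructed `ip route` output with the manually added route from the thread.
SAMPLE_ROUTES='default via 172.16.16.254 dev eth0
172.16.16.0/24 dev eth0  proto kernel  scope link  src 172.16.16.1
10.0.10.0/24 dev tunserverB  scope link'

# Run the live check only when called with arguments, e.g.
#   sh s2s-check.sh serverB 10.0.10.1 10.0.10.0/24
if [ $# -eq 3 ]; then
    s2s_status "$@"
    exit $?
fi
```

On a real server the peer address is the other end's tunnel IP and the third argument is the remote LAN that the Site2Site panel is supposed to route; a "MISSING" route with the log saying "up" points at the configuration problem Daniel describes rather than at the firewall.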