Koozali.org: home of the SME Server

smerserver-openvpn-bridge: can connect from LAN, not from WAN

Offline Arnaud

    • GuedeL
Hi,

I'm trying to establish a VPN connection from "outside" to my sme9. I use the contrib smeserver-openvpn-bridge and I followed the wiki for the configuration.
The client is a Fedora.
As written in the title, when the client is connected to the internal side of the sme, the VPN connection is made immediately, but when I connect the client to the external side (= to the same "box" that the sme is connected to) I get no connection.

The address hostname.domain.tld is resolvable and can be pinged from "outside". The "box" is in bridged mode and redirects everything to the sme.

Here is the db of the sme:
Code:
# db configuration show openvpn-bridge
openvpn-bridge=service
    ConfigRequired=disabled
    CrlUrl=http://localhost:940/phpki/index.php?stage=dl_crl_pem
    UDPPort=1194
    access=public
    cipher=AES-256-CFB
    clientToClient=disabled
    endPool=192.168.2.245
    management=localhost:11194:koCBPnQLxNpx9NJNonhUhXNYpE
    maxClients=2
    redirectGW=PerClient
    startPool=192.168.2.240
    status=enabled
    tapIf=tap0
    userAuth=CrtWithPass

Code:
# db configuration show bridge
bridge=service
    bridgeInterface=br0
    ethernetInterface=eth0
    status=enabled
    tapInterface=tap0
VPN connection is allowed for the user in the server-manager (even if it works without that from the LAN).

On the client I get:
Code:
# journalctl -u NetworkManager

juin 15 17:52:29 fedora-compaq.guedel.eu NetworkManager[712]: <info>  [1497541949.1945] audit: op="connection-activate" uuid="cc396581-b172-4720-a381-3f2855b352b8" name="guedel_arnaud_local" pid=5969 uid=1000 result="success"
juin 15 17:52:29 fedora-compaq.guedel.eu NetworkManager[712]: <info>  [1497541949.2014] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: Started the VPN service, PID 7682
juin 15 17:52:29 fedora-compaq.guedel.eu NetworkManager[712]: <info>  [1497541949.2140] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: Saw the service appear; activating connection
juin 15 17:52:45 fedora-compaq.guedel.eu NetworkManager[712]: <info>  [1497541965.1733] keyfile: update /etc/NetworkManager/system-connections/guedel_arnaud_local (cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local")
juin 15 17:52:45 fedora-compaq.guedel.eu NetworkManager[712]: <info>  [1497541965.1904] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN plugin: state changed: starting (3)
juin 15 17:52:45 fedora-compaq.guedel.eu NetworkManager[712]: <info>  [1497541965.1905] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN connection: (ConnectInteractive) reply received
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: OpenVPN 2.4.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 11 2017
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.08
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: TCP/UDP: Preserving recently used remote address: [AF_INET]188.118.130.93:1194
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: UDP link local: (not bound)
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: UDP link remote: [AF_INET]188.118.130.93:1194
juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
juin 15 17:53:45 fedora-compaq.guedel.eu nm-openvpn[7697]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
juin 15 17:53:45 fedora-compaq.guedel.eu nm-openvpn[7697]: TLS Error: TLS handshake failed
juin 15 17:53:45 fedora-compaq.guedel.eu nm-openvpn[7697]: SIGUSR1[soft,tls-error] received, process restarting
juin 15 17:53:45 fedora-compaq.guedel.eu nm-openvpn-serv[7682]: Connect timer expired, disconnecting.
juin 15 17:53:45 fedora-compaq.guedel.eu nm-openvpn[7697]: SIGTERM[hard,init_instance] received, process exiting
juin 15 17:53:45 fedora-compaq.guedel.eu NetworkManager[712]: <warn>  [1497542025.7686] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN connection: connect timeout exceeded.
juin 15 17:53:45 fedora-compaq.guedel.eu NetworkManager[712]: <warn>  [1497542025.7720] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN plugin: failed: connect-failed (1)
juin 15 17:53:45 fedora-compaq.guedel.eu NetworkManager[712]: <info>  [1497542025.7729] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN plugin: state changed: stopping (5)
juin 15 17:53:45 fedora-compaq.guedel.eu NetworkManager[712]: <info>  [1497542025.7735] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN plugin: state changed: stopped (6)
juin 15 17:53:45 fedora-compaq.guedel.eu NetworkManager[712]: <info>  [1497542025.7763] vpn-connection[0x55bd530a24e0,cc396581-b172-4720-a381-3f2855b352b8,"guedel_arnaud_local",0]: VPN service disappeared
juin 15 18:00:14 fedora-compaq.guedel.eu NetworkManager[712]: <info>  [1497542414.7628] device (enp3s0): state change: activated -> unavailable (reason 'carrier-changed') [100 20 40]
juin 15 18:00:14 fedora-compaq.guedel.eu NetworkManager[712]: <info>  [1497542414.7681] manager: NetworkManager state is now CONNECTED_LOCAL
juin 15 18:00:14 fedora-compaq.guedel.eu NetworkManager[712]: <info>  [1497542414.7688] manager: NetworkManager state is now DISCONNECTED
=> At 17:33:45 there is/was a TLS error.
and before: juin 15 17:52:45 fedora-compaq.guedel.eu nm-openvpn[7697]: UDP link local: (not bound) => is it normal?

I noticed that there are no logs in "openvpn-bridge" for such a failing connection :shock:. Connections from "inside" are visible in the logs. So I'm not sure that a request for a connection is reaching the sme (= the client doesn't try to connect).

My questions are: why do I get this TLS error only when connecting from "outside"? And how to solve it (of course...)?

Thanks.
Arnaud

Offline Daniel B.

    • Firewall Services, network security
Re: smerserver-openvpn-bridge: can connect from LAN, not from WAN
« Reply #1 on: June 15, 2017, 07:07:35 PM »
So, you have a router (your box) and the external interface of your SME Server connected to it. The external IP of your SME Server is probably something like 192.168.x.y while hostname.domain.tld resolves to 188.118.130.93. This public IP 188.118.130.93 is not the one of your SME, but the one of your router. Your router receives this, but won't NAT it to the SME Server external IP because it's coming from the internal network (from your router's POV). This would require your router to support NAT reflection. It should work from the outside (I mean from another location). If you want it to work when you're behind your box, you need to either use the external IP of your SME in the VPN connection, or a DNS name which will resolve to the external IP of your SME.
It's the end of the world!!! :lol:
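To make the NAT-reflection point concrete, here is a small model of the topology Daniel describes. This is an added illustration, not code from the thread or from the smeserver-openvpn-bridge contrib; only 188.118.130.93 and UDP port 1194 come from the posted log and db, the LAN segment, the SME external address and the client addresses are assumed.

```python
import ipaddress

# Constructed topology for the scenario in the thread. Only 188.118.130.93
# comes from the posted log; every other address is an assumption.
ROUTER_PUBLIC = ipaddress.ip_address("188.118.130.93")   # the "box" WAN address
ROUTER_LAN = ipaddress.ip_network("192.168.1.0/24")      # assumed: box LAN segment
SME_EXTERNAL = ipaddress.ip_address("192.168.1.10")      # assumed: SME eth0/br0 address
# The box forwards UDP 1194 (the openvpn-bridge UDPPort) to the SME.
PORT_FORWARDS = {(ROUTER_PUBLIC, 1194): (SME_EXTERNAL, 1194)}


def route_udp(src, dst, dport, nat_reflection=False):
    """Where a UDP datagram from src to dst:dport lands, or None if the box drops it.

    Models the box as a consumer router: it forwards public-to-LAN only for
    configured port forwards and, unless NAT reflection (hairpin NAT) is on,
    does not forward LAN-originated traffic aimed at its own public address.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in ROUTER_LAN:
        # Same segment: the client talks straight to the SME external interface.
        return str(dst), dport
    target = PORT_FORWARDS.get((dst, dport))
    if target is None:
        return None
    if src in ROUTER_LAN and not nat_reflection:
        # The OP's case: OpenVPN sends to 188.118.130.93:1194 from the LAN side,
        # nothing comes back, and the client logs "TLS key negotiation failed".
        return None
    return str(target[0]), target[1]


def resolve_for_client(client_ip):
    """Split-horizon answer for hostname.domain.tld: the direct LAN address for
    LAN clients, the public address for everyone else (Daniel's DNS fix)."""
    if ipaddress.ip_address(client_ip) in ROUTER_LAN:
        return str(SME_EXTERNAL)
    return str(ROUTER_PUBLIC)


if __name__ == "__main__":
    lan_client, remote_client = "192.168.1.50", "203.0.113.7"   # assumed
    print("LAN client -> public IP          :", route_udp(lan_client, "188.118.130.93", 1194))
    print("LAN client -> public IP, hairpin :", route_udp(lan_client, "188.118.130.93", 1194, True))
    print("remote client -> public IP       :", route_udp(remote_client, "188.118.130.93", 1194))
    print("LAN client -> split-horizon name :",
          route_udp(lan_client, resolve_for_client(lan_client), 1194))
```

The first call returns None, which is the silent drop behind the client's 60-second TLS timeout; the other three reach the SME.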

Offline Arnaud

    • GuedeL
Many thanks for your detailed explanations and..... the solution! :lol: :cool:

I had completely forgotten that the "box" isn't (only) a stupid switch but has an internal and an external side too!
For 2 days I was looking for failures in a system that runs..... if it is used in the correct way.

Success of the week!
Thanks again.
Bye
Arnaud

Offline cyrano

Re: smerserver-openvpn-bridge: can connect from LAN, not from WAN
« Reply #3 on: June 17, 2017, 01:52:22 AM »
If your SMEserver is configured as router and gateway, you need to configure your BOX as a simple BRIDGE and I think you'll be able to connect.

Offline Arnaud

    • GuedeL
Re: smerserver-openvpn-bridge: can connect from LAN, not from WAN
« Reply #4 on: June 17, 2017, 07:16:54 PM »
No!
That is exactly the mistake I made: even in bridge mode, my box isn't completely stupid and detects that the request comes from its LAN.
Daniel gave the explanations.

Arnaud