Page 1 of 3 (results 1 to 10 of 22)
  1. #1 RiffRaff (Master Untangler; Indianapolis, Indiana, USA; joined Jul 2008; 133 posts)

    Mind Blowing OpenVPN Issue - No Explanation

    This has baffled not only me, but also my mentor, who has forgotten more about networking than I will ever know. Here is the situation:

    One master Untangle Server at corporate office with static public IP; 24 remote store locations with Untangle machines configured to connect to the office server as OpenVPN clients. This setup has pretty much worked flawlessly for over two years.

    I've been converting store locations from AT&T UVerse to Comcast Business. Basically, nothing more than a change of public IP address as far as Untangle is concerned. First three stores went fine. Thursday, while Comcast was installing their gear I upgraded the store's version 11 box to version 12.2.1. Everything worked except the OpenVPN connection. 72 hours later, we are no further along than what we were, and I still have no connection between that store and the office. Here is what we know:

    Reinstalling Untangle version 12 at the store from scratch had no impact.
    My laptop can VPN in to the office Untangle from that store with absolutely no problem. However, a Windows 7 machine utilizing my credentials on that same network cannot.
    Running packet sniffers and tcpdumps, we see no UDP traffic coming in on port 1194 from that store whatsoever, but we know it's leaving the store.
    The Comcast Gateway at the office has all firewalls disabled with UDP 1194 port forwarded to the Untangle Server. We even tried putting Untangle in Comcast's DMZ. Nothing.
    I tried setting up the store's Untangle as an OpenVPN Server and configured the office Untangle to connect as a client. I could see the initial connection made, but then no traffic across the tunnel whatsoever.

    Anything I can think of that would cause this problem is ruled out by the fact that all the other stores work just fine and the fact that my laptop can establish a VPN connection from the store with no trouble.

    Network Setup:
    Store Untangle: 10.1.3.0/24
    Store Comcast: 10.0.3.0/254
    Office Comcast: 10.22.0.0/24
    Office Untangle: 192.168.1.0/24 (yeah, I know. Can't change it yet for other reasons)
    Office Untangle VPN: 172.16.99.0/24

    It feels like a firewall issue to me, but there are no firewalls in place that would block traffic from just this one store.

    Has anybody ever run into a similar problem?

    I'm sending an e-mail to Untangle Support with this information as well, but I need to get this wrapped up soon as our sales and employee hours are sent to the office across the VPN.

    Thanks,
    Riff

    Edit: Also tried deleting and recreating that store's OpenVPN credentials. No effect.
    Last edited by RiffRaff; 03-19-2017 at 01:48 PM.
    Risking my life for people I hate for reasons I don't understand.
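    The check the post describes (tcpdump on the office side showing no UDP/1194 from one store while every other store is visible) is easy to get wrong by eye when two dozen sources are scrolling past. Below is an added example, not code from the thread or from Untangle, that parses what `tcpdump -n` prints for UDP packets and sorts an inventory of store public IPs into silent, misdirected (arriving on some other port, e.g. a broken forward) and talking. The capture text, the store inventory and the office address are constructed sample values in documentation ranges.

```python
import re
from collections import Counter

# Constructed sample capture, in the shape `tcpdump -n` prints UDP packets:
#   HH:MM:SS.usec IP SRC.SPORT > DST.DPORT: UDP, length N
# Addresses are RFC 5737 documentation ranges, not the poster's real ones.
OFFICE_WAN_CAPTURE = """\
13:02:11.100001 IP 203.0.113.10.51234 > 198.51.100.7.1194: UDP, length 42
13:02:11.100452 IP 203.0.113.11.40001 > 198.51.100.7.1194: UDP, length 42
13:02:12.210000 IP 203.0.113.12.60500 > 198.51.100.7.1194: UDP, length 86
13:02:12.250000 IP 203.0.113.12.60500 > 198.51.100.7.1194: UDP, length 86
13:02:13.000000 IP 203.0.113.44.5353 > 198.51.100.7.1194: UDP, length 14
13:02:13.300000 IP 203.0.113.13.33000 > 198.51.100.7.1195: UDP, length 42
13:02:13.400000 IP 203.0.113.99.443 > 198.51.100.7.55432: Flags [P.], seq 1:43, ack 1, win 501, length 42
13:02:14.000000 ARP, Request who-has 198.51.100.1 tell 198.51.100.7, length 28
"""

# Constructed inventory: store name -> the public IP its OpenVPN client leaves from.
STORES = {
    "store-01": "203.0.113.10",
    "store-02": "203.0.113.11",
    "store-03": "203.0.113.12",
    "store-04": "203.0.113.13",
    "store-05": "203.0.113.14",
}
OFFICE_PUBLIC_IP = "198.51.100.7"  # constructed

# Only UDP lines match; TCP ("Flags [...]") and ARP lines are skipped.
UDP_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)


def parse_udp(capture):
    """Yield (src, sport, dst, dport, length) for every UDP line in the capture."""
    for line in capture.splitlines():
        m = UDP_LINE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["len"]))


def packets_per_source(capture, server_ip, port=1194):
    """Count UDP packets per source address that reached server_ip on `port`."""
    counts = Counter()
    for src, _, dst, dport, _ in parse_udp(capture):
        if dst == server_ip and dport == port:
            counts[src] += 1
    return counts


def triage(capture, stores, server_ip, port=1194):
    """Classify each expected store by what the office-side capture shows.

    silent:      nothing from that store's IP reached server_ip on any port
    misdirected: the store's packets arrived, but only on ports other than `port`
    talking:     packet count on the right port
    unknown:     sources on the port that match no store in the inventory
    """
    on_port = Counter()
    other_ports = {}
    for src, _, dst, dport, _ in parse_udp(capture):
        if dst != server_ip:
            continue
        if dport == port:
            on_port[src] += 1
        else:
            other_ports.setdefault(src, set()).add(dport)
    talking = {name: on_port[ip] for name, ip in stores.items() if on_port[ip]}
    misdirected = {name: sorted(other_ports[ip]) for name, ip in stores.items()
                   if ip in other_ports and not on_port[ip]}
    silent = sorted(name for name, ip in stores.items()
                    if not on_port[ip] and ip not in other_ports)
    unknown = sorted(set(on_port) - set(stores.values()))
    return {"silent": silent, "misdirected": misdirected,
            "talking": talking, "unknown": unknown}


if __name__ == "__main__":
    for key, value in triage(OFFICE_WAN_CAPTURE, STORES, OFFICE_PUBLIC_IP).items():
        print(f"{key:12} {value}")
```

    In practice the capture text comes from something like `tcpdump -ni <wan-interface> udp and host <store-ip>` run on the office Untangle's external interface (interface name and store address are yours to fill in); a store that is "silent" here while its own egress capture shows packets leaving points at the path in between, whereas "misdirected" points at the office gateway's forward.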

  2. #2 Jim.Alles (Untangle Ninja; Central PA; joined Jul 2008; 1,415 posts)

    What version NGFW at the Office (Master), and the other stores?

    What version OpenVPN clients on the laptop, and then the Windoze 7 machine?

    The OpenVPN client has been updated.

    This thread might be helpful:
    https://forums.untangle.com/openvpn/...s-version.html

    My first guess is to regenerate the client config for the problem site.
    Last edited by Jim.Alles; 03-19-2017 at 01:52 PM.

  3. #3 RiffRaff (Master Untangler; Indianapolis, Indiana, USA; joined Jul 2008; 133 posts)

    Quote Originally Posted by Jim.Alles View Post
    What version NGFW at the Office (Master), and the other stores?
    12.2.1 at the Office. Other stores are either running version 11 or version 12.2.1. I'm upgrading all of them as I go through them with the Comcast installations.
    Quote Originally Posted by Jim.Alles View Post
    What version OpenVPN clients on the laptop, and then the Windoze 7 machine?

    Laptop: 2.3.10-1ubuntu2
    Windows 7: OpenVPN 2.3.13, OpenVPN GUI 5

    The OpenVPN client has been updated.

    This thread might be helpful:
    https://forums.untangle.com/openvpn/...s-version.html

    My first guess is to regenerate the client config for the problem site.
    I did try that. And I'm not sure it would explain how all the other version 11 and version 12 boxes are connecting with no problem.

    Also, my laptop can connect into the store with no problem.
    Risking my life for people I hate for reasons I don't understand.

  4. #4 sky-knight (Untangle Ninja; Phoenix, AZ; joined Apr 2008; 21,385 posts)

    If the laptop works, and the site to site tunnel doesn't, the only thing I can think of is the client configuration for the site-to-site tunnel is screwed up.

    Have you tried removing the client from the server, regenerating it, and trying again? Heck, have you looked at openvpn.conf to verify the contents of the generated file are correct?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5 Jim.Alles (Untangle Ninja; Central PA; joined Jul 2008; 1,415 posts)

    Do you have a reason against trying IPsec for site-to-site?

    https://wiki.untangle.com/index.php/IPsec_VPN

  6. #6 RiffRaff (Master Untangler; Indianapolis, Indiana, USA; joined Jul 2008; 133 posts)

    Quote Originally Posted by sky-knight View Post
    If the laptop works, and the site to site tunnel doesn't, the only thing I can think of is the client configuration for the site-to-site tunnel is screwed up.

    Have you tried removing the client from the server, regenerating it, and trying again? Heck, have you looked at openvpn.conf to verify the contents of the generated file are correct?
    I did, but I'm willing to try again.

    Here is the openvpn.conf file:

    client
    resolv-retry 20
    keepalive 10 60
    nobind
    mute-replay-warnings
    ns-cert-type server
    comp-lzo
    max-routes 500
    verb 1
    persist-key
    persist-tun
    explicit-exit-notify 1
    dev tun
    proto udp
    port 1194
    cipher AES-128-CBC
    cert keys/xxx.crt
    key keys/xxx.key
    ca keys/xxx.crt
    remote xxx.xxx.xxx.xxx 1194 # public address
    Everything appears correct.
    Risking my life for people I hate for reasons I don't understand.
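    Reading a generated client config by eye, as suggested above, misses two things a script catches: a missing or inconsistent directive, and directives that a newer OpenVPN release rejects or silently ignores. The checker below is an added example (my code, not Untangle's generator or the OpenVPN project's), run against the config posted above with the poster's redactions kept; its deprecation table is my reading of OpenVPN 2.4/2.5 behaviour (`ns-cert-type` deprecated in 2.4 and removed in 2.5 in favour of `remote-cert-tls server`, `comp-lzo` deprecated in 2.4 in favour of `compress`, `max-routes` a no-op since 2.4), and the function names are my own.

```python
# The client config posted in the thread, redactions ("xxx") kept as posted.
THREAD_CONFIG = """\
client
resolv-retry 20
keepalive 10 60
nobind
mute-replay-warnings
ns-cert-type server
comp-lzo
max-routes 500
verb 1
persist-key
persist-tun
explicit-exit-notify 1
dev tun
proto udp
port 1194
cipher AES-128-CBC
cert keys/xxx.crt
key keys/xxx.key
ca keys/xxx.crt
remote xxx.xxx.xxx.xxx 1194 # public address
"""

# Assumption: directives newer OpenVPN releases reject or ignore (2.4/2.5 behaviour).
DEPRECATED = {
    "ns-cert-type": "deprecated in 2.4 and removed in 2.5; use 'remote-cert-tls server'",
    "comp-lzo": "deprecated in 2.4 in favour of 'compress'",
    "max-routes": "a no-op since 2.4",
}
# The minimum a client config needs to even attempt a connection.
REQUIRED = ("client", "dev", "proto", "remote")


def parse_ovpn(text):
    """Return {directive: [args-list, ...]}; '#' and ';' introduce comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def check_client_config(text):
    """Return {'errors': [...], 'warnings': [...]} for an OpenVPN client config.

    errors   block a connection outright (missing remote, no key material, bad port)
    warnings are things that work today but differ between OpenVPN versions
    """
    d = parse_ovpn(text)
    errors, warnings = [], []

    for name in REQUIRED:
        if name not in d:
            errors.append(f"missing '{name}' directive")
    for name, why in DEPRECATED.items():
        if name in d:
            warnings.append(f"'{name}' is {why}")

    proto = d.get("proto", [["udp"]])[0][0]
    default_port = d.get("port", [["1194"]])[0][0]  # OpenVPN's default is 1194
    for args in d.get("remote", []):
        if not args:
            errors.append("'remote' has no host")
            continue
        host = args[0]
        port = args[1] if len(args) > 1 else default_port
        if not port.isdigit() or not 0 < int(port) < 65536:
            errors.append(f"remote {host}: bad port {port!r}")
        elif "port" in d and len(args) > 1 and args[1] != default_port:
            warnings.append(f"remote port {args[1]} differs from 'port {default_port}'")

    # explicit-exit-notify only has meaning on UDP transports.
    if "explicit-exit-notify" in d and not proto.startswith("udp"):
        warnings.append("'explicit-exit-notify' only applies to UDP")

    # Key material: either separate ca/cert/key files or a single pkcs12 bundle.
    if "pkcs12" not in d:
        for name in ("ca", "cert", "key"):
            if name not in d:
                errors.append(f"no '{name}' directive (and no pkcs12)")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    report = check_client_config(THREAD_CONFIG)
    for kind in ("errors", "warnings"):
        for msg in report[kind]:
            print(f"{kind[:-1]:8} {msg}")
```

    On the thread's config the checker reports no errors and three version warnings, which matches the poster's "everything appears correct" for a 2.3-era client and also says what would need changing before the same file is handed to a 2.5 client.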

  7. #7 sky-knight (Untangle Ninja; Phoenix, AZ; joined Apr 2008; 21,385 posts)

    Quote Originally Posted by Jim.Alles View Post
    do you have a reason against trying IPsec for site-to-site?

    https://wiki.untangle.com/index.php/IPsec_VPN
    Beyond the fact that he's port forwarding from a comcrap router which dictates his client side Untangle devices are bridges, therefore not the NAT'ing device, and that would end in a terrible ball of fire?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8 sky-knight (Untangle Ninja; Phoenix, AZ; joined Apr 2008; 21,385 posts)

    Quote Originally Posted by RiffRaff View Post
    I did, but I'm willing to try again.

    Here is the openvpn.conf file:
    Everything appears correct.
    So, if you use those configuration files on a Windows OpenVPN client does it work?

    Better question, can you access the remote administration of the server side Untangle server from that site?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9 RiffRaff (Master Untangler; Indianapolis, Indiana, USA; joined Jul 2008; 133 posts)

    Quote Originally Posted by sky-knight View Post
    So, if you use those configuration files on a Windows OpenVPN client does it work?

    Better question, can you access the remote administration of the server side Untangle server from that site?
    Haven't tried swapping in the configuration files on the Windows machine. I can definitely give that a whack. I cannot access the remote administration without VPN. Both Comcast and Untangle are in router mode using separate IP pools. This method works at all other locations. I have tried both putting the Comcast Gateway in bridge mode and putting Untangle in the Comcast DMZ with no change.
    Risking my life for people I hate for reasons I don't understand.

  10. #10 RiffRaff (Master Untangler; Indianapolis, Indiana, USA; joined Jul 2008; 133 posts)

    Just tried deleting and recreating the client on the server again. No luck. It shows as installed on the client but lists "false" under Remote Server Connection Status.
    Risking my life for people I hate for reasons I don't understand.
