  #1  Jim.Alles (Untangle Ninja, Central PA, joined Jul 2008, 1,714 posts)

    OpenVPN + routing for IoT

    This is new, not urgent.

    I expect to need to post all kinds of details, as this set-up is pretty complicated.
    I believe I am up against a brick wall, because I can't see past my nose at this point.

    Some of the layers are there because of security / segmentation.

    All the UT is v14.2.1

    I have the basics working:
    There is the [M]ain office, and the [R]emote site.
    Both sites have double NAT with NGFW (router mode) inside, and UDP port 1194 forwarded to OpenVPN on [M]
    [M] has the OpenVPN server instance.
    [R] has the OpenVPN client instance.
    [M] has a Building Automation front end client. [FEC]
    [R] has a single IoT server device. [SD]

    OpenVPN dials in and works great. It has NAT checkbox off.
    From NGFW at [M] I can ping NGFW at [R] on its external IP address 192.168.114.14. Not on internal 192.168.137.1, though.
    I can administer NGFW at [R]
    I can ping [SD] from NGFW [R] troubleshooting, and the needed (3) ports are open on [SD] according to Connection Test.

    I can ping [FEC] from NGFW at [R]
    I can't get to 192.168.137.12 on [R] from anywhere in [M]

    I think I am close.
    It just doesn't seem to want to add my route. I keep getting a "Route to unreachable address" Notification, which is baloney. 172.16.236.14 is the OpenVPN link to the NGFW at [R], and quite pingable. See attached screenshot (refreshed)
    (attachment: Notification 2019-08-30 211533.png)
    Is there something obvious I am doing wrong with adding the route?


    I believe this setup I have is also a use case for SD-WAN. I hope to do it more often.

  #2  Jim.Alles (Untangle Ninja, Central PA, joined Jul 2008, 1,714 posts)

    I found a mistake, and made some progress.
    I changed mode on the remote NGFW from bridged to router, and did not give the OpenVPN client configuration the new network.
    That is why I was stuck on the external interface.

    The attached screenshot has what looks like the correct route to me, but No Joy.
    (attachment: route Capture.PNG)

  #3  Jim.Alles (Untangle Ninja, Central PA, joined Jul 2008, 1,714 posts)

    OpenVPN needs route???

    How do I get OpenVPN (client mode) to know where to put these packets it gets at the Remote NGFW?
    This is not making sense, UT has all of this.

    The Windows Client at 192.168.16.99 (main office) says:
    (attachment: tracert Capture.PNG)

    Remote NGFW has:
    (attachment: netstat Capture.PNG)

    Remote NGFW routes are:
    (attachment: routes Capture.PNG)

    OpenVPN client at remote NGFW does:
    (attachment: tcpdump Capture.PNG)

    Server device is awake:
    (attachment: 8760 Capture.PNG)

    Last edited by Jim.Alles; 08-31-2019 at 12:32 PM. Reason: formatting

  #4  sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 24,189 posts)

    OpenVPN exports on the OpenVPN server are the routes that get pushed to clients.

    As far as I know you cannot push a route from a client to the server, you need the IPSec module and an IPSec tunnel to do that.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  #5  Jim.Alles (Untangle Ninja, Central PA, joined Jul 2008, 1,714 posts)

    > sky-knight: OpenVPN exports on the OpenVPN server are the routes that get pushed to clients.
    Yes, and UT is the client and has the last hop.

    > sky-knight: As far as I know you cannot push a route from a client to the server, you need the IPSec module and an IPSec tunnel to do that.
    Don't need to. I did need to configure the route on the server-side NGFW, in order to get the packets over to the remote/client. Those static routes are at the top of the screenshot in the second post.

    I am seeing positive indications that this should work in the OpenVPN documentation. I am trying to find an ifconfig statement or something to stuff into the config file. I don't expect UT to do that for the upload at this time.
    Last edited by Jim.Alles; 08-31-2019 at 10:30 PM.

  #6  Jim.Alles (Untangle Ninja, Central PA, joined Jul 2008, 1,714 posts)

    HehHeh It works.
    With the help of a gotcha to trip me up, I shot myself in the foot on this one.

    The phrase "ICMP TCP port unreachable" can be generated by filter rules. I have a lot blocked on "Any WAN" interfaces to prevent leaking & spoofing.

    I have a mess to clean up there.

    Although my server isn't answering, the packets are hitting eth1, so mark this one solved.
    Last edited by Jim.Alles; 09-01-2019 at 09:56 AM.
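The diagnosis in this post, turned into a small troubleshooting script as an added example that is not part of the original thread or of Untangle: it parses `tcpdump -n` output and, for every ICMP port-unreachable it finds, checks whether the error came from the destination host itself (the port is really closed) or from another device answering on the destination's behalf, which is what a firewall filter rule does (the default iptables REJECT target sends ICMP port unreachable, even for TCP). The capture lines are constructed around the thread's addresses; the port numbers are placeholders, not the three ports the thread leaves unnamed.

```python
"""Classify ICMP 'port unreachable' messages in tcpdump output.

Added troubleshooting example, not from the thread or from Untangle. A port
unreachable whose ICMP source is the destination host means no listener on
that port; one whose ICMP source is some other device means that device
rejected the packet (a filter rule), even though the destination may be fine.
"""
import re
from dataclasses import dataclass

# tcpdump -n prints a port-unreachable error as
#   <ts> IP <icmp_src> > <icmp_dst>: ICMP <orig_dst> tcp port <port> unreachable, length <n>
UNREACHABLE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<icmp_src>[\d.]+) > (?P<icmp_dst>[\d.]+): "
    r"ICMP (?P<orig_dst>[\d.]+) (?P<proto>tcp|udp) port (?P<port>\d+) unreachable"
)


@dataclass(frozen=True)
class Unreachable:
    ts: str
    icmp_src: str   # device that generated the ICMP error
    icmp_dst: str   # original sender being told
    orig_dst: str   # host the original packet was addressed to
    proto: str
    port: int


def parse_unreachables(lines):
    """Keep only the ICMP port-unreachable lines; TCP/UDP data lines are skipped."""
    found = []
    for line in lines:
        m = UNREACHABLE_RE.match(line.strip())
        if m:
            found.append(Unreachable(m["ts"], m["icmp_src"], m["icmp_dst"],
                                     m["orig_dst"], m["proto"], int(m["port"])))
    return found


def classify(u, firewall_addrs):
    if u.icmp_src == u.orig_dst:
        return "closed-on-host"        # the destination itself answered: nothing listening there
    if u.icmp_src in firewall_addrs:
        return "rejected-by-firewall"  # a firewall spoke for the destination: check its filter rules
    return "rejected-in-path"          # some other hop on the way rejected it


def analyze(lines, firewall_addrs):
    return [(u.orig_dst, u.proto, u.port, classify(u, firewall_addrs))
            for u in parse_unreachables(lines)]


# Constructed capture using the thread's addresses: 192.168.16.99 is the Windows
# client at [M], 192.168.137.12 the server device [SD] behind the [R] NGFW, whose
# internal address is 192.168.137.1. Ports 10001-10003 are placeholders.
SAMPLE_CAPTURE = """\
21:15:33.100 IP 192.168.16.99.50123 > 192.168.137.12.10001: Flags [S], seq 1, win 64240, length 0
21:15:33.101 IP 192.168.137.1 > 192.168.16.99: ICMP 192.168.137.12 tcp port 10001 unreachable, length 36
21:15:40.200 IP 192.168.16.99.50124 > 192.168.137.12.10002: Flags [S], seq 1, win 64240, length 0
21:15:40.201 IP 192.168.137.12 > 192.168.16.99: ICMP 192.168.137.12 tcp port 10002 unreachable, length 36
21:15:41.000 IP 192.168.16.99.50125 > 192.168.137.12.10003: Flags [S], seq 1, win 64240, length 0
21:15:41.002 IP 192.168.137.12.10003 > 192.168.16.99.50125: Flags [S.], seq 2, ack 2, win 65535, length 0
""".splitlines()

# Addresses of the remote NGFW as quoted in the thread (internal, tunnel, external).
REMOTE_NGFW_ADDRS = {"192.168.137.1", "172.16.236.14", "192.168.114.14"}

if __name__ == "__main__":
    for row in analyze(SAMPLE_CAPTURE, REMOTE_NGFW_ADDRS):
        print(row)
```

On the sample, the first connection is reported unreachable by 192.168.137.1, the firewall, not by the server device, which is the signature of a filter rule; the second is refused by the device itself; the third completes its handshake and produces no ICMP at all.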

  #7  Jim.Alles (Untangle Ninja, Central PA, joined Jul 2008, 1,714 posts)

    And a bit of a follow-up, my server device is now answering (I missed the default gateway setting - it is an IoT device, not a Windows box).

    I still have the notification alert on a 'route to unreachable address' that is passing traffic, opened a ticket on that, and a bug report is to be filed.
    Last edited by Jim.Alles; 09-05-2019 at 04:43 AM.

  #8  Jim.Alles (Untangle Ninja, Central PA, joined Jul 2008, 1,714 posts)

    > Jim.Alles: I still have the notification alert on a 'route to unreachable address' that is passing traffic, opened a ticket on that, and a bug report is to be filed.
    > sky-knight: OpenVPN exports on the OpenVPN server are the routes that get pushed to clients.
    This is true. And I have learned the following:
    1. The exports listed are global: all clients get them all.
    2. If the OpenVPN [Address Space] subnet is included here, clients can route to each other.
    3. OpenVPN maintains its own independent routing table. It would not do any good to try to create a static route through OpenVPN on an NGFW client that OpenVPN doesn't know about. So UT doesn't allow that, making the 'route to unreachable address' notification correct since NGFW won't insert this route into the kernel table, but confusing in this corner case, where the next hop is reachable, but through OpenVPN.
    4. OpenVPN establishes those routes gracefully when it starts, and tears them down when a session is done.
    5. A Hack, at this time: Routes can be established in each OpenVPN client's config file. This affects NGFW routing on the client box only. It does not get pushed to the server, and does not need to be.


    I am doing further research on this last item.

    There is also service/openvpn/server/remote_clients

    In the case of NGFW as an OpenVPN client, any and all of the networks on the NGFW interfaces can be listed, if you want to route to them. It is not obvious that the convention of a comma separated list is available here. I do this in the screenshot to successfully administrate the modem configuration on External.

    (attachment: remote networks Capture.PNG)
    Last edited by Jim.Alles; 09-17-2019 at 11:02 AM. Reason: why
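The corner case in item 3, modelled as an added example that is not part of the original thread and is not Untangle NGFW or OpenVPN code. It assumes two things, both labelled in the code: the firewall validates a static route's next hop only against the interface networks in its own configuration, and OpenVPN writes its tunnel routes straight into the kernel table when a session starts and removes them when it stops (items 3 and 4). With that model, a static route for 192.168.137.0/24 via 172.16.236.14 on the [M] NGFW is flagged "route to unreachable address" both before and during the session, yet the kernel forwards to the server device through tun0 while the session is up. The addresses are the ones quoted in the thread; the interface names and the remote-network list are constructed.

```python
"""Model of the 'route to unreachable address' corner case (item 3 above).

Added illustration, not Untangle NGFW or OpenVPN code. Assumptions: the firewall
checks a static route's next hop against only its configured interface networks,
while OpenVPN installs its routes directly into the kernel table on session start
and removes them on stop. Interface names and the remote-network list are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[IPv4Address] = None  # None: directly connected network
    owner: str = "static"              # who installed the route


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def remove_owned_by(self, owner: str) -> None:
        self.routes = [r for r in self.routes if r.owner != owner]

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, the way a kernel forwarding lookup picks a route."""
        addr = ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def is_connected(self, addr: str) -> bool:
        r = self.lookup(addr)
        return r is not None and r.via is None


def validate_static_route(configured: RoutingTable, via: str) -> Tuple[bool, str]:
    """Assumed NGFW check: a next hop must lie on a directly connected, configured network."""
    if configured.is_connected(via):
        return True, "ok"
    return False, f"route to unreachable address: {via} is not on a configured interface network"


class OpenVPNServerSession:
    """On start, installs the tunnel link route plus a route to each remote client
    network (the remote_clients list) via that client's tunnel address; on stop,
    removes everything it installed (item 4)."""

    def __init__(self, kernel: RoutingTable, dev: str, link_net: str,
                 remote_networks: Dict[str, str]) -> None:
        self.kernel, self.dev = kernel, dev
        self.link_net = ip_network(link_net)
        # remote network -> tunnel address of the client that owns it
        self.remote_networks = {ip_network(n): ip_address(v) for n, v in remote_networks.items()}

    def start(self) -> None:
        self.kernel.add(Route(self.link_net, self.dev, owner="openvpn"))
        for net, via in self.remote_networks.items():
            self.kernel.add(Route(net, self.dev, via=via, owner="openvpn"))

    def stop(self) -> None:
        self.kernel.remove_owned_by("openvpn")


def main_office_tables() -> Tuple[RoutingTable, RoutingTable]:
    """The [M] NGFW: what its configuration knows, and the live kernel table."""
    configured = RoutingTable()
    configured.add(Route(ip_network("192.168.16.0/24"), "eth1"))  # main office LAN (constructed dev name)
    kernel = RoutingTable()
    kernel.routes = list(configured.routes)
    return configured, kernel


def demo() -> Dict[str, object]:
    configured, kernel = main_office_tables()
    via = "172.16.236.14"  # tunnel address of the [R] NGFW, next hop for 192.168.137.0/24
    sd = "192.168.137.12"  # the server device behind [R]

    before = validate_static_route(configured, via)
    session = OpenVPNServerSession(kernel, "tun0", "172.16.236.0/24", {"192.168.137.0/24": via})
    session.start()
    during = validate_static_route(configured, via)  # still flagged: tun0 is not a configured interface
    path_during = kernel.lookup(sd)                   # yet the kernel forwards via tun0
    session.stop()
    path_after = kernel.lookup(sd)                    # tunnel down: no path at all

    return {
        "validator_before": before[0],
        "validator_during": during[0],
        "message": during[1],
        "kernel_dev_during": path_during.dev if path_during else None,
        "kernel_dev_after": path_after.dev if path_after else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two tables are the whole point: the validator never sees the 172.16.236.0/24 link route because OpenVPN owns it, so its verdict is correct for the configuration it checks and wrong for the kernel as it actually runs; the remote-network list (the thread's service/openvpn/server/remote_clients) is what lets the session install the route the static entry was trying to express.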
