
how to tunnel proprietary VPN through OpenVPN jumpbox?


Tom Roche

Jan 16, 2015, 1:07:25 AM
BACKGROUND:
* If there is a better newsgroup (or other channel) for this question, please let me know.
* Post contains one ASCII-art diagram, also available via link.
* Links in footnotes @ end of post.
* Apologies if this is tl;dr but the problem seems somewhat complex (at least to me)

SUMMARY: I seek to tunnel an F5 SSL VPN (hard requirement) through an OpenVPN server (apparently required) in order to shell into a compute cluster behind a firewall. I can access the required F5 remote-access website (RAW) through the OpenVPN tunnel, but lose DNS once I activate the F5VPN using the RAW's web GUI. I suspect this is due to a problem with my OpenVPN configuration, since direct access using the F5VPN (unfortunately now disallowed) worked for me in the past; specifically I suspect my OpenVPN server is not enabling my F5VPN client to see/use the DNS server(s) inside the firewall.

How to fix? Alternatively,

* what else do I need to learn/discover before a fix can be applied?
* where else should I go for help?
* is there a better way to do what I need?

DETAILS:

This seems pretty complicated (to me, anyway), and I'm hoping to make whatever I discover available for others, so I'm maintaining my code/configs as project=linode_jumpbox_config[1] and documenting @ that project's wiki[2] (which has a glossary[3] which may clarify terms used below).

The details on what I'm trying to do[4] are hopefully summarized by this ASCII art (web-rendered here[4] in case you're not reading this in monospace):

<-MY CONTROL | AGENCY CONTROLLED->
firewall
+----------+ +-----------+ +---------------+ | +---------+
| laptop + | | linode + | | remote-access | | | cluster |
| F5NAP + | <--> | OpenVPN + | <---> | website + | <-|-> | node(s) |
| OpenVPN | | security | | F5VPN | | | |
+----------+ +-----------+ +---------------+ | +---------+

Both laptop and linode are running Debian, and I configure them. I know almost nothing about what agency=='US EPA'[5] runs, and have even less control. The agency requires me to run an F5NAP=='F5 Network Access Plugin'[6] in order to access the agency's F5VPN which enables access to compute clusters on which I need to do research (I'm a student). In the past I could run the F5NAP directly from my laptop to access the F5VPN[7], but this was recently broken by access-policy change[8].

To accommodate the new policies, I'm trying to tunnel through a linode jumpbox[1], such that the linode satisfies all the new requirements (notably, static IP#[8]). Most of the linode's pre-OpenVPN networking is configured by this bash script[9], which (hopefully) automates this manual procedure[10]. (Details on the entire networking+OpenVPN install+configuration starts here[11], and is mostly automated. The automating scripts[12] unfortunately need more structure and commenting, but should be relatively readable. Questions are welcomed; pull requests even more so.)

My implementation of my design works only for the following sequence (details here[13]), after which it fails:

1. I can start an OpenVPN server on my linode[14] (via SSH from my laptop) apparently successfully.

2. On my laptop, if I browse to (e.g.) http://www.whatismyip.com , I see a "normal" (for my ISP) IP#.

3. I can then start an OpenVPN client on my laptop[15] (in a bash shell/terminal), again apparently successfully.

4. On my laptop, if I browse to http://www.whatismyip.com (using my normal, Debian-packaged browser=Firefox), as expected I now see the IP# of my linode. This is essential, since that IP# is on the agency's whitelist.

5. On my laptop, I can start my F5NAP'ed Firefox[6], and with that browse to http://www.whatismyip.com/ , and still see my linode's IP#.

6. Using the F5NAP'ed Firefox (on my laptop), I can browse to the agency's remote-access website and login normally.

7. Using (from the F5NAP'ed Firefox on my laptop) the web GUI provided (post-authentication) by the remote-access website, I can start the F5VPN, and see status==Connected in the F5VPN UI. This is what I expect from "the good old days" when I could run the F5VPN directly from my laptop[16].

At this point, in "the good old days," I could go to any shell/gnome-terminal on my laptop, utter `ssh fqdn.for.a.cluster.login.node.at.epa.gov`, and get to work. But not now :-(

Currently I am broken at this point in the sequence (details here[17]). Specifically, I lose DNS, which

* (immediately) causes SSH to fail, preventing me from running SSH to any cluster login node (which is the whole point of this exercise).

* (eventually) breaks the OpenVPN tunnel, which means the F5VPN no longer sees the registered/whitelisted IP#, causing it to drop my connection.

How to fix or debug? Complications for debugging/support include:

1. F5 (the agency's VPN vendor) is completely proprietary, and barely supports Linux. My attempts to get support from them have been mostly ignored.

2. The agency barely supports Linux internally, for users. (Of course the scientific-research clusters which we seek to use are *all* Linux, but they're supported by separate contractors who only support the clusters themselves, not access *to* the clusters.) The agency barely *tolerates* Linux for remote access, and especially by non-employees like me. (I'm a student.)

Net: I suspect I can get answers to some direct, specific questions from agency support, but I know (from bitter experience) that I cannot get support if I just say to them (as I am to you now) "this isn't working--what should I do?" I know especially that I cannot get help with anything related to a Linux client: agency client-side support is (AFAICS) *strictly* limited to Windows XP (no lie!)

How to fix this problem? (FWIW, I will document the fix @ project wiki[2], and my effusive praise for anyone who provides any assistance will last ... as long as its git repo does :-) Alternatively,

* what else do I need to learn/discover before a fix can be applied?
* where else should I go for help?
* is there a better way to do what I need?

If feasible, please reply to me as well as to the group, and thanks in advance! Tom Roche <Tom_...@pobox.com>

[1]: https://bitbucket.org/tlroche/linode_jumpbox_config
[2]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-glossary
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[5]: http://www.epa.gov/ , part of the US Federal government.
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5nap
[7]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5vpn-only-access
[8]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-aug-2014-policy-change
[9]: https://bitbucket.org/tlroche/linode_jumpbox_config/raw/HEAD/scripts/OpenVPN_install_server.sh
[10]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-network-configuration
[11]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-id6
[12]: https://bitbucket.org/tlroche/linode_jumpbox_config/src/HEAD/scripts/?at=master
[13]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-dns-problem
[14]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-test-server-startup
[15]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-client-test
[16]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5vpn-only-access
[17]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-dns-breakage

Chris Davies

Jan 16, 2015, 10:00:05 AM
Tom Roche <tom_...@pobox.com> wrote:
> SUMMARY: [...] I suspect my OpenVPN server is not enabling my F5VPN
> client to see/use the DNS server(s) inside the firewall.

Set your OpenVPN client to accept DNS settings from the server. The
keyword here is "pull", which presupposes the server is actually trying
to push them. (This keyword will also pull routing, so you may want
"route-nopull" if you prefer to define your own.)

You will also need these three lines, which allows a Linux-based client
to make use of the DNS settings it's been given:

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

Check your DNS settings in /etc/resolv.conf after your OpenVPN client
has connected, to confirm that you have the correct values.

Chris
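
As an added example (not code from the thread or from the linode_jumpbox_config project), here is a small lint for the client.conf pitfalls Chris lists: `pull`/`client` missing, `route-nopull` present, `up`/`down` hooks listed without `script-security 2`, and a hook that is not executable. The two configs it is run on are constructed for the example; the hook path, `vpn.example.net` and the port are assumptions, not values from the poster's real client.conf.

```shell
#!/bin/sh
# Added example, not from the thread or the linode_jumpbox_config project.
# Lints an OpenVPN client config for the DNS pitfalls discussed above and
# demonstrates it on two constructed configs.  The hook path, server name and
# port below are assumptions, not values from the poster's client.conf.

# has_directive CONF NAME: true if CONF contains a line starting with NAME.
has_directive() {
  grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# check_openvpn_client_conf CONF: print one line per problem; return 0 if
# there are none, 1 otherwise.
check_openvpn_client_conf() {
  conf=$1
  problems=0

  # "client" implies "pull"; without one of them, pushed dhcp-option and
  # route lines from the server are silently ignored.
  if ! has_directive "$conf" client && ! has_directive "$conf" pull; then
    echo "no 'client' or 'pull': server-pushed DNS and routes will be ignored"
    problems=$((problems + 1))
  fi

  # route-nopull discards pushed routes, and on recent OpenVPN versions the
  # pushed dhcp-option (DNS) lines too, so DNS must then be set by hand.
  if has_directive "$conf" route-nopull; then
    echo "'route-nopull' present: pushed routes (and, on recent OpenVPN, pushed DNS) are discarded"
    problems=$((problems + 1))
  fi

  # up/down hooks such as update-resolv-conf only run with script-security 2 or higher.
  if { has_directive "$conf" up || has_directive "$conf" down; } \
     && ! grep -Eq '^[[:space:]]*script-security[[:space:]]+[23]' "$conf"; then
    echo "'up'/'down' present without 'script-security 2': the resolv.conf hook will never run"
    problems=$((problems + 1))
  fi

  # The hook must exist and be executable, or OpenVPN logs an error instead of running it.
  for hook in $(awk '$1 == "up" || $1 == "down" { print $2 }' "$conf" | sort -u); do
    if [ ! -x "$hook" ]; then
      echo "hook $hook is missing or not executable"
      problems=$((problems + 1))
    fi
  done

  [ "$problems" -eq 0 ]
}

# write_demo_configs: create a broken and a fixed client.conf (constructed for
# this example) plus a stand-in hook in a temp dir; print the dir.
write_demo_configs() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\nexit 0\n' > "$dir/update-resolv-conf"
  chmod +x "$dir/update-resolv-conf"
  # Broken: the hooks are listed, but script-security is missing, which is
  # the omission discussed in this thread.
  printf '%s\n' client 'dev tun' 'proto udp' 'remote vpn.example.net 1194' \
    "up $dir/update-resolv-conf" "down $dir/update-resolv-conf" > "$dir/broken.conf"
  # Fixed: the same config plus script-security 2.
  printf '%s\n' client 'dev tun' 'proto udp' 'remote vpn.example.net 1194' \
    'script-security 2' "up $dir/update-resolv-conf" "down $dir/update-resolv-conf" > "$dir/fixed.conf"
  echo "$dir"
}

# Stand-alone run; on a real client: check_openvpn_client_conf /etc/openvpn/client.conf
d=$(write_demo_configs)
for f in broken fixed; do
  echo "== $f.conf"
  check_openvpn_client_conf "$d/$f.conf" && echo "no problems found"
done
```

Two things the lint cannot see: the client can only pull what the server actually pushes, so server.conf needs a line of the form `push "dhcp-option DNS 10.8.0.1"` (address assumed); and Debian's `/etc/openvpn/update-resolv-conf` hook hands the pushed servers to `resolvconf`, so that package has to be installed for /etc/resolv.conf to change at all.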

Pascal Hambourg

Jan 16, 2015, 4:56:51 PM
Tom Roche wrote:
>
> SUMMARY: I seek to tunnel an F5 SSL VPN (hard requirement) through an OpenVPN server (apparently required) in order to shell into a compute cluster behind a firewall. I can access the required F5 remote-access website (RAW) through the OpenVPN tunnel, but lose DNS once I activate the F5VPN using the RAW's web GUI. I suspect this is due to a problem with my OpenVPN configuration, since direct access using the F5VPN (unfortunately now disallowed) worked for me in the past; specifically I suspect my OpenVPN server is not enabling my F5VPN client to see/use the DNS server(s) inside the firewall.

One thing I don't understand. In your web page, you wrote:

> good news: I can still ping IP#s, e.g.,
>
> $ ping -c 4 www.whatismyip.com
> PING www.whatismyip.com (141.101.120.15) 56(84) bytes of data.
> 64 bytes from 141.101.120.15: icmp_seq=1 ttl=56 time=95.1 ms
(...)
> bad news: DNS fails, e.g.,
>
> $ nslookup www.whatismyip.com
> ;; connection timed out; no servers could be reached

But your ping command requires name resolution to retrieve the IP
address to send the packets to. Does it send a DNS request, or did you
add www.whatismyip.com to your /etc/hosts file? If the former, can you
capture and compare the DNS traffic of the two commands?

Tom Roche

Jan 17, 2015, 4:29:02 PM
Tom Roche Thu, 15 Jan 2015 22:07:22 -0800 (PST)[1]
>>> I seek to tunnel an F5 SSL VPN (hard requirement) through an OpenVPN server (apparently required) in order to shell into a compute cluster behind a firewall. I can access the required F5 remote-access website (RAW) through the OpenVPN tunnel, but lose DNS once I activate the F5VPN using the RAW's web GUI.

Chris Davies Fri, 16 Jan 2015 14:25:15 +0000[2]
>> Set your OpenVPN client to accept DNS settings from the server. The keyword here is "pull"

Apologies for dullness on my part, but I am a newbie (particularly to OpenVPN, but I'm not so strong on Linux networking either--I'm basically a developer who's been forced to do much more administration than I would prefer). What exactly should I add to my client.conf?[3] (Note I will cheerfully RTFM if pointed to documentation.)

>> You will also need these three lines, which allows a Linux-based client to make use of the DNS settings it's been given:

>> script-security 2
>> up /etc/openvpn/update-resolv-conf
>> down /etc/openvpn/update-resolv-conf

I had the latter 2 lines (see my client.conf[3]); I will add the first.

Pascal Hambourg Fri, 16 Jan 2015 22:56:46 +0100[4]
> One thing I don't understand. In you web page, you wrote :

> > good news: I can still ping IP#s, e.g.,

> > $ ping -c 4 www.whatismyip.com

Good point! I'm not sure if that's cut-n-paste error on my part, or an artifact of the name-resolution process. I will rebuild the server[5] and attempt to reproduce.

> did you add www.whatismyip.com to your /etc/hosts

I can certainly say I did *not* add and have not added www.whatismyip.com to /etc/hosts on either my OpenVPN server or client.

> can you capture and compare the DNS traffic of the two commands ?

How would I do that? Seriously--I don't know, but would cheerfully RTFM if pointed to documentation.

Your assistance is appreciated! Tom Roche <Tom_...@pobox.com>

[1]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/9872Q8gZB9QJ
[2]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/rmY-GUngTFMJ
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-client-conf
[4]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/cCBJhpb6T6oJ
[5]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-install-process

Pascal Hambourg

Jan 17, 2015, 5:47:22 PM
Tom Roche wrote:
>
>> can you capture and compare the DNS traffic of the two commands ?
>
> How would I do that?

In console: tcpdump, tshark
In GUI: wireshark
Filter on "port 53" for DNS traffic. E.g.:
tcpdump -n -i any port 53
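
As an added example (not from the thread), the following turns the capture Pascal suggests into the comparison he asks for: it reads `tcpdump -n port 53` text output and lists every query that never received a reply, keyed on the DNS transaction id. The four capture lines are constructed for the example (the resolver address 10.8.0.1 and the name `login.cluster.example.` are made up; 141.101.120.15 is the address from the poster's own ping output). It assumes plain tcpdump summary lines (no `-v`) and, because newer tcpdump prefixes `-i any` lines with the interface and direction, it locates the `src > dst:` separator instead of relying on fixed columns.

```shell
#!/bin/sh
# Added example, not from the thread.  Finds DNS queries with no reply in
# `tcpdump -n port 53` output so that two commands (e.g. ping vs nslookup)
# can be compared.  Assumes plain tcpdump summary format (no -v).

# unanswered_dns: read tcpdump lines on stdin, print "id server qname" for
# every query id that has no matching response, sorted by id.
unanswered_dns() {
  awk '
    {
      # Locate the "src > dst:" separator; with -i any, newer tcpdump prints
      # the interface and direction before "IP", so columns are not fixed.
      for (i = 1; i <= NF; i++) if ($i == ">") break
      if (i > NF) next
      src = $(i - 1); dst = $(i + 1)
      id = $(i + 2); gsub(/[^0-9]/, "", id)   # drop flag chars such as "+"
      if (dst ~ /\.53:$/) {                   # query sent to a resolver
        sub(/\.53:$/, "", dst)
        pending[id] = dst " " $(i + 4)        # "server qname"
      } else if (src ~ /\.53$/) {             # reply from a resolver
        delete pending[id]
      }
    }
    END { for (id in pending) print id, pending[id] }
  ' | sort -n
}

# Constructed capture: one lookup answered, one retried twice and never answered.
SAMPLE_DNS_DUMP='12:00:01.000000 IP 10.8.0.6.41234 > 10.8.0.1.53: 12345+ A? www.whatismyip.com. (36)
12:00:01.050000 IP 10.8.0.1.53 > 10.8.0.6.41234: 12345 1/0/0 A 141.101.120.15 (52)
12:00:06.000000 IP 10.8.0.6.41235 > 10.8.0.1.53: 12346+ A? login.cluster.example. (39)
12:00:11.000000 IP 10.8.0.6.41235 > 10.8.0.1.53: 12346+ A? login.cluster.example. (39)'

# Stand-alone run.  Live use: `sudo tcpdump -n -i any port 53 > dns.log`
# while running ping and nslookup, then `unanswered_dns < dns.log`.
printf '%s\n' "$SAMPLE_DNS_DUMP" | unanswered_dns
```

The output names the resolver each dead query went to, which is the first thing to compare against /etc/resolv.conf: a query to a server that is only reachable through a tunnel that just changed is a routing problem, not a DNS one.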

Tom Roche

Jan 18, 2015, 10:47:50 PM
[Apologies for any duplicate messages: I tried to send the following via `inews` but I don't have that correctly configured. Someday I have gotta setup `gnus`.]

I have just finished

1. clarifying logging. Main log no longer goes to syslog, status log path is no longer default, both paths are set in client.conf[1] and server.conf[2].
2. documenting logging. The evolution of the logs through the various stages of my problem are now hopefully documented helpfully for both client[3] and server[4].
3. improving code[5] (hopefully) by increasing parameterization (most variables should only get set once, and more get set by the user's private.properties) and automating some setup/cleanup
4. rerunning the problem after rebuilding server and relevant bits of the client

The main difference now is, the behavior I reported that confused Pascal Hambourg[6] has now disappeared (if it was ever there): after I connect to the F5VPN[7] (which is the proprietary VPN I need to tunnel through an OpenVPN) I completely lose all connectivity (both DNS and raw `ping`) until I disconnect from the F5VPN.

Chris Davies Fri, 16 Jan 2015 14:25:15 +0000[8]
>>> Set your OpenVPN client to accept DNS settings from the server. The keyword here is "pull"

Tom Roche Sat, 17 Jan 2015 13:28:58 -0800 (PST)[9]
>> What exactly should I add to my client.conf? (Note I will cheerfully RTFM if pointed to documentation.)

I would still very much like to know how to do this. Note again my current client.conf contents[1].

Pascal Hambourg Sat, 17 Jan 2015 23:47:19 +0100[10]
> Filter on "port 53" for DNS traffic. Ex : `tcpdump -n -i any port 53`

I hope to try that tomorrow.

your assistance (and tolerance of newbie stumbling) is appreciated, Tom Roche <Tom_...@pobox.com>

[1]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-client-conf
[2]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-server-conf
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-client-logs
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-server-logs
[5]: https://bitbucket.org/tlroche/linode_jumpbox_config/src/HEAD/scripts/?at=master
[6]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/cCBJhpb6T6oJ
[7]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-dns-problem
[8]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/rmY-GUngTFMJ
[9]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/bddTLoNO6ekJ
[10]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/stbvBHGoqdQJ

Tauno Voipio

Jan 19, 2015, 3:32:01 AM
On 19.1.15 05:47, Tom Roche wrote:
>
> The main difference now is, the behavior I reported that confused Pascal Hambourg[6] has now disappeared (if it was ever there): after I connect to the F5VPN[7] (which is the proprietary VPN I need to tunnel through an OpenVPN) I completely lose all connectivity (both DNS and raw `ping`) until I disconnect from the F5VPN.

This is a default behavior in most commercial VPN's. Its purpose
is to prevent sneak paths to/from the VPN's tunneled network via
the client computer.

It seems to me that you're attempting to do something that the
VPN target network's owner does not like.

--

Tauno Voipio


Tom Roche

Jan 19, 2015, 11:48:41 AM
Tauno Voipio Mon, 19 Jan 2015 10:31:57 +0200[1]
> This is a default behavior in most commercial [VPNs]. [...] It seems to me that you're attempting to do something that the VPN target network's owner does not like.

Since you may not have read this[2] or found it unclear:

1. Neither of the VPNs I'm using are commercial in the sense of "commercial service." The government agency whose cluster I'm trying to reach owns the instance of the proprietary VPN[3] they've deployed (hardware and software), and I rent the hardware on which I have deployed the OpenVPN.

2. Similarly, the compute cluster to which I'm trying to tunnel is not a commercial service: it's a government-run scientific research facility.

3. No one at the agency has said "you can't do this," and they are usually fairly upfront/aggressive about usage they prohibit.

4. As previously noted[4], I am still quite inexperienced with Linux networking and advanced IP networking generally, and OpenVPN in particular.

I Could Be Wrong, but given the above, ISTM reasonable to conclude that "user error" on my end is more likely than blockage on the agency end.

[1]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/ijhXEl4H09gJ
[2]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-motivation
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-f5vpn
[4]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/bddTLoNO6ekJ

Tauno Voipio

Jan 19, 2015, 1:45:22 PM
The blockage is at your end. The tunneling client code in your host
kills other network routes when tunneling is activated.

By 'commercial' I intended to say 'ready-made, not open'.

Is it possible to make a sketch of the networking you'd like to set up?

Please check what the following commands (as root) report:

ifconfig
route -n

in different situations:

a) when your VPN client is off
b) when your VPN client is activated

OpenVPN is pretty clear. In default configuration, it tunnels the client
network frames (either Ethernet (layer 2) or IP (layer 3))
using UDP port 1194 to transfer the encrypted packets.

If you have a separate box running OpenVPN, it seems to me that
it has a firewall set up so that only the client network (tunnel
inside) packets are transferred.

--

-TV
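
As an added example (not from the thread or the linode_jumpbox_config project), here is a way to make the before/after route comparison Tauno asks for mechanical: diff two `ip route` snapshots, then ask which interface a packet to the OpenVPN server's public address would leave on in each one, since that is the route that has to survive for the outer tunnel to stay up. The snapshots are constructed for illustration only: 203.0.113.10 stands in for the jumpbox's public IP, tun0 for the OpenVPN tunnel, tun1 for a second VPN client's tunnel, and the "after" state is an assumed one, not observed output from the F5 client. The lookup does longest-prefix match over IPv4 only and ignores metrics and extra routing tables.

```shell
#!/bin/sh
# Added example, not from the thread or the linode_jumpbox_config project.
# Compares two `ip route` snapshots (before/after activating a VPN client)
# and answers the question the route dump is meant to answer: which interface
# now carries packets to the OpenVPN server's public address?  All addresses,
# interface names and the "after" state are constructed for illustration.

# route_diff BEFORE AFTER: print routes that disappeared ("- ") and appeared ("+ ").
route_diff() {
  b=$(mktemp); a=$(mktemp)
  sort "$1" > "$b"; sort "$2" > "$a"
  comm -23 "$b" "$a" | sed 's/^/- /'
  comm -13 "$b" "$a" | sed 's/^/+ /'
  rm -f "$b" "$a"
}

# route_lookup SNAPSHOT IP: print the snapshot line a packet to IP would use,
# by longest-prefix match over IPv4 destinations (an offline stand-in for
# `ip route get IP`; ignores metrics, tables and IPv6).
route_lookup() {
  awk -v ip="$2" '
    function to_int(a,    o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    BEGIN { best = -1 }
    {
      dst = $1; n = 32                      # a bare address is a host route
      if (dst == "default") dst = "0.0.0.0/0"
      if (dst ~ /\//) { split(dst, p, "/"); dst = p[1]; n = p[2] + 0 }
      if (dst !~ /^[0-9.]+$/) next          # skip IPv6 and anything unexpected
      unit = 2 ^ (32 - n)                   # compare the top n bits via integer division
      if (int(to_int(dst) / unit) == int(to_int(ip) / unit) && n > best) { best = n; line = $0 }
    }
    END { if (best >= 0) print line }
  ' "$1"
}

# route_dev SNAPSHOT IP: the interface of the route route_lookup selects.
route_dev() {
  route_lookup "$1" "$2" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# write_demo_snapshots: constructed before/after `ip route` output in a temp
# dir; prints the dir.  203.0.113.10 stands in for the jumpbox's public IP,
# tun0 for the OpenVPN tunnel, tun1 for a second VPN client's tunnel.
write_demo_snapshots() {
  dir=$(mktemp -d)
  printf '%s\n' \
    '0.0.0.0/1 via 10.8.0.5 dev tun0' \
    'default via 192.168.1.1 dev wlan0' \
    '10.8.0.1 via 10.8.0.5 dev tun0' \
    '10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6' \
    '128.0.0.0/1 via 10.8.0.5 dev tun0' \
    '192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20' \
    '203.0.113.10 via 192.168.1.1 dev wlan0' > "$dir/before.txt"
  # Assumed "after": the two /1 halves now point at tun1 and the host route
  # to the OpenVPN server is gone, so its packets would be swallowed by tun1.
  printf '%s\n' \
    '0.0.0.0/1 dev tun1 scope link' \
    'default via 192.168.1.1 dev wlan0' \
    '10.8.0.1 via 10.8.0.5 dev tun0' \
    '10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6' \
    '128.0.0.0/1 dev tun1 scope link' \
    '192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20' > "$dir/after.txt"
  echo "$dir"
}

# Stand-alone run.  On a live box: `ip route > before.txt`, activate the VPN
# client, `ip route > after.txt`, then run the same calls on those files.
d=$(write_demo_snapshots)
route_diff "$d/before.txt" "$d/after.txt"
echo "packets to 203.0.113.10 leave via: before=$(route_dev "$d/before.txt" 203.0.113.10) after=$(route_dev "$d/after.txt" 203.0.113.10)"
```

If the second VPN's routes capture the OpenVPN server's address, the outer tunnel's own packets are fed into the inner tunnel and it starves, which would also explain losing the whitelisted source IP after a while; a host route for the server via the physical gateway, added before the second client starts, is the thing to look for in the "after" snapshot.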

Tom Roche

Jan 19, 2015, 5:58:51 PM
Tauno Voipio Mon, 19 Jan 2015 20:45:19 +0200 [1] (rearranged)
> Is it possible to make a sketch of the networking you'd like to set up?

Not only is it possible, it's online[2] :-)

> it seems to me that [your OpenVPN server] has a firewall set up so that only the client network (tunnel inside) packets are transferred.

That's entirely possible! And I hadn't thought about that (probably because, as previously mentioned,

Tom Roche Sat, 17 Jan 2015 13:28:58 -0800 (PST)[3]
>> I am a newbie (particularly to OpenVPN, but I'm not so strong on Linux networking either

), so thanks for the suggestion. I have now added a section on the server firewall[4] to the doc: does that look problematic? If so, how should the server's iptables (possibly et al) be changed?

> Please check what the following commands (as root) report: [ {ifconfig, route -n} x {client openvpn running, client openvpn !running} ]

OK. IIUC, you want these run on/from the client (as defined here[5]) and not the server (ditto): if so, see the (slightly edited) output here[6].

... and thanks for your assistance! Note that I will be keeping the results of this project online[7] for the benefit of the next poor bastard in my situation, so your assistance will hopefully not be wasted.

[1]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/CLshmsh9nE4J
[2]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution
[3]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/bddTLoNO6ekJ
[4]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-server-firewall
[5]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-glossary
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
[7]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home

Chris Davies

Jan 22, 2015, 11:00:05 AM
Tom Roche <tom_...@pobox.com> wrote:
> Chris Davies Fri, 16 Jan 2015 14:25:15 +0000 suggested:
>> script-security 2
>> up /etc/openvpn/update-resolv-conf
>> down /etc/openvpn/update-resolv-conf

> I had the latter 2 lines (see my client.conf); I will add the first.

Without the first the others cannot run.

Chris

Tom Roche

Jan 22, 2015, 1:07:54 PM
Chris Davies Fri, 16 Jan 2015 14:25:15 +0000 [1]
>>> script-security 2
>>> up /etc/openvpn/update-resolv-conf
>>> down /etc/openvpn/update-resolv-conf

Tom Roche Sat, 17 Jan 2015 13:28:58 -0800 (PST) [2]
>> I had the latter 2 lines (see my client.conf[3]); I will add the first.

Chris Davies Thu, 22 Jan 2015 15:09:16 +0000 [4]
> Without the first the others cannot run.

True that! However, that did not affect this problem, since (dunno why) I was adding `--script-security 2` to my client-starting commandline rather than putting it in the client.conf (which is more reproducible).

What may actually be significant is, I now see what appears to be the root of my problem (IIUC, which I may not be, because my networking knowledge is still rather thin): connecting to the F5VPN changes my client's `route`ing (see state#=4 here[5]) in a manner that I suspect conflicts with the `iptables` currently on my server/jumpbox[6] (through which I seek to tunnel[7]). Does that seem correct? If so, how to fix?

[1]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/rmY-GUngTFMJ
[2]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/bddTLoNO6ekJ
[3]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/OpenVPN_install#rst-header-client-conf
[4]: https://groups.google.com/d/msg/comp.os.linux.networking/xkpZLHxcf24/LxufxKNWVP0J
[5]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/client_networking_investigation.txt
[6]: https://bitbucket.org/tlroche/linode_jumpbox_config/downloads/server_iptables_L.txt
[7]: https://bitbucket.org/tlroche/linode_jumpbox_config/wiki/Home#rst-header-intended-solution