VyOS newbie trying to get OpenVPN working


#1

I am working in my home lab trying to get OpenVPN working with VyOS. I googled and followed an online step-by-step here: OpenVPN HowTo. However, when I try to connect, nothing. I did a Wireshark trace and I see a 0011 1… = Opcode: P_CONTROL_HARD_RESET_CLIENT_V2 (0x07). Searching, it appears traffic is getting rejected. In the lab my WAN is 192.168.88.0/24 and LAN is 192.168.1.0/24. I was able to send other traffic through the firewall like iperf and SSH. Just not sure why this is failing. Any troubleshooting tips would be greatly appreciated. I am sure there is a way to log and view traffic, but I come up empty with searches.

my config

firewall {
    name OUTSIDE-IN {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            destination {
                address 192.168.1.106
                port 5201
            }
            protocol tcp
            state {
                new enable
            }
        }
        rule 40 {
            action accept
            destination {
                port openvpn
            }
            protocol udp
        }
    }
    name OUTSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
        rule 30 {
            action drop
            destination {
                port 22
            }
            protocol tcp
            recent {
                count 4
                time 60
            }
            state {
                new enable
            }
        }
        rule 31 {
            action accept
            destination {
                port 22
            }
            protocol tcp
            state {
                new enable
            }
        }
    }
}
interfaces {
    ethernet eth1 {
        address dhcp
        description OUTSIDE
        firewall {
            in {
                name OUTSIDE-IN
            }
            local {
                name OUTSIDE-LOCAL
            }
        }
        hw-id 00:e8:4c:68:48:56
    }
    ethernet eth2 {
        address 192.168.1.254/24
        description INSIDE
        hw-id 00:e8:4c:68:48:57
    }
    loopback lo {
    }
    openvpn vtun0 {
        mode server
        openvpn-option "--user nobody --group nogroup"
        openvpn-option --comp-lzo
        openvpn-option "--persist-key --persist-tun"
        openvpn-option "--status openvpn-status.log"
        openvpn-option "--verb 3"
        openvpn-option "--mute 10"
        openvpn-option "--dev vtun0"
        server {
            domain-name photis.net
            name-server 192.168.1.254
            push-route 192.168.1.0/24
            subnet 10.10.2.0/24
        }
        tls {
            ca-cert-file /config/auth/ca.crt
            cert-file /config/auth/vyosOpenVPN.crt
            dh-file /config/auth/dh2048.pem
            key-file /config/auth/vyosOpenVPN.key
        }
    }
    wireless wlan0 {
        hw-id 00:24:d6:92:a6:94
        physical-device phy0
    }
}
nat {
    destination {
        rule 10 {
            description "Port Forward: iperf to 192.168.1.106"
            destination {
                port 5201
            }
            inbound-interface eth1
            protocol tcp
            translation {
                address 192.168.1.106
            }
        }
    }
    source {
        rule 100 {
            outbound-interface eth1
            source {
                address 192.168.1.0/24
            }
            translation {
                address masquerade
            }
        }
        rule 110 {
            description "NAT Reflection INSIDE"
            destination {
                address 192.168.1.0/24
            }
            outbound-interface eth2
            source {
                address 192.168.1.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name LAN {
            subnet 192.168.1.0/24 {
                default-router 192.168.1.254
                dns-server 192.168.1.254
                domain-name photis.net
                lease 3600
                start 192.168.1.106 {
                    stop 192.168.1.160
                }
            }
        }
    }
    dns {
        forwarding {
            cache-size 0
            listen-on eth2
            listen-on vtun0
            name-server 192.168.1.254
            name-server 8.8.8.8
        }
    }
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    package {
        repository community {
            components main
            distribution helium
            url http://packages.vyos.net/vyos
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
}


#2

Hello,
I'm usually configuring the firewall after everything is working,
so my advice would be to disable the firewall and finish with OpenVPN.
Once it works, you can continue with the FW.


#3

I started from scratch and merged tutorials from the VyOS user guide and Spark Labs. Everything is working now.

I did a diff on the two configurations and found the problem. In rule 40 I used openvpn as the port number instead of 1194… I am testing different router software and some let you use a name and then translate that name to a port. I thought that's what was implied in the first tutorial. Looking back, I don't think it was, and you need to put in the actual port number.

This is an assumption on my part since I haven't reloaded and tested the previous config. However, it does make sense since I never saw packet flow through the router. Is my assumption correct that you need to specify a number, not a well-known service port name?

Thanks.


#4

I tried it on my own router, a rule like

rule 10 {
action accept
destination {
port openvpn
}
protocol udp
}

correctly generates “-A Test -p udp -m comment --comment Test-10 -m udp --dport 1194 -j RETURN”.

The problem I see with your original config is that the rule about openvpn is in the firewall assigned in the "in" rather than the "local" direction. If you run openvpn on VyOS, it's local traffic, and it is processed by the local firewall (in = FORWARD, local = INPUT).
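A simplified model of that INPUT/FORWARD split, added here as an illustration (not code from the thread or from VyOS): it takes the addresses, DNAT rule and firewall rules from the posted config, assumes a constructed WAN lease of 192.168.88.10 on eth1, and shows why the iperf packet reaches OUTSIDE-IN rule 20 while the OpenVPN packet never sees rule 40 at all.

```python
# Added example, not from the thread or from VyOS: a simplified model of the
# two inbound paths on eth1 in the posted config. Packets whose (post-DNAT)
# destination is the router itself go through INPUT, where the "local"
# rule set OUTSIDE-LOCAL applies; everything else goes through FORWARD,
# where the "in" rule set OUTSIDE-IN applies.

ROUTER_WAN_IP = "192.168.88.10"  # constructed: assumed DHCP lease on eth1

# Destination NAT rule 10 from the posted config: tcp/5201 on eth1 -> 192.168.1.106
DNAT = {("tcp", 5201): "192.168.1.106"}

# Rule sets reduced to (number, protocol, dst address or None, dst port or None, action);
# state/recent matches are left out, and the name "openvpn" is already resolved to 1194.
OUTSIDE_IN = [
    (20, "tcp", "192.168.1.106", 5201, "accept"),
    (40, "udp", None, 1194, "accept"),
]
OUTSIDE_LOCAL = [
    (20, "icmp", None, None, "accept"),
    (31, "tcp", None, 22, "accept"),
]
DEFAULT_ACTION = "drop"


def chain_for(dst_ip):
    """INPUT for traffic addressed to the router itself, FORWARD otherwise."""
    return "INPUT" if dst_ip == ROUTER_WAN_IP else "FORWARD"


def evaluate(rules, proto, dst_ip, dst_port):
    """First matching rule wins; fall back to the rule set's default-action."""
    for number, r_proto, r_addr, r_port, action in rules:
        if r_proto == proto and r_addr in (None, dst_ip) and r_port in (None, dst_port):
            return action, number
    return DEFAULT_ACTION, None


def inbound(proto, dst_ip, dst_port):
    """Apply DNAT first (as netfilter does), then choose chain and rule set."""
    dst_ip = DNAT.get((proto, dst_port), dst_ip)
    chain = chain_for(dst_ip)
    rules = OUTSIDE_IN if chain == "FORWARD" else OUTSIDE_LOCAL
    action, number = evaluate(rules, proto, dst_ip, dst_port)
    return chain, action, number


if __name__ == "__main__":
    # iperf: DNAT moves it off the router, so FORWARD and OUTSIDE-IN rule 20 accept it.
    print(inbound("tcp", ROUTER_WAN_IP, 5201))  # ('FORWARD', 'accept', 20)
    # OpenVPN terminates on the router: INPUT, OUTSIDE-LOCAL has no rule, default drop.
    print(inbound("udp", ROUTER_WAN_IP, 1194))  # ('INPUT', 'drop', None)
```

Rule 40 as written would only ever match UDP/1194 being forwarded to an inside host; moving it into OUTSIDE-LOCAL, as suggested above, is what makes the second call return accept.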


#5

I thought about that, but since rule 20 worked I thought it was correct. Can you explain why rule 20 worked while rule 40 didn't?

rule 20 {
action accept
destination {
address 192.168.1.106
port 5201
}
protocol tcp
state {
new enable
}
}


#6

Asking about rules 20 and 40 suggests to me that the difference between _LOCAL and _IN isn't clear.
AFAIK, the best explanation around: https://community.ubnt.com/t5/EdgeMAX/Layman-s-firewall-explanation/td-p/1436103


#7

Thanks for the link. After reading it, I am wondering if rule 40 would have worked if I had added the OpenVPN tun interface to it?