Old 1st February 2011
Emile
Port Guard
 
Join Date: Feb 2011
Posts: 25

Quote:
Originally Posted by J65nko
Packets are being blocked. The first one is the first of the 3-way TCP handshake to set up a TCP connection. The others are blocked UDP packets.

Add this rule and retry.
Code:
pass out quick on egress inet proto { tcp, udp } to VPN_IP port VPN_port
BTW, telling us which port you are using for VPN could give us a clue. We are not interested in the IP address, only the port.
Ah, in the client.ovpn I was given, the port says 3074. With my previous experience in OpenVPN, I never had to worry about a port because everything just worked out of the box and now I seem to be having issues (I have not used OpenVPN in a while either).

Anyway, here it is:

Code:
$ sudo openvpn client.ovpn     
Tue Feb  1 15:13:47 2011 OpenVPN 2.1.0 i386-unknown-openbsd4.8 [SSL] [LZO2] built on Aug 10 2010
Tue Feb  1 15:13:47 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Feb  1 15:13:47 2011 WARNING: file 'cert.dat' is group or others accessible
Tue Feb  1 15:13:47 2011 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Feb  1 15:13:47 2011 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Tue Feb  1 15:13:47 2011 Local Options hash (VER=V4): '91138c76'
Tue Feb  1 15:13:47 2011 Expected Remote Options hash (VER=V4): 'f5a300ca'
Tue Feb  1 15:13:47 2011 Socket Buffers: R=[41600->65536] S=[9216->65536]
Tue Feb  1 15:13:47 2011 UDPv4 link local (bound): [undef]:1194
Tue Feb  1 15:13:47 2011 UDPv4 link remote: [VPN IP]:3074
Tue Feb  1 15:13:47 2011 TLS: Initial packet from [VPN IP]:3074, sid=5f02f614 7ce7e591
Tue Feb  1 15:13:56 2011 VERIFY OK: depth=1, /C=US/ST=NY/L=New_York/O=example.com/CN=example.com_CA/emailAddress=admin@example.com
Tue Feb  1 15:13:56 2011 VERIFY OK: nsCertType=SERVER
Tue Feb  1 15:13:56 2011 VERIFY OK: depth=0, /C=US/ST=NY/L=New_York/O=example.com/CN=server/emailAddress=admin@example.com
Tue Feb  1 15:13:58 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 256 bit key
Tue Feb  1 15:13:58 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  1 15:13:58 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 256 bit key
Tue Feb  1 15:13:58 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb  1 15:13:58 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Tue Feb  1 15:13:58 2011 [server] Peer Connection Initiated with [VPN IP]:3074
Tue Feb  1 15:14:00 2011 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Feb  1 15:14:00 2011 PUSH: Received control message: 'PUSH_REPLY,route 10.100.2.0 255.255.255.0,redirect-gateway,dhcp-option DNS 10.100.2.1,route-gateway 10.100.2.1,topology subnet,ping 30,ping-restart 120,ifconfig 10.100.2.106 255.255.255.0'
Tue Feb  1 15:14:00 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue Feb  1 15:14:00 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue Feb  1 15:14:00 2011 OPTIONS IMPORT: route options modified
Tue Feb  1 15:14:00 2011 OPTIONS IMPORT: route-related options modified
Tue Feb  1 15:14:00 2011 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Feb  1 15:14:00 2011 ROUTE default_gateway=192.168.1.1
Tue Feb  1 15:14:00 2011 /sbin/ifconfig tun0 destroy
Tue Feb  1 15:14:00 2011 /sbin/ifconfig tun0 create
Tue Feb  1 15:14:00 2011 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Tue Feb  1 15:14:00 2011 /sbin/ifconfig tun0 10.100.2.106 netmask 255.255.255.0 mtu 1500 broadcast 10.100.2.255 link0
Tue Feb  1 15:14:00 2011 TUN/TAP device /dev/tun0 opened
Tue Feb  1 15:14:02 2011 /sbin/route add -net [VPN IP] 192.168.1.1 -netmask 255.255.255.255
add net [VPN IP]: gateway 192.168.1.1
Tue Feb  1 15:14:02 2011 /sbin/route add -net 0.0.0.0 10.100.2.1 -netmask 128.0.0.0
add net 0.0.0.0: gateway 10.100.2.1
Tue Feb  1 15:14:02 2011 /sbin/route add -net 128.0.0.0 10.100.2.1 -netmask 128.0.0.0
add net 128.0.0.0: gateway 10.100.2.1
Tue Feb  1 15:14:02 2011 /sbin/route add -net 10.100.2.0 10.100.2.1 -netmask 255.255.255.0
add net 10.100.2.0: gateway 10.100.2.1
Tue Feb  1 15:14:02 2011 Initialization Sequence Completed
tcpdump:

Code:
$ sudo tcpdump -eni pflog0 
tcpdump: listening on pflog0, link-type PFLOG
15:14:01.138655 rule 2/(match) block out on tun0: :: > ff02::1:ffd8:a554: [|icmp6]
15:14:08.588467 rule 2/(match) block out on nfe0: 192.168.1.4.16561 > 128.255.70.89.123: v4 client strat 0 poll 0 prec 0 [tos 0x10]
15:14:08.751031 rule 2/(match) block out on tun0: 10.100.2.106.42436 > 66.102.13.105.80: S 2924801927:2924801927(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
15:14:19.297303 rule 2/(match) block out on tun0: 10.100.2.106 > 66.102.13.147: icmp: echo request
15:14:20.298122 rule 2/(match) block out on tun0: 10.100.2.106 > 66.102.13.147: icmp: echo request
^C
5 packets received by filter
0 packets dropped by kernel
The last 2 are ping requests to Google, the one above that is when I tried a user to browse to Google, and before that is something that just appeared at "Initialization Sequence Completed" from OpenVPN. I didn't get any packets when I disconnected from the VPN.

Quote:
Originally Posted by jggimi
Since you were never using PF until today, you are driving down a rat hole which is likely not the root cause of your problem. The default implementation should not be getting in the way of normal traffic, and OpenVPN uses standard UDP or TCP protocols.

However, OpenVPN mucks about with your routing tables, because it creates virtual subnets for VPN users.

I have not used OpenVPN in a good number of years, so I cannot look at a configuration file and have something obvious jump out at me. But I would set PF aside and look for an OpenBSD user with a functioning OpenVPN environment. A quick use of the martial arts -- Google Fu -- finds a bunch of guidance. Much of it is dated, but you may find it helpful nevertheless, including some more recent stuff from this very forum:

[Cannot post URLs]

EDIT: Ah, I see that two posts jumped in. A log that does show blocking, and J65's response. I type slow.
I don't ever recall touching /etc/hostname.tun0, but maybe I must do something with that now? I never knew it was necessary...

I think I am currently leaning towards this problem, that I didn't set up virtual IPs correctly like all this 10.100.2.1 and stuff. Customer service guy tried to help me out anyway because they don't support *BSD and he told me to ping 10.100.1.1, 10.100.2.1 and 8.8.8.8, then a paste of route -n show. He said if I can't ping 10.100.1.1, then I am not actually on the VPN, so...I have no idea. He said he's not sure because I can't ping the gateway nor are there any error messages, so it looked like a dead end even though I was technically "connected". He told me to ask the OpenBSD people and so I Googled this forum and here I am.

Here is a route should it be of any assistance:

Code:
$ route -n show 
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
0/1                10.100.1.1         UGS        0        0     -     8 tun0 
default            192.168.1.1        UGS        9    62319     -     8 nfe0 
10.100.1/24        link#6             UC         1        0     -     4 tun0 
10.100.1/24        10.100.1.1         UGS        0        0     -     8 tun0 
10.100.1.1         link#6             UHLc       3        0     -     4 tun0 
92.241.168.20/32   192.168.1.1        UGS        0        0     -     8 nfe0 
127/8              127.0.0.1          UGRS       0        0 33200     8 lo0  
127.0.0.1          127.0.0.1          UH         7   134400 33200     4 lo0  
128/1              10.100.1.1         UGS        0        0     -     8 tun0 
192.168.1/24       link#1             UC         1        0     -     4 nfe0 
192.168.1.1        00:xx:xx:xx:xx:xx  UHLc       2     1643     -     4 nfe0 
192.168.1.4        127.0.0.1          UGHS       0        0 33200     8 lo0  
224/4              127.0.0.1          URS        0        0 33200     8 lo0  

Internet6:
Destination                        Gateway                        Flags   Refs      Use   Mtu  Prio Iface
::/104                             ::1                            UGRS       0        0     -     8 lo0  
::/96                              ::1                            UGRS       0        0     -     8 lo0  
::1                                ::1                            UH        14        0 33200     4 lo0  
::127.0.0.0/104                    ::1                            UGRS       0        0     -     8 lo0  
::224.0.0.0/100                    ::1                            UGRS       0        0     -     8 lo0  
::255.0.0.0/104                    ::1                            UGRS       0        0     -     8 lo0  
::ffff:0.0.0.0/96                  ::1                            UGRS       0        0     -     8 lo0  
2002::/24                          ::1                            UGRS       0        0     -     8 lo0  
2002:7f00::/24                     ::1                            UGRS       0        0     -     8 lo0  
2002:e000::/20                     ::1                            UGRS       0        0     -     8 lo0  
2002:ff00::/24                     ::1                            UGRS       0        0     -     8 lo0  
fe80::/10                          ::1                            UGRS      18        0     -     8 lo0  
fe80::%nfe0/64                     link#1                         UC         0        0     -     4 nfe0 
fe80::2xx:xxff:fexx:xxxx%nfe0      00:xx:xx:xx:xx:xx              HL         0        0     -     4 lo0  
fe80::%lo0/64                      fe80::1%lo0                    U          0        0     -     4 lo0  
fe80::1%lo0                        link#3                         UHL        0        0     -     4 lo0  
fe80::%tun0/64                     link#6                         UC         0        0     -     4 tun0 
fe80::fcxx:xxff:fexx:xxxx%tun0     fe:xx:xx:xx:xx:xx              HL         0        0     -     4 lo0  
fec0::/10                          ::1                            UGRS       0        0     -     8 lo0  
ff01::/16                          ::1                            UGRS       0        0     -     8 lo0  
ff01::%nfe0/32                     link#1                         UC         0        0     -     4 nfe0 
ff01::%lo0/32                      ::1                            UC         0        0     -     4 lo0  
ff01::%tun0/32                     link#6                         UC         0        0     -     4 tun0 
ff02::/16                          ::1                            UGRS      38        0     -     8 lo0  
ff02::%nfe0/32                     link#1                         UC         0        0     -     4 nfe0 
ff02::%lo0/32                      ::1                            UC         0        0     -     4 lo0  
ff02::%tun0/32                     link#6                         UC         0        0     -     4 tun0

Last edited by Emile; 1st February 2011 at 08:42 PM.
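The pflog output above is the key diagnostic in this thread: every blocked packet is matched by rule 2, and four of the five are blocked *out on tun0*, i.e. on the decapsulated traffic entering the tunnel, not on the UDP packets to the VPN server on nfe0 that J65nko's pass rule addresses. pf filters the tun interface like any other, so a ruleset that passes the encapsulated UDP on egress can still block everything inside the tunnel. The following Python script is an added example, not code from the thread or from OpenBSD/OpenVPN: it parses `tcpdump -eni pflog0` lines, groups the blocks by rule, direction, interface, protocol and destination port, and reports how many fall on the tunnel interface. The sample input is constructed from the five lines Emile posted; the protocol guess is a heuristic on tcpdump's decoded payload text (assumed formats for TCP flags, ICMP and NTP).

```python
# Added example (not from the thread): parse and summarize `tcpdump -eni pflog0`
# output so blocked packets can be grouped by rule, interface, direction,
# protocol and destination port. The sample input is constructed from the
# five pflog lines in the post.
import re
from collections import Counter

# Constructed sample: the five blocked packets from the post.
SAMPLE_PFLOG = """\
15:14:01.138655 rule 2/(match) block out on tun0: :: > ff02::1:ffd8:a554: [|icmp6]
15:14:08.588467 rule 2/(match) block out on nfe0: 192.168.1.4.16561 > 128.255.70.89.123: v4 client strat 0 poll 0 prec 0 [tos 0x10]
15:14:08.751031 rule 2/(match) block out on tun0: 10.100.2.106.42436 > 66.102.13.105.80: S 2924801927:2924801927(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF)
15:14:19.297303 rule 2/(match) block out on tun0: 10.100.2.106 > 66.102.13.147: icmp: echo request
15:14:20.298122 rule 2/(match) block out on tun0: 10.100.2.106 > 66.102.13.147: icmp: echo request
"""

# "<time> rule N/(reason) <action> <dir> on <iface>: <src> > <dst>: <decoded payload>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>.+?) > (?P<dst>.+?): (?P<rest>.*)$"
)
# tcpdump prints IPv4 endpoints with a port as a.b.c.d.port
V4_PORT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+)$")


def split_port(endpoint):
    """Split 'a.b.c.d.port' into (host, port); anything else has no port."""
    m = V4_PORT_RE.match(endpoint)
    if m:
        return m.group(1), int(m.group(2))
    return endpoint, None


def guess_proto(rest, dport):
    """Heuristic protocol guess from tcpdump's decoded payload summary (assumed formats)."""
    if rest.startswith("icmp:"):
        return "icmp"
    if "icmp6" in rest:
        return "icmp6"
    # TCP: flags then seq:seq(len), e.g. "S 2924801927:2924801927(0) win 16384"
    if re.match(r"^[SFRP.]+ \d+:\d+\(\d+\)", rest) or " win " in rest:
        return "tcp"
    # tcpdump decodes NTP (udp/123) as "v4 client ..." instead of printing "udp"
    if rest.startswith("udp") or (rest.startswith("v4 ") and dport == 123):
        return "udp"
    return "unknown"


def parse_pflog(text):
    """One dict per pflog packet line; banner, '^C' and counter lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_host, sport = split_port(m["src"])
        dst_host, dport = split_port(m["dst"])
        records.append({
            "rule": int(m["rule"]), "action": m["action"], "dir": m["dir"],
            "iface": m["iface"], "src": src_host, "sport": sport,
            "dst": dst_host, "dport": dport,
            "proto": guess_proto(m["rest"], dport),
        })
    return records


def summarize(records):
    """Count blocked packets per (rule, direction, interface, proto, dport)."""
    return Counter(
        (r["rule"], r["dir"], r["iface"], r["proto"], r["dport"])
        for r in records if r["action"] == "block"
    )


def blocks_on(records, iface):
    """Blocked packets seen on one interface, e.g. the VPN's tun0."""
    return [r for r in records if r["action"] == "block" and r["iface"] == iface]


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    # key=str because tuples mix ints and None, which do not compare directly
    for key, n in sorted(summarize(recs).items(), key=str):
        rule, direction, iface, proto, dport = key
        port = f" port {dport}" if dport else ""
        print(f"rule {rule}: {n} x block {direction} on {iface} proto {proto}{port}")
    print(f"{len(blocks_on(recs, 'tun0'))} of {len(recs)} blocks are on tun0")
```

Run against the post's lines it reports one NTP block out on nfe0 and four blocks out on tun0 (an IPv6 neighbour-discovery multicast, the TCP SYN to port 80 and two ICMP echo requests). That split is what tells you whether the problem is the control channel to the VPN server (blocks on the physical interface, addressed by a rule like the one J65nko gave) or the traffic inside the tunnel (blocks on tun0, which need their own pass rules or a `set skip on tun0` if you trust everything the VPN carries).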