OpenVPN on OpenVZ with Ubuntu 16.04


OpenVPN on OpenVZ with Ubuntu 16.04

Helmut Schneider
Hi,

I set up OpenVPN on Ubuntu 16.04. From the shell I can connect to all
services behind the VPN server:

helmut@h2786452:~$ sudo tcpdump -n -i tun0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
21:44:17.180104 IP 10.0.124.18.32836 > 192.168.124.249.25: Flags [S],
seq 239848268, win 14600, options [mss 1460,sackOK,TS val 2150393196
ecr 0,nop,wscale 7], length 0
21:44:17.205351 IP 192.168.124.249.25 > 10.0.124.18.32836: Flags [S.],
seq 2923799854, ack 239848269, win 8192, options [mss 1288,nop,wscale
8,sackOK,TS val 100173603 ecr 2150393196], length 0
21:44:17.205401 IP 10.0.124.18.32836 > 192.168.124.249.25: Flags [.],
ack 1, win 115, options [nop,nop,TS val 2150393222 ecr 100173603],
length 0
[...]
helmut@h2786452:~$

My VM is running on OpenVZ with a public IP. Postfix is bound to that
public IP. When it tries to forward mails to my Postfix server it seems
to use the public IP:

21:48:53.945114 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags
[S], seq 4069537415, win 14600, options [mss 1460,sackOK,TS val
2150669961 ecr 0,nop,wscale 7], length 0
21:48:54.944247 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags
[S], seq 4069537415, win 14600, options [mss 1460,sackOK,TS val
2150670961 ecr 0,nop,wscale 7], length 0
21:48:56.944277 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags
[S], seq 4069537415, win 14600, options [mss 1460,sackOK,TS val
2150672961 ecr 0,nop,wscale 7], length 0
21:49:00.944260 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags
[S], seq 4069537415, win 14600, options [mss 1460,sackOK,TS val
2150676961 ecr 0,nop,wscale 7], length 0
21:49:08.944250 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags
[S], seq 4069537415, win 14600, options [mss 1460,sackOK,TS val
2150684961 ecr 0,nop,wscale 7], length 0

The packets never reach my OpenVPN server and I'm not sure if it is
related to OpenVPN or a NAT rule. What would a NAT rule (iptables) look
like? Or other ideas?

Thank you!


--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: OpenVPN on OpenVZ with Ubuntu 16.04

Ken D'Ambrosio


On 2018-07-29 15:53, Helmut Schneider wrote:
> Hi,
>
> I set up OpenVPN on Ubuntu 16.04. From the shell I can connect to all
> services behind the VPN server:

OK.  What would be really helpful is if
a) you tried not to use pronouns (e.g., "when it tries to forward
mails", I'm not sure what "it" refers to),
b) you specified which hosts have which IPs, and
c) said which host is trying to send e-mail where, and by what
mechanism.

Unless you've set up firewall rules, it's much more likely either an MX
issue (where your mail client is pulling hosts/IPs from MX record
lookups), or a routing issue.  But without getting the additional stuff
mentioned above, it's super-duper hard to know.

-Ken


> helmut@h2786452:~$ sudo tcpdump -n -i tun0 port 25
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
> 21:44:17.180104 IP 10.0.124.18.32836 > 192.168.124.249.25: Flags [S],
> seq 239848268, win 14600, options [mss 1460,sackOK,TS val 2150393196
> ecr 0,nop,wscale 7], length 0
> 21:44:17.205351 IP 192.168.124.249.25 > 10.0.124.18.32836: Flags [S.],
> seq 2923799854, ack 239848269, win 8192, options [mss 1288,nop,wscale
> 8,sackOK,TS val 100173603 ecr 2150393196], length 0
> 21:44:17.205401 IP 10.0.124.18.32836 > 192.168.124.249.25: Flags [.],
> ack 1, win 115, options [nop,nop,TS val 2150393222 ecr 100173603],
> length 0
> [...]
> helmut@h2786452:~$
>
> My VM is running on OpenVZ with a public IP. Postfix is bound to that
> public IP. When it tries to forward mails to my Postfix server it seems
> to use the public IP:
>
> 21:48:53.945114 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags
> [S], seq 4069537415, win 14600, options [mss 1460,sackOK,TS val
> 2150669961 ecr 0,nop,wscale 7], length 0
> 21:48:54.944247 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags
> [S], seq 4069537415, win 14600, options [mss 1460,sackOK,TS val
> 2150670961 ecr 0,nop,wscale 7], length 0
> 21:48:56.944277 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags
> [S], seq 4069537415, win 14600, options [mss 1460,sackOK,TS val
> 2150672961 ecr 0,nop,wscale 7], length 0
> 21:49:00.944260 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags
> [S], seq 4069537415, win 14600, options [mss 1460,sackOK,TS val
> 2150676961 ecr 0,nop,wscale 7], length 0
> 21:49:08.944250 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags
> [S], seq 4069537415, win 14600, options [mss 1460,sackOK,TS val
> 2150684961 ecr 0,nop,wscale 7], length 0
>
> The packets never reach my OpenVPN server and I'm not sure if it is
> related to OpenVPN or a NAT rule. What would a NAT rule (iptables) look
> like? Or other ideas?
>
> Thank you!


Re: OpenVPN on OpenVZ with Ubuntu 16.04

Helmut Schneider
Ken D'Ambrosio wrote:

> On 2018-07-29 15:53, Helmut Schneider wrote:
> > Hi,
> >
> > I set up OpenVPN on Ubuntu 16.04. From the shell I can connect to all
> > services behind the VPN server:
>
> OK.  What would be really helpful is if
> a) you tried not to use pronouns (e.g., "when it tries to forward
> mails", I'm not sure what "it" refers to),
> b) you specified which hosts have which IPs, and
> c) said which host is trying to send e-mail where, and by what
> mechanism.

Sure, if it helps:

- Ubuntu VM with public IP 81.169.210.199 and tun0 IP 10.0.124.18
- FreeBSD VM with tun0 IP 10.0.124.17 and em0 with IP 192.168.124.35
- Exchange Server with IP 192.168.124.249

Postfix is listening on 81.169.210.199 and tries to send emails to the
Exchange server. traceroute works fine:

helmut@h2786452:~$ sudo traceroute -I exchange01
traceroute to exchange01 (192.168.124.249), 30 hops max, 60 byte packets
 1  bsdhelmut-tun0 (10.0.124.129)  19.679 ms  19.645 ms  19.739 ms
 2  exchange01 (192.168.124.249)  20.362 ms  20.303 ms  20.754 ms
helmut@h2786452:~$

> Unless you've set up firewall rules, it's much more likely either an

No firewall rules, telnet works fine:

helmut@h2786452:~$ telnet exchange01 25
Trying 192.168.124.249...
Connected to exchange01
Escape character is '^]'.
220 exchange01 Microsoft ESMTP MAIL Service ready at Mon, 30 Jul 2018
10:08:21 +0200
quit
221 2.0.0 Service closing transmission channel
Connection closed by foreign host.
helmut@h2786452:~$

> MX issue (where your mail client is pulling hosts/IPs from MX record
> lookups), or a routing issue.

Postfix uses a transport file to find the correct MX. The Postfix log
says:

Jul 30 10:33:41 h2786452 postfix-in/smtp[31709]: 205113E0393:
to=<[hidden email]>, relay=none, delay=30,
delays=0.02/0.03/30/0, dsn=4.4.1, status=deferred (connect to
exchange01[192.168.124.249]:25: Connection timed out)



Re: OpenVPN on OpenVZ with Ubuntu 16.04

Helmut Schneider
Helmut Schneider wrote:

> The packets never reach my OpenVPN server and I'm not sure if it is
> related to OpenVPN or a NAT rule. What would a NAT rule (iptables) look
> like? Or other ideas?

Answering myself:

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE


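The two captures from the first post and the rule Helmut settled on, as an added example that is not part of any message in this thread. The script parses `tcpdump -n` output, groups packets into flows keyed by the side that sent the bare SYN, and reports for each flow whether the handshake completed and whether the source address lies on the tunnel. The capture lines are the ones posted above, joined onto one line per packet with the TCP options trimmed. The tunnel subnet 10.0.124.0/24 is inferred from the 10.0.124.17/.18 addresses listed in the second message, the tun0 address 10.0.124.18 is the Ubuntu VM's, and the remote LAN is taken to be 192.168.124.0/24; all three are assumptions. `snat_rule` emits a narrowed SNAT alternative to the blanket MASQUERADE, rewriting only the public source and only toward the remote LAN.

```python
"""Classify TCP flows in `tcpdump -n` output by handshake outcome and source address.

Added example for the thread above, not code from any of the posts. Capture lines are
the ones posted in the thread, one packet per line, options trimmed. Tunnel subnet,
tun0 address and remote LAN prefix are assumptions drawn from the hosts listed there.
"""
import ipaddress
import re

TUN_IFACE = "tun0"
TUN_NET = ipaddress.ip_network("10.0.124.0/24")   # assumed from the 10.0.124.x addresses in the thread
TUN_IP = ipaddress.ip_address("10.0.124.18")        # Ubuntu VM's tun0 address (from the thread)
REMOTE_LAN = "192.168.124.0/24"                     # assumed prefix for the Exchange/FreeBSD side

# Working capture (telnet from the shell): SYN, SYN-ACK, ACK over the tunnel address.
WORKING = """\
21:44:17.180104 IP 10.0.124.18.32836 > 192.168.124.249.25: Flags [S], seq 239848268, win 14600, length 0
21:44:17.205351 IP 192.168.124.249.25 > 10.0.124.18.32836: Flags [S.], seq 2923799854, ack 239848269, win 8192, length 0
21:44:17.205401 IP 10.0.124.18.32836 > 192.168.124.249.25: Flags [.], ack 1, win 115, length 0
"""

# Broken capture (Postfix bound to the public IP): one SYN retransmitted five times, never answered.
BROKEN = """\
21:48:53.945114 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags [S], seq 4069537415, win 14600, length 0
21:48:54.944247 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags [S], seq 4069537415, win 14600, length 0
21:48:56.944277 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags [S], seq 4069537415, win 14600, length 0
21:49:00.944260 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags [S], seq 4069537415, win 14600, length 0
21:49:08.944250 IP 81.169.210.199.45236 > 192.168.124.249.25: Flags [S], seq 4069537415, win 14600, length 0
"""

# Matches the `tcpdump -n` TCP summary line; banner lines and wrapped option text do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(capture):
    """Yield one dict per line that is a TCP packet summary; everything else is skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def diagnose(capture, tun_net=TUN_NET):
    """Group packets into flows keyed by the SYN sender and report each flow's outcome."""
    flows = {}
    for p in parse(capture):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == "S":                 # client -> server SYN (first or retransmitted)
            flows.setdefault(fwd, {"syns": 0, "synack": False})["syns"] += 1
        elif rev in flows and p["flags"] == "S.":   # server -> client SYN-ACK
            flows[rev]["synack"] = True
    report = []
    for (src, sport, dst, dport), f in flows.items():
        on_tunnel = ipaddress.ip_address(src) in tun_net
        if f["synack"]:
            verdict = "handshake completed"
        elif not on_tunnel:
            verdict = ("%d SYNs, no SYN-ACK; source %s is not in %s, so the peer has no "
                       "return route through the tunnel" % (f["syns"], src, tun_net))
        else:
            verdict = "%d SYNs, no SYN-ACK; source is on the tunnel, check the far side" % f["syns"]
        report.append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                       "syns": f["syns"], "synack": f["synack"],
                       "src_on_tunnel": on_tunnel, "verdict": verdict})
    return report


def snat_rule(src, dst_net=REMOTE_LAN, tun_ip=TUN_IP, iface=TUN_IFACE):
    """Narrow alternative to `-o tun0 -j MASQUERADE`: translate only this source, only toward dst_net."""
    return ("iptables -t nat -A POSTROUTING -o %s -s %s -d %s -j SNAT --to-source %s"
            % (iface, src, dst_net, tun_ip))


if __name__ == "__main__":
    for name, cap in (("shell telnet", WORKING), ("postfix", BROKEN)):
        for r in diagnose(cap):
            print("%-12s %s:%d -> %s:%d  %s" % (name, r["src"], r["sport"], r["dst"], r["dport"], r["verdict"]))
            if not r["synack"] and not r["src_on_tunnel"]:
                print("  fix:", snat_rule(r["src"]))
```

Run directly, it reports one completed flow from 10.0.124.18 and five unanswered SYNs from 81.169.210.199 spaced 1, 2, 4 and 8 seconds apart, the kernel's SYN retransmit backoff when nothing comes back. Presumably the peer does receive the SYN and answers it toward 81.169.210.199 via its default route rather than back through the tunnel, so the SYN-ACK never shows up on the Ubuntu VM's tun0; rewriting the source to the tun0 address makes the return path symmetric, which is what the MASQUERADE in Helmut's answer does for every packet leaving tun0. The `-s`/`-d` qualifiers leave traffic that already carries a tunnel source untranslated and keep the Exchange logs showing one consistent client address. After loading either rule, `iptables -t nat -L POSTROUTING -n -v` should show its packet counter climbing while Postfix retries. The NAT-free alternative is to bind the Postfix SMTP client to the tunnel address with `smtp_bind_address = 10.0.124.18`, set per transport in master.cf with `-o smtp_bind_address=...` so that deliveries to Internet MXs keep using the public address.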

Re: OpenVPN on OpenVZ with Ubuntu 16.04

Ken D'Ambrosio
On 2018-07-30 04:33, Helmut Schneider wrote:

> helmut@h2786452:~$ telnet exchange01 25
> Trying 192.168.124.249...
> Connected to exchange01
> Escape character is '^]'.
> 220 exchange01 Microsoft ESMTP MAIL Service ready at Mon, 30 Jul 2018
> 10:08:21 +0200

Thanks much for the info!  That helps a lot.  I do find the telnet "working" to be very interesting.  I suggest going through an entire transaction via telnet, to see what happens.  (Replace, of course, the info below with appropriate info; the lines beginning with a three-digit code are the server-side responses.)

telnet exchange01 25
Trying 192.168.124.249...
Connected to exchange01
Escape character is '^]'.
220 exchange01 Microsoft ESMTP MAIL Service ready at Mon, 30 Jul 2018
helo sendingdomain.com
250 exchange01
mail from: <[hidden email]>
250 2.1.0 Ok
rcpt to: <[hidden email]>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: This is a test
 
Some data here.
. <CR>
250 2.0.0 Ok: queued as EB7048D95
 
Now, of course, not everything above will be the same as with your transaction, but I'm betting something goes off the rails in a very different manner, and I'd be quite interested in seeing that transaction.
 
-Ken
