network_stuff:vpn_troubleshooting

network_stuff:vpn_troubleshooting [2018/04/19 16:40] jotasandokunetwork_stuff:vpn_troubleshooting [2023/11/02 14:38] (current) – external edit 127.0.0.1
Line 41: Line 41:
   * http://www.fir3net.com/Checkpoint/how-do-i-create-an-ssl-vpn-on-a-checkpoint-gateway.html   * http://www.fir3net.com/Checkpoint/how-do-i-create-an-ssl-vpn-on-a-checkpoint-gateway.html
  
-**OPENVPN**+**OPENVPN SERVER FEDORA**
   * **Installation**: [[https://chichivica.github.io/2017/08/02/Install-OpenVPN-on-Fedora-26/]]   * **Installation**: [[https://chichivica.github.io/2017/08/02/Install-OpenVPN-on-Fedora-26/]]
     *  pki, ca, server and client cert (after being generated) + configuration , in : /etc/openvpn/server     *  pki, ca, server and client cert (after being generated) + configuration , in : /etc/openvpn/server
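Review bot: the line placing "pki, ca, server and client cert ... + configuration" together in /etc/openvpn/server keeps the CA's private key on the VPN gateway itself, so anyone who compromises the gateway can sign new client certificates; keep the CA (easy-rsa pki directory) on a separate, offline machine and copy only ca.crt, the server cert/key and dh params to /etc/openvpn/server, with the key files mode 0600. It would also help to say which tool generated the PKI, since "after being generated" is the step a reader is most likely to need.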
Line 57: Line 57:
   # also enable ip forwarding with sysctl.conf and don't forget systemctl restart network.service   # also enable ip forwarding with sysctl.conf and don't forget systemctl restart network.service
  
-**Operation**\\ +Start server:
   systemctl start openvpn-server@server.service # Server   systemctl start openvpn-server@server.service # Server
-  openvpn --config /home/jotasan/client1.ovpn  # client+ 
 +Create ovpn file and start client: 
 +[[https://gist.github.com/dmytro/0606cb32e42fc0918466|generate_openvpn_config.sh]] 
 +  openvpn --config /home/jaime/ovpnrpi/client4.ovpn  # client
      
  
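Review bot: the replacement client line now points at a profile produced by a third-party gist (generate_openvpn_config.sh), and a generated .ovpn normally carries the client's private key inline, so the file under /home/jaime/ovpnrpi/ should be mode 0600 and not left lying around next to older profiles like the removed client1.ovpn; also read and pin the gist revision before running it, since an unpinned gist can change under you. On the context line above, "systemctl restart network.service" does not re-read /etc/sysctl.conf; apply the forwarding change with `sysctl -p` (or `sysctl --system`) and confirm with `sysctl net.ipv4.ip_forward`.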
Line 66: Line 68:
   systemctl stop firewalld   systemctl stop firewalld
   systemctl start firewalld   systemctl start firewalld
 +
 +
 + 
  
  
 ---- ----
 +**OPENWRT CLIENT OPENVPN**:\\
 +In LuCi:
 +  * Click Update-list
 +  * Then INSTALL: luci-app-openvpn openvpn-easy-rsa openvpn-openssl
 +  * Press OK on each of them to download and install them.
 +
 +In CLI, Have these files: 
 +
 +  root@OpenWrt:/etc/config# cat /etc/config/openvpn
 +  config openvpn 'camarreal_ovpn'
 +    option config '/etc/openvpn/forsythia-client.ovpn'   # This is 'raw' the file generated in the openvpn server by doing "pivpn add nopass"
 +    option enabled '1'
 +    
 +Firewall and network config (from [[https://wiki.turris.cz/doc/en/howto/openvpn]] among other sources):
 +
 +
 +  root@OpenWrt:/etc/config# cat /etc/config/firewall
 +  config zone 'wan'                               
 +          option name 'wan'                      
 +          list network 'wan'                      
 +          list network 'wan6'                     
 +          option output 'ACCEPT'                 
 +          option forward 'REJECT'                
 +          option masq '1'                         
 +          option mtu_fix '1'                      
 +          option input 'REJECT'                  
 +          list device 'tun0'    
 +  
 +  root@OpenWrt:/etc/config# cat /etc/config/network 
 +  config interface 'vpn'         
 +          option proto 'none'
 +          option ifname 'tun0'   
 +
 +
 +----
 +
  
 LINUX VPN-CLIENT\\ LINUX VPN-CLIENT\\
 [[https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#linux]] [[https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#linux]]
 +\\
 +START:\\
 +  mkdir -p /var/run/xl2tpd
 +  touch /var/run/xl2tpd/l2tp-control
 +  service strongswan restart
 +  service xl2tpd restart
 +  strongswan up myvpn
 +  echo "c myvpn" > /var/run/xl2tpd/l2tp-control
 +  ip route add 0/0 dev ppp0
 +\\
 +STOP:\\
 +  ip route del 0/0 dev ppp0
 +  echo "d myvpn" > /var/run/xl2tpd/l2tp-control
 +  strongswan down myvpn
 +  
 +INVESTIGATE WHY CRASHES SOMETIMES:
 +  May  9 05:16:22 observium xl2tpd: xl2tpd[23954]: Maximum retries exceeded for tunnel 23919.  Closing.
 +  May  9 05:16:22 observium xl2tpd: xl2tpd[23954]: Connection 61860 closed to 148.64.56.150, port 1701 (Timeout) 
 +
 +
 +LIBRESWAN STRONGSWAN NOTES:
 +  * [[https://docs.cloud.mycompany2.com/en-us/iaas/Content/Network/Concepts/libreswan.htm]]
 +  * [[https://dc77312.wordpress.com/2019/01/08/libreswan-ipsec-vpn-on-centos-7-and-windows-10/]]
 +  * pluto is is an IKE ("IPsec Key Exchange") daemon
 +
 +  yum install libreswan
 +  ipsec initnss
 +  systemctl enable ipsec
 +  systemctl start ipsec
 +  
 +  # Use this to add and bring up the tunnel and see the exchange!
 +  ipsec auto --add mycompany2-tunnel-1
 +  ipsec auto --up mycompany2-tunnel-1
 +
 +
 +  * In the vnic: "tick skip Source/Dest Checks"
 +  * modify  /etc/sysctl.conf for forwarding [[https://www.tecmint.com/setup-ipsec-vpn-with-strongswan-on-centos-rhel-8/|External Link]]. In '/etc/sysctl.d' create a file named 50-libreswan.conf with that content
 +
 +  # https://libreswan.org/man/ipsec.conf.5.html
 +  conn mycompany2-tunnel-1
 +       left=10.156.0.23
 +       # leftid=193.123.39.207 # This is the public IP (nat-t)
 +       right=148.64.56.151
 +       authby=secret
 +       leftsubnet=10.181.181.0/24
 +       rightsubnet=10.8.0.8/23
 +       auto=start
 +       mark=5/0xffffffff # Needs to be unique across all tunnels
 +       vti-interface=vti0
 +       vti-routing=no
 +       ikev2=insist # To use IKEv2, change to ikev2=insist
 +       ike=aes_cbc256-sha2_384;modp1536     # "cipher-hash;modpgroup,.."IKE encryption/authentication algorithm (and dh-modpgroup) to be used for the connection (phase 1 aka ISAKMP SA). 
 +       phase2alg=aes_gcm256;modp1536  # (alias esp) . Algorithms that will be offered/accepted for a phase2 negotiatio (~transform set) .format for ESP is ENC-AUTH followed by one optional PFSgroup. For instance, "3des-md5" or "aes256-sha1;modp2048" or "aes-sha1,aes-md5". When specifying multiple algorithms, specify the PFSgroup last, e.g. "3des-md5,aes256-sha1;modp2048"
 +       encapsulation=yes
 +       ikelifetime=28800s
 +       salifetime=3600s
 +       
 +       
 +  cat /etc/ipsec.d/oci-ipsec.secrets
 +  my-pub-ip x-end-pub-ip : PSK "a64-charslongrandomstringgeneratedwithpwgenoropensslorothertool"
 +
 +
 +----
  
 +CLASSY IPSEC-VPN TROUBLESHOOT:
 +  * [[http://www.twine-networks.com/blog/posts/5-troubleshooting-ipsec-log-messages]]
 +  * [[https://www.blackhole-networks.com/IKE_Modes/ikev1-quick.html]]
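Review bot: in the libreswan conn block, both `ike=aes_cbc256-sha2_384;modp1536` and `phase2alg=aes_gcm256;modp1536` use DH group 5 (1536-bit MODP), which is below the 2048-bit minimum now generally recommended and out of step with the otherwise strong AES-256/SHA2-384/GCM choices; move both to `modp2048` (or an ECP group such as `ecp256`) and make sure the peer at 148.64.56.151 is configured to match, or phase 1 will fail. The trailing comment on `ikev2=insist # To use IKEv2, change to ikev2=insist` is self-referential and should either say what the alternative values mean or be dropped. For the secrets line, `my-pub-ip x-end-pub-ip : PSK "..."` only works once the two placeholders are replaced with the real endpoint addresses (or `%any`), and /etc/ipsec.d/oci-ipsec.secrets must stay root-only (mode 0600) since it holds the PSK in clear. In the OpenWrt part, putting `list device 'tun0'` into the `wan` zone with `option masq '1'` is the usual client setup, but it means LAN hosts reach the tunnel only through forwarding rules you still have to add, which the snippet does not show.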
network_stuff/vpn_troubleshooting.1524156008.txt.gz · Last modified: (external edit)