network_stuff:vpn_troubleshooting
This is an old revision of the document!
Cisco
Juniper SRX
Juniper Netscreen
Checkpoint
OPENVPN SERVER FEDORA
-
- pki, ca, server and client cert (after being generated) + configuration , in : /etc/openvpn/server
- For logs:
/etc/openvpn/server/openvpn.log /etc/openvpn/server/openvpn-status.log
- On the server:
systemctl enable firewalld systemctl start firewalld firewall-cmd --permanent --add-service openvpn firewall-cmd --permanent --add-masquerade # also enable ip forwarding with sysctl.conf and don't forget systemctl restart network.service
Start server:
systemctl start openvpn-server@server.service # Server
Create ovpn file and start client: generate_openvpn_config.sh
openvpn --config /home/jaime/ovpnrpi/client4.ovpn # client
If redirection fails:
systemctl stop firewalld systemctl start firewalld
OPENVPN SERVER RASPBERRY PI
https://dzone.com/articles/how-to-setup-an-openvpn-server-on-a-raspberry-pi
curl -L https://install.pivpn.io | bash # set it as static, you shoud have configured the dhcp reservation and port forwarding in the gw before this! pivpn add nopass # to create profiles. IMPORTANT: in the .ovpn you have the static pub ip, Replece it with the DNS entry! # /var/log/openvpn-status.log # just 3-4 lines with status /var/log/openvpn.log /etc/openvpn/server.conf # all fields nicely explained here : https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/server.conf
OPENWRT CLIENT OPENVPN:
In LuCi:
- Click Update-list
- Then INSTALL: luci-app-openvpn openvpn-easy-rsa openvpn-openssl
- Press OK on each of them to download and install them.
In CLI, Have these files:
root@OpenWrt:/etc/config# cat /etc/config/openvpn config openvpn 'camarreal_ovpn' option config '/etc/openvpn/forsythia-client.ovpn' # This is 'raw' the file generated in the openvpn server by doing "pivpn add nopass" option enabled '1'
Firewall and network config (from https://wiki.turris.cz/doc/en/howto/openvpn among other sources):
root@OpenWrt:/etc/config# cat /etc/config/firewall
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
list device 'tun0'
root@OpenWrt:/etc/config# cat /etc/config/network
config interface 'vpn'
option proto 'none'
option ifname 'tun0'
LINUX VPN-CLIENT
https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#linux
START:
mkdir -p /var/run/xl2tpd touch /var/run/xl2tpd/l2tp-control service strongswan restart service xl2tpd restart strongswan up myvpn echo "c myvpn" > /var/run/xl2tpd/l2tp-control ip route add 0/0 dev ppp0
STOP:
ip route del 0/0 dev ppp0 echo "d myvpn" > /var/run/xl2tpd/l2tp-control strongswan down myvpn
INVESTIGATE WHY CRASHES SOMETIMES:
May 9 05:16:22 observium xl2tpd: xl2tpd[23954]: Maximum retries exceeded for tunnel 23919. Closing. May 9 05:16:22 observium xl2tpd: xl2tpd[23954]: Connection 61860 closed to 148.64.56.150, port 1701 (Timeout)
LIBRESWAN STRONGSWAN NOTES:
- pluto is is an IKE (“IPsec Key Exchange”) daemon
yum install libreswan ipsec initnss systemctl enable ipsec systemctl start ipsec
- In the vnic: “tick skip Source/Dest Checks”
- modify /etc/sysctl.conf for forwarding External Link. In '/etc/sysctl.d' create a file named 50-libreswan.conf with that content
# https://libreswan.org/man/ipsec.conf.5.html
conn oracle-tunnel-1
left=10.156.0.23
# leftid=193.123.39.207 # This is the public IP (nat-t)
right=148.64.56.151
authby=secret
leftsubnet=10.181.181.0/24
rightsubnet=10.8.0.8/23
auto=start
mark=5/0xffffffff # Needs to be unique across all tunnels
vti-interface=vti0
vti-routing=no
ikev2=insist # To use IKEv2, change to ikev2=insist
ike=aes_cbc256-sha2_384;modp1536 # "cipher-hash;modpgroup,.."IKE encryption/authentication algorithm to be used for the connection (phase 1 aka ISAKMP SA).
phase2alg=aes_gcm256;modp1536 # (alias esp) . Algorithms that will be offered/accepted for a phase2 negotiatio (~transform set) .format for ESP is ENC-AUTH followed by one optional PFSgroup. For instance, "3des-md5" or "aes256-sha1;modp2048" or "aes-sha1,aes-md5". When specifying multiple algorithms, specify the PFSgroup last, e.g. "3des-md5,aes256-sha1;modp2048".
encapsulation=yes
ikelifetime=28800s
salifetime=3600s
cat /etc/ipsec.d/oci-ipsec.secrets
my-pub-ip x-end-pub-ip : PSK "a64-charslongrandomstringgeneratedwithpwgenoropensslorothertool"
network_stuff/vpn_troubleshooting.1590595938.txt.gz · Last modified: (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
