how to tunnel proprietary VPN through OpenVPN jumpbox?

Discussion in 'Linux Networking' started by Tom Roche, Jan 16, 2015.

  1. Tom Roche Guest

    * If there is a better newsgroup (or other channel) for this question, please let me know.
    * Post contains one ASCII-art diagram, also available via link.
    * Links in footnotes @ end of post.
    * Apologies if this is tl;dr but the problem seems somewhat complex (at least to me)

    SUMMARY: I seek to tunnel an F5 SSL VPN (hard requirement) through an OpenVPN server (apparently required) in order to shell into a compute cluster behind a firewall. I can access the required F5 remote-access website (RAW) through the OpenVPN tunnel, but lose DNS once I activate the F5VPN using the RAW's web GUI. I suspect this is due to a problem with my OpenVPN configuration, since direct access using the F5VPN (unfortunately now disallowed) worked for me in the past; specifically I suspect my OpenVPN server is not enabling my F5VPN client to see/use the DNS server(s) inside the firewall.

    How to fix? Alternatively,

    * what else do I need to learn/discover before a fix can be applied?
    * where else should I go for help?
    * is there a better way to do what I need?


    This seems pretty complicated (to me, anyway), and I'm hoping to make whatever I discover available for others, so I'm maintaining my code/configs as project=linode_jumpbox_config[1] and documenting @ that project's wiki[2] (which has a glossary[3] which may clarify terms used below).

    The details on what I'm trying to do[4] are hopefully summarized by this ASCII art (web-rendered here[4] in case you're not reading this in monospace):

    +----------+        +-----------+         +---------------+   |   +---------+
    | laptop + |        | linode +  |         | remote-access |   |   | cluster |
    | F5NAP +  | <-->   | OpenVPN + | <--->   | website +     | <-|-> | node(s) |
    | OpenVPN  |        | security  |         | F5VPN         |   |   |         |
    +----------+        +-----------+         +---------------+   |   +---------+

    Both laptop and linode are running Debian, and I configure them. I know almost nothing about what agency=='US EPA'[5] runs, and have even less control. The agency requires me to run an F5NAP=='F5 Network Access Plugin'[6] in order to access the agency's F5VPN which enables access to compute clusters on which I need to do research (I'm a student). In the past I could run the F5NAP directly from my laptop to access the F5VPN[7], but this was recently broken by access-policy change[8].

    To accommodate the new policies, I'm trying to tunnel through a linode jumpbox[1], such that the linode satisfies all the new requirements (notably, static IP#[8]). Most of the linode's pre-OpenVPN networking is configured by this bash script[9], which (hopefully) automates this manual procedure[10]. (Details on the entire networking+OpenVPN install+configuration start here[11], and are mostly automated. The automating scripts[12] unfortunately need more structure and commenting, but should be relatively readable. Questions are welcomed; pull requests even more so.)

    My implementation of my design works only for the following sequence (details here[13]), after which it fails:

    1. I can start an OpenVPN server on my linode[14] (via SSH from my laptop) apparently successfully.

    2. On my laptop, if I browse to (e.g.) , I see a "normal" (for my ISP) IP#.

    3. I can then start an OpenVPN client on my laptop[15] (in a bash shell/terminal), again apparently successfully.

    4. On my laptop, if I browse to (using my normal, Debian-packaged browser=Firefox), as expected I now see the IP# of my linode. This is essential, since that IP# is on the agency's whitelist.

    5. On my laptop, I can start my F5NAP'ed Firefox[6], and with that browse to , and still see my linode's IP#.

    6. Using the F5NAP'ed Firefox (on my laptop), I can browse to the agency's remote-access website and login normally.

    7. Using (from the F5NAP'ed Firefox on my laptop) the web GUI provided (post-authentication) by the remote-access website, I can start the F5VPN, and see status==Connected in the F5VPN UI. This is what I expect from "the good old days" when I could run the F5VPN directly from my laptop[16].

    At this point, in "the good old days," I could go to any shell/gnome-terminal on my laptop, utter `ssh`, and get to work. But not now :-(

    Currently I am broken at this point in the sequence (details here[17]). Specifically, I lose DNS, which

    * (immediately) causes SSH to fail, preventing me from running SSH to any cluster login node (which is the whole point of this exercise).

    * (eventually) breaks the OpenVPN tunnel, which means the F5VPN no longer sees the registered/whitelisted IP#, causing it to drop my connection.

    How to fix or debug? Complications for debugging/support include:

    1. F5 (the agency's VPN vendor) is completely proprietary, and barely supports Linux. My attempts to get support from them have been mostly ignored.

    2. The agency barely supports Linux internally, for users. (Of course the scientific-research clusters which we seek to use are *all* Linux, but they're supported by separate contractors who only support the clusters themselves, not access *to* the clusters.) The agency barely *tolerates* Linux for remote access, and especially by non-employees like me. (I'm a student.)

    Net: I suspect I can get answers to some direct, specific questions from agency support, but I know (from bitter experience) that I cannot get support if I just say to them (as I am to you now) "this isn't working--what should I do?" I know especially that I cannot get help with anything related to a Linux client: agency client-side support is (AFAICS) *strictly* limited to Windows XP (no lie!).

    How to fix this problem? (FWIW, I will document the fix @ project wiki[2], and my effusive praise for anyone who provides any assistance will last as long as its git repo does :) Alternatively,

    * what else do I need to learn/discover before a fix can be applied?
    * where else should I go for help?
    * is there a better way to do what I need?

    If feasible, please reply to me as well as to the group, and thanks in advance! Tom Roche <>

    [5]: , part of the US Federal government.
    Tom Roche, Jan 16, 2015

  2. Chris Davies Guest

    Set your OpenVPN client to accept DNS settings from the server. The
    keyword here is "pull", which presupposes the server is actually trying
    to push them. (This keyword will also pull routing, so you may want
    "route-nopull" if you prefer to define your own.)

    You will also need these three lines, which allows a Linux-based client
    to make use of the DNS settings it's been given:

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

    Check your DNS settings in /etc/resolv.conf after your OpenVPN client
    has connected, to confirm that you have the correct values.

    Chris Davies, Jan 16, 2015

  3. Pascal Hambourg Guest

    Tom Roche wrote:
    One thing I don't understand. In your web page, you wrote:
    But your ping command requires name resolution to retrieve the IP
    address to send the packets to. Does it send a DNS request or did you
    add to your /etc/hosts file? If the former, can you
    capture and compare the DNS traffic of the two commands?
    Pascal Hambourg, Jan 16, 2015
  4. Tom Roche Guest

    Tom Roche Thu, 15 Jan 2015 22:07:22 -0800 (PST)[1]
    Chris Davies Fri, 16 Jan 2015 14:25:15 +0000[2]
    Apologies for dullness on my part, but I am a newbie (particularly to OpenVPN, but I'm not so strong on Linux networking either--I'm basically a developer who's been forced to do much more administration than I would prefer). What exactly should I add to my client.conf?[3] (Note I will cheerfully RTFM if pointed to documentation.)

    I had the latter 2 lines (see my client.conf[3]); I will add the first.

    Pascal Hambourg Fri, 16 Jan 2015 22:56:46 +0100[4]
    Good point! I'm not sure if that's cut-n-paste error on my part, or an artifact of the name-resolution process. I will rebuild the server[5] and attempt to reproduce.
    I can certainly say I did *not* add and have not added to /etc/hosts on either my OpenVPN server or client.
    How would I do that? Seriously--I don't know, but would cheerfully RTFM if pointed to documentation.

    Your assistance is appreciated! Tom Roche <>

    Tom Roche, Jan 17, 2015
  5. Pascal Hambourg Guest

    Tom Roche wrote:
    In console: tcpdump, tshark
    In GUI: wireshark
    Filter on "port 53" for DNS traffic. Ex:
    tcpdump -n -i any port 53
    Pascal Hambourg, Jan 17, 2015
  6. Tom Roche Guest

    [Apologies for any duplicate messages: I tried to send the following via `inews` but I don't have that correctly configured. Someday I have gotta setup `gnus`.]

    I have just finished

    1. clarifying logging. Main log no longer goes to syslog, status log path is no longer default, both paths are set in client.conf[1] and server.conf[2].
    2. documenting logging. The evolution of the logs through the various stages of my problem are now hopefully documented helpfully for both client[3] and server[4].
    3. improving code[5] (hopefully) by increasing parameterization (most variables should only get set once, and more get set by the user's and automating some setup/cleanup
    4. rerunning the problem after rebuilding server and relevant bits of the client

    The main difference now is, the behavior I reported that confused Pascal Hambourg[6] has now disappeared (if it was ever there): after I connect to the F5VPN[7] (which is the proprietary VPN I need to tunnel through an OpenVPN) I completely lose all connectivity (both DNS and raw `ping`) until I disconnect from the F5VPN.

    Chris Davies Fri, 16 Jan 2015 14:25:15 +0000[8]
    Tom Roche Sat, 17 Jan 2015 13:28:58 -0800 (PST)[9]
    I would still very much like to know how to do this. Note again my current client.conf contents[1].

    Pascal Hambourg Sat, 17 Jan 2015 23:47:19 +0100[10]
    I hope to try that tomorrow.

    Your assistance (and tolerance of newbie stumbling) is appreciated, Tom Roche <>

    Tom Roche, Jan 19, 2015
  7. Tauno Voipio Guest

    (if it was ever there): after I connect to the F5VPN[7] (which is the
    proprietary VPN I need to tunnel
    through an OpenVPN) I completely lose all connectivity (both DNS and raw
    `ping`) until I disconnect from the F5VPN.

    This is a default behavior in most commercial VPN's. Its purpose
    is to prevent sneak paths to/from the VPN's tunneled network via
    the client computer.

    It seems to me that you're attempting to do something that the
    VPN target network's owner does not like.
    Tauno Voipio, Jan 19, 2015
  8. Tom Roche Guest

    Tauno Voipio Mon, 19 Jan 2015 10:31:57 +0200[1]
    Since you may not have read this[2] or found it unclear:

    1. Neither of the VPNs I'm using are commercial in the sense of "commercial service." The government agency whose cluster I'm trying to reach owns the instance of the proprietary VPN[3] they've deployed (hardware and software), and I rent the hardware on which I have deployed the OpenVPN.

    2. Similarly, the compute cluster to which I'm trying to tunnel is not a commercial service: it's a government-run scientific research facility.

    3. No one at the agency has said "you can't do this," and they are usually fairly upfront/aggressive about usage they prohibit.

    4. As previously noted[4], I am still quite inexperienced with Linux networking and advanced IP networking generally, and OpenVPN in particular.

    I Could Be Wrong, but given the above, ISTM reasonable to conclude that "user error" on my end is more likely than blockage on the agency end.

    Tom Roche, Jan 19, 2015
  9. Tauno Voipio Guest

    The blockage is at your end. The tunneling client code in your host
    kills other network routes when tunneling is activated.

    By 'commercial' I intended to say 'ready-made, not open'.

    Is it possible to make a sketch of the networking you'd like to set up?

    Please check what the following commands (as root) report:

    route -n

    in different situations:

    a) when your VPN client is off
    b) when your VPN client is activated

    OpenVPN is pretty clear. In default configuration, it tunnels the client
    network frames (either Ethernet (layer 2) or IP (layer 3))
    using UDP port 1194 to transfer the encrypted packets.

    If you have a separate box running OpenVPN, it seems to me that
    it has a firewall set up so that only the client network (tunnel
    inside) packets are transferred.
    Tauno Voipio, Jan 19, 2015
  10. Tom Roche Guest

    Tauno Voipio Mon, 19 Jan 2015 20:45:19 +0200 [1] (rearranged)
    Not only is it possible, it's online[2] :)
    That's entirely possible! And I hadn't thought about that (probably because, as previously mentioned,

    Tom Roche Sat, 17 Jan 2015 13:28:58 -0800 (PST)[3]
    ), so thanks for the suggestion. I have now added a section on the server firewall[4] to the doc: does that look problematic? If so, how should the server's iptables (possibly et al) be changed?
    OK. IIUC, you want these run on/from the client (as defined here[5]) and not the server (ditto): if so, see the (slightly edited) output here[6].

    .... and thanks for your assistance! Note that I will be keeping the results of this project online[7] for the benefit of the next poor bastard in my situation, so your assistance will hopefully not be wasted.

    Tom Roche, Jan 19, 2015
  11. Chris Davies Guest

    Without the first the others cannot run.

    Chris Davies, Jan 22, 2015
  12. Tom Roche Guest

    Chris Davies Fri, 16 Jan 2015 14:25:15 +0000 [1]
    Tom Roche Sat, 17 Jan 2015 13:28:58 -0800 (PST) [2]
    Chris Davies Thu, 22 Jan 2015 15:09:16 +0000 [4]
    True that! However that did not affect this problem, since (dunno why) I was adding `--script-security 2` to my client-starting commandline rather than putting it in the client.conf (which is more reproducible).

    What may actually be significant is, I now see what appears to be the root of my problem (IIUC, which I may not be, because my networking knowledge is still rather thin): connecting to the F5VPN changes my client's `route`ing (see state#=4 here[5]) in a manner that I suspect conflicts with the `iptables` currently on my server/jumpbox[6] (through which I seek to tunnel[7]). Does that seem correct? If so, how to fix?

    Tom Roche, Jan 22, 2015
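One way to do the before/after `route -n` comparison Tauno Voipio proposed earlier, and to check for the routing change Tom describes in this post: an added example, not code from the thread or from the linode_jumpbox_config project. Both routing-table snapshots are constructed; 203.0.113.10 stands in for the linode's public address and 192.168.1.1 for the laptop's LAN gateway.

```python
# Added example (not from the thread): diff two `route -n` snapshots taken on the
# OpenVPN client before/after the F5VPN comes up, and check the routes the tunnel
# needs. Snapshots are constructed; 203.0.113.10 stands in for the linode's address.
import re

BEFORE_F5 = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.5        128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
128.0.0.0       10.8.0.5        128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
203.0.113.10    192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
"""
# After the F5 client takes over: its own default route, everything else flushed.
AFTER_F5 = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 tun1
10.8.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0
"""
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_routes(text):
    """Set of (destination, gateway, genmask, iface) tuples from `route -n` output."""
    routes = set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 8 and IPV4.match(cols[0]):  # skips the header line
            routes.add((cols[0], cols[1], cols[2], cols[7]))
    return routes

def diff_routes(before, after):
    """(routes removed, routes added) between two snapshots."""
    b, a = parse_routes(before), parse_routes(after)
    return sorted(b - a), sorted(a - b)

def tunnel_health(snapshot, vpn_server, tun_iface="tun0"):
    """After redirect-gateway the OpenVPN tunnel needs a /32 host route to its server
    via the physical interface (so encrypted packets can leave) and a default route
    (0/0, or the 0/1 + 128/1 pair) via the tun interface. Report both."""
    routes = parse_routes(snapshot)
    server_route = any(d == vpn_server and m == "255.255.255.255" and i != tun_iface
                       for d, _g, m, i in routes)
    default_via_tun = any(d == "0.0.0.0" and m in ("0.0.0.0", "128.0.0.0") and i == tun_iface
                          for d, _g, m, i in routes)
    return {"server_route": server_route, "default_via_tun": default_via_tun}
```

On the real laptop, feed the two functions the saved output of `route -n` from states 3 and 4; if `server_route` is False after the F5VPN connects, the encrypted OpenVPN packets no longer have a path to the linode, which matches the tunnel eventually dropping.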
