www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
 
 SearchSearch  RegisterRegister  UsergroupsUsergroups 
 ProfileProfile  Log inLog in  Log in to check your private messagesPrivate Message 

Move profile between platforms - few weird issues

 
Post new topic   Reply to topic    www.zeroshell.org Forum Index -> ZeroShell
View previous topic :: View next topic  
Author Message
squigley



Joined: 26 May 2016
Posts: 14

PostPosted: Sun Jun 11, 2017 9:23 pm    Post subject: Move profile between platforms - few weird issues Reply with quote

I bought a Raspberry Pi 3 to replace my x86 system running ZS (3.7.1).

As I have a bunch of config, bonded VPNs, 4 WAN connections, SSL cert, port forwarding etc, I don't want to have to reconfigure everything manually.

I made a "backup without logs" from my x86 system, and I "restore profile" to the Raspberry Pi (running 3.7.1A). This mostly worked, but I had to remove and recreate the WAN interfaces since they were bound to a NIC which didn't exist on the Pi etc. I also VLAN tagged the 5 interfaces (LAN + 4x WAN) so I can use the single ethernet port on the Pi, and this is plugged into a Linksys AP with matching VLAN tags.

DHCP also wasn't running until I disabled and re-enabled it, for it to realise the LAN subnet was now a VLAN tagged interface.

The main weird issue I can't seem to resolve is with the VPNs. Initially they wouldn't connect from the Pi as I had configured them on the x86 system to use padlock engine (built into the CPU of the AMD in the x86, not in the Pi..) so I disabled this, and now the VPNs connect, and traffic will pass (but the interfaces and the bond interface aren't/weren't working properly, and I had to manually bring up the VPN00 interfaces, and ifenslave them into the BOND00 interface), but ZS continues to show them as stuck "connecting to remote peer".

This also seems to interfere with the bonding, as the wrong/non primary VPN of the bond interface is being used, and traffic seems to stop and restart across the VPN constantly. Running a pcap I can see ARP requests being sent from ZS, but not arriving on the other end's tap interface, and then all of a sudden it will start working again.

Is there some file(s) which is different between these platforms I have mucked up by bringing over the profile from a different platform? Is the version difference between 3.7.1 and 3.7.1A part of the problem? Is there something I can fix, or should I just cut my losses and delete the profiles and start all over again and configure it manually rather than trying to import my config from the x86 platform to the Pi platform?
Back to top
View user's profile Send private message
squigley



Joined: 26 May 2016
Posts: 14

PostPosted: Sun Jun 11, 2017 10:08 pm    Post subject: Reply with quote

I realised I could connect the LAN interface using the WiFi interface on the Pi, rather than VLAN tagging the single port and just use it for my 4 WAN connections (in /29 subnets), in case that was the problem, since it was the only real difference from the x86 system.

I rebooted into the original profile, and I configured things that way from scratch, rather than trying to import the config.

I setup the net balancer and the VPNs exactly the same, exporting and importing the X509 certs etc, and yet the VPN still gets stuck on "connecting to peer", even though it comes up, and the log file has "Initialization Sequence Completed" at the end.

Now I'm confused as to why it's not working out that the VPN has connected.
Back to top
View user's profile Send private message
squigley



Joined: 26 May 2016
Posts: 14

PostPosted: Mon Jun 12, 2017 2:23 pm    Post subject: Reply with quote

So I continued fiddling with no success. Doing a sanity check, I moved the x86 box to another LAN IP, and WAN IPs, and changed the VPN config to exactly match the Raspberry Pi.. The VPNs connect with no issues.

I think there's something funny/broken with the VPN LAN to LAN support in 3.7.1A
Back to top
View user's profile Send private message
squigley



Joined: 26 May 2016
Posts: 14

PostPosted: Fri Jun 30, 2017 6:18 am    Post subject: Reply with quote

I've just got back to Canada from a 2 week vacation to Australia and have started looking at this again. With exactly the same config on both systems, only one will have the VPN connect. There must be something different..

I looked in the log files on both systems to compare, after connecting, and attempting to compare. I notice that the OpenVPN versions are very different.

The x86 system which works is running:

OpenVPN 2.4.0 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Jan 4 2017 library versions: OpenSSL 1.0.2j 26 Sep 2016, LZO 2.03

The RPi is running:

OpenVPN 2.3.10 armv7l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jan 29 2016 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09

My server/remote system is running:

OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014


So I'm beginning to suspect an issue with 2.3.10 armv7l-unknown-linux-gnueabihf.
Back to top
View user's profile Send private message
squigley



Joined: 26 May 2016
Posts: 14

PostPosted: Thu Jul 06, 2017 6:18 pm    Post subject: Reply with quote

Replying to myself..

I'm now thinking the issue is with the scripts that surround bringing the VPN up.

When I check the log from starting the VPN, it says that interface VPN00 is down.

I logged in to get a shell, and I can't even run a tcpdump on the interface as "that interface is not up". When I manually bring it up "ifconfig VPN00 up", then I can tcpdump and I see the traffic, and it will work. If I restart the VPN it will take the interface down, but not bring it back up again.

I'm wondering if my attempt to restore the profile from the x86 system may have mucked with some scripts causing a mismatch between the Pi image and the x86 install?
Back to top
View user's profile Send private message
squigley



Joined: 26 May 2016
Posts: 14

PostPosted: Tue Jul 18, 2017 6:55 pm    Post subject: Reply with quote

Continuing to talk to myself..

I tried re-imaging the SD card's non profile partitions, and this made no difference.

For now I have gone back to the x86 system as my router.

I have ordered an Orange Pi and will try again there.
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    www.zeroshell.org Forum Index -> ZeroShell All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group