redfive

Forum Replies Created

Viewing 15 posts - 1 through 15 (of 225 total)
  • redfive
    Participant

    Well done!! 😉
    This is the ‘basic’ OpenVPN H2L; when you are ready, we can start to try something slightly different…..
    Cheers,
    jonatha
    P.S. The S.NAT in the OpenVPN has its function: in a topology like yours, where all the hosts have ZS as default gateway, it is not necessary, but think of another type of topology where, maybe, ZS (10.1.1.254) is a simple host used only as VPN server, placed in an existing network (e.g. 10.1.1.0/24) with other hosts, and the default gateway is another router (10.1.1.1)…. without the SNAT, incoming packets destined to the LAN hosts will be forwarded out with their real IP address (something like 192.168.250.10)….. the host, e.g. 10.1.1.25, to reply to the host 192.168.250.10 will forward the packet to its default gateway (10.1.1.1); in this case, either the default gateway has a static route for the network 192.168.250.0/24 or the packet will be lost.
    With the SNAT, the source IP address of all packets that arrive via VPN and are forwarded out by ZS from one of its interfaces will be translated to the IP address of the outgoing interface (10.1.1.254), so for the host (10.1.1.25) it is easy to reply.
    This is the output with the SNAT checked

    Chain OpenVPN added, in detail
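
The reply-path reasoning in the post above (SNAT on versus off, with and without a static route on the LAN gateway), traced with a small longest-prefix-match lookup. This is an added example, not code from the post or from Zeroshell; the topology (10.1.1.0/24 LAN, ZS at 10.1.1.254, gateway 10.1.1.1, VPN pool 192.168.250.0/24) is taken from the post, while the routing tables and the upstream hop 203.0.113.1 are constructed assumptions.

```python
import ipaddress

# Constructed topology matching the post: ZS (10.1.1.254) is an ordinary host on the
# existing LAN 10.1.1.0/24 acting only as VPN server, the LAN default gateway is
# another router (10.1.1.1), and VPN clients get addresses from 192.168.250.0/24.
VPN_CLIENT = "192.168.250.10"
ZS_LAN_IP = "10.1.1.254"
LAN_HOST = "10.1.1.25"
LAN_GATEWAY = "10.1.1.1"
VPN_NET = "192.168.250.0/24"
UPSTREAM = "203.0.113.1"  # constructed: the gateway's own next hop towards the Internet

# Routing tables as (prefix, next_hop) lists; next_hop None means "directly connected".
LAN_HOST_ROUTES = [("10.1.1.0/24", None), ("0.0.0.0/0", LAN_GATEWAY)]
GATEWAY_ROUTES = [("10.1.1.0/24", None), ("0.0.0.0/0", UPSTREAM)]


def lookup(routes, dst):
    """Longest-prefix-match lookup. Returns (network, next_hop), or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def reply_path(snat, gateway_static_route=False):
    """Trace the LAN host's reply to a packet that arrived from the VPN client.

    With SNAT on ZS the reply is addressed to ZS's LAN address; without it, to the
    client's real VPN address. Returns (delivered, hops)."""
    reply_dst = ZS_LAN_IP if snat else VPN_CLIENT
    hops = [LAN_HOST]
    route = lookup(LAN_HOST_ROUTES, reply_dst)
    if route is None:
        return False, hops
    _, next_hop = route
    if next_hop is None:
        # Directly connected: the LAN host delivers on its own link.
        hops.append(reply_dst)
        return reply_dst == ZS_LAN_IP, hops
    # Off-link destination: the reply goes to the LAN default gateway.
    hops.append(next_hop)
    gw_routes = list(GATEWAY_ROUTES)
    if gateway_static_route:
        # The fix the post mentions: a static route for the VPN pool pointing at ZS.
        gw_routes.append((VPN_NET, ZS_LAN_IP))
    _, gw_next_hop = lookup(gw_routes, reply_dst)
    if gw_next_hop == ZS_LAN_IP:
        hops.append(ZS_LAN_IP)
        return True, hops
    # Only the default route matches: the private 192.168.250.x reply is sent upstream and lost.
    hops.append(gw_next_hop)
    return False, hops


if __name__ == "__main__":
    for snat, static in [(False, False), (False, True), (True, False)]:
        ok, hops = reply_path(snat, static)
        print(f"snat={snat!s:5} static_route={static!s:5} delivered={ok!s:5} "
              f"path={' -> '.join(hops)}")
```

Running it shows the three cases from the post: without SNAT the reply leaves through the gateway's default route and is lost, a static route on the gateway rescues it, and with SNAT the reply is on-link and never leaves the LAN.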

    redfive
    Participant

    Yes, it does look correct… you should be able to reach, while connected via VPN, (only) the host 10.10.10.2.
    The connected clients will obtain an IP address from the VPN server, ‘Client IP Address Assignment’, starting from 192.168.250.50 up to 192.168.250.55, based on your config.
    Try and report…….. 😉
    IMHO, OpenVPN in ZS (I use OpenVPN on Debian, on UBNT EdgeRouter…) is the simplest VPN service I have ever tried…. it goes by itself!! Like eating an ice cream, compared, e.g., to configuring, via CLI, the EZVPN with PKI on a Cisco ISR…
    If all is ok, and you are still interested, I’ll post some configs to obtain other goals.
    Cheers,
    jonatha
    P.S. If you are using the firewall, you have to create some rules in INPUT and FORWARDING, to allow the VPN users to go where you want (but this is the same in each fw, where the firewall is used).

    redfive
    Participant

    Fast way… if you want to reach only one host, declare, with the ‘Net’ button, only its IP address with a /32 mask….
    jonatha

    redfive
    Participant

    It isn’t difficult, it is ‘only’… highly customizable…
    Well, let’s start from the beginning…. by default, ZS uses, for the VPN99, the IP address 192.168.254.254/24…. leave it as is, remove the flag ‘Source Nat’, then via the ‘Net’ button, declare the network 10.10.10.0/24, save….. after the VPN connection is established, from the command prompt, issue

    netstat -r | find "10.10.10.0"

    You should see something like

    10.10.10.0 255.255.255.0 192.168.250.x 192.168.250.254  21 

    And you should be able to reach the hosts on the 10.10.10.0/24 network (if fw rules allow)… this is the first step…
    (the nice part has still to come, don’t give up… 😉 )
    Cheers,
    jonatha

    redfive
    Participant

    Something is unclear… are you using the VPN99 bridged with the ‘lan’? Or is it on its own subnet? The IP addresses seem the same….. Anyway, do you need L2 visibility among the VPN users and the LAN hosts, or is L3 visibility only to that specific host enough for VPN users (and maybe, for the admin, access to the whole network…)?
    In the second case,…. ZS, for the H2L, by default uses the full tunnel (--push-redirect-gateway: all clients’ traffic will flow through the VPN tunnel….), so you may try, for starting, by using a dedicated network for the VPN99 (e.g. 192.168.240.1/28), and, via the ‘Net’ button, declare the networks which will be reachable via the VPN tunnel (as the Cisco split-tunnel), in your case 10.10.10.0/24; in this way, the normal traffic will flow through its normal way, while only the traffic destined to 10.10.10.0/24 will be ‘pushed’ into the VPN tunnel…..

    redfive
    Participant

    I’m still at work, later I’ll take a look in depth; in the meanwhile…. how is the ZS box ‘placed’ in your network? Is it a simple host? Is ZS the default gateway also for the hosts in your LAN?

    redfive
    Participant

    If you declare ‘Only password’ as auth method, then you don’t need the client cert/key, only the CA cert on the client side; the VPN server will act, basically, as an SSL server, where the client will trust the server certificate (thanks to the CA cert of the CA which has signed the server cert).
    Cheers,
    jonatha

    redfive
    Participant

    Don’t worry, we are all here to learn something…. I too (and I do have much to learn).
    But, most important… is it running now??
    Next step is the static IP assignment to VPN users…
    Let me know
    Cheers,
    jonatha

    redfive
    Participant

    The user vpn0 will have its own cert and private key, just like the admin …
    Cheers,
    jonatha

    redfive
    Participant

    No, I’m saying that you have to download the CA .pem and the user cert (admin) with private key (not the host cert) 😀
    Cheers,
    jonatha

    redfive
    Participant

    Directly from ZS, for starting, let’s make things simple…. download from ZS (SECURITY, X.509 CA, admin, export button, key and PEM) the admin certificate with the private key in .pem format; if the cert is named, e.g., admin.earthlovesme.ca, in the VPN client’s config, after cert put admin.earthlovesme.ca.pem, the same after key,
    then try to connect via VPN, using admin as user and the admin pwd.
    Cheers,
    jonatha

    redfive
    Participant

    It’s funny, personally I’ve found the configuration of the VPNs in ZS much easier than in most other appliances… anyway, this is one of my (client side) configs

    remote xxxx.dyndns.org 1198
    proto tcp
    auth-user-pass
    ca my.ca.file.pem
    cert admin.cert.pem
    key admin.-key.pem
    remote-cert-eku 'TLS Web Server Authentication'
    verify-x509-name 'C=it, ST=xx, L=xx, O=xxxx, OU=server01, CN=server01.xxxx, emailAddress=xxxxxxx@libero.it'
    cipher AES-128-CBC
    auth RSA-SHA224
    comp-lzo
    verb 3
    mute 20
    resolv-retry infinite
    nobind
    client
    dev tap
    persist-key
    persist-tun
    auth-nocache
    route-method exe
    route-delay 2
    script-security 3

    You may try something like

    remote your.fqdn|ip 1194
    proto tcp
    auth-user-pass
    ca your.ca.file.pem
    cert user.cert.pem
    key user.-key.pem
    remote-cert-eku 'TLS Web Server Authentication'
    verify-x509-name 'C=xx, ST=xx, L=xx, O=xxxx, OU=xxxxxx, CN=xxxxx.xxxx, emailAddress=xxxxxxx@xxxxxx'
    comp-lzo
    verb 3
    mute 20
    resolv-retry infinite
    nobind
    client
    dev tap
    persist-key
    persist-tun
    auth-nocache
    route-method exe
    route-delay 2
    script-security 3

    Firstly, I’d advise installing openvpn 2.3.10; then, about the above config, for the
    verify-x509-name
    you have to replace the entries with those that appear in your host cert, the one which you are using for the VPN server, and only those which are present; e.g. if your host cert is for the host router.earthlovesme.ca, and you have only the CN and the OU in the cert, use only
    verify-x509-name 'OU=Hosts, CN=router.earthlovesme.ca'
    Once you have the VPN running, I’ll post how to give static IP addresses based on username/common-name, so you can use user-based firewall rules…..
    cheers,
    jonatha
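
An added example (not code from the post or from Zeroshell) that parses a client config in the shape of the one above and checks for the settings the post relies on to pin the server's identity: remote-cert-eku, verify-x509-name and auth-nocache. It also builds the verify-x509-name argument from only the subject attributes actually present in the server certificate, as the post advises. The sample config, its placeholder names and the subject values are constructed; the parser is a simplified one (quoted arguments, # and ; comments) and is not OpenVPN's own.

```python
import re

# Constructed client config in the shape of the post's template (placeholder names kept).
SAMPLE_CONFIG = """\
remote your.fqdn 1194
proto tcp
auth-user-pass
ca your.ca.file.pem
cert user.cert.pem
key user-key.pem
remote-cert-eku 'TLS Web Server Authentication'
verify-x509-name 'OU=Hosts, CN=router.earthlovesme.ca'
comp-lzo
verb 3
client
dev tap
auth-nocache
"""


def parse_config(text):
    """Parse an OpenVPN-style config into {directive: [args...]}; last occurrence wins.

    Quoted arguments keep their spaces; blank lines and '#'/';' comments are skipped."""
    parsed = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)
        args = [p.strip("'\"") for p in parts]
        parsed[args[0]] = args[1:]
    return parsed


def lint_client_config(text):
    """Return findings for the server-identity and credential settings discussed in the post."""
    cfg = parse_config(text)
    findings = []
    if "ca" not in cfg:
        findings.append("no ca directive: the server certificate cannot be validated")
    if "remote-cert-eku" not in cfg and "remote-cert-tls" not in cfg:
        findings.append("no remote-cert-eku/remote-cert-tls: any certificate issued by the same CA "
                        "(e.g. another user's) would be accepted as the server")
    if "verify-x509-name" not in cfg:
        findings.append("no verify-x509-name: the server certificate subject is not pinned")
    if "auth-user-pass" in cfg and "auth-nocache" not in cfg:
        findings.append("auth-user-pass without auth-nocache: username/password stay cached in memory")
    return findings


def build_verify_x509_name(subject_attributes):
    """Build the verify-x509-name argument from (attribute, value) pairs in certificate order,
    dropping attributes the certificate does not carry (empty values), as the post advises."""
    return ", ".join(f"{k}={v}" for k, v in subject_attributes if v)


if __name__ == "__main__":
    for finding in lint_client_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
    # Constructed subject: only OU and CN present, matching the post's router.earthlovesme.ca case.
    subject = [("C", ""), ("ST", ""), ("O", ""), ("OU", "Hosts"),
               ("CN", "router.earthlovesme.ca"), ("emailAddress", "")]
    print("verify-x509-name '%s'" % build_verify_x509_name(subject))
```

Run against the post's first (minimal) template with the identity directives removed, the linter reports the three missing checks; the full template passes clean.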

    redfive
    Participant

    With Cisco, things do not always go so well and smoothly… (e.g., to make the VPN client work on Win8.1, it was also required to install the Citrix DNE; another story, btw…)
    Could you post the ‘sanitized’ client config? Also, the cert on the server is local, but which one is it? Is it the cert for the host router.earthlovesme.ca, or another one?
    Cheers,
    jonatha

    redfive
    Participant

    Hi DrmCa, you may try as follows… firstly, install openvpn 2.3.10, then…
    On ZS, in the VPN section, X.509 Configuration, X.509 Host Certificate, are you using local or imported? In the first case, the client must have, as CA certificate, the CA certificate of ZS itself (without the private key):
    SECURITY, X.509 CA, Setup, export button (uncheck the flag ‘key’).
    In the second case, the client must have the CA certificate of the CA which has signed the imported certificate that you are using in ZS for the VPN server (and which could also be the same one that you are using for the https server…).
    For e.g., personally I use for ZS as well as for the client certificates which have been generated from an external CA, so for me an additional step is importing the ‘external’ CA certificate in ‘Trusted CAs’, and, still in the VPN section, X.509 Configuration, authentication button
    ‘Allow the X.509 VPN access with the certificates signed by the following Trusted CAs:’, check the imported CA certificate……
    Cheers,
    jonatha

    in reply to: Blocking Websites #54099
    redfive
    Participant

    You should create a firewall rule, in the FORWARD chain, then in the ‘IPTABLES Parameters’, add

    -m ndpi --youtube

    If you know a bit about how iptables works, it should be easy…
    Cheers,
    jonatha
