Forum Replies Created
April 21, 2016 at 8:52 pm in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54098
redfive
Participant
Well done !! :)
This is the ‘basic’ OpenVpn H2L, when you are ready, we can start to try something slightly different …..
Cheers,
jonatha
P.S. the S.NAT, in the openvpn, has its function; in a topology like yours, where all the hosts have ZS as default gateway, it is not necessary, but think of another type of topology, where, maybe, ZS (10.1.1.254) is a simple host used only as VPN server, placed in an existing network (eg. 10.1.1.0/24) with other hosts, and the default gateway is another router (10.1.1.1)….without the SNAT, incoming packets destined to the lan hosts will be forwarded out with their real ip address (something like 192.168.250.10)….. the host, eg 10.1.1.25, to reply to the host 192.168.250.10, will forward the packet to its default gateway (10.1.1.1); in this case, either the default gateway has a static route for the network 192.168.250.0/24 or the packet will be lost.
With the SNAT, the source ip address of all packets that arrive via vpn and that are forwarded out by ZS from one of its interfaces will be translated to the ip address of the outgoing interface (10.1.1.254), so, for the host (10.1.1.25), it is easy to reply.
This is the output with the SNAT checked
Chain OpenVPN added, in detail
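The asymmetric-routing problem jonatha describes in this reply, replayed as an added example (this code is not from the forum post and not Zeroshell's): a minimal longest-prefix-match router model using the addresses quoted in the post (ZS at 10.1.1.254 as a plain host, LAN gateway 10.1.1.1, LAN host 10.1.1.25, VPN client 192.168.250.10). The route tables are assumptions derived from the post's description; reply_path() returns the hops a LAN host's reply takes with and without SNAT, and with the alternative static route on the gateway.

```python
import ipaddress

# Addresses quoted in the post; the route tables below are assumed from its description.
ZS_LAN_IP = '10.1.1.254'          # Zeroshell, a plain host on the LAN acting as VPN server
LAN_GW = '10.1.1.1'               # the LAN's real default gateway
LAN_NET = ipaddress.ip_network('10.1.1.0/24')
VPN_NET = ipaddress.ip_network('192.168.250.0/24')   # OpenVPN client pool
DEFAULT = ipaddress.ip_network('0.0.0.0/0')


def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop); next_hop None means on-link."""
    best = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def build_routes(gateway_has_static_route):
    """Route tables of the LAN host and the LAN gateway as the post describes them."""
    routes = {
        '10.1.1.25': [(LAN_NET, None), (DEFAULT, LAN_GW)],
        LAN_GW: [(LAN_NET, None)],           # knows nothing about the VPN pool...
    }
    if gateway_has_static_route:             # ...unless the admin added the static route
        routes[LAN_GW].append((VPN_NET, ZS_LAN_IP))
    return routes


def reply_path(vpn_client, lan_host, snat, gateway_has_static_route=False):
    """Hops taken by lan_host's reply to a packet that arrived through the tunnel.

    With snat=True ZS rewrote the packet's source to its own LAN address before
    forwarding it, so the LAN host answers ZS directly.
    """
    routes = build_routes(gateway_has_static_route)
    reply_dst = ipaddress.ip_address(ZS_LAN_IP if snat else vpn_client)
    path = [lan_host]
    cur = lan_host
    for _ in range(8):                        # hop limit, in case of a routing loop
        match = lookup(routes[cur], reply_dst)
        if match is None:
            path.append('DROPPED')            # no route: the reply never comes back
            return path
        _, hop = match
        nxt = str(reply_dst) if hop is None else hop
        path.append(nxt)
        if nxt == ZS_LAN_IP:
            # ZS: conntrack reverses the SNAT (if any) and sends the reply into the tunnel.
            path.append(vpn_client)
            return path
        if nxt == str(reply_dst):
            return path
        cur = nxt
    path.append('DROPPED')
    return path


if __name__ == '__main__':
    for label, kwargs in [('no SNAT', dict(snat=False)),
                          ('SNAT on', dict(snat=True)),
                          ('no SNAT, static route on gateway',
                           dict(snat=False, gateway_has_static_route=True))]:
        hops = reply_path('192.168.250.10', '10.1.1.25', **kwargs)
        print(f"{label:35} {' -> '.join(hops)}")
```

Without SNAT the reply leaves via 10.1.1.1, which has no route back to 192.168.250.0/24, and is lost; with SNAT the host answers 10.1.1.254 directly and conntrack undoes the translation before the packet enters the tunnel. The 'Source Nat' checkbox corresponds to a POSTROUTING rule of the form "iptables -t nat -A POSTROUTING -s 192.168.250.0/24 -o <lan-interface> -j SNAT --to-source 10.1.1.254"; the exact rule Zeroshell generates is not shown in the thread.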
April 21, 2016 at 11:22 am in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54096
redfive
Participant
Yes, it does look correct … you should be able to reach, while connected via vpn, (only) the host 10.10.10.2.
The connected clients will obtain an ip address from the vpn server, ‘Client IP Address Assignment’, starting from 192.168.250.50 up to 192.168.250.55, based on your config
Try and report …….. :)
IMHO, OpenVpn in ZS (I use openvpn on debian, on UBNT EdgeRouter …) is the simplest VPN service I have ever tried…. it goes by itself !! Like eating an ice cream, compared, for eg., to configuring, via cli, the ezvpn with PKI on a cisco ISR…
If all is ok, and you are still interested, I’ll post some configs to obtain other goals
Cheers,
jonatha
P.S. if you are using the firewall, you have to create some rules in INPUT and FORWARDING, to allow the vpn users to go where you want (but this is the same in each fw, where the firewall is used)

April 20, 2016 at 7:53 pm in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54094
redfive
Participant
Fast way… if you want to reach only one host, declare, with the ‘Net’ button, only its ip address with a /32 mask ….
jonatha

April 20, 2016 at 6:42 pm in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54093
redfive
Participant
It isn’t difficult, it is ‘only’ …highly customizable …
Well, let’s start from the beginning…. by default, ZS uses, for the VPN99, the ip address 192.168.254.254/24 …. leave it as is, remove the flag ‘Source Nat’, then via the ‘Net’ button, declare the network 10.10.10.0/24, save….. after the vpn connection is established, from the command prompt, issue

netstat -r | find "10.10.10.0"
You should see something like
10.10.10.0 255.255.255.0 192.168.250.x 192.168.250.254 21
And you should be able to reach the hosts on 10.10.10.0/24 network (if fw rules allow) … this is the first step …
(the nice part has still to come, don’t give up … :) )
Cheers,
jonatha

April 20, 2016 at 5:04 pm in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54091
redfive
Participant
Something is unclear … are you using the VPN99 bridged with the ‘lan’ ? Or is it on its own subnet ? The ip addresses seem the same ….. Anyway, do you need L2 visibility among the vpn users and the lan hosts, or is it enough, for VPN users, to have L3 visibility only to that specific host (and maybe, for the admin, access to the whole network …) ?
In the second case,…. ZS, for the H2L, by default uses the full-tunnel (push "redirect-gateway": all clients’ traffic will flow through the vpn tunnel)…. so, you may try, for starting, by using a dedicated network for the VPN99 (eg. 192.168.240.1/28), and, via the ‘Net’ button, declare the networks which will be reachable via the vpn tunnel (as the cisco split-tunnel), in your case 10.10.10.0/24; in this way, the normal traffic will flow through its normal way, while only the traffic destined to 10.10.10.0/24 will be ‘pushed’ into the vpn tunnel…..

April 20, 2016 at 3:13 pm in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54089
redfive
Participant
I’m still at work, later I’ll take a look in depth, in the meanwhile …. how is the ZS box ‘placed’ in your network ? Is it a simple host ? Is the ZS the default gateway also for the hosts in your lan ?
April 20, 2016 at 10:40 am in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54087
redfive
Participant
If you declare ‘Only password’ as auth method, then you don’t need the client cert-key, only the CA cert on client side; the vpn server will act, basically, as an SSL server, where the client will trust the server certificate (thanks to the CA cert of the CA which has signed the server cert)
Cheers,
jonatha

April 19, 2016 at 6:50 pm in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54084
redfive
Participant
Don’t worry, we are all here to learn something …. I too (and I do have much to learn)
But, most important … is now running ??
Next step is the static ip assignment to vpn users …
Let me know
Cheers,
jonatha

April 19, 2016 at 6:38 pm in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54082
redfive
Participant
The user vpn0 will have its own cert and private key, just like the admin …
Cheers,
jonatha

April 19, 2016 at 6:32 pm in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54080
redfive
Participant
No, I’m saying that you have to download the CA .pem and the user cert (admin) with private key, (not the host cert) :)
Cheers,
jonatha

April 19, 2016 at 6:09 pm in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54078
redfive
Participant
Directly from ZS, for starting, let’s make things simple …. download, from ZS (SECURITY, X.509 CA, admin, export button, key and PEM) the admin certificate with the private key in .pem format; if the cert is named, eg., admin.earthlovesme.ca, in the vpn client’s config, after cert put admin.earthlovesme.ca.pem, and the same after key,
then, try to connect via vpn, use admin as usr and the admin pwd
Cheers,
jonatha

April 19, 2016 at 5:16 pm in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54076
redfive
Participant
It’s funny, personally I’ve found the configuration of the VPNs in ZS much easier than in most other appliances … anyway, this is one of my (client side) configs

remote xxxx.dyndns.org 1198
proto tcp
auth-user-pass
ca my.ca.file.pem
cert admin.cert.pem
key admin.-key.pem
remote-cert-eku 'TLS Web Server Authentication'
verify-x509-name 'C=it, ST=xx, L=xx, O=xxxx, OU=server01, CN=server01.xxxx, emailAddress=xxxxxxx@libero.it'
cipher AES-128-CBC
auth RSA-SHA224
comp-lzo
verb 3
mute 20
resolv-retry infinite
nobind
client
dev tap
persist-key
persist-tun
auth-nocache
route-method exe
route-delay 2
script-security 3

You may try something like

remote your.fqdn|ip 1194
proto tcp
auth-user-pass
ca your.ca.file.pem
cert user.cert.pem
key user.-key.pem
remote-cert-eku 'TLS Web Server Authentication'
verify-x509-name 'C=xx, ST=xx, L=xx, O=xxxx, OU=xxxxxx, CN=xxxxx.xxxx, emailAddress=xxxxxxx@xxxxxx'
comp-lzo
verb 3
mute 20
resolv-retry infinite
nobind
client
dev tap
persist-key
persist-tun
auth-nocache
route-method exe
route-delay 2
script-security 3

Firstly, I’d advise to install openvpn 2.3.10; then, about the above config, for the
verify-x509-name
you have to replace the fields with those that appear in your host cert, the one which you are using for the vpn server, and only those which are present, eg. if your host cert is for the host router.earthlovesme.ca, and you have only the CN and the OU in the cert, use only
verify-x509-name 'OU=Hosts, CN=router.earthlovesme.ca'
Once you have the vpn running, I’ll post how to give static ip addresses based on username/common-name, so you can use user-based firewall rules …..
Cheers,
jonatha
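As an added example of the point made in this reply (this is not jonatha's code and not Zeroshell's), a small Python linter that parses an OpenVPN client config the way OpenVPN tokenises it and reports when the directives that pin the server's identity (ca, remote-cert-eku or remote-cert-tls, verify-x509-name) are missing, plus a check that a pinned DN matches a host certificate's subject only when it lists exactly the fields the cert has, in order. The sample config, its hostnames and file names are constructed placeholders.

```python
import shlex

# Constructed sample client config, modelled on the template in the post above
# (hostnames and file names are hypothetical placeholders).
SAMPLE_CONFIG = """\
remote vpn.example.invalid 1194
proto tcp
auth-user-pass
ca your.ca.file.pem
cert user.cert.pem
key user-key.pem
remote-cert-eku 'TLS Web Server Authentication'
verify-x509-name 'OU=Hosts, CN=router.example.invalid'
comp-lzo
verb 3
client
dev tap
auth-nocache
"""


def parse_config(text):
    """Return (directive, args) pairs; '#' and ';' start comments.

    OpenVPN splits each line shell-style, so a single-quoted DN such as the
    verify-x509-name value stays one argument.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if line:
            parts = shlex.split(line)
            entries.append((parts[0], parts[1:]))
    return entries


def parse_dn(dn):
    """Split 'C=it, ST=xx, CN=host' into an ordered list of (attr, value)."""
    fields = []
    for part in dn.split(','):
        attr, sep, value = part.partition('=')
        if sep:
            fields.append((attr.strip(), value.strip()))
    return fields


def subject_matches(pinned_dn, cert_subject):
    """verify-x509-name (default 'subject' mode) compares the whole DN, field by
    field and in order: pinning a field the host cert lacks, or omitting one it
    has, fails the match, which is why the post says 'only those which are present'."""
    return parse_dn(pinned_dn) == parse_dn(cert_subject)


def lint_client_config(text):
    """Return findings for a client config that does not pin the server.
    An empty list means every server-identity check from the thread is present."""
    directives = {}
    for name, args in parse_config(text):
        directives.setdefault(name, []).append(args)
    findings = []
    if 'ca' not in directives:
        findings.append("missing 'ca': server certificate cannot be chained to a trusted CA")
    if 'remote-cert-eku' not in directives and 'remote-cert-tls' not in directives:
        findings.append("missing 'remote-cert-eku'/'remote-cert-tls': any client cert "
                        "from the same CA could pose as the server")
    if 'verify-x509-name' not in directives:
        findings.append("missing 'verify-x509-name': any host cert from the CA is accepted")
    else:
        args = directives['verify-x509-name'][0]
        mode = args[1] if len(args) > 1 else 'subject'   # default mode is the full subject
        if mode == 'subject' and not any(a == 'CN' for a, _ in parse_dn(args[0])):
            findings.append("'verify-x509-name' pins a subject without a CN")
    if 'auth-user-pass' in directives and 'auth-nocache' not in directives:
        findings.append("'auth-user-pass' without 'auth-nocache': password is kept in memory")
    return findings


if __name__ == '__main__':
    for finding in lint_client_config(SAMPLE_CONFIG) or ['OK: server identity is pinned']:
        print(finding)
```

With the sample the linter reports nothing; delete the verify-x509-name line and it flags that any host certificate issued by the same CA would be accepted as the server, which is the check the post is asking the reader to get right.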
April 19, 2016 at 11:05 am in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54074
redfive
Participant
With cisco, things do not always go so fine and smoothly… (eg, to make the vpn-client work on win8.1, it was required to install also the citrix DNE, another story, btw …)
Could you post the ‘sanitized’ client config ? Also, the cert. on the server is local, but which one is it ? Is it the cert for the host router.earthlovesme.ca, or another one ?
Cheers,
jonatha

April 16, 2016 at 7:17 pm in reply to: OpenVPN GUI 2.0 client keeps disconnecting right after conne #54072
redfive
Participant
Hi DrmCa, you may try as follows … firstly, install openvpn 2.3.10, then …
On ZS, in the vpn section, X.509 Configuration, X.509 Host Certificate, are you using local or imported ? In the first case, the client must have, as CA certificate, the CA certificate of ZS itself (without the private key),
SECURITY, X.509 CA, Setup, export button (uncheck the flag ‘key’).
In the second case, the client must have the CA certificate of the CA which has signed the imported certificate that you are using in ZS for the vpn server (and which could also be the same that you are using for the https server…).
For eg, personally I use for ZS as well as for the client certificates which have been generated from an external CA, so for me an additional step is importing the ‘external’ CA certificate in ‘Trusted CAs’, and, still in the vpn section, X.509 Configuration, authentication button
‘Allow the X.509 VPN access with the certificates signed by the following Trusted CAs:’ , check the imported CA certificate ……
Cheers,
jonatha

redfive
Participant
You should create a firewall rule, in the FORWARD chain, then in the ‘IPTABLES Parameters’, add
-m ndpi --youtube
If you know a bit how iptables works, it should be easy …
Cheers,
jonatha