iptables nat missing

Postby spidercat » Fri Dec 06, 2013 5:32 pm

Hi,

Is there a way to obtain an iptables nat module that can be used with the NS2 FW15 firmware version?
Thanks a lot
Spider
spidercat
 
Posts: 15
Joined: Tue Jun 19, 2012 3:05 pm

Re: iptables nat missing

Postby Jocko » Fri Dec 06, 2013 6:21 pm

Hi spidercat,

Code:
root@Kappa:/ # which iptables
/usr/sbin/iptables

So iptables is already available for nwsp2

For your SPD you have to wait fvdw
Jocko
Site Admin - expert
 
Posts: 11529
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: iptables nat missing

Postby spidercat » Sat Dec 07, 2013 12:24 pm

Thanks for your reply.
iptables is present, but not all modules are inside.
In fact, the nat table that I need isn't there:

# iptables -t nat -L
iptables v1.4.12.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I see that what I need is available for Philips SPD8020 (take a look at this thread : viewtopic.php?f=5&t=1305&hilit=openvpn ).
Is there a way to obtain the same module for the NS2 fw firmware?
Thanks a lot again
have a nice day

Re: iptables nat missing

Postby fvdw » Sat Dec 07, 2013 1:10 pm

Indeed the nat tables are not enabled in the current kernel

Code:
# IP: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_AH is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_RPFILTER is not set
# CONFIG_IP_NF_MATCH_TTL is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_NF_NAT_IPV4 is not set
CONFIG_IP_NF_MANGLE=y
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set


I will recompile the kernel with those enabled as well

PS: as far as I know this module is not required to get OpenVPN working, but no problem to include it.
fvdw
Site Admin - expert
 
Posts: 13471
Joined: Tue Apr 12, 2011 2:30 pm
Location: Netherlands
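The fragment above is why `iptables -t nat` answers "Table does not exist (do you need to insmod?)": the nat table is a kernel build option, not something iptables can load on its own. As an added example (not from the thread or the fvdw-sl project), a small Python checker that parses a .config fragment and reports which Netfilter options still have to be enabled; the required-option list is an assumption for the 3.7-era kernel the fragment comes from, and the fragment itself is constructed from the one posted here.

```python
import re

# Constructed from the kernel config fragment posted in this thread
KERNEL_CONFIG = """\
CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_IP_NF_MATCH_TTL is not set
CONFIG_IP_NF_FILTER=y
# CONFIG_NF_NAT_IPV4 is not set
CONFIG_IP_NF_MANGLE=y
"""

# Options that must be built in (y) or as a module (m) before `iptables -t nat`
# can load the table. Assumption for the 3.7-era kernel this fragment comes
# from, where CONFIG_NF_NAT_IPV4 carries the IPv4 nat table on top of conntrack.
NAT_REQUIRED = ("CONFIG_IP_NF_IPTABLES", "CONFIG_NF_CONNTRACK_IPV4", "CONFIG_NF_NAT_IPV4")
# Masquerading tap0 behind eth0 additionally needs the MASQUERADE target.
NAT_MASQ = ("CONFIG_IP_NF_TARGET_MASQUERADE",)

_SET = re.compile(r"^(CONFIG_\w+)=(\S+)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Map CONFIG_* names to their value ('y', 'm' or a literal), or 'n' when unset."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line) or _UNSET.match(line)
        if m:
            opts[m.group(1)] = m.group(2) if m.re is _SET else "n"
    return opts

def missing_options(text, wanted=NAT_REQUIRED):
    """Return the options from `wanted` that are absent or not set to y/m."""
    opts = parse_config(text)
    return [o for o in wanted if opts.get(o, "n") not in ("y", "m")]

def nat_table_available(text):
    """True when `iptables -t nat` should work on a kernel built from `text`."""
    return not missing_options(text)

if __name__ == "__main__":
    missing = missing_options(KERNEL_CONFIG, NAT_REQUIRED + NAT_MASQ)
    print("nat ready" if not missing else "still to enable: " + ", ".join(missing))
```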

Re: iptables nat missing

Postby spidercat » Sat Dec 07, 2013 2:29 pm

Thank you very much for your help !

Using OpenVPN, I'm not able to make it work with TUN as the virtual adapter.
The client connects but doesn't communicate with the server.
I tried different server.conf configurations (subnet, server, etc.) but always got the same result.
In none of the cases was I even able to ping the virtual TUN adapter IP from the server console (local IP).
The only way I've found is to use TAP instead.
In this configuration I'm able to connect, and the client can ping, browse, etc. the server (NS2), but not the other devices that are connected on the same NS2 network.
I think that using the iptables nat table I can implement NAT between eth0 and tap0 and make everything work as I would like.
Thanks a lot
Bye

Re: iptables nat missing

Postby fvdw » Sat Dec 07, 2013 3:44 pm

Then you must still be doing something wrong.
I got OpenVPN here working just fine without using NAT tables. However, the setup is critical.

Anyhow, the kernel is compiled; I will send it to you by PM in a minute.
(PS: The kernel is not suitable for fvdw-sl versions lower than 15-0.)

Re: iptables nat missing

Postby spidercat » Sat Dec 07, 2013 3:52 pm

Thanks a lot fvdw.
I'll try this solution maybe on Monday.
I'm very interested in your server.conf/client/CCD setup that makes it work; I've tried for days without success :-(
Thank you very much for your work !
Bye

Re: iptables nat missing

Postby fvdw » Sat Dec 07, 2013 3:53 pm

pm sent with kernel

I will look at the setup files I used at that time; it's a while ago, but I should still have them.

Re: iptables nat missing

Postby fvdw » Sat Dec 07, 2013 4:09 pm

Found some notes and files used at that time.

PS: if you use Windows 7, enable ICMP echo response in Windows 7, otherwise you will not be able to ping the client from the server
(Windows Firewall inbound rules).

This was the server ovpn file I used for a single user:
Code:
# this allows only 1 client to be connected
# server will get 10.8.0.1 and client 10.8.0.2
dev tun
ifconfig 10.8.0.1 10.8.0.2
secret /etc/openvpn/ta.key


This is the client ovpn file:
Code:
# this allows a single connection to the server that has the remote IP
# server will get 10.8.0.1 and client 10.8.0.2
# this file is for the client
remote 192.168.1.197
dev tun
ifconfig 10.8.0.2 10.8.0.1
secret ta.key


Simple ovpn file for the server for multiple users:
Code:
port 1194
proto udp
# server IP in the LAN
local 192.168.1.197
dev tun
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
push "route 10.9.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
#push "redirect-gateway def1"
keepalive 10 120
persist-tun
persist-key
user nobody
group nobody
verb 3
client-to-client
daemon


The client ovpn file for multiple users I used:
Code:
port 1194
proto udp
client
# IP of VPN server to be contacted
remote 192.168.1.197
dev tun
ca ca.crt
cert EXAMPLE.crt
key EXAMPLE.key
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
ns-cert-type server

Note that the cert and key files should have the right names for the certificate and key files you use.

Making the certificate and key files is another story

Re: iptables nat missing

Postby fvdw » Sat Dec 07, 2013 5:40 pm

I did a quick test with the current kernel, so without NAT.

It works (I used the multi-user configuration file).
This is the output on the NAS when starting OpenVPN using openvpn.conf (the multi-user one) in /etc/openvpn.
Of course the files server.crt, server.key, ca.crt, dh1024.pem and ta.key must be in the /etc/openvpn folder as well.
And the Windows 7 PC must have a TAP-Win32 virtual network adapter.

Code:
openvpn --config /etc/openvpn/openvpn.conf

Output in syslog, so it is up and running:
Code:
Dec  7 18:10:13 (none) daemon.notice openvpn[13037]: OpenVPN 2.2.2 armv5tel-unknown-linux-gnueabi [SSL] [EPOLL] [eurephia] built on May 12 2012
Dec  7 18:10:13 (none) daemon.warn openvpn[13037]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes
Dec  7 18:10:13 (none) daemon.warn openvpn[13037]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Dec  7 18:10:14 (none) daemon.notice openvpn[13037]: Diffie-Hellman initialized with 1024 bit key
Dec  7 18:10:14 (none) daemon.warn openvpn[13037]: WARNING: file '/etc/openvpn/server.key' is group or others accessible
Dec  7 18:10:14 (none) daemon.notice openvpn[13037]: TLS-Auth MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Dec  7 18:10:14 (none) daemon.notice openvpn[13037]: Socket Buffers: R=[163840->131072] S=[163840->131072]
Dec  7 18:10:14 (none) daemon.notice openvpn[13037]: ROUTE default_gateway=192.168.1.1
Dec  7 18:10:14 (none) daemon.notice openvpn[13037]: TUN/TAP device tun0 opened
Dec  7 18:10:14 (none) daemon.notice openvpn[13037]: TUN/TAP TX queue length set to 100
Dec  7 18:10:14 (none) daemon.notice openvpn[13037]: /sbin/ifconfig tun0 10.9.0.1 pointopoint 10.9.0.2 mtu 1500
Dec  7 18:10:14 (none) daemon.notice openvpn[13037]: /sbin/route add -net 10.9.0.0 netmask 255.255.255.0 gw 10.9.0.2
Dec  7 18:10:14 (none) daemon.notice openvpn[13037]: Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Dec  7 18:10:14 (none) daemon.notice openvpn[13044]: GID set to nobody
Dec  7 18:10:14 (none) daemon.notice openvpn[13044]: UID set to nobody
Dec  7 18:10:14 (none) daemon.notice openvpn[13044]: UDPv4 link local (bound): 192.168.1.188:1194
Dec  7 18:10:14 (none) daemon.notice openvpn[13044]: UDPv4 link remote: [undef]
Dec  7 18:10:14 (none) daemon.notice openvpn[13044]: MULTI: multi_init called, r=256 v=256
Dec  7 18:10:14 (none) daemon.notice openvpn[13044]: IFCONFIG POOL: base=10.9.0.4 size=62
Dec  7 18:10:14 (none) daemon.notice openvpn[13044]: IFCONFIG POOL LIST
Dec  7 18:10:14 (none) daemon.notice openvpn[13044]: Initialization Sequence Completed


Connecting with a remote PC running Windows 7 and the OpenVPN GUI, using the client multi-user ovpn file and of course the appropriate files
ca.crt, ta.key, EXAMPLE.crt and EXAMPLE.key:
Code:
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: MULTI: multi_create_instance called
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 Re-using SSL/TLS context
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 Local Options hash (VER=V4): '239669a8'
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 Expected Remote Options hash (VER=V4): '3514370b'
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 TLS: Initial packet from 192.168.1.44:54098, sid=c6975e0b 5c6cf2fa
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 VERIFY OK: depth=1, /C=NL/ST=ALL/L=city/O=Fvdw-SL/OU=changeme/CN=changeme/name=changeme/emailAddress=xxxxxxx@xxxxxx.xx
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 VERIFY OK: depth=0, /C=NL/ST=ALL/L=city/O=Fvdw-SL/OU=changeme/CN=EXAMPLE/name=client1/emailAddress=xxxxx@xxxxx.xxx
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 [EXAMPLE] Peer Connection Initiated with 192.168.1.44:54098
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: MULTI: new connection by client 'EXAMPLE' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: MULTI: Learn: 10.9.0.6 -> FRANS-W7/192.168.1.44:54098
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: MULTI: primary virtual IP for EXAMPLE/192.168.1.44:54098: 10.9.0.6
Dec  7 18:17:18 (none) daemon.notice openvpn[13044]: FRANS-W7/192.168.1.44:54098 PUSH: Received control message: 'PUSH_REQUEST'
Dec  7 18:17:18 (none) daemon.notice openvpn[13044]: FRANS-W7/192.168.1.44:54098 SENT CONTROL [FRANS-W7]: 'PUSH_REPLY,route 10.9.0.0 255.255.255.0,dhcp-option DNS 192.168.1.1,route 10.9.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.9.0.6 10.9.0.5'
Dec  7 18:17:18 (none) daemon.warn openvpn[13044]: FRANS-W7/192.168.1.44:54098 IPv6 in tun mode is not supported in OpenVPN 2.2


On the Windows 7 PC a new adapter is now present (screenshot: openvpn1.JPG).

Status of the connection on the Win7 PC (screenshot: openvpn2.JPG).
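The syslog output above also records settings worth flagging on any OpenVPN 2.2 server of this era: a key file readable by group/others, a 1024-bit DH group and a 1024-bit RSA certificate, Blowfish (BF-CBC) on the data channel and a TLSv1 control channel. As an added example, not from the thread, a Python audit run over a constructed, shortened subset of those log lines; the 2048-bit and 64-bit-block-cipher thresholds are this example's policy, not OpenVPN defaults.

```python
import re

# Constructed subset of the syslog lines shown in this thread (shortened)
SYSLOG = """\
Dec  7 18:10:14 (none) daemon.notice openvpn[13037]: Diffie-Hellman initialized with 1024 bit key
Dec  7 18:10:14 (none) daemon.warn openvpn[13037]: WARNING: file '/etc/openvpn/server.key' is group or others accessible
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Dec  7 18:17:16 (none) daemon.notice openvpn[13044]: 192.168.1.44:54098 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
"""

# 64-bit block ciphers: birthday-bound collisions after ~32 GB under one key (SWEET32)
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
MIN_KEY_BITS = 2048  # for DH and RSA; this example's policy, not an OpenVPN default

def check_control(m):
    """Flag a pre-1.2 TLS control channel and a short RSA certificate key."""
    ver, bits = m.group(1), int(m.group(2))
    problems = []
    if ver in ("TLSv1", "TLSv1.1"):
        problems.append(f"control channel negotiated {ver}")
    if bits < MIN_KEY_BITS:
        problems.append(f"server certificate is {bits}-bit RSA")
    return "; ".join(problems) or None

CHECKS = [
    (re.compile(r"file '([^']+)' is group or others accessible"),
     lambda m: f"key file {m.group(1)} is group/world readable (chmod 600)"),
    (re.compile(r"Encrypt: Cipher '([A-Z0-9-]+)' initialized"),
     lambda m: f"data channel uses 64-bit block cipher {m.group(1)}"
     if m.group(1) in SMALL_BLOCK_CIPHERS else None),
    (re.compile(r"Diffie-Hellman initialized with (\d+) bit key"),
     lambda m: f"DH parameters only {m.group(1)} bits"
     if int(m.group(1)) < MIN_KEY_BITS else None),
    (re.compile(r"Control Channel: (TLSv1(?:\.\d)?), .*?(\d+) bit RSA"), check_control),
]
LINE = re.compile(r"openvpn\[(\d+)\]: (.*)$")

def audit_openvpn_log(text):
    """Return (pid, finding) pairs for every weak setting the log reveals."""
    findings = []
    for line in text.splitlines():
        lm = LINE.search(line)
        if not lm:
            continue
        pid, msg = int(lm.group(1)), lm.group(2)
        for pattern, check in CHECKS:
            m = pattern.search(msg)
            result = check(m) if m else None
            if result:
                findings.append((pid, result))
    return findings
```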
