ZeroShell as VPN Client to replace openVPN GUI on XP (Help)


This topic contains 15 replies, has 0 voices, and was last updated by Andy22 9 years, 11 months ago.

Viewing 15 posts - 1 through 15 (of 17 total)
    #41821

    Andy22
    Member

    Simply put, I want to replace my OpenVPN GUI client on Windows XP with ZeroShell.

    I already have a thin client with ZeroShell set up and running as a router, with ETH00 as WAN on my DSL modem and ETH01 as LAN connected to my old router used as a switch.

    I can also run the OpenVPN config file from the shell and I get a valid OpenVPN connection to the server of my VPN provider.
    The only thing that doesn't work is that after the OpenVPN connection is started I can't browse/ping the internet anymore.

    I guess I'm missing the last part that tells ZeroShell that any DHCP client computer should use the VPN tunnel?

    I mainly want to be able to connect two XP machines and an Xbox 360 to the ZeroShell router and use the VPN tunnel to access region-blocked content like Pandora.

    Can someone point me to the missing part to actually route all traffic from the DHCP clients through the tunnel?

    Thx

    ADD: I also have the problem that the Windows config file has "auth-user-pass" in it, but if I set up the VPN via the web interface, how am I supposed to enter the user/pass?
    I tried "auth-user-pass passfile.txt", but the OpenVPN version in ZeroShell doesn't support a password via file.
    So how do I do this under ZeroShell?

    #48527

    Andy22
    Member

    Here is the screen after running OpenVPN from the shell:

    2009 Control Channel Authentication: using '/Database/1/ta.key' as a OpenVPN static key file
    2009 Outgoing Control Channel Authentication: Using 160 bit message hash 'RIPEMD160' for HMAC authentication
    2009 Incoming Control Channel Authentication: Using 160 bit message hash 'RIPEMD160' for HMAC authentication
    2009 LZO compression initialized
    2009 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
    2009 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    2009 Local Options hash (VER=V4): '228dbca3'
    2009 Expected Remote Options hash (VER=V4): '7d871fb9'
    2009 UDPv4 link local: [undef]
    2009 UDPv4 link remote: 208.85.2.66:443
    2009 VERIFY OK: depth=1, /C=DE/ST=General/L=General/O=Universal_ … ddress.com
    2009 VERIFY OK: nsCertType=SERVER
    2009 VERIFY OK: depth=0, /C=US/ST=General/L=General/O=Universal_ … ovider.com
    2009 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    2009 Data Channel Encrypt: Using 160 bit message hash 'RIPEMD160' for HMAC authentication
    2009 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    2009 Data Channel Decrypt: Using 160 bit message hash 'RIPEMD160' for HMAC authentication
    2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    2009 [ny] Peer Connection Initiated with 208.85.2.66:443
    2009 TUN/TAP device tun1 opened
    2009 /sbin/ifconfig tun1 10.88.0.126 pointopoint 10.88.0.125 mtu 1500
    2009 Initialization Sequence Completed

    Here are my network interfaces; I have set up ETH1 as WAN connected to the modem and ETH0 as LAN:

    ********* VIA Technologies, Inc. VT6102 [Rhine-II] (rev 74)
    Status: 100Mb/s Full Duplex
    ETH00 Link encap:Ethernet HWaddr 00:14:38:BB:BF:2F
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1522 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2102 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:215030 (209.9 Kb) TX bytes:1927782 (1.8 Mb)
    Interrupt:15 Base address:0x4000
    IP 192.168.0.1/24 brd 192.168.0.255
    ********* Unknown Model
    Status: 100Mb/s Full Duplex
    ETH01 Link encap:Ethernet HWaddr 00:80:C8:3B:3A:71
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1601 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1232 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1739593 (1.6 Mb) TX bytes:186793 (182.4 Kb)
    ********* Host-to-LAN OpenVPN Interface
    Status: Connections from Road Warrior clients not accepted
    VPN99 Link encap:Ethernet HWaddr 00:FF:C1:B3:72:A1
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
    IP 192.168.250.254/24 brd 192.168.250.255
    ********* WAN
    Status: Connected
    ppp0 Link encap:Point-to-Point Protocol
    inet addr:84.63.111.155 P-t-P:84.63.96.1 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
    RX packets:1573 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1205 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:3
    RX bytes:1725545 (1.6 Mb) TX bytes:154501 (150.8 Kb)
    IP 84.63.111.155 peer 84.63.96.1/32

    Routing table:

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    dslb-084-063-09 * 255.255.255.255 UH 0 0 0 ppp0
    192.168.0.0 * 255.255.255.0 U 0 0 0 ETH00
    192.168.250.0 * 255.255.255.0 U 0 0 0 VPN99
    default dslb-084-063-09 0.0.0.0 UG 0 0 0 ppp0

    Any advice on what's missing?

    #48528

    ppalias
    Member

    It looks a bit complicated here. It would be much more helpful if you provided the configuration file for OpenVPN.
    Some remarks: on the interface list there is no interface that corresponds to tun1, and your routing table has ppp0 as the gateway of last resort.

    #48529

    Andy22
    Member

    @ppalias wrote:

    It looks a bit complicated here. It would be much more helpful if you provided the configuration file for OpenVPN.
    Some remarks: on the interface list there is no interface that corresponds to tun1, and your routing table has ppp0 as the gateway of last resort.

    Here is the config I got from my VPN provider that works under XP with OpenVPN GUI:

    float
    remote 208.85.2.66 443
    dev tun
    persist-key
    persist-tun
    proto udp
    pull
    route-method exe
    route-delay 2
    nobind
    tun-mtu 1500
    comp-lzo
    auth-user-pass
    auth RSA-RIPEMD160
    cipher AES-256-CBC
    tls-cipher DHE-RSA-AES256-SHA
    tls-client
    client
    tls-auth ta.key 1
    ns-cert-type server
    ca ca.crt
    cert mycert.crt
    key mykey.key
    keepalive 10 60
    resolv-retry 86400
    verb 1

    #48530

    Andy22
    Member

    Here is the route config after I started OpenVPN, which also adds the tun0 device.
    As far as I understand, I need to forward all client traffic from ETH00 to tun0? If so, how do I set this up?

    root@zeroshell 1> route
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.88.0.1 10.88.0.125 255.255.255.255 UGH 0 0 0 tun0
    dslb-088-077-19 * 255.255.255.255 UH 0 0 0 ppp0
    208-85-2-66.uni dslb-088-077-19 255.255.255.255 UGH 0 0 0 ppp0
    10.88.0.125 * 255.255.255.255 UH 0 0 0 tun0
    192.168.0.0 * 255.255.255.0 U 0 0 0 ETH00
    192.168.250.0 10.88.0.125 255.255.255.0 UG 0 0 0 tun0
    default 10.88.0.125 128.0.0.0 UG 0 0 0 tun0
    128.0.0.0 10.88.0.125 128.0.0.0 UG 0 0 0 tun0
    default dslb-088-077-19 0.0.0.0 UG 0 0 0 ppp0

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.88.0.126 P-t-P:10.88.0.125 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:2 errors:0 dropped:0 overruns:0 frame:0
    TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:413 (413.0 b) TX bytes:606 (606.0 b)

    PS: What I also don't fully understand: after ZeroShell has established a connection to the VPN server, do the client DHCP network machines (XP machine) keep their DHCP IP/gateway, or does this need to be updated somehow?
    I expect they keep their normal IP/gateway and ZeroShell routes the traffic internally?

    #48531

    ppalias
    Member
    route -n 

    is better than

    route

    You have to add static routes for the hosts or networks that will be forwarded via the VPN tunnel instead of the default gateway.
    You can add them under Network->Router->Static Routes.
    Otherwise, if you want to forward traffic depending on policy, you will have to do it under Network->NetBalancer->Balancing Rules.

    PS: Yes your assumption is correct. All routing is done on ZS.

    #48532

    Andy22
    Member

    @ppalias wrote:

    route -n 

    is better than

    route

    You have to add static routes for the hosts or networks that will be forwarded via the VPN tunnel instead of the default gateway.
    You can add them under Network->Router->Static Routes.
    Otherwise, if you want to forward traffic depending on policy, you will have to do it under Network->NetBalancer->Balancing Rules.

    PS: Yes your assumption is correct. All routing is done on ZS.

    THX, finally a hint; I've been trying to get this working for a week...
    It's kind of frustrating, since I already noticed I'm 95% there but can't figure out the last step, as I'm not a network pro.

    I will try your settings. By the way, do I need to bridge some of the interfaces? I'm also unsure how the VPN99 interface relates to the tun0 I get when I start OpenVPN.

    I'm also unsure what firewall entries I need to add and what this "Forward" thingy is that I can add; also, which interfaces do I have to add to the NAT?

    Can you maybe also give me an example of a static route, assuming my LAN is incoming from ETH00 via 192.168.0.100?

    PS: A friend of mine also just noticed that my default gateway is still on PPPoE, so he told me I need to delete this route and create a new one to the tun0 interface. Is there a way to do this automatically via the OpenVPN config? Since after I stop OpenVPN I want my old gateway back.

    #48533

    ppalias
    Member

    @andy22 wrote:

    @ppalias wrote:

    route -n 

    is better than

    route

    You have to add static routes for the hosts or networks that will be forwarded via the VPN tunnel instead of the default gateway.
    You can add them under Network->Router->Static Routes.
    Otherwise, if you want to forward traffic depending on policy, you will have to do it under Network->NetBalancer->Balancing Rules.

    PS: Yes your assumption is correct. All routing is done on ZS.

    THX, finally a hint; I've been trying to get this working for a week...
    It's kind of frustrating, since I already noticed I'm 95% there but can't figure out the last step, as I'm not a network pro.

    I will try your settings. By the way, do I need to bridge some of the interfaces? I'm also unsure how the VPN99 interface relates to the tun0 I get when I start OpenVPN.

    No need for bridging unless you need it. VPN99 is the OpenVPN interface that is used on the server side. tun0 comes up when you connect as a client or make a p2p connection.

    @andy22 wrote:

    I'm also unsure what firewall entries I need to add and what this "Forward" thingy is that I can add; also, which interfaces do I have to add to the NAT?

    As a principle on firewalls, you block everything except the connections you permit. However, since ZS also acts as a router, I strongly advise you to apply a DROP policy only on INPUT and add specific ALLOW statements. OUTPUT and FORWARD had better be ALLOW.
    Regarding NAT, you should apply it on the interfaces that connect you to the internet, in this case ppp0.

    @andy22 wrote:

    Can you maybe also give me an example of a static route, assuming my LAN is incoming from ETH00 via 192.168.0.100?

    A static route is for a destination network/host (for example 146.124.0.0/16 via tun0).
    Policy routing is used for traffic incoming from ETH00 (for example: traffic coming from ETH00 uses gateway tun0).

    @andy22 wrote:

    PS: A friend of mine also just noticed that my default gateway is still on PPPoE, so he told me I need to delete this route and create a new one to the tun0 interface. Is there a way to do this automatically via the OpenVPN config? Since after I stop OpenVPN I want my old gateway back.

    This is not necessary. You could do that in order to redirect all your traffic via the tunnel. It can be achieved by adding the parameter

    --route-gateway gw

    Check the OpenVPN documentation for more information.
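An added example, written for this thread and not taken from it or from ZeroShell: the policy routing ppalias describes ("traffic coming from ETH00 uses gateway tun0"), the NAT that has to follow that traffic onto the tunnel, and the automatic undo Andy22 asks for when OpenVPN stops, all done from an OpenVPN `up`/`down` hook. The directive and environment-variable names (`script-security`, `route-nopull`, `up`, `down`, `dev`, `ifconfig_remote`, `route_vpn_gateway`, `script_type`) are OpenVPN's own; whether the OpenVPN build shipped with ZeroShell honours `script-security` is an assumption, as are the LAN subnet, the client list, the mark value 0x65, routing table 101 and the script path.

```shell
#!/bin/sh
# openvpn-policy-route.sh -- OpenVPN --up/--down hook for a ZeroShell-style router.
# Added example for this thread; not ZeroShell's or OpenVPN's code. Everything that
# is not an OpenVPN-exported variable is an assumption (subnet, clients, mark, table, path).
#
# Assumed additions to the provider's client config (directive names are OpenVPN's):
#   script-security 2                      # allow up/down scripts (OpenVPN >= 2.1)
#   route-nopull                           # ignore pushed redirect-gateway: the router
#                                          # itself keeps ppp0 as its default route
#   up   /Database/openvpn-policy-route.sh
#   down /Database/openvpn-policy-route.sh
#
# OpenVPN exports, among others: dev (tun0), ifconfig_local (10.88.0.126),
# ifconfig_remote / route_vpn_gateway (10.88.0.125) and script_type ("up"/"down").

LAN_NET=${LAN_NET:-192.168.0.0/24}          # assumed LAN behind ETH00
VPN_CLIENTS=${VPN_CLIENTS:-192.168.0.100}   # assumed hosts that must use the tunnel
FWMARK=${FWMARK:-0x65}                      # assumed mark (NetBalancer showed the same value)
RT_TABLE=${RT_TABLE:-101}                   # assumed unused routing table id
DRY_RUN=${DRY_RUN:-}                        # non-empty: print the commands instead of running them

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# vpn_up [DEV] [GATEWAY]: arguments override OpenVPN's environment (handy for testing).
vpn_up() {
    tdev=${1:-$dev}
    tgw=${2:-${route_vpn_gateway:-$ifconfig_remote}}
    if [ -z "$tdev" ] || [ -z "$tgw" ]; then
        echo "vpn_up: tunnel device and peer address unknown, refusing to run half a setup" >&2
        return 1
    fi
    # 1. NAT: LAN sources leaving through the tunnel must appear as the tunnel address,
    #    otherwise the provider receives 192.168.0.x packets it cannot route back.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$tdev" -j MASQUERADE
    # 2. A separate routing table whose default route goes through the tunnel.
    run ip route replace default via "$tgw" dev "$tdev" table "$RT_TABLE"
    # 3. Fail closed: a worse-metric "unreachable" default in the same table. If the
    #    tunnel device disappears the kernel drops the route above and marked traffic
    #    is rejected instead of leaking out through ppp0.
    run ip route replace unreachable default table "$RT_TABLE" metric 1000
    # 4. Marked packets consult that table; everything else keeps using main (ppp0).
    run ip rule add fwmark "$FWMARK" lookup "$RT_TABLE" priority 100
    for c in $VPN_CLIENTS; do
        run iptables -t mangle -A PREROUTING -s "$c" -j MARK --set-mark "$FWMARK"
    done
    # 5. Replies arrive on the tunnel from addresses whose main-table route is ppp0;
    #    strict reverse-path filtering would drop them, so relax it on the tunnel only.
    run sysctl -q -w "net.ipv4.conf.$tdev.rp_filter=0"
    run ip route flush cache
}

vpn_down() {
    tdev=${1:-$dev}
    [ -n "$tdev" ] || { echo "vpn_down: tunnel device unknown" >&2; return 1; }
    for c in $VPN_CLIENTS; do
        run iptables -t mangle -D PREROUTING -s "$c" -j MARK --set-mark "$FWMARK"
    done
    run ip rule del fwmark "$FWMARK" lookup "$RT_TABLE" priority 100
    run ip route flush table "$RT_TABLE"
    run iptables -t nat -D POSTROUTING -s "$LAN_NET" -o "$tdev" -j MASQUERADE
    run ip route flush cache
}

# OpenVPN sets script_type; when run by hand nothing happens unless you call the functions.
case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Run it once with `DRY_RUN=1 sh -c '. ./openvpn-policy-route.sh; vpn_up tun0 10.88.0.125'` to see exactly what it would do. With `route-nopull` the router's own traffic and every LAN host not in `VPN_CLIENTS` keep using ppp0; only marked clients go through the tunnel, and if tun0 goes away they get "unreachable" rather than silently falling back to the ISP link. Drop `route-nopull` if the router itself should also use the tunnel; the hook still works, because table 101 is independent of the main table.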

    #48534

    Andy22
    Member

    I still don't get it... sorry.

    I just confirmed via the tracepath command that when I start my OpenVPN the tunnel is working, and from the router, aka ZS, the tunnel is used.

    I still don't have a clue what to enter in the static route field.

    There is "Destination", "Netmask", "Gateway", and I can select "Network/Host" + "Gateway/Interface", "metric". What exactly do I have to enter, and where do I get the values from?

    Like I said, my XP client has 192.168.0.100; sorry, but I still don't get it...

    I also tried "--route-gateway gw", but what is my gateway?

    #48535

    ppalias
    Member

    Well, if you provide me the network you want to access via the tunnel, I can tell you what to enter in the static route configuration.

    Regarding --route-gateway, your gateway is the IP address of the other end of the tunnel.

    #48536

    Andy22
    Member

    @ppalias wrote:

    Well, if you provide me the network you want to access via the tunnel, I can tell you what to enter in the static route configuration.

    Regarding --route-gateway, your gateway is the IP address of the other end of the tunnel.

    I was under the impression that everything you need is shown by this?

    root@zeroshell 1> route
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.88.0.1 10.88.0.125 255.255.255.255 UGH 0 0 0 tun0
    dslb-088-077-19 * 255.255.255.255 UH 0 0 0 ppp0
    208-85-2-66.uni dslb-088-077-19 255.255.255.255 UGH 0 0 0 ppp0
    10.88.0.125 * 255.255.255.255 UH 0 0 0 tun0
    192.168.0.0 * 255.255.255.0 U 0 0 0 ETH00
    192.168.250.0 10.88.0.125 255.255.255.0 UG 0 0 0 tun0
    default 10.88.0.125 128.0.0.0 UG 0 0 0 tun0
    128.0.0.0 10.88.0.125 128.0.0.0 UG 0 0 0 tun0
    default dslb-088-077-19 0.0.0.0 UG 0 0 0 ppp0

    These I seem to get from my VPN provider's server via OpenVPN:
    10.88.0.1 10.88.0.125

    "network you want to access via the tunnel", um, this means? All I want is that one machine in my local LAN, 192.168.0.100, which is connected to the ZS router/thin client, simply uses the tunnel to route all traffic, to bypass region protection like Hulu; later I also want to add an Xbox 360 to access Xbox Live, also using the VPN.

    In a later configuration I will add a second NIC to my Windows machine and configure it so that I add the second NIC as a proxy in Firefox, so I have two connections to the router: one VPN and one normal. Then the VPN is used by my media center software via the proxy to watch Hulu, and the normal one should be used for all normal traffic or torrent/FTP.

    Does this make sense to you? I just started this whole router OpenVPN thing to get the VPN routing automatically, and also the Xbox 360 doesn't support OpenVPN.

    If you need more information please tell me; I'm really starting to feel like an idiot, since I already know the tunnel is working but I lack the knowledge to interpret all this network tech stuff correctly... :(

    thx

    PS: What's also strange: before I start OpenVPN my XP client can use the internet just fine and gets its settings from DHCP; the gateway is 192.168.0.1. Then I start OpenVPN, and on the router machine I can ping and traceroute to, for example, http://www.google.com, and I see that the tunnel is used automatically without adding anything, just using my provider's OpenVPN config file. So why can my connected XP client machine only access the ZS web interface from this point on, until I stop the OpenVPN process? If the gateway is already the router and the router itself can use the tunnel automatically, shouldn't the client traffic using the router as gateway work the same?

    Also note that I start OpenVPN manually from the shell, since ZS's OpenVPN version doesn't support login/password files as input, just stdin. So I have to enter it manually via the shell, and I don't configure OpenVPN via the web interface.
    (Do you know a way to support automatic login, or how I can replace the OpenVPN version with one that supports it?)

    In the ZS web interface, for example on the NAT page, I also don't see the tun0 interface after starting OpenVPN; maybe it's a NAT problem?

    #48537

    ppalias
    Member

    Network->NetBalancer->Balancing Rules
    Add a rule for traffic with source 192.168.0.100 to use the gateway via tun0.

    Regarding your PS:
    Paste here the output of the "route print" command in cmd on Windows XP, before and after running OpenVPN.

    #48538

    Andy22
    Member

    It's still not working. First of all, there is no interface "TUN0" in the "TARGET GATEWAY" field under balancing rules.

    I tried to add a new gateway under "Manage", but here again, what IP do I have to use? I tried "10.88.0.1", "10.88.0.125", "10.88.0.126", "10.88.0.0"?

    In the balancing rule, do I just have to fill in "Source IP (*)" -> "192.168.0.100", leave all the others empty and just choose the gateway?

    It looks like this then, with the manually added tun0 gateway:
    "MARK all opt -- in * out * 192.168.0.100 -> 0.0.0.0/0 MARK set 0x65 tun0 (10.88.0.1)"

    Also, does it matter whether the "Status" on the first page (top left, at "NET BALANCER") is enabled or disabled? I.e., does the balancing rule apply if it is disabled, or is this "Status" just for the gateways?

    That's the routing after I started OpenVPN:

    root@zeroshell root> route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.88.0.1 10.88.0.125 255.255.255.255 UGH 0 0 0 tun0
    208.85.2.66 88.76.32.1 255.255.255.255 UGH 0 0 0 ppp0
    88.76.32.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
    10.88.0.125 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
    192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ETH00
    192.168.250.0 0.0.0.0 255.255.255.0 U 0 0 0 VPN99
    0.0.0.0 10.88.0.125 128.0.0.0 UG 0 0 0 tun0
    128.0.0.0 10.88.0.125 128.0.0.0 UG 0 0 0 tun0
    0.0.0.0 88.76.32.1 0.0.0.0 UG 0 0 0 ppp0

    This is what I see if I trace a route from the ZS machine directly after OpenVPN is started:

    tracepath www.google.com
    1: 10.88.0.126 (10.88.0.126) 1.105ms pmtu 1500
    1: 10.88.0.1 (10.88.0.1) 105.492ms
    2: 208-85-2-65.turnkeyinternet.net (208.85.2.65) 105.621ms
    3: c6509-ny1-i0ge2.turnkeyinternet.net (64.128.116.9) 105.589ms
    4: jm20-ny1-ge-0-1-0.turnkeyinternet.net (64.128.116.1) asymm 5 105.233ms
    5: turnkey-ge-rtr1.alb.twtelcom.net (66.195.77.149) asymm 6 106.561ms
    6: 66.192.243.234 (66.192.243.234) asymm 8 114.665ms
    7: no reply

    This is what XP sees after I started OpenVPN:


    tracert www.google.com
    Tracing route to www.l.google.com [66.102.1.104]
    over a maximum of 30 hops:
    1 1 ms 1 ms 1 ms 192.168.0.1
    2

    This is how the XP machine looks BEFORE and AFTER I start OpenVPN:


    C:\Documents and Settings\Administrator>route print
    ===========================================================================
    Interface List
    0x1 ......... MS TCP Loopback interface
    0x3 ......... TAP-Win32 Adapter V9 - cFosSpeed Miniport
    0x50002 ..... Realtek PCIe GBE Family Controller
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 20
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    192.168.0.0 255.255.255.0 192.168.0.100 192.168.0.100 20
    192.168.0.100 255.255.255.255 127.0.0.1 127.0.0.1 20
    192.168.0.255 255.255.255.255 192.168.0.100 192.168.0.100 20
    224.0.0.0 240.0.0.0 192.168.0.100 192.168.0.100 20
    255.255.255.255 255.255.255.255 192.168.0.100 192.168.0.100 1
    255.255.255.255 255.255.255.255 192.168.0.100 3 1
    Default Gateway: 192.168.0.1
    ===========================================================================
    Persistent Routes:
    None

    AFTER I stop OpenVPN it looks like this:

    root@zeroshell root> route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    208.85.2.66 88.76.32.1 255.255.255.255 UGH 0 0 0 ppp0
    88.76.32.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
    192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ETH00
    192.168.250.0 0.0.0.0 255.255.255.0 U 0 0 0 VPN99
    0.0.0.0 0.0.0.0 0.0.0.0 U 1 0 0 ppp0

    Again, I'm thankful for any advice, tip or hint!

    PS: I also tried to enable and disable the default route option on the ppp0 interface, but then OpenVPN complains that it can't redirect a valid default route: "NOTE: unable to redirect default gateway -- Cannot read current default gateway from system"
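An added example, not part of the thread: the diagnosis that the two `route -n` listings in the post above allow, reproduced offline. The route tables are Andy22's own (with OpenVPN running, and after it was stopped); the NAT tables are constructed here in the format of `iptables -t nat -S POSTROUTING`, on the assumption that NAT was enabled only on ppp0, as ppalias advised, and never on tun0 (the NAT page does not list it). The thread itself reaches no conclusion, so the result is a hypothesis, but it is the one consistent with everything pasted: the router's own tracepath goes through the tunnel because its packets carry the tunnel address 10.88.0.126, while an XP client's packets enter tun0 with source 192.168.0.100, which the provider cannot route back, so its tracert dies after 192.168.0.1.

```shell
#!/bin/sh
# Added example for this thread, not ZeroShell code: check, from captured output,
# whether LAN traffic will leave the router masqueraded on the interface it
# actually uses. Route tables below are the ones Andy22 pasted; NAT tables are
# CONSTRUCTED in `iptables -t nat -S POSTROUTING` format (assumption: NAT on ppp0 only).

ROUTES_VPN_UP='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.88.0.1 10.88.0.125 255.255.255.255 UGH 0 0 0 tun0
208.85.2.66 88.76.32.1 255.255.255.255 UGH 0 0 0 ppp0
88.76.32.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.88.0.125 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ETH00
192.168.250.0 0.0.0.0 255.255.255.0 U 0 0 0 VPN99
0.0.0.0 10.88.0.125 128.0.0.0 UG 0 0 0 tun0
128.0.0.0 10.88.0.125 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 88.76.32.1 0.0.0.0 UG 0 0 0 ppp0'

ROUTES_VPN_DOWN='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
208.85.2.66 88.76.32.1 255.255.255.255 UGH 0 0 0 ppp0
88.76.32.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ETH00
192.168.250.0 0.0.0.0 255.255.255.0 U 0 0 0 VPN99
0.0.0.0 0.0.0.0 0.0.0.0 U 1 0 0 ppp0'

# Constructed: what ZeroShell's "NAT on ppp0" most likely amounts to.
NAT_PPP0_ONLY='-P POSTROUTING ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE'

# Constructed: the same table with the missing tunnel rule added.
NAT_FIXED="$NAT_PPP0_ONLY
-A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE"

# egress_iface: read `route -n` on stdin, print the device a packet to an arbitrary
# Internet address leaves through. OpenVPN's redirect-gateway def1 installs 0.0.0.0/1
# and 128.0.0.0/1 (Genmask 128.0.0.0); together they cover the whole address space
# and, being longer prefixes, beat the 0.0.0.0/0 entry that still points at ppp0.
# That is why ppp0 remains the "gateway of last resort" while traffic really uses tun0.
egress_iface() {
    awk '$1 == "0.0.0.0"   && $3 == "128.0.0.0" { lo = $NF }
         $1 == "128.0.0.0" && $3 == "128.0.0.0" { hi = $NF }
         $1 == "0.0.0.0"   && $3 == "0.0.0.0"   { def = $NF }
         END { if (lo != "" && lo == hi) print lo; else print def }'
}

# has_masquerade IFACE: read `iptables -t nat -S POSTROUTING` on stdin and succeed
# if some rule rewrites the source address of packets leaving IFACE.
has_masquerade() {
    grep -E -- "^-A POSTROUTING .*-o $1 .*-j (MASQUERADE|SNAT)" >/dev/null
}

# check_lan_path ROUTES NAT: status 0 if LAN clients get a routable source address
# on the egress device, 1 if their private addresses would enter it unchanged.
check_lan_path() {
    egress=$(printf '%s\n' "$1" | egress_iface)
    if printf '%s\n' "$2" | has_masquerade "$egress"; then
        echo "egress=$egress nat=ok"
        return 0
    fi
    echo "egress=$egress nat=missing; fix: iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o $egress -j MASQUERADE"
    return 1
}

# Run against the captured state (the middle line is the failing case, hence "|| :").
report() {
    check_lan_path "$ROUTES_VPN_DOWN" "$NAT_PPP0_ONLY"        # egress=ppp0 nat=ok
    check_lan_path "$ROUTES_VPN_UP"   "$NAT_PPP0_ONLY" || :   # egress=tun0 nat=missing; fix: ...
    check_lan_path "$ROUTES_VPN_UP"   "$NAT_FIXED"            # egress=tun0 nat=ok
}
report
```

On the live box the same two inputs come from `route -n` and `iptables -t nat -S POSTROUTING`; if ZeroShell's firewall additionally restricts FORWARD between ETH00 and tun0 that is a second, separate thing to check, and nothing in the thread shows it either way.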

    #48539

    ppalias
    Member

    OK, it seems to be more complicated than I had imagined. Give me some time to reproduce it on my ZS and maybe I'll be able to assist you.

    #48540

    Andy22
    Member

    @ppalias wrote:

    OK, it seems to be more complicated than I had imagined. Give me some time to reproduce it on my ZS and maybe I'll be able to assist you.

    Thx a bunch; I have no clue why it's not working, and I'm getting tired of spending two hours a day installing and randomly creating routes/rules...

    I also just got a 4GB flash chip to replace the 64MB one in the thin client, to be able to install and test other firewall/router software. I just tested pfSense and it looks similar there: I can start the tunnel via the shell and all looks fine, but I can't get the Windows DHCP client to route through the established tunnel...

    PS: Is it really such an uncommon configuration to try to transparently route client traffic through a VPN tunnel while the router itself establishes the client connection? This way you also don't need to install/configure any software on the client machines, and of course the Xbox 360 can't install VPN software.

    Am I the only "fool" out there trying this?

