Can an OpenVPN Route over TEST-NET-1 (RFC 5735) - networking

Background
I have a strange use-case where my VPN cannot be on any of the private subnets, but, also cannot use a TAP interface. The machine will be moving through different subnets, and requires access to the entire private address space by design. A single blocked IP would be considered a failure of design.
So, these are all off limits:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
In searching for a solution, I came across RFC 5735, which defines:
192.0.2.0/24 TEST-NET-1
198.51.100.0/24 TEST-NET-2
203.0.113.0/24 TEST-NET-3
As:
For use in documentation and example code. It is often used in conjunction with domain names
example.com or example.net in vendor and protocol documentation. As described in [RFC5737], addresses within this block do not legitimately appear on the public Internet and can be used without any coordination with IANA or an Internet registry.
Which, was a "Jackpot" moment for me and my use case.
Config
I configured an OpenVPN server as such:
local 0.0.0.0
port 443
proto tcp
dev tun
topology subnet
server 203.0.113.0 255.255.255.0 # TEST-NET-3 RFC 5735
push "route 203.0.113.0 255.255.255.0"
...[Snip]...
With Client:
client
nobind
dev tun
proto tcp
...[Snip]...
And ufw rules:
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 203.0.113.0/24 -o ens160 -j MASQUERADE
COMMIT
However, upon running I get /sbin/ip route add 203.0.113.0/24 via 203.0.113.1 RTNETLINK answers: File exists in the error logs. While the VPN completes the rest of its connection successfully.
No connection
Running the following commands:
Server: sudo python3 -m http.server 80
Client: curl -X GET / 203.0.113.1
Results in:
curl: (28) Failed to connect to 203.0.113.1 port 80: Connection timed out
I have tried:
/sbin/ip route replace 203.0.113.0/24 dev tun 0 on client and server.
/sbin/ip route change 203.0.113.0/24 dev tun 0 on client and server.
Adding route 203.0.113.0 255.255.255.0 to the server.
Adding push "route 203.0.113.0 255.255.255.0 127.0.0.1" to server
And none of it seems to work.
Does anyone have any idea how I can force the client to push this traffic over the VPN to my server, instead of to the public IP?

This does actually work!
Just dont forget to allow connections within your firewall. I fixed my config with:
sudo ufw allow in on tun0
However, 198.18.0.0/15 and 100.64.0.0/10 defined as Benchmarking and Shared address space respectively, may be more appropriate choices, since being able to forward TEST-NET addresses may be considered a bug.

Related

neo4 WebSocket connection to 'ws://localhost:7687/' failed: Establishing a tunnel via proxy server failed

I have neo4j community server edition 3.4.5 and which will be giving me "WebSocket connection to 'ws://localhost:7687/' failed".
I found some solution to work in firefox, chrome, IE but those are temporary solutions which work. but I don't think that just by passing proxy would be a permanent solution.
It is not working if connected to VPN(office network), otherwise working. What could be a reason for this error within an office network? How to resolve this issue.
Any idea or suggestions, Please
There can be several reasons for this issue and I probably need to know more about your setup before I can pin point the problem.
1 check:
Disconnect from the VPN, and open a command prompt (Windows+R then write cmd and press enter)
Use either telnet or putty ( https://www.putty.org/ ) and connect to 127.0.0.1 port 7687:
telnet 127.0.0.1 7687
See if you a response like this:
GET / HTTP/1.0
2 check:
Go to you proxy settings and see if you have a proxy enabled:
Firefox: Preferences/Options > Advanced > Network > Settings
IE: Tools > Options > Connections > Lan Settings
Suggest to turn off your proxy and do the check in check 1 again.
3 check:
Connect to your VPN and do the check 1 part once again
Check for error messages (that you probably would get) and then write in the command prompt:
route print
It should show a line like this:
127.0.0.0 255.0.0.0 On-link 127.0.0.1 xxx
127.0.0.1 255.255.255.255 On-link 127.0.0.1 xxx
127.255.255.255 255.255.255.255 On-link 127.0.0.1 xxx
This ensure that you still have your loop back up and running (probably is ok).
4 check:
Turn off your local firewall with VPN connected (if allowed) and try the check 1 again.
Some firewall rules change connections to "localhost" while connected to a VPN, since the new connection is "corporate" or "public".
If that worked, you need to create a rule in your firewall to allow connection to port 7687 for all addresses, this will fix your problem.
5 check:
Check your neo4j community server to listen to "127.0.0.1" and not "0.0.0.0"
Check your ports open by using netstat
netstat -a -o
It should state something like this
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:7687 machinename:0 LISTENING xxxx
or
TCP 127.0.0.1:7687 machinename:0 LISTENING xxxx
If the server is like the first line, it might be handled by a corporate firewall, but by using the 127.0.0.1 as address it should always be local.
Hopefully that will get you on the way :)
i had same problem, so Let me tell you what i came out with...
the company has a proxy server for all connections, so i change my request from IP to DNS by typing nslookup IP on command prompt terminal.
from: ws://180......:80/socket/test to: ws://mxjuppro22......:80/socket/test
then error gone and now is working like a charm!!!
hope it helps

OpenVPN: Route SquidProxy

I am trying to setup a public squid proxy that routes it's traffic via a VPN server elsewhere in the world. It's running inside a docker container on a VPS host.
Using the default settings with push gateway, I can access the squidproxy on the VPS itself and it does route it's traffic via the vpn.
However, no external IPs can access the squid proxy.
I do have docker forwarding the port 3128:3128.
It is something to do with the OpenVPN routes that are created (as the Squid proxy is accessible until OpenVPN starts)
I found it is this route that seems to "block" my external traffic.
128.0.0.0/1 via 10.91.10.5 dev tun0
(10.91.10.5 is the gateway of the VPN)
If I remove it I can access squid again but then outgoing requests don't use the VPN.
I can make my external IP work by explicitly adding it like so
ip route add 203.X.X.X via 172.18.0.1 dev eth0
(172.18.0.1 is the docker gateway)
But I need it to work with any external IPs.
I have tried ip route add 0.0.0.0 via 172.18.0.1 dev eth0.
But this doesn't work as 128.0.0.0/1 is more specific so matches first.
In conclusion
1) Need any IP to access the SquidProxy (port 3128)
2) Need all outgoing SquidProxy requests (80,443) to go via the VPN
Any help would be greatly appreciated!
UPDATE:
So I have this working
1) Start OpenVPN with the below command
openvpn --route-nopull --script-security 2 --up /etc/openvpn/up.sh
This disables it from setting up the VPN routes. So all traffic in and out is using the default route not via VPN
2) In the up.sh, I run the below commands
#!/bin/sh
/sbin/ip route add 0.0.0.0/0 dev $1 table 100
/sbin/ip rule add from all fwmark 1 table 100
/sbin/iptables -A OUTPUT -t mangle -p tcp -m multiport --dports 80,443 -j MARK --set-mark 1
/sbin/iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE
I have then setup Squid to only allow ports 80 & 443. Docker has port 3128 open for access to the container.
I also needed to use --sysctl net.ipv4.conf.all.rp_filter=0 in the docker run command.

How do I connect a Docker container running in boot2docker to a network service running on another host?

I am using the latest version of boot2docker version 1.3.2, 495c19a on a windows 7 (SP1) 64 bit machine.
My docker container is running a celery process which attempts to connect to a rabbitMQ service running on the same machine that boot2docker is running on.
The Celery process running within the docker container cannot connect to RabbitMQ and reports the following :
[2014-12-02 10:28:41,141: ERROR/MainProcess] consumer: Cannot connect
to amqp:// guest:**#127.0.0.1:5672//: [Errno 111] Connection refused.
Trying again in 2.00 seconds...
I have reason to believe this is a network related issue, associated with routing from the container, to the VirtualBox host, and from the host to the RabbitMQ service running on the local machine; I do not know how to configure this and I was wondering if anyone can advise me how to proceed?
I tried setting up port 5672 in port forwarding but it didn't work (but I believe this is for incoming traffic to the VM, like boot2docker ssh).
I am running the container as docker run -i -t tagname
I am not specifying a host with -h when I run the container.
I'm sorry if this question appears rather clueless or if the answer appears obvious ... I appreciate any help!
Some additional information :
The routing table of the host VM is what boot2docker configured during installation as follows :
docker0 IP Address is 172.17.42.1
eth0 IP Address is 10.0.2.15
eth1 IP Address is 192.168.59.103
eth0 is attached to NAT (Adapter 1) in the VirtualBox VM network configuration.
Adapter 1 has port forwarding setup for ssh; default setting of host IP 127.0.0.1, host port 2022, guest port 22.
eth1 is attached to Host-only adapter (Adapter 2).
Both adapters are set to promiscuous mode (allow all).
The IP Address of the docker container is 172.17.0.33.
[2014-12-02 10:28:41,141: ERROR/MainProcess] consumer: Cannot connect to amqp:// guest:**#127.0.0.1:5672//: [Errno 111] Connection refused. Trying again in 2.00 seconds...
127.0.0.1 is a special IP address that means "me", and inside the container it means "me the container", so this is why it is not connecting to the outer host. So the first thing to do is change the IP address where you are trying to connect to Rabbit to that of the outer host where it is running.
Then you probably have to do something about routing, but let's take one step at a time.
as your RabbitMQ server is running on your Windows host, you need to tell your container that it should talk to that IP - which would probably be 192.168.59.3
most importantly, your container's 127.0.0.1 is only a loopback device to that container's services - not even the boot2docker vm's ports.
You could set up an ambassador container that has --expose=80 and uses something like socat to forward all traffic from that container to your host (see svendowideit/ambassador). Then you'd --link that ambassador container to your current image
but personally, I'd avoid that initially, and just configure your containerised app to talk to the real host's IP
You have to specifc explicitely ports for port redirection separately for boot2docker and docker.
Please try this:
c:\>boot2docker init
c:\>boot2docker up
c:\>boot2docker ssh -L 0.0.0.0:5672:localhost:5672
docker#boot2docker:~$ docker run -it -p 5672:5672 tagname

Linux squid proxy configuration

I have 3 virtual machines. I have Squid proxy installed on one of them which functions as a router. I need to configure it to accept HTTP requests from only one of the other 2 machines(IP - 172.16.2.2). The change I made to the squid.conf file is:
http_port 172.16.2.2:3128
I then changed the firewall rule in the route machine so that it redirects traffic from 172.16.2.2 bound for 80 (HTTP port number) to the default squid port 3128. The command is given below:
sudo iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
Machine 172.16.2.2 is connected to the router on eth1. However, whenn I am making sending a HTTP request from 172.16.2.2, I get a 403 Forbidden error. It says:
X-Squid-Error: ERR_ACCESS_DENIED 0
I can't understand it. Please help.
(edited for style)
http_port is used to configure where squid is listening for request, so if you include an ip address, it should be configured in the same machine that is listening. So, in your case 172.16.2.2 (the "other" machine) is not a correct configuration.

Detect conflicting forwarded ports on VM

I am using Oracle VirtualBox on Windows. I've setup NAT and forwarded ports.
When some forwarded ports are accidentally conflicting with host machine's ones, no errors are shown and all forwarded ports are failing.
Is there any possibility to detect those conflicting ports? I have used VBoxManage tool and there are neither output messages, nor verbose mode for startvm command.
Thanks
I would recommend using a combination of netstat and VBoxManage and parse the output. You can easily replace the findstr command with grep on non-Windows hosts.
First, I would get a listing of NAT ports on the VM in question. The VBoxManage showvminfo command will output a bunch of info about the configuration which you can filter to look for just the NAT rules. You will want to look for the host port and protocol fields in the output (and possibly host ip if configured) as that is what you will be looking to see if it is already in use.
C:\>vboxmanage showvminfo Linux | findstr Rule
NIC 1 Rule(0): protocol=tcp, host ip=, host port=2222, guest ip=, guest port=22
Second, using the info from above I know I need to check if anything is listening on port TCP port 2222, so I can use the netstat command to show me all the listening sockets, filtered by my criteria:
C:\>netstat -an | findstr LISTENING | findstr TCP | findstr 2222
Proto Local Address Foreign Address State
TCP 0.0.0.0:2222 0.0.0.0:0 LISTENING
Because my guest is already running I can see that it has already grabbed a connection on TCP 2222. If you don't get any output then nothing is listening on that specific port and you are safe to start your VM.

Resources