#StackBounty: #command-line #vpn #openconnect Connect to openconnect server from the command line?

Bounty: 50

I tried finding a similar question and did, but there’s a caveat: the older questions use the --no-cert-check option, which was removed for security reasons, and I don’t know the exact fingerprint for the server as it will change from time to time. I need to pass two inputs to the openconnect command using something like echo -e "arg1\narg2" but was not successful.

How can I do it? (below is the command I used):

echo -e "yes\nmypassword" | openconnect serveraddress --user="myuser" --passwd-on-stdin


Get this bounty!!!
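The two pieces of the question, feeding several prompt answers through --passwd-on-stdin and replacing the removed --no-cert-check, as an added shell example written for this page (not code from the post or from the OpenConnect project). It assumes placeholder server, user and pin values, an OPENCONNECT variable that defaults to the real binary so the call can be redirected to a wrapper, and that openconnect consumes one line of stdin per prompt when --passwd-on-stdin is given.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders: the server name,
# user name, pin value and prompt answers are supplied by the caller; the
# OPENCONNECT variable exists so the command can be pointed at a wrapper.
set -eu

OPENCONNECT=${OPENCONNECT:-openconnect}

# Compute the value openconnect's --servercert=pin-sha256:... expects from a
# PEM certificate: base64(SHA-256(DER SubjectPublicKeyInfo)). The pin covers
# the server's public key rather than the whole certificate, so it is
# unchanged by a renewal that keeps the same key pair.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | base64
}

# One line per prompt, in the order openconnect asks. printf is used rather
# than "echo -e": whether echo honours -e and backslash escapes depends on
# the shell, which is how "yes\nmypassword" can reach the program literally.
prompt_answers() {
    printf '%s\n' "$@"
}

# vpn_connect SERVER USER PIN ANSWER...
# The pin replaces --no-cert-check: a server presenting a different key is
# refused instead of silently accepted.
vpn_connect() {
    server=$1 user=$2 pin=$3
    shift 3
    prompt_answers "$@" \
      | "$OPENCONNECT" --servercert "pin-sha256:$pin" \
          --user "$user" --passwd-on-stdin "$server"
}

# Usage with placeholders (pin from "spki_pin server.pem", or from the value
# openconnect itself prints when certificate verification fails):
#   vpn_connect vpn.example.com myuser 'BASE64PIN=' 'mypassword' 'second-answer'
```

When verification fails, openconnect prints the pin-sha256 value it observed; confirm it out of band with the VPN operator before passing it in, otherwise the pin only records whatever key was presented on the first connection.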

#StackBounty: #vpn #docker #containers #wireguard #routes site2site wireguard with docker : routing problems

Bounty: 100

Disclaimer: repost from stackoverflow: https://stackoverflow.com/questions/67917278/site2site-wireguard-with-docker-routing-problems

I am trying to have two containers, running on two RPI, act as a site-to-site VPN between Network 1 and Network 2.

With the setup below, I am able to ping from within the container each other network:

  • from docker container 1 I can ping an address 192.168.1.1
  • from docker container 2 I can ping the address 192.168.10.1

But if I try to ping 192.168.1.1 from the System1 host (192.168.10.100) I have errors (see below image to visualize what I am trying to do).

I understand I have to add a static route on system1 host (192.168.10.100) to direct the traffic for 192.168.1.0/24 through the wireguard container (172.17.0.5), thus I run:

$ ip route add 192.168.1.0/24 via 172.17.0.5
$ ip route
default via 192.168.10.1 dev eth0 proto dhcp src 192.168.10.100 metric 100 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
172.18.0.0/16 dev br-e19a4f1b7646 proto kernel scope link src 172.18.0.1 linkdown 
172.19.0.0/16 dev br-19684dacea29 proto kernel scope link src 172.19.0.1 
172.20.0.0/16 dev br-446863cf7cef proto kernel scope link src 172.20.0.1 
172.21.0.0/16 dev br-6800ed9b4dd6 proto kernel scope link src 172.21.0.1 linkdown 
172.22.0.0/16 dev br-8f8f439a7a28 proto kernel scope link src 172.22.0.1 linkdown 
192.168.1.0/24 via 172.17.0.5 dev docker0 
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.100 
192.168.10.1 dev eth0 proto dhcp scope link src 192.168.10.100 metric 100 

but the ping to 192.168.1.1 still fails.

By running tcpdump on container 2 I see that some packets are indeed reaching the container:

root@936de7c0d7eb:/# tcpdump -n -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:11:19.885845 IP [publicIPsystem1].56200 > 172.17.0.6.56100: UDP, length 128
10:11:30.440764 IP 172.17.0.6.56100 > [publicIPsystem1].56200: UDP, length 32
10:11:35.480625 ARP, Request who-has 172.17.0.1 tell 172.17.0.6, length 28
10:11:35.480755 ARP, Reply 172.17.0.1 is-at 02:42:24:e5:ac:38, length 28

So I guess it is not a routing problem on System 1.

Can anyone tell me how to diagnose this further?


EDIT 1:
I have done the following test:

  1. run ‘tcpdump -ni any’ on container 2
  2. sent a ping from System 1 (from the host system): ‘ping -c 1 192.168.1.1’.
     On container 2 tcpdump records the following:

     tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
     listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
     15:04:47.495066 IP [publicIPsystem1].56200 > 172.17.0.3.56100: UDP, length 128
     15:04:58.120761 IP 172.17.0.3.56100 > [publicIPsystem1].56200: UDP, length 32

  3. sent a ping from the container (within the container): ‘ping -c 1 192.168.1.1’.
     On container 2 tcpdump records the following:

     # tcpdump -ni any
     tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
     listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
     15:05:48.120717 IP [publicIPsystem1].56200 > 172.17.0.3.56100: UDP, length 128
     15:05:48.120871 IP 10.13.18.2 > 192.168.1.1: ICMP echo request, id 747, seq 1, length 64
     15:05:48.120963 IP 172.17.0.3 > 192.168.1.1: ICMP echo request, id 747, seq 1, length 64
     15:05:48.121955 IP 192.168.1.1 > 172.17.0.3: ICMP echo reply, id 747, seq 1, length 64
     15:05:48.122054 IP 192.168.1.1 > 10.13.18.2: ICMP echo reply, id 747, seq 1, length 64
     15:05:48.122246 IP 172.17.0.3.56100 > [publicIPsystem1].56200: UDP, length 128
     15:05:53.160617 ARP, Request who-has 172.17.0.1 tell 172.17.0.3, length 28
     15:05:53.160636 ARP, Request who-has 172.17.0.3 tell 172.17.0.1, length 28
     15:05:53.160745 ARP, Reply 172.17.0.3 is-at 02:42:ac:11:00:03, length 28
     15:05:53.160738 ARP, Reply 172.17.0.1 is-at 02:42:24:e5:ac:38, length 28
     15:05:58.672032 IP [publicIPsystem1].56200 > 172.17.0.3.56100: UDP, length 32

So it seems that packets are treated differently on container 2 depending on something that I am currently missing. Could it be an iptables problem?


                       Site 1            Site 2
Network IP range       192.168.10.0/24   192.168.1.0/24
host system address    192.168.10.100    192.168.1.100
bridge docker0 range   172.17.0.0/16     172.17.0.0/16
container address      172.17.0.5        172.17.0.6

System 1 – wg0.conf

[Interface]
Address = 10.13.18.2
PrivateKey = *privatekey*
ListenPort = 56200
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = *publickey*
Endpoint = *system2address*:56100
AllowedIPs = 10.13.18.1/32 , 192.168.1.0/24

System 2 – wg0.conf

[Interface]
Address = 10.13.18.1
ListenPort = 56100
PrivateKey = *privatekey*
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# peer_casaleuven
PublicKey = *publickey*
AllowedIPs = 10.13.18.2/32 , 192.168.10.0/24
Endpoint = *system1address*:56200



#StackBounty: #linux #vpn #routing #strongswan #libreswan VPN traffic routing issue between two VPN connections – AWS and Generic IKEv2…

Bounty: 500

I have several sites; one of them acts as an intermediary router between the other two:

  1. AWS VPC (10.10.0.0/24)
  2. Libreswan VPN Server (10.20.0.0/24)
  3. Mikrotik VPN Router (10.30.0.0/24)

host1 resides at AWS VPC, host2 is connected to Mikrotik

VPN’s are up, each connection is working separately, statuses look fine.

host2 pings host1, packets arrive through libreswan to host1, host1 replies, all packets arrive at libreswan, but are not passed to host2. Also, packets initiated from host2 are able to reach libreswan, but are not passed to host1. I suppose that it is all stateless for IPsec and is the same problem.

iptables nat (manual config):

-A POSTROUTING -j ACCEPT -d 10.10.0.0/24
-A POSTROUTING -j ACCEPT -d 10.20.0.0/24

iptables filter (manual config):

-A FORWARD -j ACCEPT

routing table @ libreswan (ip route, added by libreswan):

10.10.0.0/24 dev eth0 scope link mtu 1436
10.20.0.0/24 dev eth0 scope link mtu 1436

Similar connections, in many combinations to other sites, work fine either way; the difference is the AWS-Libreswan VPN connection.

Is there something I am missing? Where should I look?



#StackBounty: #python #windows #vpn #ping How to route internet traffic via VPN Client (Ping from Python code is not working)

Bounty: 100

from os import system
system("ping www.twitter.com")
system("ping www.yahoo.com")
system("ping www.facebook.com")

I am in China, and Twitter and Facebook are banned here. I can open them in the browser using VPN Client software.

I have to download tweets from Twitter. So I need to ping the websites using Python to get tweets. I cannot ping the websites though.

How do I make my Python code use the VPN?

Output of the above code:

Pinging www.twitter.com [108.160.169.186] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 108.160.169.186:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Pinging new-fp-shed.wg1.b.yahoo.com [180.222.102.201] with 32 bytes of data:
Reply from 180.222.102.201: bytes=32 time=258ms TTL=42
Reply from 180.222.102.201: bytes=32 time=229ms TTL=42
Reply from 180.222.102.201: bytes=32 time=230ms TTL=42
Request timed out.

Ping statistics for 180.222.102.201:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 229ms, Maximum = 258ms, Average = 239ms

Pinging www.facebook.com [69.63.184.14] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 69.63.184.14:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

OS: Windows 10 (updated to latest edition). Using PyCharm as my IDE.



#StackBounty: #windows-10 #vpn #sstp VPN adapter settings keep reverting on Windows 10

Bounty: 50

A few times a day, my VPN connection will disconnect. When I attempt to reconnect I get an error that says my username and password are not recognized.

VPN Error Message

To resolve this, I need to go into the settings for my VPN adapter, and uncheck the box that says "Automatically use my Windows logon name and password". I also change the VPN type from Automatic to SSTP.


After making these changes, I am able to connect to the VPN again (I have to re-enter my credentials). A few hours later, my VPN will disconnect, and I have to repeat this process all over again.

What is making Windows revert these settings? Is there anything I can do to fix this?

My IT department insists this is a problem with my PC, and not a problem with the VPN service.

I am using Windows 10 Pro 20H2. I am not connected to a domain.



#StackBounty: #vpn #routing #openvpn Route subnet through a VPN gateway with OpenVPN

Bounty: 50

A small company I work at is getting rid of an office soon and it has fallen to me to migrate the currently on-prem-hosted VPN (just a Zyxel Zywall 110 device) into a cloud-based VM. I am not that experienced in networking (backend-dev-turned-ops), so I would like to validate whether the following approach will work.


I have a dedicated VM where I’ve set up OpenVPN Access Server and the basics are working well, people can connect, all good.

There is one catch though: the current VPN forwards a certain IP range through a "tunnel" into a client’s internal network. It looks like this:

if addr in '172.30.239.0/25':
    route through gw 194.xxx.xxx.xxx
else:
    route through gw 0.0.0.0

Where the connection from our router to the client’s VPN GW is done via IKEv1 with pre-shared key (judging from the router’s web UI).

Some ascii art depicting the setup below. I am replacing Router with a VM.

            +-----------------+           [     Client infra, this has to stay the same     ]
            | Router          |           194.xxx.xxx.xxx            e.g. 172.30.239.75
            | --------------- |   IKEv1   +-------------+       +-------------------------+
User -----> | 172.30.239.0/25-| --------> | VPN gateway |-----> | Internal network server |
            |     default     |           +-------------+       +-------------------------+
            |        |        |
            +--------+--------+
                     |
                     |
                 internet

The OpenVPN Access Server does not support anything like this by itself (or I haven’t been able to find that config), so I thought I could do it at the VM level. If I connect the OS to the VPN gateway with something like strongSwan and configure appropriate routing in iptables, could this work? Would the traffic of users connected to the OpenVPN server going to the 172.30.239.0/25 range get routed through to strongSwan’s connection, or is this approach fundamentally wrong? What are my options?

Thanks!


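Three of the questions above come down to the same test: whether an address falls inside a prefix. WireGuard's cryptokey routing (the site-to-site post) hands a packet to a peer only if the destination is in that peer's AllowedIPs and, after decryption, drops it unless the source is in the sending peer's AllowedIPs; a policy-based IPsec connection (the libreswan post) carries only traffic whose source and destination match one of its selector pairs; and the Zywall rule sketched just above is a longest-prefix route lookup. The shell below is an added example written for this page, not code from any of the posts or from WireGuard, libreswan or OpenVPN. It copies the AllowedIPs lists from the two wg0.conf files above; the IPsec selector pairs, the next-hop labels and the sample addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from any of the posts. The AllowedIPs values are copied
# from the two wg0.conf files above; the IPsec selector pairs, the next-hop
# labels and the test addresses are constructed placeholders.
set -u

# Dotted quad -> 32-bit integer.
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length of "a.b.c.d/n"; a bare address counts as /32.
prefix_len() {
    case $1 in */*) echo "${1#*/}" ;; *) echo 32 ;; esac
}

# in_cidr IP CIDR: succeed if IP lies inside CIDR.
in_cidr() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=$(prefix_len "$2")
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# allowed_ips_cover "LIST" IP: LIST is a WireGuard AllowedIPs value
# (comma separated, spaces tolerated).
allowed_ips_cover() {
    for cidr in $(printf '%s' "$1" | tr ',' ' '); do
        in_cidr "$2" "$cidr" && return 0
    done
    return 1
}

# From the site-to-site post: what each side allows for its peer.
S1_PEER_ALLOWED='10.13.18.1/32 , 192.168.1.0/24'   # System 1's [Peer] = System 2
S2_PEER_ALLOWED='10.13.18.2/32 , 192.168.10.0/24'  # System 2's [Peer] = System 1

# tunnel_verdict SRC DST: WireGuard cryptokey routing for a packet that
# enters wg0 on System 1 and is decrypted on System 2. Outbound, a peer is
# chosen only if DST is in its AllowedIPs; inbound, a decrypted packet is
# dropped unless SRC is in the sending peer's AllowedIPs. The reply runs the
# same two checks with the addresses swapped, so it passes iff this passes.
# Returns 0 delivered, 1 dropped on System 1, 2 dropped on System 2.
tunnel_verdict() {
    allowed_ips_cover "$S1_PEER_ALLOWED" "$2" || return 1
    allowed_ips_cover "$S2_PEER_ALLOWED" "$1" || return 2
}

# Constructed selector pairs for the libreswan hub ("LOCAL REMOTE CONN").
# Policy-based IPsec only carries traffic that matches a pair on some
# connection, so hairpinning between the two remote subnets needs a pair
# naming both of them, which this table deliberately lacks.
SPD='10.20.0.0/24 10.10.0.0/24 aws
10.20.0.0/24 10.30.0.0/24 mikrotik'

# spd_conn SRC DST: connection whose selectors cover the packet, or "none".
spd_conn() {
    while read -r lsel rsel conn; do
        [ -n "$lsel" ] || continue
        if in_cidr "$1" "$lsel" && in_cidr "$2" "$rsel"; then
            echo "$conn"; return 0
        fi
    done <<EOF
$SPD
EOF
    echo none; return 1
}

# Route table from the Zywall description ("PREFIX NEXTHOP"); the labels
# stand in for the client gateway and the default route.
ROUTES='172.30.239.0/25 ipsec-gw
0.0.0.0/0 default'

# next_hop DST: longest matching prefix wins, as in the kernel FIB.
next_hop() {
    best_len=-1 best_hop=none
    while read -r prefix hop; do
        [ -n "$prefix" ] || continue
        if in_cidr "$1" "$prefix"; then
            len=$(prefix_len "$prefix")
            [ "$len" -gt "$best_len" ] && { best_len=$len; best_hop=$hop; }
        fi
    done <<EOF
$ROUTES
EOF
    echo "$best_hop"
}
```

For the posted WireGuard configuration, tunnel_verdict 192.168.10.100 192.168.1.1 passes both AllowedIPs checks, so the drop seen in that post is not a cryptokey-routing mismatch and the remaining suspects are forwarding and filtering inside the container; a source such as 172.17.0.5 would instead be discarded on System 2 after decryption. spd_conn 10.30.0.9 10.10.0.7 returns none for the constructed table, which is the shape of policy gap to look for on the libreswan hub. next_hop 172.30.239.200 returns default because a /25 ends at .127.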

#StackBounty: #vpn #windows-server #hosts Can't access second site on IIS when connected on a VPN

Bounty: 50

I have a Windows Server which has my dev website on it and can be accessed via IP or server name http://servername on the actual server or http://servername.org.com on my home PC which is connecting to the same network via VPN.

I’ve created an additional site on my IIS, test1, which uses the same port as my default, an unassigned IP address, and the host name test1.com. Within my hosts file, I have also added:

127.0.0.1 test1.com

On my actual server, which I connect to via RDP, I can access this second website via the URL test1.com in a web browser and it works fine, but when I do the same on my home PC it does not work, even though I’m connected to the same network via VPN. I’ve tried different combinations of the URL such as http://servername.org.com./test1.com to no avail.

What would I need to do to accomplish this? Also, just a tag-on question to this. Say my default website is version 1 of that website and I want to create version 2. What would be the best approach to managing this on my server?

  1. http://servername.org.com/v1/index.html for version 1 and the same for v2 but different directory.
  2. Or create a new website on my IIS per iteration so http://servername-v1.org.com and http://servername-v2.org.com

Or does it not really matter? Those different versions would just be dev versions. I currently do it the first way but wondered if there was a proper way of doing this.



#StackBounty: #debian #iis #vpn #apache2 #curl Issue with api request from linux

Bounty: 50

I have an issue with an HTTP bearer-auth JSON POST to an API.

Apps and PHP methods used:

  • wget
  • console curl
  • PHP curl
  • file_get_contents

Successful scenarios – POST request

  1. Computer connected to the same network as the server:
  • request from WSL1 Debian
  • request from XAMPP PHP curl
  • request with an empty JSON payload, or a payload containing only the id, from:
    • VirtualBox Debian
    • WSL2 Debian
    • the server
  • request with a form-encoded payload from all types of connections
  2. Computer connected to the VPN:
  • request from XAMPP PHP curl
  • request from VirtualBox Debian with the VPN connection
  • request from WSL1 and WSL2 Debian

Successful scenarios – GET request

All types of connections

Fail scenarios

  1. Computer connected to the same network as the server:
  • request from the server with the complete payload
  • request from VirtualBox Debian with the full payload
  • request from WSL2 Debian with the full payload

Fail symptoms

Successful handshake and HTTP POST request. Response from the server about window scaling. Any response after the first ACK TCP request from the server. A few retransmissions and the API closes the connection.

API configuration

  • IIS 8.5
  • ASP.NET
  • HTTP 1.1
  • bearer auth
  • chunked encoding

Client configuration

  • Windows, Apache, PHP 7.0 – all types of connections work
  • Debian 9, curl – connections work only from another network or via VPN

Any suggestions?

Edit 1

I have made some screenshots from Wireshark. All machines are in the same network as the tested server – not the API.

Successful

Fail

Edit 2

I have done some research and I discovered that it also does not work from another hosting provider, FreeBSD OS and console curl. Maybe that information will be helpful.

