Openvpn through an ISA server on linux
From Foomagic
If you need to tunnel through an ISA server that's in anal mode, hopefully this may help with the couple of areas where I got tripped up. Following the Openvpn howto covers the topic well. I have mine running on port 443, as the ISA server in question only allows ports 80 and 443. This isn't much good to me as it means no ssh, no irc, no chat and, most importantly, no mail. Luckily I had access to a connection that I could use briefly to ssh to my server and install and configure openvpn as the server. My configs are pretty much standard as per the howto, but I'll include them here for completeness. The server is running on Debian stable, with the client on Debian sid.
server.conf

# the ISA proxy only lets 80 and 443 out, and a CONNECT tunnel through it is TCP only
port 443
proto tcp-server
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/foo.crt
key /etc/openvpn/foo.key
dh /etc/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# let clients reach the home LAN, then send all their traffic through the tunnel
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"
# Linux clients do not apply this themselves; they only get it as foreign_option_*
push "dhcp-option DNS 192.168.1.1"
keepalive 10 20
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
# the forwarding/masquerading rules go in these scripts
up /etc/openvpn/iptables.up
down /etc/openvpn/iptables.down
verb 3
client.conf

client
dev tun
# must be TCP to fit through the proxy's CONNECT tunnel
proto tcp-client
remote foomagic.org 443
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
# keep retrying the proxy instead of giving up on the first failure
http-proxy-retry
# http-proxy <server> <port> [auth-file] [auth-method]
# /etc/openvpn/proxy holds the proxy username on line 1 and the password on line 2;
# ntlm selects NTLM instead of the default basic auth
http-proxy <your proxy ip> 8080 /etc/openvpn/proxy ntlm
ca /etc/openvpn/ca.crt
cert /etc/openvpn/foo.crt
key /etc/openvpn/foo.key
# refuse to talk to a peer whose certificate is not marked as a server cert
ns-cert-type server
comp-lzo
# resolv.conf handling when the tunnel comes up / goes down
up /etc/openvpn/resolve.up
down /etc/openvpn/dh.up
verb 3
The initial problem I had was getting through the proxy. I wasn't sure what the problem was, as I had never had to work with one before. The only useful info that openvpn would give me, even with log verbosity at its highest, was the following error.
OpenVPN 2.1_rc4 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 9 2007
LZO compression initialized
Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options hash (VER=V4): '69109d17'
Expected Remote Options hash (VER=V4): 'c0103fa8'
NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Attempting to establish TCP connection with XXX:XXX:XXX:XXX:8080 [nonblock]
TCP connection established with XXX:XXX:XXX:XXX:8080
Send to HTTP proxy: 'CONNECT foomagic.org:443 HTTP/1.0'
Attempting Basic Proxy-Authorization
HTTP proxy returned: 'HTTP/1.1 502 Proxy Error ( The ISA Server denies the specified Uniform Resource Locator (URL). )'
HTTP proxy returned bad status
TCP/UDP: Closing socket
SIGUSR1[soft,init_instance] received, process restarting
Restart pause, 5 second(s)
Since setting the proxy in Firefox on that network just opens an ordinary user/pass box, I assumed that the proxy used basic authorisation. After much googling and frustration, I tried NTLM auth ('ntlm' on the http-proxy line) for the proxy, and I could then connect to my box at home. Now I could ssh to my home box, but not get past it to the rest of the LAN or out to the internet. The howto mentions that you need to enable masquerading, but not that you have to add FORWARD rules to iptables as well. These rules should get you that basic forwarding and masquerading setup.
# let the kernel route packets between interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
# allow traffic between the tunnel and the LAN/internet interface in both directions
# (deliberately minimal: the eth0 -> tun0 rule lets anything on the LAN side reach
# the VPN clients, so tighten it, e.g. to ESTABLISHED,RELATED, once it all works)
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
# hide the 10.8.0.0/24 clients behind the server's eth0 address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Now you should have pretty much all of your net traffic going through the VPN (if you have the same configs as above). Upon firing up wireshark, I noted that DNS requests were still going out to the proxy, even though I had the DNS push option set in server.conf. It turns out that the Linux clients won't use that info when pushed, but it's stored in a 'foreign_option_*' environment variable (see man openvpn). To make sure your DNS queries go through the VPN, either manually edit your resolv.conf to use your home gateway, or use the update-resolv-conf script included with openvpn. The only thing I didn't like with that is that it prepends the info at the start of the file and leaves the proxy DNS servers there as well. I didn't really want them left there, so I made a terrible little script to echo that variable to resolv.conf, and then run dhclient again when the tunnel goes down, i.e. when openvpn exits. These scripts can be run with the 'up' and 'down' directives in the server and client conf files.
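The resolve.up and dh.up scripts themselves are not shown, so here is an added example of what they could look like; it is not the page's own script. It is one POSIX sh file for both the up and down directives: it reads the foreign_option_* variables OpenVPN exports, keeps only well-formed DNS/DOMAIN values, writes resolv.conf on up, and on down restores the copy it saved rather than re-running dhclient as the author did. The backup path and the RESOLV_CONF/RESOLV_BACKUP overrides are my assumptions.

```sh
#!/bin/sh
# Hypothetical stand-in for the author's resolve.up / dh.up scripts (added example).
# OpenVPN runs it with $script_type set to "up" or "down" and exports pushed options
# it does not apply itself as foreign_option_1, foreign_option_2, ... for example
# foreign_option_1='dhcp-option DNS 192.168.1.1' (see man openvpn).
RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}
BACKUP=${RESOLV_BACKUP:-/var/run/resolv.conf.openvpn-backup}

# True if $1 is a plain dotted quad: the server picks these values, so allow nothing else.
is_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
}
# Print the resolv.conf lines derived from the foreign_option_* variables.
pushed_resolv_conf() {
    i=1
    while eval "opt=\${foreign_option_$i:-}" && [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*)
                ip=${opt#"dhcp-option DNS "}
                if is_ipv4 "$ip"; then echo "nameserver $ip"
                else echo "ignoring bogus pushed DNS server '$ip'" >&2; fi ;;
            "dhcp-option DOMAIN "*)
                dom=${opt#"dhcp-option DOMAIN "}
                case "$dom" in
                    *[!A-Za-z0-9.-]*|"") echo "ignoring bogus pushed domain '$dom'" >&2 ;;
                    *) echo "search $dom" ;;
                esac ;;
        esac
        i=$((i + 1))
    done
}
# up: save the proxy/DHCP resolv.conf, then replace it with the pushed one.
resolv_up() {
    new=$(pushed_resolv_conf)
    [ -n "$new" ] || return 0   # nothing usable was pushed: leave the file alone
    cp "$RESOLV_CONF" "$BACKUP"
    printf '%s\n' "$new" > "$RESOLV_CONF"
}
# down: put the saved copy back instead of re-running dhclient.
resolv_down() {
    if [ -f "$BACKUP" ]; then mv "$BACKUP" "$RESOLV_CONF"; fi
}
case "${script_type:-}" in
    up)   resolv_up ;;
    down) resolv_down ;;
esac
```

Point both the up and down directives at this one file; OpenVPN tells it which event it is via $script_type. Note that with user nobody in client.conf the down script runs after privileges have been dropped and cannot write /etc/resolv.conf, which is what the openvpn-plugin-down-root plugin shipped with OpenVPN exists for.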
