pan-users

Re: [Pan-users] Pan2 doesn't work within the vpn environment?


From: Hongyi Zhao
Subject: Re: [Pan-users] Pan2 doesn't work within the vpn environment?
Date: Sun, 29 Mar 2015 12:31:21 +0800

Hi Pan2 developers,

I use openvpn.   The openvpn config file used for the connection is something like the following:

-------------
address@hidden:~/srv_enumeration/2015-03-29-12-06-37_ovpn$ cat vpngate_58.19.210.249_tcp_1722.ovpn
###############################################################################
# OpenVPN 2.0 Sample Configuration File
# for PacketiX VPN / SoftEther VPN Server
#
# !!! AUTO-GENERATED BY SOFTETHER VPN SERVER MANAGEMENT TOOL !!!
#
# !!! YOU HAVE TO REVIEW IT BEFORE USE AND MODIFY IT AS NECESSARY !!!
#
# This configuration file is auto-generated. You might use this config file
# in order to connect to the PacketiX VPN / SoftEther VPN Server.
# However, before you try it, you should review the descriptions of the file
# to determine whether it needs to be modified to suit your real environment.
# If necessary, you have to modify the file a little, as appropriate.
# For example, the IP address or the hostname as a destination VPN Server
# should be confirmed.
#
# Note that to use OpenVPN 2.0, you have to put the certification file of
# the destination VPN Server on the OpenVPN Client computer when you use this
# config file. Please refer to the descriptions below carefully.


###############################################################################
# Specify the type of the layer of the VPN connection.
#
# To connect to the VPN Server as a "Remote-Access VPN Client PC",
#  specify 'dev tun'. (Layer-3 IP Routing Mode)
#
# To connect to the VPN Server as a bridging equipment of "Site-to-Site VPN",
#  specify 'dev tap'. (Layer-2 Ethernet Bridging Mode)

dev tun


###############################################################################
# Specify the underlying protocol beyond the Internet.
# Note that this setting must correspond with the listening setting on
# the VPN Server.
#
# Specify either 'proto tcp' or 'proto udp'.

proto tcp


###############################################################################
# The destination hostname / IP address, and port number of
# the target VPN Server.
#
# You have to specify as 'remote <HOSTNAME> <PORT>'. You can also
# specify the IP address instead of the hostname.
#
# Note that the auto-generated hostname below is the "auto-detected
# IP address" of the VPN Server. You have to confirm its correctness
# beforehand.
#
# When you want to connect to the VPN Server by using TCP protocol,
# the port number of the destination TCP port should be same as one of
# the available TCP listeners on the VPN Server.
#
# When you use UDP protocol, the port number must be the same as the configuration
# setting of "OpenVPN Server Compatible Function" on the VPN Server.

remote 58.19.210.249 1722


###############################################################################
# The HTTP/HTTPS proxy setting.
#
# Only if you have to use the Internet via a proxy, uncomment the below
# two lines and specify the proxy address and the port number.
# In the case of using proxy-authentication, refer to the OpenVPN manual.

;http-proxy-retry
;http-proxy [proxy server] [proxy port]


###############################################################################
# The encryption and authentication algorithm.
#
# Default setting is good. Modify it as you prefer.
# When you specify an unsupported algorithm, the error will occur.
#
# The supported algorithms are as follows:
#  cipher: [NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC
#          CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC
#          RC2-40-CBC RC2-64-CBC RC2-CBC
#  auth:   SHA SHA1 MD5 MD4 RMD160

cipher AES-128-CBC
auth SHA1


###############################################################################
# Other parameters necessary to connect to the VPN Server.
#
# It is not recommended to modify it unless you have a particular need.

resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
#auth-user-pass


###############################################################################
# The certificate file of the destination VPN Server.
#
# The CA certificate file is embedded in the inline format.
# You can replace this CA contents if necessary.
# Please note that if the server certificate is not self-signed, you have to
# specify the signer's root certificate (CA) here.

<ca>
-----BEGIN CERTIFICATE-----
MIIDLjCCAhagAwIBAgIFFDGVc4QwDQYJKoZIhvcNAQELBQAwTjEdMBsGA1UEAwwU
cW15MHRlejlvMmx4OXk5aS5vcmcxIDAeBgNVBAoMFzN0NGoxdjhkOTE3IHFqcmxk
dHVsbDUzMQswCQYDVQQGEwJVUzAeFw0xNTAzMjgxMzI5MjZaFw0xODExMjUxMzI5
MjZaME4xHTAbBgNVBAMMFHFteTB0ZXo5bzJseDl5OWkub3JnMSAwHgYDVQQKDBcz
dDRqMXY4ZDkxNyBxanJsZHR1bGw1MzELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC9IXppZoQQ1F4GPr7lrEsfAAGpxS8OUVNq8Mnl
AxvdiRYUVvEsHjfMJ5KEGNVAkD90QQKEanh6QaTg6OatOml/s27mNCeSb7H4Rlpz
J/AApI+RrTdSWrWAIRwfIx0uuIBwDER7gMhF27Fo54kLaINA9g5KN+P6IU+yLU3y
LQqMFn/eE8fGTXejUX916I4pyrwv3L4DQg5WrgJF1TJNfcEE/QU7yN6XsVAEG4TH
Wnna9Y3NpmHz/aFgzFDcE9bFR+l0KsVU4F9sAolWOoOQzSB+zF+u5Tj112gsEYJ3
TBl7IY2z5fxjudsSgQL2uKVemxCsTbkJPxlr/1ETy5+b+3H3AgMBAAGjEzARMA8G
A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKx5GwIehB7Zj71H8QIW
f+JjWFkZ5l3YSA1pk19vtYVn1Ssk+c1pWrmZC4hGQCWSA/2lW6WXPpraiIXL/nnT
S7Il8D0eeETWTZ+Y1Rk8FE0iWZlQuMb9Bu1645PFlbKrqnrM5qSEBcO/yQo1gmA6
LXYcUgBM8/GpQklQr9YybOfRmTz9BjslZI9qsCDSxUkw8jCyq4tIJFMfgdeLWVRO
P9Z66pk4yCk6pw1A8/ShiXWVZMlQRoHkI84Y1/tIo3JOAY6XZ/YnqsOEeDA1U0/B
JJweIAIE2bg9oFtgOjmPewTqEMqwQHLB7qVTrGA9PE0LZbw7QxTzBAMTyAkiLEdo
Qto=
-----END CERTIFICATE-----

</ca>


###############################################################################
# The client certificate file (dummy).
#
# In some implementations of OpenVPN Client software
# (for example: OpenVPN Client for iOS),
# a pair of client certificate and private key must be included in the
# configuration file due to the limitation of the client.
# So this sample configuration file has a dummy pair of client certificate
# and private key as follows.

<cert>
-----BEGIN CERTIFICATE-----
[dummy client certificate body omitted]
-----END CERTIFICATE-----

</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
[dummy client private key body omitted]
-----END RSA PRIVATE KEY-----

</key>

-------------

And the connection log on stdout is as follows:

-----------
address@hidden:~/srv_enumeration/2015-03-29-12-06-37_ovpn$ sudo openvpn vpngate_58.19.210.249_tcp_1722.ovpn
Sun Mar 29 12:19:19 2015 OpenVPN 2.3_git [git:master/ec2fbf374f018366] x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [SNAPPY] [LZ4] [EPOLL] [MH] [IPv6] built on Mar 24 2015
Sun Mar 29 12:19:19 2015 library versions: OpenSSL 1.0.1e 11 Feb 2013, LZO 2.06
Sun Mar 29 12:19:19 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Mar 29 12:19:19 2015 TCP/UDP: Preserving recently used remote address: [AF_INET]58.19.210.249:1722
Sun Mar 29 12:19:19 2015 Socket Buffers: R=[87380->131072] S=[16384->131072]
Sun Mar 29 12:19:19 2015 Attempting to establish TCP connection with [AF_INET]58.19.210.249:1722 [nonblock]
Sun Mar 29 12:19:20 2015 TCP connection established with [AF_INET]58.19.210.249:1722
Sun Mar 29 12:19:20 2015 TCP_CLIENT link local: (not bound)
Sun Mar 29 12:19:20 2015 TCP_CLIENT link remote: [AF_INET]58.19.210.249:1722
Sun Mar 29 12:19:20 2015 TLS: Initial packet from [AF_INET]58.19.210.249:1722, sid=ac2bd730 591add7f
Sun Mar 29 12:19:20 2015 VERIFY OK: depth=0, CN=qmy0tez9o2lx9y9i.org, O=3t4j1v8d917 qjrldtull53, C=US
Sun Mar 29 12:19:21 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Mar 29 12:19:21 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 29 12:19:21 2015 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Mar 29 12:19:21 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 29 12:19:21 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Mar 29 12:19:21 2015 [qmy0tez9o2lx9y9i.org] Peer Connection Initiated with [AF_INET]58.19.210.249:1722
Sun Mar 29 12:19:23 2015 SENT CONTROL [qmy0tez9o2lx9y9i.org]: 'PUSH_REQUEST' (status=1)
Sun Mar 29 12:19:23 2015 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.38.205 10.211.38.206,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.38.206,redirect-gateway def1'
Sun Mar 29 12:19:23 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sun Mar 29 12:19:23 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sun Mar 29 12:19:23 2015 OPTIONS IMPORT: route options modified
Sun Mar 29 12:19:23 2015 OPTIONS IMPORT: route-related options modified
Sun Mar 29 12:19:23 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Mar 29 12:19:23 2015 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=c8:60:00:df:24:23
Sun Mar 29 12:19:23 2015 TUN/TAP device tun0 opened
Sun Mar 29 12:19:23 2015 TUN/TAP TX queue length set to 100
Sun Mar 29 12:19:23 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Mar 29 12:19:23 2015 /sbin/ifconfig tun0 10.211.38.205 pointopoint 10.211.38.206 mtu 1500
Sun Mar 29 12:19:23 2015 /sbin/route add -net 58.19.210.249 netmask 255.255.255.255 gw 192.168.0.1
SIOCADDRT: File exists
Sun Mar 29 12:19:23 2015 ERROR: Linux route add command failed: external program exited with error status: 7
Sun Mar 29 12:19:23 2015 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.211.38.206
Sun Mar 29 12:19:23 2015 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.211.38.206
Sun Mar 29 12:19:23 2015 Initialization Sequence Completed

-----------


The route table in my box is as follows when the openvpn connection succeeded:

----------
address@hidden:~$ ip route
0.0.0.0/1 via 10.211.38.206 dev tun0
default via 192.168.0.1 dev eth0  proto static
10.211.38.206 dev tun0  proto kernel  scope link  src 10.211.38.205
58.19.210.249 via 192.168.0.1 dev eth0
128.0.0.0/1 via 10.211.38.206 dev tun0
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.3
-------------

And the ifconfig info is as follows:

----------------
address@hidden:~$ sudo ifconfig
eth0      Link encap:Ethernet  HWaddr c8:60:00:df:24:23 
          inet addr:192.168.0.3  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::ca60:ff:fedf:2423/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57686 errors:0 dropped:0 overruns:0 frame:0
          TX packets:91560 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23860896 (22.7 MiB)  TX bytes:14247297 (13.5 MiB)
          Interrupt:20 Memory:f7300000-f7320000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:13230 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13230 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1247508 (1.1 MiB)  TX bytes:1247508 (1.1 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.211.38.205  P-t-P:10.211.38.206  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3177 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2536146 (2.4 MiB)  TX bytes:523958 (511.6 KiB)
------------------

Regards

2015-03-28 11:15 GMT+08:00 Jim Henderson <address@hidden>:
On Sat, 28 Mar 2015 10:25:12 +0800, Hongyi Zhao wrote:


> I use pan2 (Pan 0.140, GIT 048fecd).  I found a strange issue:
>
> When I use a VPN to access the internet, pan2 fails to access
> news servers.

Almost certainly a VPN issue, as pan has no network routing logic built
into it - it depends on your network routing configuration.

In order to diagnose this, we'll need to know a little about what the VPN
software you're using is and how it's configured.  My guess is that it's
not configured for a split tunnel, and sends all traffic back to your
corporate network, where it's subjected to firewall rules in the
corporate firewall - and your corporate firewall probably blocks port 119
(used for NNTP traffic).

Jim

--
 Jim Henderson
 Please keep on-topic replies on the list so everyone benefits


_______________________________________________
Pan-users mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/pan-users



--
Hongyi Zhao <address@hidden>
Xinjiang Technical Institute of Physics and Chemistry
Chinese Academy of Sciences
GnuPG DSA: 0xD108493
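As an added example (not part of this thread, and not code from Pan or OpenVPN), the following Python script performs offline the two checks a reader would want to make against the output posted above: it runs a longest-prefix lookup over the posted `ip route` table to show which interface the kernel picks for a given destination once the pushed `redirect-gateway def1` routes (`0.0.0.0/1` and `128.0.0.0/1`) are installed, and it scans the posted openvpn log for the findings that matter, notably the "No server certificate verification method has been enabled" warning, the full-tunnel push, and the failed route add. The route table and log excerpt are embedded from the post; the function names (`parse_routes`, `egress_device`, `audit_log`, `recommended_directives`) are this example's own, and the suggested directives are standard OpenVPN client options, with the `verify-x509-name` value copied from the CN the log reports.

```python
"""Offline diagnosis of the OpenVPN session posted in the thread (added example)."""
import ipaddress

# Constructed sample: the `ip route` output from the post, embedded verbatim.
ROUTE_TABLE = """\
0.0.0.0/1 via 10.211.38.206 dev tun0
default via 192.168.0.1 dev eth0  proto static
10.211.38.206 dev tun0  proto kernel  scope link  src 10.211.38.205
58.19.210.249 via 192.168.0.1 dev eth0
128.0.0.0/1 via 10.211.38.206 dev tun0
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.3
"""

# Constructed sample: the relevant lines of the posted openvpn stdout log.
OPENVPN_LOG = """\
Sun Mar 29 12:19:19 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Mar 29 12:19:20 2015 VERIFY OK: depth=0, CN=qmy0tez9o2lx9y9i.org, O=3t4j1v8d917 qjrldtull53, C=US
Sun Mar 29 12:19:23 2015 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.38.205 10.211.38.206,route-gateway 10.211.38.206,redirect-gateway def1'
Sun Mar 29 12:19:23 2015 /sbin/route add -net 58.19.210.249 netmask 255.255.255.255 gw 192.168.0.1
SIOCADDRT: File exists
Sun Mar 29 12:19:23 2015 ERROR: Linux route add command failed: external program exited with error status: 7
Sun Mar 29 12:19:23 2015 Initialization Sequence Completed
"""


def parse_routes(text):
    """Turn `ip route` lines into (network, device) pairs.

    A bare address such as '10.211.38.206' is a /32 host route; 'default' is 0.0.0.0/0.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = parts[parts.index("dev") + 1]
        routes.append((net, dev))
    return routes


def egress_device(routes, ip):
    """Longest-prefix match: the interface the kernel would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best_net, best_dev = None, None
    for net, dev in routes:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def audit_log(text):
    """Return the findings a defender would flag in this client log, in log order."""
    findings = []
    if "No server certificate verification method has been enabled" in text:
        # The client accepts any certificate chaining to the embedded CA, not just a server cert.
        findings.append("no-server-cert-verification")
    if "redirect-gateway" in text:
        # The server pushed a full tunnel: every destination not on the LAN leaves via tun0.
        findings.append("full-tunnel-pushed")
    if "route add command failed" in text:
        # 'SIOCADDRT: File exists' means the host route to the VPN endpoint was already present.
        findings.append("route-add-failed")
    return findings


def recommended_directives(findings, server_cn):
    """Map findings to the client-side config lines that address them."""
    advice = []
    if "no-server-cert-verification" in findings:
        advice.append("remote-cert-tls server")
        advice.append("verify-x509-name %s name" % server_cn)
    if "full-tunnel-pushed" in findings:
        # Split tunnel: keep the default route local, so NNTP is not filtered by the VPN side.
        advice.append("pull-filter ignore redirect-gateway")
    return advice


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for dst in ("58.19.210.249", "192.168.0.3", "203.0.113.10"):
        print("%-15s -> %s" % (dst, egress_device(routes, dst)))
    found = audit_log(OPENVPN_LOG)
    print("findings:", found)
    for line in recommended_directives(found, "qmy0tez9o2lx9y9i.org"):
        print("add to client config:", line)
```

Running it shows that only the VPN endpoint itself and the 192.168.0.0/24 LAN leave via eth0; any news server with a public address goes out through tun0, so whether port 119 is reachable is decided on the VPN provider's side, exactly the split-tunnel point Jim raises. The `pull-filter` directive exists in OpenVPN 2.4 and later, so on the 2.3 build in the log the equivalent is to leave `redirect-gateway` unpushed on the server or add the routes by hand.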
