Cannot do a reverse connection: any port from destination (vpn "server") to source (vpn client with openconnect)
I have two nodes. One is "frontal", which has the openconnect VPN client binary and a public IP. The other is the "server", which is inside a common VPN (University; you cannot log in by ssh without an authenticated VPN connection first). To be able to log in with ssh to my "server" inside the University, I first need to establish the VPN connection. Everything works fine, until I need to log in to or query any port of my "frontal" from the "server" (ssh, curl, ... any other port). I did many tests with `mtr -Trwbzc100`, `tracert`, `curl`, `ssh`, and it is impossible to connect.
If I disable the VPN connection from that "frontal" and choose another frontal "frontal2" for the new VPN connection, I can connect to the previous "frontal", but not to the new "frontal2".
Tested with two different frontal nodes, one is a common VPS provider ("frontal"), the other my own house ("frontal2"). Almost the same behavior. I have checked all the logs, disabled firewalls and even contacted the technical support of both providers. It seems the problem is related to the usage of the VPN. Almost the same behavior in both cases: when using the VPS as frontal, the last packets are dropped. Specifically, when I am about to get to the last hop (compared to when I don't use the VPN from that frontal). On the other side, from my own house, the `mtr` has the same behavior (dropping packets on the last hop) but still I cannot connect with any service (ssh, curl, etc).
Sorry if it is possible to disable this with any of the runtime options of the openconnect binary, but I didn't know how to find it.
Tested with both OpenConnect 7.08 and 8.05.
Questions:
- Is this a bug or is it expected behavior?
- If it is a bug, what more tests can I do? How can I bypass it?
- If this is expected behavior, how can I solve my situation? Is there any option to enable the behavior that I want with openconnect?
Appendix:
I did some tests with a few options of openconnect. For every option I established the VPN connection, logged in to the "server" node and tried to connect with ssh back to the "frontal2" node. None of the following combinations solved the issue:
- `--no-http-keepalive`
- `--no-xmlpost`
- `--no-dtls`
- `--deflate`
- `--protocol=nc`
- `--protocol=pulse`

(only protocol `nc` or `pulse` can connect)
Last, just in case it helps, I paste here some verbose info (but skipping some "sensitive information" unless someone requests it).
Example executing with protocol `nc`:
$ echo PASS | sudo ./openconnect --protocol=nc -v --timestamp --authgroup="AUTHGROUP" -u USER --passwd-on-stdin https://MYVPN.ES
[2019-11-27 07:34:29] GET https://MYVPN.ES/
[2019-11-27 07:34:29] Attempting to connect to server 193.144.XXX.YYY:443
[2019-11-27 07:34:29] Connected to 193.144.XXX.YYY:443
[2019-11-27 07:34:30] SSL negotiation with MYVPN.ES
[2019-11-27 07:34:30] Connected to HTTPS on MYVPN.ES
[2019-11-27 07:34:30] Got HTTP response: HTTP/1.1 302 Found
[2019-11-27 07:34:30] Location: /dana-na/auth/url_default/welcome.cgi
[2019-11-27 07:34:30] Content-Type: text/html; charset=utf-8
[2019-11-27 07:34:30] Set-Cookie: DSSIGNIN=url_default; path=/dana-na/; expires=Thu, 31-Dec-2037 00:00:00 GMT; secure
[2019-11-27 07:34:30] Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
[2019-11-27 07:34:30] Set-Cookie: DSSignInURL=/; path=/; secure
[2019-11-27 07:34:30] Connection: close
[2019-11-27 07:34:30] Content-Length: 0
[2019-11-27 07:34:30] Strict-Transport-Security: max-age=31536000
[2019-11-27 07:34:30] HTTP body length: (0)
[2019-11-27 07:34:30] GET https://MYVPN.ES/dana-na/auth/url_default/welcome.cgi
[2019-11-27 07:34:30] SSL negotiation with MYVPN.ES
[2019-11-27 07:34:30] Connected to HTTPS on MYVPN.ES
[2019-11-27 07:34:30] Got HTTP response: HTTP/1.1 200 OK
[2019-11-27 07:34:30] Content-Type: text/html; charset=utf-8
[2019-11-27 07:34:30] Date: Wed, 27 Nov 2019 06:34:30 GMT
[2019-11-27 07:34:30] x-frame-options: SAMEORIGIN
[2019-11-27 07:34:30] Pragma: no-cache
[2019-11-27 07:34:30] Cache-Control: no-store
[2019-11-27 07:34:30] Expires: -1
[2019-11-27 07:34:30] Transfer-Encoding: chunked
[2019-11-27 07:34:30] Strict-Transport-Security: max-age=31536000
[2019-11-27 07:34:30] HTTP body chunked (-2)
frmLogin
frmLogin
[2019-11-27 07:34:30] POST https://MYVPN.ES/dana-na/auth/url_default/login.cgi
[2019-11-27 07:34:30] Got HTTP response: HTTP/1.1 302 Moved
[2019-11-27 07:34:30] Set-Cookie: DSASSERTREF=x; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
[2019-11-27 07:34:30] Set-Cookie: DSID=5219b189d4235773a4ec84b978ae6522; path=/; secure
[2019-11-27 07:34:30] Set-Cookie: DSDID=89a3e200e9e91444; path=/; secure; HttpOnly
[2019-11-27 07:34:30] Set-Cookie: DSFirstAccess=1574836470; path=/; secure
[2019-11-27 07:34:30] Set-Cookie: DSSIGNIN=url_default; path=/; secure
[2019-11-27 07:34:30] Date: Wed, 27 Nov 2019 06:34:30 GMT
[2019-11-27 07:34:30] location: /dana/meeting/meeting_weekly.cgi
[2019-11-27 07:34:30] Content-Type: text/html; charset=utf-8
[2019-11-27 07:34:30] Pragma: no-cache
[2019-11-27 07:34:30] Cache-Control: no-store
[2019-11-27 07:34:30] Expires: -1
[2019-11-27 07:34:30] Content-Length: 0
[2019-11-27 07:34:30] Strict-Transport-Security: max-age=31536000
[2019-11-27 07:34:30] HTTP body length: (0)
[2019-11-27 07:34:30] GET https://MYVPN.ES/dana/meeting/meeting_weekly.cgi
[2019-11-27 07:34:34] Got HTTP response: HTTP/1.1 302 Moved
[2019-11-27 07:34:34] location: /dana/home/index.cgi
[2019-11-27 07:34:34] method: POST
[2019-11-27 07:34:34] Set-Cookie: DSLastAccess=1574836474; path=/; Secure
[2019-11-27 07:34:34] Pragma: no-cache
[2019-11-27 07:34:34] Cache-Control: no-store
[2019-11-27 07:34:34] Expires: -1
[2019-11-27 07:34:34] Transfer-Encoding: chunked
[2019-11-27 07:34:34] Strict-Transport-Security: max-age=31536000
[2019-11-27 07:34:34] HTTP body chunked (-2)
[2019-11-27 07:34:34] GET https://MYVPN.ES/dana/home/index.cgi
[2019-11-27 07:34:34] Got HTTP response: HTTP/1.1 200 OK
[2019-11-27 07:34:34] Content-Type: text/html; charset=utf-8
[2019-11-27 07:34:34] Set-Cookie: DSLastAccess=1574836474; path=/; Secure
[2019-11-27 07:34:34] Pragma: no-cache
[2019-11-27 07:34:34] Cache-Control: no-store
[2019-11-27 07:34:34] Expires: -1
[2019-11-27 07:34:34] Transfer-Encoding: chunked
[2019-11-27 07:34:34] X-Frame-Options: SAMEORIGIN
[2019-11-27 07:34:34] Strict-Transport-Security: max-age=31536000
[2019-11-27 07:34:34] HTTP body chunked (-2)
[2019-11-27 07:34:34] Got HTTP response: HTTP/1.1 200 OK
[2019-11-27 07:34:34] Content-type: application/octet-stream
[2019-11-27 07:34:34] Pragma: no-cache
[2019-11-27 07:34:34] NCP-Version: 3
[2019-11-27 07:34:34] Set-Cookie: DSLastAccess=1574836474; path=/; Secure
[2019-11-27 07:34:34] Connection: close
[2019-11-27 07:34:34] X-Frame-Options: SAMEORIGIN
[2019-11-27 07:34:34] Strict-Transport-Security: max-age=31536000
...
[2019-11-27 07:34:34] > 0010: bb 01 00 00 00 00 |......|
[2019-11-27 07:34:35] Got KMP message 301 of size 333
[2019-11-27 07:34:35] Unknown TLV group 3 attr 1 len 1: 01
[2019-11-27 07:34:35] Unknown TLV group 3 attr 2 len 1: 00
[2019-11-27 07:34:35] Received split include route 193.144.XYZ.Z/255.255.240.0
[2019-11-27 07:34:35] Received split include route 193.144.XYY.Z/255.255.224.0
[2019-11-27 07:34:35] Received MTU 1400 from server
[2019-11-27 07:34:35] Received DNS server 193.144.XXX.JJ
[2019-11-27 07:34:35] Received DNS server 193.144.XXX.YY
[2019-11-27 07:34:35] Received DNS search domain myvpn.es
[2019-11-27 07:34:35] Unknown TLV group 2 attr 3 len 4: 00 00 00 00
[2019-11-27 07:34:35] ESP compression: 0
[2019-11-27 07:34:35] ESP encryption: 0x02 (AES-128)
[2019-11-27 07:34:35] ESP HMAC: 0x02 (SHA1)
[2019-11-27 07:34:35] ESP key lifetime: 1200 seconds
[2019-11-27 07:34:35] ESP key lifetime: 0 bytes
[2019-11-27 07:34:35] ESP replay protection: 1
[2019-11-27 07:34:35] Unknown TLV group 8 attr 11 len 4: 00 00 00 00
[2019-11-27 07:34:35] ESP port: 4500
[2019-11-27 07:34:35] ESP to SSL fallback: 15 seconds
[2019-11-27 07:34:35] Unknown TLV group 8 attr 8 len 4: 00 00 00 3c
[2019-11-27 07:34:35] Received internal IP address 193.144.XYZ.Y
[2019-11-27 07:34:35] Received netmask 255.255.255.255
[2019-11-27 07:34:35] Received internal gateway address 10.200.200.200
[2019-11-27 07:34:35] ESP SPI (outbound): fa079f03
[2019-11-27 07:34:35] 64 bytes of ESP secrets
[2019-11-27 07:34:35] oNCP negotiation request outgoing:
[2019-11-27 07:34:35] > 0000: 8e 00 00 00 00 00 00 00 01 2f 01 00 00 00 01 00 |........./......|
...
[2019-11-27 07:34:35] > 0080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
[2019-11-27 07:34:35] Send ESP probes
[2019-11-27 07:34:35] Connected as 193.144.XYZ.Y, using SSL, with ESP in progress
[2019-11-27 07:34:35] ESP session established with server
[2019-11-27 07:35:22] Send ESP probes for DPD
[2019-11-27 07:35:37] Send ESP probes for DPD
[2019-11-27 07:36:06] Send ESP probes for DPD
[2019-11-27 07:36:24] Send ESP probes for DPD
[2019-11-27 07:36:43] Send ESP probes for DPD
Then, with `pulse`:
$ echo PASS | sudo ./openconnect --protocol=pulse -v --timestamp --authgroup="AUTHGROUP" -u USER --passwd-on-stdin https://MYVPN.ES
[2019-11-27 07:30:20] Attempting to connect to server 193.144.XYZ.Y:443
[2019-11-27 07:30:20] Connected to 193.144.XXX.YYY:443
[2019-11-27 07:30:20] SSL negotiation with MYVPN.ES
[2019-11-27 07:30:20] Connected to HTTPS on VPN.ES
[2019-11-27 07:30:20] Got HTTP response: HTTP/1.1 101 Switching Protocols
[2019-11-27 07:30:20] Content-type: application/octet-stream
[2019-11-27 07:30:20] Pragma: no-cache
[2019-11-27 07:30:20] Upgrade: IF-T/TLS 1.0
[2019-11-27 07:30:20] Connection: Upgrade
[2019-11-27 07:30:20] Strict-Transport-Security: max-age=31536000
[2019-11-27 07:30:20] > 0000: 00 00 55 97 00 00 00 01 00 00 00 14 00 00 00 00 |..U.............|
...
[2019-11-27 07:30:20] > 0020: 00 00 0d 70 80 00 00 2b 00 00 05 83 4f 70 65 6e |...p...+....Open|
[2019-11-27 07:30:20] > 0030: 20 41 6e 79 43 6f 6e 6e 65 63 74 20 56 50 4e 20 | AnyConnect VPN |
[2019-11-27 07:30:20] > 0040: 41 67 65 6e 74 20 76 38 2e 30 35 00 |Agent v8.05.|
Choose Pulse user realm:
Choose Pulse user realm:
[2019-11-27 07:30:20] > 0000: 00 00 55 97 00 00 00 06 00 00 00 38 00 00 00 04 |..U........8....|
...
Enter user credentials:
[2019-11-27 07:30:22] > 0000: 00 00 55 97 00 00 00 06 00 00 00 58 00 00 00 05 |..U........X....|
...
[2019-11-27 07:30:22] > 0010: 00 0a 4c 01 02 05 00 0c fe 00 0a 4c 00 00 00 01 |..L........L....|
[2019-11-27 07:30:22] Received split include route 193.144.XJ.0/255.255.240.0
[2019-11-27 07:30:22] Received split include route 193.144.YJ.0/255.255.224.0
[2019-11-27 07:30:22] Unknown attr 0x4000 len 1: 01
[2019-11-27 07:30:22] Unknown attr 0x4001 len 1: 00
[2019-11-27 07:30:22] Unknown attr 0x401f len 1: 00
[2019-11-27 07:30:22] Unknown attr 0x4020 len 1: 00
[2019-11-27 07:30:22] Unknown attr 0x4021 len 1: 00
[2019-11-27 07:30:22] Received MTU 1400 from server
[2019-11-27 07:30:22] Received DNS server 193.144.XXX.ZZ
[2019-11-27 07:30:22] Received DNS server 193.144.XXX.ZY
[2019-11-27 07:30:22] Received DNS search domain MYVPN.ES
[2019-11-27 07:30:22] Unknown attr 0x4007 len 4: 00 00 00 00
[2019-11-27 07:30:22] Unknown attr 0x4019 len 1: 01
[2019-11-27 07:30:22] ESP only: 0
[2019-11-27 07:30:22] Unknown attr 0x400f len 2: 00 00
[2019-11-27 07:30:22] ESP encryption: 0x0002 (AES-128)
[2019-11-27 07:30:22] ESP HMAC: 0x0002 (SHA1)
[2019-11-27 07:30:22] ESP key lifetime: 1200 seconds
[2019-11-27 07:30:22] ESP key lifetime: 0 bytes
[2019-11-27 07:30:22] ESP replay protection: 1
[2019-11-27 07:30:22] Unknown attr 0x4015 len 4: 00 00 00 00
[2019-11-27 07:30:22] ESP port: 4500
[2019-11-27 07:30:22] ESP to SSL fallback: 15 seconds
[2019-11-27 07:30:22] Unknown attr 0x4018 len 4: 00 00 00 3c
[2019-11-27 07:30:22] Received internal Legacy IP address 193.144.XXX.YYY
[2019-11-27 07:30:22] Received netmask 255.255.255.255
[2019-11-27 07:30:22] Received internal gateway address 10.200.200.200
[2019-11-27 07:30:22] Unknown attr 0x400c len 1: 00
[2019-11-27 07:30:22] Unknown attr 0x400d len 1: 00
[2019-11-27 07:30:22] Unknown attr 0x400e len 1: 00
[2019-11-27 07:30:22] Unknown attr 0x401b len 1: 00
[2019-11-27 07:30:22] Unknown attr 0x401c len 1: 00
[2019-11-27 07:30:22] Unknown attr 0x13 len 1: 00
[2019-11-27 07:30:22] Unknown attr 0x14 len 1: 00
[2019-11-27 07:30:22] 64 bytes of ESP secrets
[2019-11-27 07:30:22] ESP SPI (outbound): 1331be79
[2019-11-27 07:30:22] > 0000: 00 00 0a 4c 00 00 00 01 00 00 00 c0 00 00 00 07 |...L............|
...
[2019-11-27 07:30:22] > 0010: 6e 63 6d 6f 3d 31 0a 00 |ncmo=1..|
[2019-11-27 07:30:22] Send ESP probes
[2019-11-27 07:30:22] Connected as 193.144.XXX.YYY, using SSL, with ESP in progress
[2019-11-27 07:30:22] ESP session established with server
[2019-11-27 07:31:07] Send ESP probes for DPD
[2019-11-27 07:31:22] Send ESP probes for DPD
[2019-11-27 07:31:43] Send ESP probes for DPD
[2019-11-27 07:32:56] Send ESP probes for DPD
[2019-11-27 07:33:22] Send ESP probes for DPD
Finally, the tunnels are usually like this:
$ sudo lsof -i -n | grep openc
lt-openco 13430 root 5u IPv4 3305614 0t0 TCP 192.168.X.Y:34574->193.144.XXX.Y:https (ESTABLISHED)
lt-openco 13430 root 6u IPv4 3306181 0t0 UDP 192.168.X.Y:38440->193.144.XXX.Y:ipsec-nat-t
It is important to note that if I write from the "server" `curl MYFRONTAL:8080`, and I do in the "frontal":
$ sudo tcpdump -vv -n -s 1500 -i eth0 tcp port 8080
12:32:54.369025 IP (tos 0x0, ttl 251, id 706, offset 0, flags [none], proto TCP (6), length 40)
95.213.XXX.YYY.54370 > 46.101.JJJ.YYY.8080: Flags [S], cksum 0x2a81 (correct), seq 1867839961, win 1024, length 0
...
I can see the packets :), but nothing from there (they never reach the `nc -l 8080` process, and my firewall is disabled).
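As an added diagnostic (not from the question above and not part of OpenConnect itself), the following Python parses the split-include routes, internal address and gateway that the `-v` logs above show the gateway pushing to the client, and reports whether replies to a given peer address would be sent back through the tunnel or over the client's ordinary default route. The sample log lines and every address in them are constructed placeholders, not the poster's real values.

```python
import ipaddress
import re

# Constructed sample of OpenConnect "-v" output in the shape the nc/pulse
# logs above print; the addresses are made up for this example.
SAMPLE_LOG = """\
[2019-11-27 07:34:35] Received split include route 193.144.16.0/255.255.240.0
[2019-11-27 07:34:35] Received split include route 193.144.64.0/255.255.224.0
[2019-11-27 07:34:35] Received MTU 1400 from server
[2019-11-27 07:34:35] Received internal IP address 193.144.20.7
[2019-11-27 07:34:35] Received netmask 255.255.255.255
[2019-11-27 07:34:35] Received internal gateway address 10.200.200.200
"""

ROUTE_RE = re.compile(r"Received split include route (\S+)/(\S+)")
# The pulse protocol prints "internal Legacy IP address", nc prints "internal IP address".
ADDR_RE = re.compile(r"Received internal (?:Legacy )?IP address (\S+)")
MASK_RE = re.compile(r"Received netmask (\S+)")
GW_RE = re.compile(r"Received internal gateway address (\S+)")


def parse_tunnel_config(log_text):
    """Extract the routes and addresses the VPN gateway pushed to the client."""
    cfg = {"routes": [], "internal_ip": None, "netmask": None, "gateway": None}
    for line in log_text.splitlines():
        if m := ROUTE_RE.search(line):
            # Masks arrive as dotted quads; ip_network converts them to prefixes.
            cfg["routes"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := ADDR_RE.search(line):
            cfg["internal_ip"] = ipaddress.ip_address(m[1])
        elif m := MASK_RE.search(line):
            cfg["netmask"] = m[1]
        elif m := GW_RE.search(line):
            cfg["gateway"] = ipaddress.ip_address(m[1])
    return cfg


def tunnel_route_for(cfg, peer):
    """Return the most specific split-include route covering peer, or None.

    None means the client has no tunnel route for that address, so its
    replies leave via the normal default route (eth0), not via the VPN."""
    dest = ipaddress.ip_address(peer)
    matches = [net for net in cfg["routes"] if dest in net]
    return max(matches, key=lambda n: n.prefixlen) if matches else None
```

Run `tunnel_route_for(parse_tunnel_config(open("openconnect.log").read()), "<peer source seen in tcpdump>")` against a real `-v` log to see whether a SYN arriving on eth0 would be answered on a different interface than it arrived on.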