svn over vpn

[Merlin Morgenstern <me...@fastmail.fm>]

Hi there,

I am trying to get svn running over a vpn tunnel. Unvortunatelly there 
seems to be something I am missing. The tunnel is up an running, ping 
works. Subversion is set up and running as stand alone version.

After I do a checkout:
svn://10.8.0.6/test

Subversion answers:
Checkout from svn://10.8.0.6/test, revision HEAD, Fully recursive, 
Externals included Can't connect to host '10.8.0.6': Es konnte keine 
Verbindung hergestellt
werden, da der Zielcomputer die Verbindung verweigerte.


Do I have to configure subversion somehow to listen to that port 1149 of 
vpn and the ip adress?

Thank you for any help!!

Merlin

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1348224

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: svn over vpn

[Merlin Morgenstern <me...@fastmail.fm>]

Thank you all for your help. I have solved the problem and would like to 
share it with you. Might help somebody else.

1. The ip adress of the server over vpn is 10.8.0.1 - not .6 That would 
be the client
2. On the susefirewall I had to add svnserve as a service allowed
3. the --listen directive seems not to have an influence on my goals
3. The cisco firewall stays blocked for subversion. Only allow vpn.

Result: svn is now available exclusivly over VPN-tunnel!

Thank you all for your help.


Stefan Sperling wrote:
> On Wed, Mar 18, 2009 at 01:59:33PM +0100, Merlin Morgenstern wrote:
>   
>>    Hi there,
>>    I am trying to get svn running over a vpn tunnel. Unvortunatelly there
>>    seems to be something I am missing. The tunnel is up an running, ping
>>    works. Subversion is set up and running as stand alone version.
>>    After I do a checkout:
>>    [1]svn://10.8.0.6/test
>>    Subversion answers:
>>    Checkout from [2]svn://10.8.0.6/test, revision HEAD, Fully recursive,
>>    Externals included Can't connect to host '10.8.0.6': Es konnte keine
>>    Verbindung hergestellt
>>    werden, da der Zielcomputer die Verbindung verweigerte.
>>     
>
> Please report error messages in English, not everyone here understands
> German.
>
> $ export LANG=en_US
> $ svn checkout ...
>
> (FYI the error is essentially saying "connection refused").
>
>   
>>    Do I have to configure subversion somehow to listen to that port 1149
>>    of vpn and the ip adress?
>>     
>
> svnserve can only listen on a single interface/port.
>
> You should not need to specify a port.
>
> If you need access to the svn repository via multiple
> IP addresses at the same time, use apache instead of svnserve.
>
> But did you try connecting to the IP address that svnserve normally
> listens on? Given that routing is set up appropriately on your client box,
> it should try to connect to that IP through the VPN tunnel.
> This is the most appropriate solution since VPNs are supposed to be
> transparent to applications. Whether or not your computer sends packets
> to some destination through the VPN tunnel is none of Subversion's business.
> You didn't say what operating system your client is running and what kind
> of VPN software you are using, so it's hard to give more concrete advice.
>
> Or you can try: svnserve --listen-host 10.8.0.6
> But this would mean that everyone else using the server will have
> to switch to that IP, too, and it must be reachable by them, so it
> may not be ideal.
>
> Stefan
>

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1349551

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: svn over vpn

[Stefan Sperling <st...@elego.de>]

On Wed, Mar 18, 2009 at 03:26:47PM +0100, Merlin Morgenstern wrote:
>    my setup is like this:
>    - One Root server where a cisco firewall and a susefirewall restrict
>    all ports except of: http, htttps, ssh and udp port 1194

When talking about restrictions on ports, you should always be clear
which direction you are talking about, e.g. "from the server's point
of view, all incoming/outgoing connections are blocked ..."

>    - XP Client running openvpn-gui
>    My goal is to be only able to run subversion over VPN for security
>    reasons. I do not want to open the svn port.
>    In a test run I disabled the firewal and did a simple checkout on
>    [3]svn://server/test
>    This worked.

If it works with the firewall disabled, you will need to fix
your firewall configuration to allow connections to svnserve
through the VPN interface.

How to do this depends largely on your Linux distribution, and the way
you run OpenVPN. There should be appropriate help forums for that.
I don't think the Subversion users list is appropriate.

Good luck,
Stefan

Re: svn over vpn

[Stefan Sperling <st...@elego.de>]

On Wed, Mar 18, 2009 at 03:26:47PM +0100, Merlin Morgenstern wrote:
> 
>    Stefan Sperling wrote:
> But did you try connecting to the IP address that svnserve normally
> listens on?

By the way you never answered this question.

Stefan

Re: svn over vpn

[Stefan Sperling <st...@elego.de>]

On Wed, Mar 18, 2009 at 01:59:33PM +0100, Merlin Morgenstern wrote:
> 
>    Hi there,
>    I am trying to get svn running over a vpn tunnel. Unvortunatelly there
>    seems to be something I am missing. The tunnel is up an running, ping
>    works. Subversion is set up and running as stand alone version.
>    After I do a checkout:
>    [1]svn://10.8.0.6/test
>    Subversion answers:
>    Checkout from [2]svn://10.8.0.6/test, revision HEAD, Fully recursive,
>    Externals included Can't connect to host '10.8.0.6': Es konnte keine
>    Verbindung hergestellt
>    werden, da der Zielcomputer die Verbindung verweigerte.

Please report error messages in English, not everyone here understands
German.

$ export LANG=en_US
$ svn checkout ...

(FYI the error is essentially saying "connection refused").

>    Do I have to configure subversion somehow to listen to that port 1149
>    of vpn and the ip adress?

svnserve can only listen on a single interface/port.

You should not need to specify a port.

If you need access to the svn repository via multiple
IP addresses at the same time, use apache instead of svnserve.

But did you try connecting to the IP address that svnserve normally
listens on? Given that routing is set up appropriately on your client box,
it should try to connect to that IP through the VPN tunnel.
This is the most appropriate solution since VPNs are supposed to be
transparent to applications. Whether or not your computer sends packets
to some destination through the VPN tunnel is none of Subversion's business.
You didn't say what operating system your client is running and what kind
of VPN software you are using, so it's hard to give more concrete advice.

Or you can try: svnserve --listen-host 10.8.0.6
But this would mean that everyone else using the server will have
to switch to that IP, too, and it must be reachable by them, so it
may not be ideal.

Stefan

Re: svn over vpn

[David Weintraub <qa...@gmail.com>]

On Wed, Mar 18, 2009 at 10:34 AM, David Weintraub <qa...@gmail.com> wrote:
> I know that VPNs will block ports that they don't want people to use.
> It is very possible that your VPN is not allowing traffic on port
> 3690. Try telnetting to port 3690 on your Subversion server: You
> should get something like this:

Let me clarify: Try telneting TO your Subversion server machine over
the VPN and see if you can connect via port 3690.

Otherwise, you may need to create your own tunnel over the VPN.

--
David Weintraub
qazwart@gmail.com

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1349162

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

Re: svn over vpn

[David Weintraub <qa...@gmail.com>]

For those who don't know German, this is the translation from Babelfish:

No connection could be made, since the goal computer refused the connection.

I know that VPNs will block ports that they don't want people to use.
It is very possible that your VPN is not allowing traffic on port
3690. Try telnetting to port 3690 on your Subversion server: You
should get something like this:

$ telnet svn-server 3690
Trying x.x.x.x...
Connected to svn-server.
Escape character is '^]'.
( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries
commit-revprops depth log-revprops partial-replay ) ) )

If you don't get that, you have several choices:

1). Try to convince your system admins to allow traffic on port 3690.
2). Try svnserve on another port
3). Use tunneling to  get around this problem.

See <http://svnbook.red-bean.com/en/1.4/svn.serverconfig.svnserve.html>
for more information about tunneling. You may have to use ssh to do
the tunneling for you.

One more choice is to do Subversion over HTTP. However, this will
really involve your System Administrators (since they probably control
which machines can run webservers) and may mean you have to make
changes in your repository. Plus, all users might have to do a "svn
switch" since the URL of their chcekouts changed.

On Wed, Mar 18, 2009 at 8:59 AM, Merlin Morgenstern
<me...@fastmail.fm> wrote:
> Hi there,
>
> I am trying to get svn running over a vpn tunnel. Unvortunatelly there seems
> to be something I am missing. The tunnel is up an running, ping works.
> Subversion is set up and running as stand alone version.
>
> After I do a checkout:
> svn://10.8.0.6/test
>
> Subversion answers:
> Checkout from svn://10.8.0.6/test, revision HEAD, Fully recursive, Externals
> included Can't connect to host '10.8.0.6': Es konnte keine Verbindung
> hergestellt
> werden, da der Zielcomputer die Verbindung verweigerte.
>
>
> Do I have to configure subversion somehow to listen to that port 1149 of vpn
> and the ip adress?
>
> Thank you for any help!!
>
> Merlin



-- 
--
David Weintraub
qazwart@gmail.com

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=1348797

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].