Hi all!
I was making a first attempt to establish a VPN between my house and the
office. The scenery from the side of my house is the following one:
________
+----------+ +-----------+ +----------+ ____/ \___
| OpenVPN |_____| GNU/Linux |_____| ADSL |_____/ Internet \
| server | | Firewall | | Router | \____ ____/
+----------+ +-----------+ +----------+ \_______/
Local network: 10.1.0.0/24
VPN network: 10.8.0.0/24
In the GNU/Linux firewall configuration (using Shorewall), I only added a
DNAT rule to the OpenVPN server. I believe that it is the unique thing that
it would be being necessary.
Besides this, in router I added a rule doing forwarding of the
originating traffic of its own WAN with port 1194 to the interface that
it has in the other end that it gives with GNU/Linux firewall.
Until this instance, starting a OpenVPN client in the office I could
verify that the tunnel is established, but I can only reach the OpenVPN
server. The rest of hosts of my LAN is unareachables.
The following one is a capture with tcpump in the OpenVPN server when I
doing ping from the office to one host of my house:
# tcpdump -i tun0
tcpdump: WARNING: arptype 65534 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
07:08:17.231084 IP 10.8.0.6 > ns1.freesoftware.org: ICMP echo request, id 47698, seq 1, length 64
07:08:18.233021 IP 10.8.0.6 > ns1.freesoftware.org: ICMP echo request, id 47698, seq 2, length 64
07:08:19.231793 IP 10.8.0.6 > ns1.freesoftware.org: ICMP echo request, id 47698, seq 3, length 64
Apparently it would be lacking some way that causes that the packages
could return.
Then I tried adding the following thing:
* To add in my GNU/Linux firewall a rule so that all the traffic that
goes to the network 10.8.0.0/24 is reached through the IP of the
OpenVPN server:
# route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.1.0.4
* Enable forwarding in the OpenVPN server:
# echo 1 > /proc/sys/net/ipv4/ip_forward
And I repeated the test:
07:13:17.213590 IP 10.8.0.6 > ns1.freesoftware.org: ICMP echo request, id 55380, seq 1, length 64
07:13:17.213942 IP ns1.freesoftware.org > 10.8.0.6: ICMP echo reply, id 55380, seq 1, length 64
07:13:18.215097 IP 10.8.0.6 > ns1.freesoftware.org: ICMP echo request, id 55380, seq 2, length 64
07:13:18.215433 IP ns1.freesoftware.org > 10.8.0.6: ICMP echo reply, id 55380, seq 2, length 64
07:13:19.215920 IP 10.8.0.6 > ns1.freesoftware.org: ICMP echo request, id 55380, seq 3, length 64
07:13:19.216272 IP ns1.freesoftware.org > 10.8.0.6: ICMP echo reply, id 55380, seq 3, length 64
This way already I could reach with ping/nmap at the other hosts from the
network. But in tests that I was doing there are moments at which when
trying to login using ssh I can get it and in others I cannot. In this
second case, tcpdump showed a similar problem to which commented above.
I have the impression that continues existing some routing problem
somewhere. Some idea of what can be the problem?
Thanks in advance for your reply.
Regards,
Daniel
--
Fingerprint: BFB3 08D6 B4D1 31B2 72B9 29CE 6696 BF1B 14E6 1D37
Powered by Debian GNU/Linux Squeeze - Linux user #188.598
Attachment:
signature.asc
Description: Digital signature