
Re: OpenVPN



On Wednesday, 28 October 2009 07:39:18 -0700,
peasthope@shaw.ca wrote:

> Daniel,

Hi, Peter.

> > Until this instance, starting an OpenVPN client in the office I could
> > verify that the tunnel is established, but I can only reach the
> > OpenVPN server. The rest of the hosts of my LAN are unreachable.
> > ...
> > I have the impression that some routing problem still exists
> > somewhere. Any idea of what the problem could be?
> 
> For a few years now I've run a VPN similar to what you describe.
> http://carnot.yi.org/NetworksPage.html
> 
> Observe entries such as "route 172.23.4.2" and 
> "# route shawmail.gv.shawcable.net" in 
> dalton: ... myvpn.conf.
> 
> "route 172.23.4.2" allows a machine such as 
> Cantor at UBC to transmit to Curie at home.
> 
> "route shawmail.gv.shawcable.net" allows Cantor 
> at UBC to send a message through the tunnel to 
> the SMTP server of my home ISP.  The server will 
> not accept the message unless it comes from my 
> LAN.  With this routing, the UBC and home LANs 
> are in effect one LAN.  The domain name for SMTP 
> is associated with two IP addresses.  For 
> routing to be reliable, both addresses must be 
> specified explicitly.
> 
> Shorewall is a superb example of open source 
> software.  Documentation is excellent.

Now I'm doing tests, but this time with the OpenVPN server in the office
and a client in my house. The OpenVPN server is behind the firewall of
the office.

In these tests the tunnel is established between the client in my house
and the OpenVPN server in the office. These are the tests that I was able
to do:

1.- Server with IP forwarding disabled and no change in the present
configuration of the firewall: the client in my house is only able to
reach the OpenVPN server.

2.- Server with IP forwarding enabled and no change in the present
configuration of the firewall: same result as (1).

3.- Server with IP forwarding enabled and the following routing rule
added on the firewall: I can additionally reach the firewall, but no
other host of the same network.

# route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.0.0.38

This is the configuration of the client in my house:

---------------------------------------------------------------------------
# cat /etc/openvpn/client1
client
proto udp
dev tun
remote aaa.bbb.ccc.ddd 1194  # with aaa.bbb.ccc.ddd the public IP of OpenVPN server
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3
ns-cert-type server
---------------------------------------------------------------------------


This is the configuration of the server in the office:

---------------------------------------------------------------------------
# cat /etc/openvpn/server.conf
port 1194
proto udp
dev tun

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key  # This file should be kept secret
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

keepalive 10 120

comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status /var/log/openvpn-status.log

verb 3

push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 10.0.0.11"
push "dhcp-option DOMAIN local.net"
---------------------------------------------------------------------------

Local network: 10.0.0.0/24
VPN network:   10.8.0.0/24

In the configuration of Shorewall I only added a rule of DNAT to the
OpenVPN server:

---------------------------------------------------------------------------
# DGB - 20091029 - OpenVPN
DNAT   inet     saav:10.0.0.38                udp     1194    -    aaa.bbb.ccc.ddd
---------------------------------------------------------------------------

From what I see comparing with what you have, my configuration is
somewhat different (road warrior?), but I have the impression that the
problem that exists is one of routing on the office side.


Thanks for your reply.

Regards,
Daniel
-- 
Fingerprint: BFB3 08D6 B4D1 31B2 72B9  29CE 6696 BF1B 14E6 1D37
Powered by Debian GNU/Linux Squeeze - Linux user #188.598
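
The three tests above differ only in the server's ip_forward flag and in one route on the firewall, so they can be reasoned through with the route tables alone. The script below is an added example written for this thread, not code from either poster: it models the office side (OpenVPN server 10.0.0.38, LAN 10.0.0.0/24, tunnel 10.8.0.0/24, the pushed route and the `route add` from test 3), does a longest-prefix lookup at every hop, honours ip_forward on the OpenVPN server, and traces the request and the reply separately. The firewall's LAN address 10.0.0.1, the LAN host 10.0.0.20, the client tunnel address 10.8.0.6 with peer 10.8.0.5 (net30 topology), and the two upstream default gateways are assumptions; the thread does not give them. It models routing only, not Shorewall's filtering policy, so it shows what the route tables by themselves imply for each test.

```python
import ipaddress

# Constructed model of the office side of this thread. Addresses other than
# 10.0.0.38, 10.0.0.0/24 and 10.8.0.0/24 are assumptions, not from the page.
# Each route is (destination prefix, next hop or None for on-link, interface).
def build_model(server_forwards: bool, firewall_route_to_vpn: bool) -> dict:
    """Return {host: {"routes": [...], "forwarding": bool}} for one test scenario."""
    firewall_routes = [
        ("0.0.0.0/0", "198.51.100.1", "ppp0"),   # constructed upstream next hop
        ("10.0.0.0/24", None, "eth1"),
    ]
    if firewall_route_to_vpn:
        # test 3: route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.0.0.38
        firewall_routes.append(("10.8.0.0/24", "10.0.0.38", "eth1"))
    return {
        "openvpn server (10.0.0.38)": {
            "forwarding": server_forwards,   # /proc/sys/net/ipv4/ip_forward
            "routes": [
                ("0.0.0.0/0", "10.0.0.1", "eth0"),
                ("10.0.0.0/24", None, "eth0"),
                ("10.8.0.0/24", None, "tun0"),   # from "server 10.8.0.0 255.255.255.0"
            ],
        },
        "firewall (10.0.0.1)": {"forwarding": True, "routes": firewall_routes},
        "lan host (10.0.0.20)": {
            "forwarding": False,
            "routes": [("0.0.0.0/0", "10.0.0.1", "eth0"), ("10.0.0.0/24", None, "eth0")],
        },
        "vpn client (10.8.0.6)": {
            "forwarding": False,
            "routes": [
                ("0.0.0.0/0", "192.168.1.1", "eth0"),   # constructed home default route
                ("10.8.0.0/24", None, "tun0"),
                ("10.0.0.0/24", "10.8.0.5", "tun0"),    # pushed: route 10.0.0.0 255.255.255.0
            ],
        },
    }

# Which modelled host owns which address (10.8.0.5 is the server end of the tunnel).
HOST_BY_IP = {
    "10.0.0.1": "firewall (10.0.0.1)",
    "10.0.0.38": "openvpn server (10.0.0.38)",
    "10.0.0.20": "lan host (10.0.0.20)",
    "10.8.0.6": "vpn client (10.8.0.6)",
    "10.8.0.5": "openvpn server (10.0.0.38)",
}

def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop, iface) or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best

def trace(model, start, dst, max_hops=8):
    """Follow one packet from host `start` toward `dst`; the last element says how it ended."""
    path, host = [start], start
    for _ in range(max_hops):
        if HOST_BY_IP.get(dst) == host:
            path.append("delivered")
            return path
        if host != start and not model[host]["forwarding"]:
            path.append(f"dropped: ip_forward=0 on {host}")
            return path
        route = lookup(model[host]["routes"], dst)
        if route is None:
            path.append(f"no route on {host}")
            return path
        _, nh, _ = route
        nxt = HOST_BY_IP.get(dst if nh is None else nh)
        if nxt is None:
            path.append(f"left model toward {nh}")
            return path
        host = nxt
        path.append(host)
    path.append("hop limit exceeded")
    return path

def reachable(model, src_ip, dst_ip):
    """True only when the request and the reply are both delivered."""
    there = trace(model, HOST_BY_IP[src_ip], dst_ip)
    back = trace(model, HOST_BY_IP[dst_ip], src_ip)
    return there[-1] == "delivered" and back[-1] == "delivered"

if __name__ == "__main__":
    scenarios = {"test 1": (False, False), "test 2": (True, False), "test 3": (True, True)}
    for name, (fwd, fw_route) in scenarios.items():
        m = build_model(fwd, fw_route)
        print(name, {ip: reachable(m, "10.8.0.6", ip) for ip in ("10.0.0.38", "10.0.0.1", "10.0.0.20")})
        print("  reply from LAN host:", " -> ".join(trace(m, "lan host (10.0.0.20)", "10.8.0.6")))
```

Running it shows the server reachable in every test, the reply from a LAN host leaving via the firewall's upstream default route whenever the firewall lacks a route to 10.8.0.0/24, and the client's packets stopping at the server while ip_forward is 0. Because the model ignores packet filtering, any difference between its test 3 result and what is observed on the real network points at the firewall's policy rather than at the route tables.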