
Re: OpenVPN



Daniel Bareiro wrote:
> Hi all!
> 
> I was making a first attempt to establish a VPN between my house and the
> office. The scenario from my house's side is the following:
>                                                           ________
> +----------+     +-----------+     +----------+      ____/        \___
> | OpenVPN  |_____| GNU/Linux |_____| ADSL     |_____/     Internet    \
> | server   |     | Firewall  |     | Router   |     \____         ____/
> +----------+     +-----------+     +----------+          \_______/
> 
> Local network: 10.1.0.0/24
> VPN network:   10.8.0.0/24

I am new to OpenVPN (even to VPNs). I just finished installing it on my home
LAN's gateway (the router machine, running Debian Testing). My setup at home is:
              --------------------
_________     |      Router m/c   |        ________
ADSLModem|-->{eth1  and OpenVPN eth0}---->| Switch |--> Home lan
---------'    |        server   ath0}--,   --------    192.168.0.0/24
              --------------------     |
                                       `--> To Home wifi
                                            192.168.5.0/24

VPN network: 172.16.15.0/24


NB: The VPN server is configured to allow the clients to talk to the home
LAN (and not to the home WLAN). This is primarily because I want to test my
setup from within my home, so I use my WLAN as a remote network for VPN
testing purposes.

Also, I am using tun devices for my VPN (the networks are routed, not
bridged).

Now, to get VPN clients to talk to my home LAN and to the Internet
through my modem, I needed to allow forwarding and postrouting in my
iptables firewall. The rules I added are as follows.
    ###############################################################
    # VPN traffic
    # allow VPN clients to connect from the WAN
    $IPTABLES -A INPUT  -p udp --dport 1194 -j ACCEPT
    $IPTABLES -A INPUT  -p tcp --dport 1194 -j ACCEPT
    # now, allow traffic from VPN clients (this is a very liberal
    # rule, fine-tune later)
    $IPTABLES -A INPUT  -i tun+ -j ACCEPT
    $IPTABLES -A OUTPUT -o tun+ -j ACCEPT
    # forward anything arriving from the tunnel (also very liberal);
    # net.ipv4.ip_forward must be 1 or the FORWARD chain is never consulted
    $IPTABLES -A FORWARD -i tun+ -j ACCEPT
    # replies from the Internet (ppp0 is the ADSL link) back into the tunnel
    $IPTABLES -A FORWARD -o tun+ -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # wifi (ath0) and wired LAN (eth0) hosts may open connections to VPN clients
    $IPTABLES -A FORWARD -i ath0 -o tun+ -j ACCEPT
    $IPTABLES -A FORWARD -i eth0 -o tun+ -j ACCEPT

    # and also: hide VPN clients behind the gateway's external address
    $IPTABLES -t nat -A POSTROUTING -s 172.16.15.0/24 -o $EXTIF -j MASQUERADE
    ###############################################################

In your case, allow port forwarding from your firewall to the VPN server.
This needs to be configured on your firewall/router machine.

Next, to let your VPN clients talk to your LAN, you need to set up
forwarding and masquerading on your VPN server machine. And in your
case, I think $EXTIF is going to be the LAN card of your VPN server. In
the rules example above, you need to change the devices according to
your setup (you probably won't have the ath0 line).

Hope this is helpful in some way. If you have further questions about my
setup, let me know.

Regards.
->HS



-- 

Please reply to this list only. I read this list on its corresponding
newsgroup on gmane.org. Replies sent to my email address are just
filtered to a folder in my mailbox and get periodically deleted without
ever having been read.
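As an added example (not from HS's post, nor from the OpenVPN project), here is a tighter version of the routed-tun gateway rule set described above, written as a small POSIX shell script. It assumes the interfaces and subnets from the post (OpenVPN on UDP/1194 behind the ADSL link ppp0, wired LAN 192.168.0.0/24 on eth0, VPN subnet 172.16.15.0/24), assumes that INPUT and FORWARD already have a DROP policy so that only explicit ACCEPTs pass, and uses `-m conntrack --ctstate` in place of the older `-m state --state`. It differs from the posted rules in that forwarding out of the tunnel is limited to the wired LAN and the Internet (the wifi network is left out, matching the NB above), tunnel packets must carry a VPN-subnet source address, the return-path rule is not tied to one WAN interface name, and masquerading applies only to VPN-sourced packets leaving via the WAN. All interface and network names are overridable through environment variables; setting IPTABLES=echo prints the rules instead of installing them.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenVPN project: a tighter
# version of the routed-tun gateway rules. Assumptions (override via env):
#   - OpenVPN listens on UDP/1194 on the WAN link ppp0 (the post hard-codes ppp0)
#   - home LAN is 192.168.0.0/24 on eth0, VPN subnet is 172.16.15.0/24 (from the post)
#   - INPUT and FORWARD already have a DROP policy, so only explicit ACCEPTs pass
set -eu

IPTABLES="${IPTABLES:-iptables}"        # set IPTABLES=echo to dry-run (print rules only)
EXTIF="${EXTIF:-ppp0}"                  # WAN / Internet-facing interface
LANIF="${LANIF:-eth0}"                  # wired home LAN interface
LANNET="${LANNET:-192.168.0.0/24}"      # home LAN; the wifi net (ath0) is deliberately absent
VPNNET="${VPNNET:-172.16.15.0/24}"      # OpenVPN server subnet handed out to clients
VPNPORT="${VPNPORT:-1194}"
VPNPROTO="${VPNPROTO:-udp}"             # one OpenVPN instance speaks one protocol; open only that one

# Kernel-side forwarding: the FORWARD chain is never consulted without this.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

vpn_rules() {
    # 1. Let clients reach the OpenVPN daemon from the Internet, on one protocol only.
    $IPTABLES -A INPUT -i "$EXTIF" -p "$VPNPROTO" --dport "$VPNPORT" -j ACCEPT

    # 2. Traffic from the tunnel to the gateway itself (DNS, SSH, ...): only
    #    packets that carry a VPN-subnet source; anything else arriving on tun+
    #    is spoofed or misconfigured and falls through to the DROP policy.
    $IPTABLES -A INPUT -i tun+ -s "$VPNNET" -j ACCEPT
    $IPTABLES -A OUTPUT -o tun+ -d "$VPNNET" -j ACCEPT

    # 3. Forwarding out of the tunnel: wired home LAN (not the wifi net) and the Internet.
    $IPTABLES -A FORWARD -i tun+ -s "$VPNNET" -o "$LANIF" -d "$LANNET" -j ACCEPT
    $IPTABLES -A FORWARD -i tun+ -s "$VPNNET" -o "$EXTIF" -j ACCEPT

    # 4. Forwarding into the tunnel: replies to anything the clients started,
    #    whichever interface they come back on (the post's reply rule matched
    #    ppp0 only), plus new connections from the wired LAN to the clients.
    $IPTABLES -A FORWARD -o tun+ -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LANIF" -s "$LANNET" -o tun+ -d "$VPNNET" -j ACCEPT

    # 5. Masquerade only VPN-sourced packets, and only on the WAN side, so LAN
    #    hosts still see the real 172.16.15.x client address.
    $IPTABLES -t nat -A POSTROUTING -s "$VPNNET" -o "$EXTIF" -j MASQUERADE
}

# Run "sh vpn-rules.sh apply" as root to install; without "apply" nothing is touched.
if [ "${1:-}" = apply ]; then
    enable_forwarding
    vpn_rules
fi
```

Run it once with `IPTABLES=echo sh vpn-rules.sh apply` (as a normal user) to review the exact rules before installing them; the sysctl call will fail without root, so for a pure dry run call `vpn_rules` from an interactive shell after sourcing the file. Because every ACCEPT names both the interface and the expected source or destination subnet, a client that injects packets with a LAN or WAN source address into the tunnel is dropped by the default policy rather than forwarded.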
