[KLUG Members] OpenVPN & DHCP

Mike Williams knightperson at zuzax.com
Tue Jun 21 13:23:23 EDT 2005


> From: bill <bill at billtron.com>
>
>On Mon, 2005-06-20 at 08:27, Adam Tauno Williams wrote:
>>>> > I'm getting very close to testing an OpenVPN setup, but have become
>>>> > stumped at the server config.
>>>
>>> Perhaps a little ASCII art would help clarify this for us.
>
>O.K. So now I'm testing.
>
>Winxp client - internet - fwfirewall - OpenVPN server on inside LAN
>
>The Winbox is using Dial up. (some dialup IP & 192.168.1.6 for vpn)
>
>Openvpn is on the internal LAN at 192.168.0.104
>
>	OpenVPN server.conf says 192.168.1.0 255.255.255.0
>	Ifconfig says tun0 is 192.168.1.1
That's the near side IP?

>	Using tun not tap (routing not bridging)
>	OpenVPN server is using one physical eth device
>
>I can connect and, once I disable the software firewall on the OpenVPN
>box, the client can ping to the tun0 interface (192.168.1.1)
>
OK, that's a start.

>But, the client cannot ping any of the LAN IPs, not even the one on the
>OpenVPN box, 192.168.0.104
Could be a firewall problem on the Windows box.  I haven't tried it with 
a Windows client, so I don't know what you have to do to the Windows 
firewall to make it work.

>A quick check of the OpenVPN docs says:
>
>On Linux, use the command:
>
>        echo 1 > /proc/sys/net/ipv4/ip_forward
>
>I did that, as root, while the OpenVPN connection was up but the client
>still can't ping the remote LAN.
>
That just turns on IP forwarding, which you can also do from YAST.  
You'll also need to use YAST to add a service on the external interface 
for the port number that the packets come in as before they're 
decrypted.  Custom, UDP, 1194, or whatever port you have OpenVPN using.

Now comes the part where you have to attack /etc/sysconfig/SuSEfirewall2 
with your favorite text editor.  You need to add tun0 as an additional 
internal interface (section 3), and you need to tell it to allow packet 
forwarding within the same class, not just between classes (section 
23).  Classes in this case means internal, external, and DMZ.

BTW, in the unlikely event that anybody from SuSE reads this, my thanks 
to the coder who put the comments in /etc/sysconfig/SuSEfirewall2.  It's 
the best commenting I've ever seen in a config file.  If you're ever in 
Grand Rapids, I'll buy you a beer!
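As an added example (not part of this thread, and not SuSE's or OpenVPN's own tooling), the script below is a read-only checklist for the routed-tun setup bill describes: it verifies the ip_forward setting Mike mentions, the open UDP port, tun0 being listed as an internal device, and within-class forwarding in /etc/sysconfig/SuSEfirewall2, and it adds one check the thread does not spell out: the server must push a route for the 192.168.0.0/24 LAN to clients, otherwise they can reach tun0 and nothing behind it. The file paths, the LAN subnet, and the SuSEfirewall2 variable names FW_DEV_INT, FW_ROUTE, FW_ALLOW_CLASS_ROUTING and FW_SERVICES_EXT_UDP are my assumptions about what "section 3" and "section 23" refer to on the poster's box; every path can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original thread): a read-only checklist for the
# routed (tun) OpenVPN setup discussed above. The file paths, the LAN subnet and
# the SuSEfirewall2 variable names are assumptions about the poster's box; the
# environment variables let you point the checks at other locations.

SERVER_CONF="${SERVER_CONF:-/etc/openvpn/server.conf}"
SUSEFW_CONF="${SUSEFW_CONF:-/etc/sysconfig/SuSEfirewall2}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
LAN_NET="${LAN_NET:-192.168.0.0 255.255.255.0}"   # LAN behind the OpenVPN server
VPN_PORT="${VPN_PORT:-1194}"

# Kernel forwarding: "echo 1 > /proc/sys/net/ipv4/ip_forward" only lasts until
# reboot; persist it (YaST or sysctl) once the setup is confirmed working.
check_ip_forward() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Clients reach tun0 but nothing behind it unless the server pushes a route
# for the LAN; a plain 'server 192.168.1.0 255.255.255.0' line is not enough.
check_push_route() {
    grep -Fq "push \"route $2\"" "$1"
}

# Print the (last) value of shell variable $2 in sysconfig-style file $1,
# with surrounding double quotes and any trailing comment removed.
fw_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Membership test: is word $1 in the space-separated list $2?
has_word() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

check_fw_tun_internal() { has_word tun0 "$(fw_value "$1" FW_DEV_INT)"; }
check_fw_route()        { [ "$(fw_value "$1" FW_ROUTE)" = "yes" ]; }
check_fw_class_routing() {
    v="$(fw_value "$1" FW_ALLOW_CLASS_ROUTING)"
    has_word int "$v" || has_word all "$v"
}
check_fw_udp_port() { has_word "$2" "$(fw_value "$1" FW_SERVICES_EXT_UDP)"; }

# Run every check; prints one line per failure and returns the failure count
# (0 means everything the thread asked for is in place). What it cannot see:
# the LAN hosts still need a return route for the tun subnet via the server.
run_checks() {
    fails=0
    check_ip_forward "$IP_FORWARD" ||
        { echo "FAIL: $IP_FORWARD is not 1"; fails=$((fails + 1)); }
    check_push_route "$SERVER_CONF" "$LAN_NET" ||
        { echo "FAIL: $SERVER_CONF does not push \"route $LAN_NET\""; fails=$((fails + 1)); }
    check_fw_tun_internal "$SUSEFW_CONF" ||
        { echo "FAIL: tun0 missing from FW_DEV_INT in $SUSEFW_CONF"; fails=$((fails + 1)); }
    check_fw_route "$SUSEFW_CONF" ||
        { echo "FAIL: FW_ROUTE is not \"yes\" in $SUSEFW_CONF"; fails=$((fails + 1)); }
    check_fw_class_routing "$SUSEFW_CONF" ||
        { echo "FAIL: FW_ALLOW_CLASS_ROUTING does not include int"; fails=$((fails + 1)); }
    check_fw_udp_port "$SUSEFW_CONF" "$VPN_PORT" ||
        { echo "FAIL: UDP $VPN_PORT missing from FW_SERVICES_EXT_UDP"; fails=$((fails + 1)); }
    return $fails
}

# Run the checks only when invoked as 'sh vpn_check.sh check', so the functions
# can also be sourced and called individually.
case "${1:-}" in
    check) run_checks ;;
esac
```

Run it on the VPN server as `sh vpn_check.sh check`; the exit status is the number of failed checks, so it can sit in a cron job or a post-change hook. Note the one thing it cannot verify from the server alone: the machines on 192.168.0.0/24 need a route back to 192.168.1.0/24 via the OpenVPN box (or the box must NAT the tun traffic), otherwise pings leave the client fine and the replies have nowhere to go.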
