[KLUG Members] OpenVPN & DHCP

bill bill at billtron.com
Tue Jun 21 14:12:49 EDT 2005


On Tue, 2005-06-21 at 13:23, Mike Williams wrote:

> >Winxp client - internet - hwfirewall - OpenVPN server on inside LAN
> >
> >The Winbox is using Dial up. (some dialup IP & 192.168.1.6 for vpn)
> >
> >Openvpn is on the internal LAN at 192.168.0.104
> >
> >	OpenVPN server.conf says 192.168.1.0 255.255.255.0
> >	Ifconfig says tun0 is 192.168.1.1
> >  
> >
> That's the near side IP?

I don't know what "near side" means.

Server LAN is	192.168.0.x
Tunnel is	192.168.1.x

> >	Using tun not tap (routing not bridging)
> >	OpenVPN server is using one physical eth device
> >
> >I can connect and, once I disable the software firewall on the OpenVPN
> >box, the client can ping to the tun0 interface (192.168.1.1)
> >
> OK, that's a start.
> 
> >But, the client cannot ping any of the LAN IPs, not even the one on the
> >OpenVPN box, 192.168.0.104
> >
> Could be a firewall problem on the Windows box.  I haven't tried it with 
> a Windows client, so I don't know what you have to do to the Windows 
> firewall to make it work.

The Win box is not using the Windows firewall.  It uses Zonealarm which
records an alert for each blocked transmission.  I have the vpn adapter
configured as a "trusted" network and I am not getting alerts about that
adapter while VPN is up.

> >        echo 1 > /proc/sys/net/ipv4/ip_forward

> That just turns on IP forwarding, which you can also do from YAST.  
> You'll also need to use YAST to add a service on the external interface 
> for the port number that the packets come in as before they're 
> decrypted.  Custom, UDP, 1194, or whatever port you have OpenVPN using.

I'll look into "adding a service on the external interface."  I hope
that's not a firewall configuration.

I had configured the SUSE Server software firewall to allow 1194, which
allowed me to connect, but I couldn't ping.  Once I disabled the SUSE
firewall completely I was able to ping the tunnel IP.  Note that the
OpenVPN SUSE server is behind a hardware firewall so I don't really need
the SUSE firewall.

> Now comes the part where you have to attack /etc/sysconfig/SuSEfirewall2 
> with your favorite text editor.  You need to add tun0 as an additional 
> internal interface (section 3), and you need to tell it to allow packet 
> forwarding within the same class, not just between classes (section 
> 23).  Classes in this case means internal, external, and DMZ.

If I have the SUSE firewall disabled, will I still be able to do this?

> BTW, in the unlikely event that anybody from SuSE reads this, my thanks 
> to the coder who put the comments in /etc/sysconfig/SuSEfirewall2.  It's 
> the best commenting I've ever seen in a config file.  If you're ever in 
> Grand Rapids, I'll buy you a beer!

That's good news it's well commented, because the YAST configurator
doesn't work as expected.  When I told it to allow VNC it didn't work.
When I told it to open the port manually, it did.  Same with VPN,
telling it to allow it didn't work, telling it to allow UDP 1194 did (at
least to make the vpn connection).

kind regards,

bill
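
The round trip this thread is debugging, traced hop by hop, as an added example that is not part of the list post, of OpenVPN or of SuSEfirewall2. The model uses the addresses named above (client tun 192.168.1.6, server 192.168.0.104 with tun0 192.168.1.1, tunnel 192.168.1.0/24, LAN 192.168.0.0/24); the hostnames, the LAN PC at 192.168.0.50, the hardware firewall at 192.168.0.1 and the dial-up and WAN addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges are constructed assumptions, and OpenVPN's net30 /30 point-to-point detail is collapsed into "the client reaches the server's tun0 address over tun". The three knobs are the ones the thread circles around: whether the server pushes a route for the LAN to the client, whether the server forwards (ip_forward plus the host firewall's FORWARD chain), and whether LAN hosts have a route back to the tunnel network.

```python
"""Trace an ICMP echo request and reply through the tun routing setup above.

Constructed model (added example, not from the list post): addresses other
than those named in the thread, and all hostnames, are assumptions.
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Host:
    name: str
    addrs: dict              # interface -> IPv4Address
    routes: list             # (IPv4Network, out interface, gateway or None for on-link)
    forwards: bool = False   # /proc/sys/net/ipv4/ip_forward
    fw_forward: bool = True  # host firewall lets FORWARD traffic through

    def lookup(self, dst):
        """Longest-prefix match, as the kernel FIB does."""
        best = None
        for net, iface, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, gw)
        return best


def owner(topo, ip):
    """Which host (and interface) answers to this address, if any."""
    for host in topo.values():
        for iface, addr in host.addrs.items():
            if addr == ip:
                return host, iface
    return None


def trace(topo, src, dst, max_hops=6):
    """Follow one packet hop by hop; returns (delivered, path, reason)."""
    dst = IPv4(dst)
    node, in_iface, path = topo[src], None, [src]
    for _ in range(max_hops):
        if dst in node.addrs.values():
            return True, path, "delivered"
        route = node.lookup(dst)
        if route is None:
            return False, path, f"{node.name}: no route to {dst}"
        _, out_iface, gw = route
        if in_iface is not None:           # transit traffic, not locally generated
            if not node.forwards:
                return False, path, f"{node.name}: ip_forward=0, not forwarding {in_iface}->{out_iface}"
            if not node.fw_forward:
                return False, path, f"{node.name}: firewall drops FORWARD {in_iface}->{out_iface}"
        nexthop = gw or dst
        hit = owner(topo, nexthop)
        if hit is None:                    # left the modelled network (e.g. out the dial-up link)
            return False, path + [f"{out_iface}->{nexthop}"], f"{node.name}: nothing reachable at {nexthop} via {out_iface}"
        node, in_iface = hit
        path.append(node.name)
    return False, path, "hop limit exceeded"


def ping(topo, src, src_ip, dst):
    """Echo request src -> dst, then the echo reply back to src_ip."""
    ok, path, why = trace(topo, src, dst)
    if not ok:
        return False, f"request failed, {why} (path {' > '.join(path)})"
    replier = owner(topo, IPv4(dst))[0].name
    ok, path, why = trace(topo, replier, src_ip)
    if not ok:
        return False, f"reply failed, {why} (path {' > '.join(path)})"
    return True, f"round trip ok (reply path {' > '.join(path)})"


def build(push_route, ip_forward, lan_return_route, server_fw_forward=True):
    """The thread's topology with the settings under discussion as knobs."""
    client = Host("winxp", {"ppp0": IPv4("203.0.113.7"), "tun": IPv4("192.168.1.6")},
                  [(Net("0.0.0.0/0"), "ppp0", IPv4("203.0.113.1")),
                   (Net("192.168.1.0/24"), "tun", IPv4("192.168.1.1"))])
    if push_route:   # server.conf: push "route 192.168.0.0 255.255.255.0"
        client.routes.append((Net("192.168.0.0/24"), "tun", IPv4("192.168.1.1")))
    server = Host("suse", {"eth0": IPv4("192.168.0.104"), "tun0": IPv4("192.168.1.1")},
                  [(Net("192.168.0.0/24"), "eth0", None), (Net("192.168.1.0/24"), "tun0", None),
                   (Net("0.0.0.0/0"), "eth0", IPv4("192.168.0.1"))],
                  forwards=ip_forward, fw_forward=server_fw_forward)
    lanpc = Host("lanpc", {"eth0": IPv4("192.168.0.50")},
                 [(Net("192.168.0.0/24"), "eth0", None), (Net("0.0.0.0/0"), "eth0", IPv4("192.168.0.1"))])
    if lan_return_route:   # on the LAN PC: route add -net 192.168.1.0/24 gw 192.168.0.104
        lanpc.routes.append((Net("192.168.1.0/24"), "eth0", IPv4("192.168.0.104")))
    hwfw = Host("hwfirewall", {"eth0": IPv4("192.168.0.1"), "wan": IPv4("198.51.100.9")},
                [(Net("192.168.0.0/24"), "eth0", None), (Net("0.0.0.0/0"), "wan", IPv4("198.51.100.1"))],
                forwards=True)
    return {h.name: h for h in (client, server, lanpc, hwfw)}


if __name__ == "__main__":
    for label, topo, dst in [
        ("no pushed route, ping server LAN IP", build(False, True, False), "192.168.0.104"),
        ("pushed route, ip_forward=0, ping server LAN IP", build(True, False, False), "192.168.0.104"),
        ("pushed route, ip_forward=0, ping LAN PC", build(True, False, False), "192.168.0.50"),
        ("pushed route, forwarding, no LAN return route", build(True, True, False), "192.168.0.50"),
        ("pushed route, forwarding, LAN return route", build(True, True, True), "192.168.0.50"),
    ]:
        ok, detail = ping(topo, "winxp", "192.168.1.6", dst)
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {detail}")
```

Two things the model makes visible that the thread does not spell out. First, a ping to the server's own LAN address (192.168.0.104) never needs forwarding: it is delivered locally on the server, so if that one fails while the tunnel address (192.168.1.1) answers, the packet is not entering the tunnel at all (no route for 192.168.0.0/24 on the client, i.e. nothing pushed from server.conf) or the server's INPUT rules are dropping it on tun0. Second, once forwarding and the firewall are right, a ping to another LAN host still fails in one direction: the LAN PC sends its reply to its default gateway, the hardware firewall, which has no idea where 192.168.1.0/24 lives. Either give LAN hosts (or the hardware firewall) a route for 192.168.1.0/24 via 192.168.0.104, or masquerade tunnel traffic on the server's eth0 so replies come back to 192.168.0.104 on their own. The `fw_forward` knob stands in for the SuSEfirewall2 changes Mike describes (tun0 listed as an internal device and same-class routing permitted); with the SuSE firewall disabled entirely, as bill has it, that knob is simply "true".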


