[KLUG Members] OpenVPN & DHCP

Mike Williams knightperson at zuzax.com
Wed Jun 22 19:52:38 EDT 2005


> From: bill <bill at billtron.com>
>
Gonna try my hand at ASCII art here.  Assuming this is even readable, 
have I got the configuration right?


                                                  (static IP of some sort)
                                                    +------------------+
                                                    |                  |
                                                    | hardware firewall|
                                                    |                  |
                                                    |  (UDP 1194)      |
                                                    |     |            |
                                                    +-----+------------+
                                                         \ /
                                                          |
           Windows client                         SuSE Open VPN Server
    (ppp dialup dynamic IP)                       (192.168.0.104 static)
     +-------------------+                     +-------------------------+
     |                   |                     |                         |
     |(tun:192.168.1.6)  | . . . . . . . . . . | (tun:192.168.1.1)       |
     |                   |                     |                         |
     +-------------------+                     +-------------------------+


Based on this the OpenVPN config file on the SuSE box will say something 
like this:

ifconfig 192.168.1.1      192.168.1.6   #  Local tunnel IP then remote
route 192.168.1.6 255.255.255.255  # (might not be necessary )

The Windows box will have

ifconfig 192.168.1.6     192.168.1.1   #  Local tunnel IP then remote
remote [Internet IP of the hardware firewall at the other end]
route 192.168.1.1 255.255.255.255  # (again, might not be necessary)
route 192.168.0.0 255.255.255.0    # if you want the Windows box to access the
                                   # server's LAN, not just the server.

OpenVPN is supposed to allow a dynamic connection at one end, but if 
it's not working you might have to get set up with a dynamic DNS service 
somewhere so you have a name to give the client.  I assume your Server 
has a static IP and/or a DNS name that reaches it?

>>>> >I can connect and, once I disable the software firewall on the OpenVPN
>>>> >box, the client can ping to the tun0 interface (192.168.1.1)
>>>
>>> OK, that's a start.
>>>
>>>> >But, the client cannot ping any of the LAN IPs, not even the one on the
>>>> >OpenVPN box, 192.168.0.104
>>>
>>> Could be a firewall problem on the Windows box.  I haven't tried it with
>>> a Windows client, so I don't know what you have to do to the Windows
>>> firewall to make it work.
>
>The Win box is not using the Windows firewall.  It uses Zonealarm which
>records an alert for each blocked transmission.  I have the vpn adapter
>configured as a "trusted" network and I am not getting alerts about that
>adapter while VPN is up.
>
Probably OK, although it would be worth trying it with ZA disabled to 
completely rule it out.

>
>If I have the SUSE firewall disabled, will I still be able to do this?
>
>
No, but you won't need to.  The purpose of all that stuff was to 
persuade SuSE firewall to allow OpenVPN to do what it needed to do.  If 
you're not using IPTables at all, you should be fine as long as the 
hardware firewall knows to forward OpenVPN packets (udp 1194 or 
whatever) to the OpenVPN server on your LAN.

>>> BTW, in the unlikely event that anybody from SuSE reads this, my thanks 
>>> to the coder who put the comments in /etc/sysconfig/SuSEfirewall2.  It's 
>>> the best commenting I've ever seen in a config file.  If you're ever in 
>>> Grand Rapids, I'll buy you a beer!
>>
>
>That's good news it's well commented, because the YAST configurator
>doesn't work as expected.  When I told it to allow VNC it didn't work.
>When I told it to open the port manually, it did.  Same with VPN,
>telling it to allow it didn't work, telling it to allow UDP 1194 did (at
>least to make the vpn connection).
>
I found the YAST firewall configurator in 9.3 to be very good.  I didn't 
have to go around it until I started doing really complicated stuff like 
OpenVPN.
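
As an added example (not config from this thread or from OpenVPN's own docs), here is a complete static-key, point-to-point pair for the layout in the diagram above, in OpenVPN 2.0 syntax. The file names, the name vpn.example.net standing in for the hardware firewall's public address or dynamic DNS name, and the tunnel pair 192.168.1.1/192.168.1.2 are assumptions. The tunnel endpoints are .1/.2 rather than .1/.6 because in tun mode the TAP-Win32 driver requires the two ifconfig addresses to be the two usable addresses of one /30 (openvpn --show-valid-subnets lists them), and 192.168.1.1 and 192.168.1.6 are not.

```conf
##### /etc/openvpn/p2p.conf on the SuSE box (192.168.0.104) -- assumed path #####
dev tun
proto udp
port 1194                          # the hardware firewall forwards UDP 1194 here
secret /etc/openvpn/static.key     # same file on both ends; generate it once with:
                                   #   openvpn --genkey --secret /etc/openvpn/static.key
ifconfig 192.168.1.1 192.168.1.2   # local tunnel IP, then remote (one /30 for TAP-Win32)
float                              # peer may arrive from a changing dialup address/port
keepalive 10 120                   # ping every 10 s, restart after 120 s of silence
persist-key                        # keep key and tun device across restarts
persist-tun                        # so that root is not needed again after dropping it
user nobody                        # drop root once the tun device is up
group nobody
verb 3

##### client config on the Windows box (ppp dialup, dynamic IP) #####
dev tun
proto udp
nobind                             # the client needs no fixed local port
remote vpn.example.net 1194        # assumed public name/IP of the hardware firewall
resolv-retry infinite              # keep resolving that name across dialup reconnects
secret static.key                  # the same static.key, copied here over a safe channel
ifconfig 192.168.1.2 192.168.1.1   # local tunnel IP, then remote
route 192.168.0.0 255.255.255.0    # send the server's LAN through the tunnel
keepalive 10 120
persist-key
persist-tun
verb 3
```

Three things to check if the tunnel comes up but the LAN stays unreachable. Pinging 192.168.0.104 itself only needs the client's route line, since the server answers from a local address and already has a host route to 192.168.1.2 (the point-to-point ifconfig installs one, so explicit route lines to the far tunnel endpoint are not needed). Reaching any other LAN host additionally needs forwarding enabled on the server (net.ipv4.ip_forward = 1, e.g. echo 1 > /proc/sys/net/ipv4/ip_forward) and a way for replies to get back: either a route to 192.168.1.0/24 via 192.168.0.104 on the LAN hosts or gateway, or NAT on the server such as iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE. Finally, static.key is the whole credential: anyone holding the file can bring up the tunnel, so keep it readable only by root (chmod 600), and regenerate it on both ends if the Windows machine is ever lost.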
