
Re: [Openvpn-users] arbitrary routes not working


  • Subject: Re: [Openvpn-users] arbitrary routes not working
  • From: Florin Andrei <florin@xxxxxxxxxxxxxxx>
  • Date: 30 Jan 2004 16:43:32 -0800

The firewall has a different access model to the DMZ for "internal"
systems than for "external".
Besides, there are certain types of traffic between "internal" systems
(and road warriors are considered "internal") and DMZ that I do not want
to send over the Internet unencrypted.

On Wed, 2004-01-28 at 23:04, rsalles wrote:
> Excuse me for asking: why do you need a VPN tunnel to access a public 
> Internet link... The DMZ public IP address is reachable through the 
> default gateway. If you want to bypass the firewall rules to access the 
> DMZ server, that is another question (iptables/firewall in general) and is 
> not directly related to OpenVPN.
> 
> 
> HTH,
> 
> 
> RSalles
> 
> 
> On Wed, 28 Jan 2004, Florin Andrei wrote:
> 
> > Now I know why there are so many raving user testimonials: those are
> > probably people like me who, after banging their heads in the IPSec
> > wall, suddenly stumble upon OpenVPN and poof! everything works. :-)
> > 
> > Well, almost everything. I can't seem to find a way to add static routes
> > through the tunnel.
> > 
> > My OpenVPN server is on Linux, I'm using the bridging model, I'm testing
> > with a Win2K road warrior. The OpenVPN version is 1.6beta1.
> > 
> > The Linux thing is a classic 3-interface firewall, eth2 facing the
> > Internet, eth1 facing the internal network on a private 192.168.1.0/24
> > address space (will be NATed once I finish up the VPN configuration; now
> > I'm only playing with dummy systems), eth0 facing a /26 DMZ on public
> > addresses which is not NATed but is publicly accessible (only slightly
> > filtered with iptables).
> > 
> > My goals are:
> > - to assign the road-warrior an address in the internal, private address
> > space and let it see the internal network
> > - to make the tunnel work through whatever firewall may happen to be on
> > the road-warrior side (NATing or not)
> > - to enable the road warrior to access the DMZ (which is on public,
> > non-NATed addresses) through the VPN tunnel
> > 
> > I can easily achieve the first 2 goals, thanks to this excellent piece
> > of software which is OpenVPN.
> > I cannot achieve the 3rd goal.
> > 
> > I'll first describe my entire configuration. At the end of this message
> > I'll describe the symptoms.
> > 
> > Here's the config file on the client (public addresses are obfuscated):
> > 
> > ########### road-warrior ############
> > remote X.Y.Z.189
> > port 5000
> > dev tap
> > fragment 1400
> > mssfix
> > ifconfig 192.168.1.252 255.255.255.0
> > ifconfig-nowarn
> > #route X.Y.Z.192 255.255.255.192 vpn_gateway
> > secret test-key.txt
> > ping 10
> > verb 3
> > #####################################
> > 
> > Here's the config on the server (some obfuscation may occur :-D):
> > 
> > ############### server ##############
> > local X.Y.Z.189
> > port 5000
> > dev tap0
> > fragment 1400
> > mssfix
> > secret test-key.txt
> > persist-key
> > persist-tun
> > ping-timer-rem
> > ping-restart 60
> > ping 10
> > user xxxxxx
> > group xxxxxx
> > verb 3
> > #####################################
> > 
> > Here's the script I used on the server to fire up the bridging stuff
> > (lots of "sleep 1"; otherwise eth1 got mangled):
> > 
> > ########## warp engines on ##########
> > maxtap=15
> > # pull IPADDR/NETMASK/BROADCAST for eth1 from the distro's ifcfg file
> > . /etc/sysconfig/network-scripts/ifcfg-eth1
> > modprobe tun
> > modprobe bridge
> > ifconfig eth1 down
> > # pre-create persistent tap0..tap15 for the openvpn instances to attach to
> > for i in `seq 0 ${maxtap}`; do
> >     openvpn --mktun --dev tap${i}
> > done
> > sleep 1
> > brctl addbr br0
> > brctl addif br0 eth1
> > sleep 1
> > for i in `seq 0 ${maxtap}`; do
> >     brctl addif br0 tap${i}
> > done
> > sleep 1
> > # bridge members carry no address of their own; the IP lives on br0
> > for i in `seq 0 ${maxtap}`; do
> >     ifconfig tap${i} 0.0.0.0 promisc up
> > done
> > sleep 1
> > ifconfig eth1 0.0.0.0 promisc up
> > sleep 1
> > # eth1's former address moves to the bridge interface
> > ifconfig br0 ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}
> > #####################################
> > 
> > Here's the routing table on the server (some addresses mangled, some
> > less important columns deleted altogether):
> > 
> > ########### server routes ###########
> > Destination Gateway   Genmask         Iface
> > X.Y.Z.192   0.0.0.0   255.255.255.192 eth0
> > X.Y.Z.128   0.0.0.0   255.255.255.192 eth2
> > 192.168.1.0 0.0.0.0   255.255.255.0   br0
> > 127.0.0.0   0.0.0.0   255.0.0.0       lo
> > 0.0.0.0     X.Y.Z.129 0.0.0.0         eth2
> > #####################################
> > 
> > eth0 is the DMZ. That's the network I want to route through the tunnel.
> > But if I go to the road-warrior OVPN config and uncomment the route
> > statement, then restart the OVPN service, nothing works. Even the
> > internal network tunneling doesn't work anymore. Comment the route
> > statement out, and then I can see the internal net through the tunnel
> > and everything is fine (and it works pretty damn well) except that I
> > access the DMZ through the "outside", not through the tunnel.
> > 
> > So it's not that the route just doesn't work, but the route statement
> > seems to break everything altogether.
> > 
> > I mangled the route statement, adding 0 at the end and stuff like that.
> > It didn't help.
> > 
> > I am probably doing something wrong, but I can't figure out what. Any
> > ideas?
> > Thanks,
> > 
> > -- 
> > Florin Andrei
> > 
> > http://florin.myip.org/
> > 
> > 
> > 
> > -------------------------------------------------------
> > The SF.Net email is sponsored by EclipseCon 2004
> > Premiere Conference on Open Tools Development and Integration
> > See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> > http://www.eclipsecon.org/osdn
> > _______________________________________________
> > Openvpn-users mailing list
> > Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.sourceforge.net/lists/listinfo/openvpn-users
> > 
> 
> 
-- 
Florin Andrei

http://florin.myip.org/
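The question in this thread comes down to which next hop a road warrior's packets take: with no route for the DMZ /26, they follow the default route out to the Internet in the clear; with a route via the server's bridge address, they enter the tap tunnel. The following is an added example, not code from the thread or from the OpenVPN project: a longest-prefix-match lookup over a netstat-style routing table plus a check that every destination that must stay inside the tunnel really resolves to the tap interface. The client routing table is constructed for illustration; the post's DMZ prefix X.Y.Z.192/26 is stood in for by the documentation prefix 203.0.113.192/26, the road warrior's own LAN by 10.0.0.0/24, and the server's br0 address by 192.168.1.1 (all assumptions).

```python
"""Longest-prefix-match route lookup for checking which interface a
road warrior's traffic to a given destination would leave on.

Added example, not code from the thread or from the OpenVPN project.
The client routing table below is constructed for illustration: the
post's DMZ prefix X.Y.Z.192/26 is stood in for by the documentation
prefix 203.0.113.192/26, the road warrior's LAN by 10.0.0.0/24, and the
server's bridge (br0) address by 192.168.1.1 (all assumptions).
"""
from ipaddress import ip_address, ip_network


def parse_routes(lines):
    """Parse 'Destination Gateway Genmask Iface' rows (netstat -rn style).

    Returns a list of (network, gateway, iface); gateway is None for
    on-link routes (netstat prints those with a 0.0.0.0 gateway).
    """
    routes = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Destination":
            continue  # header or blank line
        dest, gw, mask, iface = parts
        net = ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Return the (network, gateway, iface) entry with the longest prefix
    that contains dst, or None if nothing matches (no default route)."""
    dst = ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def untunnelled(routes, must_tunnel, tunnel_iface="tap0"):
    """List the destinations in must_tunnel whose next hop is NOT the
    tunnel interface, i.e. traffic that would leave in the clear.

    Each leak is reported as (destination, interface_actually_used)."""
    leaks = []
    for dst in must_tunnel:
        entry = lookup(routes, dst)
        iface = entry[2] if entry else None
        if iface != tunnel_iface:
            leaks.append((dst, iface))
    return leaks


# Constructed road-warrior table: VPN bridge subnet on tap0, local LAN on
# eth0, everything else via the LAN's default gateway (the Internet).
CLIENT_TABLE = """\
Destination   Gateway    Genmask          Iface
192.168.1.0   0.0.0.0    255.255.255.0    tap0
10.0.0.0      0.0.0.0    255.255.255.0    eth0
0.0.0.0       10.0.0.1   0.0.0.0          eth0
""".splitlines()

# The route the post is after: the DMZ /26 via the server's br0 address,
# which is on-link across the tap bridge.  In OpenVPN config syntax this
# would be:  route 203.0.113.192 255.255.255.192 192.168.1.1
DMZ_ROUTE = "203.0.113.192 192.168.1.1 255.255.255.192 tap0"

# Destinations that, per the post, must only be reached inside the tunnel.
MUST_TUNNEL = ["192.168.1.10", "203.0.113.200"]


def compare():
    """Return (leaks before adding the DMZ route, leaks after)."""
    before = untunnelled(parse_routes(CLIENT_TABLE), MUST_TUNNEL)
    after = untunnelled(parse_routes(CLIENT_TABLE + [DMZ_ROUTE]), MUST_TUNNEL)
    return before, after


if __name__ == "__main__":
    before, after = compare()
    print("without DMZ route, leaving in the clear:", before)
    print("with DMZ route, leaving in the clear:   ", after)
```

The same check can be run against real `netstat -rn` (or, on Windows, `route print`) output after the tunnel is up, which is a better test than pinging: a ping that succeeds proves reachability, not that the packet went through tap. Giving `route` an explicit gateway address, as in the comment above, also sidesteps the `vpn_gateway` keyword; the OpenVPN 2.x manual derives `vpn_gateway` from `--route-gateway` or, for `--dev tun` only, from the second `--ifconfig` parameter, so in tap mode it needs `--route-gateway` to have a value at all. Whether 1.6beta1 behaved the same way is not something this thread establishes.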


