[Openvpn-users] RE: help with openvpn and freebsd !


  • Subject: [Openvpn-users] RE: help with openvpn and freebsd !
  • From: "Alex Kitaen" <akitaen@xxxxxxxxxxx>
  • Date: Thu, 04 Nov 2004 05:21:41 +0000

sorry for interruption,
No worries!

i've read your post in the openvpn users list, which means you have
been using openvpn and freebsd successfully.

Yes, for almost 2 days already, so I am no expert.

i'm facing a problem with that (freebsd 5.2.1 and openvpn 2.0 beta 11)

I'm using FreeBSD 4.10 on a router with 1 public static IP and a few NICs and private subnets, talking to a freeBSD 4.10 laptop that roams. I'm using openvpn 1.6 (from the freebsd ports tree.) The laptop uses openvpn to connect to my wireless access point inside my network, and also to tunnel into an inside subnet from the internet. I use the tun driver, and ipfw on the router and ipfw2 on the laptop.


i'm using the Bridged Ethernet one.
two freebsd servers for each network.two fixed ip addresses.
would you please send me the ipfw rules on any machine (the parts
related to the vpn) and how to establish a bridge successfully in
freebsd !

Hmmm, so many pieces to this puzzle, let's see if I can make it make sense!
-------- highlights from laptop's /etc/rc.firewall (not complete, just the sections I use for openvpn firewalling) -----------------
#!/bin/sh
# ${fwcmd}, ${firewall_type} and setup_loopback come from the stock FreeBSD
# rc.firewall; only the "alone" ruleset is reproduced here. $2 is the
# outside interface name handed to the script.
if [ -n "${2}" ]; then
    iface="${2}"
fi
case ${firewall_type} in
alone)
    setup_loopback
    # tunnel is on home network
    ${fwcmd} add pass all from any to any via tun0
    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established
    # openvpn (the tunnel runs on UDP port 5001; keep-state lets the replies back in)
    ${fwcmd} add pass udp from any to any 5001 via ${iface} keep-state
    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag
    # Allow setup of outgoing TCP connections only
    ${fwcmd} add pass tcp from any to any out xmit ${iface} setup
    # Disallow setup of all other TCP connections
    ${fwcmd} add deny log tcp from any to any setup
    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from any to any 53 out xmit ${iface} keep-state
    # dhcp
    ${fwcmd} add pass udp from any to any 67,68
    # allow pinging (8=pingout 0=pingreply 3&11 = unreachable&ttl)
    ${fwcmd} add pass icmp from any to any out xmit ${iface} icmptypes 8
    ${fwcmd} add pass icmp from any to any in recv ${iface} icmptypes 0,3,11
    # default deny, logged so misfires show up in /var/log/security
    ${fwcmd} add deny log all from any to any
    ;;
esac
------------------------------------------------------------------------


I will hope that the firewall is the least of your problems; if you can, run with an open firewall until you have things working since misconfigured firewalls can break all kinds of stuff. If you can't leave the firewall open while configuring (I couldn't), at least set all your deny rules to log and watch the logs, something like 'tail -c 2000 -f /var/log/security'.

Assuming that your openvpn config files are correct (big assumption, but you didn't give me symptoms of the problem; anyway, mine are very close to the linuxy example in the HOWTO), the biggest trick is probably ensuring that the routes are correct. It could be useful to see the output of 'netstat -r'. Here's mine, connected through a public access point:

netstat -r
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.20.72.1         UGSc       18       69   tun0
10.20.72/25        10.20.72.1         UGSc        0        0   tun0
10.20.72.1         10.20.72.2         UH         20        0   tun0
my.public_ip.com 192.168.1.1        UGHS        1     1457    wi0
localhost          localhost          UH          1        4    lo0
192.168.1          link#4             UC          1        0    wi0
192.168.1.1        00:22:44:1b:bb:b4  UHLW        1        0    wi0    973
192.168.1.102      localhost          UGHS        0        0    lo0

I don't know your experience level, so forgive me if this is obvious, but in case it isn't obvious, not all the routes you need always happen automagically. Here, the access point 192.168.1.1 (which I have a direct link to) has DHCP'd me the address of 192.168.1.102. My tunnel into my home network is 10.20.72.1 (home router) to 10.20.72.2 (laptop). I had to manually add the route to my.public_ip.com through the DHCP router so the tunnel can get home, otherwise it would be routed through the default route which wouldn't make any sense at all.

So my wtdhcp script (that's Wireless Tunnel DHCP) looks like this:
----------------------------------------------
#!/bin/sh
# wtdhcp: associate with a wireless access point, take a DHCP lease, then
# bring up the OpenVPN tunnel home. Optional argument 1 is the SSID.
ssid="-"
if [ -n "${1}" ]; then
   ssid="${1}"
fi
# start from an empty routing table so only the DHCP'd routes are present
route flush > /dev/null

# wdhcp associates with an access point and dhcps an address (and sets routes and nameservers)
/root/bin/wdhcp ${ssid}

# point DNS at the home nameserver, which is only reachable through the tunnel
cat <<EOF > /etc/resolv.conf
domain public_ip.com
nameserver 10.20.73.1
EOF

echo "--- getting default route"
# `route get default` prints a "gateway: a.b.c.d" line; keep only the address
gateway=`route get default | grep gateway | awk '{print $2}'`
# assume 1.2.3.4 is my.public_ip.com
# host route to the VPN server via the access point, so the tunnel's own
# packets still leave by wi0 once openvpn makes tun0 the default route
route add 1.2.3.4 ${gateway}

echo "--- openvpn"
cd /etc/ssl/myCA; /usr/local/sbin/openvpn --config wtdhcp.conf
# further steps not reached if openvpn not backgrounded

----------------------------------------------

This script isn't great; it has no error checking despite the fact that many of the steps could fail for a variety of reasons. There must be a better way to get the DHCP'd default route (which will be how the tunnel gets home) before I run openvpn (which will set the default route through the tunnel), but I don't know what it is.

I hope that you don't mind that I forwarded this (private mail) to the openvpn list; if any useful answers appear here I like to have them publicly archived. If this isn't cool, let me know. I will be an irregular reader of both this mail account and the openvpn list, but I try to reply when I'm expecting mail.

If you can't get it working, mail more diagnostics like routing table, network topology, maybe output of 'ipfw show' etc etc and what the problem seems to be.

thanks in advance, have a nice day

You are welcome, you also!

Alex
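The route-pinning step Alex describes (read the DHCP'd default gateway, add a host route to the VPN server through it, then start openvpn) is the part of the script above that has no error checking. The following sh script is an added example, not code from the mail or from the OpenVPN project: it parses the gateway out of `route get default` output, refuses to touch the routing table unless both addresses are well-formed dotted-quad IPv4, and only then starts openvpn in the background. The sample `route get default` text is constructed for testing; `VPN_SERVER` (standing in for my.public_ip.com, as 1.2.3.4 does above), `VPN_DIR` and `VPN_CONF` are placeholder values.

```shell
#!/bin/sh
# Added example (not from the original mail). Pins a host route to the VPN
# server through the physical (DHCP'd) gateway before OpenVPN is started, so
# the tunnel's own UDP packets keep leaving via the access point once the
# tunnel takes over the default route. Placeholder values below.
VPN_SERVER=1.2.3.4          # stands in for my.public_ip.com
VPN_DIR=/etc/ssl/myCA       # directory holding the config and keys
VPN_CONF=wtdhcp.conf        # config file name, as in the mail

# Constructed sample of FreeBSD `route get default` output, used to exercise
# the parser without touching the live routing table.
SAMPLE_ROUTE_GET='   route to: default
destination: default
       mask: default
    gateway: 192.168.1.1
  interface: wi0
      flags: <UP,GATEWAY,DONE,STATIC>'

# Print the gateway field from `route get` output passed in $1, or nothing.
extract_gateway() {
    printf '%s\n' "$1" | awk '$1 == "gateway:" { print $2; exit }'
}

# Accept only a dotted-quad IPv4 address, so unexpected `route get` output
# (an interface name, an empty string, a hostname) never reaches route(8).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Build the exact route(8) command for server $1 via gateway $2, after
# validating both; returns 1 and prints nothing if either is malformed.
host_route_cmd() {
    is_ipv4 "$1" || return 1
    is_ipv4 "$2" || return 1
    printf 'route add %s %s\n' "$1" "$2"
}

# The live sequence: read the DHCP'd gateway, pin the route, then start
# OpenVPN with --daemon so the calling script can continue.
pin_route_and_start_vpn() {
    gw=$(extract_gateway "$(route get default 2>/dev/null)")
    cmd=$(host_route_cmd "$VPN_SERVER" "$gw") || {
        echo "no usable default gateway (got '${gw}'), not starting VPN" >&2
        return 1
    }
    echo "--- $cmd"
    $cmd || return 1
    cd "$VPN_DIR" || return 1
    /usr/local/sbin/openvpn --config "$VPN_CONF" --daemon
}

# Only act on the live system when invoked as: sh pinroute.sh --run
if [ "${1:-}" = "--run" ]; then
    pin_route_and_start_vpn
fi
```

The validation matters because the gateway string is spliced into a privileged `route add`; if DHCP failed, `route get default` prints an error and `extract_gateway` returns nothing, and the script stops instead of adding a half-formed route. For the 2.0 series that the original poster is running, OpenVPN's own `--redirect-gateway` option performs this same host-route-via-old-gateway step automatically before moving the default route.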



____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users