Evening All
Ok, after toying around with tcpdump and fiddling around with SuSEfirewall2 and
OpenVPN settings, I now have a working solution which I'd like to share with
you. What follows are my setup files for the server and one client, as well as the
necessary SuSEfirewall2 config files:
Server.conf:
==================================
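# OpenVPN server side of a point-to-point TLS tunnel: no "server" directive,
# one static ifconfig pair (192.168.96.5 here, 192.168.96.6 on the client).
local 10.0.0.6
dev tun
port 1194
proto udp
tls-server
ca /etc/ssl/keys/ca.crt
cert /etc/ssl/keys/xxxxxx.crt
key /etc/ssl/private/xxxxx.key
# NOTE(review): 1024-bit DH parameters are below current key-size guidance;
# the file name suggests the group size, confirm and regenerate a larger one.
dh /etc/ssl/keys/dh1024.pem
ifconfig 192.168.96.5 192.168.96.6
up /etc/openvpn/xxxxx.up
comp-lzo
# Privileges are dropped to nobody after initialisation. Without persist-key
# and persist-tun an unprivileged OpenVPN cannot re-read the key file or
# reopen the tun device on a restart (SIGUSR1, ping-restart), so the tunnel
# would not come back up; these two options keep both across restarts.
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/xxxx-status.log
log /etc/openvpn/xxxxx.log
# NOTE(review): the client config uses "keepalive 20 240" but this side has
# no ping/ping-restart, so a dead peer is presumably not detected here —
# confirm whether that is intended.
verb 4
mute 10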
Client.conf:
===================================
# OpenVPN client side of the point-to-point tunnel: mirror image of the
# server's ifconfig pair, with three remote networks routed through the
# server's tunnel address.
dev tun
dev-node tun0
proto udp
remote xxx.xxx.xxx.xxx
port 1194
ifconfig 192.168.96.6 192.168.96.5
# Networks behind the server; the gateway is the server's tunnel endpoint.
route 192.168.15.0 255.255.255.0 192.168.96.5
route 192.168.10.0 255.255.255.0 192.168.96.5
route 192.168.5.0 255.255.255.0 192.168.96.5
tls-client
ca ca.crt
cert xxxx.crt
key xxxx.key
# Accept only a peer certificate marked nsCertType=server, so another client
# certificate issued by the same CA cannot pose as the server.
ns-cert-type server
# Left disabled: this side does not drop privileges, so re-reading the key
# and reopening tun0 on a restart still works.
;persist-key
;persist-tun
status openvpn-status.log
log xxxx.log
comp-lzo
verb 4
mute 10
# Ping the peer every 20 s; restart the tunnel after 240 s without a reply.
keepalive 20 240
SuSEfirewall
=====================================
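# /etc/sysconfig/SuSEfirewall2 — sourced as shell; every value is a string.
FW_QUICKMODE="no"
FW_DEV_EXT="eth-id-xx-xx-xx-xx-xx-xx"
# Trailing blank inside the quotes removed: the interface name must match exactly.
FW_DEV_INT="eth-id-xx-xx-xx-xx-xx-xx"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
# Only ssh and the OpenVPN listener (udp/1194) are reachable from outside.
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="1194"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
# Reject (not drop) ident, so mail/irc servers do not wait for a timeout.
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
# NOTE(review): as I read the SuSEfirewall2 semantics this admits UDP packets
# *sourced* from port 1194 to every high port on the firewall, not just the
# OpenVPN listener; FW_SERVICES_EXT_UDP already opens 1194 inbound, so this
# looks redundant — confirm and drop it if the tunnel works without it.
FW_ALLOW_INCOMING_HIGHPORTS_UDP="1194"
# Forwarding pairs "source,destination", one per line (the list is whitespace
# separated, so the line breaks inside the quotes are fine). Each tunnel
# endpoint is paired with 192.168.15.0/24 and 192.168.10.0/24 in both
# directions, then those two networks with 192.168.5.0/24 and 192.168.13.0/24.
# 192.168.94.6 & 192.168.96.6 =>> OpenVPN client side tunnel endpoints
FW_FORWARD="192.168.94.6/32,192.168.15.0/24 192.168.15.0/24,192.168.94.6/32
192.168.94.6/32,192.168.10.0/24 192.168.10.0/24,192.168.94.6/32
192.168.96.6/32,192.168.15.0/24 192.168.15.0/24,192.168.96.6/32
192.168.96.6/32,192.168.10.0/24 192.168.10.0/24,192.168.96.6/32
192.168.15.0/24,192.168.5.0/24 192.168.15.0/24,192.168.13.0/24
192.168.10.0/24,192.168.5.0/24 192.168.10.0/24,192.168.13.0/24"
# NOTE(review): the custom script below accepts everything entering or leaving
# a tun+ interface in FORWARD, so for tunnel traffic these pairs are presumably
# not what limits access — confirm which rule set is meant to be authoritative.
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
# NOTE(review): anti-spoofing is off while routing and masquerading are on;
# confirm this was needed for the tunnel networks rather than left over from
# debugging, as it removes the source-address check on the external side.
FW_ANTISPOOF="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="int"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="yes"
# Hooks for the tun+ rules, see the excerpt of this script below.
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="yes"
FW_IPSEC_TRUST="no"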
/etc/sysconfig/scripts/SuSEfirewall2-custom (excerpt)
===================================
# Hook run by SuSEfirewall2 just before its final deny-all rules are appended
# (the after_forwardmasq hook would do equally well here).
# Every packet entering or leaving any OpenVPN tunnel interface (tun0, tun1,
# ...) is accepted in INPUT, OUTPUT and both directions of FORWARD, i.e. the
# tunnel is fully trusted; the FW_FORWARD pairs in the sysconfig file do not
# restrict tun traffic once these rules are in place.
fw_custom_before_denyall() { # could also be named "after_forwardmasq()"
    local rule chain direction
    for rule in INPUT:-i OUTPUT:-o FORWARD:-i FORWARD:-o; do
        chain=${rule%%:*}
        direction=${rule##*:}
        iptables -A "$chain" "$direction" tun+ -j ACCEPT
    done
    true
}
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users