Apologies to anyone who is seeing this on both lists. On Saturday 2005-September-10 00:17, I omitted an important part of:

> Home machine: LAN address 192.168.6.6/24 (no direct external
> interface) Remote machine: x.y.z.112/29
>
> Home openvpn config:
> remote x.y.z.112
> ifconfig x.y.z.116 192.168.6.248
> ifconfig-nowarn # we don't need the complaints in the log
>
> Remote openvpn config:
> remote my.dynamic.dnsname
> ifconfig 192.168.6.248 x.y.z.116
> # you might want this, but I didn't:
> # route 192.168.6.0 255.255.255.0 vpn_gateway
>
> [ The rest of this is Linux-specific, but I'm sure the same idea
> could be done on other Unices. ]
>
> Started both ends of the tunnel. At home:
> # echo 64 tunnel >> /etc/iproute2/rt_tables
> # ip rule add from x.y.z.116 table tunnel
> # ip route add default via 192.168.6.248 table tunnel
> # ip route flush cache
> (These should go in an openvpn --up script.)
>
> As it happens, no explicit iptables rules were needed! YMMV depending
> upon the rules you have, of course. I do the firewalling on the
> remote, so only allowed services and replies to my own connections go
> through the tunnel. I had to make sure the filter/FORWARD chain on
> the remote would pass the packets I needed. Here at home,
> filter/INPUT accepts anything from that interface.

Also, at the remote:

# echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
# echo 1 > /proc/sys/net/ipv4/ip_forward

(These might be wanted in an --up script at the other endpoint.)

The first command tells the eth0 interface (substitute the name of yours) to listen for proxy ARP: hosts other than itself, but for whom it has an explicit route. http://en.wikipedia.org/wiki/Proxy_ARP explains better than I can. Earlier, by accident, I had bound the wrong IPs at each endpoint, so the system arp(8) cache was still answering for x.y.z.116. In time the cache timed out, and the tunnel stopped working.
The second command is not needed if you were already using the machine as a router, which I was, but it occurred to me that you and others might not be doing that.

--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
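The poster suggests putting the manual ip-rule, ip-route and proxy_arp commands into an OpenVPN --up script; the following is an added example of such a script (my own code, not the poster's), written so that it can be re-run safely on every reconnect. It relies on OpenVPN's documented --up calling convention ($1 = tun device, $4 = local and $5 = remote ifconfig address); the names TABLE_ID, TABLE_NAME, VPN_ROLE, LAN_IF and DRY_RUN are my own and not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: an OpenVPN --up script that
# installs the routing the post sets by hand. OpenVPN calls --up with
# $1=tun device, $2=tun MTU, $3=link MTU, $4=local and $5=remote tunnel
# address, so "ifconfig x.y.z.116 192.168.6.248" arrives as $4 and $5.
# Set DRY_RUN=1 to print the commands instead of running them (root otherwise).

TABLE_ID=64
TABLE_NAME=tunnel
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Register the "tunnel" table once; blindly appending on every reconnect
# (as the post's one-liner would) leaves duplicate entries in rt_tables.
ensure_table() {
    if ! grep -q "^$TABLE_ID[[:space:]][[:space:]]*$TABLE_NAME\$" "$RT_TABLES" 2>/dev/null; then
        run sh -c "echo '$TABLE_ID $TABLE_NAME' >> '$RT_TABLES'"
    fi
}

# Home end: traffic sourced from the public address leaves via the tunnel.
setup_tunnel_routing() {
    local_ip=$1     # address the home end answers as (x.y.z.116 in the post)
    remote_ip=$2    # far end of the tunnel (192.168.6.248 in the post)
    ensure_table
    # delete-then-add and "route replace" keep this idempotent across restarts
    run ip rule del from "$local_ip" table "$TABLE_NAME" 2>/dev/null
    run ip rule add from "$local_ip" table "$TABLE_NAME"
    run ip route replace default via "$remote_ip" table "$TABLE_NAME"
    run ip route flush cache
}

# Remote end: answer ARP for the tunnelled address on the LAN side and forward.
setup_remote_forwarding() {
    lan_if=$1       # interface on the x.y.z.112/29 network (eth0 in the post)
    run sh -c "echo 1 > /proc/sys/net/ipv4/conf/$lan_if/proxy_arp"
    run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Only act when invoked by OpenVPN with its full argument list.
if [ $# -ge 5 ]; then
    case "${VPN_ROLE:-home}" in
        remote) setup_remote_forwarding "${LAN_IF:-eth0}" ;;
        *)      setup_tunnel_routing "$4" "$5" ;;
    esac
fi
```

Point OpenVPN at it with `script-security 2` and `up /path/to/this-script` on each end, setting VPN_ROLE=remote in the environment on the remote host.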