Setup:
#############
#Server.conf#
#############
# OpenVPN server configuration as posted: a TLS-authenticated multi-client
# udp server on port 1194 that hands out addresses from 10.8.0.0/24.
port 1194
dev tun
# Use "local" to set the source address on multi-homed hosts
#local [IP address]
# TLS parms
tls-server
ca DMDM.crt
cert serverA.crt
key serverA.key
dh DMDM.pem
# Tell OpenVPN to be a multi-client udp server
mode server
# The server's virtual endpoints
ifconfig 10.8.0.1 10.8.0.2
# Pool of /30 subnets to be allocated to clients.
# When a client connects, an --ifconfig command
# will be automatically generated and pushed back to
# the client.
ifconfig-pool 10.8.0.4 10.8.0.255
# Push route to client to bind it to our local
# virtual endpoint.
push "route 10.8.0.1 255.255.255.255"
# NOTE(review): redirect-gateway makes the client send all of its traffic
# through this server, so the server has to route it onward: the kernel
# needs forwarding enabled (net.ipv4.ip_forward=1), the FORWARD chain has to
# accept tun0 -> eth0 traffic (the posted /etc/sysconfig/iptables sends
# FORWARD through RH-Firewall-1-INPUT, which accepts only a fixed list of
# destination ports and REJECTs the rest), and the 10.8.0.0/24 source has to
# be NATed (MASQUERADE) on eth0 -- no *nat table is present in the posted
# rules. That combination fits the "can ping the server, cannot reach the
# internet" symptom described below.
push "redirect-gateway"
# Push any routes the client needs to get in
# to the local network.
;push "route 192.168.0.0 255.255.255.0"
# Push DHCP options to Windows clients.
;push "dhcp-option DOMAIN example.com"
;push "dhcp-option DNS 192.168.0.1"
;push "dhcp-option WINS 192.168.0.1"
# Client should attempt reconnection on link
# failure.
keepalive 10 60
# Delete client instances after some period
# of inactivity.
inactive 600
# Route the --ifconfig pool range into the
# OpenVPN server.
route 10.8.0.0 255.255.255.0
# The server doesn't need privileges
user openvpn
group openvpn
# Keep TUN devices and keys open across restarts.
persist-tun
persist-key
# NOTE(review): the management interface is bound to localhost and is given
# no password file, so it is reachable only by local users -- keep it that
# way. The firewall file below nevertheless ACCEPTs tcp/7505 from anywhere;
# that rule buys nothing while the binding stays on localhost and would
# expose an unauthenticated control socket if the binding were ever widened,
# so it should be removed.
management localhost 7505
verb 4
#############
#client.conf#
#############
# OpenVPN client configuration as posted (Windows XP client of the server
# above); PUBLIC.IP stands in for the server's real public address.
port 1194
dev tun
remote PUBLIC.IP 1194
# TLS parms
tls-client
ca DMDM.crt
cert dmassey.crt
key dmassey.key
# NOTE(review): as written, the client only checks that the server's
# certificate chains to DMDM.crt, so any other certificate issued by that CA
# (another client's, for instance) would also be accepted as the server.
# Adding "ns-cert-type server" restricts acceptance to certificates carrying
# the server nsCertType designation.
# This parm is required for connecting
# to a multi-client server. It tells
# the client to accept options which
# the server pushes to us.
pull
# Scripts can be used to do various
# things (change nameservers, for
# example).
#up scripts/ifup-post
#down scripts/ifdown-post
verb 4
################
iptables --list#
################
[root@papa ~]# iptables --list
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
icmp type 8 code 0
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251
udp dpt:5353
ACCEPT udp -- anywhere anywhere
udp dpt:ipp
ACCEPT all -- anywhere anywhere
state
RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere
state NEW tcp
dpt:domain
ACCEPT udp -- anywhere anywhere
state NEW udp
dpt:domain
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere
state NEW tcp
dpt:poppassd
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:smtps
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:1194
ACCEPT udp -- anywhere anywhere
state NEW udp dpt:1194
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:7505
ACCEPT tcp -- anywhere anywhere
state NEW tcp
dpt:webcache
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:8443
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:9008
ACCEPT tcp -- anywhere anywhere
state NEW tcp dpt:9080
ACCEPT tcp -- anywhere anywhere
state NEW tcp
dpts:60000:65000
DROP tcp -- anywhere anywhere
state NEW tcp
dpt:netbios-ns
DROP tcp -- anywhere anywhere
state NEW tcp
dpt:netbios-dgm
DROP tcp -- anywhere anywhere
state NEW tcp
dpt:netbios-ssn
DROP tcp -- anywhere anywhere
state NEW tcp
dpt:microsoft-ds
DROP tcp -- anywhere anywhere
state NEW tcp dpt:mysql
DROP tcp -- anywhere anywhere
state NEW tcp
dpt:postgres
REJECT all -- anywhere anywhere
reject-with
icmp-host-prohibited
#########
ifconfig#
#########
[root@66-226-75-121 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:30:48:5A:23:AD
inet addr:PUBLIC.IP Bcast:PRIVATE.IP Mask:255.255.255.0
inet6 addr: fe80::230:48ff:fe5a:23ad/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11483924 errors:0 dropped:0 overruns:0 frame:0
TX packets:1140176 errors:9 dropped:0 overruns:0 carrier:9
collisions:43608 txqueuelen:10
RX bytes:1281610034 (1.1 GiB) TX bytes:333308650 (317.8 MiB)
Base address:0xb800 Memory:fc9a0000-fc9c0000
eth0:1 Link encap:Ethernet HWaddr 00:30:48:5A:23:AD
inet addr:192.168.253.173 Bcast:192.168.253.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Base address:0xb800 Memory:fc9a0000-fc9c0000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:7159692 errors:0 dropped:0 overruns:0 frame:0
TX packets:7159692 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:502614478 (479.3 MiB) TX bytes:502614478 (479.3 MiB)
tun0 Link encap:UNSPEC HWaddr O's
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:492 (492.0 b)
[root@papa ~]#
######################################
FILE: iptables FROM: /etc/sysconfig/#
######################################
# /etc/sysconfig/iptables as posted (iptables-restore format). Only the
# filter table is defined; INPUT and FORWARD both jump into
# RH-Firewall-1-INPUT, and several rules below are wrapped across two lines
# by the mail archive (each "-A ... -p tcp" / "--dport N -j TARGET" pair is
# one rule).
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
# NOTE(review): forwarded packets (VPN clients heading out via eth0) are
# filtered by the same chain as traffic addressed to this host, and that
# chain ends in REJECT, so a client behind redirect-gateway can reach only
# the destination ports listed below. To route clients to the internet this
# file appears to need, ahead of this jump,
#   -A FORWARD -i tun0 -o eth0 -j ACCEPT
# (replies are already covered by the ESTABLISHED,RELATED rule), plus a nat
# table section such as
#   *nat
#   -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
#   COMMIT
# together with net.ipv4.ip_forward=1 on the host.
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# ICMP echo request (ping).
-A RH-Firewall-1-INPUT -p icmp --icmp-type 8/0 -j ACCEPT
# IP protocols 50 and 51 are IPsec ESP and AH (listed as ipv6-crypt and
# ipv6-auth in the iptables --list output above).
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# mDNS (multicast) and IPP printing.
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
# Replies to connections the host (or a forwarded client) initiated.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound services accepted from anywhere: ftp, ssh, smtp, dns, http, 106,
# pop3, imap, https, smtps, imaps, pop3s.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp
--dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 106 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 993 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 995 -j ACCEPT
# OpenVPN. server.conf runs a udp server and sets no "proto tcp", so the
# tcp/1194 ACCEPT appears unused unless a separate tcp instance exists.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp
--dport 1194 -j ACCEPT
# NOTE(review): the OpenVPN management interface is bound to localhost
# ("management localhost 7505" in server.conf) and loopback is already
# accepted above, so this rule opens tcp/7505 to the world for no benefit
# and should be removed.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 7505 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 9008 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 9080 -j ACCEPT
# Presumably a passive-FTP data range for the ftp service on 21 -- verify
# it is still needed; a 5000-port inbound range is a large opening.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 60000:65000 -j
ACCEPT
# Explicit DROPs for NetBIOS/SMB and database ports. The final REJECT would
# catch these anyway; DROP differs only in answering silently instead of
# with an ICMP error.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 137 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 138 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 139 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 445 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 3306 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
--dport 5432 -j DROP
# Everything not matched above, inbound or forwarded, is rejected.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
#############
Route-SERVER#
#############
[root@xxxxxxxxx ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
66.213.75.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.253.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 66.226.75.1 0.0.0.0 UG 0 0 0 eth0
#############
Route-CLIENT#
#############
C:\Documents and Settings\dmassey>route print
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.8.0.5 10.8.0.6 1
10.8.0.1 255.255.255.255 10.8.0.5 10.8.0.6 1
10.8.0.4 255.255.255.252 10.8.0.6 10.8.0.6 30
10.8.0.6 255.255.255.255 127.0.0.1 127.0.0.1 30
10.255.255.255 255.255.255.255 10.8.0.6 10.8.0.6 30
66.226.75.121 255.255.255.255 172.21.216.254 172.21.216.195 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.21.216.128 255.255.255.128 172.21.216.195 172.21.216.195 20
172.21.216.195 255.255.255.255 127.0.0.1 127.0.0.1 20
172.21.255.255 255.255.255.255 172.21.216.195 172.21.216.195 20
224.0.0.0 240.0.0.0 10.8.0.6 10.8.0.6 30
224.0.0.0 240.0.0.0 172.21.216.195 172.21.216.195 20
255.255.255.255 255.255.255.255 10.8.0.6 4 1
255.255.255.255 255.255.255.255 10.8.0.6 3 1
255.255.255.255 255.255.255.255 10.8.0.6 10.8.0.6 1
255.255.255.255 255.255.255.255 172.21.216.195 172.21.216.195 1
Default Gateway: 10.8.0.5
===========================================================================
Persistent Routes:
None
##########################################################
SERVER: Fedora Core 4 (Public IP Address)
CLIENT(S): Windows XP SP2
I am a newbie, please have mercy on me and point me in the right direction.
ISSUE: Server can ping client (10.8.0.6). Client can ping server(10.8.0.1).
Client cannot get on the internet through the VPN. As you can see above, I push
redirect-gateway. I am sure this has something to do with the dreaded iptables.
I am trying to learn this stuff piece by piece, but I am missing something
fundamental. I am sure I turned on forwarding. But I do not understand how to
forward from tun0 to eth0, or even why you would need to, or even if I need to.
It could be routes perhaps. I just want to be able to browse the internet from
my client through the VPN.
I have searched this group, I have searched the net. I have seen the answer
countless times, I am sure, but I do not know enough to know what I am looking
for.
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users