Probably what you want is something like this:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d ! 10.8.0.0/24 -j MASQUERADE

David wrote:
>
> Setup:
> #############
> #Server.conf#
> #############
> port 1194
> dev tun
>
> # Use "local" to set the source address on multi-homed hosts
> #local [IP address]
>
> # TLS parms
> tls-server
> ca DMDM.crt
> cert serverA.crt
> key serverA.key
> dh DMDM.pem
>
> # Tell OpenVPN to be a multi-client udp server
> mode server
>
> # The server's virtual endpoints
> ifconfig 10.8.0.1 10.8.0.2
>
> # Pool of /30 subnets to be allocated to clients.
> # When a client connects, an --ifconfig command
> # will be automatically generated and pushed back to
> # the client.
> ifconfig-pool 10.8.0.4 10.8.0.255
>
> # Push route to client to bind it to our local
> # virtual endpoint.
> push "route 10.8.0.1 255.255.255.255"
> push "redirect-gateway"
>
> # Push any routes the client needs to get in
> # to the local network.
> ;push "route 192.168.0.0 255.255.255.0"
>
> # Push DHCP options to Windows clients.
> ;push "dhcp-option DOMAIN example.com"
> ;push "dhcp-option DNS 192.168.0.1"
> ;push "dhcp-option WINS 192.168.0.1"
>
> # Client should attempt reconnection on link
> # failure.
> keepalive 10 60
>
> # Delete client instances after some period
> # of inactivity.
> inactive 600
>
> # Route the --ifconfig pool range into the
> # OpenVPN server.
> route 10.8.0.0 255.255.255.0
>
> # The server doesn't need privileges
> user openvpn
> group openvpn
>
> # Keep TUN devices and keys open across restarts.
> persist-tun
> persist-key
>
> management localhost 7505
>
> verb 4
>
> #############
> #client.conf#
> #############
> port 1194
> dev tun
> remote PUBLIC.IP 1194
>
> # TLS parms
>
> tls-client
> ca DMDM.crt
> cert dmassey.crt
> key dmassey.key
>
> # This parm is required for connecting
> # to a multi-client server. It tells
> # the client to accept options which
> # the server pushes to us.
> pull
>
> # Scripts can be used to do various
> # things (change nameservers, for
> # example.
> #up scripts/ifup-post
> #down scripts/ifdown-post
>
> verb 4
>
> ################
> iptables --list#
> ################
> [root@papa ~]# iptables --list
> Chain FORWARD (policy ACCEPT)
> target               prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> ACCEPT               all  --  anywhere             anywhere
>
> Chain INPUT (policy ACCEPT)
> target               prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> ACCEPT               all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target               prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot       opt source               destination
> ACCEPT     all        --  anywhere             anywhere
> ACCEPT     icmp       --  anywhere             anywhere            icmp type 8 code 0
> ACCEPT     ipv6-crypt --  anywhere             anywhere
> ACCEPT     ipv6-auth  --  anywhere             anywhere
> ACCEPT     udp        --  anywhere             224.0.0.251         udp dpt:5353
> ACCEPT     udp        --  anywhere             anywhere            udp dpt:ipp
> ACCEPT     all        --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:ftp
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:ssh
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:smtp
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:domain
> ACCEPT     udp        --  anywhere             anywhere            state NEW udp dpt:domain
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:http
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:poppassd
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:pop3
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:imap
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:https
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:smtps
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:imaps
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:pop3s
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:1194
> ACCEPT     udp        --  anywhere             anywhere            state NEW udp dpt:1194
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:7505
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:webcache
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:8443
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:9008
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpt:9080
> ACCEPT     tcp        --  anywhere             anywhere            state NEW tcp dpts:60000:65000
> DROP       tcp        --  anywhere             anywhere            state NEW tcp dpt:netbios-ns
> DROP       tcp        --  anywhere             anywhere            state NEW tcp dpt:netbios-dgm
> DROP       tcp        --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
> DROP       tcp        --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
> DROP       tcp        --  anywhere             anywhere            state NEW tcp dpt:mysql
> DROP       tcp        --  anywhere             anywhere            state NEW tcp dpt:postgres
> REJECT     all        --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> #########
> ifconfig#
> #########
> [root@66-226-75-121 ~]# ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:30:48:5A:23:AD
>           inet addr:PUBLIC.IP  Bcast:PRIVATE.IP  Mask:255.255.255.0
>           inet6 addr: fe80::230:48ff:fe5a:23ad/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:11483924 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1140176 errors:9 dropped:0 overruns:0 carrier:9
>           collisions:43608 txqueuelen:10
>           RX bytes:1281610034 (1.1 GiB)  TX bytes:333308650 (317.8 MiB)
>           Base address:0xb800 Memory:fc9a0000-fc9c0000
>
> eth0:1    Link encap:Ethernet  HWaddr 00:30:48:5A:23:AD
>           inet addr:192.168.253.173  Bcast:192.168.253.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           Base address:0xb800 Memory:fc9a0000-fc9c0000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:7159692 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:7159692 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:502614478 (479.3 MiB)  TX bytes:502614478 (479.3 MiB)
>
> tun0      Link encap:UNSPEC  HWaddr O's
>           inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:0 (0.0 b)  TX bytes:492 (492.0 b)
>
> [root@papa ~]#
>
> ######################################
> FILE: iptables FROM: /etc/sysconfig/#
> ######################################
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type 8/0 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 106 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7505 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9008 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9080 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 60000:65000 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 138 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j DROP
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> #############
> Route-SERVER#
> #############
> [root@xxxxxxxxx ~]# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
> 66.213.75.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
> 192.168.253.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 0.0.0.0         66.226.75.1     0.0.0.0         UG    0      0        0 eth0
>
> #############
> Route-CLIENT#
> #############
> C:\Documents and Settings\dmassey>route print
>
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.6       1
>          10.8.0.1  255.255.255.255         10.8.0.5        10.8.0.6       1
>          10.8.0.4  255.255.255.252         10.8.0.6        10.8.0.6      30
>          10.8.0.6  255.255.255.255        127.0.0.1       127.0.0.1      30
>    10.255.255.255  255.255.255.255         10.8.0.6        10.8.0.6      30
>     66.226.75.121  255.255.255.255   172.21.216.254  172.21.216.195       1
>         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>    172.21.216.128  255.255.255.128   172.21.216.195  172.21.216.195      20
>    172.21.216.195  255.255.255.255        127.0.0.1       127.0.0.1      20
>    172.21.255.255  255.255.255.255   172.21.216.195  172.21.216.195      20
>         224.0.0.0        240.0.0.0         10.8.0.6        10.8.0.6      30
>         224.0.0.0        240.0.0.0   172.21.216.195  172.21.216.195      20
>   255.255.255.255  255.255.255.255         10.8.0.6               4       1
>   255.255.255.255  255.255.255.255         10.8.0.6               3       1
>   255.255.255.255  255.255.255.255         10.8.0.6        10.8.0.6       1
>   255.255.255.255  255.255.255.255   172.21.216.195  172.21.216.195       1
> Default Gateway:          10.8.0.5
> ===========================================================================
> Persistent Routes:
>   None
>
> ##########################################################
> SERVER: Fedora Core 4 (Public IP Address)
> CLIENT(S): Windows XP SP2
>
> I am a newbie, please have mercy on me and point me in the right direction.
>
> ISSUE: Server can ping client (10.8.0.6). Client can ping server (10.8.0.1).
> Client can not get on the internet through the VPN. As you can see above I do
> redirect-gateway. I am sure this has something to do with the dreaded iptables.
> I am trying to learn this stuff piece by piece, but I am missing something
> fundamental. I am sure I turned on forwarding. But I do not understand how to
> forward from tun0 to eth0 or even why you would need to or even if I need to.
> It could be routes perhaps. I just want to be able to browse the internet from
> my client through the VPN.
>
> I have searched this group, I have searched the net. I have seen the answer
> countless times I am sure, but I do not know enough to know what I am looking
> for.
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

--
Richard Quintin, DBA
Information Systems & Computing, DBMS
Virginia Tech
~ If you can laugh at it, then you can live with it.

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
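The reply above gives the single NAT rule. As an added example, written here by the editor and not taken from the thread or from the OpenVPN project, the script below renders the full set of server-side changes that rule implies and audits a saved ruleset for it. It assumes the 10.8.0.0/24 pool, tun0 and eth0 from the quoted configuration; the iptables-save excerpts inside it are constructed, the first mirroring the poster's filter-only ruleset. Two points worth checking on the poster's setup: the quoted /etc/sysconfig/iptables sends the FORWARD chain into RH-Firewall-1-INPUT, whose final rule is REJECT, so forwarded client traffic that is not to one of the listed ports is rejected even once NAT exists, and iptables 1.4.3 and later write the negation before the option (`! -d`), the `-d !` form in the reply being the older syntax. The `-o eth0` match keeps the rewrite to packets leaving the public interface, so traffic between VPN clients or into the tunnel keeps its real source address.

```shell
#!/bin/sh
# Added example, not code from the thread: render the NAT and forwarding
# configuration an OpenVPN server needs once it pushes "redirect-gateway",
# and audit a saved ruleset for the NAT rule. Subnet, interface names and
# the sample iptables-save text below are constructed for this example.

VPN_NET="10.8.0.0/24"   # the --ifconfig-pool range from the server config
TUN_IF="tun0"
WAN_IF="eth0"           # public-facing interface that carries masqueraded traffic

# Print (do not apply) the commands that turn the server into a NAT gateway
# for the VPN clients. Review the output before feeding it to a root shell.
render_rules() {
    net="$1"; tun="$2"; wan="$3"
    echo "sysctl -w net.ipv4.ip_forward=1"
    # iptables 1.4.3 and later want the negation before the option: "! -d".
    # -o limits the rewrite to packets leaving via the public interface, so
    # client-to-client and tunnel traffic keep their real source address.
    echo "iptables -t nat -A POSTROUTING -s $net ! -d $net -o $wan -j MASQUERADE"
    # The poster's FORWARD chain jumps into RH-Firewall-1-INPUT, whose last
    # rule is REJECT; insert explicit forward rules ahead of that jump.
    echo "iptables -I FORWARD 1 -i $tun -o $wan -s $net -j ACCEPT"
    echo "iptables -I FORWARD 2 -i $wan -o $tun -d $net -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# True when the kernel forwarding sysctl reads 1. The path argument exists
# so the check can be exercised against a file other than the live sysctl.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Read iptables-save output on stdin; succeed only if the nat table holds a
# POSTROUTING MASQUERADE or SNAT rule whose source is the VPN subnet.
has_vpn_nat() {
    awk -v net="$1" '
        /^[*]/ { table = substr($0, 2) }
        table == "nat" && index($0, "-A POSTROUTING") &&
            index($0, "-s " net) && $0 ~ /-j (MASQUERADE|SNAT)/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed iptables-save excerpts: the first mirrors the poster's saved
# ruleset (filter table only), the second adds the NAT rule rendered above.
SAVE_BEFORE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

SAVE_AFTER="$SAVE_BEFORE
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT"

# Report whether a named ruleset carries the VPN NAT rule.
audit_ruleset() {
    name="$1"; ruleset="$2"
    if printf '%s\n' "$ruleset" | has_vpn_nat "$VPN_NET"; then
        echo "$name: NAT rule for $VPN_NET present"
    else
        echo "$name: NAT rule for $VPN_NET missing"
    fi
}

# Stand-alone demonstration: show the rules, then audit both rulesets.
render_rules "$VPN_NET" "$TUN_IF" "$WAN_IF"
audit_ruleset SAVE_BEFORE "$SAVE_BEFORE"
audit_ruleset SAVE_AFTER "$SAVE_AFTER"
```

On a live server, `iptables-save | has_vpn_nat 10.8.0.0/24 && ip_forward_enabled` answers the poster's "I am sure I turned on forwarding" with evidence rather than memory, and `render_rules` prints what is missing without touching the ruleset.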