Great suggestion and I really appreciate the response! I ran that command and unfortunately I still have the same issue: unable to browse the internet via IP or domain name. I am looking at the log on OpenVPN and I see items similar to the below after I have connected, while trying to browse.

Sat Aug 5 05:47:40 2006 us=709832 dmassey/24.158.96.58:12651 MULTI: bad source address from client [172.21.216.195], packet dropped
Sat Aug 5 05:47:41 2006 us=164154 dmassey/24.158.96.58:12651 MULTI: bad source address from client [172.21.216.195], packet dropped
Sat Aug 5 05:47:47 2006 us=368958 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Sat Aug 5 05:47:57 2006 us=441700 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

-----Original Message-----
From: Richard Quintin [mailto:rjqjunk@xxxxxx]
Sent: Friday, August 04, 2006 7:59 AM
To: Massey, David
Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] Network/NAT/Route-Internet Help Please

Probably what you want is something like this

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -d ! 10.8.0.0/24 -j MASQUERADE

David wrote:
>
> Setup:
> #############
> #Server.conf#
> #############
> port 1194
> dev tun
>
> # Use "local" to set the source address on multi-homed hosts
> #local [IP address]
>
> # TLS parms
> tls-server
> ca DMDM.crt
> cert serverA.crt
> key serverA.key
> dh DMDM.pem
>
> # Tell OpenVPN to be a multi-client udp server
> mode server
>
> # The server's virtual endpoints
> ifconfig 10.8.0.1 10.8.0.2
>
> # Pool of /30 subnets to be allocated to clients.
> # When a client connects, an --ifconfig command
> # will be automatically generated and pushed back to
> # the client.
> ifconfig-pool 10.8.0.4 10.8.0.255
>
> # Push route to client to bind it to our local
> # virtual endpoint.
> push "route 10.8.0.1 255.255.255.255"
> push "redirect-gateway"
>
> # Push any routes the client needs to get in
> # to the local network.
> ;push "route 192.168.0.0 255.255.255.0"
>
> # Push DHCP options to Windows clients.
> ;push "dhcp-option DOMAIN example.com"
> ;push "dhcp-option DNS 192.168.0.1"
> ;push "dhcp-option WINS 192.168.0.1"
>
> # Client should attempt reconnection on link
> # failure.
> keepalive 10 60
>
> # Delete client instances after some period
> # of inactivity.
> inactive 600
>
> # Route the --ifconfig pool range into the
> # OpenVPN server.
> route 10.8.0.0 255.255.255.0
>
> # The server doesn't need privileges
> user openvpn
> group openvpn
>
> # Keep TUN devices and keys open across restarts.
> persist-tun
> persist-key
>
> management localhost 7505
>
> verb 4
>
> #############
> #client.conf#
> #############
> port 1194
> dev tun
> remote PUBLIC.IP 1194
>
> # TLS parms
> tls-client
> ca DMDM.crt
> cert dmassey.crt
> key dmassey.key
>
> # This parm is required for connecting
> # to a multi-client server. It tells
> # the client to accept options which
> # the server pushes to us.
> pull
>
> # Scripts can be used to do various
> # things (change nameservers, for
> # example).
> #up scripts/ifup-post
> #down scripts/ifdown-post
>
> verb 4
>
> ################
> iptables --list#
> ################
> [root@papa ~]# iptables --list
> Chain FORWARD (policy ACCEPT)
> target               prot       opt source      destination
> RH-Firewall-1-INPUT  all        --  anywhere    anywhere
> ACCEPT               all        --  anywhere    anywhere
>
> Chain INPUT (policy ACCEPT)
> target               prot       opt source      destination
> RH-Firewall-1-INPUT  all        --  anywhere    anywhere
> ACCEPT               all        --  anywhere    anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target               prot       opt source      destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target               prot       opt source      destination
> ACCEPT               all        --  anywhere    anywhere
> ACCEPT               icmp       --  anywhere    anywhere      icmp type 8 code 0
> ACCEPT               ipv6-crypt --  anywhere    anywhere
> ACCEPT               ipv6-auth  --  anywhere    anywhere
> ACCEPT               udp        --  anywhere    224.0.0.251   udp dpt:5353
> ACCEPT               udp        --  anywhere    anywhere      udp dpt:ipp
> ACCEPT               all        --  anywhere    anywhere      state RELATED,ESTABLISHED
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:ftp
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:ssh
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:smtp
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:domain
> ACCEPT               udp        --  anywhere    anywhere      state NEW udp dpt:domain
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:http
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:poppassd
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:pop3
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:imap
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:https
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:smtps
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:imaps
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:pop3s
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:1194
> ACCEPT               udp        --  anywhere    anywhere      state NEW udp dpt:1194
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:7505
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:webcache
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:8443
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:9008
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpt:9080
> ACCEPT               tcp        --  anywhere    anywhere      state NEW tcp dpts:60000:65000
> DROP                 tcp        --  anywhere    anywhere      state NEW tcp dpt:netbios-ns
> DROP                 tcp        --  anywhere    anywhere      state NEW tcp dpt:netbios-dgm
> DROP                 tcp        --  anywhere    anywhere      state NEW tcp dpt:netbios-ssn
> DROP                 tcp        --  anywhere    anywhere      state NEW tcp dpt:microsoft-ds
> DROP                 tcp        --  anywhere    anywhere      state NEW tcp dpt:mysql
> DROP                 tcp        --  anywhere    anywhere      state NEW tcp dpt:postgres
> REJECT               all        --  anywhere    anywhere      reject-with icmp-host-prohibited
>
> #########
> ifconfig#
> #########
> [root@66-226-75-121 ~]# ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:30:48:5A:23:AD
>           inet addr:PUBLIC.IP  Bcast:PRIVATE.IP  Mask:255.255.255.0
>           inet6 addr: fe80::230:48ff:fe5a:23ad/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:11483924 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1140176 errors:9 dropped:0 overruns:0 carrier:9
>           collisions:43608 txqueuelen:10
>           RX bytes:1281610034 (1.1 GiB)  TX bytes:333308650 (317.8 MiB)
>           Base address:0xb800 Memory:fc9a0000-fc9c0000
>
> eth0:1    Link encap:Ethernet  HWaddr 00:30:48:5A:23:AD
>           inet addr:192.168.253.173  Bcast:192.168.253.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           Base address:0xb800 Memory:fc9a0000-fc9c0000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:7159692 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:7159692 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:502614478 (479.3 MiB)  TX bytes:502614478 (479.3 MiB)
>
> tun0      Link encap:UNSPEC  HWaddr 0's
>           inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:0 (0.0 b)  TX bytes:492 (492.0 b)
>
> [root@papa ~]#
>
> ######################################
> FILE: iptables FROM: /etc/sysconfig/#
> ######################################
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type 8/0 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 106 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1194 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7505 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9008 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9080 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 60000:65000 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 137 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 138 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5432 -j DROP
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> #############
> Route-SERVER#
> #############
> [root@xxxxxxxxx ~]# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
> 66.213.75.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
> 192.168.253.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 0.0.0.0         66.226.75.1     0.0.0.0         UG    0      0        0 eth0
>
> #############
> Route-CLIENT#
> #############
> C:\Documents and Settings\dmassey>route print
>
> Active Routes:
> Network Destination        Netmask          Gateway         Interface  Metric
>           0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.6       1
>          10.8.0.1  255.255.255.255         10.8.0.5        10.8.0.6       1
>          10.8.0.4  255.255.255.252         10.8.0.6        10.8.0.6      30
>          10.8.0.6  255.255.255.255        127.0.0.1       127.0.0.1      30
>    10.255.255.255  255.255.255.255         10.8.0.6        10.8.0.6      30
>     66.226.75.121  255.255.255.255   172.21.216.254  172.21.216.195       1
>         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
>    172.21.216.128  255.255.255.128   172.21.216.195  172.21.216.195      20
>    172.21.216.195  255.255.255.255        127.0.0.1       127.0.0.1      20
>    172.21.255.255  255.255.255.255   172.21.216.195  172.21.216.195      20
>         224.0.0.0        240.0.0.0         10.8.0.6        10.8.0.6      30
>         224.0.0.0        240.0.0.0   172.21.216.195  172.21.216.195      20
>   255.255.255.255  255.255.255.255         10.8.0.6               4       1
>   255.255.255.255  255.255.255.255         10.8.0.6               3       1
>   255.255.255.255  255.255.255.255         10.8.0.6        10.8.0.6       1
>   255.255.255.255  255.255.255.255   172.21.216.195  172.21.216.195       1
> Default Gateway:          10.8.0.5
> ===========================================================================
> Persistent Routes:
>   None
>
> ##########################################################
> SERVER: Fedora Core 4 (Public IP Address)
> CLIENT(S): Windows XP SP2
>
> I am a newbie, please have mercy on me and point me in the right direction.
>
> ISSUE: Server can ping client (10.8.0.6). Client can ping server (10.8.0.1).
> Client can not get on the internet through the VPN. As you can see above I do
> redirect-gateway. I am sure this has something to do with the dreaded iptables.
> I am trying to learn this stuff piece by piece, but I am missing something
> fundamental. I am sure I turned on forwarding. But I do not understand how to
> forward from tun0 to eth0, or even why you would need to, or even if I need to.
> It could be routes perhaps. I just want to be able to browse the internet from
> my client through the VPN.
>
> I have searched this group, I have searched the net. I have seen the answer
> countless times I am sure, but I do not know enough to know what I am looking
> for.
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

--
Richard Quintin, DBA
Information Systems & Computing, DBMS
Virginia Tech
~ If you can laugh at it, then you can live with it.
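The script below is an added example; it is not code from this thread or from the OpenVPN project. It checks, from an iptables-save dump and the server log, the two things a redirect-gateway server needs on the Linux side besides the routes already shown: a NAT rule in the nat table so that replies from the Internet can be mapped back to the tunnel (the posted /etc/sysconfig/iptables has a *filter table only), and a FORWARD path from tun0 to the public interface that is not swallowed by a chain ending in REJECT. It also summarises the "MULTI: bad source address from client [...]" lines, which are OpenVPN's own message: the server drops, before any iptables rule sees it, a packet whose source IP it has not associated with that client (its pool address, or a network granted with iroute); in the log above that source is 172.21.216.195, the client's LAN address. Assumptions: the pool is 10.8.0.0/24 on tun0 as in the posted server.conf; eth0 is taken to be the public interface, which the thread never names; all function names and the sample input are mine.

```shell
#!/bin/sh
# Added example (not from the thread): audit the Linux side of an OpenVPN
# redirect-gateway setup that pings fine but cannot reach the Internet.
# Assumed values: the thread's pool 10.8.0.0/24 on tun0; eth0 is assumed to
# be the public interface (the thread never names it).
VPN_NET='10.8.0.0/24'
TUN_IF='tun0'
WAN_IF='eth0'

# Rules a redirect-gateway server needs. Review them, then run as root.
# "-I FORWARD 1" puts them ahead of a distro chain (such as RH-Firewall-1-INPUT)
# that FORWARD may jump to and that ends in REJECT.
vpn_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
iptables -I FORWARD 1 -i $WAN_IF -o $TUN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 1 -i $TUN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
EOF
}

# ipt_table TABLE FILE: print one table (nat, filter, ...) of an iptables-save dump.
ipt_table() { awk -v t="*$1" '$0 == t { p = 1; next } p && /^COMMIT/ { exit } p' "$2"; }

# vpn_ip_forward_on [FILE]: true when the kernel forwarding flag reads 1.
vpn_ip_forward_on() { [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]; }

# vpn_audit FILE: one finding per line for an iptables-save dump; silent when it looks right.
vpn_audit() {
  net_re=$(printf '%s' "$VPN_NET" | sed 's/\./\\./g')
  if ! ipt_table nat "$1" | grep -Eq "^-A POSTROUTING .*-s $net_re .*-j (MASQUERADE|SNAT)"; then
    echo "nat: no POSTROUTING MASQUERADE/SNAT for $VPN_NET; Internet replies cannot be mapped back to the tunnel"
  fi
  if ! ipt_table filter "$1" | grep -Eq "^-A FORWARD .*-i $TUN_IF .*-j ACCEPT"; then
    echo "filter: no explicit FORWARD accept for $TUN_IF; forwarding depends on the policy and whatever FORWARD jumps to"
  fi
}

vpn_problem_count() { vpn_audit "$1" | wc -l | tr -d ' '; }

# vpn_bad_sources LOG: summarise "MULTI: bad source address from client [IP]" lines.
# OpenVPN drops such packets itself, before the kernel sees them, so no firewall
# rule can help; the fix is on the client side or with an iroute for that network.
# Output: common_name source_ip count
vpn_bad_sources() {
  awk '/MULTI: bad source address from client \[/ {
         cn = ""
         for (i = 2; i <= NF; i++) if ($i == "MULTI:") { cn = $(i - 1); break }
         sub(/\/.*/, "", cn)                     # dmassey/24.158.96.58:12651 -> dmassey
         if (match($0, /client \[[^]]*\]/)) {
           ip = substr($0, RSTART + 8, RLENGTH - 9)
           n[cn " " ip]++
         }
       }
       END { for (k in n) print k, n[k] }' "$1" | sort
}

# Constructed sample input modelled on the thread: a filter-only dump (no *nat
# table, FORWARD handed to a chain that ends in REJECT) and three log lines.
vpn_sample_dump() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}
vpn_sample_log() {
  cat <<'EOF'
Sat Aug 5 05:47:40 2006 us=709832 dmassey/24.158.96.58:12651 MULTI: bad source address from client [172.21.216.195], packet dropped
Sat Aug 5 05:47:41 2006 us=164154 dmassey/24.158.96.58:12651 MULTI: bad source address from client [172.21.216.195], packet dropped
Sat Aug 5 05:47:47 2006 us=368958 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
EOF
}

# Stand-alone run on the sample. Real use: iptables-save > dump; vpn_audit dump
vpn_demo() {
  d=$(mktemp -d)
  vpn_sample_dump > "$d/dump"; vpn_sample_log > "$d/log"
  echo "== findings";             vpn_audit "$d/dump"
  echo "== bad source addresses"; vpn_bad_sources "$d/log"
  echo "== rules to apply";       vpn_rules
  rm -rf "$d"
}
vpn_demo
```

The MASQUERADE rule printed by vpn_rules selects on the outgoing interface (-o eth0) rather than on the destination as Richard's one-liner does; both forms work, the point is that it has to live in the nat table, which the posted /etc/sysconfig/iptables does not contain at all. Running iptables-save on the server and passing the dump to vpn_audit shows whether that table exists after the rule has been added, and vpn_bad_sources shows whether the drops in the log stop once the client only sends with its tunnel address.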