On Tue, 05 Jun 2007 09:04:33 -0500,
Josh Cepek <josh.cepek@xxxxxxx> wrote:
> Since you are using a routed VPN, your 192.168.200.0/24 network needs
> to have a route to 10.8.0.0/24 on the default gateway. For example,
> if computers on the network where the VPN server is use
> 192.168.200.1 as the gateway, that device must have a routing rule to
> send traffic bound for 10.8.0.x to the VPN server's IP address.
> Additionally, IP-forwarding must be enabled on the VPN server,
> otherwise it will not pass packets back and forth between VPN clients
> and hosts on its network. Finally, any firewall rules on the VPN
> server must be configured to allow packets to flow between the two
> networks.
>
> Josh
Thanks indeed. My gateway is an appliance firewall, so I set up a route
that "routes" all packets for all services that come from the internal
LAN and are directed to the 10.8.0.0/24 subnet to the VPN-SERVER
(192.168.200.111).
Then I wrote a rule to allow any packet destined to 10.8.0.0/24.
That's ok. That's one step ahead :)
Now the VPN client can resolve names by contacting the DNS server I
"pushed" (192.168.200.95), but any other communication gets dropped.
The only packets passing are those from/to the DNS (I can see in the
firewall log the packets on port 53 being accepted and ping packets
being dropped).
This is the DNS lookup:
CONNECTED rule:ALLOW_VPN_INT from:192.168.200.95 to:10.8.0.6 UDP 53
This is the ping:
DROPPED rule:LogOpenFails from:192.168.200.95 to:10.8.0.6 ICMP reason:no_new_conn_for_this_packet
Moreover, I get a message on the VPN-SERVER reporting:
MULTI: bad source address from client (192.168.1.204) <--- this is the
client address in its private LAN.
I followed the instructions in the OpenVPN FAQs about this message
(created the ccd with a client CN file containing the iroute directive)
but the message is showing again...
Again, thanks for helping!
Cheers ;)
--
Ernesto Franchini <ernesto.franchini@xxxxxxxxxxx>
Linux System Administrator :: IT Office
Prodigit SRL
Via Mecenate 76/9 - 20138 Milano
Tel. 02/509081 - Fax. 02/50908080
www.prodigit.it
ASCII ribbon campaign against HTML email & vCards
"The grabbing hands grab all they can, everything counts in large amounts"
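As an added example (not part of this thread and not OpenVPN project code), the following POSIX shell script turns the three prerequisites Josh lists (a route for 10.8.0.0/24 on the default gateway, IP forwarding on the VPN server, firewall rules that let the two networks talk) into checks over the output of the usual commands, and prints the server.conf and ccd fragments that pair "route" with "iroute": OpenVPN only honours a ccd "iroute" for a client's LAN when "client-config-dir" is set and a matching "route" directive exists in the server config. The addresses are the thread's own (10.8.0.0/24, 192.168.200.0/24, VPN server 192.168.200.111, DNS 192.168.200.95, client LAN 192.168.1.0/24); the interface names tun0/eth0, the ccd path and the sample command output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the three prerequisites of a
# routed OpenVPN setup plus the server.conf / ccd pairing that lets the server
# accept packets coming from a client's own LAN.
# Addresses are the thread's; tun0/eth0, the ccd path and the sample outputs
# below are assumptions.

# 1. IP forwarding: $1 is the value read from /proc/sys/net/ipv4/ip_forward.
check_ip_forward() {
    [ "$1" = "1" ]
}

# 2. Gateway route: $1 is the text of `ip route show` taken on the default
# gateway, $2 the destination prefix, $3 the next hop that must own it.
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v g="$3" '
        $1 == d && $2 == "via" && $3 == g { found = 1 }
        END { exit !found }'
}

# 3. Firewall: $1 is the text of `iptables -S FORWARD` on the VPN server;
# succeed only if an ACCEPT rule exists from interface $2 to interface $3.
forward_allowed() {
    printf '%s\n' "$1" | awk -v i="$2" -v o="$3" '
        $1 == "-A" && $2 == "FORWARD" {
            mi = 0; mo = 0; mj = 0
            for (n = 3; n < NF; n++) {
                if ($n == "-i" && $(n + 1) == i) mi = 1
                if ($n == "-o" && $(n + 1) == o) mo = 1
                if ($n == "-j" && $(n + 1) == "ACCEPT") mj = 1
            }
            if (mi && mo && mj) found = 1
        }
        END { exit !found }'
}

# Run all checks; prints one line per check and fails if any check fails.
# Arguments: ip_forward value, gateway route table, FORWARD chain dump.
audit_routed_vpn() {
    rc=0
    if check_ip_forward "$1"; then echo "PASS ip_forward=1 on VPN server"
    else echo "FAIL ip_forward is not 1 on VPN server"; rc=1; fi
    if has_route "$2" 10.8.0.0/24 192.168.200.111; then
        echo "PASS gateway routes 10.8.0.0/24 via 192.168.200.111"
    else echo "FAIL gateway has no route for 10.8.0.0/24 via the VPN server"; rc=1; fi
    if forward_allowed "$3" tun0 eth0 && forward_allowed "$3" eth0 tun0; then
        echo "PASS FORWARD chain accepts tun0<->eth0 in both directions"
    else echo "FAIL FORWARD chain blocks traffic between tun0 and eth0"; rc=1; fi
    return $rc
}

# server.conf lines needed so that a client's LAN ($1/$2) is known to both
# the kernel (route) and OpenVPN (client-config-dir + per-client iroute).
server_conf_fragment() {
    printf 'server 10.8.0.0 255.255.255.0\n'
    printf 'push "route 192.168.200.0 255.255.255.0"\n'
    printf 'push "dhcp-option DNS 192.168.200.95"\n'
    printf 'route %s %s\n' "$1" "$2"                 # kernel route via the tun device
    printf 'client-config-dir /etc/openvpn/ccd\n'  # assumed path
}
# Contents of /etc/openvpn/ccd/<client CN>: the matching iroute.
ccd_entry() {
    printf 'iroute %s %s\n' "$1" "$2"
}

# Constructed sample inputs (what the three commands might print).
SAMPLE_IP_FORWARD=1
SAMPLE_ROUTES='default via 192.168.200.1 dev eth0
10.8.0.0/24 via 192.168.200.111 dev eth0
192.168.200.0/24 dev eth0 proto kernel scope link src 192.168.200.1'
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT'

audit_routed_vpn "$SAMPLE_IP_FORWARD" "$SAMPLE_ROUTES" "$SAMPLE_FORWARD"
echo "--- server.conf fragment ---"; server_conf_fragment 192.168.1.0 255.255.255.0
echo "--- ccd/<client CN> ---";     ccd_entry 192.168.1.0 255.255.255.0
```

On a real host the three inputs come from "cat /proc/sys/net/ipv4/ip_forward" on the VPN server, "ip route show" on the default gateway, and "iptables -S FORWARD" on the VPN server; the audit function is deliberately fed text so it can be run against saved output from a box you do not have a shell on right now.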