
Re: [Openvpn-users] Bridged connection is successfull but I cannot see the remote network


  • Subject: Re: [Openvpn-users] Bridged connection is successfull but I cannot see the remote network
  • From: Ran Shishen <ranshishen@xxxxxxxxx>
  • Date: Tue, 3 Apr 2007 21:02:23 +0000 (UTC)

Serge Wautier <serge <at> wautier.net> writes:

> 
> Are you sure you're using a bridge? If it were the case, your VPN IP address
> should be in the same subnet as your office LAN.
> 
> Serge.
> http://www.apptranslator.com
> 

Thank you Serge for your answer.

You were right: I misunderstood; I should use addresses from the same subnet. I
can now ping my remote router from my home computer. Unfortunately I can't yet
ping the other machines in the remote network. I assume it is due to some rules
in my firewall configuration. Here are my firewall configuration files:

/etc/init.d/S35firewall

	#!/bin/sh

	## Please make changes in /etc/firewall.user

	. /etc/functions.sh
	WAN="$(nvram get wan_ifname)"
	WANDEV="$(nvram get wan_device)"
	LAN="$(nvram get lan_ifname)"

	## CLEAR TABLES
	for T in filter nat; do
	  iptables -t $T -F
	  iptables -t $T -X
	done

	iptables -N input_rule
	iptables -N input_wan
	iptables -N output_rule
	iptables -N forwarding_rule
	iptables -N forwarding_wan

	iptables -t nat -N NEW
	iptables -t nat -N prerouting_wan
	iptables -t nat -N prerouting_rule
	iptables -t nat -N postrouting_rule

	iptables -N LAN_ACCEPT
	[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
	[ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
	iptables -A LAN_ACCEPT -j ACCEPT

	### INPUT
	###  (connections with the router as destination)

	  # base case
	  iptables -P INPUT DROP
	  iptables -A INPUT -m state --state INVALID -j DROP
	  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP

	  #
	  # insert accept rule or to jump to new accept-check table here
	  #
	  iptables -A INPUT -j input_rule
	  iptables -A INPUT -i $WAN -j input_wan

	  # allow
	  iptables -A INPUT -j LAN_ACCEPT       # allow from lan/wifi interfaces
	  iptables -A INPUT -p icmp     -j ACCEPT       # allow ICMP
	  iptables -A INPUT -p gre      -j ACCEPT       # allow GRE

	  # reject (what to do with anything not allowed earlier)
	  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
	  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

	### OUTPUT
	### (connections with the router as source)

	  # base case
	  iptables -P OUTPUT DROP
	  iptables -A OUTPUT -m state --state INVALID -j DROP
	  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

	  #
	  # insert accept rule or to jump to new accept-check table here
	  #
	  iptables -A OUTPUT -j output_rule

	  # allow
	  iptables -A OUTPUT -j ACCEPT          #allow everything out

	  # reject (what to do with anything not allowed earlier)
	  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
	  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

	### FORWARDING
	### (connections routed through the router)

	  # base case
	  iptables -P FORWARD DROP
	  iptables -A FORWARD -m state --state INVALID -j DROP
	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
	  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

	  #
	  # insert accept rule or to jump to new accept-check table here
	  #
	  iptables -A FORWARD -j forwarding_rule
	  iptables -A FORWARD -i $WAN -j forwarding_wan

	  # allow
	  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
	  iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

	  # reject (what to do with anything not allowed earlier)
	  # uses the default -P DROP

	### MASQ
	  iptables -t nat -A PREROUTING -m state --state NEW -j NEW
	  iptables -t nat -A PREROUTING -j prerouting_rule
	  iptables -t nat -A PREROUTING -i $WAN -j prerouting_wan

	  iptables -t nat -A POSTROUTING -j postrouting_rule
	  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

	  iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
		iptables -t nat -A NEW -j DROP

	## USER RULES
	[ -f /etc/firewall.user ] && . /etc/firewall.user
	[ -e /etc/config/firewall ] && {
		awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall
	}

	### VPN

	  ### Allow SSH from WAN
	  iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
	  iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT

	  ### Allow OpenVPN connections
	  iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT
	  iptables        -A input_rule      -i $WAN -p udp --dport 1194 -j ACCEPT


/etc/firewall.user

	#!/bin/sh
	# Copyright (C) 2006 OpenWrt.org

	iptables -F input_rule
	iptables -F output_rule
	iptables -F forwarding_rule
	iptables -t nat -F prerouting_rule
	iptables -t nat -F postrouting_rule

	# The following chains are for traffic directed at the IP of the
	# WAN interface

	iptables -F input_wan
	iptables -F forwarding_wan
	iptables -t nat -F prerouting_wan

	### Open port to WAN
	## -- This allows port 22 to be answered by (dropbear on) the router
	# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
	# iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT

	### Port forwarding
	## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
	# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2
	# iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT

	### DMZ
	## -- Connections to ports not handled above will be forwarded to 192.168.1.2
	# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
	# iptables        -A forwarding_wan -d 192.168.1.2 -j ACCEPT



--
Ran Shishen

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
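The two things worth checking on the router for the symptom described above (router reachable, LAN hosts not) are whether the OpenVPN tap interface is actually enslaved to the LAN bridge, and whether the FORWARD chain still carries the `-i br0 -o br0 -j ACCEPT` rule from the posted S35firewall. The following script is an added example, not code from the original post or from OpenWrt or OpenVPN. It assumes the bridge is `br0` (as in the posted script) and that the server's tap interface is called `tap0` (a hypothetical name; take it from the `dev` line of the server config). The `brctl show` and `iptables -S FORWARD` texts embedded in the script are constructed samples, not output captured from the poster's router.

```shell
#!/bin/sh
# Added diagnostic for a bridged (tap) OpenVPN server on an OpenWrt router.
# Not part of the original post. Assumptions: the LAN bridge is br0 (as in
# the posted script) and the OpenVPN tap interface is tap0 (hypothetical
# name; check "dev" in the server config).
BR="${BR:-br0}"
TAP="${TAP:-tap0}"

# bridge_has_port BRIDGE PORT
# Reads the output of "brctl show" on stdin and prints yes or no.
# brctl prints bridge name, id, STP flag and the first port on one line,
# and every further port of that bridge alone on a continuation line.
bridge_has_port() {
  awk -v br="$1" -v port="$2" '
    NR == 1 { next }                            # column header line
    NF >= 3 { cur = $1; p = (NF >= 4) ? $4 : "" }
    NF == 1 { p = $1 }                          # continuation line: port only
    cur == br && p == port { found = 1 }
    END { print (found ? "yes" : "no") }'
}

# forward_allows_bridge BRIDGE
# Reads the output of "iptables -S FORWARD" on stdin and prints yes if an
# ACCEPT rule for frames entering and leaving on the bridge is present,
# i.e. the "-i br0 -o br0 -j ACCEPT" rule the posted S35firewall installs.
forward_allows_bridge() {
  if grep -q -- "^-A FORWARD -i $1 -o $1 -j ACCEPT"; then
    echo yes
  else
    echo no
  fi
}

# Constructed sample data (not captured from the poster's router): a bridge
# with eth0 and tap0 enslaved, and a FORWARD chain like the posted one.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29aabbcc       no              eth0
                                                        tap0'

SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o vlan1 -j ACCEPT'

# diagnose BRCTL_TEXT FORWARD_TEXT
# Prints one line per check; returns 0 only if both checks pass.
diagnose() {
  ok=0
  inbr=$(printf '%s\n' "$1" | bridge_has_port "$BR" "$TAP")
  fwd=$(printf '%s\n' "$2" | forward_allows_bridge "$BR")
  echo "$TAP is a port of $BR: $inbr"
  echo "FORWARD accepts $BR -> $BR: $fwd"
  [ "$inbr" = yes ] || ok=1
  [ "$fwd" = yes ] || ok=1
  return $ok
}

# Without arguments, run against the constructed sample so the script can be
# read and tried anywhere; with --live, query the real router state.
if [ "${1:-}" = "--live" ]; then
  diagnose "$(brctl show)" "$(iptables -S FORWARD)"
else
  diagnose "$SAMPLE_BRCTL" "$SAMPLE_FORWARD"
fi
```

Run it on the router as `sh check-bridge.sh --live` (needs `brctl` and `iptables` on the path). Two caveats a practitioner should keep in mind when reading the result: on a kernel with sysfs, `[ -d /sys/class/net/br0/brif/tap0 ]` answers the first question without parsing `brctl` output at all; and frames switched between two ports of the same bridge only pass through the iptables FORWARD chain when bridge-netfilter is active, so if the tap is not a member of `br0` no FORWARD rule will help, and if it is a member the `-i br0 -o br0` rule is what keeps bridge-netfilter, where enabled, from dropping that traffic under the `-P FORWARD DROP` policy.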