Re: [Openvpn-users] Bridged connection is successful but I cannot see the remote network [solved]


  • Subject: Re: [Openvpn-users] Bridged connection is successful but I cannot see the remote network [solved]
  • From: Ran Shishen <ranshishen@xxxxxxxxx>
  • Date: Wed, 04 Apr 2007 19:15:42 +0200

Everything works perfectly with the configuration below. One just 
unplugged the remote server by mistake. Solved.

Regards,

-- 
Ran Shishen

---

Ran Shishen wrote:
> Serge Wautier <serge <at> wautier.net> writes:
> 
>> Are you sure you're using a bridge? If it were the case, your VPN IP address
>> should be in the same subnet as your office LAN.
>>
>> Serge.
>> http://www.apptranslator.com
>>
> 
> Thank you Serge for your answer.
> 
> You were right: I misunderstood; I should use addresses from the same subnet. I
> can now ping my remote router from my home computer. Unfortunately I can't yet
> ping the other machines in the remote network. I assume it is due to some rules
> in my firewall configuration. Here are my firewall configuration files:
> 
> /etc/init.d/S35firewall
> 
> 	#!/bin/sh
> 
> 	## Please make changes in /etc/firewall.user
> 
> 	. /etc/functions.sh
> 	WAN="$(nvram get wan_ifname)"
> 	WANDEV="$(nvram get wan_device)"
> 	LAN="$(nvram get lan_ifname)"
> 
> 	## CLEAR TABLES
> 	for T in filter nat; do
> 	  iptables -t $T -F
> 	  iptables -t $T -X
> 	done
> 
> 	iptables -N input_rule
> 	iptables -N input_wan
> 	iptables -N output_rule
> 	iptables -N forwarding_rule
> 	iptables -N forwarding_wan
> 
> 	iptables -t nat -N NEW
> 	iptables -t nat -N prerouting_wan
> 	iptables -t nat -N prerouting_rule
> 	iptables -t nat -N postrouting_rule
> 
> 	iptables -N LAN_ACCEPT
> 	[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
> 	[ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
> 	iptables -A LAN_ACCEPT -j ACCEPT
> 
> 	### INPUT
> 	###  (connections with the router as destination)
> 
> 	  # base case
> 	  iptables -P INPUT DROP
> 	  iptables -A INPUT -m state --state INVALID -j DROP
> 	  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 	  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP
> 
> 	  #
> 	  # insert accept rule or to jump to new accept-check table here
> 	  #
> 	  iptables -A INPUT -j input_rule
> 	  iptables -A INPUT -i $WAN -j input_wan
> 
> 	  # allow
> 	  iptables -A INPUT -j LAN_ACCEPT       # allow from lan/wifi interfaces
> 	  iptables -A INPUT -p icmp     -j ACCEPT       # allow ICMP
> 	  iptables -A INPUT -p gre      -j ACCEPT       # allow GRE
> 
> 	  # reject (what to do with anything not allowed earlier)
> 	  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
> 	  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
> 
> 	### OUTPUT
> 	### (connections with the router as source)
> 
> 	  # base case
> 	  iptables -P OUTPUT DROP
> 	  iptables -A OUTPUT -m state --state INVALID -j DROP
> 	  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> 	  #
> 	  # insert accept rule or to jump to new accept-check table here
> 	  #
> 	  iptables -A OUTPUT -j output_rule
> 
> 	  # allow
> 	  iptables -A OUTPUT -j ACCEPT          #allow everything out
> 
> 	  # reject (what to do with anything not allowed earlier)
> 	  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
> 	  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
> 
> 	### FORWARDING
> 	### (connections routed through the router)
> 
> 	  # base case
> 	  iptables -P FORWARD DROP
> 	  iptables -A FORWARD -m state --state INVALID -j DROP
> 	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> 	  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> 
> 	  #
> 	  # insert accept rule or to jump to new accept-check table here
> 	  #
> 	  iptables -A FORWARD -j forwarding_rule
> 	  iptables -A FORWARD -i $WAN -j forwarding_wan
> 
> 	  # allow
> 	  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
> 	  iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
> 
> 	  # reject (what to do with anything not allowed earlier)
> 	  # uses the default -P DROP
> 
> 	### MASQ
> 	  iptables -t nat -A PREROUTING -m state --state NEW -j NEW
> 	  iptables -t nat -A PREROUTING -j prerouting_rule
> 	  iptables -t nat -A PREROUTING -i $WAN -j prerouting_wan
> 
> 	  iptables -t nat -A POSTROUTING -j postrouting_rule
> 	  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
> 
> 	  iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
> 		iptables -t nat -A NEW -j DROP
> 
> 	## USER RULES
> 	[ -f /etc/firewall.user ] && . /etc/firewall.user
> 	[ -e /etc/config/firewall ] && {
> 		awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall
> 	}
> 
> 	### VPN
> 
> 	  ### Allow SSH from WAN
> 	  iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
> 	  iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT
> 
> 	  ### Allow OpenVPN connections
> 	  iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT
> 	  iptables        -A input_rule      -i $WAN -p udp --dport 1194 -j ACCEPT
> 
> 
> /etc/firewall.user
> 
> 	#!/bin/sh
> 	# Copyright (C) 2006 OpenWrt.org
> 
> 	iptables -F input_rule
> 	iptables -F output_rule
> 	iptables -F forwarding_rule
> 	iptables -t nat -F prerouting_rule
> 	iptables -t nat -F postrouting_rule
> 
> 	# The following chains are for traffic directed at the IP of the
> 	# WAN interface
> 
> 	iptables -F input_wan
> 	iptables -F forwarding_wan
> 	iptables -t nat -F prerouting_wan
> 
> 	### Open port to WAN
> 	## -- This allows port 22 to be answered by (dropbear on) the router
> 	# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
> 	# iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT
> 
> 	### Port forwarding
> 	## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
> 	# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2
> 	# iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
> 
> 	### DMZ
> 	## -- Connections to ports not handled above will be forwarded to 192.168.1.2
> 	# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
> 	# iptables        -A forwarding_wan -d 192.168.1.2 -j ACCEPT
> 
> 
> 
> --
> Ran Shishen
> 
> 
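As an added example that is not part of the thread, here is a small Python audit that parses the `iptables` lines of an OpenWrt-style firewall script like the one quoted above and lists which ports the router itself accepts from the WAN interface (the script opens both 22/tcp and 1194/udp there). The sample rules are constructed from the script's VPN section, and the allow-list of services expected on the WAN is an assumption.

```python
import shlex

# Constructed sample: the VPN rules from the quoted S35firewall script plus one
# commented-out rule from firewall.user, so the parser has something to skip.
SAMPLE_RULES = """
### Allow SSH from WAN
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 22 -j ACCEPT
### Allow OpenVPN connections
iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT
iptables        -A input_rule      -i $WAN -p udp --dport 1194 -j ACCEPT
# iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT
"""

# Chains reached from INPUT in the script. input_wan is entered only via
# "INPUT -i $WAN -j input_wan", so its rules are WAN-facing without an "-i".
INPUT_CHAINS = {"INPUT", "input_rule", "input_wan"}
IMPLIED_WAN_CHAINS = {"input_wan"}

def parse_rule(line):
    """Return the options of one `iptables` command as a dict, or None."""
    argv = shlex.split(line, comments=True)   # drops '#' comments and blanks
    if not argv or argv[0] != "iptables":
        return None
    opts = {"table": "filter"}                # iptables defaults to -t filter
    flags = {"-t": "table", "-A": "chain", "-i": "in",
             "-p": "proto", "--dport": "dport", "-j": "target"}
    for i, tok in enumerate(argv[1:-1], start=1):
        if tok in flags:
            opts[flags[tok]] = argv[i + 1]
    return opts

def wan_accepts(script, wan_var="$WAN"):
    """(proto, port) pairs the router ACCEPTs for packets arriving on the WAN.
    Only the filter table counts: a nat-table ACCEPT never admits a packet."""
    exposed = set()
    for line in script.splitlines():
        r = parse_rule(line)
        if not r or r["table"] != "filter" or r.get("target") != "ACCEPT":
            continue
        if r.get("chain") not in INPUT_CHAINS:
            continue
        if r.get("in") == wan_var or r["chain"] in IMPLIED_WAN_CHAINS:
            exposed.add((r.get("proto"), r.get("dport")))
    return exposed

def unexpected_exposure(exposed, allowed=frozenset({("udp", "1194")})):
    """Services open on the WAN beyond the ones you meant to publish
    (assumed allow-list: only the OpenVPN port)."""
    return exposed - allowed
```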

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users