
Re: [Openvpn-users] Success story (and some small complaints about the HOWTO)

  • Subject: Re: [Openvpn-users] Success story (and some small complaints about the HOWTO)
  • From: Les Mikesell <lesmikesell@xxxxxxxxx>
  • Date: Sat, 21 Jul 2007 14:46:59 -0500

Johannes Schindelin wrote:

> - on the server side, set up the forwarding rules (as root):
>         $ echo 1 > /proc/sys/net/ipv4/ip_forward
>         $ iptables -A INPUT -i tun0 -j ACCEPT
>         $ iptables -A FORWARD -i tun0 -j ACCEPT
>         $ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>   If you do not know what this is all about, it might be a good idea to 
>   google for it first.  (Yeah, I know this is lame, but I am just 
>   outlining what a HOWTO should contain from my POV.)

Note that OpenVPN itself is cross platform and those particular commands 
are Linux specific.

>   If the OpenVPN connection does not work, these settings are most likely 
>   wrong or incomplete.
> - Set up the server configuration on a port that your restricted box can 
>   connect to (such as 80 (HTTP), or 443 (HTTPS)):
>         cat > server.conf << EOF
>         proto tcp-server

You probably only want to use TCP here in cases where that is all you 
can get through some other firewall.

>         port 443

And you wouldn't be able to do that on a box running a web server with 

> It took me quite a while to realise that many parts were actually
> working, but I needed to _masquerade_ the client.  AFAICT this was not
> mentioned anywhere, and I felt like a complete moron that the
> QuickStart did not work for me.

You should have realized the tunnel itself was working when you could 
ping the endpoint address or connect to services on the server using 
that address.  Getting anywhere else and back is a matter of routing. I 
agree that masquerading with the server's ethernet address is likely to 
be the easiest way to handle routing, but you can't assume that it is 
always the right approach - or that the server only has one ethernet - 
or that it is running Linux.

> - IMHO it is wrong to start with UDP, since that is much more likely 
>   blocked than anything else.  That happened to me, too.

UDP will often work through a firewall if the destination has a known 
address and you use the keepalive option.  There's no particular reason 
to expect any inbound TCP ports to be open to a host that isn't running 
a service on those ports either.

   Les Mikesell
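An added example, not part of this thread or of OpenVPN itself, that turns the quoted Linux forwarding rules into a parameterised script: the tun interface, the outside interface and the VPN subnet are arguments (so a multi-homed server is not assumed), the accept and masquerade rules are limited to VPN-sourced traffic, and a return-path FORWARD rule is included for servers whose FORWARD policy is DROP. It assumes the iptables conntrack match is available; tun0, eth0 and 10.8.0.0/24 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the Linux forwarding/NAT rules
# for an OpenVPN server as text, parameterised by interface names and the
# VPN subnet, so nothing is applied until you choose to run it as root.
# Differences from the quoted rules: INPUT/FORWARD only accept traffic
# sourced from the VPN subnet, a FORWARD rule admits return traffic
# (needed when the FORWARD policy is DROP; assumes the conntrack match is
# available), and MASQUERADE is limited to VPN-sourced packets.
# tun0, eth0 and 10.8.0.0/24 below are constructed sample values.

# vpn_rules TUN_IF WAN_IF VPN_SUBNET -> prints one command per line
vpn_rules() {
    [ $# -eq 3 ] || { echo "usage: vpn_rules TUN_IF WAN_IF VPN_SUBNET" >&2; return 1; }
    tun="$1"; wan="$2"; net="$3"
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i $tun -s $net -j ACCEPT
iptables -A FORWARD -i $tun -o $wan -s $net -j ACCEPT
iptables -A FORWARD -i $wan -o $tun -d $net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
EOF
}

# apply_vpn_rules: DRY_RUN=1 (default) only shows what would run;
# DRY_RUN=0 executes each line (requires root and iptables).
apply_vpn_rules() {
    vpn_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "# would run: $cmd"
        else
            sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Dry run with the constructed sample values; set DRY_RUN=0 to apply.
apply_vpn_rules tun0 eth0 10.8.0.0/24
```

Run it once in dry-run mode and compare the printed rules with `iptables -L -v -n` and `iptables -t nat -L -v -n` on the server before applying them.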
