[Openvpn-users] OpenWRT and OpenVPN


  • Subject: [Openvpn-users] OpenWRT and OpenVPN
  • From: Josh Rivel <jrivel@xxxxxxxxxxxxxx>
  • Date: Thu, 20 Dec 2007 10:59:25 -0500

I'm trying to get my Linksys WRT54G (v2) running OpenWRT/X-WRT.  We use
username/password authentication against our AD servers internally; if I
run openvpn from the CLI on the Linksys I can connect with no problem and
access any of the networks at my job.

If I try to access them from a client connected to the Linksys (i.e. my
laptop) it never gets there.  A tcpdump on the tun0 interface does not
show any traffic being passed, so I'm sure it's just an iptables config
issue, but I can't seem to wrap my head around that convoluted syntax.

IP info:

laptop: 192.168.127.150 (assigned via dhcp)
linksys: 192.168.127.1 (br0), xx.xx.xx.xx (vlan1), assigned via DHCP
openvpn server: some.public.ip, 192.168.88.1 (tun0), 192.168.1.88 (pcn0)
internal network at work: 192.168.1.0

From the linksys I can ping 192.168.1.anything with no problems, but not
from the laptop.

Here is the output of "iptables-save" on the linksys (attached).

I've also attached the openvpn config file from the linksys as well and
the OpenVPN server.

If I OpenVPN in from the laptop it works fine as well, but I want to not
have to do that and have an "always on" site-to-site OpenVPN connection
between my Linksys and the OpenVPN server at work.

I don't really think it's an OpenVPN config issue, but an iptables
issue.

Thanks in advance,
Josh

# Generated by iptables-save v1.3.3 on Wed Dec 19 23:05:43 2007
*nat
:NEW - [0:0]
:PREROUTING ACCEPT [522:81069]
:POSTROUTING ACCEPT [43:3549]
:OUTPUT ACCEPT [76:5590]
:postrouting_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan - [0:0]
-A NEW -m limit --limit 50/sec --limit-burst 100 -j RETURN 
-A NEW -j DROP 
-A PREROUTING -p tcp -m state --state NEW -j NEW 
-A PREROUTING -j prerouting_rule 
-A PREROUTING -i vlan1 -j prerouting_wan 
-A POSTROUTING -j postrouting_rule 
-A POSTROUTING -o vlan1 -j MASQUERADE 
COMMIT
# Completed on Wed Dec 19 23:05:43 2007
# Generated by iptables-save v1.3.3 on Wed Dec 19 23:05:43 2007
*mangle
:PREROUTING ACCEPT [18408:5466624]
:INPUT ACCEPT [12013:1535014]
:FORWARD ACCEPT [6364:3927047]
:OUTPUT ACCEPT [12058:1279349]
:POSTROUTING ACCEPT [18366:5207373]
COMMIT
# Completed on Wed Dec 19 23:05:43 2007
# Generated by iptables-save v1.3.3 on Wed Dec 19 23:05:43 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [61:4168]
:LAN_ACCEPT - [0:0]
:OUTPUT DROP [0:0]
:forwarding_rule - [0:0]
:forwarding_wan - [0:0]
:input_rule - [0:0]
:input_wan - [0:0]
:output_rule - [0:0]
-A INPUT -i vlan1 -j ACCEPT 
-A INPUT -i vlan0 -j ACCEPT 
-A INPUT -i br0 -j ACCEPT 
-A INPUT -i br+ -j ACCEPT 
-A INPUT -i tun0 -j ACCEPT 
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp ! --tcp-option 2 --tcp-flags SYN SYN -j DROP 
-A INPUT -j input_rule 
-A INPUT -i vlan1 -j input_wan 
-A INPUT -j LAN_ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -p gre -j ACCEPT 
-A INPUT -p tcp -j REJECT --reject-with tcp-reset 
-A INPUT -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -i vlan+ -o tun+ -j ACCEPT 
-A FORWARD -m state --state INVALID -j DROP 
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -j forwarding_rule 
-A FORWARD -i vlan1 -j forwarding_wan 
-A FORWARD -i br0 -o br0 -j ACCEPT 
-A FORWARD -i br0 -o vlan1 -j ACCEPT 
-A LAN_ACCEPT -i vlan1 -j RETURN 
-A LAN_ACCEPT -j ACCEPT 
-A OUTPUT -m state --state INVALID -j DROP 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -j output_rule 
-A OUTPUT -j ACCEPT 
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset 
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable 
COMMIT
# Completed on Wed Dec 19 23:05:43 2007
# OpenVPN server config (attached)
local 192.168.1.88
port 1194
proto udp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 192.168.88.0 255.255.255.128
ifconfig-pool-persist /var/run/ipp-udp.txt
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.31 192.168.1.32"
push "dhcp-option DOMAIN somedomain.corp"
duplicate-cn
keepalive 10 120
comp-lzo
user _openvpn
group _openvpn
persist-key
persist-tun
status /var/log/openvpn-udp-status.log
log         /var/log/openvpn-udp.log
log-append  /var/log/openvpn-udp.log
verb 4
mute 20
plugin /usr/local/lib/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf
# OpenVPN client config from the Linksys (attached)
client
dev tun
proto udp
remote some.server 1194
ns-cert-type server
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
auth-user-pass
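The attached iptables-save output already shows why tcpdump on tun0 sees nothing: the FORWARD policy is DROP (its counter, [61:4168], is non-zero), and the only FORWARD rules that name the LAN bridge are br0 -> br0 and br0 -> vlan1, so a laptop packet for 192.168.1.0/24 that the routing table hands to tun0 is discarded before it reaches the tunnel. The rule "-A FORWARD -i vlan+ -o tun+ -j ACCEPT" does not cover the LAN, whose forwarded packets enter on br0 (exactly as the existing br0 -> vlan1 rule assumes). A second gap is the return path: the server config carries no "route"/"iroute" for 192.168.127.0/24, so replies addressed to a laptop IP would not be routed back through the tunnel unless the router masquerades LAN traffic behind its own tun0 address. The script below, an added example that is not part of Josh's post or of OpenWrt, audits a dump for those two rules and prints the two lines to add to /etc/firewall.user. It assumes the interface names from the post (br0, tun0) and the forwarding_rule / postrouting_rule user chains that the dump declares and jumps into; the dump excerpt embedded in it is a constructed subset of the attached output.

```shell
#!/bin/sh
# Added example, not code from the post or from OpenWrt: audit an
# iptables-save dump for the rules a LAN -> tun0 path needs and print
# the two lines to append to /etc/firewall.user.
# Assumptions: LAN bridge is br0, tunnel is tun0 (from the post); the
# user chains forwarding_rule / postrouting_rule exist (the attached
# dump declares them and jumps to them from FORWARD / POSTROUTING).
LAN_IF=br0
VPN_IF=tun0

# Constructed excerpt of the attached dump: only the lines that matter
# for forwarding between the LAN bridge and the tunnel.
SAMPLE_DUMP='*nat
:POSTROUTING ACCEPT [43:3549]
:postrouting_rule - [0:0]
-A POSTROUTING -j postrouting_rule
-A POSTROUTING -o vlan1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [61:4168]
:forwarding_rule - [0:0]
-A FORWARD -i vlan+ -o tun+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j forwarding_rule
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o vlan1 -j ACCEPT
COMMIT'

# has_rule DUMP REGEX: succeed if some line of DUMP matches REGEX.
has_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# missing_rules DUMP: print one line per required rule that is absent;
# prints nothing when the dump already carries both.
missing_rules() {
    dump=$1
    # LAN -> tunnel: without an ACCEPT the FORWARD policy (DROP) discards
    # the packet before it reaches tun0, so tcpdump on tun0 stays empty.
    # Replies are covered by the existing RELATED,ESTABLISHED rule.
    has_rule "$dump" "^-A (FORWARD|forwarding_rule) -i $LAN_IF -o $VPN_IF -j ACCEPT" \
        || echo "filter: no ACCEPT for $LAN_IF -> $VPN_IF in FORWARD"
    # Source NAT on the tunnel: the server has no route/iroute for the
    # 192.168.127.0/24 LAN, so replies to a laptop address would not come
    # back through the tunnel. Masquerading makes LAN traffic appear from
    # the router's own tun0 address, which the server already routes.
    has_rule "$dump" "^-A (POSTROUTING|postrouting_rule) -o $VPN_IF -j MASQUERADE" \
        || echo "nat: no MASQUERADE for traffic leaving on $VPN_IF"
}

# fix_rules: commands to append to /etc/firewall.user. They go into the
# user chains that FORWARD and POSTROUTING already jump to in the dump.
fix_rules() {
    echo "iptables -A forwarding_rule -i $LAN_IF -o $VPN_IF -j ACCEPT"
    echo "iptables -t nat -A postrouting_rule -o $VPN_IF -j MASQUERADE"
}

# apply_to_dump DUMP: what iptables-save would list after fix_rules ran,
# rewritten offline so the audit can be re-run without root or iptables.
apply_to_dump() {
    printf '%s\n' "$1"
    fix_rules | sed -e 's/^iptables -t nat //' -e 's/^iptables //'
}

# Stand-alone run: audit the sample, show the fix, audit again.
echo "== missing before fix =="
missing_rules "$SAMPLE_DUMP"
echo "== rules to add =="
fix_rules
echo "== missing after fix =="
missing_rules "$(apply_to_dump "$SAMPLE_DUMP")"
```

Two caveats a reviewer would raise on the same dump. First, "-A FORWARD -i vlan+ -o tun+ -j ACCEPT" accepts new connections arriving on the WAN side into the office tunnel and does nothing for the LAN; unless something on the WAN is meant to reach the office through this router, it is broader than needed and can be dropped. Second, MASQUERADE on tun0 hides the laptop's address from the office network; the alternative that preserves real source addresses is a "route 192.168.127.0 255.255.255.0" on the server plus an "iroute" for that network in a client-config-dir file, which is awkward here because the server runs with "duplicate-cn" and client-config-dir entries are keyed by certificate CN.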