Re: [Openvpn-users] RV: help with setting up first vpn, some urgency!


  • Subject: Re: [Openvpn-users] RV: help with setting up first vpn, some urgency!
  • From: "Dave" <dmehler26@xxxxxxxxxx>
  • Date: Thu, 20 Dec 2007 16:24:32 -0500

Hello,
    I'm sure I've got a snafu in my setup somewhere, and I'm hoping it's not the
firewall. I'm more familiar with FreeBSD's pf than Linux's iptables, and that's
where the OpenVPN is currently at, so that's what I'll give you.
    On my LAN router, the .254 address, in its pf.conf I have:

ext_if = "xl0"
int_if = "dc0"
tcp_state = "flags S/SA keep state"
int_net = $int_if:network
vpn_server = "192.168.0.3"

# masquerade everything leaving the outside interface
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# forward OpenVPN (UDP 1194) arriving on the outside interface to the VPN host
rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn_server port 1194

# block-by-default policy, so both legs of the forwarded flow are passed explicitly
pass in on $ext_if inet proto udp from any to $vpn_server port 1194 keep state
pass out quick on $int_if inet proto udp from any to $vpn_server port 1194 keep state


Those rules take the port 1194 traffic to the .3 machine. I am using a
block-by-default policy, so that's why I have two rules there. This box, the .3
machine, is also the Samba server; its pf.conf file has these rules:

ext_if = "vr0"
udp_services = "{ domain, bootpc, ntp, 1194 }"
tcp_state = "flags S/SA keep state"

# allow in udp services (dhcp, dns, ntp etc)
# no direction is given, so this matches both in and out, for tcp as well as udp
pass quick on $ext_if inet proto { tcp, udp } from any to any port $udp_services $tcp_state

# allow samba traffic
pass in quick on $ext_if inet proto tcp from any to $ext_if port 135 $tcp_state
pass in quick on $ext_if inet proto tcp from any to $ext_if port 139 $tcp_state
pass in quick on $ext_if inet proto tcp from any to $ext_if port 445 $tcp_state
pass in quick on $ext_if inet proto udp from any to $ext_if port 137 keep state
pass in quick on $ext_if inet proto udp from any to $ext_if port 138 keep state
# $broadcast is not defined anywhere in the excerpt shown here
pass quick on $ext_if from ($ext_if) to $broadcast
pass quick on $ext_if from $ext_if:network to $broadcast
pass quick on $ext_if inet proto udp from $ext_if:network port 137 to $ext_if:broadcast keep state
pass quick on $ext_if inet proto udp from $ext_if:network port 138 to $ext_if:broadcast keep state
pass out quick on $ext_if inet proto udp from $ext_if to $ext_if:network port 137 keep state
pass out quick on $ext_if inet proto udp from $ext_if to $ext_if:network port 138 keep state

# VPN interfaces: everything allowed on the tunnel itself
pass quick on tun0 all
pass quick on tap0 all

Thanks, and again some urgency!
Dave.

----- Original Message ----- 
From: "Damian Rivas" <damian@xxxxxxxxxx>
To: <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Thursday, December 20, 2007 3:01 PM
Subject: [Openvpn-users] RV: help with setting up first vpn, some urgency!


> If the data enters but doesn't return, it is probably a firewall issue.
> Have you checked that you are letting traffic out on the tun interface?
> Send your firewall rules for the VPN to the list and let's check them
> out.
>
> Regards.-
> Damian
>
> -----Original Message-----
> From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx
> [mailto:openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Dave
> Sent: Thursday, 20 December 2007 02:05 p.m.
> To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: [Openvpn-users] help with setting up first vpn, some urgency!
>
>
> Hello,
>    I need some assistance with setting up my first VPN, and there is
> some urgency in it, as I'm going to be going out of town for the
> holidays and am going to need it.
>    I've read the docs and the book, and I've got keys generated and I
> can connect from a remote client in routed mode. If I try in bridge
> mode I get a "Can not connect to client connection failed" msg. The
> bridge mode connection was attempted from an XP Home client.
>    My goal is to be able to set up a VPN remotely, remote in, and
> access my Samba shares and my test and development web server as if I
> was here.
>    The problem is when I connect I can ping, but I don't get anything
> back. A tcpdump on the interface on the LAN PC where the VPN server is
> shows the packets coming in but not going out. Trying to query my
> LAN's local nameserver times out; that can't be located.
>    Let me give you some information. I'm going to be using either a
> roaming laptop or a fixed desktop box, both of which will be remote to
> my network. Let's say for the sake of example that the laptop will
> have an IP of 2.3.4.5 and the desktop will have the IP of 3.4.5.6. My
> internal LAN IP range is 192.168.0.0/24 and the VPN server (I've
> tried this twice) will either be on a CentOS box or a FreeBSD box, at
> either .3 or .4 in that range. The DNS server/LAN gateway box is
> .254. My VPN range is 10.8.0.0/24 in routed mode; if I can get bridge
> mode going I'll put it in my LAN range.
>    As I said, I've tried both: I can connect in routed mode, and get
> the error about connecting to client failed in bridge. The Samba
> server and the test web server are both on the same box; depending on
> which box the VPN server is on it might or might not be the same
> machine, depending on which is easier to set up.
>    If anyone can help I can create accounts where needed with sudo and
> I can supply client keys.
>    Any additional information, let me know.
>    As I said there is some urgency, as I can only test this remotely
> and I won't be remote until I leave; if it doesn't work I'm out of luck.
>    Any help much appreciated.
> Dave.
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2005.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>

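The thread above describes a routed (tun) OpenVPN server behind a pf router, with packets reaching the server but replies never coming back. What follows is a worked configuration for that layout, added here as an example; it is not taken from any message in this thread and not from the OpenVPN project. It assumes the addresses and interfaces the thread names (router 192.168.0.254 with xl0 outside and dc0 inside, VPN and Samba host 192.168.0.3 on vr0, LAN 192.168.0.0/24, VPN pool 10.8.0.0/24, UDP 1194) and the separate nat/rdr pf syntax FreeBSD shipped in 2007. The macro names, the static route, the nat alternative and the file paths are my choices, not something the thread states.

```conf
# Added example, not from any message in this thread. Assumes the addresses
# and interfaces the thread names: router 192.168.0.254 (xl0 outside, dc0
# inside), VPN + Samba host 192.168.0.3 (vr0), LAN 192.168.0.0/24, VPN pool
# 10.8.0.0/24, OpenVPN on UDP 1194, routed (tun) mode. Macro names, the
# static route, the nat alternative and file paths are my choices.

# ===== 1. /etc/pf.conf on the LAN router (192.168.0.254) =====
ext_if     = "xl0"
int_if     = "dc0"
vpn_server = "192.168.0.3"
vpn_net    = "10.8.0.0/24"

set skip on lo0
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# rdr applies to packets arriving on $ext_if; match only our outside address
rdr on $ext_if inet proto udp from any to ($ext_if) port 1194 -> $vpn_server port 1194

block all
# pf of this era filters after translation, so the inside address is what we pass
pass in  on $ext_if inet proto udp from any to $vpn_server port 1194 keep state
pass out on $int_if inet proto udp from any to $vpn_server port 1194 keep state
# VPN clients are pushed this box as resolver (section 4), so let them query it
# (rules for the LAN hosts' own traffic are not shown)
pass in  on $int_if inet proto { tcp, udp } from $vpn_net to ($int_if) port domain keep state

# ===== 2. /etc/rc.conf on the LAN router: return route for the VPN pool =====
# Without it, LAN hosts and this router answer a 10.8.0.x client via their
# default route, which has no path to tun0: requests arrive, replies vanish.
# The alternative is the commented nat rule in section 3.
static_routes="vpn"
route_vpn="-net 10.8.0.0/24 192.168.0.3"

# ===== 3. /etc/pf.conf on the VPN / Samba host (192.168.0.3) =====
ext_if  = "vr0"
vpn_if  = "tun0"
lan_net = "192.168.0.0/24"
vpn_net = "10.8.0.0/24"

set skip on lo0
# Instead of the static route in section 2: hide VPN clients behind this
# host's LAN address so every LAN host already knows where to reply.
# nat on $ext_if inet from $vpn_net to $lan_net -> ($ext_if)

block all
# the OpenVPN channel as redirected by the router
pass in  on $ext_if inet proto udp from any to ($ext_if) port 1194 keep state
# decrypted client traffic enters on tun0 and must also be let OUT on the LAN
# side; a "pass on tun0 all" alone never touches the vr0 out direction
pass in  on $vpn_if inet from $vpn_net keep state
pass out on $vpn_if inet keep state
pass out on $ext_if inet from $vpn_net to $lan_net keep state
# this host's own traffic (DNS, NTP lookups and connections it originates)
pass out on $ext_if inet from ($ext_if) keep state
# Samba from the LAN and from VPN clients; 135 (RPC endpoint mapper) is not
# needed for file sharing, 139/445 and the NetBIOS datagrams are
pass in on $ext_if inet proto tcp from $lan_net to ($ext_if) port { 139, 445 } flags S/SA keep state
pass in on $vpn_if inet proto tcp from $vpn_net to ($ext_if) port { 139, 445 } flags S/SA keep state
pass in on $ext_if inet proto udp from $lan_net to { ($ext_if), $ext_if:broadcast } port { 137, 138 } keep state

# ===== 4. /etc/rc.conf on the VPN host: it must forward between tun0 and vr0 =====
gateway_enable="YES"

# ===== 5. /usr/local/etc/openvpn/server.conf on the VPN host (routed mode) =====
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
# clients reach the LAN through the tunnel
push "route 192.168.0.0 255.255.255.0"
# resolver on the LAN; applied natively by Windows clients
push "dhcp-option DNS 192.168.0.254"
keepalive 10 120
persist-key
persist-tun
```

Check each ruleset with `pfctl -nf /etc/pf.conf` before loading it. To find where replies die, connect a client and ping a LAN host while running `tcpdump -ni tun0 icmp` on the VPN host: if echo requests show on tun0 and on vr0 but the replies only ever appear on the router's dc0, the return route (section 2) or the nat alternative is missing; if a reply reaches vr0 but never tun0, pf on the VPN host is dropping it, which `block log all` plus `tcpdump -ni pflog0` will show. Bridge (tap) mode has no separate VPN subnet, so the return-route problem does not arise there, but the rdr and pass rules for UDP 1194 stay the same.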
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users