OpenVPN - Problem with connections
Hi,

I've set up OpenVPN on our firewall running FreeBSD 7.0, but I'm having trouble with getting everything to work OK. My setup looks like this:

Internet --- (1.2.3.4) Firewall (192.168.0.33) --- Internal Network

Clients on the Internet can connect to the firewall without problems, and I can for example ssh to 192.168.0.33 after connecting with openvpn, but I can't reach anything else on my internal network. I have plenty of machines on the internal network but I can't reach any of them, not even with ping. Maybe a routing problem?

Firewall configuration:
Code:
dev tun
local 1.2.3.4
port 1194
proto udp
server 10.10.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh2048.pem
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.10"
push "dhcp-option DNS 192.168.0.25"
push "dhcp-option DOMAIN starwars.local"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group nobody
daemon

Code:
client
remote 1.2.3.4 1194
dev tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
verb 3

Code:
Network Destination  Netmask          Gateway       Interface     Metric
0.0.0.0              0.0.0.0          192.168.4.1   192.168.4.78  25
0.0.0.0              0.0.0.0          192.168.4.1   192.168.4.83  20
10.10.10.1           255.255.255.255  10.10.10.5    10.10.10.6    1
10.10.10.4           255.255.255.252  10.10.10.6    10.10.10.6    30
10.10.10.6           255.255.255.255  127.0.0.1     127.0.0.1     30
10.255.255.255       255.255.255.255  10.10.10.6    10.10.10.6    30
127.0.0.0            255.0.0.0        127.0.0.1     127.0.0.1     1
192.168.0.0          255.255.255.0    10.10.10.5    10.10.10.6    1
192.168.4.0          255.255.255.0    192.168.4.78  192.168.4.78  25
192.168.4.0          255.255.255.0    192.168.4.83  192.168.4.83  20
192.168.4.78         255.255.255.255  127.0.0.1     127.0.0.1     25
192.168.4.83         255.255.255.255  127.0.0.1     127.0.0.1     20
192.168.4.255        255.255.255.255  192.168.4.78  192.168.4.78  25
192.168.4.255        255.255.255.255  192.168.4.83  192.168.4.83  20
224.0.0.0            240.0.0.0        10.10.10.6    10.10.10.6    30
224.0.0.0            240.0.0.0        192.168.4.78  192.168.4.78  25
224.0.0.0            240.0.0.0        192.168.4.83  192.168.4.83  20
255.255.255.255      255.255.255.255  10.10.10.6    10.10.10.6    1
255.255.255.255      255.255.255.255  192.168.4.78  192.168.4.78  1
255.255.255.255      255.255.255.255  192.168.4.83  192.168.4.83  1
Gateway: 192.168.4.1

Code:
Mon May 05 13:02:22 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Mon May 05 13:02:22 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon May 05 13:02:22 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon May 05 13:02:22 2008 LZO compression initialized
Mon May 05 13:02:22 2008 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon May 05 13:02:22 2008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon May 05 13:02:22 2008 Local Options hash (VER=V4): '41690919'
Mon May 05 13:02:22 2008 Expected Remote Options hash (VER=V4): '530fdded'
Mon May 05 13:02:22 2008 UDPv4 link local (bound): [undef]:1194
Mon May 05 13:02:22 2008 UDPv4 link remote: 1.2.3.4:1194
Mon May 05 13:02:22 2008 TLS: Initial packet from 1.2.3.4:1194, sid=4ae4907e 12cd6dc6
Mon May 05 13:02:24 2008 VERIFY OK: depth=1, <HIDDEN>
Mon May 05 13:02:24 2008 VERIFY OK: depth=0, <HIDDEN>
Mon May 05 13:02:25 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon May 05 13:02:25 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 05 13:02:25 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon May 05 13:02:25 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon May 05 13:02:25 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon May 05 13:02:25 2008 [SERVER] Peer Connection Initiated with 1.2.3.4:1194
Mon May 05 13:02:27 2008 SENT CONTROL [SERVER]: 'PUSH_REQUEST' (status=1)
Mon May 05 13:02:27 2008 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.10,dhcp-option DNS 192.168.0.25,dhcp-option DOMAIN starwars.local,route 10.10.10.1,ping 10,ping-restart 60,ifconfig 10.10.10.6 10.10.10.5'
Mon May 05 13:02:27 2008 OPTIONS IMPORT: timers and/or timeouts modified
Mon May 05 13:02:27 2008 OPTIONS IMPORT: --ifconfig/up options modified
Mon May 05 13:02:27 2008 OPTIONS IMPORT: route options modified
Mon May 05 13:02:27 2008 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon May 05 13:02:27 2008 TAP-WIN32 device [Anslutning till lokalt nätverk 8] opened: \\.\Global\{3C96F03B-BB81-451A-8090-FF62E86FB252}.tap
Mon May 05 13:02:27 2008 TAP-Win32 Driver Version 8.4
Mon May 05 13:02:27 2008 TAP-Win32 MTU=1500
Mon May 05 13:02:27 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.10.10.6/255.255.255.252 on interface {3C96F03B-BB81-451A-8090-FF62E86FB252} [DHCP-serv: 10.10.10.5, lease-time: 31536000]
Mon May 05 13:02:27 2008 Successful ARP Flush on interface [4] {3C96F03B-BB81-451A-8090-FF62E86FB252}
Mon May 05 13:02:27 2008 TEST ROUTES: 0/0 succeeded len=2 ret=0 a=0 u/d=down
Mon May 05 13:02:27 2008 Route: Waiting for TUN/TAP interface to come up...
Mon May 05 13:02:28 2008 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Mon May 05 13:02:28 2008 route ADD 192.168.0.0 MASK 255.255.255.0 10.10.10.5
Mon May 05 13:02:28 2008 Route addition via IPAPI succeeded
Mon May 05 13:02:28 2008 route ADD 10.10.10.1 MASK 255.255.255.255 10.10.10.5
Mon May 05 13:02:28 2008 Route addition via IPAPI succeeded
Mon May 05 13:02:28 2008 Initialization Sequence Completed
Code:
net.inet.ip.forwarding: 1
net.inet.ip.redirect: 1

Stupid Q: I presume you've set the box to forward packets from other machines through it?

Also - I can't tell you any more why I did this in my server.ovpn (note the last line):

Code:
push "route 10.8.8.0 255.255.255.0"     #route to company network
push "dhcp-option DOMAIN xxx.yyy.zzz"   #push the DNS domain suffix
push "dhcp-option DNS 10.8.8.1"         #push DNS entries to client
push "dhcp-option WINS 10.8.8.1"        #push DNS entries to client
push "route 10.8.7.1"                   # add route to protected network
10.8.7.1 being the tun0 address:

Code:
lowe:/service/openvpn-client-lion/root 20:40$ ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 10.8.7.1 -> 10.8.7.2 netmask 0xffffffff
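The two things the thread checks, the pushed route in the first post's `route print` table and the `net.inet.ip.forwarding` sysctl from the reply, can be worked through as a small hop-by-hop routing model. The example below is added here for illustration; it is not code from the thread, from FreeBSD or from OpenVPN. It keeps every address from the posts and assumes the rest: an internal host 192.168.0.50, a separate LAN router 192.168.0.1 whose upstream hop 203.0.113.1 is a placeholder, and that the firewall answers for 10.10.10.5, the server end of the client's /30 (OpenVPN 2.0 tun addressing). The function names (`parse_windows_routes`, `forwarding_enabled`, `lookup`, `trace`, `build`) are this example's own.

```python
"""Added example: a hop-by-hop routing model of the setup in this thread.
Not code from the thread or from OpenVPN. It checks what the posts discuss:
that the pushed route puts 192.168.0.0/24 behind the tunnel on the client,
that the FreeBSD box forwards (net.inet.ip.forwarding), and whether a reply
from an internal host finds its way back to 10.10.10.6."""
import ipaddress
from dataclasses import dataclass, field

IP, NET = ipaddress.ip_address, ipaddress.ip_network


@dataclass
class Node:
    addrs: set                                   # addresses the host answers for
    routes: list = field(default_factory=list)   # (network, next hop or None if on-link, metric)
    forwarding: bool = False                     # FreeBSD net.inet.ip.forwarding


# Rows copied from the Windows `route print` in the first post (the ones that matter).
CLIENT_ROUTE_TABLE = """
0.0.0.0 0.0.0.0 192.168.4.1 192.168.4.78 25
10.10.10.1 255.255.255.255 10.10.10.5 10.10.10.6 1
10.10.10.4 255.255.255.252 10.10.10.6 10.10.10.6 30
192.168.0.0 255.255.255.0 10.10.10.5 10.10.10.6 1
192.168.4.0 255.255.255.0 192.168.4.78 192.168.4.78 25
"""


def parse_windows_routes(text):
    """'destination netmask gateway interface metric' rows; gateway == interface means on-link."""
    routes = []
    for line in text.strip().splitlines():
        dst, mask, gw, iface, metric = line.split()
        routes.append((NET(f"{dst}/{mask}", strict=False), None if gw == iface else IP(gw), int(metric)))
    return routes


def forwarding_enabled(sysctl_output):
    """True if `sysctl net.inet.ip.forwarding` output reports 1."""
    for line in sysctl_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "net.inet.ip.forwarding":
            return value.strip() == "1"
    return False


def lookup(routes, dst):
    """Longest-prefix match; the lowest metric breaks ties."""
    matches = [r for r in routes if dst in r[0]]
    return min(matches, key=lambda r: (-r[0].prefixlen, r[2])) if matches else None


def owner_of(nodes, addr):
    return next((name for name, n in nodes.items() if addr in n.addrs), None)


def trace(nodes, src, dst, max_hops=8):
    """Follow a packet from node `src` toward `dst`; returns (hops, outcome)."""
    dst, cur, hops = IP(dst), src, [src]
    for _ in range(max_hops):
        node = nodes[cur]
        if dst in node.addrs:
            return hops, "delivered"
        if cur != src and not node.forwarding:     # a transit box must forward
            return hops, f"dropped: {cur} has net.inet.ip.forwarding=0"
        route = lookup(node.routes, dst)
        if route is None:
            return hops, f"dropped: {cur} has no route to {dst}"
        nexthop = dst if route[1] is None else route[1]
        cur = owner_of(nodes, nexthop)
        if cur is None:
            return hops, f"lost: {hops[-1]} sends it to {nexthop}, outside the VPN and LAN"
        hops.append(cur)
    return hops, "dropped: hop limit exceeded"


def build(sysctl_output, lan_gateway="192.168.0.33", router_vpn_route=False):
    """Assumed, not in the thread: internal host 192.168.0.50, a separate LAN
    router 192.168.0.1 with placeholder upstream 203.0.113.1, and the firewall
    answering for 10.10.10.5 (the server end of the client's /30)."""
    router = [(NET("192.168.0.0/24"), None, 0), (NET("0.0.0.0/0"), IP("203.0.113.1"), 0)]
    if router_vpn_route:
        router.append((NET("10.10.10.0/24"), IP("192.168.0.33"), 0))
    return {
        "client": Node({IP("10.10.10.6"), IP("192.168.4.78")}, parse_windows_routes(CLIENT_ROUTE_TABLE)),
        "firewall": Node({IP("1.2.3.4"), IP("192.168.0.33"), IP("10.10.10.1"), IP("10.10.10.5")},
                         [(NET("10.10.10.0/24"), None, 0), (NET("192.168.0.0/24"), None, 0)],
                         forwarding_enabled(sysctl_output)),
        "lanhost": Node({IP("192.168.0.50")},
                        [(NET("192.168.0.0/24"), None, 0), (NET("0.0.0.0/0"), IP(lan_gateway), 0)]),
        "lanrouter": Node({IP("192.168.0.1")}, router, forwarding=True),
    }


if __name__ == "__main__":
    scenarios = [("forwarding off", build("net.inet.ip.forwarding: 0")),
                 ("forwarding on, firewall is the LAN gateway", build("net.inet.ip.forwarding: 1")),
                 ("forwarding on, another router is the LAN gateway", build("net.inet.ip.forwarding: 1", "192.168.0.1")),
                 ("... and it routes 10.10.10.0/24 via the firewall", build("net.inet.ip.forwarding: 1", "192.168.0.1", True))]
    for label, nodes in scenarios:
        print(label)
        print("  ping out:", trace(nodes, "client", "192.168.0.50"))
        print("  reply   :", trace(nodes, "lanhost", "10.10.10.6"))
```

Running it shows the client side of the thread is already fine: the pushed route sends 192.168.0.0/24 to 10.10.10.5, so the request reaches the firewall. What decides the outcome is the firewall's forwarding sysctl and the return path: an internal host whose default gateway is not the firewall hands the reply to a router that, without a route for 10.10.10.0/24, pushes it toward the Internet. That is why being able to ssh to 192.168.0.33 proves nothing about the rest of the LAN; the firewall answers for its own address without forwarding anything. The client log in the first post also prints "WARNING: No server certificate verification method has been enabled"; on OpenVPN 2.0.x the client-side fix is `ns-cert-type server` (on 2.1 and later, `remote-cert-tls server`), so the client refuses any peer that does not present a server certificate.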