Date: Tue, 26 Apr 2011 09:07:28 -0500
From: Diego Arias <dak.col@gmail.com>
To: Ryan Coleman <ryan.coleman@cwis.biz>
Cc: Nathan Vidican <nathan@vidican.com>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: OpenVPN routing
Message-ID: <BANLkTimLZ1BeF3c8Nmoe1OEYccitK2p1_g@mail.gmail.com>
In-Reply-To: <6ABDD9A5-E75D-4998-8D49-C89B280F32D4@cwis.biz>
References: <6073BC9F-553D-41E2-AE42-341B61850EA7@cwis.biz> <BANLkTikvQRGiFS+vRu4_tk3aOsFt7zubwA@mail.gmail.com> <6ABDD9A5-E75D-4998-8D49-C89B280F32D4@cwis.biz>
On Tue, Apr 26, 2011 at 8:45 AM, Ryan Coleman <ryan.coleman@cwis.biz> wrote:
>
> On Apr 26, 2011, at 8:32 AM, Nathan Vidican wrote:
>
> > On Mon, Apr 25, 2011 at 10:36 PM, Ryan Coleman <ryan.coleman@cwis.biz> wrote:
> >>
> >> I've got an OpenVPN connection working to my remote server, but I want
> >> to route the traffic to the local LAN.
> >>
> >> I have a bridge set up, pingable... but can't ping the em1
> >> (192.168.46.2) from the remote machine.
> >>
> >> Server.conf:
> >> local 192.168.46.2
> >> port 1194
> >> proto udp
> >> dev tap
> >> ca keys/cacert.pem
> >> cert keys/server.crt
> >> key keys/server.key # This file should be kept secret
> >> dh keys/dh1024.pem
> >> # Don't put this in the keys directory unless user nobody can read it
> >> crl-verify keys/crl.pem
> >> #Make sure this is your tunnel address pool
> >> server 192.168.47.0 255.255.255.0
> >> ifconfig-pool-persist ipp.txt
> >> #This is the route to push to the client, add more if necessary
> >> #push "route 192.168.46.254 255.255.255.0"
> >> push "route 192.168.47.0 255.255.255.0"
> >> push "dhcp-option DNS 192.168.45.10"
> >> keepalive 10 120
> >> cipher BF-CBC #Blowfish encryption
> >> comp-lzo
> >> #fragment
> >> user nobody
> >> group nobody
> >> persist-key
> >> persist-tun
> >> status openvpn-status.log
> >> verb 6
> >> mute 5
> >>
> >>
> >> client.conf:
> >> #Begin client.conf
> >> client
> >> dev tap
> >> proto udp
> >> remote sub.domain.ltd 1194
> >> nobind
> >> user nobody
> >> group nobody
> >> persist-key
> >> persist-tun
> >> #crl-verify
> >> #remote-cert-tls server
> >> ca keys/cacert.pem
> >> cert keys/ryanc.crt
> >> key keys/ryanc.key
> >> cipher BF-CBC
> >> comp-lzo
> >> verb 3
> >> mute 20
> >>
> >> Any ideas? As I said, I can talk to the remote server, but not the
> >> local LAN.
> >>
> >> To throw a new curveball in the mix, I'd like to talk to
> >> 192.168.45.0/24 - which we have another VPN connecting the two networks
> >> (not running on a VPN I can do much with).
> >
> > Do you have packet forwarding (routing /gateway) enabled? An
> > all-important, yet sometimes forgotten step...
> > check if:
> >
> > sysctl net.inet.ip.forwarding
> >
> > returns 1 for enabled or not. You can enable it right away by setting
> > to 1, and/or view the instructions in the handbook for greater detail
> > including how to set as a startup option as well:
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html
>
> Yes, it is enabled.
>
> And Maciej, I had server-bridge running before and it wasn't routing ICMP,
> nor anything else.
>
> I have ipnat enabled - as was recommended by one guide - and am routing
> everything from 192.168.47.0/24 to 0.0.0.0/32 (I'm not well versed on this
> specific area but that seems like it should be 0/0, right?)
>
> Relevant rc.conf:
> defaultrouter="192.168.46.254"
> hostname="nbserver1.allstatecom.local"
> ifconfig_em0="inet 192.168.46.2 netmask 255.255.255.0"
> openvpn_enable="YES"
> openvpn_configfile="/usr/local/etc/openvpn/server.conf"
> gateway_enable="YES"
> ipnat_enable="YES"
>
> Thanks again,
> Ryan
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

If you need to route LAN - TO - LAN just enable the client-to-client. It's a Security Feature of OpenVPN
http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing

--
Still Going Strong!!!
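The following is an added worked example, not code from this thread or from OpenVPN: a small POSIX sh lint for the server.conf quoted above. It encodes the points a practitioner would check on this configuration. `dev tap` combined with `server` is OpenVPN's routed mode, not a bridge: a client is given an address from the 192.168.47.0/24 pool and the LAN is not on-link for it, so it needs a pushed route to the LAN and the LAN needs a return path (a route for 192.168.47.0/24 via 192.168.46.2 on the LAN gateway, or NAT on the server; in an ipnat `map` rule, `0/32` means the interface's own address, so that part of the quoted rule is the standard form). A pushed route must name the network address, which is why `192.168.46.254 255.255.255.0` is flagged. `client-to-client` only governs traffic between VPN clients and does not by itself make a LAN reachable. BF-CBC is a 64-bit block cipher and is reported. The sample config is constructed from the post, and the LAN 192.168.46.0/24 is an assumption taken from em0's address and netmask in the quoted rc.conf.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN: lint a server.conf
# for the routed-vs-bridged pitfalls discussed above. Plain POSIX sh.
set -f   # no pathname expansion while splitting config lines into words

# net_addr ADDR MASK: print the network address of ADDR under MASK.
net_addr() {
    set -- $(printf '%s %s' "$1" "$2" | tr '.' ' ')
    printf '%d.%d.%d.%d\n' "$(($1 & $5))" "$(($2 & $6))" "$(($3 & $7))" "$(($4 & $8))"
}

# lint_config LAN_NET LAN_MASK < server.conf
# Prints one WARN/INFO line per finding. LAN_NET/LAN_MASK is the LAN the
# clients are supposed to reach (an input to the lint; a server.conf does
# not state it).
lint_config() {
    lan_net=$(net_addr "$1" "$2") lan_mask=$2
    dev='' mode='' c2c=0 lan_pushed=0 cipher=''
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        set -- $(printf '%s' "$line" | tr -d '"')     # drop quotes, split into words
        if [ $# -eq 0 ]; then continue; fi
        case $1 in
            dev)              dev=$2 ;;
            server)           mode=routed ;;          # clients get their own subnet
            server-bridge)    mode=bridged ;;         # clients join the LAN segment
            client-to-client) c2c=1 ;;
            cipher)           cipher=$2 ;;
            push)
                if [ "$2" = route ] && [ $# -ge 4 ]; then
                    net=$(net_addr "$3" "$4")
                    if [ "$net" != "$3" ]; then
                        echo "WARN: push route $3 $4 is not a network address (network is $net)"
                    fi
                    if [ "$net" = "$lan_net" ]; then lan_pushed=1; fi
                fi ;;
        esac
    done
    if [ "$dev" = tap ] && [ "$mode" = routed ]; then
        echo "WARN: dev tap with 'server' is routed mode, not a bridge: the LAN is not on-link for clients"
    fi
    if [ "$mode" = routed ] && [ "$lan_pushed" -eq 0 ]; then
        echo "WARN: no pushed route covers $lan_net $lan_mask; clients get no route to the LAN"
    fi
    if [ "$c2c" -eq 0 ]; then
        echo "INFO: client-to-client is off; it only affects traffic between VPN clients, not LAN reachability"
    fi
    case $cipher in
        BF-CBC|DES-*|CAST5-*) echo "WARN: $cipher is a 64-bit block cipher; use AES-256-GCM" ;;
    esac
    return 0
}

# Constructed sample input: the routing-relevant lines of the server.conf
# posted above (key/cert/logging lines omitted; they do not affect routing).
sample_conf() {
    cat <<'EOF'
local 192.168.46.2
port 1194
proto udp
dev tap
server 192.168.47.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "route 192.168.46.254 255.255.255.0"
push "route 192.168.47.0 255.255.255.0"
push "dhcp-option DNS 192.168.45.10"
keepalive 10 120
cipher BF-CBC #Blowfish encryption
comp-lzo
user nobody
group nobody
persist-key
persist-tun
EOF
}

# Run the lint against the posted config; LAN assumed from em0 in the quoted rc.conf.
sample_conf | lint_config 192.168.46.0 255.255.255.0
```

Two ways out of the findings, both assumptions about how one would fix the posted setup rather than anything the thread confirms worked: stay routed and push `route 192.168.46.0 255.255.255.0` while giving the LAN a return path (a static route for 192.168.47.0/24 via 192.168.46.2 on 192.168.46.254, or keep the ipnat map), or switch to a real bridge with `dev tap0`, `server-bridge` with a pool inside 192.168.46.0/24 in place of `server`, and in rc.conf `cloned_interfaces="bridge0 tap0"` plus `ifconfig_bridge0="addm em0 addm tap0 up"`. The bridge removes the routing and NAT questions but extends the LAN's broadcast domain to every VPN client, which is the trade-off to weigh before choosing it.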