From owner-freebsd-questions@FreeBSD.ORG Mon Mar 11 21:06:46 2013
From: "lokadamus@gmx.de"
To: Michael Sierchio
Cc: Brent Clark, freebsd-questions@freebsd.org
Date: Mon, 11 Mar 2013 22:06:48 +0100
Subject: Re: OpenVPN vm cant connect to other VM's
Message-ID: <513E4768.7020309@gmx.de>
References: <51371C8A.8050205@gmail.com>
User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:15.0) Gecko/20120909 Thunderbird/15.0
List-Id: User questions

On 11.03.2013 20:13, Michael Sierchio wrote:
> Are you pushing routes in your server.conf file?
>
> (hint - show, don't tell)
>
> - M
>
> On Wed, Mar 6, 2013 at 2:38 AM, Brent Clark wrote:
>> Hi guys
>>
>> I'm struggling with a FreeBSD VM that I have, which I use for a VPN connection
>> too, from my workstation to my home LAN. And I was wondering if someone
>> could peer review me and my problem.
>>
>> OpenVPN is working beautifully, i.e. I can connect to some services (apache
>> etc.) that I run directly on my FreeBSD / OpenVPN VM.
>>
>> What I'm now trying to achieve is that I can connect to other VMs / machines
>> on my home LAN.
>>
>> I'm using tun for my VPN, and my pf.conf looks like so (please see the nat on
>> ...)
>>
>> [root@freebsd /usr/home/bclark]# cat /etc/pf.conf
>> ext_if="re0"
>> vpn_if="tun0"
>> int_net="10.0.0.0/24"
>> vpn_net="192.168.200.0/24"
>> set skip on lo0
>> set optimization normal
>> #set block-policy drop
>> set limit { states 20000, frags 10000, src-nodes 20000 }
>> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
>> scrub in all
>> # Translation: specify how addresses are to be mapped or redirected.
>> # NAT rules
>> # enabling NAT currently breaks policy based routing
>> #nat on $ext_if from { $int_net, $vpn_net } to any -> ($ext_if)
>> #nat on tun0 from { 192.168.200.0/24 } to any -> (re0)
>> nat on re0 from { 192.168.200.0/24 } to any -> (re0)
>>
>> table persist
>> block in quick on re0 proto tcp from to any port ssh label "ssh brute"
>>
>> What am I missing?
>>
>> If anyone could assist, it would be appreciated.
>>
>> Kind Regards
>> Brent Clark
>>
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

For your own network, yes. You must route all your traffic that is meant for your other LAN/subnet. Every VPN connection must be correctly routed, regardless of which VPN is used. Otherwise all that traffic will go loose through the internet.

I connect some subnets with OpenVPN, and every subnet must be configured with "ccd" (it's a subfolder containing a file named after the certificate name, whose content is "iroute subnet", to tell OpenVPN that when client xyz is connected, that subnet is behind it) and in server.conf. Otherwise these subnets won't be routed correctly. You can also add this route manually through its OpenVPN gateway.

Show:

server.conf: look for "client-config-dir /usr/local/.../ccd" in server.conf and insert your subnet:
route 192.168.x.x 255.255.255.0

Create a file with the certificate name under "/usr/local/etc/openvpn/config/"your connect-name"/ccd/ and insert:
iroute 192.168.x.x 255.255.255.0

Look in /var/log/openvpn.log for the right certificate name. Every time this certificate/client is connected, the subnet's traffic will be routed through it. Don't forget to restart openvpn. ;)

*Sorry, my English is not so good*

Regards
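As an added example (not Brent's or the replier's own files), this is what the two routing pieces discussed in the thread look like side by side for the addresses Brent posted: the home LAN 10.0.0.0/24 pushed to clients, and a subnet behind one particular client routed via a ccd file. The file paths, the client-side subnet 192.168.50.0/24 and the rc.conf forwarding line are assumptions not taken from the thread.

```conf
# /usr/local/etc/openvpn/server.conf   (assumed path)
dev tun
# VPN address pool as in the thread: clients get 192.168.200.x
server 192.168.200.0 255.255.255.0

# Case 1 (Brent's question): clients must reach the LAN behind the server.
# Without this push the client has no route for 10.0.0.0/24, so that traffic
# leaves through its normal default gateway instead of the tunnel.
push "route 10.0.0.0 255.255.255.0"

# Case 2 (the reply): a subnet that sits behind one client.
# The kernel route sends 192.168.50.0/24 into tun0; the matching iroute in the
# client's ccd file tells OpenVPN which client owns it. Both lines are needed,
# otherwise the subnet is not routed at all.
client-config-dir /usr/local/etc/openvpn/ccd
route 192.168.50.0 255.255.255.0

# /usr/local/etc/openvpn/ccd/<client certificate CN>   (one file per client;
# the file name must equal the CN logged in /var/log/openvpn.log at connect)
iroute 192.168.50.0 255.255.255.0

# /etc/rc.conf on the FreeBSD VM (not mentioned in the thread): pushing a
# route is useless if the VM does not forward packets between tun0 and re0.
gateway_enable="YES"

# /etc/pf.conf: Brent's existing NAT line, kept as posted
nat on re0 from { 192.168.200.0/24 } to any -> (re0)
```

With that NAT rule the LAN hosts see the VM's re0 address as the source, so they need no return route for 192.168.200.0/24; if the NAT is dropped later, every host on 10.0.0.0/24 (or its router) needs a route back to 192.168.200.0/24 via the VM.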