From owner-freebsd-questions@FreeBSD.ORG Mon May 28 01:57:33 2007
Date: Mon, 28 May 2007 09:51:54 +0800
From: Pei Pjf
To: Benjamin Lutz
Cc: freebsd-questions@freebsd.org
Subject: Re: openvpn on freebsd problem
Message-ID: <20070528015154.GA1195@pjfs.renzhichu.cc>
References: <20070526143955.GA1122@pjf2.fbsd.home> <200705271837.36028.mail@maxlor.com>
In-Reply-To: <200705271837.36028.mail@maxlor.com>

On Sun, May 27, 2007 at 06:37:35PM +0200, Benjamin Lutz wrote:
> On Saturday 26 May 2007 16:39, User Pjf wrote:
> > I installed openvpn from ports. Following the openvpn.net howto, the VPN can
> > connect from client to server, but on the client side I can't ping
> > the other machines on the server side.
> >
> > On my server side, the VPN server and the gateway are the same box. I
> > use dev tun; the server has a public static IP address, with nat and
> > ipfw installed so the internal net can reach the Internet.
> >
> > Referring to the howto:
> > "Make sure that you've enabled IP and TUN/TAP forwarding on
> > the OpenVPN server machine."
> >
> > I know IP forwarding works fine, but how do I enable TUN forwarding?
>
> You enable IP forwarding with the net.inet.ip.forwarding and
> net.inet6.ip6.forwarding sysctls. However, if your gateway already
> works for the internal net, I strongly suspect those sysctls are
> already set to 1.
>
> I'd have a look at your firewall ruleset.

I haven't set up any firewall ruleset. I just use the FreeBSD default ruleset.
This is my /etc/rc.conf:

# -- sysinstall generated deltas -- # Fri Oct 20 17:47:04 2006
# Created: Fri Oct 20 17:47:04 2006
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
check_quotas="NO"
defaultrouter="219.137.13.1"
#defaultrouter="192.168.14.254"
hostname="pjfs.renzhichu.cc"
ifconfig_em1="inet 219.137.13.77 netmask 255.255.255.0"
ifconfig_rl0="inet 192.168.14.253 netmask 255.255.255.0"
keymap="us.iso"
sshd_enable="YES"
usbd_enable="NO"
named_enable="YES"
inetd_enable="YES"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="em1"
natd_flags=""
openvpn_enable="YES"

> It seems most likely to me
> that the reason for your VPN not working lies there. I suggest that you
> enable logging for any "deny" rules you have in your ruleset and see
> whether any packets associated with the VPN connection are dropped.

OK. I added these two lines to /etc/sysctl.conf:

net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5

I will test it this afternoon.

> Cheers
> Benjamin

Thank you very much.

Pei
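Once net.inet.ip.fw.verbose=1 is set, ipfw writes one "Deny" line per dropped packet to the kernel log (rate-limited by verbose_limit), and the useful question is which of those lines touch the tunnel interface. The following POSIX sh script is an added example, not part of the thread or of FreeBSD; it filters constructed ipfw log lines for Deny entries on a given interface, assuming the usual "ipfw: <rule> Deny <proto> <src> <dst> <in|out> via <iface>" format and a tun0 interface name.

```shell
#!/bin/sh
# Added example (not from the thread): summarise ipfw "Deny" log lines that
# crossed the VPN tunnel interface, so a dropped VPN packet is easy to spot
# after net.inet.ip.fw.verbose=1 has been enabled.

# Constructed sample of /var/log/security; real lines are written by the
# kernel once ipfw logging is on.  The interface name tun0 is assumed.
SAMPLE_LOG='May 28 14:02:11 pjfs kernel: ipfw: 65000 Deny ICMP:8.0 10.8.0.6 192.168.14.10 in via tun0
May 28 14:02:12 pjfs kernel: ipfw: 65000 Deny UDP 192.168.14.10:137 192.168.14.255:137 in via rl0
May 28 14:02:13 pjfs kernel: ipfw: 65000 Deny ICMP:8.0 10.8.0.6 192.168.14.10 out via rl0
May 28 14:02:14 pjfs kernel: ipfw: 100 Accept UDP 1.2.3.4:40000 219.137.13.77:1194 in via em1'

# vpn_denies <iface>: read log lines on stdin and print
# "<rule> <proto> <src> <dst> <dir> <iface>" for every Deny on <iface>.
vpn_denies() {
    awk -v ifc="$1" '
        /ipfw: [0-9]+ Deny/ {
            # Locate the "ipfw:" token; the fields that follow it are
            # rule, action, proto, src, dst, direction, "via", interface.
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i+1); proto = $(i+3); src = $(i+4); dst = $(i+5)
            dir = $(i+6); via = $(i+8)
            if (via == ifc) print rule, proto, src, dst, dir, via
        }'
}

# count_vpn_denies <iface>: number of Deny lines on <iface> (stdin).
count_vpn_denies() {
    vpn_denies "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: lists the tun0 drops and
# then the drops that left through the LAN side (a 10.8.0.x source being
# denied on rl0 points at a missing route or ruleset entry, not at OpenVPN).
printf '%s\n' "$SAMPLE_LOG" | vpn_denies tun0
printf '%s\n' "$SAMPLE_LOG" | vpn_denies rl0
```

On the real box, feed the script `grep 'ipfw:' /var/log/security` instead of the sample and compare the tun0 and rl0 counts against the pings the client sends.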