Thanks Lonnie and yes I will be using the new option. I realised afterwards that I already had fixed this problem in the new release but had just forgotten about it. It's basic routing and I am kicking myself. Old age ☹

Regards
Michael Knill

On 13/3/19, 12:25 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

Yes, if 172.30.253.0/24 was the OpenVPN subnet on the remote WG peer, what you did would have made sense, assuming your OpenVPN subnets across peers are unique.

Think of the WireGuard "AllowedIPs" setting as AllowedIPs_into_this_peer. The corresponding figurative "AllowedIPs_out_of_this_peer" is limited by either control of the "AllowedIPs" of the remote peer and/or local firewall rules.

Also note that by default, OpenVPN and WireGuard are isolated from each other. In AstLinux 1.3.5.2 there is a new Firewall sub-tab option (unchecked by default):

_x_ Allow WireGuard VPN tunnel to the OpenVPN tunnel(s)

Before AstLinux 1.3.5.2 an AIF custom rule would be needed to do the same.

Lonnie

> On Mar 11, 2019, at 11:57 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Damn it I found the problem.
> When using OpenVPN and Wireguard, I added this to the Wireguard config:
> AllowedIPs = 172.29.253.1/32, 172.30.253.0/24 (wg peer,openvpn subnet)
> This was done to allow OpenVPN to Wireguard connectivity however it ended up putting a route into the routing table for the openvpn subnet pointing to nowhere effectively black holing it.
>
> A trap for young players obviously.
> Thanks all.
>
> Regards
> Michael Knill
>
> From: Michael Knill <michael.kn...@ipcsolutions.com.au>
> Reply-To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Date: Tuesday, 12 March 2019 at 3:24 pm
> To: AstLinux List <astlinux-users@lists.sourceforge.net>
> Subject: [Astlinux-users] HELP URGENT OpenVPN problem
>
> After the weekend I upgraded my Astlinux system with my new release of config files but the Astlinux version remained the same as 1.3.2.
> Now all the Yealink phones connecting with OpenVPN connect fine as shown on the Status Tab but I cannot ping them.
> When I make a connection via my laptop via OpenVPN I also can't ping the server.
> What would cause the OpenVPN to break on an Astlinux box? What tests should I do next?
> I have these exact files in other systems and it's fine.
>
> Details:
> ### gui.openvpn.conf - start ###
> ###
> ### Auth Method
> OVPN_USER_PASS_VERIFY="no"
> ### Device
> OVPN_DEV="tun0"
> ### Port Number
> OVPN_PORT="1194"
> ### Protocol
> OVPN_PROTOCOL="udp"
> ### Log Verbosity
> OVPN_VERBOSITY="1"
> ### Compression
> OVPN_LZO="yes"
> ### QoS Passthrough
> OVPN_QOS="yes"
> ### Cipher
> OVPN_CIPHER=""
> ### Auth HMAC
> OVPN_AUTH=""
> ### Allowed External Hosts
> OVPN_TUNNEL_HOSTS="0/0"
> ### Server Hostname
> OVPN_HOSTNAME="21010.ibcaccess.net"
> ### Server IPv4 Network
> OVPN_SERVER="172.30.253.0 255.255.255.0"
> ### Server IPv6 Network
> OVPN_SERVERV6=""
> ### Topology
> OVPN_TOPOLOGY="subnet"
> ### Server Push
> OVPN_PUSH="
> route 172.30.20.0 255.255.255.0
> "
> ### Raw Commands
> OVPN_OTHER="
> ifconfig-pool-linear
> "
> ### Private Key Size
> OVPN_CERT_KEYSIZE="2048"
> ### Signature Algorithm
> OVPN_CERT_ALGORITHM="sha256"
> ### CA File
> OVPN_CA="/mnt/kd/openvpn/webinterface/keys/ca.crt"
> ### CERT File
> OVPN_CERT="/mnt/kd/openvpn/webinterface/keys/server.crt"
> ### Key File
> OVPN_KEY="/mnt/kd/openvpn/webinterface/keys/server.key"
> ### DH File
> OVPN_DH="/mnt/kd/openvpn/webinterface/dh1024.pem"
> ### TLS-Auth File
> OVPN_TA=""
> ### gui.openvpn.conf - end ###
>
> Regards
> Michael Knill
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
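
Added example, not part of the original thread and not AstLinux code: a pre-deployment check that flags WireGuard `AllowedIPs` entries overlapping a subnet the box serves locally, which is the misconfiguration the thread reports as black-holing the OpenVPN subnet. The function names and the INI-style peer snippet are assumptions; the sample inputs are constructed from the values quoted above.

```python
import ipaddress
import re

# Constructed sample inputs built from the values quoted in the thread.
WG_PEER_CONF = "[Peer]\nAllowedIPs = 172.29.253.1/32, 172.30.253.0/24\n"
OVPN_CONF = 'OVPN_SERVER="172.30.253.0 255.255.255.0"\n'


def wg_allowed_ips(conf_text):
    """Collect every network listed on AllowedIPs lines (assumed INI-style syntax)."""
    nets = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = re.match(r"\s*AllowedIPs\s*=\s*(.+)", line, re.IGNORECASE)
        if not m:
            continue
        for item in m.group(1).split(","):
            if item.strip():
                nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets


def ovpn_server_net(conf_text):
    """Parse OVPN_SERVER="<network> <netmask>" from gui.openvpn.conf text."""
    m = re.search(r'^OVPN_SERVER="(\S+)\s+(\S+)"', conf_text, re.MULTILINE)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}") if m else None


def find_conflicts(wg_text, local_nets):
    """Return (allowed, name, local) for AllowedIPs entries overlapping a local subnet."""
    conflicts = []
    for allowed in wg_allowed_ips(wg_text):
        for name, local in local_nets.items():
            if (local is not None and allowed.version == local.version
                    and allowed.overlaps(local)):
                conflicts.append((str(allowed), name, str(local)))
    return conflicts


if __name__ == "__main__":
    local = {"openvpn": ovpn_server_net(OVPN_CONF)}
    for allowed, name, net in find_conflicts(WG_PEER_CONF, local):
        print(f"AllowedIPs {allowed} overlaps local {name} subnet {net}")
```

An overlap is only a problem when the subnet is served by this box; as Lonnie notes, listing the OpenVPN subnet of the remote peer is the legitimate case.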