I have openvpn running on 4 efw servers located in 4 cities for a customer. Three are 2.1.1, and one is 2.1.2. For OpenVPN gui, I use these settings on the client:

  client
  float
  dev tap
  proto udp
  port 1194
  remote <ip-address>
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  ca cityname.cer
  auth-user-pass
  pull
  comp-lzo

(no need for a path on the ca line)

On the servers, to properly build the routes that are pushed to the users, each remote server connects to the central office in a hub-spoke configuration. The remotes connect to the hub (central office) with the Net2Net client in routed mode. And the hub also connects to the remotes with the Net2Net client in routed mode. It's a two-way connection. And when you add users for the Net2Net clients (the servers), you need to click the configure networks button, and enter the remotes' lan ip address range. Of course, all remote networks have to use a different ip address range. I assume you know that about routing...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HansL
Sent: Saturday, August 18, 2007 4:14 AM
To: [email protected]
Subject: Re: [Efw-user] openvpn set up, mobile clients can only reach firewall's internal green NIC address, no other machines on LAN are reachable

I have tried two alternatives as a client:

1) RoadWarrior configuration: OpenVPN GUI 1.03 with the following configuration:

  client
  proto udp
  dev tap
  remote <ip-address>
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  ca c:\\openvpn\\cacert.pem
  auth-user-pass
  comp-lzo

2) Net2Net

Besides that, I've tried to create a Net2Net setup with another Endian 2.1.2 setup on another server. I've created a new vpn tunnel in the OpenVPN Net2Net client with the following settings:

  connect to: <ip address>
  username: hans
  password: <password>
  bridged: no
  routed: yes
  block DHCP: no

And after that I've uploaded the CA from the server.
To finalize: the configuration of the VPN Server (also Endian 2.1.2)

- Runs within a ESX 2.5.2 virtual machine (might be relevant)
- OpenVPN server enabled, IP address pool between 192.168.0.160 and 192.168.0.180
- Configured on 1194 UDP
- I created an account hans with a remote network 192.168.1.0 with netmask 255.255.255.0

The version of the efw-firewall RPM package on the Endian server is 2.1.1
The version of Endian itself is 2.1.2 as mentioned before.

The file rc.firewall reads the following:

  function iptables_accessall() {
      iptables -F ACCEPT_ALL
      iptables -F VPNTRAFFIC
  }

Hope this helps

compdoc wrote:
>
> I was wondering how the external client(s) connect - what software, or what the setup is?
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HansL
> Sent: Saturday, August 18, 2007 2:59 AM
> To: [email protected]
> Subject: Re: [Efw-user] openvpn set up, mobile clients can only reach firewall's internal green NIC address, no other machines on LAN are reachable
>
>
> I have exactly the same problem with the 2.1.2 version of Endian.
> The line in the rc.firewall has already been changed in this version, but still.
>
> I can reach my Endian box (both on the VPN IP address as on the GREEN IP address of the Endian box).
> All other IP's in the network cannot be reached.
>
> I have tried this both with a Net2Net configuration and with a RoadWarrior configuration. Same results.
>
> Any suggestions what to do?
>
>
> Igor Mikolic-Torreira wrote:
>>
>> I believe this is the OpenVPN routing bug. This has been discussed previously on this list (a search of the archives should find it). A solution also appears at
>>
>> http://alumnus.caltech.edu/~igormt/endian/bugs.html
>>
>> Igor
>>
>>
>> Ron E. wrote:
>>> Dear All,
>>>
>>> Hopefully someone has an idea about this. I manage several Endian firewall systems with openvpn configured and enabled.
>>> The one with this issue is running version 2.1.1 (the most recent version any of the various systems are running).
>>>
>>> Recently I configured openvpn on this particular system and while clients can connect successfully, only the firewall's green NIC is accessible, no other LAN machines are despite being reachable from inside the network normally.
>>>
>>> I have reproduced this problem on multiple systems connected to the Internet in multiple ways, with a public IP on the client side, via a NAT gateway, etc., etc.
>>>
>>> Looked through the openvpn logs and searched this mailing list but haven't found any clues.
>>>
>>> Would appreciate any input, thanks.
>>>
>>> -------------------------------------------------------------------------
>>> This SF.net email is sponsored by: Splunk Inc.
>>> Still grepping through log files to find problems? Stop.
>>> Now Search log events and configuration files using AJAX and a browser.
>>> Download your FREE copy of Splunk now >> http://get.splunk.com/
>>> _______________________________________________
>>> Efw-user mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/efw-user
>>>
>>
>
> --
> View this message in context: http://www.nabble.com/openvpn-set-up%2C-mobile-clients-can-only-reach-firewall%27s-internal-green-NIC-address%2C-no-other-machines-on-LAN-are-reachable-tf4276926.html#a12211768
> Sent from the efw-user mailing list archive at Nabble.com.
>

--
View this message in context: http://www.nabble.com/openvpn-set-up%2C-mobile-clients-can-only-reach-firewall%27s-internal-green-NIC-address%2C-no-other-machines-on-LAN-are-reachable-tf4276926.html#a12212240
Sent from the efw-user mailing list archive at Nabble.com.
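As an added example (not code from the thread, from Endian, or from OpenVPN), here is a small checker for the routed hub-and-spoke Net2Net layout compdoc describes: it flags remote LANs that overlap (the "different ip address range" requirement) and prints the plain-OpenVPN route, iroute and push lines the hub needs per spoke, which is assumed to be the equivalent of what the "configure networks" button fills in. Site names and LAN ranges are constructed sample values (HansL's 192.168.1.0/24 reused for one spoke).

```python
# Added example, not from the thread or from Endian: a plan checker for the
# routed hub-and-spoke Net2Net layout compdoc describes. Site names and LAN
# ranges are constructed sample values (HansL's 192.168.1.0/24 is reused).
from ipaddress import ip_network

SITES = {
    "hub":    "192.168.0.0/24",   # central office
    "city-a": "192.168.1.0/24",
    "city-b": "192.168.2.0/24",
    "city-c": "192.168.2.0/24",   # deliberate clash with city-b
}

def overlapping_sites(sites):
    """Pairs of sites whose LAN ranges overlap. Every site must use a
    different range: with a clash the hub cannot pick the right tunnel for
    a packet to that range, and return traffic breaks the same way."""
    nets = {name: ip_network(cidr) for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def hub_config(sites, hub="hub"):
    """Plain-OpenVPN equivalent of the routes the hub needs for each spoke
    (assumed to match what Endian's 'configure networks' generates):
    a server-side 'route' so the kernel sends the spoke's LAN into the tunnel,
    an 'iroute' in the spoke's client-config-dir file so OpenVPN knows which
    client owns that LAN, and 'push route' lines so each spoke learns the
    hub LAN and the other spokes' LANs (never its own)."""
    clashes = overlapping_sites(sites)
    if clashes:
        raise ValueError(f"overlapping LAN ranges: {clashes}")
    nets = {name: ip_network(cidr) for name, cidr in sites.items()}

    def nm(net):  # "network netmask" form used by OpenVPN route directives
        return f"{net.network_address} {net.netmask}"

    spokes = sorted(name for name in nets if name != hub)
    server = ["client-config-dir ccd"] + [f"route {nm(nets[s])}" for s in spokes]
    ccd = {}
    for s in spokes:
        lines = [f"iroute {nm(nets[s])}"]
        lines += [f'push "route {nm(nets[o])}"' for o in [hub] + spokes if o != s]
        ccd[s] = lines
    return server, ccd

if __name__ == "__main__":
    print("clashes:", overlapping_sites(SITES))
    good = {k: v for k, v in SITES.items() if k != "city-c"}
    server, ccd = hub_config(good)
    print("\n".join(server))
    for name, lines in ccd.items():
        print(f"--- ccd/{name}\n" + "\n".join(lines))
```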
