The dual connections are because they need to send print jobs to the remote
locations, as well as the remotes accessing the server at the main office. 

And as I said, doing it this way builds the proper routes. Any user at any
location can ping an ip address at any other location. 

It seems to me I've run into the problem you're having. I think I had to delete
the user I created for login. Making changes to an existing openvpn user, like
when you're testing, doesn't work. You have to delete and recreate them each
time.

And the ip address range I use for the remotes isn't in the same range used by
the lan's dhcp. For example, I hand out 192.168.1.20 thru 30 for OpenVPN
clients, and 192.168.1.50 thru 200 for the lan PCs. 
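An added example, not from any poster or from Endian, that checks the two addressing rules this reply relies on: the LAN ranges of all sites must be disjoint, and the OpenVPN client pool must not overlap the LAN's DHCP pool. It also lists the routes a hub would push so a site's users reach every other LAN. The site subnets and pool boundaries are constructed from the numbers quoted in the thread; the `push "route ..."` lines are standard OpenVPN server directives.

```python
"""Addressing sanity checks for a hub-and-spoke OpenVPN setup (added
example; the site list below is constructed from numbers in the thread)."""
import ipaddress
from itertools import combinations

# Constructed sample: one hub and two remote offices, each with its own LAN.
SITES = {
    "hub": "192.168.1.0/24",
    "remote1": "192.168.0.0/24",
    "remote2": "192.168.2.0/24",
}


def overlapping_sites(sites):
    """Return (name, name) pairs whose LAN subnets overlap.

    Overlapping LANs cannot be routed between each other, so a correct
    design returns an empty list."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return [(a, b) for a, b in combinations(nets, 2)
            if nets[a].overlaps(nets[b])]


def address_pool(first, last):
    """Expand an inclusive first/last range (as in the Endian pool fields)
    into a set of addresses."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return {ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)}


def pool_collisions(vpn_first, vpn_last, dhcp_first, dhcp_last):
    """Addresses that both the OpenVPN client pool and the LAN DHCP server
    could hand out. Any entry here means two hosts may end up with the
    same IP, so the result should be empty."""
    clash = address_pool(vpn_first, vpn_last) & address_pool(dhcp_first, dhcp_last)
    return [str(a) for a in sorted(clash)]


def push_routes(site, sites):
    """OpenVPN server-side 'push route' lines so that clients of `site`
    learn a route to every other site's LAN via the tunnel."""
    return [
        f'push "route {n.network_address} {n.netmask}"'
        for name, cidr in sites.items()
        if name != site
        for n in [ipaddress.ip_network(cidr)]
    ]
```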




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of HansL
Sent: Saturday, August 18, 2007 8:16 AM
To: [email protected]
Subject: Re: [Efw-user] openvpn set up, mobile clients can only reach firewall's
internal green NIC address, no other machines on LAN are reachable


I tried your config file as well, but same results.

Why do you make a 2-way connection? I try to use one machine as a VPN server
and the other one as a (net2net) client.

And yes, one (guest) network has 192.168.0.0/24 and the other (host) network
has 192.168.1.0/24. This has been defined in the Endian setup. I also
selected 'routed' as an option for the VPN tunnel.
The strange thing is: the connection comes up quickly and I can read
'established'. After that, I can ping my machine with the freshly retrieved
VPN IP address (192.168.0.160) and I can also ping to the internal IP
address of the VPN server (192.168.0.253). So the VPN connection is up and
running, I assume.
The only problem is that I can't reach the other servers, printers etc. in
the LAN. The other way around, I can reach the 192.168.0.253 machine from
every machine in that LAN, so there is no network problem in that sense.

The symptoms are exactly those of the OpenVPN bug as mentioned in Endian
2.1.1, but I'm using a newer version... I'm really puzzled...



compdoc wrote:
> 
> I have openvpn running on 4 efw servers located in 4 cities for a
> customer.
> Three are 2.1.1, and one is 2.1.2. For OpenVPN gui, I use these settings
> on the
> client:
> 
> client
> float
> dev tap
> proto udp
> port 1194
> remote <ip-address>
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca cityname.cer (no need for a path)
> auth-user-pass
> pull
> comp-lzo
> 
> 
> On the servers, to properly build the routes that are pushed to the users,
> each
> remote server connects to the central office in a hub-spoke configuration.
> The
> remotes connect to the hub (central office) with the Net2Net client in
> routed
> mode. And the hub also connects to the remotes with the Net2Net client in
> routed
> mode. It's a two-way connection.
> 
> And when you add users for the Net2Net clients (the servers), you need to
> click
> the configure networks button, and enter the remotes' lan ip address
> range.
> 
> Of course, all remote networks have to use a different ip address range. I
> assume you know that about routing...
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of HansL
> Sent: Saturday, August 18, 2007 4:14 AM
> To: [email protected]
> Subject: Re: [Efw-user] openvpn set up, mobile clients can only reach
> firewall's
> internal green NIC address, no other machines on LAN are reachable
> 
> 
> I have tried two alternatives as a client:
> 
> 1) RoadWarrior configuration:
> OpenVPN GUI 1.03 with the following configuration:
> 
> client
> proto udp
> dev tap
> remote <ip-address>
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca c:\\openvpn\\cacert.pem
> auth-user-pass
> comp-lzo
> 
> 2) Net2Net
> Besides that, I've tried to create a Net2Net setup with another Endian
> 2.1.2
> setup on another server.
> I've created a new vpn tunnel in the OpenVPN Net2Net client with the
> following settings:
> 
> connect to: <ip address>
> username: hans
> password: <password>
> bridged: no
> routed: yes
> block DHCP: no
> 
> And after that I've uploaded the CA from the server.
> 
> To finalize: the configuration of the VPN Server (also Endian 2.1.2)
> - Runs within an ESX 2.5.2 virtual machine (might be relevant)
> - OpenVPN server enabled, IP address pool between 192.168.0.160 and
> 192.168.0.180
> - Configured on 1194 UDP
> - I created an account hans with a remote network 192.168.1.0 with netmask
> 255.255.255.0
> 
> The version of the efw-firewall RPM package on the Endian server is 2.1.1
> The version of Endian itself is 2.1.2 as mentioned before.
> 
> The file rc.firewall reads the following:
> 
> function iptables_accessall() {
>     iptables -F ACCEPT_ALL
>     iptables -F VPNTRAFFIC
> 
> Hope this helps
> 
> 
> 
> compdoc wrote:
>> 
>> I was wondering how the external client(s) connect - what software, or
>> what the
>> setup is?
>> 
>> 
>> 
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of HansL
>> Sent: Saturday, August 18, 2007 2:59 AM
>> To: [email protected]
>> Subject: Re: [Efw-user] openvpn set up, mobile clients can only reach
>> firewall's
>> internal green NIC address, no other machines on LAN are reachable
>> 
>> 
>> I have exactly the same problem with the 2.1.2 version of Endian.
>> The line in the rc.firewall has already been changed in this version, but
>> still.
>> 
>> I can reach my Endian box (both on the VPN IP address and on the GREEN IP
>> address of the Endian box).
>> All other IPs in the network cannot be reached.
>> 
>> I have tried this both with a Net2Net configuration and with a
>> RoadWarrior
>> configuration. Same results.
>> 
>> Any suggestions what to do?
>> 
>> 
>> Igor Mikolic-Torreira wrote:
>>> 
>>> I believe this is the OpenVPN routing bug.  This has been
>>> discussed previously on this list (a search of the archives
>>> should find it).  A solution also appears at
>>> 
>>> http://alumnus.caltech.edu/~igormt/endian/bugs.html
>>> 
>>> Igor
>>> 
>>> 
>>> Ron E. wrote:
>>>> Dear All,
>>>> 
>>>> Hopefully someone has an idea about this. I manage several Endian 
>>>> firewall systems with openvpn configured and enabled. The one with this 
>>>> issue is running version 2.1.1 (the most recent version any of the 
>>>> various systems are running).
>>>> 
>>>> Recently I configured openvpn on this particular system and while 
>>>> clients can connect successfully, only the firewall's green NIC is
>>>> accessible, no other LAN machines are despite being reachable from 
>>>> inside the network normally.
>>>> 
>>>> I have reproduced this problem on multiple systems connected to the 
>>>> Internet in multiple ways, with a public IP on the client side, via a 
>>>> NAT gateway, etc., etc.
>>>> 
>>>> Looked through the openvpn logs and searched this mailing list but 
>>>> haven't found any clues.
>>>> 
>>>> Would appreciate any input, thanks.
>>>> 
> 



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
_______________________________________________
Efw-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/efw-user

