> -----Original Message-----
> From: Doug Sampson [mailto:do...@dawnsign.com]
> Sent: Tuesday, March 29, 2011 06:02 PM
> To: leaf-user@lists.sourceforge.net
> Subject: [leaf-user] OpenVPN running in DMZ using Bering uClibc 3.1
>
> Hello,
>
> I'm experimenting with a dd-wrt type wireless access point in a DMZ
> setting using a three NIC router. I do not want to expose the WAP to the
> Internet, thus it sits in the DMZ. The network is as follows:
>
>    INTERNET
>       |
>       |
>    FIREWALL---------DMZ <<<<<<<<<< WAP
>       |           10.8.2.x      10.8.2.5
>       |
>      LAN
>    10.8.1.x
>
> I have been using OpenVPN successfully authenticating road warriors for
> years. They connect to the WAN card on the router. I used this
> documentation:
>
> http://www.shorewall.net/3.0/OPENVPN.html
>
> in configuring the firewall for OpenVPN access.
>
> Now, the WAP has a fixed IP address in the DMZ zone and uses the
> firewall as the gateway to the Internet. I can connect to the Internet
> using a wireless client connected to the WAP in the DMZ zone.
>
> I tried using the stock OpenVPN client configuration that worked well on
> the Internet behind the DMZ and it fails. I modified
> /etc/shorewall/tunnels as follows:
>
> #TYPE          ZONE    GATEWAY         GATEWAY
> #                                      ZONE
> openvpnserver  net     0.0.0.0/0
> openvpnserver  dmz     0.0.0.0/0
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> Reading the rest of the documentation, it appears there is nothing else
> I need to do. However, when I attempt to connect using OpenVPN from a
> wireless client with an IP address in the DMZ zone, I fail to connect. I
> get repeated error messages as follows:
>
> Tue Mar 29 17:27:00 2011 TCP/UDP: Incoming packet rejected from
> 10.8.2.254:1194[2], expected peer address: 10.8.1.254:1194 (allow this
> incoming source address/port by removing --remote or adding --float)
>
> I've restarted Shorewall after making the configuration change but not
> the system. What am I missing? There isn't any documentation showing a
> setup allowing OpenVPN connections from both the Internet and the DMZ.
>
> Or is OpenVPN designed to handle one zone only?
It turns out to be an OpenVPN issue. Once I hardcoded a static IP address of the DMZ NIC of the firewall into the openvpn.conf file, I was able to obtain a valid VPN IP address. However, I wasn't able to get into the local network, nor was I able to get out to the Internet. Interestingly enough, I saw a CPU spike to 100% once the connection was made. I'll bet this is a DNS/OpenVPN misconfiguration affecting clients trying to access from the DMZ zone. I'll work some more on this tomorrow morning.

~Doug

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
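The "Incoming packet rejected ... expected peer address" line quoted in the thread is what an OpenVPN client prints when the server's reply arrives from a different address than the one the client sent to, which is exactly what happens when a multi-homed server (the firewall, with a LAN and a DMZ NIC) answers from its DMZ interface. As an added example, not part of the thread and not LEAF, Shorewall or OpenVPN project code, the following Python checker parses that log line, reads the `remote` entries of a client config, and reports whether the rejected source is just another address of the same server. The client config, the firewall address table and the use of the quoted log line as input are constructed for the example.

```python
import re

# Constructed sample input: the rejection line quoted in the thread above.
SAMPLE_LOG = (
    "Tue Mar 29 17:27:00 2011 TCP/UDP: Incoming packet rejected from "
    "10.8.2.254:1194[2], expected peer address: 10.8.1.254:1194 "
    "(allow this incoming source address/port by removing --remote or adding --float)"
)

# Constructed (hypothetical) client config: points at the firewall's LAN address.
SAMPLE_CLIENT_CONF = """client
dev tun
proto udp
remote 10.8.1.254 1194   # LAN-facing address of the firewall
nobind
"""

# Constructed: addresses the firewall owns, keyed by the zone they face.
FIREWALL_ADDRS = {"10.8.1.254": "lan", "10.8.2.254": "dmz"}

# Matches OpenVPN's peer-address rejection message; the "[2]" after the
# source port is a socket index and is skipped by the lazy ".*?".
REJECT_RE = re.compile(
    r"Incoming packet rejected from (?P<actual>[\d.]+):(?P<aport>\d+)"
    r".*?expected peer address: (?P<expected>[\d.]+):(?P<eport>\d+)"
)


def parse_rejection(line):
    """Return the actual and expected peer endpoints from a rejection line, else None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    return {
        "actual": m["actual"], "actual_port": int(m["aport"]),
        "expected": m["expected"], "expected_port": int(m["eport"]),
    }


def configured_remotes(conf_text):
    """Collect (host, port) pairs from every 'remote' directive; port defaults to 1194."""
    remotes = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if parts and parts[0] == "remote" and len(parts) >= 2:
            port = int(parts[2]) if len(parts) >= 3 and parts[2].isdigit() else 1194
            remotes.append((parts[1], port))
    return remotes


def diagnose(log_text, conf_text, server_addrs):
    """Classify the first rejection found in the log against the client config."""
    remotes = configured_remotes(conf_text)
    for line in log_text.splitlines():
        rej = parse_rejection(line)
        if rej is None:
            continue
        actual, expected = rej["actual"], rej["expected"]
        if actual in server_addrs and expected in server_addrs and actual != expected:
            # Same server, different interface: the client addressed one zone's
            # NIC and the reply left via another zone's NIC.
            return {
                "kind": "multihomed-reply",
                "contacted": expected, "contacted_zone": server_addrs[expected],
                "replied_from": actual, "replied_zone": server_addrs[actual],
                "remote_listed": any(host == actual for host, _ in remotes),
                "fix": f"add 'remote {actual} {rej['actual_port']}' to the client, "
                       "or enable --multihome on the server",
            }
        # Source is not one of the server's known addresses: do not loosen the
        # peer check for it; treat as an unexpected sender and investigate.
        return {"kind": "unknown-source", "replied_from": actual, "contacted": expected}
    return {"kind": "no-rejection"}


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CLIENT_CONF, FIREWALL_ADDRS))
```

For the thread's line the checker reports a multi-homed reply: the client contacted 10.8.1.254 (LAN side) and the answer came from 10.8.2.254 (DMZ side). The remedy Doug found, putting the DMZ NIC's address into the client's `remote` line, is one of the two clean fixes; the other is the server-side `--multihome` option, which makes OpenVPN answer from whichever local address the client actually contacted. `--float`, which the log message also suggests, would make the client accept the packets too, but it relaxes the peer-address check for the whole session and is intended for peers that legitimately change address, so it is the wrong tool for a server that is merely multi-homed.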