After upgrading (re-installing from scratch) my firewall from 4.6 (or
4.7) to 5.0, I have not been able to get OpenVPN working again. Please
forgive me for asking here at misc, but I have spent two days Googling,
reading tons of HOWTOs and trying out different solutions, without
being able to solve the issue.

The previous and working implementation was based on this HOWTO,
http://personal.exadios.com/Technical/IEEE802.11/a0001.html, which
worked well in describing how to bridge a wired LAN with a wireless LAN.


PROBLEM:

Clients successfully connect to the VPN server and receive proper DHCP
addresses for both the wlan and tunnel interfaces (and can reach the wlan
subnet), but fail to reach the wired LAN or the internet.
/var/log/messages indicates everything is up and running.


CURRENT SETUP:

Interfaces on firewall/vpn server:
url0     -> dhcp NONE NONE NONE (isp)
acx0     -> inet 192.168.2.1 255.255.255.0 NONE (wlan access point)
tun0     -> link0\up
bridge0  -> add bge0\add tun0\up
bge0     -> inet 192.168.3.1 255.255.255.0 NONE (lan)

/etc/openvpn/server.conf
---8<---
daemon openvpn
writepid /var/openvpn/pid
status /var/openvpn/status 10
local 192.168.2.1
port 1194
proto udp
dev tun0
dev-type tap
client-to-client
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server-bridge 192.168.3.1 255.255.255.0 192.168.3.200 192.168.3.210 # change to your setup
ifconfig-pool-persist /var/openvpn/ipp.txt
push "redirect-gateway local def1"
#push redirect-gateway 192.168.3.1
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher BF-CBC # Blowfish (default)
max-clients 10
user _openvpn
group _openvpn
persist-key
persist-tun
verb 3
mute 20
chroot /var/empty
--->8---


Interfaces on client machine/vpn client:
iwn0      -> dhcp NONE NONE NONE [wlan options]
tun0      -> link0\up


/etc/openvpn/client.conf
---8<---
client
dev tun0
dev-type tap
proto udp
remote 192.168.2.1
port 1194
resolv-retry infinite
nobind
user _openvpn
group _openvpn
persist-key
persist-tun
mute-replay-warnings
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
ns-cert-type server
tls-auth /etc/openvpn/keys/ta.key 1
cipher BF-CBC
verb 3
mute 20
chroot /var/empty
--->8---


/etc/resolv.conf
---8<---
nameserver 192.168.3.1
nameserver 193.75.75.75
nameserver 193.75.75.193
lookup file bind
--->8---


A tcpdump on acx0 (wlan access point) yields this:
---8<---
# tcpdump -env -ttt -i acx0
tcpdump: listening on acx0, link-type EN10MB
Dec 15 02:15:35.159695 00:0f:3d:58:b5:00 00:16:ea:b3:65:d0 0800 375:
192.168.2.1.1194 > 192.168.2.200.42941: udp 333 (ttl 64, id 41258, len
361)
Dec 15 02:15:35.159822 00:0f:3d:58:b5:00 00:16:ea:b3:65:d0 0800 391:
192.168.2.1.1194 > 192.168.2.200.42941: udp 349 (ttl 64, id 5887, len
377)
Dec 15 02:15:35.159914 00:0f:3d:58:b5:00 00:16:ea:b3:65:d0 0800 431:
192.168.2.1.1194 > 192.168.2.200.42941: udp 389 (ttl 64, id 58840, len
417)
Dec 15 02:15:35.160033 00:0f:3d:58:b5:00 00:16:ea:b3:65:d0 0800 447:
192.168.2.1.1194 > 192.168.2.200.42941: udp 405 (ttl 64, id 56154, len
433)
Dec 15 02:15:35.160122 00:0f:3d:58:b5:00 00:16:ea:b3:65:d0 0800 439:
192.168.2.1.1194 > 192.168.2.200.42941: udp 397 (ttl 64, id 32655, len
425)
Dec 15 02:15:35.161985 00:16:ea:b3:65:d0 00:0f:3d:58:b5:00 0800 95:
192.168.2.200.42941 > 192.168.2.1.1194: [udp sum ok] udp 53 (ttl 64, id
4108, len 81)
Dec 15 02:15:35.346095 00:16:ea:b3:65:d0 00:0f:3d:58:b5:00 0800 151:
192.168.2.200.42941 > 192.168.2.1.1194: udp 109 (ttl 64, id 51891, len
137)
Dec 15 02:15:35.346276 00:0f:3d:58:b5:00 00:16:ea:b3:65:d0 0800 151:
192.168.2.1.1194 > 192.168.2.200.42941: udp 109 (ttl 64, id 22222, len
137)
Dec 15 02:15:40.355711 00:16:ea:b3:65:d0 00:0f:3d:58:b5:00 0800 72:
192.168.2.200.29597 > 193.75.75.75.53: [udp sum ok] 53793+ A?
pool.ntp.org. (30) (ttl 64, id 39342, len 58)
--->8---


However, a tcpdump on tun0 on the OpenVPN server yields the following:
---8<---
# tcpdump -env -ttt -i tun0
tcpdump: listening on tun0, link-type EN10MB
Dec 15 02:12:00.945266 fe:e1:ba:da:9e:7a 00:14:c2:e1:ad:6f 0800 72:
192.168.3.200.37441 > 192.168.3.1.53: [udp sum ok] 10028+ AAAA?
pool.ntp.org. (30) (ttl 64, id 50329, len 58)
Dec 15 02:12:00.945311 00:14:c2:e1:ad:6f fe:e1:ba:da:9e:7a 0800 70:
192.168.3.1 > 192.168.3.200: icmp: 192.168.3.1 udp port 53 unreachable
(ttl 255, id 42537, len 56, bad cksum 0!)
Dec 15 02:12:03.915356 fe:e1:ba:da:9e:7a 00:14:c2:e1:ad:6f 0800 79:
192.168.3.200.27617 > 192.168.3.1.53: [udp sum ok] 64252+ AAAA?
fxfeeds.mozilla.com. (37) (ttl 64, id 8802, len 65)
Dec 15 02:12:03.915387 00:14:c2:e1:ad:6f fe:e1:ba:da:9e:7a 0800 70:
192.168.3.1 > 192.168.3.200: icmp: 192.168.3.1 udp port 53 unreachable
(ttl 255, id 5606, len 56, bad cksum 0!)
--->8---


Thanks in advance,
Erling Westenvik
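An added diagnostic example, not part of the original post: a small Python parser for the `tcpdump -env -ttt` records above that re-joins wrapped lines and pairs each UDP flow with any ICMP port-unreachable reply from its destination. The sample input embedded in the block is the tun0 capture from the post.

```python
import re
from collections import Counter
# Constructed sample input: the tun0 records from the post, wrapped as they appear above.
SAMPLE = """Dec 15 02:12:00.945266 fe:e1:ba:da:9e:7a 00:14:c2:e1:ad:6f 0800 72:
192.168.3.200.37441 > 192.168.3.1.53: [udp sum ok] 10028+ AAAA?
pool.ntp.org. (30) (ttl 64, id 50329, len 58)
Dec 15 02:12:00.945311 00:14:c2:e1:ad:6f fe:e1:ba:da:9e:7a 0800 70:
192.168.3.1 > 192.168.3.200: icmp: 192.168.3.1 udp port 53 unreachable
(ttl 255, id 42537, len 56, bad cksum 0!)
Dec 15 02:12:03.915356 fe:e1:ba:da:9e:7a 00:14:c2:e1:ad:6f 0800 79:
192.168.3.200.27617 > 192.168.3.1.53: [udp sum ok] 64252+ AAAA?
fxfeeds.mozilla.com. (37) (ttl 64, id 8802, len 65)
Dec 15 02:12:03.915387 00:14:c2:e1:ad:6f fe:e1:ba:da:9e:7a 0800 70:
192.168.3.1 > 192.168.3.200: icmp: 192.168.3.1 udp port 53 unreachable
(ttl 255, id 5606, len 56, bad cksum 0!)
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# OpenBSD tcpdump -ttt prints "Mon DD HH:MM:SS.usec" at the start of every record.
TS = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+ ")
UDP = re.compile(IP + r"\.(\d+) > " + IP + r"\.(\d+): .*\budp\b")
UNREACH = re.compile(IP + r" > " + IP + r": icmp: " + IP + r" udp port (\d+) unreachable")

def reassemble(text):
    """Re-join records that were wrapped onto several lines; a record starts at a timestamp."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def diagnose(text):
    """Return {(dst_ip, dst_port): n} for UDP destinations that answered n times with
    ICMP port unreachable, i.e. the datagrams arrived but nothing was listening there."""
    seen, rejected = set(), Counter()
    for rec in reassemble(text):
        m = UDP.search(rec)
        if m:
            seen.add((m.group(3), m.group(4)))
            continue
        m = UNREACH.search(rec)
        if m and (m.group(3), m.group(4)) in seen:
            rejected[(m.group(3), m.group(4))] += 1
    return dict(rejected)

if __name__ == "__main__":
    for (ip, port), n in sorted(diagnose(SAMPLE).items()):
        print(f"{ip} rejected {n} UDP/{port} datagram(s): nothing listening on that port")
```

Run on the tun0 capture it reports that 192.168.3.1 rejected both UDP/53 queries, which shows the client's datagrams did cross the bridge into the firewall's IP stack; the next thing to check is whether a resolver is actually listening on 192.168.3.1:53, since the client's resolv.conf tries that address first.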
