Yeah, net.inet.ip.forwarding=1, but thanks. I should perhaps have made
it more clear that my wired lan (192.168.3.0) works normally -- and my
wireless too when without OpenVPN. I'm feeling quite stupid here, being
more and more certain that the solution is very close. And very
simple...


On Wed, Dec 14, 2011 at 11:02:43PM -0500, Josh Grosse wrote:
> Erling Westenvik <erling.westen...@gmail.com> wrote:
> 
> After upgrading (re-installing from scratch) my firewall from 4.6 (or
> 4.7) to 5.0, I have not been able to get OpenVPN back working. Please
> forgive me for asking here at misc but I have spent two days Googling,
> reading tons of HOWTOs and trying out different solutions, but without
> being able to solve the issue.
> 
> The previous and working implementation was based on this HOWTO,
> http://personal.exadios.com/Technical/IEEE802.11/a0001.html, which
> worked well in describing how to bridge a wired lan with a wireless lan.
> 
> 
> PROBLEM:
> 
> Clients successfully connect to VPN server, receive proper dhcp
> addresses for both wlan and tunnel interfaces (and can reach the wlan
> subnet) but fail to reach the wired lan or internet.
> /var/log/messages indicates everything is up and running.
> 
> 
> CURRENT SETUP:
> 
> Interfaces on firewall/vpn server:
> url0 -> dhcp NONE NONE NONE (isp)
> acx0 -> inet 192.168.2.1 255.255.255.0 NONE (wlan accesspoint)
> tun0 -> link0\up
> bridge0 -> add bge0\add tun0\up
> bge0 -> inet 192.168.3.1 255.255.255.0 NONE (lan)
> 
> /etc/openvpn/server.conf
> ---8<---
> daemon openvpn
> writepid /var/openvpn/pid
> status /var/openvpn/status 10
> local 192.168.2.1
> port 1194
> proto udp
> dev tun0
> dev-type tap
> client-to-client
> ca /etc/openvpn/keys/ca.crt
> cert /etc/openvpn/keys/server.crt
> key /etc/openvpn/keys/server.key
> dh /etc/openvpn/keys/dh1024.pem
> server-bridge 192.168.3.1 255.255.255.0 192.168.3.200 192.168.3.210 # change to your setup
> ifconfig-pool-persist /var/openvpn/ipp.txt
> push "redirect-gateway local def1"
> #push redirect-gateway 192.168.3.1
> keepalive 10 120
> tls-auth /etc/openvpn/keys/ta.key 0
> cipher BF-CBC # Blowfish (default)
> max-clients 10
> user _openvpn
> group _openvpn
> persist-key
> persist-tun
> verb 3
> mute 20
> chroot /var/empty
> --->8---
> 
> 
> Interfaces on client machine/vpn client:
> iwn0 -> dhcp NONE NONE NONE [wlan options]
> tun0 -> link0\up
> 
> 
> /etc/openvpn/client.conf
> ---8<---
> client
> dev tun0
> dev-type tap
> proto udp
> remote 192.168.2.1
> port 1194
> resolv-retry infinite
> nobind
> user _openvpn
> group _openvpn
> persist-key
> persist-tun
> mute-replay-warnings
> ca /etc/openvpn/keys/ca.crt
> cert /etc/openvpn/keys/client.crt
> key /etc/openvpn/keys/client.key
> ns-cert-type server
> tls-auth /etc/openvpn/keys/ta.key 1
> cipher BF-CBC
> verb 3
> mute 20
> chroot /var/empty
> --->8---
> 
> 
> /etc/resolv.conf
> ---8<---
> nameserver 192.168.3.1
> nameserver 193.75.75.75
> nameserver 193.75.75.193
> lookup file bind
> --->8---
> 
> 
> A tcpdump on acx0 (wlan accesspoint) yields this:
> ---8<---
> # tcpdump -env -ttt -i acx0
> tcpdump: listening on acx0, link-type EN10MB
> Dec 15 02:15:35.159695 00:0f:3d:58:b5:00 00:16:ea:b3:65:d0 0800 375: 192.168.2.1.1194 > 192.168.2.200.42941: udp 333 (ttl 64, id 41258, len 361)
> Dec 15 02:15:35.159822 00:0f:3d:58:b5:00 00:16:ea:b3:65:d0 0800 391: 192.168.2.1.1194 > 192.168.2.200.42941: udp 349 (ttl 64, id 5887, len 377)
> Dec 15 02:15:35.159914 00:0f:3d:58:b5:00 00:16:ea:b3:65:d0 0800 431: 192.168.2.1.1194 > 192.168.2.200.42941: udp 389 (ttl 64, id 58840, len 417)
> Dec 15 02:15:35.160033 00:0f:3d:58:b5:00 00:16:ea:b3:65:d0 0800 447: 192.168.2.1.1194 > 192.168.2.200.42941: udp 405 (ttl 64, id 56154, len 433)
> Dec 15 02:15:35.160122 00:0f:3d:58:b5:00 00:16:ea:b3:65:d0 0800 439: 192.168.2.1.1194 > 192.168.2.200.42941: udp 397 (ttl 64, id 32655, len 425)
> Dec 15 02:15:35.161985 00:16:ea:b3:65:d0 00:0f:3d:58:b5:00 0800 95: 192.168.2.200.42941 > 192.168.2.1.1194: [udp sum ok] udp 53 (ttl 64, id 4108, len 81)
> Dec 15 02:15:35.346095 00:16:ea:b3:65:d0 00:0f:3d:58:b5:00 0800 151: 192.168.2.200.42941 > 192.168.2.1.1194: udp 109 (ttl 64, id 51891, len 137)
> Dec 15 02:15:35.346276 00:0f:3d:58:b5:00 00:16:ea:b3:65:d0 0800 151: 192.168.2.1.1194 > 192.168.2.200.42941: udp 109 (ttl 64, id 22222, len 137)
> Dec 15 02:15:40.355711 00:16:ea:b3:65:d0 00:0f:3d:58:b5:00 0800 72: 192.168.2.200.29597 > 193.75.75.75.53: [udp sum ok] 53793+ A? pool.ntp.org. (30) (ttl 64, id 39342, len 58)
> --->8---
> 
> 
> However, a tcpdump on tun0 on the OpenVPN server yields the following:
> ---8<---
> # tcpdump -env -ttt -i tun0
> tcpdump: listening on tun0, link-type EN10MB
> Dec 15 02:12:00.945266 fe:e1:ba:da:9e:7a 00:14:c2:e1:ad:6f 0800 72: 192.168.3.200.37441 > 192.168.3.1.53: [udp sum ok] 10028+ AAAA? pool.ntp.org. (30) (ttl 64, id 50329, len 58)
> Dec 15 02:12:00.945311 00:14:c2:e1:ad:6f fe:e1:ba:da:9e:7a 0800 70: 192.168.3.1 > 192.168.3.200: icmp: 192.168.3.1 udp port 53 unreachable (ttl 255, id 42537, len 56, bad cksum 0!)
> Dec 15 02:12:03.915356 fe:e1:ba:da:9e:7a 00:14:c2:e1:ad:6f 0800 79: 192.168.3.200.27617 > 192.168.3.1.53: [udp sum ok] 64252+ AAAA? fxfeeds.mozilla.com. (37) (ttl 64, id 8802, len 65)
> Dec 15 02:12:03.915387 00:14:c2:e1:ad:6f fe:e1:ba:da:9e:7a 0800 70: 192.168.3.1 > 192.168.3.200: icmp: 192.168.3.1 udp port 53 unreachable (ttl 255, id 5606, len 56, bad cksum 0!)
> --->8---
> 
> 
> Thanks in advance,
> Erling Westenvik
> 
> 
> Did you, by any chance, forget to enable the IP forwarding sysctl? It's just 
> a guess.
> --
> Sent from my phone. Please excuse any idiotic automated word choices. It 
> wasn't me. Honest.
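The two captures quoted in this thread carry a detail that is easy to miss when reading wrapped tcpdump output by eye: on tun0, every DNS query from the VPN client to 192.168.3.1 port 53 is answered with an ICMP "udp port 53 unreachable", which a host emits when no socket is bound to that port (a pf rule with `return` produces the same error), while the query to 193.75.75.75 on acx0 shows no reply within the snippet. The script below is an added example, not code from the thread or from OpenVPN, that parses the `tcpdump -env -ttt` line format used here and reports both conditions: destination ports that bounce with ICMP port unreachable, and UDP flows that see neither a reply datagram nor an ICMP error. The sample lines are constructed to match the shape of the quoted tun0 capture (e-mail wrapping undone) with one extra, constructed query to an off-link resolver that goes unanswered.

```python
import re
from collections import Counter

# Constructed sample (not the thread's capture verbatim): lines shaped like
# `tcpdump -env -ttt -i tun0` output with the e-mail line wrapping undone, plus
# one extra query to an off-link resolver that receives no reply at all.
SAMPLE_CAPTURE = """\
Dec 15 02:12:00.945266 fe:e1:ba:da:9e:7a 00:14:c2:e1:ad:6f 0800 72: 192.168.3.200.37441 > 192.168.3.1.53: [udp sum ok] 10028+ AAAA? pool.ntp.org. (30) (ttl 64, id 50329, len 58)
Dec 15 02:12:00.945311 00:14:c2:e1:ad:6f fe:e1:ba:da:9e:7a 0800 70: 192.168.3.1 > 192.168.3.200: icmp: 192.168.3.1 udp port 53 unreachable (ttl 255, id 42537, len 56, bad cksum 0!)
Dec 15 02:12:03.915356 fe:e1:ba:da:9e:7a 00:14:c2:e1:ad:6f 0800 79: 192.168.3.200.27617 > 192.168.3.1.53: [udp sum ok] 64252+ AAAA? fxfeeds.mozilla.com. (37) (ttl 64, id 8802, len 65)
Dec 15 02:12:03.915387 00:14:c2:e1:ad:6f fe:e1:ba:da:9e:7a 0800 70: 192.168.3.1 > 192.168.3.200: icmp: 192.168.3.1 udp port 53 unreachable (ttl 255, id 5606, len 56, bad cksum 0!)
Dec 15 02:12:05.100000 fe:e1:ba:da:9e:7a 00:14:c2:e1:ad:6f 0800 72: 192.168.3.200.40001 > 193.75.75.75.53: [udp sum ok] 11111+ A? pool.ntp.org. (30) (ttl 64, id 1234, len 58)
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# "src.sport > dst.dport:" is how tcpdump prints a UDP (or TCP) datagram header.
UDP_RE = re.compile(rf"(?P<src>{IP})\.(?P<sport>\d+) > (?P<dst>{IP})\.(?P<dport>\d+):")
# "a > b: icmp: host udp port N unreachable" is the ICMP type 3 / code 3 line.
UNREACH_RE = re.compile(
    rf"(?P<src>{IP}) > (?P<dst>{IP}): icmp: (?P<host>{IP}) (?P<proto>udp|tcp) port (?P<port>\d+) unreachable"
)


def parse_line(line):
    """Classify one tcpdump line as a datagram, an ICMP port-unreachable, or None."""
    m = UNREACH_RE.search(line)
    if m:
        return {"kind": "unreachable", "from": m["src"], "to": m["dst"],
                "host": m["host"], "proto": m["proto"], "port": int(m["port"])}
    m = UDP_RE.search(line)
    if m:
        return {"kind": "udp", "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"])}
    return None


def dead_ports(capture):
    """Map (host, proto, port) -> (datagrams sent there, ICMP port-unreachable
    replies seen) for every port that bounced at least once."""
    sent, bounced = Counter(), Counter()
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "udp":
            sent[(rec["dst"], "udp", rec["dport"])] += 1
        else:
            bounced[(rec["host"], rec["proto"], rec["port"])] += 1
    return {key: (sent[key], n) for key, n in bounced.items()}


def unanswered_flows(capture):
    """UDP 4-tuples that saw neither a reverse datagram nor an ICMP error:
    traffic that left the interface and simply never came back."""
    flows, unreach = set(), set()
    for line in capture.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "udp":
            flows.add((rec["src"], rec["sport"], rec["dst"], rec["dport"]))
        else:
            unreach.add((rec["host"], rec["port"]))
    return sorted(f for f in flows
                  if (f[2], f[3], f[0], f[1]) not in flows and (f[2], f[3]) not in unreach)


def report(capture):
    """Human-readable summary of both symptoms found in the capture."""
    out = []
    for (host, proto, port), (sent, bounced) in sorted(dead_ports(capture).items()):
        out.append(f"{host} {proto}/{port}: {sent} sent, {bounced} ICMP port-unreachable "
                   f"replies (no listener on that port, or a pf rule with 'return')")
    for src, sport, dst, dport in unanswered_flows(capture):
        out.append(f"{src}:{sport} -> {dst}:{dport}: no reply and no ICMP error seen")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_CAPTURE):
        print(line)
```

Feed it a real capture with `python3 script.py < capture.txt` after swapping `SAMPLE_CAPTURE` for `sys.stdin.read()`; the two checks separate "the host answered and said no" (a listener or firewall problem on that host) from "nothing ever came back" (a forwarding, NAT or routing problem further along), which is the distinction the two interfaces in this thread show.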
