Hi list,
I'm setting up a VPN with OpenVPN on OpenBSD 5.1 amd64. (Not IPsec,
because I still do not know how to use it well; that will be the next study.)
My configuration is 1:N. No problem with CA, key and cert creation.
I have this scenario:
1 A firewall (Snapgear), not OpenBSD and managed by other people.
2 A network with different servers.
I've installed OpenBSD 5.1 and OpenVPN on a VM, generated certificates,
keys, etc.
Firewall: 192.168.0.1
OBSD: 192.168.0.118 on port 10194 (10.0.8.1 -> 10.0.8.2)
FTPSVR: 192.168.0.115
Remote Client: 10.0.8.5 -> 10.0.8.6
When the client connects to the OpenVPN server, the handshake goes well, the
client connects and receives a fixed IP from the server. At this point the
client can communicate with the virtual IP of the server and the local
OpenVPN server IP, and can send packets to the other servers local to the
OpenVPN server (on the remote LAN).
The other server gets the packet and replies to it, but (obviously) the
reply does not reach the OpenVPN client because there is no route for
packets of 10.0.8.0/24. All traffic flow has been monitored with tcpdump
on the OpenVPN server and on FTPSVR, and all packets go in the right
direction.
I've read in the past that I must insert a route on the bastion host
(firewall Snapgear) to say that packets for the 10.0.8/24 network must be
routed to 192.168.0.118 (the OpenVPN server).
I've asked the firewall admin to add a route for this purpose, but they say
this is not secure. Why is this not secure?
Are there other methods than routing rules, such as NAT, for this purpose?
Thanks in advance. Alessandro.
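As an added illustration of the NAT alternative asked about above (not part of the original mail, and not a configuration from the poster), here is a pf.conf fragment for the OpenBSD OpenVPN host, 192.168.0.118. It source-NATs traffic from the 10.0.8.0/24 tunnel network to the host's own LAN address, so replies from FTPSVR go to 192.168.0.118, which already has the tunnel route, and the Snapgear firewall needs no route for 10.0.8.0/24. The interface names em0 and tun0 are assumptions; replace them with the names shown by ifconfig on that host.

```conf
# /etc/pf.conf fragment on the OpenBSD OpenVPN host (192.168.0.118).
# Assumed interface names (not from the original mail): LAN on em0, tunnel on tun0.
lan_if  = "em0"
vpn_if  = "tun0"
vpn_net = "10.0.8.0/24"
lan_net = "192.168.0.0/24"

# Rewrite the source of tunnel traffic bound for the LAN to em0's address
# (192.168.0.118), so the LAN servers answer the OpenVPN host rather than
# trying to reach 10.0.8.0/24 through the firewall.
match out on $lan_if inet from $vpn_net to $lan_net nat-to ($lan_if)

# Let the tunnel clients reach the LAN; pf keeps state, so the replies
# (now addressed to 192.168.0.118) are matched back into the tunnel.
pass in  on $vpn_if inet from $vpn_net to $lan_net
pass out on $lan_if inet from $vpn_net to $lan_net
```

For this to work the host must forward packets (sysctl net.inet.ip.forwarding=1), and the OpenVPN server should push the LAN route to clients (push "route 192.168.0.0 255.255.255.0" in the server config) so they send LAN-bound traffic into the tunnel at all. Check the syntax with pfctl -nf /etc/pf.conf before loading it. The trade-off to keep in mind from the firewall admin's point of view: with NAT, every VPN client appears on the LAN as 192.168.0.118, so FTPSVR's logs and any per-host filtering on the firewall can no longer distinguish individual remote clients; the routed design preserves the 10.0.8.x source addresses and lets the firewall filter them explicitly.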