No, you need to have that route rule in place @snapgear in order to get the reply from the server.
-luis

On Tue, Oct 16, 2012 at 12:52 PM, Alessandro Baggi <[email protected]> wrote:
> Hi list,
> I'm setting up a VPN with OpenVPN on OpenBSD 5.1 amd64. (Not IPsec because
> I still do not know how to use it well; this will be the next study.)
>
> My configuration is 1:N. No problem with CA, key, cert creation.
>
> I have this scenario:
>
> 1. Firewall (Snapgear), not OpenBSD and managed by other people.
> 2. A network with different servers.
>
> I've installed OpenBSD 5.1 and OpenVPN on a VM. Generated certificates,
> keys, etc.
>
> Firewall: 192.168.0.1
> OBSD: 192.168.0.118 on port 10194 (10.0.8.1 -> 10.0.8.2)
> FTPSVR: 192.168.0.115
> Remote Client: 10.0.8.5 -> 10.0.8.6
>
> When the client connects to the OpenVPN server, the handshake goes well, the client connects
> and receives a fixed IP from the server. At this point the client can communicate
> with the virtual IP of the server, the local OpenVPN server IP, and can send packets to
> other servers local to the OpenVPN server (on the remote LAN).
> The other server gets the packet and replies to this packet, but (obviously)
> the reply does not reach the OpenVPN client because there is no route
> for packets of 10.0.8.0/24. All traffic flow has been monitored with
> tcpdump on the OpenVPN server and on FTPSVR, and all packets go in the right
> direction.
>
> I've read in the past that I must insert a route on the bastion host
> (firewall Snapgear) to say that packets for the 10.0.8/24 network must be routed
> to 192.168.0.118 (the OpenVPN server).
>
> I've asked the firewall admin to add a route for this purpose, but he
> says this is not secure. Why is this not secure?
>
> Are there other methods besides routing rules, such as NAT, for this
> purpose?
>
> Thanks in advance. Alessandro.


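To make the routing problem in the thread concrete, here is an added example (not code from the thread or from OpenBSD/OpenVPN) that simulates the reply path of FTPSVR's packet under longest-prefix-match routing, using the addresses Alessandro posted. The routing tables, the `upstream` placeholder for the Snapgear's default gateway, and the simplification that the OpenVPN server delivers straight onto 10.0.8.0/24 over its tun interface are assumptions of this example. It traces three cases: the firewall without a route for 10.0.8.0/24 (reply leaves the LAN and is lost to the VPN client), the firewall with the route `10.0.8.0/24 -> 192.168.0.118` (reply hairpins back to the OpenVPN server), and the NAT alternative the post asks about, where the OpenVPN server rewrites the client's source address to its own LAN address so FTPSVR's reply never needs the firewall at all.

```python
import ipaddress

# Addresses as given in the thread.
FIREWALL = "192.168.0.1"
OPENVPN_SERVER = "192.168.0.118"
FTPSVR = "192.168.0.115"
VPN_CLIENT = "10.0.8.6"
LAN = "192.168.0.0/24"
VPN_NET = "10.0.8.0/24"
DEFAULT = "0.0.0.0/0"
UPSTREAM = "upstream"  # constructed placeholder for the Snapgear's own next hop


def next_hop(routes, dst):
    """Longest-prefix match over a list of (prefix, gateway) entries.
    gateway None means the prefix is directly connected; returns the gateway
    address, "direct:<prefix>" for a connected network, or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    net, gw = best
    return gw if gw is not None else f"direct:{net}"


# Assumed routing tables for the three hosts modelled here.
FTPSVR_ROUTES = [(LAN, None), (DEFAULT, FIREWALL)]
FIREWALL_ROUTES_NO_VPN = [(LAN, None), (DEFAULT, UPSTREAM)]
FIREWALL_ROUTES_WITH_VPN = FIREWALL_ROUTES_NO_VPN + [(VPN_NET, OPENVPN_SERVER)]
# Simplification: the OpenVPN server treats the whole VPN subnet as reachable
# over its tun interface (with net30 topology it would actually be a route
# via the tun peer, but the outcome for this trace is the same).
OPENVPN_SERVER_ROUTES = [(LAN, None), (VPN_NET, None)]


def trace_reply(dst, firewall_routes, max_hops=4):
    """Follow FTPSVR's reply to `dst` hop by hop. Returns the list of hops,
    ending in 'delivered on <net>' when a host has the destination directly
    connected, UPSTREAM when the firewall forwards it out of the LAN, or
    'no route'/'loop' for the remaining failure modes."""
    tables = {
        FTPSVR: FTPSVR_ROUTES,
        FIREWALL: firewall_routes,
        OPENVPN_SERVER: OPENVPN_SERVER_ROUTES,
    }
    node = FTPSVR
    path = [node]
    for _ in range(max_hops):
        hop = next_hop(tables[node], dst)
        if hop is None:
            path.append("no route")
            return path
        if hop.startswith("direct:"):
            path.append("delivered on " + hop[len("direct:"):])
            return path
        path.append(hop)
        if hop not in tables:
            return path  # left the modelled network, e.g. the firewall's upstream
        node = hop
    path.append("loop")
    return path


def nat_source(src, nat_enabled=True):
    """Source address FTPSVR sees for a packet from a VPN client.
    With NAT on the OpenVPN server, traffic from 10.0.8.0/24 leaves the LAN
    interface as 192.168.0.118, so FTPSVR's reply is addressed to the server."""
    if nat_enabled and ipaddress.ip_address(src) in ipaddress.ip_network(VPN_NET):
        return OPENVPN_SERVER
    return src


if __name__ == "__main__":
    print("no route on firewall:", trace_reply(VPN_CLIENT, FIREWALL_ROUTES_NO_VPN))
    print("route on firewall:   ", trace_reply(VPN_CLIENT, FIREWALL_ROUTES_WITH_VPN))
    print("NAT on OpenVPN host: ", trace_reply(nat_source(VPN_CLIENT), FIREWALL_ROUTES_NO_VPN))
```

The first trace shows why tcpdump sees FTPSVR's reply leave correctly yet the client never receives it: FTPSVR hands it to its default gateway, and the Snapgear has no entry for 10.0.8.0/24, so it forwards it upstream. Adding the static route on the firewall (second trace) fixes that, which is the answer given above; it also means the firewall is trusting 192.168.0.118 as the gateway for that subnet and LAN hosts see VPN clients by their 10.0.8.x addresses. The NAT alternative (third trace) needs no change on the firewall because FTPSVR replies to a directly connected address; on OpenBSD 5.1 that is a pf `match out on <lan_if> from 10.0.8.0/24 nat-to 192.168.0.118` rule, with `<lan_if>` being a placeholder for the server's LAN interface. The cost is that every VPN client appears to LAN hosts as 192.168.0.118, so per-client attribution in FTPSVR's logs is lost unless you keep the OpenVPN server's own connection logs.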