Dear all, I am setting up OpenVPN (open source) on an EC2 instance in AWS.
My goal is the following: road warriors only gain access to my private instances (172.16.10.0/24, 172.16.20.0/24, 172.16.30.0/24) through the OpenVPN connection.

Problem: road warriors cannot reach anything but the server that OpenVPN runs on.

Note: this instance does not act as a gateway for the other instances. It is just another instance among many on the same subnet.

Road warriors can:
- ssh to 172.16.40.1 (which is the tun0 IP)
- ping 172.16.10.181 (which is the eth0 IP, on this very server)
- use 172.16.40.1 as a DNS server

Road warriors cannot:
- reach anything on 172.16.0.0/16
- reach anything on 0.0.0.0/0

Here is a tcpdump taken on the server while a road warrior is trying to connect to 172.16.10.173:

  tcpdump -vvv -n dst host 172.16.10.173
  tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
  19:51:58.695705 IP (tos 0x10, ttl 63, id 42479, offset 0, flags [DF], proto TCP (6), length 60)
      172.16.40.6.39105 > 172.16.10.173.22: Flags [S], cksum 0x633b (correct), seq 622945101, win 29200, options [mss 1366,sackOK,TS val 5686946 ecr 0,nop,wscale 7], length 0
  19:51:59.690072 IP (tos 0x10, ttl 63, id 42480, offset 0, flags [DF], proto TCP (6), length 60)
      172.16.40.6.39105 > 172.16.10.173.22: Flags [S], cksum 0x6241 (correct), seq 622945101, win 29200, options [mss 1366,sackOK,TS val 5687196 ecr 0,nop,wscale 7], length 0
  19:52:01.693818 IP (tos 0x10, ttl 63, id 42481, offset 0, flags [DF], proto TCP (6), length 60)
      172.16.40.6.39105 > 172.16.10.173.22: Flags [S], cksum 0x604c (correct), seq 622945101, win 29200, options [mss 1366,sackOK,TS val 5687697 ecr 0,nop,wscale 7], length 0
  19:52:03.710977 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.10.173 tell 172.16.10.181, length 28
  19:52:05.712328 IP (tos 0x10, ttl 63, id 42482, offset 0, flags [DF], proto TCP (6), length 60)
      172.16.40.6.39105 > 172.16.10.173.22: Flags [S], cksum 0x5c61 (correct), seq 622945101, win 29200, options [mss 1366,sackOK,TS val 5688700 ecr 0,nop,wscale 7], length 0
  19:52:13.721456 IP (tos 0x10, ttl 63, id 42483, offset 0, flags [DF], proto TCP (6), length 60)
      172.16.40.6.39105 > 172.16.10.173.22: Flags [S], cksum 0x548d (correct), seq 622945101, win 29200, options [mss 1366,sackOK,TS val 5690704 ecr 0,nop,wscale 7], length 0
  19:52:29.753903 IP (tos 0x10, ttl 63, id 42484, offset 0, flags [DF], proto TCP (6), length 60)
      172.16.40.6.39105 > 172.16.10.173.22: Flags [S], cksum 0x44e5 (correct), seq 622945101, win 29200, options [mss 1366,sackOK,TS val 5694712 ecr 0,nop,wscale 7], length 0
  19:52:34.766954 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.10.173 tell 172.16.10.181, length 28
  19:53:01.787747 IP (tos 0x10, ttl 63, id 42485, offset 0, flags [DF], proto TCP (6), length 60)
      172.16.40.6.39105 > 172.16.10.173.22: Flags [S], cksum 0x259d (correct), seq 622945101, win 29200, options [mss 1366,sackOK,TS val 5702720 ecr 0,nop,wscale 7], length 0
  19:53:06.798946 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.10.173 tell 172.16.10.181, length 28

Here is my server.conf:

  ;local a.b.c.d
  port 443
  proto tcp
  dev tun
  ca ca.crt
  cert server.crt
  key server.key  # This file should be kept secret
  dh dh2048.pem
  server 172.16.40.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  push "route 172.16.10.0 255.255.255.0"
  push "route 172.16.20.0 255.255.255.0"
  push "route 172.16.30.0 255.255.255.0"
  #testing
  push "route 4.2.2.0 255.255.255.0"
  push "dhcp-option DNS 172.16.40.1"
  keepalive 10 120
  cipher BF-CBC         # Blowfish (default)
  ;cipher AES-128-CBC   # AES
  ;cipher DES-EDE3-CBC  # Triple-DES
  comp-lzo
  max-clients 10
  user nobody
  group nogroup
  persist-key
  persist-tun
  status /var/log/openvpn-status.log
  log-append /var/log/openvpn.log
  verb 9
  mute 20
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
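One check a practitioner would run on the OpenVPN host in this situation, as an added example that is not from the poster or the OpenVPN project: it verifies the two things a Linux host that is not the LAN gateway needs in order to forward tun0 clients to the eth0 subnet and get the replies back (IP forwarding plus source NAT), assuming Linux with iptables and the interface and subnet names used in the post.

```shell
#!/bin/sh
# Added example: prerequisites for forwarding OpenVPN clients (172.16.40.0/24 on tun0)
# to the LAN behind eth0 when this host is NOT the LAN's default gateway.
# Assumptions: Linux, iptables, and the interface/subnet names from the post.
VPN_NET="172.16.40.0/24"
LAN_IF="eth0"

# check_forwarding IP_FORWARD NAT_RULES
#   $1: contents of /proc/sys/net/ipv4/ip_forward ("0" or "1")
#   $2: output of `iptables -t nat -S POSTROUTING`
# Prints what is missing and returns 0 only when both prerequisites are present.
check_forwarding() {
    ok=0
    if [ "$1" != "1" ]; then
        echo "ip_forward is off: sysctl -w net.ipv4.ip_forward=1"
        ok=1
    fi
    # In the post's capture the SYNs leave eth0 with ttl 63, i.e. they were already
    # forwarded from tun0; what is missing is the return path. LAN hosts answer
    # 172.16.40.x via their own default gateway, which knows nothing about this
    # instance, so the reply never comes back unless the VPN traffic is source-NATed
    # to this host's eth0 address (or the VPC route table and the instance's
    # source/destination check are changed instead).
    if ! printf '%s\n' "$2" | grep -q -- "-s $VPN_NET .*-o $LAN_IF .*-j MASQUERADE"; then
        echo "no NAT for $VPN_NET out $LAN_IF:" \
             "iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE"
        ok=1
    fi
    return $ok
}

# Live check on the real host (run as root):
# check_forwarding "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables -t nat -S POSTROUTING)"
```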