On Fri, 20 Oct 2023 15:35:30 -0400, Bo Berglund <bo.bergl...@gmail.com> wrote:
>On Thu, 19 Oct 2023 18:11:48 -0400, Bo Berglund <bo.bergl...@gmail.com> wrote:
>
>>I.e. is it enough to remove the route into the local LAN for this to be
>>blocked
>>and only allowing web access forwarding?
>
>So today I tried this:
>
>
>topology subnet
>server 10.13.149.0 255.255.255.0 'nopool'
>multihome #Operate on both eth0 and wlan0
>ifconfig-pool 10.13.149.2 10.13.149.127 255.255.255.0
>ifconfig-pool-persist ipp_webonly.txt #Clients keep their IP via this
>#push "route 10.0.1.0 255.255.255.0" #Gives access to local LAN
>push "redirect-gateway def1 bypass-dhcp" #client access Internet via vpn
>push "dhcp-option DNS 208.67.222.222" #Public DNS server
>push "dhcp-option DNS 208.67.220.220" #Public DNS server
>
>This is the same as the server where I reach the web through vpn and also the
>vpn server's LAN via the tunnel.
>
>The only differences:
>1) push "route... line **commented out**
>2) ifconfig is set to a different subnet than the other service uses
>
>The new service runs on a different port so I changed the port number in a copy
>of the ovpn file for full web/LAN access to get the ovpn file for the web only
>case.
>
>But it did not work...
>I could connect successfully but when I tried to reach an Internet resource
>from my phone after connecting it timed out.
>
>So now the client cannot reach the internet at all, which is strange given that
>the route line I always thought would control the connection to the local LAN
>rather than to the Internet...
>
>What have I missed?
>
>The log seems to show a successful connection but then it spits out this
>afterwards:
>
>BosseAtJenny/90.***:3626 PUSH: Received control message: 'PUSH_REQUEST'
>BosseAtJenny/90.***:3626 MULTI: bad source address from client [100.85.129.161], packet dropped
>BosseAtJenny/90.***:3626 MULTI: bad source address from client [100.85.129.161], packet dropped
>
>
>This is strange to me but it does also appear when I connect successfully to
>the
>web+LAN service, so it might be something always present whatever it is.

Forgot to say that I added the rule for this server so iptables-save reports:

*nat
:PREROUTING ACCEPT [49428:11412761]
:INPUT ACCEPT [49214:11396939]
:OUTPUT ACCEPT [2047:130347]
:POSTROUTING ACCEPT [2047:130347]
-A POSTROUTING -s 10.13.143.0/24 -j MASQUERADE
-A POSTROUTING -s 10.13.149.0/24 -j MASQUERADE

Which I assumed was needed in order to make the routing out onto the web happen.
143 is for web+lan (working) and 149 for webonly (failing)

--
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
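The following script is an added example and is not part of Bo's post or of OpenVPN itself. It runs offline the checks that the post is relying on for "web only" clients to get out to the Internet: that the `server` line's client pool is covered by a POSTROUTING MASQUERADE rule, that IPv4 forwarding is on, and which addresses the server is refusing in the "MULTI: bad source address from client" lines. That message means OpenVPN received a tunnel packet from the client whose source IP is neither the address it assigned to that client nor an address an `iroute` maps to it, so it drops the packet; the script shows that 100.85.129.161 is outside the 10.13.149.0/24 pool. The sample config, NAT table and log lines are constructed from what the post quotes, and the function names (`pool_subnet`, `has_masquerade`, `bad_source_addrs`, `in_subnet`, `ip_forward_enabled`) are this example's own. It only reports whether each prerequisite is present; it does not diagnose the timeout.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenVPN): offline checks
# on the prerequisites for routing OpenVPN clients out to the Internet.
# Every input below is constructed from the text quoted in the post.

# Constructed: the web-only server config from the post (relevant lines only).
SAMPLE_CONF='topology subnet
server 10.13.149.0 255.255.255.0 nopool
ifconfig-pool 10.13.149.2 10.13.149.127 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"'

# Constructed: the `iptables-save` NAT table the post shows.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [49428:11412761]
:POSTROUTING ACCEPT [2047:130347]
-A POSTROUTING -s 10.13.143.0/24 -j MASQUERADE
-A POSTROUTING -s 10.13.149.0/24 -j MASQUERADE
COMMIT'

# Constructed: the server log lines the post quotes, one message per line.
SAMPLE_LOG="BosseAtJenny/90.***:3626 PUSH: Received control message: 'PUSH_REQUEST'
BosseAtJenny/90.***:3626 MULTI: bad source address from client [100.85.129.161], packet dropped
BosseAtJenny/90.***:3626 MULTI: bad source address from client [100.85.129.161], packet dropped"

# mask_to_prefix 255.255.255.0 -> 24 (counts the set bits of a dotted netmask)
mask_to_prefix() {
    printf '%s\n' "$1" | awk -F. '{
        n = 0
        for (i = 1; i <= 4; i++) { o = $i; while (o > 0) { n += o % 2; o = int(o / 2) } }
        print n }'
}

# pool_subnet CONFIG_TEXT -> "net/prefix" from the `server NET MASK` line
pool_subnet() {
    set -- $(printf '%s\n' "$1" | awk '$1 == "server" { print $2, $3; exit }')
    [ $# -ge 2 ] || return 1
    printf '%s/%s\n' "$1" "$(mask_to_prefix "$2")"
}

# has_masquerade SUBNET NAT_TEXT -> success if POSTROUTING masquerades SUBNET
has_masquerade() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == "-A" && $2 == "POSTROUTING" && $3 == "-s" && $4 == want &&
        $(NF-1) == "-j" && $NF == "MASQUERADE" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# bad_source_addrs LOG_TEXT -> unique addresses OpenVPN refused as a packet
# source: the client sent a packet whose source IP is not the address the
# server assigned to it (and no iroute covers it), so the packet was dropped.
bad_source_addrs() {
    printf '%s\n' "$1" | sed -n 's/.*bad source address from client \[\([^]]*\)\].*/\1/p' | sort -u
}

# in_subnet ADDR NET/PREFIX -> success if the IPv4 address lies in the subnet
in_subnet() {
    awk -v addr="$1" -v cidr="$2" '
        function toint(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        BEGIN { split(cidr, c, "/"); bits = 32 - c[2]
                same = (int(toint(addr) / 2^bits) == int(toint(c[1]) / 2^bits))
                exit same ? 0 : 1 }'
}

# ip_forward_enabled [FILE] -> success if the sysctl file (default: the live
# one) holds 1; a FILE argument lets the check run against a sample.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]
}

# report: run every check against the constructed samples
report() {
    pool=$(pool_subnet "$SAMPLE_CONF") || { echo "no server line in config"; return 1; }
    echo "client pool: $pool"
    if has_masquerade "$pool" "$SAMPLE_NAT"; then
        echo "POSTROUTING MASQUERADE rule present for $pool"
    else
        echo "no POSTROUTING MASQUERADE rule for $pool"
    fi
    for a in $(bad_source_addrs "$SAMPLE_LOG"); do
        if in_subnet "$a" "$pool"; then
            echo "$a: rejected source inside the pool"
        else
            echo "$a: rejected source, outside $pool"
        fi
    done
    ip_forward_enabled && echo "ip_forward=1 on this host" || echo "ip_forward not enabled on this host"
}

report
```

On a real server, replace the three constructed samples with the output of `cat server.conf`, `iptables-save -t nat` and the OpenVPN log; the functions take the text as arguments, so `has_masquerade "$(pool_subnet "$(cat server.conf)")" "$(iptables-save -t nat)"` is the live form of the rule check.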