openvpn routing
Hi all :-) This FreeBSD server is an internal LAN server, IP 192.168.1.254. 192.168.1.212 is the gateway to the internet. I've an easy config:

Destination        Gateway            Flags    Refs     Use  Netif Expire
default            192.168.1.212      UGS         0   31807    em0
10.20.10.0/24      10.20.10.2         UGS         0       0   tun0
10.20.10.1         link#5             UHS         0       0    lo0
10.20.10.2         link#5             UH          0       0   tun0
127.0.0.1          link#4             UH          0    3478    lo0
192.168.1.0/24     link#2             U           0   46116    em0
192.168.1.254      link#2             UHS         0       0    lo0

ifconfig:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        [...]
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.20.10.1 --> 10.20.10.2 netmask 0x

Problem is: 10.20.10.2 is a gateway? Why? On clients I've this error:

OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Tue Jul 16 19:28:30 2013 us=860975 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.20.10.0
Tue Jul 16 19:28:30 2013 us=861091 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options

openvpn server config:

port XXX
proto udp
dev tun
;dev-node tap0
ca /usr/local/etc/openvpn/XX.crt
cert /usr/local/etc/openvpn/XX.crt
key /usr/local/etc/openvpn/XX.key
dh /usr/local/etc/openvpn/dh2048.pem
server 10.20.10.0 255.255.255.0
push "route 10.20.10.0 255.255.255.0"
ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt 0
;duplicate-cn
keepalive 10 120
;cipher BF-CBC        # Blowfish (default)
;cipher AES-256-CBC   # AES
cipher DES-EDE3-CBC   # Triple-DES
comp-lzo
user nobody
group nobody
persist-key
persist-tun
;status /var/log/openvpn-status.log
;log-append /var/log/openvpn.log
verb 10
mute 20
client-to-client
client-config-dir ccd
route 10.20.10.1 255.255.255.0
ping-restart 0
tls-auth /usr/local/etc/openvpn/ta.key 0
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login
#tmp-dir /dev/shm

Almost the same config runs on a Linux OpenVPN server. It's the server that creates the correct route. But on FreeBSD I've got 10.20.10.2 as the automatic gw.

Any idea?

thanks!
Pol
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: openvpn routing
> This FreeBSD server is an internal LAN server, IP 192.168.1.254. 192.168.1.212 is the gateway to the internet.
> [...]

tap --> tun solved :-)

Pol
Re: OpenVPN routing
On Wednesday 27 of April 2011 01:15:09, Ryan Coleman wrote:
> Maciej,
>
> Here you go:
>
> Ryan-Colemans-MacBook-Pro:~ ryanjcole$ netstat -rn
> Routing tables
>
> Internet:
> Destination        Gateway            Flags        Refs      Use   Netif Expire
> default            10.0.1.1           UGSc           61        0     en1
> 10.0.1/24          link#5             UCS             3        0     en1
> 10.0.1.1           0:23:12:f7:37:cc   UHLWI          89     1268     en1   1142
> 10.0.1.2           0:14:d1:1f:79:1b   UHLWI           0      837     en1    183
> 10.0.1.198         127.0.0.1          UHS             0        0     lo0
> 10.0.1.255         ff:ff:ff:ff:ff:ff  UHLWbI          0        6     en1
> 127                127.0.0.1          UCS             0        0     lo0
> 127.0.0.1          127.0.0.1          UH              2       75     lo0
> 169.254            link#5             UCS             0        0     en1
> 172.16.87/24       link#7             UC              1        0     vmnet1
> 172.16.87.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        3     vmnet1
> 192.168.46         192.168.47.2       UGSc            0        0     tap0
> 192.168.47         link#10            UC              1        0     tap0
> 192.168.47.2       link#10            UHLWI           1        0     tap0

And this is with tap interfaces - I think it won't work. Don't use bridge mode if you have two subnets of /24. I saw examples that it would work only if you make one subnet accessible to both: local network and vpn network. Change your configuration from bridged to routed or change your vpn addressing space. If you'll go the routed way you may try this:
http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed

--
Maciej Milewski
Re: OpenVPN routing
On Tuesday 26 of April 2011 04:38:29, Ryan Coleman wrote:
> Also:
>
> [root@nbserver1 /usr/home/ryanc]# ifconfig
> em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
>         ether 00:14:22:15:dc:65
>         inet 192.168.46.2 netmask 0xffffff00 broadcast 192.168.46.255
>         media: Ethernet autoselect (1000baseT <full-duplex>)
>         status: active
> tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=8<LINKSTATE>
>         ether 00:bd:7e:86:1d:00
>         inet 192.168.47.1 netmask 0xffffff00 broadcast 192.168.47.255
>         Opened by PID 10341
> bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         ether 46:e1:75:c6:a3:a7
>         inet 192.168.47.254 netmask 0xffffff00 broadcast 192.168.47.255
>         id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>         maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
>         root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>         member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>                 ifmaxaddr 0 port 5 priority 128 path cost 200
>         member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>                 ifmaxaddr 0 port 1 priority 128 path cost 2
>
> On Apr 25, 2011, at 9:36 PM, Ryan Coleman wrote:
>> I've got an OpenVPN connection working to my remote server, but I want to route the traffic to the local LAN. I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from the remote machine.
>>
>> Server.conf:
>> ...
>> server 192.168.47.0 255.255.255.0

From the man openvpn(8):
Don't use --server if you are ethernet bridging. Use --server-bridge instead.

And additionally bridging means that you have to divide your local subnet (192.168.46.0/24) into two parts. Please have a look for the example at [1].
You may even not need bridging if you want to use two subnets of /24. Have you tried with the standard setup (server) and configuring your default gateway (I suspect 192.168.46.1) with the routing information about the openvpn subnet 192.168.47.0/24?

[1] http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html

Maciej Milewski
Re: OpenVPN routing
On Mon, Apr 25, 2011 at 10:36 PM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:
> I've got an OpenVPN connection working to my remote server, but I want to route the traffic to the local LAN. I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from the remote machine.
>
> Server.conf:
>
> local 192.168.46.2
> port 1194
> proto udp
> dev tap
> ca keys/cacert.pem
> cert keys/server.crt
> key keys/server.key  # This file should be kept secret
> dh keys/dh1024.pem   # Don't put this in the keys directory unless user nobody can read it
> crl-verify keys/crl.pem
> #Make sure this is your tunnel address pool
> server 192.168.47.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> #This is the route to push to the client, add more if necessary
> #push "route 192.168.46.254 255.255.255.0"
> push "route 192.168.47.0 255.255.255.0"
> push "dhcp-option DNS 192.168.45.10"
> keepalive 10 120
> cipher BF-CBC  #Blowfish encryption
> comp-lzo
> #fragment
> user nobody
> group nobody
> persist-key
> persist-tun
> status openvpn-status.log
> verb 6
> mute 5
>
> client.conf:
>
> #Begin client.conf
> client
> dev tap
> proto udp
> remote sub.domain.ltd 1194
> nobind
> user nobody
> group nobody
> persist-key
> persist-tun
> #crl-verify
> #remote-cert-tls server
> ca keys/cacert.pem
> cert keys/ryanc.crt
> key keys/ryanc.key
> cipher BF-CBC
> comp-lzo
> verb 3
> mute 20
>
> Any ideas? As I said, I can talk to the remote server, but not the local LAN. To throw a new curveball in the mix, I'd like to talk to 192.168.45.0/24 - which we have another VPN connecting the two networks (not running on a VPN I can do much with).
>
> Thanks,
> Ryan

Do you have packet forwarding (routing/gateway) enabled? An all-important, yet sometimes forgotten step... check if:

sysctl net.inet.ip.forwarding

returns 1 for enabled or not.
You can enable it right away by setting it to 1, and/or view the instructions in the handbook for greater detail, including how to set it as a startup option as well:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

--
Nathan Vidican
nat...@vidican.com
Re: OpenVPN routing
On Apr 26, 2011, at 8:32 AM, Nathan Vidican wrote:
> On Mon, Apr 25, 2011 at 10:36 PM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:
>> I've got an OpenVPN connection working to my remote server, but I want to route the traffic to the local LAN. I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from the remote machine.
>>
>> [...]
>>
>> Any ideas? As I said, I can talk to the remote server, but not the local LAN. To throw a new curveball in the mix, I'd like to talk to 192.168.45.0/24 - which we have another VPN connecting the two networks (not running on a VPN I can do much with).
>
> Do you have packet forwarding (routing/gateway) enabled? An all-important, yet sometimes forgotten step... check if:
>
> sysctl net.inet.ip.forwarding
>
> returns 1 for enabled or not.
> You can enable it right away by setting it to 1, and/or view the instructions in the handbook for greater detail, including how to set it as a startup option as well:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

Yes, it is enabled.

And Maciej, I had server-bridge running before and it wasn't routing ICMP, nor anything else.

I have ipnat enabled - as was recommended by one guide - and am routing everything from 192.168.47.0/24 to 0.0.0.0/32 (I'm not well versed in this specific area but that seems like it should be 0/0, right?)

Relevant rc.conf:

defaultrouter="192.168.46.254"
hostname="nbserver1.allstatecom.local"
ifconfig_em0="inet 192.168.46.2 netmask 255.255.255.0"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
gateway_enable="YES"
ipnat_enable="YES"

Thanks again,
Ryan
Re: OpenVPN routing
On Tue, Apr 26, 2011 at 8:45 AM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:
> On Apr 26, 2011, at 8:32 AM, Nathan Vidican wrote:
>> On Mon, Apr 25, 2011 at 10:36 PM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:
>>> I've got an OpenVPN connection working to my remote server, but I want to route the traffic to the local LAN. I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from the remote machine.
>>>
>>> [...]
>>
>> Do you have packet forwarding (routing/gateway) enabled? An all-important, yet sometimes forgotten step... check if:
>>
>> sysctl net.inet.ip.forwarding
>>
>> returns 1 for enabled or not.
>> [...]
>
> Yes, it is enabled.
>
> And Maciej, I had server-bridge running before and it wasn't routing ICMP, nor anything else.
>
> I have ipnat enabled - as was recommended by one guide - and am routing everything from 192.168.47.0/24 to 0.0.0.0/32 (I'm not well versed in this specific area but that seems like it should be 0/0, right?)
>
> Relevant rc.conf:
>
> defaultrouter="192.168.46.254"
> hostname="nbserver1.allstatecom.local"
> ifconfig_em0="inet 192.168.46.2 netmask 255.255.255.0"
> openvpn_enable="YES"
> openvpn_configfile="/usr/local/etc/openvpn/server.conf"
> gateway_enable="YES"
> ipnat_enable="YES"
>
> Thanks again,
> Ryan

If you need to route LAN - TO - LAN just enable the client-to-client. It's a Security Feature of OpenVPN
http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing

--
Still Going Strong!!!
Re: OpenVPN routing
On Tuesday 26 of April 2011 15:45:22, Ryan Coleman wrote:
> I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from the remote machine.
> ...
> push "route 192.168.47.0 255.255.255.0"

Have you tried adding the route to the 192.168.46.0/24 subnet into the vpn client? You want to ping the host/interface on a different subnet. If you don't set the routing to this subnet, how should your client know that he needs to put that packet through the tap interface, not the default route, which I suspect is different?
Can you show the output of netstat -rn of the vpn client? You may try to look into tcpdump on the vpn router to find what is going on with your packets.
And for such a scenario like vpnclient-vpnserver-network you may even not need nat; simple routing will be enough as long as you set it up right. My setup is based on tun interfaces and works like a charm. I don't use nat and I only added routing info to the specific routers in the internal networks.

Maciej Milewski
Re: OpenVPN routing
On Apr 26, 2011, at 9:53 AM, Maciej Milewski wrote:
> On Tuesday 26 of April 2011 15:45:22, Ryan Coleman wrote:
>> I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from the remote machine.
>> ...
>> push "route 192.168.47.0 255.255.255.0"
>
> Have you tried adding the route to the 192.168.46.0/24 subnet into the vpn client? You want to ping the host/interface on a different subnet. If you don't set the routing to this subnet, how should your client know that he needs to put that packet through the tap interface, not the default route, which I suspect is different?
> Can you show the output of netstat -rn of the vpn client? You may try to look into tcpdump on the vpn router to find what is going on with your packets.
> And for such a scenario like vpnclient-vpnserver-network you may even not need nat; simple routing will be enough as long as you set it up right. My setup is based on tun interfaces and works like a charm. I don't use nat and I only added routing info to the specific routers in the internal networks.
>
> Maciej Milewski

I'm going to have to get this information when I get home and am not on the office LAN. I can do ping tests specifically through the tap0 interface but not check the netstat report properly from inside the network.

--
Ryan
Re: OpenVPN routing
On Apr 26, 2011, at 3:50 PM, Ryan Coleman wrote:
> On Apr 26, 2011, at 9:53 AM, Maciej Milewski wrote:
>> On Tuesday 26 of April 2011 15:45:22, Ryan Coleman wrote:
>>> I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from the remote machine.
>>> ...
>>> push "route 192.168.47.0 255.255.255.0"
>>
>> Have you tried adding the route to the 192.168.46.0/24 subnet into the vpn client? [...] Can you show the output of netstat -rn of the vpn client? [...]
>>
>> Maciej Milewski
>
> I'm going to have to get this information when I get home and am not on the office LAN. I can do ping tests specifically through the tap0 interface but not check the netstat report properly from inside the network.

Maciej,

Here you go:

Ryan-Colemans-MacBook-Pro:~ ryanjcole$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.1.1           UGSc           61        0     en1
10.0.1/24          link#5             UCS             3        0     en1
10.0.1.1           0:23:12:f7:37:cc   UHLWI          89     1268     en1   1142
10.0.1.2           0:14:d1:1f:79:1b   UHLWI           0      837     en1    183
10.0.1.198         127.0.0.1          UHS             0        0     lo0
10.0.1.255         ff:ff:ff:ff:ff:ff  UHLWbI          0        6     en1
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              2       75     lo0
169.254            link#5             UCS             0        0     en1
172.16.87/24       link#7             UC              1        0     vmnet1
172.16.87.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        3     vmnet1
192.168.46         192.168.47.2       UGSc            0        0     tap0
192.168.47         link#10            UC              1        0     tap0
192.168.47.2       link#10            UHLWI           1        0     tap0

Internet6:
Destination                     Gateway                 Flags         Netif Expire
::1                             ::1                     UH              lo0
fe80::%lo0/64                   fe80::1%lo0             Uc              lo0
fe80::1%lo0                     link#1                  UHL             lo0
fe80::%en1/64                   link#5                  UC              en1
fe80::224:36ff:fea1:1d68%en1    0:24:36:a1:1d:68        UHLW            en1
fe80::9227:e4ff:fef8:b2fb%en1   90:27:e4:f8:b2:fb       UHL             lo0
ff01::/32                       ::1                     Um              lo0
ff02::/32                       ::1                     UmC             lo0
ff02::/32                       link#5                  UmC             en1

Ryan-Colemans-MacBook-Pro:~ ryanjcole$ ping 192.168.46.2
PING 192.168.46.2 (192.168.46.2): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
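Maciej asked for the client's netstat -rn to see whether a route to 192.168.46.0/24 exists at all. The following is an added example (not code from the thread or from OpenVPN): a Python parser for the BSD netstat -rn layout pasted above that performs the kernel's longest-prefix match, so one can confirm from a saved table which interface and next hop a destination would take. The sample table is transcribed from Ryan's output; the destination expansion handles netstat's abbreviated forms (127, 169.254, 192.168.46) as well as explicit prefixes, so it applies to any BSD routing table, not only this one.

```python
# Added example (not from the thread): parse BSD `netstat -rn` IPv4 output
# and answer "which interface/next hop would the kernel pick for host X?"
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed sample: IPv4 section of Ryan's macOS `netstat -rn` as posted.
NETSTAT_RN = """\
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.1.1           UGSc           61        0     en1
10.0.1/24          link#5             UCS             3        0     en1
10.0.1.1           0:23:12:f7:37:cc   UHLWI          89     1268     en1   1142
10.0.1.2           0:14:d1:1f:79:1b   UHLWI           0      837     en1    183
10.0.1.198         127.0.0.1          UHS             0        0     lo0
10.0.1.255         ff:ff:ff:ff:ff:ff  UHLWbI          0        6     en1
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              2       75     lo0
169.254            link#5             UCS             0        0     en1
172.16.87/24       link#7             UC              1        0     vmnet1
172.16.87.255      ff:ff:ff:ff:ff:ff  UHLWbI          0        3     vmnet1
192.168.46         192.168.47.2       UGSc            0        0     tap0
192.168.47         link#10            UC              1        0     tap0
192.168.47.2       link#10            UHLWI           1        0     tap0
"""


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: str   # next-hop IP, "link#N", or a MAC for cloned ARP entries
    flags: str
    netif: str

    @property
    def via_gateway(self) -> bool:
        # 'G': packets are handed to the gateway address; without it the
        # destination is directly reachable on netif.
        return "G" in self.flags


def expand_destination(field: str) -> ipaddress.IPv4Network:
    """Undo netstat's abbreviations: "127" is 127.0.0.0/8, "192.168.46" is
    192.168.46.0/24, "10.0.1/24" carries its own prefix, a full dotted quad
    without a prefix is a host route, and "default" is 0.0.0.0/0."""
    if field == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, plen = field.partition("/")
    octets = addr.split(".")
    prefix = int(plen) if plen else 8 * len(octets)   # octet-boundary rule
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{prefix}", strict=False)


def parse_netstat_rn(text: str) -> List[Route]:
    """Parse the IPv4 table; stops at the IPv6 section if one follows."""
    routes: List[Route] = []
    for line in text.splitlines():
        if line.startswith("Internet6:"):
            break
        parts = line.split()
        # Data rows start with "default" or a digit; headers do not.
        if len(parts) < 4 or not (parts[0] == "default" or parts[0][0].isdigit()):
            continue
        # After Flags come numeric Refs/Use, then Netif, then optional Expire.
        netif = next(t for t in parts[3:] if not t.isdigit())
        routes.append(Route(expand_destination(parts[0]), parts[1], parts[2], netif))
    return routes


def lookup(routes: List[Route], target: str) -> Optional[Route]:
    """Longest-prefix match, the same selection the kernel makes."""
    ip = ipaddress.IPv4Address(target)
    matches = [r for r in routes if ip in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen) if matches else None


def describe(routes: List[Route], target: str) -> str:
    r = lookup(routes, target)
    if r is None:
        return f"{target}: no route"
    how = f"via {r.gateway}" if r.via_gateway else "directly"
    return f"{target}: {how} on {r.netif} (matched {r.dest})"


if __name__ == "__main__":
    table = parse_netstat_rn(NETSTAT_RN)
    for host in ("192.168.46.2", "192.168.47.1", "10.0.1.1", "8.8.8.8"):
        print(describe(table, host))
```

On Ryan's table the lookup for 192.168.46.2 resolves to the 192.168.46/24 entry via 192.168.47.2 on tap0, so the client does hold the route Maciej asked about and the packet leaves through the tunnel; the place to look next is the server side and the return path.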
Re: OpenVPN routing
On Apr 26, 2011, at 9:07 AM, Diego Arias wrote:
> If you need to route LAN - TO - LAN just enable the client-to-client. It's a Security Feature of OpenVPN
> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing

I've done that and it had no effect :-\
OpenVPN routing
I've got an OpenVPN connection working to my remote server, but I want to route the traffic to the local LAN. I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from the remote machine.

Server.conf:

local 192.168.46.2
port 1194
proto udp
dev tap
ca keys/cacert.pem
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh keys/dh1024.pem   # Don't put this in the keys directory unless user nobody can read it
crl-verify keys/crl.pem
#Make sure this is your tunnel address pool
server 192.168.47.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#This is the route to push to the client, add more if necessary
#push "route 192.168.46.254 255.255.255.0"
push "route 192.168.47.0 255.255.255.0"
push "dhcp-option DNS 192.168.45.10"
keepalive 10 120
cipher BF-CBC  #Blowfish encryption
comp-lzo
#fragment
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 6
mute 5

client.conf:

#Begin client.conf
client
dev tap
proto udp
remote sub.domain.ltd 1194
nobind
user nobody
group nobody
persist-key
persist-tun
#crl-verify
#remote-cert-tls server
ca keys/cacert.pem
cert keys/ryanc.crt
key keys/ryanc.key
cipher BF-CBC
comp-lzo
verb 3
mute 20

Any ideas? As I said, I can talk to the remote server, but not the local LAN. To throw a new curveball in the mix, I'd like to talk to 192.168.45.0/24 - which we have another VPN connecting the two networks (not running on a VPN I can do much with).

Thanks,
Ryan
Re: OpenVPN routing
Also:

[root@nbserver1 /usr/home/ryanc]# ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=98<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:14:22:15:dc:65
        inet 192.168.46.2 netmask 0xffffff00 broadcast 192.168.46.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<LINKSTATE>
        ether 00:bd:7e:86:1d:00
        inet 192.168.47.1 netmask 0xffffff00 broadcast 192.168.47.255
        Opened by PID 10341
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 46:e1:75:c6:a3:a7
        inet 192.168.47.254 netmask 0xffffff00 broadcast 192.168.47.255
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 200
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 2

On Apr 25, 2011, at 9:36 PM, Ryan Coleman wrote:
> I've got an OpenVPN connection working to my remote server, but I want to route the traffic to the local LAN. I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from the remote machine.
>
> Server.conf:
> [...]
>
> client.conf:
> [...]
>
> Any ideas? As I said, I can talk to the remote server, but not the local LAN. To throw a new curveball in the mix, I'd like to talk to 192.168.45.0/24 - which we have another VPN connecting the two networks (not running on a VPN I can do much with).
>
> Thanks,
> Ryan
OpenVPN routing problems.
I'm trying to set up an OpenVPN tunnel, from a remote (Win XP) machine to my local network. I've got that working, except for one problem. When I start the OpenVPN server, my FreeBSD router/firewall/ipnat/OpenVPN machine stops routing packets to the outside world.

The machine is running 6.0-STABLE from about a week ago:

FreeBSD tor 6.0-STABLE FreeBSD 6.0-STABLE #1: Mon Nov 21 23:06:14 EST 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/TOR i386

though I built world before the new kernel, and it's a slow machine, so sources are at least 16 hours older than that.

It's a pretty uncomplicated network: the router has two NICs, rl0 is the real world, rl1 is the private network. Ipfilter has this rule set (10.10.10.169 is the (munged) public IP address, 172.21.172.0/24 is the private LAN, and 172.21.173.0/24 is the VPN subnet):

block in log first quick on rl0 from 192.168.0.0/16 to any
block in log first quick on rl0 from 172.16.0.0/12 to any
block in log first quick on rl0 from 127.0.0.0/8 to any
block in log first quick on rl0 from 0.0.0.0/8 to any
block in log first quick on rl0 from 169.254.0.0/16 to any
block in log first quick on rl0 from 192.0.2.0/24 to any
block in log first quick on rl0 from 204.152.64.0/23 to any
block in log first quick on rl0 from 224.0.0.0/3 to any
block in log first quick on rl0 from 10.0.0.0/8 to any
block in log first on rl0 from any to any
pass in quick on tun0
pass out quick on tun0
pass in quick on rl0 proto tcp from any to 10.10.10.169/32 port = 22 flags S keep state
pass in quick on rl0 proto udp from any to 10.10.10.169/32 port = 1194 keep state
pass out quick on rl0 proto tcp from 172.21.172.0/24 to any flags S keep state
pass out quick on rl0 proto udp from 172.21.172.0/24 to any keep state
pass out quick on rl0 proto icmp from 172.21.172.0/24 to any keep state
pass out quick on rl0 proto tcp from 10.10.10.169/32 to any flags keep state
pass out quick on rl0 proto udp from 10.10.10.169/32 to any keep state
pass out quick on rl0 proto icmp from 10.10.10.169/32 to any keep state

ipnat has one rule:

map rl0 172.21.172.0/24 -> 0/32 portmap tcp/udp auto

The output of netstat -rn before starting the OpenVPN server:

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.10.10.129       UGS         0     4399    rl0
127.0.0.1          127.0.0.1          UH          0       88    lo0
10.10.10.128/26    link#1             UC          0        0    rl0
10.10.10.129       00:09:e9:b5:2f:fc  UHLW        2        0    rl0   1160
172.21.172/24      link#2             UC          0        0    rl1
172.21.172.5       00:30:c1:0e:14:8f  UHLW        1        1    rl1    781
172.21.172.8       00:0d:88:c9:d2:99  UHLW        1      167    rl1    366
172.21.172.9       00:11:24:bc:d1:cd  UHLW        1      965    rl1    657
172.21.172.100     00:11:24:9f:2d:dd  UHLW        1     1245    rl1    705

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UH           lo0
fe80::%rl0/64                     link#1                        UC           rl0
fe80::211:95ff:fe1c:2992%rl0      00:11:95:1c:29:92             UHL          lo0
fe80::%rl1/64                     link#2                        UC           rl1
fe80::250:baff:fed1:8d6c%rl1      00:50:ba:d1:8d:6c             UHL          lo0
fe80::%lo0/64                     fe80::1%lo0                   U            lo0
fe80::1%lo0                       link#4                        UHL          lo0
ff01:1::/32                       link#1                        UC           rl0
ff01:2::/32                       link#2                        UC           rl1
ff01:4::/32                       ::1                           UC           lo0
ff02::%rl0/32                     link#1                        UC           rl0
ff02::%rl1/32                     link#2                        UC           rl1
ff02::%lo0/32                     ::1                           UC           lo0

The output of netstat -rn after starting OpenVPN:

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.10.10.129       UGS         0     6544    rl0
127.0.0.1          127.0.0.1          UH          0      128    lo0
10.10.10.128/26    link#1             UC          0        0    rl0
10.10.10.129       00:09:e9:b5:2f:fc  UHLW        2        0    rl0   1134
172.21.172/24      link#2             UC          0        0    rl1
172.21.172.5       00:30:c1:0e:14:8f  UHLW        1        1    rl1    199
172.21.172.8       00:0d:88:c9:d2:99  UHLW        1       75    rl1   1164
172.21.172.9       00:11:24:bc:d1:cd  UHLW        1      977    rl1     75
172.21.172.100     00:11:24:9f:2d:dd  UHLW        1     2145    rl1    123
172.21.173/24      172.21.173.2       UGS         0       57   tun0
172.21.173.2       172.21.173.1       UH