From: Ryan Coleman <ryan.coleman@cwis.biz>
To: Nathan Vidican
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: OpenVPN routing
Date: Tue, 26 Apr 2011 08:45:22 -0500
Message-Id: <6ABDD9A5-E75D-4998-8D49-C89B280F32D4@cwis.biz>
References: <6073BC9F-553D-41E2-AE42-341B61850EA7@cwis.biz>

On Apr 26, 2011, at 8:32 AM, Nathan Vidican wrote:

> On Mon, Apr 25, 2011 at 10:36 PM, Ryan Coleman wrote:
>>
>> I've got an OpenVPN connection working to my remote server, but I want to route the traffic to the local LAN.
>>
>> I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from the remote machine.
>>
>> Server.conf:
>> local 192.168.46.2
>> port 1194
>> proto udp
>> dev tap
>> ca keys/cacert.pem
>> cert keys/server.crt
>> key keys/server.key # This file should be kept secret
>> dh keys/dh1024.pem
>> # Don't put this in the keys directory unless user nobody can read it
>> crl-verify keys/crl.pem
>> #Make sure this is your tunnel address pool
>> server 192.168.47.0 255.255.255.0
>> ifconfig-pool-persist ipp.txt
>> #This is the route to push to the client, add more if necessary
>> #push "route 192.168.46.254 255.255.255.0"
>> push "route 192.168.47.0 255.255.255.0"
>> push "dhcp-option DNS 192.168.45.10"
>> keepalive 10 120
>> cipher BF-CBC #Blowfish encryption
>> comp-lzo
>> #fragment
>> user nobody
>> group nobody
>> persist-key
>> persist-tun
>> status openvpn-status.log
>> verb 6
>> mute 5
>>
>>
>> client.conf:
>> #Begin client.conf
>> client
>> dev tap
>> proto udp
>> remote sub.domain.ltd 1194
>> nobind
>> user nobody
>> group nobody
>> persist-key
>> persist-tun
>> #crl-verify
>> #remote-cert-tls server
>> ca keys/cacert.pem
>> cert keys/ryanc.crt
>> key keys/ryanc.key
>> cipher BF-CBC
>> comp-lzo
>> verb 3
>> mute 20
>>
>> Any ideas? As I said, I can talk to the remote server, but not the local LAN.
>>
>> To throw a new curveball in the mix, I'd like to talk to 192.168.45.0/24 - which we have another VPN connecting the two networks (not running on a VPN I can do much with).
>
>
> Do you have packet forwarding (routing/gateway) enabled? An
> all-important, yet sometimes forgotten step...
> Check if:
>
> sysctl net.inet.ip.forwarding
>
> returns 1 for enabled or not. You can enable it right away by setting
> it to 1, and/or view the instructions in the handbook for greater detail,
> including how to set it as a startup option as well:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

Yes, it is enabled.

And Maciej, I had server-bridge running before and it wasn't routing ICMP, nor anything else.

I have ipnat enabled - as was recommended by one guide - and am routing everything from 192.168.47.0/24 to 0.0.0.0/32 (I'm not well versed in this specific area, but that seems like it should be 0/0, right?)

Relevant rc.conf:
defaultrouter="192.168.46.254"
hostname="nbserver1.allstatecom.local"
ifconfig_em0="inet 192.168.46.2 netmask 255.255.255.0"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
gateway_enable="YES"
ipnat_enable="YES"

Thanks again,
Ryan
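An added routing check for the setup discussed in this thread (example code, not from the thread, OpenVPN or FreeBSD): with `dev tap` plus `server` (and no `server-bridge`) the tunnel is its own subnet and the OpenVPN host is a router between 192.168.47.0/24 and the LAN, so three things have to hold: forwarding is on, the client is pushed a route to the LAN, and the LAN has a way to answer (a return route to the tunnel subnet or NAT onto the server's address). The script parses trimmed copies of the posted server.conf and rc.conf and reports which of those are missing. `IPNAT_CONF` is an assumption, since ipnat.conf is never shown in the thread; `LAN` is taken from `ifconfig_em0`.

```python
"""Routing checks for a routed (non-bridged) OpenVPN 'dev tap' server on FreeBSD.

Added example for this thread, not code from the thread or from OpenVPN.
SERVER_CONF and RC_CONF are trimmed copies of what was posted; IPNAT_CONF is
an assumption, since the thread never shows ipnat.conf.
"""
import ipaddress
import re
import shlex

SERVER_CONF = """\
local 192.168.46.2
port 1194
proto udp
dev tap
server 192.168.47.0 255.255.255.0
#push "route 192.168.46.254 255.255.255.0"
push "route 192.168.47.0 255.255.255.0"
push "dhcp-option DNS 192.168.45.10"
"""

RC_CONF = """\
defaultrouter="192.168.46.254"
ifconfig_em0="inet 192.168.46.2 netmask 255.255.255.0"
gateway_enable="YES"
ipnat_enable="YES"
"""

# Assumed ipnat.conf (not on the page): NAT the tunnel subnet onto em0's own
# address.  In ipnat(5) syntax the target "0/32" (same as 0.0.0.0/32) means
# "use the address of the interface"; "0/0" is not that shorthand.
IPNAT_CONF = "map em0 192.168.47.0/24 -> 0/32\n"

LAN = ipaddress.ip_network("192.168.46.0/24")  # from ifconfig_em0 above


def parse_openvpn(text):
    """Return [(directive, [args])]; '#'/';' comments and blank lines are dropped,
    and a quoted push payload such as "route A M" is split into its own words."""
    out = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            words = shlex.split(line)
            if words[0] == "push" and len(words) == 2:
                words = ["push"] + words[1].split()
            out.append((words[0], words[1:]))
    return out


def parse_rc_conf(text):
    """Return {variable: value} for simple var="value" lines."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(\w+)="?([^"]*)"?\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def nat_target(ipnat_text, tunnel):
    """Return the '-> target' of the first ipnat map rule whose source covers
    the tunnel subnet, or None if no rule does."""
    for line in ipnat_text.splitlines():
        m = re.match(r"^\s*map\s+\S+\s+(\S+)\s*->\s*(\S+)", line)
        if m and tunnel.subnet_of(ipaddress.ip_network(m.group(1), strict=False)):
            return m.group(2)
    return None


def check_routing(server_conf, rc_conf, ipnat_conf, lan):
    """Return [(code, message)] findings for client -> tunnel -> LAN and the way back."""
    d = parse_openvpn(server_conf)
    rc = parse_rc_conf(rc_conf)
    dev = next((a[0] for k, a in d if k == "dev"), None)
    srv = next((a for k, a in d if k == "server"), None)
    if dev != "tap" or srv is None or any(k == "server-bridge" for k, _ in d):
        return [("NOT_ROUTED_TAP", "these checks assume 'dev tap' with 'server', not 'server-bridge'")]
    tunnel = ipaddress.ip_network(f"{srv[0]}/{srv[1]}")
    findings = [("ROUTED_TAP", f"clients get addresses in {tunnel}; the server must route between {tunnel} and {lan}")]
    if rc.get("gateway_enable", "").upper() != "YES":
        findings.append(("NO_FORWARDING", "gateway_enable is not YES: net.inet.ip.forwarding stays 0 at boot"))
    pushed = []
    for k, a in d:
        if k == "push" and a[:1] == ["route"] and len(a) >= 3:
            try:
                net = ipaddress.ip_network(f"{a[1]}/{a[2]}")  # strict: host bits set is an error
            except ValueError:
                findings.append(("BAD_ROUTE_NETWORK", f"push route {a[1]}/{a[2]}: {a[1]} is not the network address"))
                continue
            pushed.append(net)
            if net == tunnel:
                findings.append(("REDUNDANT_PUSH", f"push route {net} is the tunnel subnet itself; clients already have it"))
    if not any(lan.subnet_of(net) for net in pushed):
        findings.append(("LAN_NOT_PUSHED", f"no pushed route covers {lan}: clients have no route to the LAN"))
    target = nat_target(ipnat_conf, tunnel) if rc.get("ipnat_enable", "").upper() == "YES" else None
    local = next((a[0] for k, a in d if k == "local"), "the server")
    if target is None:
        findings.append(("NO_RETURN_PATH", f"no NAT for {tunnel}: LAN hosts (or {rc.get('defaultrouter', 'the gateway')}) need a route to {tunnel} via {local}"))
    elif target not in ("0/32", "0.0.0.0/32"):
        findings.append(("NAT_TARGET", f"ipnat target {target} is not the interface-address shorthand 0/32"))
    return findings


if __name__ == "__main__":
    for code, msg in check_routing(SERVER_CONF, RC_CONF, IPNAT_CONF, LAN):
        print(f"{code:18} {msg}")
```

On the posted configuration the script reports ROUTED_TAP, REDUNDANT_PUSH and LAN_NOT_PUSHED: the only pushed route is the tunnel subnet the client already sits in, and nothing tells the client how to reach 192.168.46.0/24, so `push "route 192.168.46.0 255.255.255.0"` is the line to add (note the network address, not .254). With the assumed ipnat rule mapping 192.168.47.0/24 to `0/32`, replies from LAN hosts come back to the server's own em0 address and no return route is needed; without NAT, 192.168.46.254 or each LAN host would need a route to 192.168.47.0/24 via 192.168.46.2. The script only reads rc.conf; the live value still comes from `sysctl net.inet.ip.forwarding` on the box.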