Date:      Mon, 11 Mar 2013 22:06:48 +0100
From:      "lokadamus@gmx.de" <lokadamus@gmx.de>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        Brent Clark <brentgclarklist@gmail.com>, freebsd-questions@freebsd.org
Subject:   Re: OpenVPN vm cant connect to other VM's
Message-ID:  <513E4768.7020309@gmx.de>
In-Reply-To: <CAHu1Y70NW+VQE_tC99J2rWv+f4m6en_Wqgo7v6+OEO_gcZBjaA@mail.gmail.com>
References:  <51371C8A.8050205@gmail.com> <CAHu1Y70NW+VQE_tC99J2rWv+f4m6en_Wqgo7v6+OEO_gcZBjaA@mail.gmail.com>

On 11.03.2013 20:13, Michael Sierchio wrote:
> Are you pushing routes in your server.conf file?
>
> (hint - show, don't tell)
>
> - M
>
> On Wed, Mar 6, 2013 at 2:38 AM, Brent Clark <brentgclarklist@gmail.com> wrote:
>> Hi guys
>>
>> I'm struggling with a FreeBSD VM that I use for a VPN connection
>> from my workstation to my home LAN, and I was wondering if someone
>> could peer review me and my problem.
>>
>> OpenVPN is working beautifully, i.e. I can connect to some services (apache
>> etc.) that I run directly on my FreeBSD / OpenVPN VM.
>>
>> What I'm now trying to achieve is to be able to connect to other VMs / machines
>> on my home LAN.
>>
>> I'm using tun for my VPN, and my pf.conf looks like so (please see the nat on
>> ...)
>>
>> [root@freebsd /usr/home/bclark]# cat  /etc/pf.conf
>> ext_if="re0"
>> vpn_if="tun0"
>> int_net="10.0.0.0/24"
>> vpn_net="192.168.200.0/24"
>> set skip on lo0
>> set optimization normal
>> #set block-policy drop
>> set limit { states 20000, frags 10000, src-nodes 20000 }
>> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
>> scrub in all
>> # Translation: specify how addresses are to be mapped or redirected.
>> # NAT rules
>> # enabling NAT currently breaks policy based routing
>> #nat on $ext_if from { $int_net, $vpn_net } to any -> ($ext_if)
>> #nat on tun0 from { 192.168.200.0/24 } to any -> (re0)
>> nat on re0 from { 192.168.200.0/24 } to any -> (re0)
>>
>> table <sshguard> persist
>> block in quick on re0 proto tcp from <sshguard> to any port ssh label "ssh brute"
>>
>> What am I missing?
>>
>> If anyone could assist, it would be appreciated.
>>
>> Kind Regards
>> Brent Clark
>>
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
For your own network, yes. You must route all of your traffic that is destined for
your other LAN / subnet.
Every VPN connection must be routed correctly, no matter which VPN is used.
Otherwise all of that traffic will get lost in the Internet traffic.

I connect some subnets with OpenVPN, and every subnet must be configured
with "ccd" (it is a subfolder containing a file named after the certificate name,
whose content is "iroute subnet", to tell OpenVPN that when client xyz is connected
the subnet is there) and in server.conf. Otherwise these subnets won't be routed correctly.
You can add this route manually through its OpenVPN gateway.

Show:
server.conf: look for "client-config-dir /usr/local/.../ccd" in
server.conf and insert your subnet:
route 192.168.x.x 255.255.255.0

Create a file named after the certificate under
"/usr/local/etc/openvpn/config/"your connect-name"/ccd/" and insert:
iroute 192.168.x.x 255.255.255.0
Look in /var/log/openvpn.log for the right certificate name.

Every time this certificate / client is connected, the subnet's traffic will be
routed through it.

Don't forget to restart openvpn. ;)
*Sorry, my English is not so good*
Regards
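The two routing situations touched on in this thread, written out as an added example (this is not code from the thread or from the OpenVPN project). Case 1 is Brent's: the LAN sits behind the OpenVPN server, so the server pushes a route to the clients and the VM must forward packets; the ccd/iroute mechanism is not involved. Case 2 is the setup lokadamus describes: a subnet behind a client, which needs a `route` in server.conf plus an `iroute` in that client's ccd file. The script writes server.conf, the ccd entry and a pf.conf with Brent's rules (wrapped lines joined) under `$ROOT`, so it can be dry-run under a temporary directory before being applied on the VM. Assumed, not from the thread: the port's /usr/local/etc/openvpn layout, a client certificate CN "laptop", and a subnet 192.168.50.0/24 behind that client.

```shell
#!/bin/sh
# Added example, not code from the thread. Run with ROOT=/tmp/dryrun first,
# then as root with ROOT= on the FreeBSD VM:  ROOT= sh setup-vpn-routes.sh apply
set -eu

LAN_NET=10.0.0.0;        LAN_MASK=255.255.255.0    # home LAN behind the VPN VM (from pf.conf)
VPN_NET=192.168.200.0;   VPN_MASK=255.255.255.0    # tun0 address pool (from pf.conf)
CLIENT_CN=laptop                                   # assumed certificate CN of one client
CLIENT_LAN=192.168.50.0; CLIENT_LAN_MASK=255.255.255.0   # assumed subnet behind that client

# Case 1 (subnet behind the server): "push route" makes every client send
# 10.0.0.0/24 into the tunnel. No ccd/iroute is needed for this.
# Case 2 (subnet behind a client): "route" installs the kernel route towards
# tun0, and the ccd file's "iroute" tells OpenVPN which client owns the subnet.
# Without both lines OpenVPN has nowhere to deliver packets for 192.168.50.0/24.
server_conf() {
    cat <<EOF
dev tun
server $VPN_NET $VPN_MASK
push "route $LAN_NET $LAN_MASK"
client-config-dir /usr/local/etc/openvpn/ccd
route $CLIENT_LAN $CLIENT_LAN_MASK
keepalive 10 60
EOF
}

ccd_entry() {   # $1 subnet, $2 mask; file name must equal the client's certificate CN
    printf 'iroute %s %s\n' "$1" "$2"
}

pf_conf() {     # Brent's rules with the wrapped lines joined and explicit passes added
    cat <<'EOF'
ext_if="re0"
vpn_if="tun0"
int_net="10.0.0.0/24"
vpn_net="192.168.200.0/24"
set skip on lo0
scrub in all
# VPN clients appear to the LAN (and the Internet) with re0's address,
# so LAN hosts need no return route for 192.168.200.0/24.
nat on $ext_if from $vpn_net to any -> ($ext_if)
table <sshguard> persist
block in quick on $ext_if proto tcp from <sshguard> to any port ssh label "ssh brute"
pass in on $vpn_if from $vpn_net to $int_net
pass out on $ext_if from $vpn_net to $int_net
EOF
}

enable_forwarding() {   # $1 root prefix; idempotent rc.conf edit, sysctl only on the live system
    rc="$1/etc/rc.conf"
    grep -qx 'gateway_enable="YES"' "$rc" 2>/dev/null || printf 'gateway_enable="YES"\n' >> "$rc"
    [ -n "$1" ] || sysctl net.inet.ip.forwarding=1
}

apply_config() {        # writes everything under ${ROOT:-} (empty = live system)
    root="${ROOT:-}"
    ovpn="$root/usr/local/etc/openvpn"
    mkdir -p "$ovpn/ccd" "$root/etc"
    server_conf > "$ovpn/server.conf"
    ccd_entry "$CLIENT_LAN" "$CLIENT_LAN_MASK" > "$ovpn/ccd/$CLIENT_CN"
    pf_conf > "$root/etc/pf.conf"
    enable_forwarding "$root"
}

check_ruleset() {       # syntax-check the generated pf.conf without loading it
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not available here, skipping ruleset check"
    fi
}

# After "apply" on the VM: service openvpn restart && pfctl -f /etc/pf.conf
case "${1:-}" in
    apply) apply_config && check_ruleset "${ROOT:-}/etc/pf.conf" ;;
esac
```

On the server side you can confirm the client route arrived with `route -n get 10.0.0.1` on a connected client, and confirm forwarding with `sysctl net.inet.ip.forwarding` on the VM; if forwarding is off, pings from a client to a LAN host show up on tun0 in `tcpdump -ni tun0` but never leave re0.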



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?513E4768.7020309>