Date:      Tue, 26 Apr 2011 08:45:22 -0500
From:      Ryan Coleman <ryan.coleman@cwis.biz>
To:        Nathan Vidican <nathan@vidican.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: OpenVPN routing
Message-ID:  <6ABDD9A5-E75D-4998-8D49-C89B280F32D4@cwis.biz>
In-Reply-To: <BANLkTikvQRGiFS+vRu4_tk3aOsFt7zubwA@mail.gmail.com>
References:  <6073BC9F-553D-41E2-AE42-341B61850EA7@cwis.biz> <BANLkTikvQRGiFS+vRu4_tk3aOsFt7zubwA@mail.gmail.com>


On Apr 26, 2011, at 8:32 AM, Nathan Vidican wrote:

> On Mon, Apr 25, 2011 at 10:36 PM, Ryan Coleman <ryan.coleman@cwis.biz> wrote:
>>
>> I've got an OpenVPN connection working to my remote server, but I want to route the traffic to the local LAN.
>>
>> I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from the remote machine.
>>
>> Server.conf:
>> local 192.168.46.2
>> port 1194
>> proto udp
>> dev tap
>> ca keys/cacert.pem
>> cert keys/server.crt
>> key keys/server.key # This file should be kept secret
>> dh keys/dh1024.pem
>> # Don't put this in the keys directory unless user nobody can read it
>> crl-verify keys/crl.pem
>> #Make sure this is your tunnel address pool
>> server 192.168.47.0 255.255.255.0
>> ifconfig-pool-persist ipp.txt
>> #This is the route to push to the client, add more if necessary
>> #push "route 192.168.46.254 255.255.255.0"
>> push "route 192.168.47.0 255.255.255.0"
>> push "dhcp-option DNS 192.168.45.10"
>> keepalive 10 120
>> cipher BF-CBC #Blowfish encryption
>> comp-lzo
>> #fragment
>> user nobody
>> group nobody
>> persist-key
>> persist-tun
>> status openvpn-status.log
>> verb 6
>> mute 5
>>
>>
>> client.conf:
>> #Begin client.conf
>> client
>> dev tap
>> proto udp
>> remote sub.domain.ltd 1194
>> nobind
>> user nobody
>> group nobody
>> persist-key
>> persist-tun
>> #crl-verify
>> #remote-cert-tls server
>> ca keys/cacert.pem
>> cert keys/ryanc.crt
>> key keys/ryanc.key
>> cipher BF-CBC
>> comp-lzo
>> verb 3
>> mute 20
>>
>> Any ideas?  As I said, I can talk to the remote server, but not the local LAN.
>>
>> To throw a new curveball in the mix, I'd like to talk to 192.168.45.0/24 - which we have another VPN connecting the two networks (not running on a VPN I can do much with).
>
>
> Do you have packet forwarding (routing /gateway) enabled? An
> all-important, yet sometimes forgotten step...
> check if:
>
>   sysctl net.inet.ip.forwarding
>
> returns 1 for enabled or not. You can enable it right away by setting
> to 1, and/or view the instructions in the handbook for greater detail
> including how to set as a startup option as well:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

Yes, it is enabled.

And Maciej, I had server-bridge running before and it wasn't routing ICMP, nor anything else.

I have ipnat enabled - as was recommended by one guide - and am routing everything from 192.168.47.0/24 to 0.0.0.0/32 (I'm not well versed on this specific area but that seems like it should be 0/0, right?)

Relevant rc.conf:
defaultrouter="192.168.46.254"
hostname="nbserver1.allstatecom.local"
ifconfig_em0="inet 192.168.46.2  netmask 255.255.255.0"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
gateway_enable="YES"
ipnat_enable="YES"

Thanks again,
Ryan
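The checks the thread walks through (is forwarding on, does the client get a route to the LAN, is the tap interface bridged or given its own subnet) can be scripted against the config files before touching the live host. The script below is an added example, not code from the thread or from OpenVPN; the embedded server.conf and rc.conf strings are constructed to mirror the ones Ryan posted (trimmed, quoted-printable escapes removed), and the interface name em0 and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: static sanity checks for a FreeBSD OpenVPN tap server.
# Sample configs are constructed to resemble the ones posted in the thread.

SERVER_CONF='local 192.168.46.2
port 1194
proto udp
dev tap
server 192.168.47.0 255.255.255.0
#push "route 192.168.46.254 255.255.255.0"
push "route 192.168.47.0 255.255.255.0"
push "dhcp-option DNS 192.168.45.10"'

RC_CONF='defaultrouter="192.168.46.254"
ifconfig_em0="inet 192.168.46.2  netmask 255.255.255.0"
openvpn_enable="YES"
gateway_enable="YES"
ipnat_enable="YES"'

# Dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if address $1 lies inside network $2 with netmask $3.
in_subnet() {
    ip=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(ip2int "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Print the "inet" address of interface $2 from rc.conf text $1.
rc_iface_addr() {
    printf '%s\n' "$1" | sed -n "s/^ifconfig_$2=\"inet \([0-9.]*\).*/\1/p"
}

# Exit 0 if rc.conf text $1 turns packet forwarding on at boot.
rc_gateway_enabled() {
    printf '%s\n' "$1" | grep -q '^gateway_enable="YES"'
}

# Exit 0 if a line of "sysctl net.inet.ip.forwarding" output shows 1.
forwarding_enabled_from_sysctl() {
    [ "${1##*: }" = 1 ]
}

# Print which OpenVPN mode server.conf text $1 uses: server, server-bridge, or none.
# With "dev tap", "server" allocates a separate tunnel subnet; "server-bridge"
# is the directive for a tap interface bridged onto the LAN.
server_mode() {
    printf '%s\n' "$1" | awk '/^server-bridge/ { print "server-bridge"; f=1; exit }
                              /^server /      { print "server"; f=1; exit }
                              END { if (!f) print "none" }'
}

# Exit 0 if an active (uncommented) push "route NET MASK" line in $1 covers address $2.
push_route_covers() {
    printf '%s\n' "$1" |
    sed -n 's/^push "route \([0-9.]*\) \([0-9.]*\)"/\1 \2/p' | {
        while read -r net mask; do
            if in_subnet "$2" "$net" "$mask"; then exit 0; fi
        done
        exit 1
    }
}

main() {
    lan=$(rc_iface_addr "$RC_CONF" em0)
    printf 'LAN address (em0): %s\n' "$lan"
    if rc_gateway_enabled "$RC_CONF"; then
        echo 'gateway_enable: YES'
    else
        echo 'gateway_enable: not set (net.inet.ip.forwarding will be 0 after boot)'
    fi
    printf 'OpenVPN mode: %s\n' "$(server_mode "$SERVER_CONF")"
    if push_route_covers "$SERVER_CONF" "$lan"; then
        echo 'pushed routes: a route covers the LAN'
    else
        echo 'pushed routes: none covers the LAN, so clients will not send LAN traffic into the tunnel'
    fi
}
main
```

Against the sample configs the report shows forwarding enabled, mode "server", and no pushed route covering 192.168.46.0/24: the only active push line names the tunnel pool itself. On the live host the same forwarding check is Nathan's `sysctl net.inet.ip.forwarding`, which the script only parses from text so that it runs offline. As an aside on the ipnat question, in an ipnat `map` rule the right-hand side `0/32` means "the address of the named interface", so it is the usual form rather than `0/0`.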
