Linux-Noob Forums
VPN Routing - Printable Version

VPN Routing - Ritter - 2006-07-20
Code:
# openvpn --version
OpenVPN 2.0.6 i686-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 21 2006
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>


The first node is also my firewall, it has the following interfaces:

eth0: 192.168.0.10

eth1: public address from dhcp

tun0: 192.168.201.1

 

Not sure if and how Gentoo differs here, but I have a single config file for the connection, which a symlinked init.d script calls with this config.

/etc/openvpn/kiosk.conf:



Code:
local 192.168.0.10
port 1194
proto udp
dev tun
ca ca.crt
cert lnx-iprovo1.crt
key lnx-iprovo1.key
dh dh2048.pem
server 192.168.201.0 255.255.255.0
client-config-dir ccd-kiosk
route 10.10.2.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
cipher DES-EDE3-CBC
comp-lzo
max-clients 3
user nobody
group nobody
persist-key
persist-tun
status status.log
log openvpn.log
verb 5
mute 20


A few rules to iptables make things play nice.

At first I ran these so I could see better what was happening with packets:



Code:
-A INPUT -i tun0 -j LOG --log-prefix "INPUT (tun0) " --log-level 6
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j LOG --log-prefix "FORWARD (tun0) " --log-level 6
-A FORWARD -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j LOG --log-prefix "OUTPUT (tun0) " --log-level 6
-A OUTPUT -o tun0 -j ACCEPT
-A PREROUTING -i tun0 -j LOG --log-prefix "PREROUTING (tun0) " --log-level 6
-A PREROUTING -i tun0 -j ACCEPT
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o tun0 -j SNAT --to-source 192.168.201.1


All that is needed:



Code:
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A PREROUTING -i tun0 -j ACCEPT
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o tun0 -j SNAT --to-source 192.168.201.1


I'm going to have to finish this later .. as I am putting this together I have realized my kiosk in the mall must have lost power and I can't connect to it. HAHA .. need to get a UPS in there.
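As an added example (not part of Ritter's post), a short Python check that parses the kiosk.conf directives above and verifies what the iptables rules depend on: that the server's tun address (what the SNAT --to-source must be) follows from the server directive, that the LAN, VPN and routed subnets do not overlap, and that the cipher is not a legacy 64-bit block cipher. The LAN prefix passed in and the legacy-cipher list are assumptions of this example.

```python
import ipaddress

# Constructed from the kiosk.conf posted above; only the directives the
# routing checks look at are reproduced here.
KIOSK_CONF = """\
local 192.168.0.10
server 192.168.201.0 255.255.255.0
route 10.10.2.0 255.255.255.0
cipher DES-EDE3-CBC
"""

# Assumed list: ciphers with a 64-bit block size, no longer recommended.
LEGACY_CIPHERS = {"DES-EDE3-CBC", "BF-CBC", "DES-CBC"}


def parse_conf(text):
    """Parse OpenVPN 'directive arg arg' lines into {directive: [[args], ...]}."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            cfg.setdefault(key, []).append(args)
    return cfg


def server_tun_address(cfg):
    """'server NET MASK' gives the server the first host address of NET."""
    net, mask = cfg["server"][0]
    return ipaddress.ip_interface(f"{net}/{mask}").network[1]


def check_routing(cfg, lan_cidr):
    """Return findings a firewall admin wants to see before loading rules."""
    findings = []
    nets = [ipaddress.ip_network(lan_cidr),
            ipaddress.ip_network("/".join(cfg["server"][0]))]
    for net, mask in cfg.get("route", []):
        nets.append(ipaddress.ip_network(f"{net}/{mask}"))
    for i, a in enumerate(nets):  # every pair of subnets must be disjoint
        for b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"overlap: {a} and {b}")
    for (cipher,) in cfg.get("cipher", []):
        if cipher in LEGACY_CIPHERS:
            findings.append(f"legacy 64-bit block cipher: {cipher}")
    return findings


def iptables_rules(cfg, lan_cidr, dev="tun0"):
    """The minimal rule set from the post, SNAT tied to the derived tun address."""
    tun_ip = server_tun_address(cfg)
    return [
        f"-A INPUT -i {dev} -j ACCEPT",
        f"-A FORWARD -i {dev} -j ACCEPT",
        f"-A OUTPUT -o {dev} -j ACCEPT",
        f"-A PREROUTING -i {dev} -j ACCEPT",
        f"-A POSTROUTING -s {lan_cidr} -o {dev} -j SNAT --to-source {tun_ip}",
    ]
```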




VPN Routing - znx - 2006-07-21

I wonder if I can lick some of your skill from you?



VPN Routing - Ritter - 2006-07-21

Quote: I wonder if I can lick some of your skill from you?

No you cannot, not that others haven't tried .. not to name any names (Flukex!)




VPN Routing - anyweb - 2006-07-22


Great to see you posting again, Ritter! Hope life is treating you well, mate.

 

cheers

anyweb