Ritter

VPN Routing

# openvpn --version
OpenVPN 2.0.6 i686-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 21 2006
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>

The first node is also my firewall, it has the following interfaces:

eth0: 192.168.0.10

eth1: public address from dhcp

tun0: 192.168.201.1

Not sure if and how gentoo differs here, but I have a single config file for the connection, which a symlinked init.d script calls.

/etc/openvpn/kiosk.conf:

local 192.168.0.10
port 1194
proto udp
dev tun
ca ca.crt
cert lnx-iprovo1.crt
key lnx-iprovo1.key
dh dh2048.pem
server 192.168.201.0 255.255.255.0
client-config-dir ccd-kiosk
route 10.10.2.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
cipher DES-EDE3-CBC
comp-lzo
max-clients 3
user nobody
group nobody
persist-key
persist-tun
status status.log
log openvpn.log
verb 5
mute 20

A few rules to iptables make things play nice.

At first I ran these so I could see better what was happening with packets:

-A INPUT -i tun0 -j LOG --log-prefix "INPUT (tun0) " --log-level 6
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j LOG --log-prefix "FORWARD (tun0) " --log-level 6
-A FORWARD -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j LOG --log-prefix "OUTPUT (tun0) " --log-level 6
-A OUTPUT -o tun0 -j ACCEPT
-A PREROUTING -i tun0 -j LOG --log-prefix "PREROUTING (tun0) " --log-level 6
-A PREROUTING -i tun0 -j ACCEPT
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o tun0 -j SNAT --to-source 192.168.201.1

All that is needed:

-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A PREROUTING -i tun0 -j ACCEPT
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o tun0 -j SNAT --to-source 192.168.201.1

I'm going to have to finish this later .. as I am putting this together I have realized my kiosk in the mall must have lost power and I can't connect to it. HAHA .. need to get a UPS in there.
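As an added example (not part of Ritter's post or of OpenVPN itself), the script below lints a server config like kiosk.conf for the routing and hardening points the post touches on: a `route` to a subnet behind a client is only half the job, since OpenVPN also needs a matching `iroute` in that client's client-config-dir file to know which client owns the subnet; the tunnel pool from `server` must not overlap any routed subnet; DES-EDE3-CBC is a 64-bit-block cipher that OpenVPN has since deprecated; and dropping to `user nobody` only survives restarts with `persist-key`/`persist-tun`. The sample config is a constructed copy of the one above, and the ccd contents passed in are assumed, since the post does not show them.

```python
"""Lint an OpenVPN 2.x server configuration for routing and hardening issues.

Added example, not code from the original post. The directives checked are
the ones that appear in the poster's kiosk.conf; SAMPLE_CONF below is a
constructed copy of it for testing.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: the poster's kiosk.conf, reproduced verbatim.
SAMPLE_CONF = """\
local 192.168.0.10
port 1194
proto udp
dev tun
ca ca.crt
cert lnx-iprovo1.crt
key lnx-iprovo1.key
dh dh2048.pem
server 192.168.201.0 255.255.255.0
client-config-dir ccd-kiosk
route 10.10.2.0 255.255.255.0
keepalive 10 120
tls-auth ta.key 0
cipher DES-EDE3-CBC
comp-lzo
max-clients 3
user nobody
group nobody
persist-key
persist-tun
status status.log
log openvpn.log
verb 5
mute 20
"""

# 64-bit block ciphers (DES, 3DES, Blowfish); deprecated in current OpenVPN.
WEAK_CIPHERS = {"DES-EDE3-CBC", "DES-CBC", "BF-CBC"}


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Return {directive: [args, ...]}; a directive may repeat (e.g. route)."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        # OpenVPN accepts both '#' and ';' as comment markers.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint(text: str, ccd_iroutes: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings.

    ccd_iroutes maps a client CN to the 'network netmask' strings found in
    its client-config-dir file. It is passed in (assumed/constructed) here;
    a real check would read the ccd directory named in the config."""
    conf = parse_conf(text)
    findings: List[str] = []

    # 1. Weak cipher.
    for args in conf.get("cipher", []):
        if args and args[0].upper() in WEAK_CIPHERS:
            findings.append(f"cipher {args[0]}: 64-bit block cipher, prefer an AES cipher")

    # 2. A server-side 'route' to a subnet behind a client needs a matching
    #    'iroute' in some ccd file; otherwise the kernel route exists but
    #    OpenVPN cannot map the subnet to a client.
    known_iroutes = {r for routes in ccd_iroutes.values() for r in routes}
    for args in conf.get("route", []):
        key = " ".join(args[:2])
        if key not in known_iroutes:
            findings.append(f"route {key}: no matching iroute in client-config-dir")

    # 3. Routed subnets must not overlap the tunnel pool given by 'server'.
    srv = conf.get("server", [[]])[0]
    if len(srv) >= 2:
        pool = ipaddress.ip_network(f"{srv[0]}/{srv[1]}", strict=False)
        for args in conf.get("route", []):
            if len(args) >= 2:
                net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
                if pool.overlaps(net):
                    findings.append(f"route {net} overlaps tunnel pool {pool}")

    # 4. Privilege drop without persist-key/persist-tun breaks SIGUSR1 restarts.
    if "user" in conf and ("persist-key" not in conf or "persist-tun" not in conf):
        findings.append("user/group set without persist-key and persist-tun")

    return findings


if __name__ == "__main__":
    # Assumed ccd-kiosk/<client-CN> content: "iroute 10.10.2.0 255.255.255.0"
    for finding in lint(SAMPLE_CONF, {"kiosk": ["10.10.2.0 255.255.255.0"]}):
        print("WARN:", finding)
```

Run against the sample with an empty ccd mapping it reports both the cipher and the missing iroute; once the ccd file for the kiosk client carries `iroute 10.10.2.0 255.255.255.0`, only the cipher finding remains.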

i wonder if i can lick some of your skill from you?

i wonder if i can lick some of your skill from you?

No you cannot, not that others haven't tried .. not to name any names (Flukex!)

great to see you posting again Ritter! hope life is treating you well mate

cheers

anyweb
