OpenVPN routing

Ryan Coleman ryan.coleman at cwis.biz
Tue Apr 26 13:45:40 UTC 2011


On Apr 26, 2011, at 8:32 AM, Nathan Vidican wrote:

> On Mon, Apr 25, 2011 at 10:36 PM, Ryan Coleman <ryan.coleman at cwis.biz> wrote:
>> 
>> I've got an OpenVPN connection working to my remote server, but I want to route the traffic to the local LAN.
>> 
>> I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from the remote machine.
>> 
>> Server.conf:
>> local 192.168.46.2
>> port 1194
>> proto udp
>> dev tap
>> ca keys/cacert.pem
>> cert keys/server.crt
>> key keys/server.key # This file should be kept secret
>> dh keys/dh1024.pem
>> # Don't put this in the keys directory unless user nobody can read it
>> crl-verify keys/crl.pem
>> #Make sure this is your tunnel address pool
>> server 192.168.47.0 255.255.255.0
>> ifconfig-pool-persist ipp.txt
>> #This is the route to push to the client, add more if necessary
>> #push "route 192.168.46.254 255.255.255.0"
>> push "route 192.168.47.0 255.255.255.0"
>> push "dhcp-option DNS 192.168.45.10"
>> keepalive 10 120
>> cipher BF-CBC #Blowfish encryption
>> comp-lzo
>> #fragment
>> user nobody
>> group nobody
>> persist-key
>> persist-tun
>> status openvpn-status.log
>> verb 6
>> mute 5
>> 
>> 
>> client.conf:
>> #Begin client.conf
>> client
>> dev tap
>> proto udp
>> remote sub.domain.ltd 1194
>> nobind
>> user nobody
>> group nobody
>> persist-key
>> persist-tun
>> #crl-verify
>> #remote-cert-tls server
>> ca keys/cacert.pem
>> cert keys/ryanc.crt
>> key keys/ryanc.key
>> cipher BF-CBC
>> comp-lzo
>> verb 3
>> mute 20
>> 
>> Any ideas?  As I said, I can talk to the remote server, but not the local LAN.
>> 
>> To throw a new curveball into the mix, I'd like to talk to 192.168.45.0/24, for which we have another VPN connecting the two networks (not running on a VPN I can do much with).
> 
> 
> Do you have packet forwarding (routing/gateway) enabled? An
> all-important, yet sometimes forgotten, step...
> Check whether:
> 
>   sysctl net.inet.ip.forwarding
> 
> returns 1 (enabled) or not. You can enable it right away by setting it
> to 1, and/or view the instructions in the handbook for greater detail,
> including how to set it as a startup option as well:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html

Yes, it is enabled.

And Maciej, I had server-bridge running before and it wasn't routing ICMP, nor anything else.

I have ipnat enabled - as was recommended by one guide - and am routing everything from 192.168.47.0/24 to 0.0.0.0/32 (I'm not well versed in this specific area, but that seems like it should be 0/0, right?)

Relevant rc.conf:
defaultrouter="192.168.46.254"
hostname="nbserver1.allstatecom.local"
ifconfig_em0="inet 192.168.46.2  netmask 255.255.255.0"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
gateway_enable="YES"
ipnat_enable="YES"

Thanks again,
Ryan
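A quick way to see why the LAN is unreachable is to check the routes the server actually pushes against the networks the client is supposed to reach. The script below is an added example for this thread, not code from the original post or from the OpenVPN project; it uses only the Python standard library (ipaddress, shlex). The embedded SERVER_CONF is constructed from the routing-relevant lines of the server.conf above, and WANTED_LANS is an assumption taken from the two networks named in the thread (192.168.46.0/24 behind em0/em1 and 192.168.45.0/24 behind the other VPN).

```python
"""Check the route pushes in an OpenVPN server.conf against the LANs that
clients are expected to reach.

Added example for this thread, not code from the original post. The config
text and the target LAN list are constructed from what was posted."""
import ipaddress
import shlex

# Constructed: the routing-relevant lines of the posted server.conf.
SERVER_CONF = """\
local 192.168.46.2
port 1194
proto udp
dev tap
server 192.168.47.0 255.255.255.0
#push "route 192.168.46.254 255.255.255.0"
push "route 192.168.47.0 255.255.255.0"
push "dhcp-option DNS 192.168.45.10"
"""

# Assumption: the networks the poster wants reachable through the tunnel.
WANTED_LANS = ["192.168.46.0/24", "192.168.45.0/24"]

# Constructed: the same config with both LAN routes pushed as network addresses.
FIXED_CONF = SERVER_CONF + (
    'push "route 192.168.46.0 255.255.255.0"\n'
    'push "route 192.168.45.0 255.255.255.0"\n'
)


def strip_comment(line):
    """Drop a trailing '#' or ';' comment that sits outside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch in "#;" and not in_quote:
            return line[:i]
    return line


def parse_conf(text):
    """Return (pool_network, [(address, mask), ...]) from the active
    'server' and 'push "route ..."' lines; commented-out pushes are ignored."""
    pool = None
    routes = []
    for raw in text.splitlines():
        words = shlex.split(strip_comment(raw))  # quotes keep the push arg whole
        if not words:
            continue
        if words[0] == "server" and len(words) >= 3:
            pool = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif words[0] == "push" and len(words) >= 2:
            args = words[1].split()
            if len(args) >= 3 and args[0] == "route":
                routes.append((args[1], args[2]))
    return pool, routes


def check_routes(text, wanted):
    """Classify each pushed route and list wanted LANs that no push covers.

    Returns a dict with:
      pool     - tunnel pool network from the 'server' line (None if absent)
      pushed   - every pushed route, normalised to its network address
      bad_mask - pushes whose address has host bits set under its mask
      on_link  - pushes equal to the pool; a tap client already has an
                 interface address in that network, so the push adds nothing
      missing  - wanted networks with no covering push
    """
    pool, routes = parse_conf(text)
    pushed, bad_mask, on_link = [], [], []
    for addr, mask in routes:
        try:
            network = ipaddress.ip_network(f"{addr}/{mask}")
        except ValueError:  # host bits set, e.g. 192.168.46.254 with a /24 mask
            network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            bad_mask.append(f"{addr}/{mask}")
        pushed.append(network)
        if pool is not None and network == pool:
            on_link.append(str(network))
    missing = [w for w in wanted
               if not any(ipaddress.ip_network(w).subnet_of(p) for p in pushed)]
    return {"pool": str(pool) if pool is not None else None,
            "pushed": [str(p) for p in pushed],
            "bad_mask": bad_mask, "on_link": on_link, "missing": missing}


if __name__ == "__main__":
    for name, conf in (("posted", SERVER_CONF), ("fixed", FIXED_CONF)):
        print(name, check_routes(conf, WANTED_LANS))
```

Run against the posted config, the check reports that the only push is the pool network 192.168.47.0/24 (already on-link for a tap client) and that nothing is pushed for 192.168.46.0/24 or 192.168.45.0/24, so the client never sends LAN traffic into the tunnel at all; the commented-out push would also trip the host-bits check, since it names the gateway 192.168.46.254 where the route directive wants the network address 192.168.46.0. Pushing the two LAN routes fixes the client side only: hosts on 192.168.46.0/24 still need a return path for 192.168.47.0/24, either a static route via 192.168.46.2 on the LAN gateway or the ipnat map (in ipnat.conf a destination of 0/32 means "the address of the interface", which is what source NAT for the tunnel needs), and 192.168.45.0/24 additionally depends on the other VPN knowing how to route back. Unrelated to the routing problem, BF-CBC is a 64-bit block cipher; current OpenVPN releases default to AES-GCM and warn when Blowfish is configured.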




More information about the freebsd-questions mailing list