 From:  Vincent Fleuranceau <vincent at bikost dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] OpenVPN major issues
 Date:  Tue, 26 Oct 2004 11:08:54 +0200
To all:

It seems the OpenVPN port is in a very very beta stage. I've been trying 
to set up a m0n0 <--> m0n0 config for 2 days without success last week. 
I've given Peter some feedback on my experiments. This is what I've got 
back from Peter (on holidays this week - don't blame him ;-), assuming 
you give the OpenVPN server a 10.0.0.0/24 range and you have just one 
client (to simplify):

- the server creates a Point-to-point 10.0.0.1 --> 10.0.0.2 subnet for 
its *own* internal routing stuff. No client will use this address at all.

- each new client creates a *dedicated* Point-to-point /30 subnet, 
starting with 10.0.0.6 --> 10.0.0.5 and so on...

PLEASE NOTE: the odd IP is *always* on the server side, i.e. the 
"remote" IP from the client's perspective and the even IP is always on 
the client side.

- on the server you have to add a static route to the client's LAN 
network (be careful to use a correct mask, /24 for example) on the 
OpenVPN Server interface, using 10.0.0.6 as gateway (not 10.0.0.5 and 
forget 10.0.0.1 and 10.0.0.2).

- on the client you have to add a static route to the server's LAN 
network (be careful to use a correct mask, /24 for example) on the 
OpenVPN XXXX interface, using 10.0.0.5 as gateway (not 10.0.0.6 and 
forget 10.0.0.1 and 10.0.0.2).

PLEASE NOTE: I think the static routes are generated too *early* in the 
boot process, i.e. it happens before the OpenVPN interfaces are 
configured, so the routes are simply ignored. Please activate them again 
from the WebGUI (edit the route, then press the "Save" button without 
modifying anything and apply the changes).

- on the server, you must let UDP port 5000 enter the WAN interface.

- on the client, you must let UDP port 5001 enter the WAN interface.

[PLEASE NOTE: if you have several clients on the *same* m0n0 box each 
client will use a different port, starting with 5001, 5002 and so on. If 
you have many clients (i.e. different m0n0 machines) connecting to the 
same OpenVPN server, they will all use the same 5001 port]

- filtering on the OpenVPN interfaces is only used to manage what passes 
*through* the tunnel when it's up and running.

- there may be other issues in the code: for example the current code 
creates (useless) NAT maps for the OpenVPN interfaces...

I must mention I have not tried the OpenVPN stuff since it's in Manuel's 
1.2b2 release, but Manuel confirmed it's the same code as in Peter's 
early version. I've just collected this info from Peter's answers to my 
e-mails and my own experience: if I've written something wrong, please 
correct me...

More: I've told Peter I may try to write down some sort of m0n0 <--> 
m0n0 OpenVPN documentation. So: feedback is welcome ;-)

-- Vincent
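The addressing and routing rules Vincent lists above (first /30 reserved for the server's own point-to-point pair, one dedicated /30 per client with the odd address on the server side, static routes via the peer's tunnel address, UDP 5000 on the server WAN and 5001, 5002, ... per client on a box) are easy to get wrong by hand. The planner below is an added example, not m0n0wall code and not from Vincent or Peter: it works the rules out for any number of client boxes and rejects the "wrong mask" trap the mail warns about. The box names and LAN ranges in the demo are constructed, and the assumption that every further client, on the same box or another, takes the next free /30 in order is mine.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SERVER_PORT = 5000        # UDP port the OpenVPN server must let in on its WAN
FIRST_CLIENT_PORT = 5001  # first client on a given m0n0 box; 5002, 5003, ... for the next ones


@dataclass(frozen=True)
class TunnelPlan:
    box: str               # constructed name of the client m0n0 box
    client_lan: str        # LAN behind that box, e.g. "192.168.2.0/24"
    client_port: int       # UDP port this client must let in on its WAN
    server_tun_ip: str     # odd address: server side, the "remote" IP from the client's view
    client_tun_ip: str     # even address: client side
    server_route: tuple    # (destination, gateway) static route to add on the server
    client_route: tuple    # (destination, gateway) static route to add on the client


def _lan(cidr):
    # strict=True rejects "192.168.1.1/24": host bits set under the mask means the
    # mask is wrong, which is the "be careful to use a correct mask" trap.
    return ipaddress.ip_network(cidr, strict=True)


def plan_tunnels(tunnel_net, server_lan, clients):
    """clients: list of (box_name, client_lan_cidr) in the order the clients are
    defined.  Returns (server_p2p_pair, [TunnelPlan, ...])."""
    net = ipaddress.ip_network(tunnel_net, strict=True)
    if net.prefixlen > 28:
        raise ValueError("tunnel network must hold a server /30 plus at least one client /30")
    srv_lan = _lan(server_lan)
    subnets = net.subnets(new_prefix=30)

    # First /30: the server's own point-to-point pair (10.0.0.1 --> 10.0.0.2 for a
    # 10.0.0.0/24 range).  Internal routing only; no client ever uses it.
    first = list(next(subnets).hosts())
    server_p2p = (str(first[0]), str(first[1]))

    plans = []
    seen = [net, srv_lan]
    per_box = defaultdict(int)
    for box, lan_cidr in clients:
        lan = _lan(lan_cidr)
        for other in seen:
            if lan.overlaps(other):
                raise ValueError(f"{lan} overlaps {other}; the static routes would be ambiguous")
        seen.append(lan)

        # Each client gets its own dedicated /30: usable hosts are base+1 (odd) and
        # base+2 (even).  Odd is always the server side, even always the client side.
        try:
            lo, hi = next(subnets).hosts()
        except StopIteration:
            raise ValueError(f"{net} has no /30 left for {box}") from None
        assert lo.packed[-1] % 2 == 1 and hi.packed[-1] % 2 == 0

        port = FIRST_CLIENT_PORT + per_box[box]  # 5001 for the first client on any box
        per_box[box] += 1

        plans.append(TunnelPlan(
            box=box,
            client_lan=str(lan),
            client_port=port,
            server_tun_ip=str(lo),
            client_tun_ip=str(hi),
            # on the server: route to the client LAN via the client's EVEN tunnel address
            server_route=(str(lan), str(hi)),
            # on the client: route to the server LAN via the server's ODD tunnel address
            client_route=(str(srv_lan), str(lo)),
        ))
    return server_p2p, plans


def wan_rules(plans):
    """UDP ports each side must pass in on its WAN interface, keyed by box name."""
    rules = {"server": {SERVER_PORT}}
    for p in plans:
        rules.setdefault(p.box, set()).add(p.client_port)
    return rules


if __name__ == "__main__":
    # Constructed demo: one server LAN, two client boxes, the second with two tunnels.
    p2p, plans = plan_tunnels("10.0.0.0/24", "192.168.1.0/24",
                              [("site-b", "192.168.2.0/24"),
                               ("site-c", "192.168.3.0/24"),
                               ("site-c", "192.168.4.0/24")])
    print("server internal p2p:", p2p)
    for p in plans:
        print(p)
    print("WAN rules:", wan_rules(plans))
```

Running the demo reproduces the mail's numbers for the first client (server 10.0.0.5, client 10.0.0.6, server route via 10.0.0.6, client route via 10.0.0.5) and then continues the pattern (10.0.0.9/10.0.0.10, ...) for the next ones; the WAN rule set shows that a second client on the same box needs 5002 while a first client on a different box needs 5001 again. Note that the planner only derives what to type into the WebGUI; it does not touch the per-interface filter rules, which, as the mail says, govern what crosses the tunnel once it is up.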