 From:  Andre Maoro <andre at maoro dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] OpenVPN major issues
 Date:  Tue, 26 Oct 2004 11:49:45 +0200
Hello Vincent,

thanks a lot for this Howto!
But I still have a problem with inbound packets at the client's WAN side.
What does work is a non-m0n0wall OpenVPN client, but m0n0wall itself
does not. I opened anything coming from my OpenVPN server on the WAN
side, but m0n0wall is still blocking all packets coming in from port
5000/udp.
Don't know what's the reason for this :(

Greets,
Andre

Vincent Fleuranceau schrieb:

> To all:
>
> It seems the OpenVPN port is in a very very beta stage. I've been 
> trying to set up a m0n0 <--> m0n0 config for 2 days without success 
> last week. I've given Peter some feedback on my experiments. This is 
> what I've got back from Peter (on holidays this week - don't blame him 
> ;-), assuming you give the OpenVPN server a 10.0.0.0/24 range and you 
> have just one client (to simplify):
>
> - the server creates a Point-to-point 10.0.0.1 --> 10.0.0.2 subnet for 
> its *own* internal routing stuff. No client will use this address at all.
>
> - each new client creates a *dedicated* Point-to-point /30 subnet, 
> starting with 10.0.0.6 --> 10.0.0.5 and so on...
>
> PLEASE NOTE: the odd IP is *always* on the server side, i.e. the 
> "remote" IP from the client's perspective and the even IP is always on 
> the client side.
>
> - on the server you have to add a static route to the client's LAN 
> network (be careful to use a correct mask, /24 for example) on the 
> OpenVPN Server interface, using 10.0.0.6 as gateway (not 10.0.0.5 and 
> forget 10.0.0.1 and 10.0.0.2).
>
> - on the client you have to add a static route to the server's LAN 
> network (be careful to use a correct mask, /24 for example) on the 
> OpenVPN XXXX interface, using 10.0.0.5 as gateway (not 10.0.0.6 and 
> forget 10.0.0.1 and 10.0.0.2).
>
> PLEASE NOTE: I think the static routes are generated too *early* in 
> the boot process, i.e. it happens before the OpenVPN interfaces are 
> configured, so the routes are simply ignored. Please activate them 
> again from the WebGUI (edit the route, then press the "Save" button 
> without modifying anything and apply the changes).
>
> - on the server, you must let UDP port 5000 enter the WAN interface.
>
> - on the client, you must let UDP port 5001 enter the WAN interface.
>
> [PLEASE NOTE: if you have several clients on the *same* m0n0 box each 
> client will use a different port, starting with 5001, 5002 and so on. 
> If you have many clients (i.e. different m0n0 machines) connecting to 
> the same OpenVPN server, they will all use the same 5001 port]
>
> - filtering on the OpenVPN interfaces is only used to manage what 
> passes *through* the tunnel when it's up and running.
>
> - there may be other issues in the code: for example the current code 
> creates (useless) NAT maps for the OpenVPN interfaces...
>
> I must mention I have not tried the OpenVPN stuff since it's in 
> Manuel's 1.2b2 release, but Manuel confirmed it's the same code as in 
> Peter's early version. I've just collected this info from Peter's 
> answers to my e-mails and my own experience: if I've written 
> something wrong, please correct me...
>
> More: I've told Peter I may try to write down some sort of m0n0 <--> 
> m0n0 OpenVPN documentation. So: feedback is welcome ;-)
>
> -- Vincent
>
>
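The addressing scheme Vincent relays above (server keeps 10.0.0.1/10.0.0.2 for itself, every client gets its own /30 with the odd address on the server side, and each side's static route points at the far end of that /30), worked through as an added Python example; this is not code from the thread, m0n0wall or OpenVPN. It assumes the classic OpenVPN "net30" tun topology, which is what the quoted allocation matches, and the LAN networks 192.168.1.0/24 and 192.168.2.0/24 in the usage call are constructed sample values.

```python
"""Model the m0n0 <--> m0n0 OpenVPN layout from the thread (added example).

Assumes OpenVPN's "net30" tun topology: the first /30 of the pool belongs to the
server itself (10.0.0.1/10.0.0.2), and client N gets the N-th following /30 with
the odd address on the server side and the even address on the client side.
"""
import ipaddress

OPENVPN_SERVER_PORT = 5000   # UDP, must be allowed in on the server's WAN
FIRST_CLIENT_PORT = 5001     # several clients on one box use 5001, 5002, ...


def client_endpoints(pool, index):
    """Return (server_side_ip, client_side_ip) for the index-th client (1-based).

    Client 1 gets 10.0.0.4/30 -> server side 10.0.0.5, client side 10.0.0.6.
    """
    net = ipaddress.ip_network(pool)
    base = int(net.network_address) + 4 * index
    server_side = ipaddress.ip_address(base + 1)  # odd: "remote" from the client
    client_side = ipaddress.ip_address(base + 2)  # even: the client's own address
    if client_side not in net:
        raise ValueError(f"client {index} does not fit in {pool}")
    return str(server_side), str(client_side)


def static_routes(pool, index, server_lan, client_lan):
    """Static routes each side needs, as (destination, gateway) pairs."""
    server_side, client_side = client_endpoints(pool, index)
    return {
        "server": (str(ipaddress.ip_network(client_lan)), client_side),
        "client": (str(ipaddress.ip_network(server_lan)), server_side),
    }


def check_gateway(pool, index, side, gateway):
    """Catch the two mistakes the thread warns about: pointing the route at
    the own end of the /30, or at the server's internal 10.0.0.1/10.0.0.2 pair."""
    server_side, client_side = client_endpoints(pool, index)
    expected = client_side if side == "server" else server_side
    if gateway == expected:
        return "ok"
    if gateway in (server_side, client_side):
        return f"wrong end of the /30: use {expected}"
    return f"not a tunnel endpoint for client {index}: use {expected}"


def wan_udp_port(side, nth_on_box=1):
    """UDP port to allow in on the WAN: 5000 on the server, 5001+ per client on a box."""
    return OPENVPN_SERVER_PORT if side == "server" else FIRST_CLIENT_PORT + nth_on_box - 1


if __name__ == "__main__":
    print(static_routes("10.0.0.0/24", 1, "192.168.1.0/24", "192.168.2.0/24"))
    print(check_gateway("10.0.0.0/24", 1, "server", "10.0.0.5"))
```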