Thanks for your reply! I did it exactly this way! The OpenVPN server rules are configured correctly, because I can connect to the server with any OpenVPN client, except m0n0wall. The m0n0wall OpenVPN client is blocking all incoming OpenVPN traffic:

---
Oct 26 12:27:44 ovpnclient ipmon[76]: 12:27:43.932632 de1 @0:7 b 212.202.xxx.xxx,5000 -> 145.253.xxx.xxx,1292 PR udp len 20 42 IN
---

This message repeats about 20-30 times per second, but the destination udp port changes every time.

And here is my current "ipfstat -nio" (de0 = LAN (192.168.101.0/24), de1 = WAN (static IP)):

---
@1 pass out quick on lo0 from any to any
@2 pass out quick on de0 proto udp from 192.168.101.254/32 port = 67 to any port = 68
@3 pass out quick on de1 proto udp from any port = 68 to any port = 67
@4 pass out quick on de0 from any to any keep state
@5 pass out quick on de1 from any to any keep state
@6 pass out quick on tap1 from any to any keep state
@7 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on de0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on de0 proto udp from any port = 68 to 192.168.101.254/32 port = 67
@6 block in log quick on de1 from 192.168.101.0/24 to any
@7 block in log quick on de1 from any to any
@8 block in log quick on de1 proto udp from any port = 67 to 192.168.101.0/24 port = 68
@9 pass in quick on de1 proto udp from any port = 67 to any port = 68
@10 block in log quick on de0 from !192.168.101.0/24 to any
@11 block in log quick on tap1 from !any to any
@12 block in log quick on de1 from 10.0.0.0/8 to any
@13 block in log quick on de1 from 127.0.0.0/8 to any
@14 block in log quick on de1 from 172.16.0.0/12 to any
@15 block in log quick on de1 from 192.168.0.0/16 to any
@16 skip 1 in proto tcp from any to any flags S/FSRA
@17 block in log quick proto tcp from any to any
@18 block in log quick on de0 from any to any head 100
@1 pass in quick from 192.168.101.0/24 to 192.168.101.254/32 keep state group 100
@2 pass in quick from 192.168.101.0/24 to any keep state group 100
@19 block in log quick on de1 from any to any head 200
@1 pass in quick proto gre from any to 127.0.0.1/32 keep state group 200
@2 pass in quick proto tcp from any to 127.0.0.1/32 port = 1723 keep state group 200
@3 pass in quick proto udp from any to any port = 5001 keep state keep frags group 200
@20 block in log quick on tap1 from any to any head 300
@1 pass in quick from any to any keep state group 300
@21 block in log quick from any to any
---

Maybe this helps. And thank you again, Vincent!

Andre

Vincent Fleuranceau wrote:
>
> -------- Original Message --------
>
>> Hello Vincent,
>>
>> thanks a lot for this Howto!
>> But I still have a problem with inbound packets at the client's WAN side.
>> What does work is a non-m0n0wall OpenVPN client, but m0n0wall itself
>> does not. I opened anything coming from my OpenVPN server on the WAN
>> side, but m0n0wall is still blocking all packets coming in from port
>> 5000/udp.
>> Don't know what's the reason for this :(
>>
>
> On the server, 5000 is the DESTINATION port. You should have
> something like:
>
> pass on WAN interface from any port = 5001 to SERVER_WAN_IP port = 5000
>
> On the client (for those who are using m0n0wall as client too), it's
> the contrary:
>
> pass on WAN interface from any port = 5000 to CLIENT_WAN_IP port = 5001
>
> To get started, don't specify a source port at first, then tighten this
> when you're sure it's working.
>
> That should do it: of course, if your client uses a different port,
> don't forget to adapt the rules.
>
> Hint: in the log "Settings" tab, check the "Log packets blocked by the
> default rule" to see exactly what gets blocked on the WAN interface.
>
> -- Vincent
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
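Following Vincent's hint about reading the blocked-packet log, here is an added Python example (not from the thread and not m0n0wall code) that parses an ipmon line like the one Andre posted and checks it against the group 200 pass rules on the client's WAN interface, reporting which pass rule, if any, would have accepted the packet. The masked addresses are replaced by RFC 5737 documentation addresses, and the rule parser only understands the "pass in quick proto ... from ... to ..." subset that appears in the post.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the ipmon line from the post, with the masked
# addresses replaced by RFC 5737 documentation addresses, plus the three
# "group 200" pass rules from the client's WAN interface in the ipfstat output.
IPMON_LINE = ("12:27:43.932632 de1 @0:7 b 203.0.113.10,5000 -> 198.51.100.20,1292 "
              "PR udp len 20 42 IN")
WAN_PASS_RULES = [
    "pass in quick proto gre from any to 127.0.0.1/32 keep state group 200",
    "pass in quick proto tcp from any to 127.0.0.1/32 port = 1723 keep state group 200",
    "pass in quick proto udp from any to any port = 5001 keep state keep frags group 200",
]

LOG_RE = re.compile(
    r"^\S+ (?P<iface>\S+) @\S+ (?P<action>[bp]) (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+)")
RULE_RE = re.compile(
    r"^pass in quick proto (?P<proto>\w+) from (?P<src>\S+)(?: port = (?P<sport>\d+))?"
    r" to (?P<dst>\S+)(?: port = (?P<dport>\d+))?")

def parse_ipmon(line):
    """Interface, verdict (b=blocked, p=passed), addresses, ports and protocol of one ipmon line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised ipmon line: " + line)
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt

def _addr_ok(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec is None or int(spec) == port

def first_matching_rule(pkt, rules):
    """Index of the first pass rule that would accept pkt, or None if it stays blocked."""
    for i, rule in enumerate(rules):
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError("unsupported rule syntax: " + rule)
        r = m.groupdict()
        if (r["proto"] == pkt["proto"] and _addr_ok(r["src"], pkt["src"])
                and _addr_ok(r["dst"], pkt["dst"])
                and _port_ok(r["sport"], pkt["sport"]) and _port_ok(r["dport"], pkt["dport"])):
            return i
    return None
```

For the posted line the function returns None, since the only udp pass rule requires destination port 5001 while the logged packet arrives at port 1292, which is exactly the kind of mismatch the "Log packets blocked by the default rule" setting makes visible.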