 From:  Louis <m0n0 dot ch at hourfollowshour dot org>
 To:  peter at Closeconsultants dot com
 Cc:  thomas at wedoweb dot se, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] openvpn roadwarrior configuration
 Date:  Sun, 12 Dec 2004 13:50:20 -0500
Peter,

> This effectively pushes EVERYTHING down the tunnel (DNS, DHCP,

This is my goal. I want everything over that wireless link to/from 
m0n0 to be completely encrypted; I don't want to see DNS traffic passing 
through wirelessly.  In fact, wouldn't any VPN solution want this to 
happen?  People could sniff all your DNS traffic and then gain 
insight as to where you are going, which would seem to partially defeat 
the idea of a VPN.  How do IPSec and PPTP do it?

This brings up another question. Since I don't have another physical 
laptop/wifi station at the moment, I have tested by putting another wifi 
interface in my Thinkpad.  Now when I sniff my channel from that second 
interface *I do* see some cleartext traffic going by.  I imagine 
this is not being picked up from the air, but from the local machine, 
depending on how the stack or routes are configured?  Not a valid test, I 
know, but any input on this would be nice.  (I saw this when testing PPTP 
from Linux as well.)

> specify the redirect-gateway + local push option which is correct for
> situation where clients are on the same network as the server.

I have this working according to the openvpn client messages in 
Windows XP, but I get an error for the redirect-gateway + local push 
option using the openvpn client on Linux (FC3).  [will paste]

I will add a section to the doc as to how to configure the client in 
Linux.  I will also try to segment it better to show a local VPN 
configuration vs. a remote VPN configuration.

> OpenVPN now has an official port number assigned by IANA (1194).
Will the GUI screen mention to add firewall rules or offer to add them 
automatically when you turn it on?

> You might want to try the local wireless network scenario using TAP
I will check this out. I did see that you suggest this in your 
documentation, which I based a lot of what I did on.  TUN seemed to 
work more cleanly, and I was also big on setting the configuration to 
something that can be supported by the most clients, since I plan on 
having Windows, Mac, and Linux clients using OpenVPN when it's all done.

> Also I recommend TinyCA (http://tinyca.sm-zone.net/) for managing
Will there be any GUI tools added to the m0n0 OpenVPN screens to 
generate all the certs?

Thanks for the good work on this, I look forward to the coming updates.

http://seigal.com/docs/m0n0-openvpn.html

Louis
Peter Curran wrote:
> Louis
> 
> Good document!
> 
> A couple of pointers for you...
> 
> You said that your config was for clients on a wireless network on OPT1.  It 
> looks like a good setup for that purpose.  One thing to note is that you 
> specify the redirect-gateway + local push option which is correct for the 
> situation where clients are on the same network as the server.
> 
> This effectively pushes EVERYTHING down the tunnel (DNS, DHCP, everything...).  
> The only thing left going across the real network path is packets to/from 
> OVPN.
> 
> If you are in a road-warrior scenario with remote users on completely separate 
> (not physically connected) networks then this will likely cause many 
> problems.  I suggest that you just do redirect-gateway only.  This then 
> creates a default route via the tunnel, but traffic to the network local to 
> the client (typically for DNS) does not use the tunnel.
> 
> When the next version of the code is out (still testing but I hope tomorrow) 
> then there is a port change.  OpenVPN now has an official port number 
> assigned by IANA (1194).
> 
> You might want to try the local wireless network scenario using TAP tunnels as 
> well - this actually performs better for me and allows me to use bridging to 
> the LAN interface.
> 
> Also I recommend TinyCA (http://tinyca.sm-zone.net/) for managing certs etc. 
> - it provides a fairly smooth GUI environment and is not too difficult to 
> use.
> 
> Regards
> 
> Peter
> 
>> http://seigal.com/docs/m0n0-openvpn.html
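The two redirect-gateway variants Peter describes, as an added OpenVPN server-config example (constructed for this thread, not taken from the linked document or from m0n0wall's own generated configuration); the tunnel subnet, certificate file names and the "server" directive are assumed placeholders:

```openvpn
# Added example: OpenVPN server config fragment (constructed, not from the page).
# Placeholder values: 10.8.0.0/24 tunnel subnet and the cert/key file names.
dev tun
# official IANA-assigned port mentioned in the thread
port 1194
proto udp
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem

# Case 1: clients sit on the same subnet as the server (the wireless OPT1 setup).
# The "local" flag tells the client NOT to add a host route to the server via
# its original gateway, so the default route through the tunnel carries
# everything (DNS, DHCP, ...); only the OpenVPN UDP packets themselves cross
# the wireless link in the clear, which is the goal Louis states.
push "redirect-gateway local"

# Case 2: road warriors on remote, physically unconnected networks.
# Omit "local": the client keeps a host route to the VPN server through its
# real gateway (it must, or the tunnel would have no path) and installs a
# default route via the tunnel for everything else.  Using Case 1's "local"
# here is what causes the problems Peter warns about.
# push "redirect-gateway"
```

Only one of the two push lines should be active for a given deployment; the choice depends on whether the clients can reach the server directly on a shared subnet.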