 From:  m0n0 dot ch at hourfollowshour dot org
 To:  peter at Closeconsultants dot com
 Cc:  thomas at wedoweb dot se, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] openvpn roadwarrior configuration
 Date:  Sun, 12 Dec 2004 16:23:28 -0500

Thanks for the explanation on voluntary/compulsory and split/non-split, 
that made a lot of sense.

In my case for a local VPN setup, I want everything as secure as 
possible, so I want *all* traffic over the wireless network to be 
encrypted once the VPN connection has been initiated.  It sounds like I 
need to get the redirect-gateway + local working in Linux.  I'm 
*assuming* it is working in windows OK because I don't get that error 
message, but I won't feel cozy about that until I have a friend come 
over to sniff my network.  I will check out the OpenVPN list to see if I 
can locate background on the redirect-gateway error in the Linux client. 
Just to keep everything together for the archive, here is the error I see:

Dec 12 15:56:08 mybox openvpn[3959]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway 'local',route,ifconfig'
Dec 12 15:56:08 mybox openvpn[3959]: Options error: unknown --redirect-gateway flag: 'local'
Dec 12 15:56:08 mybox openvpn[3959]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 12 15:56:08 mybox openvpn[3959]: OPTIONS IMPORT: route options modified
Dec 12 15:56:08 mybox openvpn[3959]: TUN/TAP device tun0 opened

OpenVPN 2.0_rc1 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Dec 11 2004

> What kind of stuff can you see in plain the wireless interface?
I'm going to go back and do a bit more formal testing, document the 
config and exactly what I am doing, routes, etc, and throw the results 
into another e-mail.

> include the ones you actually want.  I will mess about with this some more - 
> maybe just auto-set the rules if a single interface is selected?
Ideally it would be a checkbox that you could click on to add the rule 
automatically (like when adding NAT items, you select generate firewall 
rules).  At a minimum, a little message on the bottom of the page telling 
the user they need to create X rule on the interface before they will be 
able to VPN in.

> I have not yet discussed this with Manuel.  I would like to see this feature - 
> particularly as I am currently working on per-client configs that over-ride 
It would be great to see cert utils directly in the GUI, have a single 
point to manage everything rather than having to figure out the 
various different techniques that exist to generate everything required; 
it can be quite confusing.  A good section in the m0n0wall docs as to 
how to generate everything would suffice if it turns out not to be 
reasonable to build this functionality into the image.
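Added example, not part of the message above or of m0n0wall/OpenVPN: a small Python check for the failure mode the message describes. When the client logs "Options error: unknown --redirect-gateway flag", the pushed redirect-gateway is dropped while the tunnel still comes up, so the default route can stay on the wireless interface and only the routes that were accepted go through the VPN. The script parses the client log for the PUSH_REPLY and for that rejection, and separately checks which device carries the default route in `ip route` output. The log samples are the lines quoted in the message plus a constructed "accepted" variant; the `ip route` lines and addresses are constructed too.

```python
"""Check an OpenVPN client log for a pushed redirect-gateway that the client
rejected, and check which interface actually carries the default route."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the lines quoted in the mailing-list message (client
# rejected the 'local' flag, tunnel still came up).
LOG_REJECTED = """\
Dec 12 15:56:08 mybox openvpn[3959]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway 'local',route,ifconfig'
Dec 12 15:56:08 mybox openvpn[3959]: Options error: unknown --redirect-gateway flag: 'local'
Dec 12 15:56:08 mybox openvpn[3959]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 12 15:56:08 mybox openvpn[3959]: OPTIONS IMPORT: route options modified
Dec 12 15:56:08 mybox openvpn[3959]: TUN/TAP device tun0 opened
"""

# Constructed sample: same push, but a client that accepts the flag.
LOG_ACCEPTED = """\
Dec 12 16:10:01 mybox openvpn[4021]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway 'local',route,ifconfig'
Dec 12 16:10:01 mybox openvpn[4021]: OPTIONS IMPORT: --ifconfig/up options modified
Dec 12 16:10:01 mybox openvpn[4021]: OPTIONS IMPORT: route options modified
Dec 12 16:10:01 mybox openvpn[4021]: TUN/TAP device tun0 opened
"""

# Constructed `ip route` output for both outcomes (addresses are made up).
ROUTE_VIA_TUN = "default via 10.8.0.5 dev tun0\n10.8.0.4/30 dev tun0\n192.168.1.0/24 dev wlan0\n"
ROUTE_VIA_WLAN = "default via 192.168.1.1 dev wlan0\n10.8.0.4/30 dev tun0\n192.168.1.0/24 dev wlan0\n"

PUSH_RE = re.compile(r"PUSH: Received control message: '(?P<msg>.*)'\s*$")
REJECT_RE = re.compile(r"Options error: unknown --redirect-gateway flag: '(?P<flag>[^']*)'")
TUN_RE = re.compile(r"TUN/TAP device (?P<dev>\S+) opened")


@dataclass
class PushCheck:
    pushed: List[str] = field(default_factory=list)  # options after PUSH_REPLY
    redirect_gateway: Optional[str] = None           # args of pushed redirect-gateway
    rejected_flag: Optional[str] = None              # flag the client refused, if any
    tun_device: Optional[str] = None

    @property
    def full_tunnel_applied(self) -> bool:
        """True only if redirect-gateway was pushed and not rejected."""
        return self.redirect_gateway is not None and self.rejected_flag is None


def check_push_log(log_text: str) -> PushCheck:
    """Parse OpenVPN client log lines for the PUSH_REPLY and any rejection."""
    result = PushCheck()
    for line in log_text.splitlines():
        m = PUSH_RE.search(line)
        if m:
            parts = m.group("msg").split(",")
            if parts and parts[0] == "PUSH_REPLY":
                result.pushed = parts[1:]
                for opt in result.pushed:
                    name, _, args = opt.partition(" ")
                    if name == "redirect-gateway":
                        # Strip the quoting OpenVPN puts around the flag value.
                        result.redirect_gateway = args.replace("'", "").strip()
            continue
        m = REJECT_RE.search(line)
        if m:
            result.rejected_flag = m.group("flag")
            continue
        m = TUN_RE.search(line)
        if m:
            result.tun_device = m.group("dev")
    return result


def default_route_device(ip_route_output: str) -> Optional[str]:
    """Return the device of the 'default' entry in `ip route` output, if any."""
    for line in ip_route_output.splitlines():
        fields = line.split()
        if fields and fields[0] == "default" and "dev" in fields:
            return fields[fields.index("dev") + 1]
    return None


def report(log_text: str, ip_route_output: str) -> str:
    """Summarise whether all traffic is really going through the tunnel."""
    push = check_push_log(log_text)
    dev = default_route_device(ip_route_output)
    if push.rejected_flag is not None:
        return (f"redirect-gateway rejected (flag {push.rejected_flag!r}); "
                f"default route stays on {dev}, traffic is NOT tunnelled")
    if push.full_tunnel_applied and dev == push.tun_device:
        return f"redirect-gateway applied; default route on {dev}"
    return f"redirect-gateway not in effect; default route on {dev}"


if __name__ == "__main__":
    print(report(LOG_REJECTED, ROUTE_VIA_WLAN))
    print(report(LOG_ACCEPTED, ROUTE_VIA_TUN))
```

Running the script against the first sample prints the rejection with the default route still on wlan0; against the second it confirms the default route moved to tun0. On a real box, feed it the openvpn lines from syslog and the output of `ip route` after the connection is up.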