I have a problem with the m0n0wall OpenVPN implementation on the client side. The client establishes the OpenVPN tunnel successfully and the client side can connect to the server-side network successfully; however, the reverse (server to client network) does not work until the firewall rules are reapplied. My thinking is that the m0n0wall firewall rulebase is applied at boot time and not after the VPN is established. Is anyone else having this problem?

Warwick

On 5/11/05, Steven McCoy <fnjordy at gmail dot com> wrote:
> Ok, as an FYI I got this set up, it's quite nice. I had to add a few
> parameters to openvpn, although for testing I just overrode everything.
>
> 1) Create ccd directory
>
>   mkdir /var/db/ccd
>
> 2) Create iroutes for each "common name", as defined in TLS, client
>
>   echo "iroute 10.2.0.0 255.255.255.0" > /var/db/ccd/China
>
> 3) Copy openvpn binary
>
>   cp /usr/local/sbin/openvpn /usr/local/sbin/openvpn_real
>
> 4) Upload wrapper script:
>
>   #!/bin/sh
>   # Wrapper installed in place of the real openvpn binary; all server
>   # parameters are passed explicitly here.
>   /usr/local/sbin/openvpn_real \
>     --daemon \
>     --user nobody \
>     --group nobody \
>     --verb 1 \
>     --writepid /var/run/ovpn_srv.pid \
>     --dev tun0 \
>     --port 5000 \
>     --local vpn.yorkion.com.hk \
>     --client-to-client \
>     --max-clients 25 \
>     --server 172.16.2.0 255.255.255.128 \
>     --ca /var/db/ovpn_ca_cert.pem \
>     --cert /var/db/ovpn_srv_cert.pem \
>     --key /var/db/ovpn_srv_key.pem \
>     --dh /var/db/ovpn_dh.pem \
>     --cipher BF-CBC \
>     --ping 15 \
>     --push "ping 15" \
>     --ping-restart 240 \
>     --push "ping-restart 120" \
>     --ping-exit 600 \
>     --push "ping-exit 600" \
>     --client-config-dir /var/db/ccd \
>     --route 10.2.0.0 255.255.255.0 \
>     --route 192.168.1.0 255.255.255.0 \
>     --persist-tun
>
> The client is on DSL in China, so have to up the ping parameters a bit.
>
> Any suggestions? I might work on updating the m0n0wall php if no one else
> is, it's been a while since the last beta.
>
> --
> Steve-o
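The setup Steve describes depends on two things agreeing: the per-client iroute file in the --client-config-dir and a matching --route on the server command line. The iroute only tells OpenVPN which client owns a subnet; without the --route the kernel never sends traffic for that subnet into tun0 at all. The following shell script is an added example, not code from the thread or from m0n0wall: it writes the ccd files the way step 2 does and checks that every iroute subnet has a --route counterpart in a given set of server options. CCD_DIR, the second client "Branch" and its 10.3.0.0/24 subnet are assumptions for the demo; on the firewall CCD_DIR would be /var/db/ccd.

```shell
#!/bin/sh
# Added example, not code from the thread above. Builds the per-client
# "iroute" files for --client-config-dir and verifies each one is paired
# with a server-side --route, which is the usual reason a client-side LAN
# stays unreachable even though the iroute file exists.
# CCD_DIR defaults to a temporary directory so the script runs anywhere
# (assumption); on the firewall it would be /var/db/ccd as in the thread.

CCD_DIR="${CCD_DIR:-$(mktemp -d)}"

# write_ccd CN NETWORK NETMASK: write $CCD_DIR/CN containing one iroute
# line. CN must equal the certificate common name OpenVPN sees for the
# client, otherwise the file is never read.
write_ccd() {
    _cn=$1; _net=$2; _mask=$3
    mkdir -p "$CCD_DIR"
    printf 'iroute %s %s\n' "$_net" "$_mask" > "$CCD_DIR/$_cn"
}

# ccd_iroutes: print "network netmask" for every iroute line in CCD_DIR.
ccd_iroutes() {
    cat "$CCD_DIR"/* 2>/dev/null | awk '$1 == "iroute" { print $2, $3 }'
}

# check_routes "SERVER_OPTIONS": return 0 when every iroute subnet also
# appears as "--route network netmask" in the server options; otherwise
# print the missing --route lines and return 1.
check_routes() {
    _opts=$1
    _missing=$(ccd_iroutes | while read -r _net _mask; do
        case " $_opts " in
            *" --route $_net $_mask "*) ;;
            *) echo "--route $_net $_mask" ;;
        esac
    done)
    if [ -n "$_missing" ]; then
        printf 'iroute without a matching server --route:\n%s\n' "$_missing"
        return 1
    fi
    return 0
}

# Demo: the China client from the thread plus an assumed second client.
write_ccd China  10.2.0.0 255.255.255.0
write_ccd Branch 10.3.0.0 255.255.255.0

# Server options as they would appear in the wrapper script (subset).
SERVER_OPTS="--server 172.16.2.0 255.255.255.128 \
--client-config-dir $CCD_DIR \
--route 10.2.0.0 255.255.255.0 \
--route 10.3.0.0 255.255.255.0 \
--route 192.168.1.0 255.255.255.0"

if check_routes "$SERVER_OPTS"; then
    echo "every iroute in $CCD_DIR has a matching --route"
fi
```

Running check_routes against an option set that lacks "--route 10.3.0.0 255.255.255.0" reports that line and returns 1; this catches the iroute/route mismatch before the server is restarted, but it says nothing about the firewall-rule timing Warwick describes, which has to be verified on the m0n0wall side.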