OpenVPN vm can't connect to other VMs

lokadamus at gmx.de lokadamus at gmx.de
Mon Mar 11 21:06:46 UTC 2013


On 11.03.2013 20:13, Michael Sierchio wrote:
> Are you pushing routes in your server.conf file?
>
> (hint - show, don't tell)
>
> - M
>
> On Wed, Mar 6, 2013 at 2:38 AM, Brent Clark <brentgclarklist at gmail.com> wrote:
>> Hi guys
>>
>> I'm struggling with a FreeBSD VM that I use for a VPN connection
>> from my workstation to my home LAN. And I was wondering if someone
>> could peer review me and my problem.
>>
>> OpenVPN is working beautifully. I.e. I can connect to some services (apache
>> etc) that I run directly on my FreeBSD / openvpn vm.
>>
>> What I'm now trying to achieve is that I can connect to other VMs / machines
>> on my home LAN.
>>
>> I'm using tun for my VPN, and my pf.conf looks like so (please see the nat on
>> ...)
>>
>> [root at freebsd /usr/home/bclark]# cat  /etc/pf.conf
>> ext_if="re0"
>> vpn_if="tun0"
>> int_net="10.0.0.0/24"
>> vpn_net="192.168.200.0/24"
>> set skip on lo0
>> set optimization normal
>> #set block-policy drop
>> set limit { states 20000, frags 10000, src-nodes 20000 }
>> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
>> scrub in all
>> # Translation: specify how addresses are to be mapped or redirected.
>> # NAT rules
>> # enabling NAT currently breaks policy based routing
>> #nat on $ext_if from { $int_net, $vpn_net } to any -> ($ext_if)
>> #nat on tun0 from { 192.168.200.0/24 } to any -> (re0)
>> nat on re0 from { 192.168.200.0/24 } to any -> (re0)
>>
>> table <sshguard> persist
>> block in quick on re0 proto tcp from <sshguard> to any port ssh label "ssh brute"
>>
>> What am I missing?
>>
>> If anyone could assist, it would be appreciated.
>>
>> Kind Regards
>> Brent Clark
>>
>>
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
For your own network, yes. You must route all your traffic that is for
your other LAN/subnet.
Every VPN connection must be routed correctly, no matter which VPN is used.
Otherwise all that traffic will go out over the Internet instead.

I connect some subnets with OpenVPN, and every subnet must be configured
with "ccd" (a subfolder containing a file named after the certificate name,
whose content is "iroute subnet", to tell OpenVPN that when client xyz connects,
that subnet is behind it) and in server.conf. Otherwise these subnets won't be routed correctly.
You can also add this route manually via its OpenVPN gateway.

Show:
server.conf: look for "client-config-dir /usr/local/.../ccd" in
server.conf and insert your subnet:
route 192.168.x.x 255.255.255.0

Create a file named after the certificate name under
/usr/local/etc/openvpn/config/"your connect-name"/ccd/ and insert:
iroute 192.168.x.x 255.255.255.0
Look in /var/log/openvpn.log for the right certificate name.

Every time this certificate/client connects, the subnet's traffic will be
routed through it.

Don't forget to restart openvpn. ;)
*Sorry, my English is not so good*
Regards
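As an added example (not code from anyone in this thread): a shell function that lays out the server.conf route, client-config-dir and ccd/iroute pieces lokadamus describes, plus the push "route" Michael asks about, under a root directory you choose, and a check that every iroute has its matching route line. The client CN "laptop" and the subnet 192.168.50.0/24 behind it are placeholders; 10.0.0.0/24 and 192.168.200.0/24 are taken from Brent's pf.conf.

```sh
#!/bin/sh
# Added example, not from the thread. Writes the OpenVPN pieces described
# above under $root so they can be inspected before copying to
# /usr/local/etc/openvpn. Placeholder values: client CN "laptop" and the
# subnet 192.168.50.0/24 behind it; 10.0.0.0/24 and 192.168.200.0/24 are
# taken from Brent's pf.conf. ca/cert/key/dh lines are omitted.
set -eu

# $1 root dir, $2 client certificate CN (see openvpn.log), $3 "net mask"
# behind that client, $4 "net mask" of the home LAN behind the server.
write_openvpn_routes() {
    root="$1"; cn="$2"; subnet="$3"; lan="$4"
    mkdir -p "$root/ccd"
    cat > "$root/server.conf" <<EOF
dev tun
server 192.168.200.0 255.255.255.0
# Michael's point: push the home LAN so clients send it through tun0
push "route $lan"
# lokadamus, step 1: kernel route for the subnet behind client "$cn"
route $subnet
client-config-dir $root/ccd
EOF
    # lokadamus, step 2: ccd file named after the certificate CN
    printf 'iroute %s\n' "$subnet" > "$root/ccd/$cn"
}

# Every iroute in ccd/ needs a matching "route" in server.conf; without it
# the kernel never hands that subnet's packets to OpenVPN. Returns 1 on
# the first mismatch.
check_iroutes() {
    root="$1"
    cat "$root"/ccd/* | grep '^iroute ' | while read -r _ net mask; do
        grep -q "^route $net $mask\$" "$root/server.conf" || {
            echo "missing 'route $net $mask' in $root/server.conf" >&2
            exit 1          # exits the pipeline subshell, not the script
        }
    done
}

# Usage: write_openvpn_routes /usr/local/etc/openvpn laptop \
#            "192.168.50.0 255.255.255.0" "10.0.0.0 255.255.255.0"
```

The VM must also forward packets (net.inet.ip.forwarding=1, i.e. gateway_enable="YES" in rc.conf) before LAN hosts are reachable through it; that setting is outside these files.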
