Title: openvpn gw 2 gw server tun client tap
Post by: amucha on Thursday 17 December 2009, 07:32:00 pm

hello all,

I try to connect two networks. One is our network, protected by Endian fw. The second is a network with an OpenVPN srv. It should work in that way that the office computers in network one can access the machines in network two (the opposite direction is not so important). So the first step was to manually build up a VPN tunnel. The admin from network two uses this OpenVPN srv config:

    #OpenVPN Server conf
    daemon openvpnserver
    writepid /var/run/openvpn.pid
    #DAN prepare ZERINA for listening on blue and orange
    ;local ***.***
    dev tun
    tun-mtu 1400
    proto tcp
    port 443
    tls-server
    ca /var/ipcop/ovpn/ca/cacert.pem
    cert /var/ipcop/ovpn/certs/servercert.pem
    key /var/ipcop/ovpn/certs/serverkey.pem
    dh /var/ipcop/ovpn/ca/dh1024.pem
    server 192.168.254.0 255.255.255.0
    push "route 192.168.8.0 255.255.254.0"
    keepalive 10 60
    status-version 1
    status /var/log/ovpnserver.log 30
    cipher BF-CBC
    push "dhcp-option DOMAIN ***.***.**"
    push "dhcp-option DNS 192.168.9.4"
    max-clients 100
    tls-verify /var/ipcop/ovpn/verify
    crl-verify /var/ipcop/ovpn/crls/cacrl.pem
    user nobody
    group nobody
    persist-key
    persist-tun
    verb 3

The client configuration is this:

    tls-client
    client
    dev tun
    proto tcp
    tun-mtu 1400
    remote ***.***.** ***
    pkcs12 account.p12
    cipher BF-CBC
    verb 3
    ns-cert-type server

ok. If I use this client configuration from my office computer (Windows XP) everything is fine. I can ping the hosts in the second network. Even names are resolved correctly. Remote desktop etc. pp. No problem.

ok. I stopped this connection. The next step was to establish a connection via Endian fw. So I configured the OpenVPN client (gw2gw). Set up in the extended config section:

    connection type: routed
    block dhcp answ. from tunnel: yes
    protocol: tcp

Then I started the network. The connection could be established. The admin in the second network confirmed this (he could see the connection too). But no ping or any further access was possible. I tried some other configurations but the behaviour was the same every time.

Then I checked the configuration Endian fw generated for my client. Here it is:

    client
    pull
    comp-lzo
    nobind
    resolv-retry infinite
    dev tap2
    pkcs12 <cert>
    ns-cert-type server
    proto tcp
    remote <host:port>
    writepid /var/run/openvpn/client_.pid
    up-delay
    up "/usr/local/bin/dir.d-exec /etc/openvpn/ifup.client.d/"
    down-pre
    down "/usr/local/bin/dir.d-exec /etc/openvpn/ifdown.client.d/"

The first thing is that the client uses the tap device (for routed and also bridged conn. type). Is there a chance to tell Endian fw that it should use the tun device? Is it necessary to add additional routes / rules, or is this done by Endian fw scripts?

many thanks in advance
andreas

Title: Re: openvpn gw 2 gw server tun client tap
Post by: Saltee on Thursday 07 January 2010, 05:53:40 am

sounds like a routing problem - ensure you're pushing your routes correctly
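As an added example, not code from the thread or from Endian, here is a small Python check of the two configs quoted above: it parses the OpenVPN directives, compares the device type on each end (both ends of an OpenVPN tunnel must use the same type; the server's `dev tun` against the Endian client's `dev tap2` is exactly the kind of mismatch that comes up with only a warning and then carries no traffic) and lists the routes the server pushes, which is what Saltee's reply asks to verify. The config excerpts are constructed from the post; `parse_ovpn`, `dev_type` and `check_pair` are names chosen here.

```python
import shlex
from typing import Dict, List

# Constructed excerpts of the two configs quoted in the thread (the IPCop/ZERINA
# server and the Endian-generated client); only the directives the check reads.
SERVER_CONF = """
;local ***.***
dev tun
proto tcp
server 192.168.254.0 255.255.255.0
push "route 192.168.8.0 255.255.254.0"
"""
ENDIAN_CLIENT_CONF = """
client
pull
dev tap2
proto tcp
remote <host:port>
"""

def parse_ovpn(text: str) -> List[List[str]]:
    """Split an OpenVPN config into [directive, args...]; '#' and ';' lines are comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return [shlex.split(ln) for ln in lines if ln and ln[0] not in "#;"]

def dev_type(conf: List[List[str]]) -> str:
    """'dev-type' wins; otherwise strip the unit number from 'dev tunN' / 'dev tapN'."""
    dev = ""
    for d in conf:
        if d[0] == "dev-type":
            return d[1]
        if d[0] == "dev":
            dev = d[1]
    return dev.rstrip("0123456789")

def check_pair(server_text: str, client_text: str) -> Dict[str, object]:
    """Report the server/client mismatches that give a tunnel that connects but carries no traffic."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    sdev, cdev = dev_type(s), dev_type(c)
    problems: List[str] = []
    if sdev != cdev:  # OpenVPN requires the same device type on both ends
        problems.append(f"dev type mismatch: server={sdev} client={cdev}")
    # Routes only reach the client if the server pushes them AND the client pulls.
    routes = [d[1] for d in s if d[0] == "push" and d[1].startswith("route ")]
    accepts = any(d[0] in ("client", "pull") for d in c)
    if not accepts:
        problems.append("client has neither 'client' nor 'pull': pushed routes are ignored")
    return {"server_dev": sdev, "client_dev": cdev, "pushed_routes": routes,
            "client_accepts_push": accepts, "problems": problems}
```

Run `check_pair(SERVER_CONF, ENDIAN_CLIENT_CONF)` to see the tun/tap finding for the configs in the post; the same function works on any pair of real config files once their contents are read in.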