Hello all,
I am having some issues with the OpenVPN implementation:
I am able to connect from externally to the OpenVPN, I am able to ping the clearOS server (192.168.1.100), but am unable to interact with any other hosts (i.e. 192.168.1.101).
I have had to force the client to connect TCP as my ISP does strange things to UDP packets.
I have attempted to push a route to 192.168.1.0 but that doesn't seem to have worked either.
The client is not the issue as I created my own OpenVPN config on a standalone computer and it worked perfectly.
Any suggestions would be greatly appreciated! Thank you.
Accepted Answer
No worries, I found the problem.
I had to adjust the DNS and WINS entries in clients*.conf to
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option WINS 10.8.0.1"
and
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 10.8.10.1"
push "dhcp-option WINS 10.8.10.1"
respectively.
All sorted! Thank you for your help! (Can I buy you a coffee?)
Responses (7)
Accepted Answer
I've done some more testing. Using the ClearOS LAN IP or the OpenVPN LAN IP makes no difference to DNS and browsing the network. The main issue is the Windoze firewall which, by default, blocks anything coming from outside the LAN. This includes OpenVPN. Adding the ClearOS firewall rules sidesteps the issue as it makes all traffic appear to come from the ClearOS server. The other thing to do is configure the Windoze to allow traffic in from various subnets (the Scope tab in the advanced firewall settings).
Accepted Answer
In the standard set up with ClearOS as a gateway you should not need the two firewall rules, unless your LAN devices block incoming traffic not coming from the LAN subnet. This can happen with the Windoze firewall, but is not too common.
For me I push the domain and name resolution by DNS works (but for some reason is much slower if you don't specify the domain name). I think I have some devices which work and some which don't. It is not client specific so very odd. WINS does not seem to work even with any tweaks I do to Samba. By not work I mean I cannot resolve from my LAN devices connected to OpenVPN. I am not sure that things like My Network Places/Neighbourhood work on remote PCs either but I can't remember and have little need for it.
Accepted Answer
Hi Nick,
I reconfigured my box completely, allowing vmware to do a passthrough to one of my NICs, which is now connected to my fibre modem - WAN IP - ok.
Configured ClearOS to be in gateway mode - all clients have internet again.
Added rules:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 10.8.10.0/24 -j MASQUERADE
iptables-save
Remote access to internal IPs now works! Thank you!
Only thing that doesn't work still is internal host name resolution -
DNS DHCP and WINS are all set to
192.168.1.100
Have I configured something incorrectly?
Accepted Answer
The POSTROUTING rule should be something like:
$IPTABLES -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
for the custom firewall module and
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
from the command line. 10.8.0.0/24 should be the subnet that OpenVPN is using. Can you also check that /proc/sys/net/ipv4/ip_forward is set to 1?
It would probably be more normal to add a route in your gateway if you can to redirect anything to 10.8.0.0/24 via 192.168.1.100 rather than try to NAT the incoming packets, but I'd have thought both would work.
Also note that if you want to use OpenVPN from a number of locations, the LAN subnets 192.168.0.0/24 and 192.168.1.0/24 are not a good idea.
If you make ClearOS a gateway remember not to connect both the LAN and WAN to the same physical subnet, and make sure the LAN and WAN subnets are different.
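Added example (not part of the thread and not ClearOS code): a read-only shell check for the three points in the reply above, namely the MASQUERADE rule for the OpenVPN subnet, the ip_forward flag, and the LAN ranges it advises against. The function names and the sample iptables-save text are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only checks for the NAT and forwarding advice above.
# SAMPLE_RULES is constructed iptables-save text, not output from a real server.
SAMPLE_RULES='*filter
:FORWARD ACCEPT [0:0]
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT'

# has_masquerade SUBNET: reads iptables-save text on stdin; succeeds if the nat
# table has a POSTROUTING rule with source SUBNET and target MASQUERADE.
has_masquerade() {
    awk -v net="$1" '
        /^\*/ { table = $1 }
        table == "*nat" && $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (src == net && target == "MASQUERADE") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# forwarding_enabled [FILE]: succeeds if the forwarding flag file contains 1.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# common_home_lan SUBNET: succeeds for the two LAN ranges the reply advises against.
common_home_lan() {
    case "$1" in
        192.168.0.0/24|192.168.1.0/24) return 0 ;;
        *) return 1 ;;
    esac
}

# vpn_nat_report VPN_SUBNET LAN_SUBNET: rules on stdin, one line per finding.
vpn_nat_report() {
    if has_masquerade "$1"; then echo "nat: MASQUERADE present for $1"
    else echo "nat: no MASQUERADE rule for $1"; fi
    if forwarding_enabled; then echo "ip_forward: 1"
    else echo "ip_forward: not 1, VPN-to-LAN routing is off"; fi
    if common_home_lan "$2"; then echo "lan: $2 is a common home range"; fi
    return 0
}
printf '%s\n' "$SAMPLE_RULES" | vpn_nat_report 10.8.0.0/24 192.168.1.0/24
```

On a live server, replace the sample with real rules: `iptables-save | vpn_nat_report 10.8.0.0/24 192.168.1.0/24` (run as root so the nat table is readable).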
Accepted Answer
Hi Nick,
Thanks for the reply.
Indeed it is running in standalone, although I have just purchased some extra patch cables to configure in gateway mode if this is better supported.
I attempted the POSTROUTING entry in iptables to no avail.
If I now configure (Monday) in gateway mode will this resolve my issue?
Many thanks
Accepted Answer
Is your server in standalone mode? If so you will need some static routes either on your gateway or on the individual devices you are trying to connect to. Alternatively you'd need to NAT the incoming packets in ClearOS so that they appear to come from 192.168.1.100 for the rest of your LAN.