| View previous topic :: View next topic |
| Author |
Message |
wifiED
n00b
Joined: 31 Mar 2008
Posts: 13
Location: South Africa
|
 Posted: Thu Apr 16, 2009 8:04 pm Post subject: OpenVPN server on Gentoo |
 |
|
Hey all
This is the situation i have:
I have a gentoo server with a web application running on it. The server is on a public network (in a datacentre) and the client wishes for me to firewall
all access to the server besides for the IP address of their network and my network for administration.
Network configuration:
IP Server => 196.40.104.2
IP VPN => 10.8.0.0/24
TUN Server => 10.8.0.1
My first instinct was to install OpenVPN which i did and was able to ping the server from the client and visa-versa. But i needed to push the route for the public address (196.40.104.2) to access the web app.
i added it to the openvpn.conf and on first try it worked perfectly with a Windows Vista client. But when i try connect with a XP or server 2003 client i cant ping the vpn network nor the public address from those machines.
Here is my server config:
| Code: |
port 1194
proto tcp
dev tun
ca ca.crt
cert serv.crt
key serv.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
#ifconfig-pool 10.8.0.5 10.8.0.200
ifconfig-pool-persist ipp.txt
push "route 196.40.104.2 255.255.255.255"
keepalive 10 120
comp-lzo
tun-mtu 1500
mssfix 1450
user nobody
group nobody
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
persist-key
persist-tun
status openvpn-status.log
verb 4
|
And the clients config file:
| Code: |
client
dev tun
proto tcp
remote 196.40.104.2 1194
resolv-retry infinite
nobind
persist-key
auth-user-pass
ca ca.crt
comp-lzo
verb 3
|
Any help would be appreciated to help me figure out how i would be able to access the public address via the vpn  |
|
| Back to top |
|
 |
richard.scott
Veteran
Joined: 19 May 2003
Posts: 1497
Location: Oxfordshire, UK
|
| Posted: Sat Apr 25, 2009 3:21 pm Post subject: |
|
|
Does the XP user have admin rights?
If not, add the user into the local "Network Operators Group" so it can setup routing. |
|
| Back to top |
|
|
Mad Merlin
Veteran
Joined: 09 May 2005
Posts: 1155
|
| Posted: Sat Apr 25, 2009 7:23 pm Post subject: |
|
|
If your server in the datacenter only has a single public IP, then I don't think you can accomplish what you're hoping to do. Let's assume your server has the public IP 1.2.3.4, and you VPN to it. Now, you've got a pair of 172.16.1.0/24 IPs (one on the server, one on the client) for the VPN, but the VPN relies on the initial route to 1.2.3.4. But now you want to access 1.2.3.4 over the VPN, which is impossible, because if you set the route for 1.2.3.4 to be over the VPN, the VPN will stop working, see the chicken and the egg problem?
The simple solution is to either access the server through it's VPN IP (172.16.1.0/24) or add a private aliased IP to the server (say, 10.0.0.1) and then set the route for 10.0.0.1 on the clients to be via the VPN (172.16.1.0/24).
_________________
Game! - Where the stick is mightier than the sword! |
|
| Back to top |
|
|
richard.scott
Veteran
Joined: 19 May 2003
Posts: 1497
Location: Oxfordshire, UK
|
| Posted: Sat Apr 25, 2009 8:47 pm Post subject: |
|
|
He's already said it worked under Vista....
In Vista you have to give the openvpn-gui admin rights to run.
In XP you have to either be an admin, or have rights to update the routing table. Adding the user into the Network Operators Group does this for you without having to assign admin rights. |
|
| Back to top |
|
|
|
Networking & Security
