hi there

I'm having trouble doing a dnat for remote desktop to a computer on the openvpn segment. If that computer was on the local network, the rule would be:

DNAT net loc:192.168.1.10 tcp 3389

when I have the computer accessing through openvpn to my network, its IP is 192.168.135.14, so I thought this next rule would work, but it doesn't:

DNAT net vpn:192.168.135.14 tcp 3389

Can anybody help me?

TIA

Ignacio

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
-------------------------------------------------------------------------
Oenus Tech Services wrote:
> hi there
>
> I'm having trouble doing a dnat for remote desktop to a computer on the
> openvpn segment. If that computer was on the local network, the rule
> would be:
>
> DNAT net loc:192.168.1.10 tcp 3389
>
> when I have the computer accessing through openvpn to my network, its IP
> is 192.168.135.14, so I thought this next rule would work, but it doesn't:
>
> DNAT net vpn:192.168.135.14 tcp 3389
>
> Can anybody help me?

Does the default route at 192.168.135.14 go back through the OpenVPN tunnel? If not, this will never work.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
Tom Eastep wrote:
> Oenus Tech Services wrote:
>> when I have the computer accessing through openvpn to my network, its IP
>> is 192.168.135.14, so I thought this next rule would work, but it doesn't:
>>
>> DNAT net vpn:192.168.135.14 tcp 3389
>>
>> Can anybody help me?
>
> Does the default route at 192.168.135.14 go back through the OpenVPN tunnel?
> If not, this will never work.
>
> -Tom

I'm afraid not. The default route is the internet router gateway ip, which could be anything depending where I'm connecting from. The route to the remote openvpn server is 192.168.135.13.

Then my next question should go to the openvpn list, but I'll ask anyway here, in case someone has knowledge of it: can I do a push "redirect-gateway" for a specific openvpn client instead of doing it globally on the server?

TIA,

Ignacio

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

-------------------------------------------------------------------------
The other way is to basically do both DNAT and SNAT. The packet is basically 'proxied' by your router. That way it comes back to you and you do DNAT/SNAT and send it to the original source.

If you need to do this for just one port, Stunnel, or ssh tunnel, or any other variant will work for you.

Prasanna.

On 4/25/07, Oenus Tech Services <oenustech@oenus.com> wrote:
> Tom Eastep wrote:
> > Oenus Tech Services wrote:
> >
> >> when I have the computer accessing through openvpn to my network, its IP
> >> is 192.168.135.14, so I thought this next rule would work, but it doesn't:
> >>
> >> DNAT net vpn:192.168.135.14 tcp 3389
> >>
> >> Can anybody help me?
> >
> > Does the default route at 192.168.135.14 go back through the OpenVPN tunnel?
> > If not, this will never work.
> >
> > -Tom
>
> I'm afraid not. The default route is the internet router gateway ip,
> which could be anything depending where I'm connecting from. The route
> to the remote openvpn server is 192.168.135.13.
>
> Then my next question should go to the openvpn list, but I'll ask anyway
> here, in case someone has knowledge of it: can I do a push
> "redirect-gateway" for a specific openvpn client instead of doing it
> globally on the server?
>
> TIA,
>
> Ignacio

-------------------------------------------------------------------------
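
The DNAT-plus-SNAT approach from the message above, sketched as Shorewall configuration. This is an added example, not part of the original thread; the interface name `tun0` and the firewall's tunnel address 192.168.135.1 are assumptions, and the `masq` file layout shown is the one used by Shorewall releases of that period.

```conf
# /etc/shorewall/rules
# The rule from the thread: forward RDP arriving from the net zone to the
# host on the OpenVPN segment.
#ACTION  SOURCE  DEST                PROTO  DEST PORT(S)
DNAT     net     vpn:192.168.135.14  tcp    3389

# /etc/shorewall/masq
# Rewrite the source address of those forwarded connections to the
# firewall's own tunnel address. The RDP host then replies to an address it
# reaches through the tunnel, even though its default route points at
# whatever local gateway it happens to be behind.
# Assumed: tun0 is the OpenVPN interface, 192.168.135.1 is the firewall's
# address on the tunnel network.
#INTERFACE            SOURCE     ADDRESS        PROTO  PORT(S)
tun0:192.168.135.14   0.0.0.0/0  192.168.135.1  tcp    3389
```

With the source rewritten, the RDP host sees every session as coming from the firewall's tunnel address, so the real client address is only available in the firewall's own logs.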
Oenus Tech Services wrote:
> Tom Eastep wrote:
>> Oenus Tech Services wrote:
>
>>> when I have the computer accessing through openvpn to my network, its IP
>>> is 192.168.135.14, so I thought this next rule would work, but it doesn't:
>>>
>>> DNAT net vpn:192.168.135.14 tcp 3389
>>>
>>> Can anybody help me?
>> Does the default route at 192.168.135.14 go back through the OpenVPN tunnel?
>> If not, this will never work.
>>
>> -Tom
>
> I'm afraid not. The default route is the internet router gateway ip,
> which could be anything depending where I'm connecting from. The route
> to the remote openvpn server is 192.168.135.13.
>
> Then my next question should go to the openvpn list, but I'll ask anyway
> here, in case someone has knowledge of it: can I do a push
> "redirect-gateway" for a specific openvpn client instead of doing it
> globally on the server?
>

Yes. Use CCDs (client-config-directories -- see the openvpn documentation).

-Tom

-------------------------------------------------------------------------
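
A per-client `redirect-gateway` using a client-config-dir, as the reply above suggests. This is an added example, not part of the original thread; the directory `/etc/openvpn/ccd` and the Common Name `rdp-host` are assumptions, and the tunnel addresses are the ones quoted in the thread.

```conf
# --- server.conf (OpenVPN server) ---
# For each connecting client, read an extra file from this directory whose
# name equals the Common Name of the client's certificate.
client-config-dir /etc/openvpn/ccd

# --- /etc/openvpn/ccd/rdp-host ---
# "rdp-host" is an assumed Common Name; the file name must match the
# certificate's CN exactly, so this client needs its own certificate.

# Pin the client's tunnel address and peer so the firewall's DNAT rule for
# 192.168.135.14 always points at the same machine.
ifconfig-push 192.168.135.14 192.168.135.13

# Pushed to this client only: send its default route through the tunnel,
# so replies to forwarded RDP connections return via the firewall.
push "redirect-gateway def1"
```

Once the default route is redirected, all of that client's Internet traffic passes through the VPN server, so the firewall policy has to allow and masquerade vpn-to-net traffic for it.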
ok. thanks so much, Tom

Ignacio

>> Then my next question should go to the openvpn list, but I'll ask anyway
>> here, in case someone has knowledge of it: can I do a push
>> "redirect-gateway" for a specific openvpn client instead of doing it
>> globally on the server?
>>
>
> Yes. Use CCDs (client-config-directories -- see the openvpn documentation).
>
> -Tom

-------------------------------------------------------------------------