Hello everyone,

recently I've configured OpenVPN on a Debian Etch Server with Shorewall. The VPN-Server is used to connect from an external Client to the internal server.

This is my setup:

192.168.0.4 eth0      192.168.0.2 eth1  ext. IP             dyn. IP
                      tun0 10.0.0.1                          tun0 10.0.0.6

Server A ------------- Server B --------------- Client

internal              external
Samba Share           VPN Server / Shorewall                 VPN Client

Now I want the Client to communicate with the internal Server A. I want to forward the Samba Ports to the tun0 interface (10.0.0.1) of Server B, so that I can access the samba share from Server A (192.168.0.4) directly on Server B (10.0.0.1).

I've done the following with Shorewall:

interfaces:
int eth0
net eth1
road tun+

zones:
fw firewall
int ipv4
net ipv4
road ipv4

tunnels:
openvpnserver:1194 net 0.0.0.0/0

policy:
all all REJECT
net all DROP
int all DROP
$FW net REJECT
$FW int ACCEPT
$FW road ACCEPT
int road ACCEPT
road $FW ACCEPT
road int ACCEPT
road net ACCEPT

rules (only the important DNAT rule):
DNAT road int:192.168.0.4 tcp 135,139,445 - 10.0.0.1

OpenVPN works - the client can access everything on Server B (10.0.0.1). But the DNAT ports show up as filtered when I scan the server with nmap and I'll get a timeout when trying to connect to them (also tried with some other protocols like FTP).

Do you have any idea what's wrong here?

Thanks in advance.

Matthias

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Matthias Kellermann wrote:
> Hello everyone,
>
> recently I've configured OpenVPN on a Debian Etch Server with Shorewall.
> The VPN-Server is used to connect from an external Client to the
> internal server.
>
> This is my setup:
>
> 192.168.0.4 eth0      192.168.0.2 eth1  ext. IP             dyn. IP
>                       tun0 10.0.0.1                          tun0 10.0.0.6
>
> Server A ------------- Server B --------------- Client
>
> internal              external
> Samba Share           VPN Server / Shorewall                 VPN Client
>
> Now I want the Client to communicate with the internal Server A. I want
> to forward the Samba Ports to the tun0 interface (10.0.0.1) of Server B,
> so that I can access the samba share from Server A (192.168.0.4)
> directly on Server B (10.0.0.1).
>
> I've done the following with Shorewall:
>
> interfaces:
> int eth0
> net eth1
> road tun+
>
> zones:
> fw firewall
> int ipv4
> net ipv4
> road ipv4
>
> tunnels:
> openvpnserver:1194 net 0.0.0.0/0
>
> policy:
> all all REJECT
> net all DROP
> int all DROP
> $FW net REJECT
> $FW int ACCEPT
> $FW road ACCEPT
> int road ACCEPT
> road $FW ACCEPT
> road int ACCEPT
> road net ACCEPT
>
> rules (only the important DNAT rule):
> DNAT road int:192.168.0.4 tcp 135,139,445 - 10.0.0.1
>
> OpenVPN works - the client can access everything on Server B (10.0.0.1).
> But the DNAT ports show up as filtered when I scan the server with nmap
> and I'll get a timeout when trying to connect to them (also tried with
> some other protocols like FTP).
>
> Do you have any idea what's wrong here?

I think you are taking the wrong approach here; I would be astonished if you could ever make that work.

Rather what you want to do is:

a) Run a WINS server or PDC in your local network; Samba configured as a WINS server works fine for this and you can even run it on the local network.

b) In your OpenVPN server configuration, push the --dhcp-option WINS setting to your windows clients. They can then use the wins server.

c) Be sure to push a route to your local network to your clients (you should be doing that anyway).

As an alternative, you could also switch from your current routed OpenVPN configuration to a bridged one -- that would allow M$ networking to work transparently between your OpenVPN clients and your local network.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>
> I think you are taking the wrong approach here; I would be astonished if you
> could ever make that work.
>
> Rather what you want to do is:
>
> a) Run a WINS server or PDC in your local network; Samba configured as a
> WINS server works fine for this and you can even run it on the local network.

I meant to say that you can even run it on the Firewall (which is what I do).

> b) In your OpenVPN server configuration, push the --dhcp-option WINS setting
> to your windows clients. They can then use the wins server.
>
> c) Be sure to push a route to your local network to your clients (you should
> be doing that anyway).
>
> As an alternative, you could also switch from your current routed OpenVPN
> configuration to a bridged one -- that would allow M$ networking to work
> transparently between your OpenVPN clients and your local network.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
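Tom's points a) to c), together with his correction that the WINS server can live on the firewall itself, as an added OpenVPN server configuration example that is not part of the thread and not code from the Shorewall or OpenVPN projects. It assumes the routed OpenVPN server on Server B uses the 10.0.0.0/24 tunnel network from Matthias's diagram (server tun0 10.0.0.1), that Samba on Server B's internal address 192.168.0.2 is configured as the WINS server, and that the file is /etc/openvpn/server.conf; those addresses and the path are assumptions, not values taken from the thread.

```conf
# /etc/openvpn/server.conf on Server B
# Assumed example, not from the thread: path, tunnel network and WINS address are assumptions.

port 1194
proto udp
dev tun

# Tunnel network; with the OpenVPN 2.x default (net30) topology the server
# takes 10.0.0.1 and the first client 10.0.0.6, as in the diagram.
server 10.0.0.0 255.255.255.0

# c) Push a route to the internal LAN so the road warrior reaches Server A
#    (192.168.0.4) through the tunnel; Shorewall's "road int ACCEPT" policy
#    already admits that traffic, so no DNAT rule is needed.
push "route 192.168.0.0 255.255.255.0"

# b) Hand Windows clients a WINS server so NetBIOS name resolution works over
#    a routed tunnel (broadcasts do not cross it). 192.168.0.2 assumes Samba
#    on the firewall itself with "wins support = yes" in smb.conf [global];
#    point it at 192.168.0.4 instead if Server A is the WINS server.
push "dhcp-option WINS 192.168.0.2"
```

With WINS on Server B the existing `road $FW ACCEPT` policy admits the NetBIOS name service queries from the tunnel, and with WINS on Server A `road int ACCEPT` does the same; no change to the Shorewall policy file is required for either placement. After reconnecting, the client can address the share as \\192.168.0.4\share directly, which sidesteps the DNAT rule whose ports showed up as filtered.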
Tom Eastep wrote:
> I think you are taking the wrong approach here; I would be astonished if you
> could ever make that work.
>
> Rather what you want to do is:
>
> a) Run a WINS server or PDC in your local network; Samba configured as a
> WINS server works fine for this and you can even run it on the local network.
>
> b) In your OpenVPN server configuration, push the --dhcp-option WINS setting
> to your windows clients. They can then use the wins server.
>
> c) Be sure to push a route to your local network to your clients (you should
> be doing that anyway).
>
> As an alternative, you could also switch from your current routed OpenVPN
> configuration to a bridged one -- that would allow M$ networking to work
> transparently between your OpenVPN clients and your local network.

Thanks Tom. I will try the WINS setting. Additionally I will install the OpenVPN server on the same machine where Samba is running. This should be easier to manage because it's all in one place.

Matthias