Hi

I have difficulties to connect to dmz zone with openvpn as roadwarrior.

The connection from my laptop to loc zone is working. So i can ping, ssh, print into loc zone.
But somehow I cannot connect into samba server in dmz zone (with proxy arp).

Firewall has public ip in same network as dmz zone computers, so dmz zone is configured with proxy arp.

You can notice in conf file examples that i have push route in /etc/openvpn/openvpn.conf

    push "route 192.168.2.0 255.255.255.128"

But if I will add route to dmz zone all the traffic (even usual traffic to dmz open servers) to firewall and dmz machines will stop.

My OS trustix linux, shorewall 4.0.11, openvpn 2.0.5 (in server), 2.1 (in Win2K)

Thank you for help

Some of my shorewall files

/etc/shorewall/tunnels

    openvpnserver:1194   net   0.0.0.0/0

/etc/shorewall/zones

    fw     firewall
    net    ipv4
    dmz    ipv4
    loc    ipv4
    loc2   ipv4
    road   ipv4

/etc/shorewall/masq

    eth0   eth2
    eth0   eth3
    eth0   eth4

/etc/shorewall/hosts

    loc1   eth2:192.168.2.0/25      routeback
    loc2   eth2:192.168.20.128/25

/etc/shorewall/proxyarp

    x.y.c.z2   eth1   eth0   no   no
    x.y.c.z3   eth1   eth0   no   no

/etc/shorewall/rules

    ACCEPT   net    fw     udp   1194
    ACCEPT   fw     net    udp   1194
    ACCEPT   fw     loc1   udp   1194
    ACCEPT   loc1   fw     udp   1194
    ACCEPT   net    dmz    udp   1194
    ACCEPT   dmz    net    udp   1194
    ACCEPT   fw     dmz    udp   1194
    ACCEPT   dmz    fw     udp   1194

/etc/shorewall/policy

    road   fw     ACCEPT
    fw     road   ACCEPT
    road   dmz    ACCEPT
    dmz    road   ACCEPT
    road   loc1   ACCEPT
    loc1   road   ACCEPT

My OpenVPN files

my client conf file

    pull
    dev tun
    proto udp
    remote myserver 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
    cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client.crt"
    key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client.key"
    comp-lzo
    verb 3

My server conf /etc/openvpn/openvpn.conf

    port 1194
    proto udp
    dev tun
    dh /etc/openvpn/easy-rsa/keys/dh1024.pem
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key
    client-config-dir /etc/openvpn/ccd
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist /etc/openvpn/ipp.txt
    push "route 192.168.2.0 255.255.255.128"
    duplicate-cn
    keepalive 10 120
    max-clients 100
    comp-lzo
    user nobody
    group nobody
    persist-key
    persist-tun
    verb 4

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
Rein Laaneser wrote:
> Hi
>
> I have difficulties to connect to dmz zone with openvpn as roadwarrior.
>
> The connection from my laptop to loc zone is working. So i can ping, ssh, print into loc zone.
> But somehow I cannot connect into samba server in dmz zone (with proxy arp)
>
> Firewall has public ip in same network as dmz zone computers, so dmz zone is configured with proxy arp.
>
> You can notice in conf file examples that i have push route in /etc/openvpn/openvpn.conf
> push "route 192.168.2.0 255.255.255.128"
> But if I will add route to dmz zone all the traffic (even usual traffic to dmz open servers) to firewall and dmz machines will stop.

Without details, it's hard to know -- but I assume that the route you are adding also includes the external address of the firewall itself. This instantly stops the tunnel from working.

I recommend that you follow the problem reporting guidelines at http://www.shorewall.net/support.htm#Guidelines and we will try to help further.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi

I did not explain clearly the mistake I made.

The vpn connection is freezing after the following push directive:

    push "route 89.219.141.144 255.255.255.248"

freezes vpn connection, also

    push "route 192.168.2.0 255.255.255.128"

which works well.

The problem lies that then route to tunnel is same as route to my vpn server. But what i want to do is route only to samba server in same network. If it would be httpd server or other then I would connect to this directly.

What I need is VPN connection which connects in same time to 192.168.2.0 network and same time samba server in my dmz zone.

Advice is given, that need to push route to host (my samba server) not network.
The openvpn config file directive

    push "route 89.219.141.147 255.255.255.248"

did not add the route to OpenVPN client, laptop with Win2K.

How to push host route to client? Or is there another solution for this?

Sincerely
Rein L

Rein Laaneser wrote:
> Some details to follow more clearly about situation.
> As I explained OpenVPN connection is working into my local zone (emk in my example file) with openvpn.conf option
> push "route 192.168.2.0 255.255.255.128"
> When i add also route to dmz zone all vpn connection drops.
>
> shorewall-shell - 4.0.11
> openvpn - 2.0.5-1
Rein Laaneser wrote:
> directly.
>
> What I need is VPN connection which connects in same time to 192.168.2.0 network and same time samba server in my dmz zone.
>
> Advice is given, that need to push route to host (my samba server) not network.
> The openvpn config file directive
> push "route 89.219.141.147 255.255.255.248" did not add the route to OpenVPN client, laptop with Win2K
>
> How to push host route to client?

In the context of OpenVPN, a host route is simply a route with netmask 255.255.255.255.

    push "route <samba server ip address> 255.255.255.255"

Here is an example from my own OpenVPN configuration. I have this in the server configuration:

    push "route 206.124.146.177 255.255.255.255"

The OpenVPN server is at 206.124.146.176. So if I were to push "route 206.124.146.168 255.255.255.240" my tunnel wouldn't work either.

-Tom
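As an added example that is not part of the thread, the check below reads the push "route ..." lines of an OpenVPN server config and flags the two problems discussed above: a pushed route that covers the VPN server's own public address (which pulls the tunnel's packets into the tunnel and freezes it), and a route whose address is not on its netmask's network boundary, which is my inference for why the 89.219.141.147/29 push was not installed on the client. The server address 89.219.141.145 and the sample config are constructed for this example, not taken from the thread.

```python
import ipaddress
import re

# Matches: push "route <network> [netmask] [gateway] [metric]"
PUSH_ROUTE_RE = re.compile(r'^\s*push\s+"route\s+([^"]+)"')


def parse_push_routes(conf_text):
    """Yield (address, netmask) pairs from push "route ..." lines.
    OpenVPN treats a missing netmask as a host route, 255.255.255.255."""
    for line in conf_text.splitlines():
        m = PUSH_ROUTE_RE.match(line)
        if m:
            args = m.group(1).split()
            yield args[0], (args[1] if len(args) > 1 else "255.255.255.255")


def check_push_routes(conf_text, server_ip):
    """Return (directive, problem) pairs for pushed routes that will misbehave.

    'covers server': the route contains the VPN server's public address, so the
        client would send the tunnel's own UDP packets into the tunnel.
    'not a network address': address/netmask is not on a network boundary
        (e.g. 89.219.141.147/29, whose network is 89.219.141.144)."""
    server = ipaddress.ip_address(server_ip)
    problems = []
    for addr, mask in parse_push_routes(conf_text):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if str(net.network_address) != addr:
            problems.append((f"{addr}/{mask}", "not a network address"))
        if server in net:
            problems.append((f"{addr}/{mask}", "covers server"))
    return problems


def host_route(ip):
    """The push directive for a single host, as recommended in the thread."""
    return f'push "route {ipaddress.ip_address(ip)} 255.255.255.255"'


# Constructed sample: the directives from the thread plus Tom's host route.
# The VPN server's own public address is assumed to be 89.219.141.145.
SAMPLE_CONF = """\
server 10.8.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.128"
push "route 89.219.141.144 255.255.255.248"
push "route 89.219.141.147 255.255.255.248"
push "route 89.219.141.147 255.255.255.255"
"""
ASSUMED_SERVER_IP = "89.219.141.145"

if __name__ == "__main__":
    for directive, problem in check_push_routes(SAMPLE_CONF, ASSUMED_SERVER_IP):
        print(f"{directive}: {problem}")
    print(host_route("89.219.141.147"))
```

Only the two /29 pushes are reported; the /25 loc route and the /32 host route pass, which matches what the thread observed.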