openvpn/forwarding problem




My network setup looks (roughly) like this:

"gateway" has a handmade (and by now halfway complicated) iptables
script and an openvpn server (plus some more things that I think
shouldn't matter here).

      +-----------+
      |    DMZ    |
      | 10.66.*.* |
      +-----------+
            |
+------------------------+     +--------------+
|       10.66.0.1        |     |              |
|      13.13.6.110       |-----|     PUB      |
|        gateway         |     |  13.13.6.*   |
|                        |     |  (10.8.0.*)  |
|      13.13.6.125       |     +--------------+
+------------------------+
            |
  +-------------------+
  |     INTERNET      |
  |      *.*.*.*      |
  |    (10.8.0.*)     |
  +-------------------+

10.8.0.* is the virtual openvpn-client address space.
13.13.6.* is the address space of our "public zone". I changed the
numbers so you don't see where I actually work ;-)

* PUB is allowed to make connections to anywhere in INTERNET
* INTERNET and PUB are allowed to connect anywhere in DMZ as long as it is
via openvpn

So far this works quite well.
The only thing that is missing is the ability to connect to machines in
PUB coming from INTERNET via openvpn.

I once tried to add a rule for this but it simply didn't work
(unfortunately I don't remember what *exactly* happened, but everything
was somehow locked up). Even worse, it's already a "working environment",
so it's not easy to just twiddle around a bit with the openvpn.conf and
see what the result is (vpn access from PUB to DMZ is crucial).

My assumption is that if I generally push a route to connect to the
13.13.6.*ers via openvpn, that they wont connect directly to each other
anymore (which does not fully explain the problem to me but I feel it
goes into this direction).

Any general ideas/hints?

Henning

PS:
It's my first vpn installation, so don't be shy to say potentially obvious
things ;-)


--
GPG Public Key:
http://keyserver.ganneff.de:11371/pks/lookup?op=get&search=0xDDD6D36D41911851
Fingerprint: 344F 4072 F038 BB9E B35D E6AB DDD6 D36D 4191 1851
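The access policy described in the post (PUB to INTERNET; INTERNET and PUB to DMZ only through the tunnel; plus the missing VPN-client-to-PUB path) written out as an iptables FORWARD chain. This is an added example, not the poster's script or config: the address ranges are the post's (already changed) ones, while the interface names tun0, eth0, eth1 and eth2, and the availability of the conntrack match, are assumptions. DRY_RUN=1 prints the rules instead of applying them, so the policy can be reviewed without touching a production gateway.

```sh
#!/bin/sh
# Added example, not from the original post: a FORWARD-chain policy for the
# "gateway" host above, using the poster's (already anonymised) address ranges.
# Assumed, because the post does not say: the OpenVPN tunnel is tun0, the DMZ
# hangs off eth0, PUB off eth1, and the Internet uplink is eth2.
# Run with DRY_RUN=1 (or "show") to print the rules instead of applying them.

DMZ_NET=10.66.0.0/16     # DMZ, 10.66.*.*
PUB_NET=13.13.6.0/24     # PUB, 13.13.6.*
VPN_NET=10.8.0.0/24      # OpenVPN client address pool, 10.8.0.*
DMZ_IF=eth0              # assumption
PUB_IF=eth1              # assumption
INET_IF=eth2             # assumption
VPN_IF=tun0              # assumption (OpenVPN default for "dev tun")

# Wrapper so the same policy can be printed (DRY_RUN=1) or applied (as root).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_forward_policy() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # Replies to connections accepted by any rule below.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 1. PUB may open connections to anywhere on the Internet.
    ipt -A FORWARD -i "$PUB_IF" -o "$INET_IF" -s "$PUB_NET" -j ACCEPT
    # 2. INTERNET and PUB may reach the DMZ, but only through the tunnel:
    #    matching on -i tun0 and the 10.8.0.* source is what enforces
    #    "as long as it is via openvpn"; untunnelled traffic from eth2 or
    #    eth1 towards the DMZ never matches and is dropped by the policy.
    ipt -A FORWARD -i "$VPN_IF" -o "$DMZ_IF" -s "$VPN_NET" -d "$DMZ_NET" -j ACCEPT
    # 3. The missing piece: VPN clients may also reach hosts in PUB.
    ipt -A FORWARD -i "$VPN_IF" -o "$PUB_IF" -s "$VPN_NET" -d "$PUB_NET" -j ACCEPT
}

# Rule 3 only helps if the clients send 13.13.6.0/24 into the tunnel, i.e.
# the server config also carries something like
#     push "route 10.66.0.0 255.255.0.0"
#     push "route 13.13.6.0 255.255.255.0"
# Clients that are themselves in PUB would then receive a route for their
# own directly connected network, which is the conflict the post suspects.

case "${1:-}" in
    apply) apply_forward_policy ;;
    show)  DRY_RUN=1 apply_forward_policy ;;
esac
```

`sh gateway-forward.sh show` prints the six commands; `sh gateway-forward.sh apply` installs them (the script only handles the FORWARD chain, so NAT for PUB's Internet access, if the gateway does any, is outside its scope). The pushed 13.13.6.0/24 route is the part to handle with care: OpenVPN's `client-config-dir` with `push-reset` in a per-client file lets the server withhold the global push list from the clients that already sit in PUB, so that route only reaches clients coming in from INTERNET.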