[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] Openvpn and win2003 as a internet gateway?

  • Subject: Re: [Openvpn-users] Openvpn and win2003 as a internet gateway?
  • From: Peter Barwich <pbarwich@xxxxxxxxxxx>
  • Date: Sun, 08 Jul 2007 15:39:01 +0100
As far as I know there is no firewall on the server.

I have not setuped such a thing.

The basic firewall is not turned on in ”routing and remote access”

 

Server:

--------------------------------------------------------------------

management localhost 7505

push "echo ----------- VPN kobling ----------- "

port 1195

proto udp

dev tun

ca ca.crt

cert balder.crt

key balder.key  # This file should be kept secret

dh dh2048.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

;client-config-dir ccd

push "redirect-gateway def1"

push "dhcp-option DNS 10.8.0.1"

push "dhcp-option WINS 10.8.0.1"

keepalive 10 120

tls-auth ta.key 0 # This file is secret

comp-lzo

max-clients 100

persist-key

persist-tun

status openvpn-status.log

verb 3

 

 

client:

-------------------------------------------------

client

dev tun

proto udp

remote my-server-2 1194

resolv-retry infinite

nobind

persist-key

persist-tun

ca ca.crt

cert test.crt

key test.key

ns-cert-type server

tls-auth ta.key 1

comp-lzo

verb 3

 

are there anyone here that successfully setuped a win2003 as internet gateway with openvpn?

 

Thor

 

 

Fra: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx] På vegne av Paul Wright
Sendt: 7. juli 2007 22:52
Til: Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Emne: Re: [Openvpn-users] Openvpn and win2003 as a internet gateway?

 

The connection is made successfully… but traffic seems to be dropped on the win2003 server.

MULTI: bad source address from client [10.0.0.121], packet dropped

 

I'm guessing that a firewall rule is dropping the packet because it is sourced from an RFC1918 address.  What can you tell us about the configuration on the Win2003 server?

paul

By the way

Adding this to the server config

client-config-dir ccd

and this to the client text file in ccd dir

iroute 10.0.0.0 255.255.255.0

 

makes the errors in the log dissapear, but still no dice!

I'd be inclined to simplify things a bit: -

Firstly don't push the gateway until you have a reliable connection. Delete "push "redirect-gateway def1""

Secondly don't try and assign IPs to your vpn by WINS until you have sorted out a connection. OVPN will assign the vpn addresses. There are, I believe, ways to allow WINS to assign IPs in the servers own LAN subnet, but there are some difficulties with tun adaptors in that you need to use /30 subnets. Is that why you use 10.0.0.121] to keep it well away from LAN addresses?

And thirdly I'm not sure you need your ccd file directive (iroute 10.0.0.0 255.255.255.0) This is supposed to be telling the server where the clients LAN subnet is, but it is the same subnet as the VPN which will be a problem. Have a look at http://openvpn.net/howto.html#scope, which implies that this is needed if you want machines on the client LAN to have access to the server LAN. Again, keep it simple to begin with

There was a lot of discussion on point 2 and /30 subnets in this mailing list. Review at http://news.gmane.org/gmane.network.openvpn.user.

Peter