On Tue, Apr 26, 2011 at 8:45 AM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:
> On Apr 26, 2011, at 8:32 AM, Nathan Vidican wrote:
> > On Mon, Apr 25, 2011 at 10:36 PM, Ryan Coleman <ryan.cole...@cwis.biz> wrote:
> >>
> >> I've got an OpenVPN connection working to my remote server, but I want to route the traffic to the local LAN.
> >>
> >> I have a bridge set up, pingable... but can't ping the em1 (192.168.46.2) from the remote machine.
> >>
> >> Server.conf:
> >> local 192.168.46.2
> >> port 1194
> >> proto udp
> >> dev tap
> >> ca keys/cacert.pem
> >> cert keys/server.crt
> >> key keys/server.key # This file should be kept secret
> >> dh keys/dh1024.pem
> >> # Don't put this in the keys directory unless user nobody can read it
> >> crl-verify keys/crl.pem
> >> #Make sure this is your tunnel address pool
> >> server 192.168.47.0 255.255.255.0
> >> ifconfig-pool-persist ipp.txt
> >> #This is the route to push to the client, add more if necessary
> >> #push "route 192.168.46.254 255.255.255.0"
> >> push "route 192.168.47.0 255.255.255.0"
> >> push "dhcp-option DNS 192.168.45.10"
> >> keepalive 10 120
> >> cipher BF-CBC #Blowfish encryption
> >> comp-lzo
> >> #fragment
> >> user nobody
> >> group nobody
> >> persist-key
> >> persist-tun
> >> status openvpn-status.log
> >> verb 6
> >> mute 5
> >>
> >>
> >> client.conf:
> >> #Begin client.conf
> >> client
> >> dev tap
> >> proto udp
> >> remote sub.domain.ltd 1194
> >> nobind
> >> user nobody
> >> group nobody
> >> persist-key
> >> persist-tun
> >> #crl-verify
> >> #remote-cert-tls server
> >> ca keys/cacert.pem
> >> cert keys/ryanc.crt
> >> key keys/ryanc.key
> >> cipher BF-CBC
> >> comp-lzo
> >> verb 3
> >> mute 20
> >>
> >> Any ideas? As I said, I can talk to the remote server, but not the local LAN.
> >>
> >> To throw a new curveball in the mix, I'd like to talk to 192.168.45.0/24 - which we have another VPN connecting the two networks (not running on a VPN I can do much with).
> >
> >
> > Do you have packet forwarding (routing /gateway) enabled? An all-important, yet sometimes forgotten step... check if:
> >
> > sysctl net.inet.ip.forwarding
> >
> > returns 1 for enabled or not. You can enable it right away by setting to 1, and/or view the instructions in the handbook for greater detail including how to set as a startup option as well:
> >
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-routing.html
>
> Yes, it is enabled.
>
> And Maciej, I had server-bridge running before and it wasn't routing ICMP, nor anything else.
>
> I have ipnat enabled - as was recommended by one guide - and am routing everything from 192.168.47.0/24 to 0.0.0.0/32 (I'm not well versed on this specific area but that seems like it should be 0/0, right?)
>
> Relevant rc.conf:
> defaultrouter="192.168.46.254"
> hostname="nbserver1.allstatecom.local"
> ifconfig_em0="inet 192.168.46.2 netmask 255.255.255.0"
> openvpn_enable="YES"
> openvpn_configfile="/usr/local/etc/openvpn/server.conf"
> gateway_enable="YES"
> ipnat_enable="YES"
>
> Thanks again,
> Ryan
>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

If you need to route LAN - TO - LAN just enable the client-to-client. It's a Security Feature of OpenVPN http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing

-- 
Still Going Strong!!!
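As an added example (not code from anyone in the thread), the following Python check applies the two points raised above to the server.conf that was posted: whether the kernel forwards (Nathan's sysctl question), and whether the address pool and pushed routes actually give clients a path to the LAN behind em0. The LAN 192.168.46.0/24 is taken from the ifconfig_em0 line in the rc.conf that was quoted; the bridged alternative config, its client pool range and the `ip_forwarding` argument are assumptions constructed for the example. The check reads the config the way a reviewer would: with `dev tap` plus a plain `server` directive, clients get addresses in a different subnet from the bridged LAN, and the only pushed route covers the tunnel subnet itself, so nothing tells the client how to reach 192.168.46.0/24.

```python
import ipaddress

# Server config as posted in the thread (abridged: key, cipher and keepalive
# lines do not affect routing and are left out).
SERVER_CONF_FROM_THREAD = """
local 192.168.46.2
port 1194
proto udp
dev tap
server 192.168.47.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "route 192.168.46.254 255.255.255.0"
push "route 192.168.47.0 255.255.255.0"
push "dhcp-option DNS 192.168.45.10"
user nobody
group nobody
"""

# Constructed alternative (assumption, not from the thread): the tap interface
# is bridged with em0 and clients are handed addresses out of the LAN itself,
# so no pushed route is needed to reach 192.168.46.0/24.
BRIDGED_CONF = """
local 192.168.46.2
port 1194
proto udp
dev tap
server-bridge 192.168.46.2 255.255.255.0 192.168.46.200 192.168.46.220
push "dhcp-option DNS 192.168.45.10"
"""


def parse_openvpn_conf(text):
    """Return (directive, args) pairs; '#' comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def _network(addr, mask):
    # ipaddress accepts dotted netmasks ("192.168.47.0/255.255.255.0") directly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_lan_reachability(conf_text, lan_cidr, ip_forwarding):
    """List reasons VPN clients could not reach lan_cidr with this config.

    ip_forwarding is the value of sysctl net.inet.ip.forwarding on the server
    (passed in so the check runs anywhere, not only on the FreeBSD box).
    """
    lan = ipaddress.ip_network(lan_cidr)
    directives, pushes = {}, []
    for name, args in parse_openvpn_conf(conf_text):
        if name == "push":
            # push "route a.b.c.d m.m.m.m" -> ["route", "a.b.c.d", "m.m.m.m"]
            pushes.append(" ".join(args).strip('"').split())
        else:
            directives.setdefault(name, []).append(args)

    findings = []
    dev = directives.get("dev", [["tun"]])[0][0]

    # Bridged mode: clients sit on the LAN segment; only the pool must be in it.
    if dev.startswith("tap") and "server-bridge" in directives:
        args = directives["server-bridge"][0]
        if len(args) == 4:
            for ip in args[2:]:
                if ipaddress.ip_address(ip) not in lan:
                    findings.append(f"server-bridge pool address {ip} is outside {lan}")
        return findings

    # Routed mode: the server must forward, and the client needs a route.
    if ip_forwarding != 1:
        findings.append("net.inet.ip.forwarding is not 1: server will not forward to the LAN")
    if "server" in directives:
        pool = _network(*directives["server"][0][:2])
        if dev.startswith("tap") and not pool.overlaps(lan):
            findings.append(
                f"dev tap with 'server {pool}' puts clients off the bridged LAN {lan}; "
                "use server-bridge with LAN addresses, or route instead of bridging"
            )
    covered = any(
        p[0] == "route" and len(p) >= 3 and lan.subnet_of(_network(p[1], p[2]))
        for p in pushes
    )
    if not covered:
        findings.append(f"no pushed route covers {lan}: clients have no route to the LAN")
    return findings


if __name__ == "__main__":
    for f in check_lan_reachability(SERVER_CONF_FROM_THREAD, "192.168.46.0/24", 1):
        print("-", f)
```

Run against the posted config with forwarding enabled, the check reports two findings (tap clients on the wrong subnet, and no route to 192.168.46.0/24); against the constructed server-bridge config it reports none. A plain `dev tun` config that pushes `route 192.168.46.0 255.255.255.0` also passes, which is the other way out of the problem: drop the bridge and let the server route, with the LAN hosts (or ipnat) knowing the way back to 192.168.47.0/24.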