Matthias Kellermann wrote:
> Hello everyone,
>
> recently I've configured OpenVPN on a Debian Etch Server with Shorewall.
> The VPN-Server is used to connect from an external Client to the
> internal server.
>
> This is my setup:
>
>   192.168.0.4  eth0        192.168.0.2  eth1  ext. IP        dyn. IP
>                            tun0 10.0.0.1                     tun0 10.0.0.6
>
>   Server A  -------------  Server B  ---------------  Client
>
>   internal                 external
>   Samba Share              VPN Server / Shorewall     VPN Client
>
> Now I want the Client to communicate with the internal Server A. I want
> to forward the Samba Ports to the tun0 interface (10.0.0.1) of Server B,
> so that I can access the samba share from Server A (192.168.0.4)
> directly on Server B (10.0.0.1).
>
> I've done the following with Shorewall:
>
> interfaces:
>   int   eth0
>   net   eth1
>   road  tun+
>
> zones:
>   fw    firewall
>   int   ipv4
>   net   ipv4
>   road  ipv4
>
> tunnels:
>   openvpnserver:1194  net  0.0.0.0/0
>
> policy:
>   all   all   REJECT
>   net   all   DROP
>   int   all   DROP
>   $FW   net   REJECT
>   $FW   int   ACCEPT
>   $FW   road  ACCEPT
>   int   road  ACCEPT
>   road  $FW   ACCEPT
>   road  int   ACCEPT
>   road  net   ACCEPT
>
> rules (only the important DNAT rule):
>   DNAT  road  int:192.168.0.4  tcp  135,139,445  -  10.0.0.1
>
> OpenVPN works - the client can access everything on Server B (10.0.0.1).
> But the DNAT ports show up as filtered when I scan the server with nmap
> and I'll get a timeout when trying to connect to them (also tried with
> some other protocols like FTP).
>
> Do you have any idea what's wrong here?
I think you are taking the wrong approach here; I would be astonished if you could ever make that work. Rather, what you want to do is:

a) Run a WINS server or PDC in your local network; Samba configured as a WINS server works fine for this and you can even run it on the local network.

b) In your OpenVPN server configuration, push the --dhcp-option WINS setting to your windows clients. They can then use the WINS server.

c) Be sure to push a route to your local network to your clients (you should be doing that anyway).

As an alternative, you could also switch from your current routed OpenVPN configuration to a bridged one -- that would allow M$ networking to work transparently between your OpenVPN clients and your local network.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
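The server-side directives that implement steps b) and c) above, as an added example and not a configuration posted in this thread. It assumes the LAN is 192.168.0.0/24, the tunnel network is 10.0.0.0/24 (so Server B becomes 10.0.0.1) and that Samba on Server A (192.168.0.4) has been made the WINS server in step a).

```conf
# OpenVPN server.conf fragment for Server B (added example; addresses and
# the choice of 192.168.0.4 as WINS server are assumptions, see lead-in).
dev tun
proto udp
port 1194
# Routed mode: the server takes 10.0.0.1, clients get 10.0.0.x leases.
server 10.0.0.0 255.255.255.0

# Step c): clients learn that the internal LAN is reachable through the
# tunnel, so traffic to 192.168.0.4 is sent to Server B rather than to
# the client's default gateway.
push "route 192.168.0.0 255.255.255.0"

# Step b): Windows clients receive a WINS server address and resolve
# NetBIOS names by directed queries to it, instead of by broadcasts,
# which a routed tun interface does not carry.
push "dhcp-option WINS 192.168.0.4"
```

On Server A, `wins support = yes` in the `[global]` section of smb.conf is what turns Samba into the WINS server for step a).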
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
