On Wednesday, January 25, 2017 10:17:47 AM MST Tom Eastep wrote:
> On 01/25/2017 10:01 AM, Thomas Fjellstrom wrote:
> > On Wednesday, January 25, 2017 12:31:22 PM MST Roberto C. Sánchez wrote:
> >> On Wed, Jan 25, 2017 at 09:56:13AM -0700, Thomas Fjellstrom wrote:
> >>> I'm basically getting what I had before:
> >>> 
> >>> lan# ping VPNINTHOST
> >>> 
> >>> fw# tcpdump -i eth0 host VPNGW
> >>> 09:46:47.622220 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> >>> 09:46:48.646222 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> >>> 09:46:50.665662 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> >>> 09:46:51.686162 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> >>> 09:46:52.710196 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> >>> 09:46:54.729324 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> >>> 09:46:55.750166 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> >>> 09:46:56.774188 IP MYIP.57800 > 149.56.251.50.openvpn: UDP, length 85
> >>> 09:46:56.830549 IP VPNGWIP.openvpn > MYIP.57800: UDP, length 69
> >>> 
> >>> And that's it. Many packets go out, very few come back.
> >>> 
> >>> The vpn works fine via an openvpn client connection through
> >>> NetworkManager on a local lan computer. But so far not having
> >>> luck setting it up on the firewall.
> >> 
> >> This sounds like an OpenVPN routing problem.  Have you compared
> >> the configurations you are using via NetworkManager and the CLI
> >> client?
> > 
> > They were very close, I've now made them match and have the same
> > results.
> 
> I suspect that in your OpenVPN config, you need to push a route to
> your local LAN, so that the remote endpoint knows to route traffic to
> that LAN through the VPN.

Routes are getting pushed from the vpn server, and being set up on the firewall,
and pings from a lan host get sent out over the vpn connection, which can be
seen from the tcpdump log as traveling over the openvpn port on the wan
connection.

I've been looking at various openvpn guides and such, but so far there doesn't
seem to be a way for me to push up a route to the server if it isn't already
configured to allow it.

> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users


-- 
Thomas Fjellstrom
tho...@fjellstrom.ca
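
Added example, not part of the original thread and not the configuration of either poster: the server-side OpenVPN settings that a route back to a client-side LAN depends on, for a routed (dev tun) server. The subnet 192.168.10.0/24, the directory name ccd and the client name fw-client are assumed placeholders.

```conf
# --- server.conf (on the OpenVPN server; assumes a routed "dev tun" setup) ---

# Read per-client files from this directory. Each file is named after the
# Common Name of the connecting client's certificate.
client-config-dir ccd

# Kernel route on the server host: traffic for the client-side LAN is handed
# to the OpenVPN tunnel. 192.168.10.0/24 is a placeholder for that LAN.
route 192.168.10.0 255.255.255.0

# --- ccd/fw-client (placeholder name; must equal the firewall's cert CN) ---

# Internal route: tells the OpenVPN server which connected client owns the
# subnet. Without it, the server discards packets whose source address is a
# LAN host behind that client, and it has no client to deliver replies to.
iroute 192.168.10.0 255.255.255.0
```

Both directives live on the server, so they cannot be supplied from the client side. When the `iroute` entry is missing, the server log reports a bad source address for the dropped packets.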
