I looked at your previous post re the iroute and it looks fine to me.
Configs look good too.
Hmm, certificates & such I expect.
You could try the whole certificate generation again.
I am assuming that you downloaded OpenVPN for your PC and used Easy RSA to generate the certificates.
If you have Windoze, like me, I edit the vars.bat to set up all of the basic stuff and just change the common name. If you get stuck, I can generate a set and publish them here for you to try.
That way, if you have any doubts about your setup, at least you have something from someone else that you know works.
Triple check your certificates. If they don't, reply and I'll knock up a set for you.
Joined: 08 Jun 2012 Posts: 11 Location: Fayetteville, TN
Posted: Fri Jun 29, 2012 14:31 Post subject:
Here is my setup and routes:
Code:
Home Gateway: 10.51.1.1
Home VPN server: 10.51.1.5
Remote Gateway: 10.51.2.1
Remote VPN Client: 10.51.2.5
VPN Network: 10.50.25.0
on server:
route 10.51.2.0 255.255.255.0
push "route 10.51.1.0 255.255.255.0"
iroute:
iroute 10.51.2.0 255.255.255.0
Just curious, what is your WAN gateway on the WRT54GL?
I think your DMZ is the problem. Your WRT54GL is doing some NATing that is making all traffic look like it's coming from its WAN address (it's called MASQUERADE, and it's supposed to do that).
Basically, your modem has an external IP address, it is then passing traffic on to the WRT54GL on address 192.168.0.1. The WRT54GL then passes traffic to the whole subnet 192.168.3.0 (everything connected to the LAN).
Because your client external IP is what is seen by the VPN server, that is included in the VPN. You also have defined the client LAN in your config file, so that is fine. But since you have another IP as a middle-man in between the external IP and the LAN, it's getting rejected.
If your modem is handing out 192 addresses, that means it's probably a router as well. Unless you just really want another router in there you can:
1. Take the cable that is in the WAN port of your WRT54GL and plug it in to a LAN port.
2. Turn off DHCP and let all clients on the WRT54GL get addresses from the modem.
3. Change your server config file to
Code:
route 192.168.0.0 255.255.255.0
4. And change your iroute to
Code:
iroute 192.168.0.0 255.255.255.0
If you really want to have the extra router in there, that is going to require some NAT configurations. I'm not very fluent in NAT so someone else would need to help you there.
Just curious, what is your WAN gateway on the WRT54GL?
You mean, the WAN IP address of my client WRT54GL? It's 192.168.0.1.
Thank you for your answer, I understand better what is going on... I think you are right, it's my DMZ which is responsible for all my troubles here...
But I prefer to keep the firewall on the WRT54GL; router functionalities of the box provided by my ISP are quite limited... It makes me think about another thing I would like to implement: I'm routing all my traffic over the VPN, including internet traffic, and I would like to create a rule like that in the WRT54GL firewall (on the client side): only allowing outgoing traffic towards my WRT54GL server, and blocking everything else. Then, if my VPN connection is lost, all my traffic going to the WAN will be blocked.
I think that the way to go is to use iptables POSTROUTING, could somebody confirm that?
Joined: 08 Jun 2012 Posts: 11 Location: Fayetteville, TN
Posted: Fri Jul 06, 2012 14:01 Post subject:
If the assigned IP of your WRT54GL is 192.168.0.1 then what is the address of the server that assigned it (your modem)?
Just like 192.168.3.1 is the gateway address for your LAN clients. The WRT54GL is a gateway for all of the traffic on the LAN. Your modem is acting as a gateway for all of the traffic coming from the WRT54GL.
Anyway, knowing the gateway address is not really that important. I was just curious, if address 192.168.0.1 was being used by the client, what the server's address was.
Now, on to the main point. To block client traffic to the local WAN you probably can do it all with FORWARD rules. It might look something like this:
iptables -A FORWARD -i br0 -o eth0 -j DROP
iptables -A FORWARD -i br0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o br0 -j ACCEPT
where the devices are your actual configured devices (check ifconfig to see what they are).
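As an added example (not code from this thread or from DD-WRT), a small POSIX shell script that prints the three FORWARD rules above for given interface names and audits a saved `iptables -S FORWARD` listing to confirm the LAN-to-WAN DROP is hit before any ACCEPT. The interface names br0/eth0/tun0 and the sample listings are assumptions; the audit ignores match extensions such as conntrack state.

```shell
#!/bin/sh
# Added example: generate the kill-switch FORWARD rules from the thread and
# audit an existing FORWARD chain dump for a LAN->WAN leak.

# Print the three rules, parameterised by interface.
# Usage: killswitch_rules <lan_if> <wan_if> <tun_if>
killswitch_rules() {
    lan=$1; wan=$2; tun=$3
    printf 'iptables -A FORWARD -i %s -o %s -j DROP\n' "$lan" "$wan"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$lan" "$tun"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$tun" "$lan"
}

# Read `iptables -S FORWARD` output on stdin and print "blocked" or "leaks".
# iptables stops at the first matching rule, so an ACCEPT that matches
# lan->wan above the DROP defeats the kill switch; a rule with no -i/-o
# matches every interface and is treated as matching lan->wan too.
# Usage: audit_forward <lan_if> <wan_if> < dump.txt
audit_forward() {
    lan=$1; wan=$2
    awk -v lan="$lan" -v wan="$wan" '
        $1 == "-P" && $2 == "FORWARD" { policy = $3 }
        $1 == "-A" && $2 == "FORWARD" {
            in_if = ""; out_if = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") in_if = $(i + 1)
                else if ($i == "-o") out_if = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if ((in_if == "" || in_if == lan) && (out_if == "" || out_if == wan)) {
                if (target == "DROP" || target == "REJECT") { verdict = "blocked"; exit }
                if (target == "ACCEPT") { verdict = "leaks"; exit }
            }
        }
        END {
            # No rule decided: the chain policy does.
            if (verdict == "") verdict = (policy == "DROP") ? "blocked" : "leaks"
            print verdict
        }'
}
```

The OpenVPN client's own UDP/TCP session to the server is generated on the router and traverses the OUTPUT chain, not FORWARD, so these rules do not stop the tunnel itself from coming up.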
Joined: 08 Jun 2012 Posts: 11 Location: Fayetteville, TN
Posted: Fri Jul 13, 2012 15:32 Post subject:
It really doesn't matter since you must have 2-way communication to do anything. If you block one direction, it will block it all.
I just did bridge to WAN because your clients on the bridge are much more likely to initiate a connection to the internet, than from the internet to your clients.