[Firewall] Arno with an OpenVPN static link

Lonnie Abelbeck lists at lonnie.abelbeck.com
Sat Jun 22 23:06:58 CEST 2013


I would try adding on your single interface OpenVPN "server" endpoint:
--
push "route 10.10.10.0 255.255.255.0"
--
That will automatically create the 10.10.10.0/24 route on the dual interface OpenVPN "client" endpoint.  (Alternatively add the route in the client OpenVPN config).

Then on the client (dual NIC) endpoint add AIF variables:

INT_IF="eth1 tun0"  # add tun0 to the Internal interfaces list of the client OpenVPN interface

INTERNAL_NET="192.168.1.0/24 10.10.10.0/24"  # add OpenVPN server network as (virtual) LAN network (isolated by default)

IF_TRUSTS="eth1 tun0"   # allow client LAN (physical and virtual) interfaces to trust each other.

Under this scenario, the client's LAN subnet can talk with any trusted host on the server's 10.10.10.0/24 end.

Hope this helps.

Lonnie


On Jun 22, 2013, at 11:38 AM, Intense Red wrote:

>   I've got 2 machines that run Arno's firewall and I want to connect them with 
> an OpenVPN link to allow machines from a LAN to route out via the OpenVPN 
> link.
> 
>   I'm attaching a 15k png graphic to illustrate the setup, but here's a 
> description:
> 
>   One machine has 1 NIC with a public IP address running Arno for straight 
> firewall purposes. I'm using this machine as the OpenVPN server and the VPN 
> server is set to 10.10.10.1. (Arno's firewall is also doing a NAT on the 
> 10.10.10.* network.)
> 
>   One machine has 2 NICs, one tied to a ppp ADSL connection, and one NIC set 
> to 192.168.1.1. This LAN NIC is using Arno to do IP Masquerading. OpenVPN runs 
> on this machine as a persistent tunnel using 10.10.1.5.
> 
>   Right now the VPN tunnel works between the 2 machines. I can be on the 
> client and can ping the server on 10.10.10.1. I can set up a browser with a 
> proxy at 10.10.10.1 and hit that machine with no problem.
> 
>   My problem is reaching 10.10.10.1 from the 192.168.1.x LAN clients. I'm 
> guessing I need to add a forward or NAT on the DSL/192.168.1.1 server but have 
> not stumbled onto the right tweak in Arno's firewall.conf to make this happen.
> 
>   Could someone whack me with a clue-bat?
> 
> -- 
> "The poor live in conditions determined by the law. The rich change the laws 
> by buying new conditions." -- Stan Goff
> <lan-openvpn.png>
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
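An added example, not code from this thread or from Arno's firewall: a POSIX sh check that the three AIF variables from the reply are consistent with each other (tun0 is internal, the OpenVPN network is inside INTERNAL_NET, and every IF_TRUSTS interface is also in INT_IF), since IF_TRUSTS opens the two LANs to each other and a typo here silently leaves tunnel traffic treated as external. The firewall.conf fragment, the `aif_check` and `cidr_contains` helper names, and the 10.10.10.0/24 value are constructed from the reply.

```shell
#!/bin/sh
# Added example, not code from the thread or from Arno's firewall:
# consistency check for the AIF variables suggested in the reply.

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_contains NET/PREFIX ADDR: succeeds when ADDR lies inside NET/PREFIX.
cidr_contains() {
  net=${1%/*}; bits=${1#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# aif_check CONF VPN_IF SERVER_NET: source CONF (firewall.conf is plain shell
# assignments) and report each inconsistency; the return value is the count.
aif_check() {
  vpn_if=$2; server_net=$3; problems=0
  INT_IF=""; INTERNAL_NET=""; IF_TRUSTS=""
  . "$1"
  case " $INT_IF " in *" $vpn_if "*) ;; *)
    echo "INT_IF lacks $vpn_if: tunnel traffic is handled as external"
    problems=$((problems + 1)) ;;
  esac
  found=0
  for n in $INTERNAL_NET; do cidr_contains "$n" "${server_net%/*}" && found=1; done
  [ "$found" -eq 1 ] || { echo "INTERNAL_NET does not cover $server_net"; problems=$((problems + 1)); }
  for i in $IF_TRUSTS; do           # a trusted interface must itself be internal
    case " $INT_IF " in *" $i "*) ;; *)
      echo "IF_TRUSTS names $i, which is not in INT_IF"
      problems=$((problems + 1)) ;;
    esac
  done
  return "$problems"
}
# Constructed firewall.conf fragment with the values from the reply.
conf=$(mktemp)
cat >"$conf" <<'EOF'
INT_IF="eth1 tun0"
INTERNAL_NET="192.168.1.0/24 10.10.10.0/24"
IF_TRUSTS="eth1 tun0"
EOF
aif_check "$conf" tun0 10.10.10.0/24 && echo "AIF variables are consistent"
```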
