-
hi,
I just realized:
- you want two sets of users to connect to the same VPN
- regular users cannot see each other, admin users can see everybody
- you're using a 'tun' style setup for this
hmmm, this is quite difficult; the problem is that with a 'tun' style setup the packets between clients never leave openvpn itself, thus iptables does not come into play here. For that you...
2009-11-15 11:41:50 UTC in OpenVPN
-
sounds like an MTU problem; try lowering the tun-mtu and/or fragment parameter on both sides and try again, e.g.
fragment 1300
for starters; if that does not help then try
tun-mtu 1400
see the openvpn manual page for more details on these parameters.
HTH,
JJK.
2009-11-13 09:35:12 UTC in OpenVPN
-
your iptables rules do not make much sense: they read as
the openvpn VPN has addresses in the range 10.232.172.0/24
all traffic with source address 10.232.172.0/24 going OUT over the tun0 interface needs to be masqueraded
but the tun0 interface already is on this subnet!
the first rule would make more sense:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun0 -j...
2009-11-06 21:53:47 UTC in OpenVPN
-
destination: 10.8.0.0
netmask: 255.255.255.0
gw: 192.168.3.100.
2009-11-06 14:36:46 UTC in OpenVPN
-
you don't need to create a route to your home router, but a route FROM your home router: how you do this depends on your home router.
an alternative is to use iptables on the NAS box; try something like
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
2009-11-06 09:06:30 UTC in OpenVPN
-
without config files it is hard to be sure but this looks like a classical routing issue...
- is routing enabled on the NAS box?
cat /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward
and does the home network know that packets entering over the VPN tunnel need to go back into the VPN tunnel?
If your VPN network is 10.8.0.0/24 (the default) then...
2009-11-05 17:03:28 UTC in OpenVPN
-
hi,
you cannot mix two networks like 10.0.0.0/8 and 172.19.0.0/16 in a single openvpn setup: the different networks will never see each other.
you have 2 options:
- choose something like 10.0.10.0/24 for the admin network and adjust your routes accordingly
- use 2 openvpn setups (on 2 different ports) and set up routing between them.
cheers,
JJK.
2009-11-05 15:15:55 UTC in OpenVPN
-
so the vpn clients are on 10.0.0.0/8
the admin systems are on the 172.19.0.0/16 network (not part of the VPN)
right?
then your iptables rules are not matching the right interfaces:
-i tun0 -o tun0
means traffic coming in on the VPN and going out on the VPN again... Most likely you're looking for something like
-i tun0 -o eth0
-i eth0 -o tun0
2009-11-05 10:24:34 UTC in OpenVPN
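A small rule sanity check covering both iptables mistakes pointed out in the replies above (a MASQUERADE rule whose source range is the tun0 subnet itself, and a FORWARD rule that names the same interface for -i and -o). This is an added example, not code from the original posts; the interface subnets and the rule lines are constructed samples.

```python
import ipaddress
import shlex

# Constructed sample: which subnet sits on which interface on the VPN server.
IFACE_SUBNETS = {
    "tun0": ipaddress.ip_network("10.232.172.0/24"),
    "eth0": ipaddress.ip_network("192.168.0.0/24"),
}

# Constructed sample rules: the two questionable ones from the thread and their sensible counterparts.
SAMPLE_RULES = [
    "iptables -t nat -A POSTROUTING -s 10.232.172.0/24 -o tun0 -j MASQUERADE",
    "iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o tun0 -j MASQUERADE",
    "iptables -A FORWARD -i tun0 -o tun0 -j ACCEPT",
    "iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT",
]


def parse_rule(rule):
    """Return the iptables options we care about as a dict (-t, -A, -s, -i, -o, -j)."""
    argv = shlex.split(rule)
    opts = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-t", "-A", "-I", "-s", "-i", "-o", "-j") and i + 1 < len(argv):
            opts[tok] = argv[i + 1]
            i += 2
        else:
            i += 1
    return opts


def lint_rule(rule, iface_subnets=IFACE_SUBNETS):
    """Return a list of findings for one rule; an empty list means nothing suspicious."""
    o = parse_rule(rule)
    findings = []
    # Same interface on both sides only matches VPN-to-VPN traffic, which is rarely intended.
    if o.get("-i") and o.get("-i") == o.get("-o"):
        findings.append("same interface for -i and -o: matches only traffic re-entering " + o["-i"])
    # Masquerading a subnet out of the interface that already carries that subnet is pointless.
    if o.get("-j") == "MASQUERADE" and "-s" in o and "-o" in o:
        src = ipaddress.ip_network(o["-s"], strict=False)
        out_net = iface_subnets.get(o["-o"])
        if out_net is not None and src == out_net:
            findings.append(f"masquerading {src} out of {o['-o']}, which is already on that subnet")
    return findings


def lint_rules(rules, iface_subnets=IFACE_SUBNETS):
    """Map each rule line to its findings."""
    return {r: lint_rule(r, iface_subnets) for r in rules}
```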
-
the server log line
<code>
Tue Nov 3 14:27:45 2009 TCP/UDP: Socket bind failed on local address
[undef]:45000: Address already in use
</code>
suggests that there already is an openvpn instance running; please shut down existing openvpn instances first (a 'killall -9 openvpn' does it the rude way).
cheers,
JJK.
2009-11-04 11:13:54 UTC in OpenVPN
-
hi, the error message
<code>
VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=CA/L=Ontario/O=MarinTechnologies/CN=MarinTechnologiesCA/emailAddress=postmaster@marintechie.com
</code>
pretty much says it all... please verify that this certificate is listed/known as a valid CA cert on the client and server. Also, posting your config files might...
2009-11-03 21:41:11 UTC in OpenVPN