From: Erich T. <eri...@th...> - 2006-03-27 21:36:53
Hi

Thomas Ilsche wrote:
> Hello,
>
> I have a strange situation. I have set up a current stable OpenVPN on a
> Linux box with a Win2k client.
>
> The first strange thing, in ipp.txt it states
>
> test1,10.9.0.4 (not using this)
> user1,10.9.0.8

This is a /30 subnet with the addresses 10.9.0.9 and 10.9.0.10

> However user1 always gets the IP 10.9.0.10 assigned, I could not find
> any evidence why this is.

see above, you probably defined ifconfig-pool-persist

> I have tried a lot of setups and most of the time the client gets a
> strange netmask and DHCP server even though nothing about this is set
> in the config file:
>
> Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.9.0.10/255.255.255.252 on interface
> {...mac...} [DHCP-serv: 10.9.0.9,lease-time: 31536000]

again see above

> also in many setups the gateway was set to 10.9.0.9

ditto

> It would already help if someone could explain this behaviour to me!
>
> More information for if someone has a little time left. I have tried
> _a lot_ of setups, none actually worked like I wanted, some were able
> to actually connect but not do the routing I need.

You probably tried too much, it's easier to stick to the manual pages.

> Here's my setup:
> Local network: 192.168.2.0/24 with
> VPN Server 192.168.2.10 (default gw 192.168.2.1) and
> NAT-Router 192.168.2.1 on a dynamic IP address
> The NAT router forwards a port to the VPN server.
> A client elsewhere in the internet behind an HTTP proxy, this subnet is
> 192.168.5.0/24. I want to enable tunneled NAT internet access for the
> client.
>
> The proxy tunnel seems to work fine, so does the port forwarding.
> What I thought should work:
> On the Linux box I have enabled the following iptables settings:
> Chain FORWARD
> ACCEPT all -- tun0 any 10.9.0.10 anywhere
> ACCEPT all -- eth0 any anywhere 10.9.0.10
>
> nat: Chain POSTROUTING
> SNAT all -- any eth0 10.9.0.10 anywhere to:192.168.2.10

What is this for?

I guess you want to masquerade your traffic coming from the tunnel to have a source address of 192.168.2.10. You best preselect that traffic as coming from the tun interface going anywhere but the local net in the POSTROUTING chain. Then masq it through the outgoing interface.

...

BTW. I am using shorewall to handle my iptables for me, makes life a lot easier.

cheers
Erich
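As an added example (not part of the thread), a POSIX shell script that shows why OpenVPN's default net30 pool turns the ipp.txt entry `user1,10.9.0.8` into client 10.9.0.10 / endpoint 10.9.0.9, and that emits the FORWARD and POSTROUTING rules Erich describes. It assumes the thread's interfaces (tun0, eth0) and subnets; `net30_endpoints` and `vpn_nat_rules` are this example's own helper names.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names and subnets are
# the ones the thread uses; the helper names are assumptions of this example.

# OpenVPN's default "net30" topology hands every client a /30 taken from the
# pool: base = network, base+1 = server-side endpoint (what the TAP driver
# reports as gateway / DHCP server), base+2 = client address, base+3 = bcast.
# ipp.txt stores the base, so "user1,10.9.0.8" always yields 10.9.0.10.
# Prints "<client> <server-endpoint> <netmask>"; fails if base is not a /30.
net30_endpoints() {
    base="$1"
    a=${base%%.*}; rest=${base#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    [ $((d % 4)) -eq 0 ] || return 1
    printf '%s.%s.%s.%s %s.%s.%s.%s 255.255.255.252\n' \
        "$a" "$b" "$c" $((d + 2)) "$a" "$b" "$c" $((d + 1))
}

# Rules for tunneled NAT internet access: forward tunnel traffic out, allow
# only replies back in, and masquerade tunnel traffic that leaves via the
# outgoing interface for anywhere except the local LAN. POSTROUTING cannot
# match the incoming interface, so "coming from the tunnel" is expressed as
# the VPN source net. LAN hosts that are reached unmasqueraded need a route
# for the VPN net pointing at the VPN server (192.168.2.10 in the thread).
# Prints the commands; pass "apply" as the 5th argument to execute them.
vpn_nat_rules() {
    vpn_net="$1" lan_net="$2" tun="$3" wan="$4" mode="${5:-print}"
    run() { if [ "$mode" = apply ]; then "$@"; else echo "$*"; fi; }
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$tun" -s "$vpn_net" -j ACCEPT
    run iptables -A FORWARD -o "$tun" -d "$vpn_net" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$vpn_net" ! -d "$lan_net" \
        -o "$wan" -j MASQUERADE
}

# Dry run with the thread's values; add "apply" as root to install them.
net30_endpoints 10.9.0.8
vpn_nat_rules 10.9.0.0/24 192.168.2.0/24 tun0 eth0
```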