More detail:
Site #1 (Server) is the subnet 192.168.1.0/24 and router 192.168.1.254.
Actual computer is 192.168.1.100.
Site #2 (Client) is the subnet 192.168.2.0/24 and router 192.168.2.254.
Actual computer is 192.168.2.100.
I've got both Linksys boxes here before actually putting them in the two
different shops I'm trying to help connect together.
The system I'm typing on has the address 192.168.20.4. For the moment,
I'm using
remote 192.168.20.4
in the Client openvpn configuration file. The Client linksys router has
a static route set up for 192.168.20.4 / 255.255.255.0 -> 192.168.2.254.
The Server linksys router has an Application setup to forward UDP port
1194 to 192.168.1.100.
On my own host I can see the packets go by:
13:31:47.067916 IP 192.168.2.100.1235 > 192.168.20.4.1194: UDP, length 60
13:31:47.067927 IP 192.168.2.100.1235 > 192.168.20.4.1194: UDP, length 60
13:31:47.068512 IP 192.168.2.100.1235 > 192.168.20.4.1194: UDP, length 60
13:31:47.068541 IP 192.168.2.100.1235 > 192.168.1.254.1194: UDP, length 60
but the server's openvpn shows nothing in its log. I've got the
firewall disabled on the server system, and also the SPI firewall stuff
in the server's router is disabled. In the same, it's got the VPN
Passthrough stuff (IPSec, etc) all enabled.
The client's router also has the VPN Passthrough stuff enabled.
On my middle-man host I've done
sudo iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --sport 1194 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to 192.168.1.254
to make sure it does its NAT job for me.
I'm hammering my way through everything that could have to do with it,
but I've not yet seen the light. I'm still praying it's a silly mistake
on my host trying to be the go-between. The alternative is trying to go
to both shops (Blackrock and off Grafton St) with the routers in place
and hope it "just works", since I'm happy with the openvpn configs.
B
P.S. Server config:
dev tun
port 1194
local 192.168.1.100
ifconfig 192.168.9.1 192.168.9.2
proto udp
secret key.txt
#comp-lzo ...later
ping 15
ping-restart 300
resolv-retry 300
ping-timer-rem
persist-tun
persist-key
#
persist-local-ip
persist-remote-ip
push "persist-key"
push "persist-tun"
#
status openvpn-status.log
log openvpn.log
verb 4
#keepalive 10 120 ?
#
# Client network side
route 192.168.2.0 255.255.255.0
Client config:
remote 192.168.20.4
port 1194
dev tun
#float ?
ifconfig 192.168.9.2 192.168.9.1
nobind
proto udp
secret key.txt
#comp-lzo ...later
ping 15
ping-restart 300
resolv-retry 300
ping-timer-rem
# Should come from the server doing a push "persist-..."
#persist-tun
#persist-key
status openvpn-status.log
log openvpn.log
verb 4
#keepalive 10 120 ?
#
# Server network:
route 192.168.1.0 255.255.255.0
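An added diagnostic, not part of the original post, that parses the tcpdump lines quoted above and tallies each leg of the DNAT relay (inbound to the go-between, the DNAT'd copy toward the far router, any reply). The relay address 192.168.20.4, target 192.168.1.254 and port 1194 come from the post; the capture is re-typed from it as constructed sample input.

```python
import re
from collections import Counter

# Constructed sample: the four tcpdump lines from the post, re-joined onto single lines.
CAPTURE = """\
13:31:47.067916 IP 192.168.2.100.1235 > 192.168.20.4.1194: UDP, length 60
13:31:47.067927 IP 192.168.2.100.1235 > 192.168.20.4.1194: UDP, length 60
13:31:47.068512 IP 192.168.2.100.1235 > 192.168.20.4.1194: UDP, length 60
13:31:47.068541 IP 192.168.2.100.1235 > 192.168.1.254.1194: UDP, length 60
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)

def parse(capture):
    """One dict per UDP line of tcpdump output; non-matching lines are skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {k: int(v) if k in ("sport", "dport", "len") else v for k, v in m.groupdict().items()}

def relay_tally(capture, relay_ip, target_ip, port):
    """Count packets per relay leg. DNAT rewrites only the destination, so a
    forwarded packet still carrying the client's source is counted as forwarded_unsnat."""
    c = Counter()
    for p in parse(capture):
        if p["dst"] == relay_ip and p["dport"] == port:
            c["inbound"] += 1
        elif p["dst"] == target_ip and p["dport"] == port:
            c["forwarded"] += 1
            if p["src"] != relay_ip:
                c["forwarded_unsnat"] += 1
        elif p["src"] in (target_ip, relay_ip) and p["sport"] == port:
            c["reply"] += 1
    return dict(c)

def diagnose(tally):
    """Turn the tally into the next things to check on the relay host."""
    notes = []
    if tally.get("inbound") and not tally.get("forwarded"):
        notes.append("no DNAT'd copy seen: check the PREROUTING rule and net.ipv4.ip_forward")
    if tally.get("forwarded_unsnat"):
        notes.append("forwarded packets keep the client's source address: the target side "
                     "needs a route back through the relay, or the relay must SNAT/MASQUERADE")
    if tally.get("forwarded") and not tally.get("reply"):
        notes.append("no reply from the target seen: check the far router's port forward "
                     "and the FORWARD rules on the relay")
    return notes
```

On the post's capture this reports three inbound packets, one forwarded copy that still carries 192.168.2.100 as its source, and no replies at all.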