Hi,
Thanks for the reply.
Configuring openvpn in tcp mode doesn't seem to work. So, I changed it to
udp, and added the following three rules in my firewall.
iptables -vA FORWARD -p udp --dport 1194 -j ACCEPT
iptables -vt nat -I PREROUTING -d a.b.c.d -p udp --dport 1194 -j DNAT --to
vpn_server_ip:1194
iptables -v -I FORWARD -d vpn_server_ip -p udp --dport 1194 -j ACCEPT
Now, Im able to make the initial connection with the server. But I cant
ping between the server (10.8.0.1 <http://10.8.0.1>) and the client (
10.8.0.2 <http://10.8.0.2>) . The server displays 'no route to host' and the
client displays the following message while I ping from the client.
Mon Nov 21 14:59:33 2005 us=164067 NOTE: failed to obtain options
consistency in
fo from peer -- this could occur if the remote peer is running a version of
Open
VPN before 1.5-beta8 or if there is a network connectivity problem, and will
not
necessarily prevent OpenVPN from running (0 bytes received from peer, 0
bytes a
uthenticated data channel traffic) -- you can disable the options
consistency ch
eck with --disable-occ.
Am I missing anything?
Thanks & Regards,
Mohan.
On 11/19/05, S Mohan <smohan@xxxxxxxx> wrote:
Your SNAT rule should use the public IP (a.b.c.d mentioned in the DNAT
rule)
as the source address to be translated to and must have source address
check
for 192.168.1.127 <http://192.168.1.127> before NAT'ting. Your current
configuration will not work
as the reply is not coming from the IP that the initiating msg was sent
to.
Modify
"iptables -t nat -A POSTROUTING -p tcp -d
192.168.1.127<http://192.168.1.127>--dport 1194 -j SNAT
--to-source 192.168.1.1 <http://192.168.1.1>"
to
"iptables -t nat -A POSTROUTING -p tcp -s
192.168.1.127<http://192.168.1.127>--sport 1194 -j SNAT
--to-source a.b.c.d:1194"
Regards
Mohan
-----Original Message-----http://192.168.1.127:1194/>
From: ilugc-bounces@xxxxxxxxxxxxx
[mailto:ilugc-bounces@xxxxxxxxxxxxx] On Behalf Of Mohan SK
Sent: Friday, November 18, 2005 4:23 PM
To: Binand Sethumadhavan
Cc: ILUGC
Subject: Re: [Ilugc] OpenVPN fails thru firewall
Here are my rules.
# vpn a.b.c.d:1194-->192.168.1.127:1194 <http://192.168.1.127:1194>
<http://192.168.1.127:1194/> (vpn)
iptables -A FORWARD -i eth2 -p tcp --dport 1194 -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p tcp -d a.b.c.d
--dport 1194 -j DNAT --to-destination
192.168.1.127:1194<http://192.168.1.127:1194>
<http://192.168.1.127:1194/>
iptables -t nat -A OUTPUT -p tcp -d a.b.c.d --dport 1194 -j
DNAT --to-destination 192.168.1.127:1194 <http://192.168.1.127:1194> <
-j SNAT --to-source
iptables -t nat -A POSTROUTING -p tcp -d
192.168.1.127 <http://192.168.1.127><http://192.168.1.127/>--dport 1194
192.168.1.1 <http://192.168.1.1> <http://192.168.1.1/>
Mohan.
On 11/18/05, Binand Sethumadhavan <binand@xxxxxxxxx> wrote:
IPSec, L2TP,
OK, I just checked OpenVPN's website - they have this bit:
"OpenVPN is an SSL VPN and as such is not compatible with
or PPTP."_______________________________________________
All my earlier posts were assuming you were building an IPSec VPN
system. So ignore all of them. It seems to me that your problem is
that the iptables rules are unidirectional - can you post the rules
here?
Binand
_______________________________________________
To unsubscribe, email ilugc-request@xxxxxxxxxxxxx with "unsubscribe
<password> <address>"
in the subject or body of the message.
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
To unsubscribe, email ilugc-request@xxxxxxxxxxxxx with
"unsubscribe <password> <address>"
in the subject or body of the message.
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc
