Trying to tunnel services over OpenVPN, such as SSH and VNC. What am I doing wrong?
SUSEfirewall2 config:
# Interface-to-zone mapping. NOTE(review): the dmesg lines further down log drops
# for IN=tun0 with the "INext" prefix, i.e. those packets were handled as
# external-zone traffic although tun0 is listed in FW_DEV_INT — confirm that the
# running ruleset ("iptables -L INPUT -nv") matches this file and that the
# firewall was restarted after it was edited.
FW_DEV_EXT="any eth0"
FW_DEV_INT="tun0"
# Routing between zones is on; masquerading is off. FW_MASQ_DEV / FW_MASQ_NETS
# presumably have no effect while FW_MASQUERADE is "no".
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
# Traffic from the internal zone (tun0) is not filtered by the host.
FW_PROTECT_FROM_INT="no"
# Services reachable from the external zone: ident (113/tcp), OpenVPN (1194/udp)
# and sshd. VNC (5901/tcp, the port being dropped in the dmesg output) is not
# opened for any zone here; presumably it is meant to be reachable only through
# the tunnel.
FW_SERVICES_EXT_TCP="113"
FW_SERVICES_EXT_UDP="1194"
FW_CONFIGURATIONS_EXT="sshd"
FW_SERVICES_ACCEPT_EXT="0/0,tcp,113"
# Log only "critical" drops/accepts; FW_LOG_DROP_ALL="no" means most dropped
# packets never reach dmesg, so the log excerpt below is not the full picture.
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
# ICMP echo: answered on the firewall host itself, not for DMZ/external hosts.
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
# Internal-zone packets that are not accepted get a REJECT instead of a silent DROP.
FW_REJECT_INT="yes"
FW_IPSEC_TRUST="no"
# Extra conntrack helper loaded at start (NetBIOS name service).
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
SUSEfirewall2-custom config:
fw_custom_before_antispoofing() {
    # SuSEfirewall2 hook, called before the anti-spoofing rules are installed.
    # No custom rules at this point; just report success.
    :
}
fw_custom_after_antispoofing() { # could also be named "before_port_splitting()"
    # SuSEfirewall2 hook, called after the anti-spoofing rules are installed.
    # Intentionally empty; return success so the firewall script continues.
    :
}
fw_custom_before_port_handling() {
    # SuSEfirewall2 hook, called before the per-service port rules are built.
    # Nothing custom here; succeed.
    :
}
fw_custom_before_masq() { # could also be named "after_port_handling()"
    # SuSEfirewall2 hook, called before the masquerading rules are installed.
    # No custom rules; succeed.
    :
}
fw_custom_before_denyall() { # could also be named "after_forwardmasq()"
    # SuSEfirewall2 hook, called just before the final deny-all rules are added.
    # Accepts every packet arriving on, leaving via, or forwarded through any
    # tun* interface (INPUT, OUTPUT and both FORWARD directions), so the VPN side
    # is treated as fully trusted — any port on the host, e.g. 5901/tcp, becomes
    # reachable from every tunnel peer.
    # NOTE(review): these rules are appended (-A). The dmesg lines further down
    # show tun0 packets dropped with the "SFW2-INext-DROP-DEFLT" prefix, which
    # suggests they are dispatched to the external-zone chain before anything
    # appended to INPUT here is consulted — verify with "iptables -L INPUT -nv".
    for chain_and_dir in "INPUT -i" "OUTPUT -o" "FORWARD -i" "FORWARD -o"; do
        # $chain_and_dir is deliberately unquoted: it expands to "<chain> <-i|-o>".
        iptables -A $chain_and_dir tun+ -j ACCEPT
    done
    true
}
openvpn server config:
;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key # This file should be kept secret
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;client-to-client
;duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
comp-lzo
;max-clients 100
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
;log openvpn.log
;log-append openvpn.log
verb 3
;mute 20
dmesg output:
SFW2-INext-DROP-DEFLT IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=10.8.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=408 DF PROTO=TCP SPT=1284 DPT=5901 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405580103030801010402)
SFW2-INext-DROP-DEFLT IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=10.8.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=414 DF PROTO=TCP SPT=1284 DPT=5901 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405580103030801010402)
SFW2-INext-DROP-DEFLT IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=10.8.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=423 DF PROTO=TCP SPT=1284 DPT=5901 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (0204055801010402)
--------------------------------------------------
Brian Vagnoni
PGP Digital Fingerprint
F076 6EEE 06E5 BEEF EBBD BD36 F29E 850D FC32 3955
--------------------------------------------------