Brian Vagnoni on 8 Nov 2009 16:11:37 -0800



Re: [PLUG] OpenVPN Help Adjusted


Trying to tunnel services over OpenVPN, like ssh and vnc. What am I doing wrong?

SUSEfirewall2 config:

# SuSEfirewall2 zone/service configuration as posted. These are shell variable
# assignments that SuSEfirewall2 sources when it builds its iptables rule set.
#
# Zones: eth0 is external, and "any" also maps interfaces that are not assigned
# to another zone onto ext. tun0 (the OpenVPN device, "dev tun" in the server
# config) is declared internal.
FW_DEV_EXT="any eth0"
FW_DEV_INT="tun0"
FW_DEV_DMZ=""
# Routing between zones is enabled; masquerading is not.
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
# "no" means the internal zone is fully trusted: nothing arriving on an int-zone
# interface is filtered. NOTE(review): the dmesg lines in this post
# (SFW2-INext-DROP-DEFLT IN=tun0) show tun0 traffic being handled by the *ext*
# chain instead, so the tun0->int assignment was apparently not in effect when
# those packets arrived (e.g. the firewall was started before this change or
# before tun0 existed) -- confirm against the live rule set, not this file.
FW_PROTECT_FROM_INT="no"
# Services opened towards the external zone: ident/auth (tcp 113), OpenVPN
# (udp 1194, matching "port 1194"/"proto udp" in the server config) and sshd.
FW_SERVICES_EXT_TCP="113"
FW_SERVICES_EXT_UDP="1194"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="sshd"
# DMZ zone: no services opened (and no DMZ interface is defined above).
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
# INT zone: nothing listed; with FW_PROTECT_FROM_INT="no" that zone is already
# unfiltered, so these entries only matter if protection is turned on later.
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
# Duplicates the tcp 113 entry above, explicitly from any source (0/0).
FW_SERVICES_ACCEPT_EXT="0/0,tcp,113"
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
# No forwarding is configured here even though FW_ROUTE="yes"; the custom hook
# script in this post appends its own FORWARD accepts for tun+ instead.
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
# Logging: only "critical" drops/accepts are logged -- this is what produced the
# SFW2-INext-DROP-DEFLT lines in the dmesg excerpt.
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
# ICMP echo: the firewall host answers pings; DMZ/EXT ping handling is off.
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
# NOTE(review): this names the custom rules script to load, and it is EMPTY.
# Unless SuSEfirewall2 applies a default elsewhere, the SuSEfirewall2-custom
# hooks shown later in this post (the tun+ ACCEPT rules) are never read, which
# would by itself explain the dropped tun0 packets. It normally points at the
# custom script under /etc/sysconfig/scripts -- verify the path on the host.
FW_CUSTOMRULES=""
# Rejected (not silently dropped) packets for the internal zone.
FW_REJECT=""
FW_REJECT_INT="yes"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
# Extra conntrack helper for NetBIOS name service broadcasts.
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""



SUSEfirewall2-custom config:

fw_custom_before_antispoofing() {
	# SuSEfirewall2 hook run before its anti-spoofing rules are installed.
	# Nothing is added at this point; report success so the firewall continues.
	return 0
}

fw_custom_after_antispoofing() { # equivalently "before_port_splitting()"
	# SuSEfirewall2 hook run after the anti-spoofing rules and before port
	# splitting. No site-specific rules here; succeed unconditionally.
	return 0
}

fw_custom_before_port_handling() {
	# SuSEfirewall2 hook run before the per-port service rules are built.
	# Empty hook: nothing to install, exit status 0.
	return 0
}

fw_custom_before_masq() { # equivalently "after_port_handling()"
	# SuSEfirewall2 hook run after port handling and before masquerading rules.
	# Nothing site-specific is needed here; always succeed.
	return 0
}

fw_custom_before_denyall() { # could also be named "after_forwardmasq()"
# SuSEfirewall2 hook run just before it installs its final deny rules.
# Appends blanket ACCEPT rules for every tun* interface to the built-in chains:
# VPN peers may reach this host (INPUT), be answered (OUTPUT) and be routed
# through it in either direction (FORWARD).
#
# NOTE(review): this script is only read when FW_CUSTOMRULES names it, and the
# SuSEfirewall2 config in this post has FW_CUSTOMRULES="" -- so these rules are
# most likely never installed. The dmesg lines (SFW2-INext-DROP-DEFLT IN=tun0)
# fit that: the tun0 SYN reached the ext zone's default drop without matching
# any tun+ accept. `iptables -L INPUT -n -v` on the host will show whether the
# rule exists and where it sits relative to the zone jumps.
#
# NOTE(review): "-i tun+ -j ACCEPT" trusts every VPN peer on every port and
# protocol, and the FORWARD pair lets any peer route through this host. The
# post only needs ssh and vnc (the dropped packet is DPT=5901); limiting these
# to -s 10.8.0.0/24 (the "server" pool) and the required ports, or using the
# zone mechanism (FW_DEV_INT / FW_SERVICES_INT_TCP) instead of raw rules, keeps
# exposure to what is actually required.

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -o tun+ -j ACCEPT

# The hook always reports success; a failing iptables call above is not
# propagated to SuSEfirewall2.
true
}

openvpn server config:

# OpenVPN server configuration as posted. Lines beginning with ';' are options
# from the sample file that are left disabled.
;local a.b.c.d
# Listens on udp/1194, matching FW_SERVICES_EXT_UDP="1194" in the firewall
# config; tcp transport is disabled.
port 1194
;proto tcp
proto udp
# Routed (tun) mode: the tunnel shows up as tun0, the interface the firewall
# config places in its internal zone.
;dev tap
dev tun
;dev-node MyTap
# PKI material generated with easy-rsa; server.key must remain root-only.
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key  # This file should be kept secret
# NOTE(review): 1024-bit DH parameters; generate a larger group (2048 bits or
# more) once all clients support it.
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
# Tunnel pool 10.8.0.0/24: the server takes 10.8.0.1 and clients are assigned
# from the rest (the dmesg excerpt shows 10.8.0.6 -> 10.8.0.1).
server 10.8.0.0 255.255.255.0
# Relative path, resolved against the daemon's working directory -- presumably
# /etc/openvpn; verify against the init script.
ifconfig-pool-persist ipp.txt
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# No routes, DNS or default gateway are pushed and client-to-client is off, so
# clients only see the 10.8.0.0/24 tunnel network unless they add routes.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway"
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"
;client-to-client
;duplicate-cn
# Ping every 10 s, declare the peer dead after 120 s of silence.
keepalive 10 120
# NOTE(review): tls-auth is disabled, so any host that can reach udp/1194 may
# start a TLS handshake. Enabling it (clients carry the same ta.key with
# direction 1) makes the server discard unsigned packets before the handshake.
;tls-auth ta.key 0 # This file is secret
# No cipher is set, so the build's default (BF-CBC per the sample comment) is
# used; AES-128-CBC is available as a drop-in alternative.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
# NOTE(review): LZO compression of tunnel payload; current OpenVPN guidance
# discourages compression for traffic that may carry secrets.
comp-lzo
;max-clients 100
# NOTE(review): the privilege drop is disabled, so the daemon keeps running as
# root after startup. persist-key/persist-tun below are already set, which is
# what user/group nobody need to survive SIGUSR1 restarts; check that ipp.txt
# and the status log stay writable by that account before enabling them.
;user nobody
;group nobody
persist-key
persist-tun
# Status file is relative like ipp.txt above. Neither log option is enabled,
# so daemon messages go to syslog at verbosity 3.
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20


dmesg output:

SFW2-INext-DROP-DEFLT IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=10.8.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=408 DF PROTO=TCP SPT=1284 DPT=5901 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405580103030801010402)
SFW2-INext-DROP-DEFLT IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=10.8.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=414 DF PROTO=TCP SPT=1284 DPT=5901 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405580103030801010402)
SFW2-INext-DROP-DEFLT IN=tun0 OUT= MAC= SRC=10.8.0.6 DST=10.8.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=423 DF PROTO=TCP SPT=1284 DPT=5901 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (0204055801010402)


--------------------------------------------------
Brian Vagnoni
PGP Digital Fingerprint
F076 6EEE 06E5 BEEF EBBD  BD36 F29E 850D FC32 3955
--------------------------------------------------