Mike Meyer | 1 Jun 2006 01:48

Re: Re: Own DNS system on company intranet?

In <loom.20060601T002945-286 <at> post.gmane.org>, Matt Bostock <matt <at> mattbostock.com> typed:
> Matt Bostock typed:
> > > I'm nearly finished setting up my first OpenVPN, a routed client-to-client
> > > company intranet, so that I can restrict access to internal services to
> > > authorised users.
> > This really doesn't sound like a job for a VPN to me, but I don't know
> > all the details.
> You'll have to forgive my ignorance, Mike, as networking topology isn't
> one of my strong points. The staff for my company are mostly remote workers,
> so I figured in this case a VPN would be the best way to grant them access?

Yes, that's right. I misinterpreted what you said, thinking that you
meant to keep some internal users from getting to internal services
unless they were authorized. If you want to let authorized remote
users access your internal network, while keeping non-authorized
external users from getting to the same, then a VPN is the right
solution.

> > You might consider a cooperating DHCP server.
> > You can't run a real root server - those are defined globally for the
> > internet. You could build a server that claimed to be a root server,
> > but that would almost certainly break something.
> Obviously; I was just unsure about whether any sort of special setup was
> required if I wanted to use a 'made-up' TLD (acmeco) for the company intranet.

No special setup needed. Just configure your server as an
authoritative server for that domain name. Personally, I'd recommend
against it, just to avoid problems if that TLD ever becomes real. I
(and all my clients) use their real domain name for internal
machines. The name resolving software is configured to allow me to

Giancarlo Razzolini | 1 Jun 2006 01:50

Re: Re: openvpn-auth-pam.so problem

yan wrote:
> I think you can't just copy the path from the howto.
> 
> You should sure where is the openvpn-auth-pam.so module. From the log message
> the server can't find this module in this path.
> 
> -------------------------------------------------------
> All the advantages of Linux Managed Hosting--Without the Cost and Risk!
> Fully trained technicians. The highest number of Red Hat certifications in
> the hosting industry. Fanatical Support. Click to learn more
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> 

First, try increasing the verbosity to a number greater than or equal to 7.
Then the auth-pam plugin will be much more verbose with you. Then take a
look at the logs; they will surely help you. If not, then try creating a
separate service entry for openvpn in the /etc/pam.d directory,
pointing to system-auth. And thirdly you might want to take a look at a
plugin I developed for openvpn that authenticates users from shadow:
http://auth-passwd.sourceforge.net

Phil Burrow | 1 Jun 2006 02:10

Re: Connecting two LANs

Terje Christensen wrote:
> I'm trying to connect two LANs over the Internet using openvpn.net.
> 
> LAN A 172.16.1.0/24
> LAN M 192.168.0.0/24

Greetings Terje!

Did you create a file for your client within ccd? If you want to access 
its subnet from your VPN server/LAN A you need to create a file with the 
following:

iroute 192.168.0.0 255.255.255.0

Also you need in your server.conf:

route 192.168.0.0 255.255.255.0
push "route 172.16.1.0 255.255.255.0"

Cheers,

Phil

David Nugent | 1 Jun 2006 02:57

Re: New client keys will not generate?

Chuck Bunn wrote:
> I generated a server and client keys yesterday without any problems. 
> My server was rebooted since then and now I cannot generate any more 
> client keys. I get the message 'you must define KEY_DIR'. Inside of 
> vars I have this defined as 'export 
> KEY_DIR=/etc/openvpn/easy-rsa/keys' and I still get the error. What am 
> I missing here???

. ./vars
or
vars.bat

depending on your OS. KEY_DIR is one of the environment variables that 
the other scripts use, and the 'vars' script sets them up.

Jason Burrell | 1 Jun 2006 06:18

MULTI: bad source address from client, packet dropped

It seems my life is being made more difficult by the minute with
OpenVPN. It seems to be a recurrent problem without a good answer I've
found. I'm pretty much at my wit's end and give up. Yes, IP forwarding
is enabled on both machines.

I set up an OpenVPN 2.0 server on a remote machine. I then have a
client running on a border router at another site that connects to it.
It connects fine. I can ping back and forth between the server and the
client, initiated from either side. The problem arises when I try to
ping from a machine on the client side to a machine behind the server.

Wed May 31 22:37:18 2006 us=958912 clientStarnetBeta-Cave/client-IP:43077 MULTI: bad source address from client [192.168.0.130], packet dropped

Now, on the server this is my routing table:

 Kernel IP routing table
 Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
 10.3.0.2        *               255.255.255.255 UH        0 0          0 tun0
 192.168.100.0   *               255.255.255.0   U         0 0          0 eth1
 192.168.102.0   10.3.0.2        255.255.255.0   UG        0 0          0 tun0
 192.168.2.0     10.3.0.2        255.255.255.0   UG        0 0          0 tun0
 192.168.1.0     10.3.0.2        255.255.255.0   UG        0 0          0 tun0
 192.168.0.0     10.3.0.2        255.255.255.0   UG        0 0          0 tun0
 9.19.129.0      *               255.255.255.0   U         0 0          0 eth1
 9.19.129.0      *               255.255.255.0   U         0 0          0 eth1
 10.3.0.0        10.3.0.2        255.255.255.0   UG        0 0          0 tun0
 10.15.1.0       10.3.0.2        255.255.255.0   UG        0 0          0 tun0
 10.15.0.0       10.3.0.2        255.255.255.0   UG        0 0          0 tun0


Re: Site2Site - routing-problem (linux)

Phil Burrow wrote:
> Martin Müller - Rudolf Hausstein OHG wrote:
>
> > Client: route -n
> > Kernel IP Routentabelle
> > Ziel           Router         Genmask         Flags Metric Ref Use Iface
> > 192.168.123.5  0.0.0.0        255.255.255.255 UH    0      0     0 tun0
> > 192.168.100.0  192.168.123.5  255.255.255.0   UG    0      0     0 tun0
> > 192.168.123.0  192.168.123.5  255.255.255.0   UG    0      0     0 tun0
> > 10.0.0.0       0.0.0.0        255.0.0.0       U     0      0     0 eth0
>
> Hi Martin,
>
> From this routing table, your local subnet is 10.0.0.0/255.0.0.0 
> instead of 10.8.0.0/255.255.255.0 like you put in your OpenVPN 
> configs. That's the reason push "route 10.8.0.0 255.255.255.0" breaks 
> your client LAN, because OpenVPN would create a route that directs 
> traffic for 10.8.0.0/255.255.255.0 to your OpenVPN server since there 
> is no route for that subnet on your client.
>
> EITHER change this line:
>
> > 10.0.0.0       0.0.0.0        255.0.0.0       U     0      0     0 eth0
>
> to
>
> > 10.8.0.0       0.0.0.0        255.255.255.0       U     0      0 0 eth0
>
> OR
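Phil's diagnosis (a pushed 10.8.0.0/24 is more specific than the client's directly connected 10.0.0.0/8, so the client starts sending part of its own LAN into the tunnel) can be caught before a route is pushed. The following Python is an added example, not code from this thread or from OpenVPN: it parses `route -n` output of the shape quoted above (a constructed sample with English column names) and the server's `push "route ..."` lines, and flags every pushed network that is equal to or more specific than a directly connected, non-tunnel LAN.

```python
# Added example (not from the thread or OpenVPN): flag server `push "route"` lines
# that would shadow part of a client's directly connected LAN, which is what broke
# the client above when 10.8.0.0/24 was pushed onto a 10.0.0.0/8 network.
import ipaddress
from typing import List, Tuple

# Constructed `route -n` output mirroring the thread's client (English column names).
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.123.5   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.100.0   192.168.123.5   255.255.255.0   UG    0      0        0 tun0
192.168.123.0   192.168.123.5   255.255.255.0   UG    0      0        0 tun0
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth0
"""

def connected_lans(route_n: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Networks reached directly (gateway 0.0.0.0) on a non-tunnel interface."""
    lans = []
    for line in route_n.splitlines():
        f = line.split()
        if len(f) < 8:                     # title row or a wrapped/odd line
            continue
        dest, gw, mask, iface = f[0], f[1], f[2], f[-1]
        if gw == "0.0.0.0" and not iface.startswith(("tun", "tap")):
            lans.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), iface))
    return lans

def pushed_networks(server_conf: str) -> List[ipaddress.IPv4Network]:
    """Networks named by push "route ADDR MASK" lines in a server config."""
    nets = []
    for line in server_conf.splitlines():
        f = line.replace('"', " ").split()
        if len(f) >= 4 and f[0] == "push" and f[1] == "route":
            nets.append(ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False))
    return nets

def shadowed_pushes(server_conf: str, route_n: str) -> List[Tuple[str, str, str]]:
    """(pushed net, local net, iface) for each push that is equal to or more
    specific than a connected LAN: the client would tunnel that part of its LAN."""
    hits = []
    for pushed in pushed_networks(server_conf):
        for lan, iface in connected_lans(route_n):
            if pushed.subnet_of(lan):
                hits.append((str(pushed), str(lan), iface))
    return hits

# Constructed server.conf fragment with the push from the thread plus a harmless one.
SERVER_CONF = 'push "route 10.8.0.0 255.255.255.0"\npush "route 192.168.100.0 255.255.255.0"\n'
```

Run `shadowed_pushes(SERVER_CONF, ROUTE_N)` against a client's real `route -n` output before adding a push; an empty list means no pushed route hides a local LAN.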

Gavin Chappell | 1 Jun 2006 09:42

Re: Re: openvpn-auth-pam.so problem

Giancarlo Razzolini wrote:
> First, try increasing the verbosity to a number greater than or equal to 7.
> Then the auth-pam plugin will be much more verbose with you. Then take a
> look at the logs; they will surely help you. If not, then try creating a
> separate service entry for openvpn in the /etc/pam.d directory,
> pointing to system-auth. And thirdly you might want to take a look at a
> plugin I developed for openvpn that authenticates users from shadow:
> http://auth-passwd.sourceforge.net
> 
> Try it if you are authenticating plain unix users. If you are using pam
> to authenticate users on an ldap directory, or nis, then keep using the
> auth-pam plugin. If all of the above doesn't solve your situation, then
> paste your log here (with verbosity greater than or equal to 7).

OK, I've attached a log with verbosity set to 7 (I hope this mailing 
list can cope with attachments, if not then let me know and I'll upload 
it somewhere). While it gives me plenty of information about the OpenVPN 
process, I still only seem to get two lines regarding the PAM plugin.

Thanks for the link to your plugin, this may do what I want for now, 
although ultimately it might be nice if I could authenticate either 
against our departmental eDirectory system, or the campus wide Active 
Directory (means people only have one password to remember!).

I assume that if I use your plugin, I can stop the users actually SSHing 
to the VPN server by just giving them a /sbin/nologin shell?

Thanks,
Gavin

Craig Morrison | 1 Jun 2006 09:43

Re: MULTI: bad source address from client, packet dropped

Jason Burrell wrote:
> It seems my life is being made more difficult by the minute with
> OpenVPN. It seems to be a recurrent problem without a good answer I've
> found. I'm pretty much at my wit's end and give up. Yes, IP forwarding
> is enabled on both machines.

Here's my SWAG...

> 
> Here are the configuration files, incidentally:
> 
> Server.conf:
> push "route 192.168.100.0 255.255.255.0"
> push "route 192.168.0.0 255.255.255.0"
> push "route 192.168.1.0 255.255.255.0"
> push "route 192.168.2.0 255.255.255.0"

Push all the routes here that you want the clients to see.

> client.conf:

Add:

pull

To the end of your client config..

> 
> Server-side ccd file for the client:
> iroute 192.168.0.0 255.255.255.0
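The two checks that the "Connecting two LANs" answer and this "MULTI: bad source address" thread turn on can be made mechanical. The Python below is an added example, not code from the thread or from OpenVPN: it reads a server.conf and a hypothetical ccd directory (both constructed here, using the thread's addresses), reports iroute networks that have no matching server `route`, and reproduces the server's source-address decision: a packet is accepted only if its source is the client's tunnel address or lies inside an iroute of the ccd file whose name matches that client's certificate common name, and a CN with no ccd file gets no iroutes at all.

```python
# Added example (not from the thread or OpenVPN). (1) Every LAN a ccd file
# advertises with "iroute" needs a matching "route" in server.conf, or the kernel
# never hands packets for it to OpenVPN. (2) The server accepts a packet from a
# client only if its source is the client's tunnel address or lies in one of that
# client's iroutes; iroutes come only from the ccd file named after the client's CN.
import ipaddress
from typing import Dict, List

# Constructed sample config text that mirrors the addresses in the thread.
SERVER_CONF = """\
server 10.3.0.0 255.255.255.0
client-config-dir ccd
route 192.168.0.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
"""
# Hypothetical ccd directory: file name (client CN) -> file contents.
CCD = {
    "clientStarnetBeta-Cave": "iroute 192.168.0.0 255.255.255.0\n",
    "branch-m": "iroute 192.168.2.0 255.255.255.0\nifconfig-push 10.3.0.6 10.3.0.5\n",
}

def parse_nets(text: str, directive: str) -> List[ipaddress.IPv4Network]:
    """Networks given as 'directive ADDR NETMASK' lines (route or iroute)."""
    nets = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()          # drop trailing comments
        if len(f) == 3 and f[0] == directive:
            nets.append(ipaddress.ip_network(f"{f[1]}/{f[2]}", strict=False))
    return nets

def missing_server_routes(server_conf: str, ccd: Dict[str, str]) -> Dict[str, List[str]]:
    """Client CN -> iroute networks that server.conf has no 'route' for."""
    routes = set(parse_nets(server_conf, "route"))
    gaps = {}
    for cn, text in ccd.items():
        missing = [str(n) for n in parse_nets(text, "iroute") if n not in routes]
        if missing:
            gaps[cn] = missing
    return gaps

def accepts_source(cn: str, ccd: Dict[str, str], tunnel_ip: str, src: str) -> bool:
    """False is the case the server logs as 'MULTI: bad source address' and drops.
    A CN with no ccd file learns no iroutes, so only its tunnel address passes."""
    addr = ipaddress.ip_address(src)
    if addr == ipaddress.ip_address(tunnel_ip):
        return True
    return any(addr in net for net in parse_nets(ccd.get(cn, ""), "iroute"))
```

With the sample data, `missing_server_routes` reports branch-m's 192.168.2.0/24 as lacking a server `route`, and a packet from 192.168.0.130 is accepted for the CN that owns the iroute but dropped for any CN without a matching ccd file, which is the first thing to compare against the CN shown in the log line.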

Terje Christensen | 1 Jun 2006 09:48

Re: Connecting two LANs

Hi and thank you for your replies

>Did you create a file for your client within ccd? If you want to access its 
>subnet from your VPN server/LAN A you need to create a file with the 
>following:
>iroute 192.168.0.0 255.255.255.0
Thank you. I already had this file, but forgot to mention it in my original 
posting.

>Also you need in your server.conf:
>route 192.168.0.0 255.255.255.0
>push "route 172.16.1.0 255.255.255.0"
I added these lines to my server.conf file. But it did not help.

Andres:
I did not understand your reply.  You refer to IP address 192.168.10.0 and 
192.168.20.0. But the net that resides on LAN M is 192.168.0.0.

I don't speak "routing" ;)

terchris

Gavin Chappell | 1 Jun 2006 10:00

Re: MULTI: bad source address from client, packet dropped

Craig Morrison wrote:
>> client.conf:
> 
> Add:
> 
> pull
> 
> To the end of your client config..

His client.conf already has the "client" keyword, which implies "pull" 
anyway.

From the manpage:

--client
     A helper directive designed to simplify the configuration of 
OpenVPN's client mode. This directive is equivalent to:

          pull
          tls-client

Regards,
Gavin
