[ale] What is an easy open vpn to set up

Chuck Payne terrorpup at gmail.com
Tue Mar 27 18:56:42 EDT 2012


On Tue, Mar 27, 2012 at 1:11 PM, Michael Trausch <mike at trausch.us> wrote:
> Remember to use the reserved example addresses:
>
> The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), and
> 203.0.113.0/24 (TEST-NET-3) are provided for use in documentation.
>
> Defined by RFC 5737.
>
> On Mar 27, 2012 1:06 PM, "Michael H. Warfield" <mhw at wittsend.com> wrote:
>>
>> On Tue, 2012-03-27 at 12:44 -0400, Brian Mathis wrote:
>> > On Tue, Mar 27, 2012 at 12:16 PM, Michael H. Warfield <mhw at wittsend.com>
>> > wrote:
>> > > On Tue, 2012-03-27 at 11:37 -0400, Chuck Payne wrote:
>> > >> On Tue, Mar 27, 2012 at 11:33 AM, John Knight
>> > >> <john at classiccitytelco.com>wrote:
>> > >> >  Hi Chuck,
>> > >> >
>> > >> > What issue did you run into in the past?
>> > >> >   *John Knight*
>> > >> >
>> > >> > On 3/27/2012 11:28 AM, Chuck Payne wrote:
>> > >> > More and more I am needing access to servers that are behind my
>> > >> > firewall, so I'd like to set up OpenVPN, but in the past I had issues.
>> > >> > What is the easiest to set up?
>> > >>
>> > >> Routing. I could connect, but if I tried to ping or connect to
>> > >> anything I
>> > >> couldn't.
>> > >>
>> > >> Chuck "PUP" Payne
>> > >
>> > > There are a variety of potential problems in there depending on how
>> > > you
>> > > are setting up your VPN.  For instance, is the VPN terminating on the
>> > > firewall, passing through the firewall, or being portforwarded to
>> > > another server?  Are you attempting to do any NAT in there?  Is it a
>> > > private address space behind the firewall?  How did you have your
>> > > routing set up on the VPN server (i.e. what kind of routes did you
>> > > have
>> > > OpenVPN pushing to your client)?  Could you connect to services on the
>> > > VPN server itself?
>> > >
>> > > For pushing routes you might have something like this on your server.
>> > >
>> > > push "route 192.168.1.0 255.255.255.0"
>> > >
>> > > This obviously assumes that you're using the 192.168.1.0 network
>> > > behind
>> > > your firewall...
>> > >
>> > > For that to work, however, the server must be in the default path back
>> > > from the machines behind the firewall back to the outside network or
>> > > you'll have to do some less than pretty (and less than reliable)
>> > > routing
>> > > tricks on all the devices to route the VPN back or NAT the VPN on the
>> > > server so the devices behind the firewall only see the VPN servers
>> > > address.
>> > >
>> > > Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>>
>> > It's strongly advisable to avoid the 192.168.1.0 subnet at home since
>> > that seems to be the default everywhere.  You will have problems when
>> > both your local and remote networks use that subnet.  I recommend
>> > changing all your home IPs to something in the 10.x.x.x or 172.16.x.x
>> > - 172.31.x.x, since you probably can't change it in the remote
>> > locations.
>>
>> That was strictly an example.  Sort of like using test.com for a domain
>> name.  That would also imply that he's dealing with a NAT device.  The
>> fact that it is so common is why I used it for the example block.
>>
>> > ❧ Brian Mathis
>>
>> Regards,
>> Mike
>> --
>> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>>   /\/\|=mhw=|\/\/          | (678) 463-0932 |
>>  http://www.wittsend.com/mhw/
>>   NIC whois: MHW9          | An optimist believes we live in the best of
>> all
>>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>

My internal network for the last 12 years has been 192.168.105.0/24. I
saw too many devices using 192.168.0.0/24 or 192.168.1.0/24, so I
wanted to make sure mine was different.

I'm running an Ubuntu server.

I have a bridge set up, br0 --> eth0, which is the outside interface, 56.163.16.12.

I have a second interface, which is internal, 192.168.105.12.

This might help; here is my server config file. Somewhere I have set
it up wrong.

===========

mode server
tls-server

#local <your ip address> ## ip/hostname of server
#phlegethon.magidesign.com <56.163.16.12>
local 56.163.16.12
port 1194 ## default openvpn port
proto udp

#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
#dev tun0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"

#server 192.168.105.0 255.255.255.0

persist-key
persist-tun

#certificates and encryption
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
tls-auth ta.key 0 # This file is secret

cipher BF-CBC        # Blowfish (default)
comp-lzo

#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 56.163.16.12 255.255.255.240 56.163.16.10 56.163.16.11
push "route 192.168.105.0 255.255.255.0"  # push takes exactly one argument, so the option string must be quoted
push "dhcp-option DNS 56.163.16.9 56.163.16.2"
push "dhcp-option DOMAIN magidesign.com"
client-to-client

max-clients 2 ## set this to the max number of clients that should be connected at a time

#log and security
user nobody
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3



-- 
Terror PUP a.k.a
Chuck "PUP" Payne

(678) 636-9678
-----------------------------------------
Discover it! Enjoy it! Share it! openSUSE Linux.
-----------------------------------------
openSUSE -- en.opensuse.org/User:Terrorpup
openSUSE Ambassador/openSUSE Member
Community Manager -- Southeast Linux Foundation (SELF)
skype, twitter, identica, friendfeed -- terrorpup
freenode(irc) --terrorpup/lupinstein
Register Linux Userid: 155363

Have you tried SUSE Studio? Need to create a Live CD, an app you want
to package and distribute, or create your own Linux distro? Give SUSE
Studio a try. www.susestudio.com.
See you at Southeast Linux Fest, June 8-10, 2012 in Charlotte, NC.
www.southeastlinuxfest.org
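The routing pitfalls raised in this thread, as an added example that is not part of the posting or of OpenVPN itself: a small Python lint that tokenizes a server config the way OpenVPN does (quotes group, `#` and `;` start comments) and flags the unquoted `push route` line from the config above, a `server-bridge` pool that does not fit its network or swallows the gateway, a pushed route that collides with the client's own LAN (Brian's 192.168.1.0/24 point), and a pushed route that is not the bridged network and so needs a return route on the LAN or NAT on the server (Mike's point). The sample config is constructed from the one posted above with its addresses as posted; the finding codes, the `client_lan` parameter and the `FIXED_CONFIG` variant are the example's own assumptions.

```python
"""Lint an OpenVPN server config for the routing pitfalls discussed in this thread (added example)."""
import ipaddress
import shlex

# Constructed sample, modelled on the server config posted above (addresses as
# posted). The push line is unquoted, exactly as in the posting.
POSTED_CONFIG = """
mode server
tls-server
local 56.163.16.12
port 1194
proto udp
dev tap0   ## bridged onto br0 by up.sh/down.sh
server-bridge 56.163.16.12 255.255.255.240 56.163.16.10 56.163.16.11
push route 192.168.105.0 255.255.255.0
push "dhcp-option DNS 56.163.16.9 56.163.16.2"
client-to-client
"""

# The same config with the push option string quoted (assumed fix).
FIXED_CONFIG = POSTED_CONFIG.replace(
    "push route 192.168.105.0 255.255.255.0",
    'push "route 192.168.105.0 255.255.255.0"')


def tokenize(line):
    """Split one line the way OpenVPN does: quotes group, '#' and ';' start comments."""
    lex = shlex.shlex(line, posix=True)
    lex.whitespace_split = True
    lex.commenters = "#;"
    return list(lex)


def parse_config(text):
    """Return [(directive, [args]), ...] for every non-empty, non-comment line."""
    entries = []
    for raw in text.splitlines():
        tokens = tokenize(raw)
        if tokens:
            entries.append((tokens[0], tokens[1:]))
    return entries


def lint(text, client_lan="192.168.1.0/24"):
    """Return [(code, message), ...]; client_lan is the subnet the connecting client
    sits behind (default: the consumer-router subnet the thread warns about)."""
    entries = parse_config(text)
    single = dict(entries)                     # last occurrence wins; push handled below
    lan = ipaddress.ip_network(client_lan, strict=False)
    findings = []

    dev = (single.get("dev") or [""])[0]
    bridge = single.get("server-bridge")
    bridged_net = None
    if bridge is not None and not dev.startswith("tap"):
        findings.append(("bridge-needs-tap",
                         f"server-bridge requires a tap device, but dev is {dev!r}"))
    if bridge is not None and len(bridge) == 4:   # gateway netmask pool-start pool-end
        gateway = ipaddress.ip_address(bridge[0])
        bridged_net = ipaddress.ip_network(f"{bridge[0]}/{bridge[1]}", strict=False)
        start, end = ipaddress.ip_address(bridge[2]), ipaddress.ip_address(bridge[3])
        if start > end:
            findings.append(("pool-reversed", f"pool start {start} is above pool end {end}"))
        if start not in bridged_net or end not in bridged_net:
            findings.append(("pool-outside-net",
                             f"pool {start}-{end} is not inside the bridged network {bridged_net}"))
        if start <= gateway <= end:
            findings.append(("pool-contains-gateway",
                             f"pool {start}-{end} includes the gateway {gateway}"))

    for directive, args in entries:
        if directive != "push":
            continue
        if len(args) != 1:                     # OpenVPN's push takes exactly one argument
            findings.append(("push-unquoted",
                             'push takes one quoted argument; write: push "%s"' % " ".join(args)))
            continue
        inner = tokenize(args[0])
        if len(inner) < 3 or inner[0] != "route":
            continue
        route = ipaddress.ip_network(f"{inner[1]}/{inner[2]}", strict=False)
        if route.overlaps(lan):
            findings.append(("route-overlaps-client-lan",
                             f"pushed route {route} overlaps the client's own LAN {lan}; "
                             "the client will keep that traffic local instead of tunnelling it"))
        if bridged_net is not None and not route.subnet_of(bridged_net):
            findings.append(("route-needs-return-path",
                             f"pushed route {route} is not the bridged network {bridged_net}; "
                             f"hosts in {route} need a route back to {bridged_net} via the VPN "
                             "server, or the server must NAT the tunnel"))
    return findings


if __name__ == "__main__":
    for code, message in lint(POSTED_CONFIG) + lint(FIXED_CONFIG):
        print(f"[{code}] {message}")
```

Run against the posted config the only finding is the unquoted push; with the push quoted, the lint moves on to the second problem in the thread, that 192.168.105.0/24 sits behind the server's internal interface rather than on the bridged /28, so the internal hosts have no route back to the tunnel addresses unless the VPN server is their default gateway or NATs for them. Passing `client_lan="192.168.105.0/24"` shows the collision Brian described.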


