Lost hope using ccd option

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Lost hope using ccd option

Post by janjust » Tue Apr 05, 2011 10:23 am

* check the IP address of the VPN client in the 10.0.2 range
* remove the 'ifconfig-pool-persist' line from the server config and restart the openvpn to see if it makes a difference
* run wireshark on the vpn server and do a 'ping 10.1.1.1' from the VPN client; follow the flow of the packets and check the source and destination IPs

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Re: Lost hope using ccd option

Post by pwg3n » Tue Apr 05, 2011 10:33 am

It's working now. Thanks so much.

The problem was the old IP in the server.conf (I forgot to change the IP and changed only the mask).

The problem was that the subnet mask was incorrect and did not match both VPN classes.

255.255.254.0 matched both 10.0.2.0 and 10.0.3.0

The next step would be to make some iptables filters. I have to put these filters on FORWARD chain on the tun0 interface, am I right?

janjust wrote:
* check the IP address of the VPN client in the 10.0.2 range
* remove the 'ifconfig-pool-persist' line from the server config and restart the openvpn to see if it makes a difference
* run wireshark on the vpn server and do a 'ping 10.1.1.1' from the VPN client; follow the flow of the packets and check the source and destination IPs

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Lost hope using ccd option

Post by janjust » Tue Apr 05, 2011 10:40 am

depends on what you want to filter; you're using

client-to-client

which means that all clients can see each other without passing through iptables.

To restrict access from VPN clients to hosts on your LAN use the FORWARD chain.
To restrict access from VPN clients to the VPN server itself use the INPUT chain.

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Re: Lost hope using ccd option

Post by pwg3n » Tue Apr 05, 2011 12:41 pm

Hm...
So I must wipe out client-to-client for the traffic to be processed by iptables?

janjust wrote:
depends on what you want to filter; you're using

client-to-client

which means that all clients can see each other without passing through iptables.

To restrict access from VPN clients to hosts on your LAN use the FORWARD chain.
To restrict access from VPN clients to the VPN server itself use the INPUT chain.

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Re: Lost hope using ccd option

Post by pwg3n » Tue Apr 05, 2011 1:04 pm

This is an interesting one:

Excluded the client-to-client option, and tried to drop some traffic from one subnet to another:

iptables -I FORWARD 1 -i tun0 -s 10.0.3.1 -d 10.1.1.1 -j DROP

But nothing happens. I can still ping 10.1.1.1

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Lost hope using ccd option

Post by janjust » Tue Apr 05, 2011 1:28 pm

this is getting off-topic, as we're now talking about debugging iptables; try inserting

iptables -I FORWARD 1 -i tun0 -s 10.0.3.1 -d 10.1.1.1 -j LOG

to see if you're actually matching the right packets.
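
As an added example (not code from either poster), a ruleset that puts janjust's two points from the 10:40 and 1:28 posts into practice: VPN-client-to-LAN traffic is filtered in FORWARD, client-to-server traffic in INPUT, and a LOG rule sits ahead of each DROP so a rule that fails to match can be diagnosed. The server's tun0 address (10.0.2.1) and the LAN range 10.1.1.0/24 are assumptions; set IPT=echo to preview the rules without applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed topology: VPN clients on tun0 in
# 10.0.2.0/24 and 10.0.3.0/24, LAN 10.1.1.0/24 with host 10.1.1.1, server tun0
# address 10.0.2.1 (assumed). IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"

# Every rule passes through this wrapper so the set can be dry-run with IPT=echo.
rule() { "$IPT" "$@"; }

# Client-to-LAN traffic is routed by the kernel, so it traverses FORWARD.
# (With 'client-to-client' in server.conf, client-to-client packets are switched
# inside the OpenVPN process and never reach these chains.)
vpn_forward_rules() {
    rule -N VPN_FWD
    rule -A VPN_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Clients in 10.0.2.0/24 may reach the LAN.
    rule -A VPN_FWD -s 10.0.2.0/24 -d 10.1.1.0/24 -j ACCEPT
    # Clients in 10.0.3.0/24 may not reach 10.1.1.1; log before dropping so a
    # rule that silently fails to match (as in the thread) can be diagnosed.
    rule -A VPN_FWD -s 10.0.3.0/24 -d 10.1.1.1 -j LOG --log-prefix "vpn-fwd-drop: "
    rule -A VPN_FWD -s 10.0.3.0/24 -d 10.1.1.1 -j DROP
    # Default deny for anything else arriving from the tunnel.
    rule -A VPN_FWD -j LOG --log-prefix "vpn-fwd-default: "
    rule -A VPN_FWD -j DROP
    rule -I FORWARD 1 -i tun0 -j VPN_FWD
}

# Client traffic addressed to the server itself (e.g. 10.0.2.1) traverses INPUT.
vpn_input_rules() {
    rule -N VPN_IN
    rule -A VPN_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A VPN_IN -p icmp -j ACCEPT          # allow ping to the server
    rule -A VPN_IN -j LOG --log-prefix "vpn-input-drop: "
    rule -A VPN_IN -j DROP
    rule -I INPUT 1 -i tun0 -j VPN_IN
}

apply_vpn_rules() { vpn_forward_rules && vpn_input_rules; }

# Apply only when asked explicitly: `sh vpn-rules.sh --apply` (as root), or
# `IPT=echo sh vpn-rules.sh --apply` to preview.
case "${1:-}" in
    --apply) apply_vpn_rules ;;
esac
```

Check matches with `iptables -L VPN_FWD -v -n` (packet counters) and the kernel log for the `vpn-fwd-drop:` prefix; a counter that stays at zero means the rule is not seeing the packets, which is the situation the LOG rule above is meant to expose.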

pwg3n
OpenVpn Newbie
Posts: 14
Joined: Mon Apr 04, 2011 3:17 pm

Re: Lost hope using ccd option

Post by pwg3n » Tue Apr 05, 2011 2:01 pm

Thank you janjust, you're right about the off-topic, I'll take over on my own right now.
