is this Client2Network configuration possible?
-
- OpenVpn Newbie
- Posts: 10
- Joined: Wed May 04, 2011 7:24 pm
is this Client2Network configuration possible?
Hi,
basically I want to setup the following and I'm not sure if it's possible or not.
Firewall in front of OpenVPN Server. One port is nat'ed to the OpenVPN Server.
LAN: 10.1.0.0/255.255.255.0 (Microsoft AD)
LANs Default Gateway is an internal router that routes between two networks. The IP is e.g. 10.1.0.254
OpenVPN Server has the 10.1.0.10 e.g
OpenVPN clients connect and get an internal IP within 10.1.0.0/255.255.255.0 and LDAP Auth.
TUN is used.
Minimal infos pointing me to the right direction would be great.
Thanks for any help
BruceLee
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: is this Client2Network configuration possible?
Yes, this is possible using a Linux server; it is not possible using a Windows-based OpenVPN server, for that you will have to use tap+bridging.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Wed May 04, 2011 7:24 pm
Re: is this Client2Network configuration possible?
Hi Janjust,
thanks for the ultra quick reply. Of course I want to use a linux server.
Just to make sure, with linux underneath I can use tun in that case, right?
PS: is this scenario (or a slightly similar one) covered in your book?
Thanks BruceLee
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: is this Client2Network configuration possible?
yes this is covered in my book, chapter 11, using ProxyARP.
You'd need to add LDAP support though, but that you can find on the internet (or use pam+samba+winbind)
-
- OpenVpn Newbie
- Posts: 10
- Joined: Wed May 04, 2011 7:24 pm
Re: is this Client2Network configuration possible?
terrific. Thanks for the quick reply.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Wed May 04, 2011 7:24 pm
Re: is this Client2Network configuration possible?
HI Jan,
I'm currently setting up the scenario I was talking about.
I bought your book and I must say that it's excellent. Thank you very much.
Three questions for now.
1.
I have setup OpenVPN with multiple Certs by following this guide:
http://www.openvpn.net/index.php/open-s ... o.html#pki.
I have not set a password for prompting when starting OpenVPN since the user has to login first to launch it.
Is that safe enough? Or would you setup a password?
2.
I have setup IPforward via:
Code:
/etc/sysctl.conf:
net.ipv4.ip_forward = 1
Since the OpenVPN Gateway is behind my firewall which makes a port redirect to it,
do I need any iptables like masquerading and forwarding?
Or can I disable the Firewall?
3.
I have setup ProxyArp. In the client file in your example you have set:
Code:
ifconfig-push 192.168.202.6 192.168.202.5
Would another client's file look like this?
Code:
ifconfig-push 192.168.202.7 192.168.202.5
I'm asking because the 192.168.202.5 is set as DHCP Server on the Windows Client.
Thanks
BruceLee
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: is this Client2Network configuration possible?
BruceLee wrote (Posted: 26 May 2011 14:44):
1) I have not set a password for prompting when starting OpenVPN since the user has to login first to launch it. Is that safe enough? Or would you setup a password?

who are you giving access to? if there is a chance of the cert and private key to be stolen (e.g. theft of the laptop, 'share' the key with someone else) then I'd set a password on the private key

BruceLee wrote:
2) do I need any iptables like masquerading and forwarding? Or can I disable the Firewall?

depends on which machines the VPN clients need to access; if the clients only need to talk to each other then I'd block all access other than client to client.

BruceLee wrote:
3) I have setup ProxyArp. In the client file in your example you have set:
Code:
ifconfig-push 192.168.202.6 192.168.202.5
Would another client's file look like this?
Code:
ifconfig-push 192.168.202.7 192.168.202.5

each client is assigned a miniature network (as you could have read in my book)
the first client is assigned 192.168.202.4 - 192.168.202.7; the client IP is .6, the virtual endpoint (and the DHCP server in windows) is .5
the second client would be 192.168.202.8 - 192.168.202.11; the client IP is .10, the endpoint is .9. The CCD file would be
Code:
ifconfig-push 192.168.202.10 192.168.202.9
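The /30-per-client allocation janjust describes is OpenVPN's default "topology net30". The following script is an added example, not code from the thread or from janjust's book: it computes the per-client block, virtual endpoint and client address for a given pool, emits the matching CCD `ifconfig-push` line, and checks hand-written CCD lines for the mistake in the question (two clients sharing the .5 endpoint). The pool `192.168.202.0/24`, the function names and the CCD entries `alice`/`bob`/`carol` are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample pool; the thread uses 192.168.202.x for the VPN side.
POOL = "192.168.202.0/24"


def net30_block(pool: str, index: int):
    """Return (block, endpoint, client) for the index-th client, 0-based.

    In net30 the server keeps the first /30 of the pool for itself
    (.0-.3: server .1, its endpoint .2), so the first client block starts at
    offset 4.  Within each client block: .0 network, .1 virtual endpoint
    (the address a Windows client reports as its DHCP server), .2 client,
    .3 broadcast.  This reproduces janjust's .5/.6 and .9/.10 pairs.
    """
    net = ipaddress.ip_network(pool, strict=True)
    start = net.network_address + 4 * (index + 1)
    block = ipaddress.ip_network(f"{start}/30")
    if not block.subnet_of(net):
        raise ValueError(f"client {index} does not fit in {pool}")
    endpoint = block.network_address + 1
    client = block.network_address + 2
    return block, endpoint, client


def ccd_line(pool: str, index: int) -> str:
    """The ifconfig-push line for the index-th client's CCD file."""
    _, endpoint, client = net30_block(pool, index)
    return f"ifconfig-push {client} {endpoint}"


def check_ifconfig_push(line: str, pool: str) -> bool:
    """True if a hand-written CCD line is a valid net30 pair inside pool:
    the endpoint sits at offset 1 of a client block (offset >= 5 and
    offset % 4 == 1) and the client address is endpoint + 1."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "ifconfig-push":
        return False
    try:
        client = ipaddress.ip_address(parts[1])
        endpoint = ipaddress.ip_address(parts[2])
    except ValueError:
        return False
    net = ipaddress.ip_network(pool, strict=True)
    if client not in net or endpoint not in net:
        return False
    offset = int(endpoint) - int(net.network_address)
    return offset >= 5 and offset % 4 == 1 and int(client) == int(endpoint) + 1


def find_collisions(ccd: dict, pool: str) -> list:
    """Names of CCD entries that are invalid net30 pairs or whose /30 is
    already claimed by an earlier entry (two clients on one block would
    fight over the same endpoint)."""
    seen = {}
    bad = []
    for name, line in ccd.items():
        if not check_ifconfig_push(line, pool):
            bad.append(name)
            continue
        endpoint = ipaddress.ip_address(line.split()[2])
        block = ipaddress.ip_network(f"{endpoint - 1}/30")
        if block in seen:
            bad.append(name)
        else:
            seen[block] = name
    return sorted(bad)


if __name__ == "__main__":
    for i in range(3):
        block, endpoint, client = net30_block(POOL, i)
        print(f"client {i}: block {block}, endpoint {endpoint}, client {client}")
        print("   ", ccd_line(POOL, i))
    # Constructed CCD directory contents: "bob" is the guessed line from the
    # question, which reuses alice's endpoint .5 and is rejected.
    sample = {
        "alice": "ifconfig-push 192.168.202.6 192.168.202.5",
        "bob": "ifconfig-push 192.168.202.7 192.168.202.5",
        "carol": "ifconfig-push 192.168.202.10 192.168.202.9",
    }
    print("problem entries:", find_collisions(sample, POOL))
```

Running it prints the first three client blocks (.4/30, .8/30, .12/30) with their CCD lines and reports `bob` as the problem entry. The check also rejects a line that points a client at the server's own .1/.2 block, which is the other common copy-paste error in CCD files.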
-
- OpenVpn Newbie
- Posts: 10
- Joined: Wed May 04, 2011 7:24 pm
Re: is this Client2Network configuration possible?
thanks JanJust for your reply. Yeah, I could have read it but I missed that because I was just focused on two recipes.
Almost everything is running fine except one thing:
Sometimes I receive this error.
Code:
"Connect script failed. Timeout after 15 secs"
But my up_script always runs fine. It just takes some time on slow connections.
How can I increase the timeout value of 15 seconds?
up-delay did not help.
Thanks a lot
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: is this Client2Network configuration possible?
which script/program is reporting this error? I could not find this text in the openvpn 2.1 sources anywhere; it is in the OpenVPN GUI application; check the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\OpenVPN-GUI\connectscript_timeout
it has a default value of 15 seconds.
-
- OpenVpn Newbie
- Posts: 10
- Joined: Wed May 04, 2011 7:24 pm
Re: is this Client2Network configuration possible?
HI JanJust,
sorry, I have not posted enough details. And yes, you were right.
This error shows up on an OpenVPN Client 2.2 running the OpenVPN-GUI on Windows after the tunnel is connected and the profilename_up.bat script is run.
I will increase this value in the registry.
You're the man. Thanks a lot.
BTW: I'm finished with testing soon and will post another solution how to run OpenVPN on Windows 7 without adding the user to admin or network operations group.