Page 2 of 2
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 10:23 am
by janjust
* check the IP address of the VPN client in the 10.0.2 range
* remove the 'ifconfig-pool-persist' line from the server config and restart the openvpn to see if it makes a difference
* run wireshark on the vpn server and do a 'ping 10.1.1.1' from the VPN client ; follow the flow of the packets and check the source and destination IPs
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 10:33 am
by pwg3n
It's working now. Thanks so much.
The problem was the old IP in the server.conf (forgot to change IP, changed only the mask).
The problem was that the subnet mask was incorrect and did not match both VPN classes.
255.255.254.0 matched both 10.0.2.0 and 10.0.3.0
The next step would be to make some iptables filters. I have to put these filters on the FORWARD chain on the tun0 interface, am I right?
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 10:40 am
by janjust
depends on what you want to filter; you're using
Code: Select all
client-to-client
which means that all clients can see each other without passing through iptables.
To restrict access from VPN clients to hosts on your LAN use the FORWARD chain.
To restrict access from VPN clients to the VPN server itself use the INPUT chain.
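As an added example (not code from the thread or from janjust), here is the FORWARD/INPUT split above written out as a rule set. The addresses are assumptions based on the thread: the client pool is 10.0.2.0/23 (10.0.2.0 and 10.0.3.0 under 255.255.254.0), the LAN behind the server is taken to be 10.1.1.0/24, and 10.0.3.1 / 10.1.1.1 stand in for the client and host to be restricted. The rules are printed rather than applied so they can be reviewed before piping them into sh.

```shell
#!/bin/sh
# Added example, not from the thread. Generates iptables rules for OpenVPN
# clients on tun0 and prints them; nothing is applied here.
VPN_IF=tun0
VPN_NET=10.0.2.0/23          # client pool from the thread (assumed /23)
LAN_NET=10.1.1.0/24          # LAN behind the server (assumed)
BLOCKED_CLIENT=10.0.3.1      # client to restrict (assumed for the example)
PROTECTED_HOST=10.1.1.1      # LAN host to protect (assumed for the example)

# FORWARD: traffic a VPN client sends *through* the server to the LAN.
# Only routed packets hit this chain; with 'client-to-client' in server.conf,
# client-to-client traffic is switched inside OpenVPN and never gets here.
forward_rules() {
  cat <<EOF
iptables -A FORWARD -i $VPN_IF -s $BLOCKED_CLIENT -d $PROTECTED_HOST -j DROP
iptables -A FORWARD -i $VPN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
iptables -A FORWARD -o $VPN_IF -d $VPN_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VPN_IF -j DROP
EOF
}

# INPUT: traffic addressed to the server itself (its tun0 or LAN address).
# A FORWARD rule never matches these packets, so filter them here.
input_rules() {
  cat <<EOF
iptables -A INPUT -i $VPN_IF -s $VPN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $VPN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $VPN_IF -j DROP
EOF
}

# Which chain a packet from a VPN client traverses depends only on whether the
# destination is one of the server's own addresses.
#   $1 = destination IP, $2 = space-separated list of the server's own IPs
chain_for() {
  for ip in $2; do
    [ "$1" = "$ip" ] && { echo INPUT; return; }
  done
  echo FORWARD
}

# Usage: review, then `sh this.sh | sh` on the VPN server.
forward_rules
input_rules
```

Before adding a DROP for a host, run chain_for with the server's own addresses (ip -4 addr) to confirm the packet will really traverse FORWARD; if the target is the server's tun0 or LAN address, the rule belongs in INPUT.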
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 12:41 pm
by pwg3n
Hm...
So I must wipe out client-to-client for the traffic to be processed by iptables?
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 1:04 pm
by pwg3n
This is an interesting one:
Excluded the client-to-client option, and tried to drop some traffic from one subnet to another:
iptables -I FORWARD 1 -i tun0 -s 10.0.3.1 -d 10.1.1.1 -j DROP
But nothing happens. Still can ping 10.1.1.1

Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 1:28 pm
by janjust
this is getting off-topic, as we're now talking about debugging iptables; try inserting
Code: Select all
iptables -I FORWARD 1 -i tun0 -s 10.0.3.1 -d 10.1.1.1 -j LOG
to see if you're actually matching the right packets.
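As an added example (not from the thread), here is one way to act on that LOG advice: insert the narrow rule from the thread with a --log-prefix, plus a broader one that logs everything from tun0 towards 10.1.1.1, then read the kernel log to see which prefix fires and with which source address. The log lines below are constructed for the example, not captured from the poster's server; in them the client is assumed to be sending from 10.0.3.6, which is why the narrow rule for 10.0.3.1 never matches.

```shell
#!/bin/sh
# Added example, not from the thread. Prints two LOG rules and parses kernel
# log output to show which one actually matched and for which flows.
log_rules() {
  cat <<'EOF'
iptables -I FORWARD 1 -i tun0 -s 10.0.3.1 -d 10.1.1.1 -j LOG --log-prefix 'vpn-fwd: '
iptables -I FORWARD 2 -i tun0 -d 10.1.1.1 -j LOG --log-prefix 'vpn-any: '
EOF
}

# Constructed sample of /var/log/kern.log (or dmesg) after a ping from the
# client. The source 10.0.3.6 is an assumption for the example.
SAMPLE_LOG='Apr  5 13:05:01 vpn kernel: vpn-any: IN=tun0 OUT=eth0 SRC=10.0.3.6 DST=10.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Apr  5 13:05:02 vpn kernel: vpn-any: IN=tun0 OUT=eth0 SRC=10.0.3.6 DST=10.1.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=2
Apr  5 13:05:02 vpn kernel: unrelated: IN=eth0 OUT= SRC=10.1.1.20 DST=10.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=40000 DPT=22'

# count_prefix PREFIX: number of log lines carrying that --log-prefix (stdin).
count_prefix() {
  grep -c "$1: " || true
}

# flows PREFIX: unique "IN OUT SRC DST PROTO" tuples for lines with PREFIX (stdin).
flows() {
  awk -v p="$1: " '
    index($0, p) {
      ifin = "-"; ifout = "-"; src = "-"; dst = "-"; proto = "-"
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2 || kv[2] == "") continue
        if (kv[1] == "IN") ifin = kv[2]
        else if (kv[1] == "OUT") ifout = kv[2]
        else if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
      }
      print ifin, ifout, src, dst, proto
    }' | sort -u
}

# Usage: apply log_rules, ping 10.1.1.1 from the client, then
#   tail -n 50 /var/log/kern.log | flows vpn-any
log_rules
printf '%s\n' "$SAMPLE_LOG" | flows vpn-any
```

If the vpn-any prefix shows the flow but vpn-fwd never appears, the rule's -s or -d does not describe the real packets; if neither prefix appears while the ping still succeeds, the packets are not traversing FORWARD at all (for example because the destination is an address of the server itself, which is INPUT, or because client-to-client is still in effect). `iptables -L FORWARD -v -n --line-numbers` shows the per-rule packet counters for the same check without reading logs.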
Re: Lost hope using ccd option
Posted: Tue Apr 05, 2011 2:01 pm
by pwg3n
Thank you janjust, you're right about the off-topic, I'll take over on my own right now.