Cannot bring up openvpn link
I have a working ppp-over-ssh vpn solution between our two sites. Now I tried to use openvpn for the purpose, instead, using the simple example I found at the openvpn site.
My problem is that when I bring up the openvpn link, it does not work, and I cannot even ping the local end of the link.

The two sites (I call them local and remote) to be connected together are as follows:

    local public IP:          212.212.85.138
    local private network1:   192.168.0.0/24
    local private network2:   192.168.226.0/24
    remote public IP:         212.212.85.146
    remote private network:   192.168.2.0/24

I think openvpn should use a separate IP address range for the vpn link itself; this should be:

    local vpn link ip:   192.168.230.1
    remote vpn link ip:  192.168.230.2

Here is my local (server-side) openvpn.conf:

    dev tun
    ifconfig 192.168.230.1 192.168.230.2
    secret /usr/local/etc/openvpn.key
    route 192.168.2.65 255.255.255.192

When I try to bring up the link like this:

    openvpn --config openvpn.conf

I get these messages:

    dmx# Thu Jun 23 05:08:45 2005 0: OpenVPN 1.6.0 i386-portbld-freebsd4.5 [SSL] [LZO] built on Jun 19 2005
    Thu Jun 23 05:08:45 2005 1: gw 212.212.85.137
    Thu Jun 23 05:08:45 2005 2: TUN/TAP device /dev/tun0 opened
    Thu Jun 23 05:08:45 2005 3: /sbin/ifconfig tun0 192.168.230.1 192.168.230.2 mtu 1256 netmask 255.255.255.255 up
    add net 192.168.2.65: gateway 192.168.230.2
    Thu Jun 23 05:08:46 2005 4: UDPv4 link local (bound): [undef]:5000
    Thu Jun 23 05:08:46 2005 5: UDPv4 link remote: [undef]

Here is my local ifconfig output after I bring up the link:

    sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            inet 192.168.226.1 netmask 0xffffffe0 broadcast 192.168.226.31
            ether 00:00:e8:ec:9c:ba
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    ed0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
            inet 212.212.85.138 netmask 0xfffffffc broadcast 212.212.85.139
            ether 00:c0:0c:b0:35:47
    ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
    sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1256
            inet 192.168.230.1 --> 192.168.230.2 netmask 0xffffffff
            Opened by PID 95941
    tun1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500

Here is the netstat -r output:

    Destination         Gateway             Flags    Refs       Use  Netif Expire
    default             datanet-gw.foo.bar  UGSc   282760 151306900    ed0
    localhost           localhost           UH        293     93196    lo0
    192.168.0.64/26     castor.foo.bar.     UGSc        0      6301   sis0
    192.168.0.128/26    cross.foo.bar.      UGSc        0      9303   sis0
    192.168.0.192/26    hydra.foo.bar.      UGSc        0         0   sis0
    192.168.2.64/26     192.168.230.2       UGSc        1        95   tun0
    192.168.226/27      link#1              UC          5         0   sis0
    dmx.foo.bar.        0:0:e8:ec:9c:ba     UHLW      307   1439247    lo0
    castor.foo.bar.     0:50:22:80:9b:6e    UHLW    11734 137606878   sis0    598
    cross.foo.bar.      link#1              UHLW       94   7600324   sis0
    hydra.foo.bar.      link#1              UHLW        2   2739318   sis0
    192.168.230.2       192.168.230.1       UH          1         0   tun0
    212.212.85.136/30   link#2              UC          2         0    ed0
    datanet-gw.foo.bar  0:7:e9:7:0:7c       UHLW     1003         0    ed0   1196
    dmx.foo.bar.        0:c0:c:b0:35:47     UHLW        0        83    lo0

When I try to ping the local end of the vpn, it fails:

    PING 192.168.230.1 (192.168.230.1): 56 data bytes
    ping: sendto: Permission denied

It looks like the ping packets get denied and dropped by just my first rule on the local ipfw firewall, which rule is intended against ip spoofing:

    00010 61512 5115361 deny ip from any to 192.168.0.0/16 via ed0

I just do not understand why this happens. I ping 192.168.230.1, which ip address is a local one attached to tun0, so I suppose my ping packets should not be routed to ed0 at all, thus they should never get denied by a firewall rule for ed0. Am I missing something important? Could you help me?
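As an added diagnostic example (not part of the post), the following script performs a longest-prefix-match lookup over the netstat -r table quoted above and then checks the winning interface against the first ipfw rule. It assumes that ipfw's "via ed0" matches a packet whose chosen outgoing interface is ed0, that netstat's "192.168.226/27" means 192.168.226.0/27, and that the UHLW host lines are link-layer cache entries rather than routing prefixes.

```python
import ipaddress

# Routing table transcribed from the netstat -r output in the post.
# UHLW entries (per-host link-layer cache lines) are left out because the
# forwarding lookup does not choose between them (assumption).
ROUTES = [
    ("0.0.0.0/0",         "datanet-gw.foo.bar", "ed0"),   # default route
    ("127.0.0.1/32",      "localhost",          "lo0"),
    ("192.168.0.64/26",   "castor.foo.bar",     "sis0"),
    ("192.168.0.128/26",  "cross.foo.bar",      "sis0"),
    ("192.168.0.192/26",  "hydra.foo.bar",      "sis0"),
    ("192.168.2.64/26",   "192.168.230.2",      "tun0"),  # added by openvpn
    ("192.168.226.0/27",  "link#1",             "sis0"),
    ("192.168.230.2/32",  "192.168.230.1",      "tun0"),  # tun0 peer address
    ("212.212.85.136/30", "link#2",             "ed0"),
]

# The anti-spoofing ipfw rule quoted in the post, kept as data:
# "deny ip from any to 192.168.0.0/16 via ed0"
IPFW_DENY_TO = ipaddress.ip_network("192.168.0.0/16")
IPFW_DENY_VIA = "ed0"


def lookup(dst):
    """Longest-prefix match: return (network, gateway, netif) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, netif in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best


def diagnose(dst):
    """Resolve dst through the table and test it against the deny rule.

    'via ed0' is assumed to match when the winning route's netif is ed0.
    """
    route = lookup(dst)
    netif = route[2] if route else None
    denied = netif == IPFW_DENY_VIA and ipaddress.ip_address(dst) in IPFW_DENY_TO
    return {"dst": dst, "route": str(route[0]) if route else None,
            "netif": netif, "denied": denied}


if __name__ == "__main__":
    for d in ("192.168.230.1", "192.168.230.2", "192.168.2.70", "192.168.0.70"):
        print(diagnose(d))
```

Note that the table holds a host route for the tun0 peer (192.168.230.2) but no entry for the local end 192.168.230.1, so the lookup for that address falls through to the default route.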