LinuxQuestions.org
Old 03-10-2009, 01:49 PM   #1
AIM Systems
LQ Newbie
 
Registered: Nov 2008
Posts: 10

Rep: Reputation: 1
Would multiple dead SMB connections stop firewall


I hope I phrased the subject clearly.
We have a firewall controlling about 28 VPN connections from our mobile tabletPCs and laptops.
The server is FC5 running Samba 3.0.21b-2.
The tabletPCs are XP.

Here's the config file - VPN.ovpn on tabletPCs:
Code:
### BEGIN CLIENT SIDE CONFIGURATION FILE ###
#
# tun0 configuration for Asteria
#

# vpn server to contact
remote staff.royalcity.ca
# port to establish connection on
port 5020

# local tunnel device
dev tun0

# interface addresses
tun-mtu 1500
ifconfig 192.168.101.2 192.168.101.1

ip-win32 dynamic

route 192.168.100.0 255.255.255.0 192.168.101.1
dhcp-option DNS 192.168.100.2
dhcp-option WINS 192.168.100.2

# key location
secret "c:\\program files\\OpenVPN\\config\\key.txt"

;fragment 1300
mssfix

; ping-restart 60
; ping-timer-rem
; persist-tun
; persist-key
; resolv-retry 86400

# keep-alive ping
ping 10

# enable LZO compression
comp-lzo

# moderate verbosity
verb 4
mute 10

Here's the server side config:
Code:
### Start Config File Port 5020 ###
#
# tun0 configuration for Asteria
#

# local tun device
dev tun0

# interface addresses
ifconfig 192.168.101.1 192.168.101.2
push "route 192.168.100.0 255.255.255.0"
push "dhcp-option DNS 192.168.100.2"
push "dhcp-option WINS 192.168.100.2"

# key location
secret /etc/openvpn/keys/tun0.key

# port to listen on
port 5020

# user to run as
user nobody
group nobody

# options
comp-lzo
ping 15
verb 1

### End Config File Port 5020 ###

These remote devices run an application which synchronizes data to the Database server (WinServer2K3) behind this firewall.
Samba complains that it cannot authenticate these machines, yet we don't want these machines to ever access the firewall.
We have iptables rules to forward these machines through to the Database.

Here is a snippet of /var/log/messages:
Code:
Mar  7 05:56:18 emsstaff smbd[15703]: [2009/03/07 05:56:18, 0] lib/util_sock.c:get_peer_addr(1225)
Mar  7 05:56:18 emsstaff smbd[15703]:   getpeername failed. Error was Transport endpoint is not connected
Mar  7 05:56:18 emsstaff smbd[15703]: [2009/03/07 05:56:18, 0] lib/util_sock.c:write_data(557)
Mar  7 05:56:18 emsstaff smbd[15703]:   write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
Mar  7 05:56:18 emsstaff smbd[15703]: [2009/03/07 05:56:18, 0] lib/util_sock.c:send_smb(765)
Mar  7 05:56:18 emsstaff smbd[15703]:   Error writing 4 bytes to client. -1. (Connection reset by peer)

Now multiply these messages by 20-odd devices that are connected but idle at 6am.

Would a slew of these messages cause my firewall to stop responding?
How would you grant access to 30 devices that require a sporadic, secure connection?

Andrew
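
To gauge how many of these errors the firewall is actually logging, the smbd entries in /var/log/messages can be grouped per minute and per smbd child process (smbd forks one child per client connection). This is an added example, not part of the original post; the sample input is constructed from the six lines quoted above plus five invented lines, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: six lines from the post, then five invented lines (crond, second smbd PID).
SAMPLE = """\
Mar  7 05:56:18 emsstaff smbd[15703]: [2009/03/07 05:56:18, 0] lib/util_sock.c:get_peer_addr(1225)
Mar  7 05:56:18 emsstaff smbd[15703]:   getpeername failed. Error was Transport endpoint is not connected
Mar  7 05:56:18 emsstaff smbd[15703]: [2009/03/07 05:56:18, 0] lib/util_sock.c:write_data(557)
Mar  7 05:56:18 emsstaff smbd[15703]:   write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
Mar  7 05:56:18 emsstaff smbd[15703]: [2009/03/07 05:56:18, 0] lib/util_sock.c:send_smb(765)
Mar  7 05:56:18 emsstaff smbd[15703]:   Error writing 4 bytes to client. -1. (Connection reset by peer)
Mar  7 05:57:02 emsstaff crond[15709]: (root) CMD (run-parts /etc/cron.hourly)
Mar  7 05:57:02 emsstaff smbd[15710]: [2009/03/07 05:57:02, 0] lib/util_sock.c:write_data(557)
Mar  7 05:57:02 emsstaff smbd[15710]:   write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
Mar  7 05:57:02 emsstaff smbd[15710]: [2009/03/07 05:57:02, 0] lib/util_sock.c:send_smb(765)
Mar  7 05:57:02 emsstaff smbd[15710]:   Error writing 4 bytes to client. -1. (Connection reset by peer)
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ smbd\[(\d+)\]:\s*(.*)$")
HEADER = re.compile(r"^\[[\d/]+ [\d:]+, (\d+)\] \S+:(\w+)\(\d+\)$")
DEAD_PEER = ("Connection reset by peer", "Transport endpoint is not connected")

def parse_smbd(lines):
    """Join each Samba '[date, level] file:func(line)' header with its message text."""
    events, last = [], {}          # last: most recent event seen per smbd PID
    for line in lines:
        m = SYSLOG.match(line.strip())
        if not m:
            continue               # not an smbd line
        minute, pid, rest = m.group(1), int(m.group(2)), m.group(3)
        h = HEADER.match(rest)
        if h:
            last[pid] = {"minute": minute, "pid": pid, "level": int(h.group(1)),
                         "func": h.group(2), "text": ""}
            events.append(last[pid])
        elif pid in last:
            last[pid]["text"] = (last[pid]["text"] + " " + rest).strip()
    return events

def summarize(events):
    """Count dead-peer errors per minute, per smbd child PID, and per Samba function."""
    dead = [e for e in events if any(s in e["text"] for s in DEAD_PEER)]
    return {"per_minute": Counter(e["minute"] for e in dead),
            "per_pid": Counter(e["pid"] for e in dead),
            "per_func": Counter(e["func"] for e in dead)}

if __name__ == "__main__":
    for key, counts in summarize(parse_smbd(SAMPLE.splitlines())).items():
        print(key, dict(counts))
```

The number of distinct PIDs in `per_pid` is the number of client connections that dropped, which is easier to compare against the roughly 28 VPN clients than the raw line count.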
 
  


All times are GMT -5.