On 22 August 2012 10:24, MJ Ray mjr@phonecoop.coop wrote:
Jenny Hopkins hopkins.jenny@gmail.com
openvpn connection [...] Openvpn uses a tunnel of 12.3.3.0 [...] second computer on my internal network, 192.168.1.whatever [...] try at assigning a static address on the 12.3.3.0 network to no avail, it couldn't ping the computer here on its tun 12.3.3.6 address. [...] Is this an impossible mission, or are there any tricks and tools i can be using to make this happen? [...]
I got a bit lost among the missing IP addresses and quite exactly where "here" and "internal" actually are, but I didn't see you setting ip_forward on the openvpn-connected machine, which seems like one thing which might prevent it working.
It should be a case of setting the routing parameters correctly on each machine. The "route" config options in openvpn may help with that... or they might not.
Sometimes I resort to setting up NAT and masquerading in this sort of situation, mainly because I've been doing that for years and it avoids anything I don't control getting upset at there suddenly being a network where there was only a single IP address.
Here's a script I used for masquerading recently, but the device and network details may not reflect what you actually need to do, and there may be a security flaw in this (I suspect the MASQUERADE line should probably have -s 192.168.0.0/24 -i eth2 on it):
echo 1 > /proc/sys/net/ipv4/ip_forward iptables-restore << EOF *nat :PREROUTING ACCEPT [573:36591] :POSTROUTING ACCEPT [59:5375] :OUTPUT ACCEPT [43:6574] -A POSTROUTING -o tun1 -j MASQUERADE COMMIT *filter :INPUT ACCEPT [118:33140] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [170:21363] -A FORWARD -i tun1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 192.168.0.0/24 -i eth2 -j ACCEPT -A FORWARD -j LOG -A FORWARD -j DROP COMMIT EOF
Hope that helps,
Thanks! What is the relevance of the -are they ports?- numbers in square brackets, like :PREROUTING ACCEPT [573:36591]?
I've now told the dhcp server the IP address of repo and told it the openvpn endpoint machine (here,192.168.1.6) is the gateway for there using routing table, and I've done "echo 1 > /proc/sys/net/ipv4/ip_forward". Now the local (i.e. home network where I am trying to set this all up) network knows that for repo.tcl.office they go to 192.168.1.6. The request is getting stuck there so I'll have a go at the masquerading.
(I had a go at iptable rules last night and, along with trying tinyproxy, inadvertently managed to redirect any requests on port 80 back to my own apache server :-))
Jenny