[kwlug-disc] Initiating connections to OpenVPN clients
paul_nijjar at yahoo.ca
Thu Jun 30 00:17:17 EDT 2011
On Wed, Jun 29, 2011 at 07:23:50PM -0400, Chris Frey wrote:
> On Wed, Jun 29, 2011 at 06:37:43PM -0400, Paul Nijjar wrote:
> > My inclination is to say that the firewall in front of client C is
> > blocking incoming connections from network A. But I don't know whether
> > OpenVPN can do magic to get around that. Can it?
> Network A ------- Server B
> Server --------VPNlink----------- Client C
> So OpenVPN server and Client C must cooperate for Server B to reach C.
> The firewall could be in the OpenVPN server, or on Client C itself.
> But once the VPN connection is made, the physical network that Client C
> is on has no role in blocking anything. If it doesn't block the VPN
> connection, it can't block anything else.
> If Client C connects to Server B, is C's IP address, as viewed from B
> on the same network / netmask as A? How does that compare with C's
> idea of its own IP address?
Okay. Client C has a number of IP addresses (which I am making up):
Locally C thinks it is 10.10.10.10
The OpenVPN assigns an address of 192.168.150.5 to client C, which is
peered to 192.168.150.6
Network A thinks it is 172.16.16.x
When C connects to server B then B thinks the address is 192.168.150.5
-- the address assigned by OpenVPN.
In fact, I can initiate sessions from B to 192.168.150.5, but this
does not solve my problem, because that OpenVPN is given out from a
pool, and I cannot depend on it being any particular value.
I want B to be able to connect to 10.10.10.10 , but it looks like the
routing is failing at my pfSense box. Client B knows enough to connect
to my pfSense box to find the mystery address, but pfSense does not
know what to do from that point.
I have tried manually adding routing rules to pfSense, but I don't
think I understand what I am doing.
EDIT: I still don't know what I am doing, but I copied the
configuration options for my site-to-site connections and now
the connection works.
This adds the following lines to the OpenVPN configuration:
route 10.10.10.0 255.255.255.0;push "route 172.26.16.0
and in the "client-specific configuration" tab of pfsense I have:
iroute 10.10.10.0 255.255.255.0
but I am not sure why this makes things work. Removing any one of
these lines makes things fail. I understand I am making a "site to site"
connection to my one client, but I don't understand why this should be
necessary for server B to connect to client C.
More information about the kwlug-disc