[kwlug-disc] Initiating connections to OpenVPN clients

Paul Nijjar paul_nijjar at yahoo.ca
Thu Jun 30 00:17:17 EDT 2011


On Wed, Jun 29, 2011 at 07:23:50PM -0400, Chris Frey wrote:
> On Wed, Jun 29, 2011 at 06:37:43PM -0400, Paul Nijjar wrote:
> > My inclination is to say that the firewall in front of client C is
> > blocking incoming connections from network A. But I don't know whether
> > OpenVPN can do magic to get around that. Can it?
> 
>   Network A ------- Server B
>      |
>   OpenVPN
>    Server --------VPNlink----------- Client C
> 
> So OpenVPN server and Client C must cooperate for Server B to reach C.
> 
> The firewall could be in the OpenVPN server, or on Client C itself.
> But once the VPN connection is made, the physical network that Client C
> is on has no role in blocking anything.  If it doesn't block the VPN
> connection, it can't block anything else.
> 
> If Client C connects to Server B, is C's IP address, as viewed from B
> on the same network / netmask as A?  How does that compare with C's
> idea of its own IP address?

Okay. Client C has a number of IP addresses (which I am making up): 

Locally C thinks it is 10.10.10.10 

The OpenVPN assigns an address of 192.168.150.5 to client C, which is
peered to 192.168.150.6 

Network A thinks it is 172.16.16.x 


When C connects to server B then B thinks the address is 192.168.150.5
-- the address assigned by OpenVPN. 

In fact, I can initiate sessions from B to 192.168.150.5, but this
does not solve my problem, because that OpenVPN address is given out
from a pool, and I cannot depend on it being any particular value. 

I want B to be able to connect to 10.10.10.10 , but it looks like the
routing is failing at my pfSense box. Client B knows enough to connect
to my pfSense box to find the mystery address, but pfSense does not
know what to do from that point. 

I have tried manually adding routing rules to pfSense, but I don't
think I understand what I am doing. 

EDIT: I still don't know what I am doing, but I copied the
configuration options for my site-to-site connections and now 
the connection works. 

This adds the following lines to the OpenVPN configuration: 

route 10.10.10.0 255.255.255.0;push "route 172.26.16.0 255.255.255.0"

and in the "client-specific configuration" tab of pfSense I have: 

iroute 10.10.10.0 255.255.255.0

but I am not sure why this makes things work. Removing any one of
these lines makes things fail. I understand I am making a "site to site"
connection to my one client, but I don't understand why this should be
necessary for server B to connect to client C. 



- Paul 

-- 
http://pnijjar.freeshell.org 
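The three lines from the message, written out as plain OpenVPN server-side configuration with a comment on what each one does. This is an added example and not part of the original post or of pfSense's generated configuration; it uses the made-up addresses from the message (10.10.10.0/24 for client C's side, 172.16.16.0/24 for network A, the 192.168.150.5/.6 tunnel pair) and assumes the client's certificate common name is "clientC", which is a hypothetical name chosen for the example.

```conf
# --- server side: the OpenVPN server instance on pfSense ---

# Give the server's kernel a route for client C's address range that
# points into the tunnel. Without it, packets from Server B for
# 10.10.10.10 reach pfSense, but pfSense has no route and drops them.
route 10.10.10.0 255.255.255.0

# Tell every connecting client that network A is reached through the
# tunnel, so C sends its replies back over the VPN instead of out its
# own default gateway, where they would never get back to B.
push "route 172.16.16.0 255.255.255.0"

# Enable per-client configuration files (pfSense's "client-specific
# configuration"). The file name is the client's certificate CN.
client-config-dir ccd

# --- server side: file ccd/clientC (hypothetical CN) ---

# All clients share one tun interface on the server, so the kernel route
# above only delivers the packet as far as the OpenVPN process. iroute
# tells OpenVPN's internal routing table which connected client owns
# 10.10.10.0/24; without it the process has no client to hand it to.
iroute 10.10.10.0 255.255.255.0

# Optional: pin C's tunnel address instead of taking one from the pool,
# so B could also rely on 192.168.150.5 being C (net30 address pair).
# ifconfig-push 192.168.150.5 192.168.150.6
```

Each line covers a different hop: `route` is for the server's kernel, `iroute` is for the OpenVPN process multiplexing clients on one tun device, and the pushed route is for the client's return path, which is why removing any one of them breaks the connection. A quick check after C connects is that the server's routing table lists 10.10.10.0/24 via the tunnel interface and the OpenVPN server log records the internal route being learned for clientC; the pfSense firewall rules on the OpenVPN interface must also permit the traffic from B.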
