Hi,
Thanks. That's working.
I found this in the server config file:
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
I'm hoping that means I can assign a subnet of 10-dot addresses to the
client rather than the single address and then issue those to other
devices. I've got a USB NIC for my laptop. The other option would be to
re-NAT the address the client receives.
Cheers,
Paul.
On 27/02/11 09:56, Andryan wrote:
Oops, sorry, a typo.
sysctl -w net.ipv4.ip_forward=1
Should be
1 not 0. :)
On Sun, Feb 27, 2011 at 4:55 PM, Andryan <andryan(a)gmail.com> wrote:
> Hi Paul,
>
> First, you need to set up masquerading/SNAT on the OpenVPN server:
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> Second, you need to ensure ip_forwarding is enabled on the OpenVPN server:
>
> sysctl -w net.ipv4.ip_forward=0
>
> Next, how do you plan to route your VOIP phone and BlackBerry through
> this OpenVPN client?
>
>
> Regards,
> Andryan
>
>
> On Sun, Feb 27, 2011 at 8:35 AM, Paul Stimpson
> <paul(a)stimpsonfamily.co.uk> wrote:
>> Hi,
>>
>> On 25/02/11 15:53, Andryan wrote:
>>> Hi Paul,
>>>
>>> Does the OpenVPN client get a default route? Have you set up iptables
>>> masquerading/SNAT on eth0? Show us your "iptables -t nat -vnL".
>>>
>> These seem to make vague sense from the client except for the 2 defaults.
>>
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 10.26.0.1       10.26.0.5       255.255.255.255 UGH   0      0        0 tun0
>> 10.26.0.5       *               255.255.255.255 UH    0      0        0 tun0
>> redfox.vps.bitf 192.168.26.1    255.255.255.255 UGH   0      0        0 wlan0
>> 192.168.26.0    *               255.255.255.0   U     2      0        0 wlan0
>> link-local      *               255.255.0.0     U     1000   0        0 wlan0
>> default         10.26.0.5       128.0.0.0       UG    0      0        0 tun0
>> 128.0.0.0       10.26.0.5       128.0.0.0       UG    0      0        0 tun0
>> default         192.168.26.1    0.0.0.0         UG    0      0        0 wlan0
>>
>> The iptables gives no entries as I haven't set this up because I'm not sure
>> how. I'd be really grateful if you could give me some advice on how to do
>> this.
>>
>> Going forward, I'd like to try to route a small subnet from the client so I
>> can take my VOIP phone and a wireless access point for my Blackberry with
>> me. OpenVPN's ability to do this is one of my reasons for choosing it.
>>
>> Thanks,
>> Paul.
>>
>>
>>
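
Added example, not part of the original thread: a small Python check for the ccd procedure described in the sample server config quoted at the top of this message. It reports when client-config-dir is still commented out and when an iroute in a client file has no covering route line in the server config. The function names and the sample config strings are constructed for illustration.

```python
import ipaddress

def directives(text):
    """Yield (name, args) per active line; '#' and ';' start comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            yield name, args

def network(args):
    """'addr [netmask]' -> network; a missing mask means a single host."""
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.ip_network(f"{args[0]}/{mask}")

def check_iroutes(server_conf, ccd_files):
    """Return problems between server 'route' lines and per-client 'iroute' lines."""
    problems = []
    active = list(directives(server_conf))
    if not any(name == "client-config-dir" for name, _ in active):
        problems.append("client-config-dir is not enabled, ccd files are ignored")
    routes = [network(a) for n, a in active if n == "route"]
    for cn, text in ccd_files.items():
        for name, args in directives(text):
            if name == "iroute" and not any(network(args).subnet_of(r) for r in routes):
                problems.append(f"{cn}: iroute {network(args)} has no covering route")
    return problems

# Constructed samples based on the Thelonious example in the quoted config.
SERVER_AS_SHIPPED = """dev tun
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
"""
SERVER_EDITED = SERVER_AS_SHIPPED.replace(";", "")
CCD = {"Thelonious": "iroute 192.168.40.128 255.255.255.248\n"}

if __name__ == "__main__":
    for label, conf in (("as shipped", SERVER_AS_SHIPPED), ("edited", SERVER_EDITED)):
        print(label, check_iroutes(conf, CCD) or "OK")
```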