Configuring iptables for Openvpn 2.0.7 on fc3 for remote subnets

Ankush Grover ankush174 at gmail.com
Fri Aug 4 08:59:44 UTC 2006


hey friends,

 I have installed OpenVPN 2.0.7 on FC3 through rpm (dag repository).
The network scenario of my office is below:

Remote Client <----> Internet <-------> Cisco Pix Firewall (Gateway) <----> VPN Server & LAN Clients (192.168.5.0/24)

Cisco Pix Firewall: has a static public IP address and a LAN
address of 192.168.5.5, and it is also acting as the gateway for the LAN.

VPN Server: 192.168.5.20; this is also a server on the LAN
running a few more services for the clients on the LAN.

LAN Clients: 192.168.5.0/24

The VPN Server port, 1194, is open on the Firewall. I was able to
connect to the VPN Server from my home machine, but I was not able to
browse the clients or servers in the
network range of 192.168.5.0/24. I was able to access the NFS
directories on the VPN Server but not those of the LAN clients. The network is
heterogeneous (Windows & Linux).

In the OpenVPN FAQ I found this question: "I've successfully set up
OpenVPN and can ping between both OpenVPN peers, however I cannot reach
any of the other machines on the remote subnet. What's the problem?"

    * Make sure that the firewall is not filtering the TUN/TAP interface.
      -> Already allowed through the iptables entries below.

    * Make sure you have IP forwarding enabled on the server.
      -> It is enabled on my server.

    * If you are using routing (not ethernet bridging), make sure the
      clients (or LAN gateway) have a route back to the server for the
      packets coming in over the tunnel. This can be done by:
          a)  adding a route in your default gateway for the VPN
              network IP subnet pointing to the OpenVPN machine,
          b)  adding a route to every client, or
          c)  NATing all VPN traffic to the local address of the
              OpenVPN machine for network traffic which leaves the
              OpenVPN machine for the local net.

As I am using routing, not ethernet bridging, I think the last option,
"c", will be good, but I don't know how to configure iptables
for the same.

iptables -L on VPN Server
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.1.1.0/24           192.168.5.0/24

I had added "route 192.168.5.0 255.255.255.0" to the client.conf file
and "push "route 192.168.5.0 255.255.255.0"" to the server.conf file.

These entries are also added to iptables on VPN Server
# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT

# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT

# Allow TAP interface connections to OpenVPN server
iptables -A INPUT -i tap+ -j ACCEPT

# Allow TAP interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tap+ -j ACCEPT

I am attaching the OpenVPN server.conf file along with this email. I
will be very grateful if somebody can guide me on how to configure
iptables for the above scenario.

Thanks & Regards

Ankush Grover
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openvpnserver.conf
Type: application/octet-stream
Size: 10264 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20060804/f01f687a/attachment-0001.obj>
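The iptables setup for the FAQ's option (c), as an added example that is not part of the original post or of the OpenVPN project's own scripts. It assumes the LAN interface is eth0, the VPN client subnet is 10.1.1.0/24 (the source shown in the iptables -L output above) and the server's LAN address is 192.168.5.20; it prints the commands for review and only applies them when run as root with --apply.

```shell
#!/bin/sh
# Option (c) from the OpenVPN FAQ: SNAT the VPN client subnet to the OpenVPN
# server's own LAN address, so LAN hosts answer a host they already have a
# route to instead of an unknown 10.1.1.x address.
# Assumptions (not in the original mail): LAN interface eth0, VPN subnet
# 10.1.1.0/24, server LAN address 192.168.5.20. Override via environment.
VPN_NET="${VPN_NET:-10.1.1.0/24}"
LAN_NET="${LAN_NET:-192.168.5.0/24}"
LAN_IF="${LAN_IF:-eth0}"
LAN_ADDR="${LAN_ADDR:-192.168.5.20}"

# Emit the commands as text so they can be reviewed before being applied.
openvpn_nat_rules() {
    cat <<EOF
# 1. Turn on IPv4 forwarding (persist with net.ipv4.ip_forward = 1 in /etc/sysctl.conf)
sysctl -w net.ipv4.ip_forward=1
# 2. Accept tunnel traffic addressed to the server itself
iptables -A INPUT -i tun+ -j ACCEPT
# 3. Forward tunnel traffic only towards the LAN subnet, not anywhere else
iptables -A FORWARD -i tun+ -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
# 4. Let LAN hosts send back only replies to connections opened from the tunnel
iptables -A FORWARD -i $LAN_IF -o tun+ -m state --state ESTABLISHED,RELATED -j ACCEPT
# 5. Option (c): rewrite the source of VPN packets leaving on the LAN side
iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j SNAT --to-source $LAN_ADDR
EOF
}

# Number of generated commands that touch the nat table (sanity check).
count_nat_rules() {
    openvpn_nat_rules | grep -c -- '-t nat'
}

case "${1:-}" in
    --apply)
        # Execute the generated commands; requires root on the VPN server.
        openvpn_nat_rules | grep -v '^#' | while read -r cmd; do
            sh -c "$cmd"
        done
        ;;
    *)
        openvpn_nat_rules
        ;;
esac
```

With SNAT in place, LAN hosts see every VPN client as 192.168.5.20, so their own logs cannot tell clients apart; if per-client visibility on the LAN matters, option (a), a route for the VPN subnet on the Pix pointing at the OpenVPN machine, keeps the real source addresses.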