guides to create openvpn server in linux?

[+BudMan MVC]

"if i connect to the openvpn server at my office, that makes me a client right?"

If use a VPN client to connect to it then yeah -- Why and the F would you do that??? Your on the same freaking lan!

If you don't use the openvpn client, or on the client network that the remote vpn routers then NO your not a client.

BTW, that drawing is the best you have put up so far -- other than leaving out all the NAT routers that are in front of all the vpn clients and the vpn server.

edit: Ok this is a better drawing of what your doing - is it not? You have no idea what the remote private networks are. And your remote devices are on some 172.16.x vpn networks. But your trying to admin/support them from boxes on the 192.168.100.0/24 network at your office. And your using 10.10.x addresses as your vpn tunnel endpoints.

And you have route in your internet router to point to the vpn router for the different remote 172.16.x.x/24 networks

I add this detail because its IMPORTANT to understand this - or your drawing just looks like a simple site to site vpn setup.

Nor are these 192.168.100 boxes "clients" of the vpn server router. They are not running openvpn client software? Are they?

[metro2012]

"if i connect to the openvpn server at my office, that makes me a client right?"

If use a VPN client to connect to it then yeah -- Why and the F would you do that??? Your on the same freaking lan!

i connect to it because the vpn server knows the routes to get to the remote openvpn client.

actually, the vpn clients (my pc's openvpn client software and the nb1600) know how to get to the openvpn server. that would be a lot better explaination of why i connect to the openvpn server :)

If you don't use the openvpn client, or on the client network that the remote vpn routers then NO your not a client.

but then there is no way to get on the lan2 side of nb1600 at the remove connections (which is 172.16.x.x, where the x at 172.16.x is different for each company)

BTW, that drawing is the best you have put up so far -- other than leaving out all the NAT routers that are in front of all the vpn clients and the vpn server.

i wanted to keep the drawing as simple as possible this time....hoping to explain it better.

edit: Ok this is a better drawing of what your doing - is it not? You have no idea what the remote private networks are. And your remote devices are on some 172.16.x vpn networks. But your trying to admin/support them from boxes on the 192.168.100.0/24 network at your office. And your using 10.10.x addresses as your vpn tunnel endpoints.

yes. that drawing is correct, if i understand it correctly. i wont backpedal this time. i bolded what u wrote because that is what i ment when i put it should not matter what the other networks are and when i said it shud "magically" work. obviously not the best wording so i apoligize.

And you have route in your internet router to point to the vpn router for the different remote 172.16.x.x/24 networks

NO. I want to make it clear that the ONLY routes that exist are on the openvpn server/clients. no other device has routes what so ever (other than its obvious defaults).

I add this detail because its IMPORTANT to understand this - or your drawing just looks like a simple site to site vpn setup.

i wanted to bold that "NO" to make sure that its also clear that the only routes exist on the openvpn server/clients. nothing else. the pcs and the remote tcp/ip equipment have no routes what so ever. the remote tcp/ip equipment have no idea they are on a vpn and the pcs know it because they have openvpn software on them. nothing else.

Nor are these 192.168.100 boxes "clients" of the vpn server router. They are not running openvpn client software? Are they?

YES. The 192.168.100.x boxes are running openvpn client software so they can access the openvpn server and read the routes to get to the rest of the remote networks.

there is a "reason" (with quotes) that i make the boxes connect to a openvpn server on my local lan: we will give support from the office but if someone stays home for whatever reason, he should also give support from home.

i understand that this thread "burns" as in its been weeks and pages and pages of post after post, soem not clear on my part and i apoligize once again and thank you very much for having patiences :)

[+BudMan MVC]

"YES. The 192.168.100.x boxes are running openvpn client software so they can access the openvpn server and read the routes to get to the rest of the remote networks."

You should of brought this up pages and pages ago - this changes everything!!!!

I was wondering how you were saying was working - back you said you put in routes, I assumed you put in a route into your internet router to point to the vpn server.. Or you placed it on the hosts, that is what we talked about doing, etc.

"it should not matter what the other networks"

And again I am going to tell you that it DOES FREAKING MATTER -- if you run into a conflict with what networks your routing over your vpn network. But if your vpn software on each of your work pcs -- JFC you could of brought that up on page freaking ONE!! It's possible that if you set default route?

Here is my point.. So for example 2nd interface on the remote sides has 172.16.x.0/24 right -- what if their network is 172.16.x.0/24? This puts the same network on both of your interfaces. This is why I point out knowing what the remote networks are!

So now as I see your problem you don't want clients to be able to talk to each other that are from different sites. But you want client to be able to talk to all the sites?? Yeah I really don't think that is going to work???? Off the top of my head I can't think of way to do that.

[metro2012]

"YES. The 192.168.100.x boxes are running openvpn client software so they can access the openvpn server and read the routes to get to the rest of the remote networks."

You should of brought this up pages and pages ago - this changes everything!!!!

im sorry. i was focusing on the network layout rather than the software....

I was wondering how you were saying was working - back you said you put in routes, I assumed you put in a route into your internet router to point to the vpn server.. Or you placed it on the hosts, that is what we talked about doing, etc.

"it should not matter what the other networks"

And again I am going to tell you that it DOES FREAKING MATTER -- if you run into a conflict with what networks your routing over your vpn network. But if your vpn software on each of your work pcs -- JFC you could of brought that up on page freaking ONE!! It's possible that if you set default route?

Here is my point.. So for example 2nd interface on the remote sides has 172.16.x.0/24 right -- what if their network is 172.16.x.0/24? This puts the same network on both of your interfaces. This is why I point out knowing what the remote networks are!

yes, ive stated the 172.16.x.x network as a example but we were indeed told to pick some strange network for lan2 to make sure there is no confclits

So now as I see your problem you don't want clients to be able to talk to each other that are from different sites. But you want client to be able to talk to all the sites?? Yeah I really don't think that is going to work???? Off the top of my head I can't think of way to do that.

i want me, client 1, to talk to all clients (2, 3, 4) but i dont want 2,3,4 to talk to each other. could i put firewall rules in my openvpn server???

[+BudMan MVC]

Yes you could do it with firewall/acl of some sort. I would have to reread the manual - not sure that router can do that?

[metro2012]

Yes you could do it with firewall/acl of some sort. I would have to reread the manual - not sure that router can do that?

yes it has a firewall but i did not mean on the nb1600. i ment on the openvpn server.

[+BudMan MVC]

So your no longer using a nb1600 at the office, but a full linux os, running openvpn? And the nb1600s at the remote locations.

[metro2012]

So your no longer using a nb1600 at the office, but a full linux os, running openvpn? And the nb1600s at the remote locations.

yes. i mentioned that the "tech guy" gave up on using the nb1600 as a server as it was too hard for him and just told me to copy/paste stuff on a linux box running openvpn

[+BudMan MVC]

Well if that is the case - this should be what your after then.

http://backreference.org/2010/05/02/controlling-client-to-client-connections-in-openvpn/

Controlling client-to-client connections in OpenVPN

[metro2012]

Well if that is the case - this should be what your after then.

http://backreference.org/2010/05/02/controlling-client-to-client-connections-in-openvpn/

Controlling client-to-client connections in OpenVPN

i have no firewall currently in place......that article sounds more like a currently firewall in place that is blocking everything and i should make rules to ALLOW....

i think in my case it should be the opposite: a firewall that allows everything (as stupid as it sounds) and rules to BLOCK it.....it shouldnt be that difficult to implement although im not too familar with iptables....

[metro2012]

that second part: "This works fine; the only issue is a few extra packets are generated by the server." i dont understand too well so i cant do/understand the opposite :s

[metro2012]

tried the oppsite and it didnt work :(

blocked all packets from/to tunnel address and it didnt seem to work.

[+BudMan MVC]

"that article sounds more like a currently firewall in place that is blocking everything and i should make rules to ALLOW...."

No that is not what it said.

"To confirm that this is true, run tcpdump on the server while client-to-client is disabled, no firewall is in effect, and two clients are pinging each other"

So lets get some basics down, what interface type are you using in openvpn tun or tap?

And when you have the client-to-client option off, can your clients talk to each other? If this is off your clients should not be able to talk to each other??

BTW, firewalls do not allow all and block specific - since once you hit a rule allow, it would not go to any other rules. Default rule on a firewall is always deny.

You then need to put rules before the deny rule that allows the traffic you want. If you put in an allow all rule, then your deny would never get hit now would it ;)

[metro2012]

"that article sounds more like a currently firewall in place that is blocking everything and i should make rules to ALLOW...."

No that is not what it said.

"To confirm that this is true, run tcpdump on the server while client-to-client is disabled, no firewall is in effect, and two clients are pinging each other"

So lets get some basics down, what interface type are you using in openvpn tun or tap?

tun

And when you have the client-to-client option off, can your clients talk to each other? If this is off your clients should not be able to talk to each other??

correct. on the server, when i turn off (remove the line of client-to-client) they cannot talk to each other. if i turn it on (the line is there, they can talk to each other)

ill reconfirm that 100% once again tommorrow

BTW, firewalls do not allow all and block specific - since once you hit a rule allow, it would not go to any other rules. Default rule on a firewall is always deny.

You then need to put rules before the deny rule that allows the traffic you want. If you put in an allow all rule, then your deny would never get hit now would it ;)

that bold part: the default rule in iptables in deny everything? i thought iptables had it as allow everything then block it via your rules. i use a gui (dont remember what it is called) in ubuntu and there is no deny everything from/to everything rule..... thats why i ask.

i mean it makes sense it blocks everything (it is a firewall after all) but im just asking :)

again thanks for the help budman.

[metro2012]

damn it.........i was reading some things and trying to better the security but i ****ed sumthing up and now i can only access one of the lan2 ports (172.16.3.1...........cant access the rest)

i think the problem is possibly server side.

[metro2012]

after all of this and now this :(

[metro2012]

i observe the folowing:

when i connect to my local openvpn server from a local computer, on my local computer, i lose track of the local network. i can ping the vpn addresses such as 10.10.10.1 and such but the rest i lose.........

could a route be missing?

also even when im not connected to the vpn, internet has been increiblely slow for loading.

[Lilrich]

After setting up my own VPN using PfSense i have to say that this is one of the most confusing threads i have ever read on Neowin, i have literally got no idea what it is you are trying to do or where you are upto for that matter.

Might be a good idea to sit down and think about what you are trying to achive and come back and explain it properly so that someone can help.

8 Pages with no resoloution is insane.

[metro2012]

After setting up my own VPN using PfSense i have to say that this is one of the most confusing threads i have ever read on Neowin, i have literally got no idea what it is you are trying to do or where you are upto for that matter.

Might be a good idea to sit down and think about what you are trying to achive and come back and explain it properly so that someone can help.

8 Pages with no resoloution is insane.

this isnt a typical vpn setup.

it was solved but for some odd reason it got disconfigured.

on to more information:

on other pcs on my network i get on speedtest about a 105ms ping.

on this pc i get a 4000ms ping

could it be that my pc is trying all different sorts of routes and since at the end they all fail, they go with the default?

ive done a route -f so that should have solvded that but still nothing. this is while im not connected to the openvpn.

[metro2012]

yup it has to be the routing table. i get a error pining 127.0.0.1!!!!

i think its the routing table as there is only 1 entry

destination submask gateway interface metric

0.0.0.0 0.0.0.0 192.168.100.100 192.168.100.73 266

how do i restart my routing table to default?

[metro2012]

i did a /release and /renew and entries poppued up but i still cant do a ping to 127.0.0.1

i went to a xp machine and there are not only more entries but the metric here has been set to 266

[+BudMan MVC]

restart the machine if you lost your routing table.

edit: Yeah it took like 6 pages to even understand what he was trying to do exactly, because he keep saying yup that is what he wanted, when it wasn't. I would draw out how I thought his networks were setup and what he wanted, and YEAH that's it - when no it was not even close.

This has probably been the most frustrating thread I have ever had the displeasure of being in, I should of dropped it on page 2 ;)

I really don't know if lang barrier, or just NO understanding of networking at all?

What they are wanting to do in a nutshell, is vpn endpoints behind 2 nat routers, where he does not even know or care about the remote side network. He is going to run into a site where this is a problem for damn sure! he is going to run into a site where the network there is same as one of his other networks. Anyhoo.

He then wants none of the clients to be able to talk to each other, but he wants some clients to be able to talk to all the clients.

He has computers at the main location using vpn client into the vpn endpoint at the main location, vs just being on the network there.. Where he could talk to all clients, but none of the clients would be able to talk to all the other clients, etc.

He is using this industrial router, which has lots of features and looks pretty good. But his setup is just freaking NUTS!! It would be much simpler if his vpn endpoint at the main office was actually the edge router vs box inside a NAT.

Its a total nightmare to be sure!