OpenVPN client access

Report wireless and/or network connectivity problems in this forum.

Moderator: Moderators

Post Reply
darkpenguin
Posts: 4
Joined: Sat Jul 12, 2014 11:12 am

OpenVPN client access

Post by darkpenguin »

Hello!

I'm trying to use a Gargoyle router to establish a VPN connection with a remote office - so that each network should be able to access each other. In my office, I use a Linux server. But:

- The routers ping each other just fine;
- That router can ping my network (I don't know about computers behind it - not until Monday...);
- Neither my router (server), nor computers behind it can't ping that network behind that router. (And this is the problem, because I want them to!)

I have tested it with a Linux machine instead of that router, with exactly the same OpenVPN config, and it work fine. This proves that something is wrong with the router. My firewall is set up so that everything is allowed for this VPN, and ICMP is allowed for everything.

I use a very simple OpenVPN config:

Code: Select all

dev tun
proto udp
remote server.mainoffice.com 1194
ifconfig 169.254.0.2 169.254.0.1 # backwards on the server
route 192.168.1.0 255.255.255.0 # 192.168.2.0 255.255.255.0 on the server
Upon inspecting the configs, I see changes in the firewall:

Code: Select all

firewall.vpn_zone=zone
firewall.vpn_zone.name=vpn
firewall.vpn_zone.network=vpn
firewall.vpn_zone.input=ACCEPT
firewall.vpn_zone.output=ACCEPT
firewall.vpn_zone.forward=ACCEPT
firewall.vpn_zone.mtu_fix=1
firewall.vpn_zone.masq=1
firewall.vpn_lan_forwarding=forwarding
firewall.vpn_lan_forwarding.src=lan
firewall.vpn_lan_forwarding.dest=vpn
I tried disabling "masq" and switching "src" and "dest", but seems like there's more to it.

darkpenguin
Posts: 4
Joined: Sat Jul 12, 2014 11:12 am

Re: OpenVPN client access

Post by darkpenguin »

Problem solved.

The problem was that by default, OpenVPN on Gargoyle runs with a "higher level of script security", which disallows calling any scripts. Therefore, scripts that were supposed to run in order to configure everything accordingly to the newly established VPN connection were not run.

I only had to add one more line into the configuration file; if I recall correctly, it was "script-security 2" . That fixed everything, and I wanted to post an answer right away, but... procrastinators, unite! ...tomorrow. :D

Lantis
Moderator
Posts: 6920
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: OpenVPN client access

Post by Lantis »

This might be interesting information for @Eric
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

darkpenguin
Posts: 4
Joined: Sat Jul 12, 2014 11:12 am

Re: OpenVPN client access

Post by darkpenguin »

Reading the "man openvpn", I think that's actually the default behaviour for openvpn. But, suppose I am just a normal user who has no idea and doesn't care about how openvpn integrates into Gargoyle, which I actually was... It took me few days of reverse engineering to find out that there are scripts and for some reason they are not enabled by default. Especially since all the manuals never mentioned anything about it, even though no VPN settings get applied without that extra line. I guess it's supposed to be a pretty rare case when I want to allow access to my network from the network I'm connected to, so nobody has noticed it yet...

ispyisail
Moderator
Posts: 5194
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: OpenVPN client access

Post by ispyisail »

darkpenguin wrote:Reading the "man openvpn", I think that's actually the default behaviour for openvpn. But, suppose I am just a normal user who has no idea and doesn't care about how openvpn integrates into Gargoyle, which I actually was... It took me few days of reverse engineering to find out that there are scripts and for some reason they are not enabled by default. Especially since all the manuals never mentioned anything about it, even though no VPN settings get applied without that extra line. I guess it's supposed to be a pretty rare case when I want to allow access to my network from the network I'm connected to, so nobody has noticed it yet...
can you post more info?

I've only been able to communicate one way with OpenVPN so i'm interested in this

darkpenguin
Posts: 4
Joined: Sat Jul 12, 2014 11:12 am

Re: OpenVPN client access

Post by darkpenguin »

That was a while ago, and the Gargoyle router has died since then, but if I remember correctly, my config plus the line "script-security 2" should be enough.

If that's still not working, take a look at your firewall settings. I don't remember whether did I modify those or not.

The problem was that because of the default of "script-security 1" the appropriate scripts were not run, and so the firewall rules were not applied.

Post Reply