OpenVPN client access

Posted: Sat Jul 12, 2014 12:56 pm
by darkpenguin
Hello!

I'm trying to use a Gargoyle router to establish a VPN connection with a remote office, so that each network can access the other. In my office, I use a Linux server. But:

- The routers ping each other just fine;
- That router can ping my network (I don't know about computers behind it - not until Monday...);
- Neither my router (server) nor the computers behind it can ping the network behind that router. (And this is the problem, because I want them to!)

I have tested it with a Linux machine instead of that router, with exactly the same OpenVPN config, and it works fine. This proves that something is wrong with the router. My firewall is set up so that everything is allowed for this VPN, and ICMP is allowed for everything.

I use a very simple OpenVPN config:

dev tun
proto udp
remote server.mainoffice.com 1194
ifconfig 169.254.0.2 169.254.0.1 # backwards on the server
route 192.168.1.0 255.255.255.0 # 192.168.2.0 255.255.255.0 on the server

Upon inspecting the configs, I see changes in the firewall:

firewall.vpn_zone=zone
firewall.vpn_zone.name=vpn
firewall.vpn_zone.network=vpn
firewall.vpn_zone.input=ACCEPT
firewall.vpn_zone.output=ACCEPT
firewall.vpn_zone.forward=ACCEPT
firewall.vpn_zone.mtu_fix=1
firewall.vpn_zone.masq=1
firewall.vpn_lan_forwarding=forwarding
firewall.vpn_lan_forwarding.src=lan
firewall.vpn_lan_forwarding.dest=vpn

I tried disabling "masq" and switching "src" and "dest", but it seems like there's more to it.

Re: OpenVPN client access

Posted: Sat Feb 07, 2015 2:49 pm
by darkpenguin
Problem solved.

The problem was that by default, OpenVPN on Gargoyle runs with a "higher level of script security", which disallows calling any scripts. Therefore, the scripts that were supposed to run in order to configure everything according to the newly established VPN connection were not run.

I only had to add one more line to the configuration file; if I recall correctly, it was "script-security 2". That fixed everything, and I wanted to post an answer right away, but... procrastinators, unite! ...tomorrow. :D

Re: OpenVPN client access

Posted: Sat Feb 07, 2015 6:43 pm
by Lantis
This might be interesting information for @Eric

Re: OpenVPN client access

Posted: Sat Feb 07, 2015 7:30 pm
by darkpenguin
Reading "man openvpn", I think that's actually the default behaviour for openvpn. But suppose I am just a normal user who has no idea and doesn't care about how openvpn integrates into Gargoyle, which I actually was... It took me a few days of reverse engineering to find out that there are scripts and that for some reason they are not enabled by default. Especially since none of the manuals ever mentioned it, even though no VPN settings get applied without that extra line. I guess it's supposed to be a pretty rare case when I want to allow access to my network from the network I'm connected to, so nobody has noticed it yet...

Re: OpenVPN client access

Posted: Sat Feb 07, 2015 9:40 pm
by ispyisail
darkpenguin wrote:Reading "man openvpn", I think that's actually the default behaviour for openvpn. But suppose I am just a normal user who has no idea and doesn't care about how openvpn integrates into Gargoyle, which I actually was... It took me a few days of reverse engineering to find out that there are scripts and that for some reason they are not enabled by default. Especially since none of the manuals ever mentioned it, even though no VPN settings get applied without that extra line. I guess it's supposed to be a pretty rare case when I want to allow access to my network from the network I'm connected to, so nobody has noticed it yet...
can you post more info?

I've only been able to communicate one way with OpenVPN, so I'm interested in this.

Re: OpenVPN client access

Posted: Sat Feb 07, 2015 9:53 pm
by darkpenguin
That was a while ago, and the Gargoyle router has died since then, but if I remember correctly, my config plus the line "script-security 2" should be enough.

If that's still not working, take a look at your firewall settings. I don't remember whether I modified those or not.

The problem was that because of the default of "script-security 1" the appropriate scripts were not run, and so the firewall rules were not applied.
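As an added example (not Gargoyle's own hook script and not code from this thread), the following shows what "script-security 2" actually unlocks: an OpenVPN up/down script that applies the LAN-to-tunnel forwarding rules the firewall zone in the first post is meant to provide. With the default "script-security 1", OpenVPN refuses to run any user script, so the rules below never get installed and the tunnel carries only router-to-router traffic. The LAN bridge name br-lan, the iptables tool, the LOCAL_NET/REMOTE_NET defaults (taken from the posted 192.168.1.0/24 and 192.168.2.0/24 subnets) and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Gargoyle's or OpenVPN's own script): an OpenVPN
# "up"/"down" hook for a site-to-site router. OpenVPN only executes it
# when the client config allows user scripts, e.g.:
#
#   script-security 2
#   up   /etc/openvpn/vpn-site.sh
#   down /etc/openvpn/vpn-site.sh
#
# Assumptions (not from the thread): the LAN bridge is br-lan, this
# site's LAN is 192.168.2.0/24, the remote LAN is 192.168.1.0/24, and
# iptables is available. OpenVPN exports $script_type and $dev to the
# hook; $route_network_1 / $route_netmask_1 describe the first --route.

LAN_IF="${LAN_IF:-br-lan}"
LOCAL_NET="${LOCAL_NET:-192.168.2.0/24}"
REMOTE_NET="${REMOTE_NET:-192.168.1.0/24}"

# run: execute a command, or just print it when DRY_RUN=1 so the rule
# set can be reviewed (and tested) without root or a live tunnel.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vpn_rules DEV REMOTE_NET LOCAL_NET ACTION
# The two FORWARD rules that let the LANs reach each other through the
# tunnel device. ACTION is -I (on up) or -D (on down).
vpn_rules() {
    dev="$1"; remote="$2"; local_net="$3"; action="$4"
    run iptables "$action" FORWARD -i "$dev" -o "$LAN_IF" -s "$remote" -d "$local_net" -j ACCEPT
    run iptables "$action" FORWARD -i "$LAN_IF" -o "$dev" -s "$local_net" -d "$remote" -j ACCEPT
}

# vpn_hook SCRIPT_TYPE DEV
# Dispatch on the script_type OpenVPN exports ("up" or "down").
vpn_hook() {
    case "$1" in
        up)
            # Routing between LAN and tunnel needs forwarding enabled.
            run sysctl -w net.ipv4.ip_forward=1
            vpn_rules "$2" "$REMOTE_NET" "$LOCAL_NET" -I
            ;;
        down)
            vpn_rules "$2" "$REMOTE_NET" "$LOCAL_NET" -D
            ;;
        *)
            echo "unknown script_type: $1" >&2
            return 1
            ;;
    esac
}

# Only act when OpenVPN is the caller (it exports script_type and dev).
if [ -n "${script_type:-}" ] && [ -n "${dev:-}" ]; then
    vpn_hook "$script_type" "$dev"
fi
```

Run it by hand with `DRY_RUN=1 script_type=up dev=tun0 sh vpn-site.sh` to see the exact rules before trusting them on the router. One caveat on the posted zone: `masq=1` on the vpn zone source-NATs everything leaving through the tunnel to the router's tunnel address, so the remote side never sees the LAN hosts themselves; for a real site-to-site link, that should be off and the remote end needs its own return route (the `route 192.168.2.0 255.255.255.0` line on the server in the original config).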