Koozali.org: home of the SME Server

[ANNOUNCE] smeserver-openvpn-bridge-fws-1.1-2.rpm

imcintyre
« Reply #120 on: December 14, 2006, 06:43:32 PM »
I will post the result tonight. The IP address is the one that I specified "ian" to use when using the VPN. I thought the server file content was the issue.

AndrewR
« Reply #121 on: December 14, 2006, 09:23:38 PM »
Quote from: "imcintyre"
I will post the result tonight. The IP address is the one that I specified "ian" to use when using the VPN. I thought the server file content was the issue.


Ian, for you and for others... the following is a good way to be able to test connections without having to wait days in between:

1) On the workstation that is connecting to the VPN server, if it is running Windows XP or later.. enable Remote Desktop. If that workstation is behind a router, give it a static private address, and then on your router forward port 3389 to that address / machine. Then all you need to know is your public address from your ISP... and you can connect to your workstation from any machine that has the Remote Desktop Client installed (Windows XP and Server 2003 have it built-in. Otherwise it can be downloaded from Microsoft).

2) Remotely connect to your workstation, and then using the GUI, try connecting to the VPN. If it works, great. If not, well.. you can make changes without having to wait a day to do so.

I used this to set up my VPN and test... and it probably cut down the "development" time by several days.

imcintyre
« Reply #122 on: December 14, 2006, 10:50:37 PM »
Andrew;

My set up is as follows:

modem
     |
     |
SME Server
in gateway/server mode
     |
     |
wireless router
     |
     |
various wireless PCs and Xbox.

Will your suggestion work with this setup?
Thanks for your suggestion.

Ian

AndrewR
« Reply #123 on: December 14, 2006, 11:11:24 PM »
Quote from: "imcintyre"
Andrew;

My set up is as follows:

modem
     |
     |
SME Server
in gateway/server mode
     |
     |
wireless router
     |
     |
various wireless PCs and Xbox.

Will your suggestion work with this setup?
Thanks for your suggestion.

Ian


Yes, it should. The rules get fun.. but it's not impossible.

One question: does your wireless router do NAT as well, or are your PCs and XBOX on the same subnet as the SME server?

So.. in plain English.. if the Address of the SME Server is 192.168.1.1, do the PCs etc have addresses of 192.168.1.x?

If not, well, all we need to do is do port forwarding twice. Not hard.. but it means your Wireless Router will also need an address on its WAN port that is static. To give you an idea of my own home setup:

MODEM
  |
LINUX ROUTER (currently running ClarkConnect, going to be upgraded to SME)
  |
-------------------- SWITCH --------------------
   |                    |                   |
ROOMMATE             WIRELESS            ROUTERA
                                            |
                                  Private Network (PCs,
                                  printers, etc)


The Linux Router has a subnet of 192.168.66.0. RouterA has a WAN address of 192.168.66.101, and an internal network of 192.168.3.0. The Wireless is on its own subnet (192.168.4.0).

My rules, in basic form for remote access look like this:

1) ON Linux Router: Port 12000 (TCP and UDP) on the External interface (IP provided by ISP) is forwarded to Port 12000 on 192.168.66.101 (the WAN IP of RouterA)

2) ON RouterA: Port 12000 (TCP and UDP) on the WAN is forwarded to port 3389 (TCP and UDP) on 192.168.3.17, my workstation.

My workstation has a static IP. Anytime you do port forwarding and / or translation.. make sure your destination IP(s) have static addresses, otherwise if DHCP changes the address, the rules are broken.

**I chose to open up port 12000 on the public interface instead of 3389 simply because I didn't want to open a "common" port. The port translation is completely voluntary, you don't have to do it. If you do choose to do port translation, to continue with my example, this is what you would type into the Remote Desktop Client when connecting:

XXX.XXX.XXX.XXX:12000 (where XXX.XXX.XXX.XXX is the IP address on the external interface of your SME server).

Also remember to enable Remote Desktop on your workstation. Members of the Administrators group have remote desktop rights by default, but Remote Desktop is turned OFF by default in Windows XP. To turn RDP on, simply right click on My Computer - Properties. In the window that pops up, click on "Remote" and then put a checkmark beside the option "Allow users to connect remotely to my Machine". Click Apply then ok, and you're good to go.**

imcintyre
« Reply #124 on: December 15, 2006, 12:36:04 AM »
To answer the first question. My Server is handing out the local addresses.

So SME is 192.168.1.1
Router is 192.168.1.2
As I recall I did fix the Xbox, but it may be dynamic.
Everything else is dynamic.

imcintyre
« Reply #125 on: December 15, 2006, 01:44:53 AM »
Vipire wrote

Quote
cat /etc/openvpn/ccd-bridge/ian

Quote
[root@mcserver1 ~]# cat /etc/openvpn/ccd-bridge/ian
--ifconfig-push 192.168.7.200 255.255.255.0

Is this helpful?

Thx in advance for help.

Ian

Daniel B. (Firewall Services, network security)
« Reply #126 on: December 15, 2006, 09:54:44 AM »
Quote from: "imcintyre"
Vipire wrote

Quote
cat /etc/openvpn/ccd-bridge/ian

Quote
[root@mcserver1 ~]# cat /etc/openvpn/ccd-bridge/ian
--ifconfig-push 192.168.7.200 255.255.255.0

Is this helpful?

Thx in advance for help.

Ian


Well, it cannot work with this configuration. In the previous post you said that your SME is 192.168.1.1, so I guess it's on the subnet 192.168.1.0/255.255.255.0.
All your VPN clients should have an IP in this subnet, 192.168.1.X, not 192.168.7.X.
It's the end of the world!!! :lol:

imcintyre
« Reply #127 on: December 15, 2006, 10:24:30 AM »
Vip-ire

Sorry for the confusion, a momentary lapse in clarity of thought. My home network is on 192.168.7.*

Work, where I was when I posted, is different.

Ian

Daniel B. (Firewall Services, network security)
« Reply #128 on: December 15, 2006, 10:27:32 AM »
Well, look at the permissions on the file /etc/openvpn/ccd-bridge/ian. The server complains it cannot access this file; if it's not a permission problem, I really don't know.
It's the end of the world!!! :lol:

imcintyre
« Reply #129 on: December 15, 2006, 10:39:54 AM »
Ok if the permissions are not correct as they are, how should they be?

Ian <~~noob

Daniel B. (Firewall Services, network security)
« Reply #130 on: December 15, 2006, 10:47:15 AM »
Well, they should be rw-r-r (world readable), but I just saw that they are (on my own server) rw-rw-rw (world writable). It shouldn't prevent it from working, but it's a security problem. Another thing I must correct.
It's the end of the world!!! :lol:

imcintyre
« Reply #131 on: December 15, 2006, 10:53:26 AM »
The permissions are as follows:

Quote
root@mcserver1 ccd-bridge]# ls -l
total 8
-rw-r--r--  1 root root 44 Dec 14 06:32 ian
-rw-r--r--  1 root root 44 Dec 14 06:32 server
[root@mcserver1 ccd-bridge]#


Which matches what you have.

Daniel B. (Firewall Services, network security)
« Reply #132 on: December 15, 2006, 11:03:41 AM »
Well, this means the file is world readable; there's no reason why the server cannot access or find the file /etc/openvpn/ccd-bridge/ian.

The best would be to install it on a test server (fresh install) to be sure there's no problem or conflict with another contrib. If you don't have a test server you can change a little template to remove the verification of the specific configuration file, but you will lose the advantage of the fixed IP through the VPN:

vim /etc/e-smith/templates-custom/etc/openvpn/server-bridge.conf/80clients

comment out line 14

Code:
$OUT .= "ccd-exclusive\n";

becomes

Code:
# $OUT .= "ccd-exclusive\n";

Then
Code:
expand-template /etc/openvpn/server-bridge.conf
/etc/init.d/openvpn-bridge restart
It's the end of the world!!! :lol:

imcintyre
« Reply #133 on: December 15, 2006, 11:20:09 AM »
I was trying to avoid the test server route. I may go back to beta 4.

There was one other thing that I thought of when you questioned my internal addresses. I checked my server settings and I had allowed the range to be 192.168.7.1~~254. Could this be a problem? I have changed it to only go to 199 and will let my VPN settings be 200 and above. I will let you know.

Then I will try your next suggestions. It will give me something to do over the holidays.

Thanks for all your help.

imcintyre
« Reply #134 on: December 15, 2006, 02:05:08 PM »
Ok; I changed my addressing and the permissions on the files and now it works ok. I will find out which solved the problem and post the answer.

Ian
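The three things this thread ends up checking on a ccd entry, its permission bits (readable, but not world writable), whether the pushed address really sits on the server's own LAN subnet, and whether it collides with the DHCP pool the server hands out, as an added Python audit script. It is not part of the contrib or of anyone's post; the sample entry is constructed to mirror Ian's file, and the ccd directory path and DHCP range are assumptions you pass in.

```python
import os
import stat
import ipaddress

# Constructed sample mirroring the ccd entry quoted in the thread
SAMPLE_CCD = "--ifconfig-push 192.168.7.200 255.255.255.0\n"

def parse_ifconfig_push(contents):
    """Return (address, netmask) from an ifconfig-push line (a leading '--' is tolerated)."""
    for raw in contents.splitlines():
        parts = raw.split("#", 1)[0].strip().lstrip("-").split()
        if len(parts) >= 3 and parts[0] == "ifconfig-push":
            return parts[1], parts[2]
    return None

def audit_ccd(contents, mode, lan, dhcp_range):
    """Check one ccd entry (text plus permission bits); returns findings, empty if OK."""
    findings = []
    # the thread settles on rw-r--r--: the daemon must be able to read the file
    if not mode & stat.S_IROTH:
        findings.append("file is not world readable; openvpn may fail to open it")
    # world-writable lets any local user change the address pushed to the client
    if mode & stat.S_IWOTH:
        findings.append("file is world writable; expected 0644 (rw-r--r--)")
    parsed = parse_ifconfig_push(contents)
    if parsed is None:
        findings.append("no ifconfig-push directive found")
        return findings
    addr_s, mask_s = parsed
    addr = ipaddress.ip_address(addr_s)
    net = ipaddress.ip_network(lan, strict=False)
    # bridged clients must land on the server's own LAN subnet
    if ipaddress.ip_network(f"{addr_s}/{mask_s}", strict=False) != net:
        findings.append(f"{addr_s}/{mask_s} is not on the server LAN {net}")
    # the pushed address must sit outside the DHCP pool handed out on that LAN
    lo, hi = (ipaddress.ip_address(x) for x in dhcp_range)
    if lo <= addr <= hi:
        findings.append(f"{addr_s} lies inside the DHCP pool {lo}-{hi}")
    return findings

def audit_ccd_dir(ccd_dir, lan, dhcp_range):
    """Apply audit_ccd to every regular file in a ccd directory such as /etc/openvpn/ccd-bridge."""
    report = {}
    for name in sorted(os.listdir(ccd_dir)):
        path = os.path.join(ccd_dir, name)
        if os.path.isfile(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            with open(path) as fh:
                report[name] = audit_ccd(fh.read(), mode, lan, dhcp_range)
    return report
```

With Ian's original pool of 192.168.7.1 to 254, `audit_ccd(SAMPLE_CCD, 0o644, "192.168.7.0/24", ("192.168.7.1", "192.168.7.254"))` reports the DHCP overlap; narrowing the pool to 199 as he did makes the entry clean.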