Openvpn Fedora tutorial?
On Jan 2, 2008 8:05 PM, Timothy Murphy <tim@birdsnest.maths.tcd.ie> wrote:
> Andrew Parker wrote:
>
> >> I found when following your suggestion
> >> that there was a typo in /etc/openvpn/server.conf
> >> (I had the wrong location for one of the keys).
> >> When I corrected this, and restarted openvpn on both machines,
> >> everything appeared (from /var/log/messages) to be fine.
> >> I have tun0 on my desktop at 192.168.5.1
> >> and tun0 on my laptop at 192.168.5.6 .
> >>
> >> I guess my question now is rather different -
> >> I'm not sure what I can do with the connection.
> >> I don't seem able to ssh in either direction.
> >> And ping fails in both directions too.
> >
> > for a connectivity test, each node should be able to ping the other.
> > i.e. desktop can ping 192.168.5.6 and laptop can ping 192.168.5.1.
>
> As I mentioned, I cannot ping either openvpn address,
> though I can ping my desktop alfred (in Ireland)
> from my laptop martha (in Italy);
> ---------------------------------
> [tim@martha ~]$ route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.5.5     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
> 192.168.5.0     192.168.5.5     255.255.255.0   UG    0      0        0 tun0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
> [tim@martha ~]$ ping -v -c2 192.168.5.1
> PING 192.168.5.1 (192.168.5.1) 56(84) bytes of data.
> From 192.168.5.1 icmp_seq=1 Destination Host Unreachable
> From 192.168.5.1 icmp_seq=2 Destination Host Unreachable
> [tim@martha ~]$ ping -v -c2 www.gayleard.com
> PING www.gayleard.com (86.43.71.228) 56(84) bytes of data.
> 64 bytes from 86.43.71.228: icmp_seq=1 ttl=240 time=105 ms
> 64 bytes from 86.43.71.228: icmp_seq=2 ttl=240 time=106 ms
> ---------------------------------
> [tim@alfred ~]$ route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.5.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
> 192.168.5.0     192.168.5.2     255.255.255.0   UG    0      0        0 tun0
> 192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
> 0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0
> [tim@alfred ~]$ ping -v -c2 87.6.120.53
> PING 87.6.120.53 (87.6.120.53) 56(84) bytes of data.
> 64 bytes from 87.6.120.53: icmp_seq=1 ttl=49 time=114 ms
> 64 bytes from 87.6.120.53: icmp_seq=2 ttl=49 time=104 ms
> [tim@alfred ~]$ ping -v -c2 192.168.5.6
> PING 192.168.5.6 (192.168.5.6) 56(84) bytes of data.
> From 192.168.5.1 icmp_seq=1 Destination Host Unreachable
> From 192.168.5.1 icmp_seq=1 Destination Host Unreachable
> ---------------------------------

your configs are very similar to mine, apart from a few cosmetic
differences. ditto for the routing tables.

do you have a firewall at either end? have you enabled tun+ devices
access? I have the following in mine, but depending on your f/w you
might want to insert the rules at the beginning rather than append:

/sbin/iptables --append INPUT --in-interface tun+ --jump ACCEPT
/sbin/iptables --append FORWARD --in-interface tun+ --jump ACCEPT
/sbin/iptables --append OUTPUT --out-interface tun+ --jump ACCEPT
/sbin/iptables --append FORWARD --out-interface tun+ --jump ACCEPT

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
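The append-versus-insert caveat in the message above, as an added example that is not part of the original post: an appended tun+ ACCEPT rule does nothing if an earlier rule in the same chain already hands every packet to a catch-all REJECT or DROP. The helper name `tun_rule_status`, the chain name `RH-Firewall-1-INPUT` and both rule dumps are constructed for illustration; the check only recognises unconditional DROP/REJECT rules and unconditional jumps into a chain that contains one.

```shell
# Constructed sample: tun+ rule appended to INPUT after the jump into a chain
# that ends in a catch-all REJECT (chain name is an assumption).
APPENDED='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -i tun+ -j ACCEPT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample: the same rule set with the tun+ rule inserted first.
INSERTED='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i tun+ -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Hypothetical helper: reads iptables-save text on stdin and prints whether the
# first tun+ ACCEPT rule in chain $1 is reachable, shadowed or missing.
tun_rule_status() {
  awk -v chain="$1" '
    $1 == "-A" { rules[++n] = $0 }
    END {
      for (i = 1; i <= n; i++) {   # pass 1: chains holding a catch-all DROP/REJECT
        split(rules[i], f, " ")
        if (f[3] == "-j" && f[4] ~ /^(DROP|REJECT)$/) terminal[f[2]] = 1
      }
      status = "missing"
      for (i = 1; i <= n; i++) {   # pass 2: walk the requested chain in rule order
        split(rules[i], f, " ")
        if (f[2] != chain) continue
        if (f[3] == "-j" && (f[4] ~ /^(DROP|REJECT)$/ || (f[4] in terminal))) blocked = 1
        else if (rules[i] ~ / -[io] tun\+ / && rules[i] ~ / -j ACCEPT$/) {
          status = blocked ? "shadowed" : "reachable"; break
        }
      }
      print status
    }'
}

printf '%s\n' "$APPENDED" | tun_rule_status INPUT
printf '%s\n' "$INSERTED" | tun_rule_status INPUT
```

On a live host the same check can be fed from `iptables-save | tun_rule_status INPUT`, run as root, and repeated for FORWARD and OUTPUT.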
Andrew Parker wrote:
>> >> I'm not sure what I can do with the connection.
>> >> I don't seem able to ssh in either direction.
>> >> And ping fails in both directions too.

> your configs are very similar to mine, apart from a few cosmetic
> differences. ditto for the routing tables.
>
> do you have a firewall at either end? have you enabled tun+ devices
> access? I have the following in mine, but depending on your f/w you
> might want to insert the rules at the beginning rather than append:
>
> /sbin/iptables --append INPUT --in-interface tun+ --jump ACCEPT
> /sbin/iptables --append FORWARD --in-interface tun+ --jump ACCEPT
> /sbin/iptables --append OUTPUT --out-interface tun+ --jump ACCEPT
> /sbin/iptables --append FORWARD --out-interface tun+ --jump ACCEPT

Thanks very much.
I found the problem did indeed lie in the firewall.
After adding the line
    loc tun0 192.168.5.0/24
to /etc/shorewall/interfaces on my server,
and re-starting shorewall,
I am able to ping and ssh in either direction:
=========================================
[tim@alfred ~]$ ping -v -c2 192.168.5.6
PING 192.168.5.6 (192.168.5.6) 56(84) bytes of data.
64 bytes from 192.168.5.6: icmp_seq=1 ttl=64 time=124 ms
64 bytes from 192.168.5.6: icmp_seq=2 ttl=64 time=118 ms
[tim@alfred ~]$ ssh 192.168.5.6
Last login: Thu Jan 3 12:23:55 2008
=========================================
[tim@martha ~]$ ping -v -c2 192.168.5.1
PING 192.168.5.1 (192.168.5.1) 56(84) bytes of data.
64 bytes from 192.168.5.1: icmp_seq=1 ttl=64 time=215 ms
64 bytes from 192.168.5.1: icmp_seq=2 ttl=64 time=118 ms
[tim@martha ~]$ ssh 192.168.5.1
Last login: Thu Jan 3 11:24:28 2008 from host156-198-dynamic.8-87-r.retail.telecomitalia.it
=========================================

--
Timothy Murphy
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
Timothy Murphy wrote:
> Is there a good tutorial for openvpn under Fedora?
> I've followed the instructions at
> <http://www.webhostingtalk.com/showthread.php?t=595436>
> but they seem to have made things worse rather than better.

Did you try the fairly obvious http://www.openvpn.net/ Instructions
there worked for me, on C4, Debian, RHL 7.3 and opensuse 10.2. I think I
had it on Windows at one point too.

--

Cheers
John

-- spambait
1aaaaaaa@coco.merseine.nu Z1aaaaaaa@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
John Summerfield wrote:
>> Is there a good tutorial for openvpn under Fedora?
>> I've followed the instructions at
>> <http://www.webhostingtalk.com/showthread.php?t=595436>
>> but they seem to have made things worse rather than better.
>>
>
> Did you try the fairly obvious http://www.openvpn.net/ Instructions
> there worked for me, on C4, Debian, RHL 7.3 and opensuse 10.2. I think I
> had it on Windows at one point too.

I did indeed look at this site.
Unfortunately I did not see anything that could be called a good tutorial.
I found the whole site rather muddled,
and far too full of self-praise about openvpn.

The OpenVPN Quickstart starts with a discussion
of the advantages and disadvantages of a Static Key
without ever explaining what a Static Key is.

The OpenVPN 2.0 HOWTO starts with a discussion
"whether to use a routed or bridged VPN",
again with no explanation of what the difference is.

A Fedora OpenVPN HOWTO would be very useful, I think.
I suggested to Miles Brennan that a chapter on openvpn
would make a good addition to his Linux Home Server HOWTO.

--
Timothy Murphy
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
Timothy Murphy wrote:
> John Summerfield wrote:
>
>>> Is there a good tutorial for openvpn under Fedora?
>>> I've followed the instructions at
>>> <http://www.webhostingtalk.com/showthread.php?t=595436>
>>> but they seem to have made things worse rather than better.
>>
>> Did you try the fairly obvious http://www.openvpn.net/ Instructions
>> there worked for me, on C4, Debian, RHL 7.3 and opensuse 10.2. I think I
>> had it on Windows at one point too.
>
> I did indeed look at this site.
> Unfortunately I did not see anything that could be called a good tutorial.
> I found the whole site rather muddled,

Oh. one click from the home page to the howto not good enough?

> and far too full of self-praise about openvpn.

He has a good product with a good price and a good licence. If he didn't
say so, would anyone use it?

> The OpenVPN Quickstart starts with a discussion
> of the advantages and disadvantages of a Static Key
> without ever explaining what a Static Key is.
>
> The OpenVPN 2.0 HOWTO starts with a discussion
> "whether to use a routed or bridged VPN",

You want routed. Probably.

> again with no explanation of what the difference is.

from the howto:
<<Z
Intended Audience

This HOWTO assumes that readers possess a prior understanding of basic
networking concepts such as IP addresses, DNS names, netmasks, subnets,
IP routing, routers, network interfaces, LANs, gateways, and firewall
rules. If you don't have a handle on these basics, but would still like
to set up OpenVPN, I would encourage you to hire an OpenVPN expert on a
consulting basis. Many of the authors on the articles page are available
for consulting, or you can contact the creators of OpenVPN at
info@openvpn.net.
Z

It's not intended to be, and should not be, a tutorial on networking.

My first Linux book (before I used Linux) was the Linux NAG, Network
Administrators Guide, by Olaf Kirch. It's available as a free download,
maybe at The Linux Documentation Project. Hopefully, it's been updated,
a lot has changed since the 1.0 and 1.1 kernels.

--

Cheers
John

-- spambait
1aaaaaaa@coco.merseine.nu Z1aaaaaaa@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)