On 2014-07-28 08:43, John wrote:
> On Sun, Jul 27, 2014 at 02:07:34PM -0400, Gordon Turner wrote:
>> On 2014-07-27 10:16, John wrote:
>>> On Sat, Jul 26, 2014 at 05:34:56PM -0400, Gordon Turner wrote:
>>>> On 2014-07-23 20:30, Gordon Turner wrote:
>>>
>>> Does your gateway at 192.168.2.1 know how to reach 10.0.0.0/24? Does it
>>> have a route telling it to use 192.168.2.140 to reach 10.0.0.0/24?
>> I don't have any other routes set up, I guess I am struggling with
>> where I should add them?
> If I understand your network topology correctly, you need to add a
> route to 10.0.0.0/24 on the gateway device 192.168.2.1, otherwise return
> traffic from 192.168.2.0/24 to 10.0.0.0/24 is probably taking some
> other path or getting dropped.
> So on the gateway which is 192.168.2.1:
> /sbin/route add 10.0.0.0/24 192.168.2.140
That, eventually, did the trick.
That was one of the first things I tried, but the route (for some
reason) wasn't used immediately. I rebooted the OpenVPN and restarted
the gateway router and then things were working! Yay!
I will eventually move the VPN end point to the new gateway / router,
but for now it is nice to have them decoupled.
I did have 2 more questions that someone might be able to help with:
Does `framed-ip-address` in `npppd-users` assign an ip address to the
user when authenticated? That was my expectation, but when I provide an
ip from the `pool-address` range, the value is not used. Another value
from the pool is used instead.
```
jtest:\
:password=SEEKRIT:\
:framed-ip-address=10.0.0.2:
```
With regards to adding extra rules to pf.conf for the VPN traffic, if I
am relying on l2tp and ipsec for authentication, and I trust those
connecting completely (i.e. me), is there any risk in NOT adding
additional filtering rules?
To put it a different way, I want to have VPN clients treated as if they
were on the private network natively. I am only forwarding UDP 500 and
4500 to the VPN endpoint, which is listening for them.
```
set skip on pppx0
pass in quick on egress proto udp from any to any port {500, 4500} keep state
pass on enc0 from any to any keep state (if-bound)
```
Thanks!
Gord.
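An added pf.conf fragment, not part of the thread, showing the alternative to `set skip on pppx0` that the question above is weighing: filter the tunnel interface instead of exempting it, so that only traffic from the npppd address pool and only towards the private network is accepted. It assumes the pool is 10.0.0.0/24 and the LAN is 192.168.2.0/24 as in the thread, that npppd sessions appear on pppx0, and that L2TP (UDP 1701) is the only thing expected to arrive through the IPsec tunnel on enc0.

```pf
# Added example (assumed addressing from the thread, not the poster's ruleset)
vpn_net = "10.0.0.0/24"      # npppd pool-address range
lan_net = "192.168.2.0/24"   # private network behind the gateway
vpn_if  = "pppx0"            # npppd session interface

# IKE and NAT-T to the endpoint, as in the original rules (UDP 500/4500
# are the only ports forwarded to this host)
pass in quick on egress proto udp from any to any port {500, 4500} keep state

# Only L2TP may come out of the IPsec tunnel: replaces "pass on enc0 from any to any"
pass in on enc0 proto udp from any to any port 1701 keep state (if-bound)

# Replaces "set skip on pppx0": default-deny on the tunnel interface, then
# allow pool addresses to reach the LAN and the LAN to reach pool addresses.
# Anything from a source outside the pool (spoofed or misconfigured client)
# is dropped and, with "log", shows up in pflog0 for review.
block in log on $vpn_if
pass in  on $vpn_if inet from $vpn_net to $lan_net keep state
pass out on $vpn_if inet from $lan_net to $vpn_net keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0` while a client connects to confirm nothing legitimate is hitting the block rule.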