Hi Jeff,

See response inline:

Jeff Boyce wrote:

>> I guess you need at least something like this:
>>
>> $ cat /etc/config/network
>> ...
>> config interface 'vpn'
>> option ifname 'tun0'
>> option defaultroute '0'
>> option peerdns '0'
>> option proto 'none'
>>
>
> I had everything here in my network config file, except the defaultroute and
> peerdns options.  After reviewing what those options are, I am not sure that
> they are necessary, but I have included them in my config now.

Maybe they are not really needed - most important is to have that "vpn" 
interface that can be used in the firewall config.

>> $ cat /etc/config/firewall
>> ...
>> config zone
>> option name 'vpn'
>> option input 'ACCEPT'
>> option output 'ACCEPT'
>> option forward 'ACCEPT'
>> option network 'vpn'
>>
>
> I had Option Forward REJECT on this.  I have changed this to ACCEPT on the
> VPN zone, and also changed it to ACCEPT on the LAN zone (which was also
> REJECT).

That's definitely needed.

> So after all these changes, and restarting services, and even rebooting the
> router, the result was the same.  In summary, trying to ping the Vista box
> behind the Server would result in the response: Reply from 10.4.0.1:
> Destination host unreachable.  Address 10.4.0.1 is the tunnel address at the
> server end of the VPN tunnel.  So it seems to me that the server end of the
> tunnel doesn't know what the LAN network is behind it.

If you are able to ping the Vista box from the OpenWrt router it still 
sounds like a firewall issue to me - either on the router or on the 
Vista box.

Since the OpenWrt router is configured as the default gateway on the 
Vista box you don't need to add additional routes (except for the 
OpenVPN client, which should be done by the OpenVPN config.)

In order to identify the firewall that causes the issue, I would disable 
all firewalls first, retry the ping tests, and enable them again step by 
step.

On the OpenWrt box this can be done by:
$ /etc/init.d/firewall stop
and to enable:
$ /etc/init.d/firewall start
(Warning: this also disables NAT/MASQUERADING and may disconnect hosts 
behind the router from the internet!)

On Vista there is also a way to completely disable the firewall.

If the OpenWrt firewall is the origin of the issue it helps to see what 
the resulting iptables rules are. The OpenWrt firewall config is just 
used for a set of macros/scripts which create iptables rules.

Please send those iptables rules and you will probably get further help 
here ;)

$ iptables -L -n -v
$ iptables -L -n -v -t nat

Cheers,
Mathias.


------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
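
One way to read the `iptables -L -n -v` listing requested in the message above, added here as an example that is not part of the original e-mail: the packet counters show which DROP/REJECT rule or chain policy is actually discarding the forwarded pings. The function names, the chain name `zone_vpn_forward` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the DROP/REJECT rules (and chain policies) whose packet
# counter is non-zero in "iptables -L -n -v" output read from stdin.
# On the router: iptables -L -n -v | find_blocking_rules

find_blocking_rules() {
    awk '
        /^Chain / {
            chain = $2
            # Built-in chains carry a policy, e.g.
            # "Chain FORWARD (policy DROP 3 packets, 252 bytes)"
            if ($3 == "(policy" && ($4 == "DROP" || $4 == "REJECT") && $5 != "0")
                printf "%s policy %s pkts=%s\n", chain, $4, $5
            next
        }
        # Skip the column header and blank separator lines.
        $1 == "pkts" || NF == 0 { next }
        # Rule columns: pkts bytes target prot opt in out source destination
        ($3 == "DROP" || $3 == "REJECT") && $1 != "0" {
            printf "%s %s pkts=%s in=%s out=%s\n", chain, $3, $1, $6, $7
        }
    '
}

# Constructed sample listing (not taken from the thread): four packets that
# arrived on tun0 were rejected in a per-zone forward chain.
sample_rules() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   40  3360 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    4   336 zone_vpn_forward  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0

Chain zone_vpn_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    4   336 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

sample_rules | find_blocking_rules
```

Running the ping test again and comparing the counters before and after shows which entry increments for the failing traffic.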
