Re: Surf outside Internet through VPN
Darren Pilgrim wrote:
> Noah Silverman wrote:
>> I want to find a way to pass ALL traffic from my laptop THROUGH my
>> office VPN and then out to the Internet. This is a "road warrior"
>> setup. This gives me a few benefits: 1) I can check my email
>> securely through VPN. 2) No matter where I am, I will always have
>> the external IP of my VPN server when accessing the web.
>>
>> I have set up a VPN. Was able to get it working with either tun or
>> tap interfaces. That part seems OK.
>>
>> Now what?? (I can see and connect to the VPN server with '10.0.8.1'
>> easily. I can't see or connect to the outside world.) Do I need to
>> add some kind of special route in the routing table?
>
> If you can talk to arbitrary hosts on your office network--not just
> the VPN server--setting your default router to the office's gateway
> will achieve what you want.

If you meant the internal address of the office's gateway, then changing the default route to that means that you will no longer be able to reach the public IP of the VPN peer.

What you need to do is:

i) Add a host route to the VPN peer address, via your current default gateway on whatever network you happen to be on.

ii) Change your default route to be something on your office net that is willing to route traffic out to the Internet for you. This potentially could be the internal address of your office firewall, if it knows how to route back to you via the VPN terminating box. Alternatively, just the other end of your tunnel; I'm guessing from the above that it's '10.0.8.1'.

If you're using OpenVPN, then the "redirect-gateway" directive tries to do the above for you.

Cheers,

Dunc
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
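The two steps Dunc lists, as an added example that is not code from this thread: a small Python planner that reads a FreeBSD "netstat -rn -f inet" listing and prints the route(8) commands in the order that keeps the tunnel reachable (host route to the peer via the present gateway first, then the default route into the tunnel), plus the commands to undo it. The routing table, the peer address 203.0.113.10, the gateway 192.168.43.1 and the interface names are constructed; 10.0.8.1 is the tunnel far end from the post; nothing is executed, the commands are only printed.

```python
"""Plan (dry-run) the route changes for sending all traffic through a VPN.

Added example, not code from the list posts.  Input is the text of a FreeBSD
"netstat -rn -f inet" listing; output is the route(8) commands to run, in the
only order that does not cut off the VPN peer.  Nothing here touches the
kernel routing table.
"""

# Constructed sample of "netstat -rn -f inet" on a laptop whose VPN (tun0)
# is up but whose default route still points at the local (wi0) gateway.
SAMPLE_NETSTAT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.43.1       UGS         0     1234    wi0
10.0.8.0/24        10.0.8.1           UGS         0        0   tun0
10.0.8.1           10.0.8.2           UH          0        0   tun0
127.0.0.1          127.0.0.1          UH          0       10    lo0
192.168.43.0/24    link#1             UC          0        0    wi0
"""


def default_gateway(netstat_output: str) -> str:
    """Return the gateway of the 'default' entry, or raise if there is none."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "default":
            return fields[1]
    raise LookupError("no default route in routing table")


def plan_routes(netstat_output: str, vpn_peer: str, tunnel_far_end: str) -> list:
    """Step i) pin the VPN peer via the current gateway; step ii) move default."""
    gw = default_gateway(netstat_output)
    if gw == tunnel_far_end:
        raise ValueError("default route already points into the tunnel")
    return [
        f"route add -host {vpn_peer} {gw}",       # must come first
        f"route change default {tunnel_far_end}",  # now safe to move default
    ]


def revert_routes(netstat_output_before: str, vpn_peer: str) -> list:
    """Commands to restore the pre-VPN state (run when the tunnel goes down)."""
    gw = default_gateway(netstat_output_before)
    return [f"route change default {gw}", f"route delete -host {vpn_peer}"]


if __name__ == "__main__":
    for cmd in plan_routes(SAMPLE_NETSTAT, "203.0.113.10", "10.0.8.1"):
        print(cmd)
```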
Layer2 VPN
Hi folks,

I've been trying to create a layer2 VPN using FreeBSD boxes as the gateways. The 2 methods I thought of are:-

a) Create a tunnel between the 2 gateways using gif interfaces, and bridge the gifs onto a real NIC.

b) Using openvpn in bridging mode, and bridge the tap device onto a real NIC.

Both methods seem to work fine, unless I try and put 802.1Q traffic down the VPN, in which case neither method works.

Is there some fundamental reason as to why this would not work, or am I just flailing?? (I'm pretty sure everything is configured right, my tagged traffic is fine without the VPN in the equation, and also the VPN is fine with no tagged traffic.)

If this is just not going to work, and I should stop now, does anybody have any suggestions as to how I might achieve this in FreeBSD?

Regards,

Dunc
Re: Layer2 VPN
Andrew Thompson wrote:
> On Tue, Oct 03, 2006 at 11:41:07AM +0100, Dunc wrote:
>> Hi folks,
>>
>> I've been trying to create a layer2 VPN using FreeBSD boxes as the
>> gateways. The 2 methods I thought of are:-
>>
>> a) Create a tunnel between the 2 gateways using gif interfaces, and
>> bridge the gifs onto a real NIC.
>>
>> Both methods seem to work fine, unless I try and put 802.1Q traffic
>> down the VPN, in which case neither method works.
>
> This should work fine with vlan headers, do you have any indication of
> where the problem is? You may need to get packet dumps at the sending
> and receiving ends.
>
> Grab a tcpdump at the sending bridge0, sending interface, receiving
> interface, receiving bridge0. You can send them to me if you need help
> deciphering them.
>
> cheers,
> Andrew

Hi Andrew,

I couldn't see why it wouldn't either. It's just an ethernet frame with an extra field filled in, AIUI.

I did do dumps earlier, and the problem seemed to be around about the bridge device at the far end as I pinged; however, I will start again from scratch tomorrow and get some data. I was on a bit of a mission today as I need to have a working solution soon, so I tried combinations of OS and tunnel techs. The only actual success I have had so far is Linux with OpenVPN in tap mode.

Anyway, thanks for your help so far and I shall return.

Cheers,

Dunc
Re: Layer2 VPN
Andrew Thompson wrote:
> On Wed, Oct 04, 2006 at 12:32:15AM +0100, Dunc wrote:
>> Andrew Thompson wrote:
>>> On Tue, Oct 03, 2006 at 11:41:07AM +0100, Dunc wrote:
>>>
>>>> Hi folks,
>>>>
>>>> I've been trying to create a layer2 VPN using FreeBSD boxes as the
>>>> gateways.
>>>>
>>> This should work fine with vlan headers, do you have any indication of
>>> where the problem is? You may need to get packet dumps at the sending
>>> and receiving ends.
>>>
>> I couldn't see why it wouldn't either. It's just an ethernet frame with
>> an extra field filled in, AIUI.
>>
>
> It may be because our bridge does not yet differentiate between vlans in
> its forwarding table; you can confirm this by clearing the learn flag on all
> the interfaces (ifconfig bridge0 -learn xxx0). It's not a proper solution
> of course.
>
> Andrew

Hiya,

Switching learning off doesn't seem to have helped.

Please find attached some ifconfig output, and also tcpdumps. I'm starting at the interface where the machine I'm pinging from plugs in (fxp1). I'm including dumps with normal traffic (just to prove I have configured everything correctly, as much as anything :-) ), and then with .1Q traffic.

Hope this can shed some light.
Cheers,

Dunc

A end -

fxp1: flags=8943 mtu 1500
        options=8
        inet6 fe80::202:b3ff:fed8:40ff%fxp1 prefixlen 64 scopeid 0x2
        ether 00:02:b3:d8:40:ff
        media: Ethernet autoselect (100baseTX )
        status: active
gif0: flags=8051 mtu 1280
        tunnel inet 172.16.3.228 --> 172.16.3.245
        inet6 fe80::202:b3ff:fed8:40fe%gif0 prefixlen 64 scopeid 0x6
bridge0: flags=8043 mtu 1500
        ether ac:de:48:7e:e3:ed
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: fxp1 flags=2
        member: gif0 flags=2

B end -

fxp1: flags=8943 mtu 1500
        options=8
        inet6 fe80::203:47ff:feda:c9a1%fxp1 prefixlen 64 scopeid 0x2
        ether 00:03:47:da:c9:a1
        media: Ethernet autoselect (100baseTX )
        status: active
gif0: flags=8051 mtu 1280
        tunnel inet 172.16.3.245 --> 172.16.3.228
        inet6 fe80::203:47ff:feda:c9a0%gif0 prefixlen 64 scopeid 0x9
bridge0: flags=8043 mtu 1500
        ether ac:de:48:fd:bc:0d
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: fxp1 flags=2
        member: gif0 flags=2

With Normal Traffic
---

[EMAIL PROTECTED]:root # tcpdump -i fxp1 -e
tcpdump: WARNING: fxp1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp1, link-type EN10MB (Ethernet), capture size 96 bytes
11:49:03.750456 00:30:48:5b:6d:e9 (oui Unknown) > 00:0d:88:fc:cc:c5 (oui Unknown), ethertype IPv4 (0x0800), length 98: 192.168.1.2 > 192.168.1.1: ICMP echo request, id 60847, seq 0, length 64
11:49:03.750977 00:0d:88:fc:cc:c5 (oui Unknown) > 00:30:48:5b:6d:e9 (oui Unknown), ethertype IPv4 (0x0800), length 98: 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 60847, seq 0, length 64

[EMAIL PROTECTED]:root # tcpdump -i bridge0 -e
tcpdump: WARNING: bridge0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bridge0, link-type EN10MB (Ethernet), capture size 96 bytes
11:49:57.174059 00:30:48:5b:6d:e9 (oui Unknown) > 00:0d:88:fc:cc:c5 (oui Unknown), ethertype IPv4 (0x0800), length 98: 192.168.1.2 > 192.168.1.1: ICMP echo request, id 61103, seq 0, length 64
11:49:57.174629 00:0d:88:fc:cc:c5 (oui Unknown) > 00:30:48:5b:6d:e9 (oui Unknown), ethertype IPv4 (0x0800), length 98: 192.168.1.1 > 192.168.1.2: ICMP echo reply, id 61103, seq 0, length 64

[EMAIL PROTECTED]:root # tcpdump -i gif0 -e
tcpdump: WARNING: gif0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
11:50:17.749652 AF IPv4 (2), length 102: IP0 bad-hlen 0
11:50:17.750098 AF Unknown (18), length 104:
        0x0000:  0300 0030 485b 6de9 000d 88fc ccc5 0800  ...0H[m.
        0x0010:  4500 0054 e450 4001 1305 c0a8 0101  [EMAIL PROTECTED]
        0x0020:  c0a8 0102 2fec f2af 4523 91e9  ../.E#..
        0x0030:  000b 1b49 0809 0a0b 0c0d 0e0f 1011 1213  ...I
        0x0040:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .!"#
        0x0050:  2425 2627 2829 2a2b 2c2d 2e2f  $%&'()*+,-./

[EMAIL PROTECTED]:root # tcpdump -i fxp0 -n -e proto etherip
tcpdump: verbose output suppressed, use -v or -vv
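Andrew asks for dumps at each hop, and Dunc's point is that a tagged frame is "just an ethernet frame with an extra field filled in". As an added example (not code from the list posts) to read such dumps, here is a decoder for tcpdump hex output like the gif0 capture above: it rebuilds the bytes from the "0x0010: ..." lines, skips the summary lines, and peels the Ethernet header and every 802.1Q/802.1ad tag in order. Assumptions: the 2 bytes in front of the frame on a gif(4) tunnel are the RFC 3378 EtherIP header (version 3 in the top nibble); the sample dump is constructed by hand (the thread's ping frame with a VLAN 100 tag inserted), and hexdump_to_bytes/decode_frame are this example's own names.

```python
"""Decode EtherIP + Ethernet + 802.1Q headers from a tcpdump -x/-X hex dump.

Added example for reading captures like the gif0 dump in this thread; not
code from the list posts.  Assumption: the 2 bytes before the frame are the
RFC 3378 EtherIP header.  SAMPLE_DUMP is constructed, not a real capture.
"""
import re

VLAN_ETHERTYPES = {0x8100: "802.1Q", 0x88A8: "802.1ad"}
HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2,4}$")

# Constructed: the thread's ICMP echo frame, EtherIP-encapsulated, with a
# VLAN 100 tag (8100 0064) inserted by hand before the IPv4 ethertype.
SAMPLE_DUMP = """\
11:50:17.750098 AF Unknown (18), length 52:
0x0000:  3000 0030 485b 6de9 000d 88fc ccc5 8100  0.0H[m.........
0x0010:  0064 0800 4500 0054 e450 0000 4001 1305  .d..E..T.P..@...
0x0020:  c0a8 0101 c0a8 0102 0800 f2af 4523 91e9  ........../.E#..
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild packet bytes from 'OFFSET:  gggg gggg ... ASCII' lines."""
    out = bytearray()
    for line in dump.splitlines():
        offset, sep, rest = line.partition(":")
        if not sep or not offset.strip().lower().startswith("0x"):
            continue                       # timestamp/summary line, not hex
        for group in rest.split()[:8]:     # tcpdump prints at most 8 groups
            if not HEX_GROUP.match(group):
                break                      # reached the ASCII column
            out += bytes.fromhex(group)
    return bytes(out)


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_frame(pkt: bytes, etherip: bool = True) -> dict:
    """Return dst/src MACs, every VLAN tag in order, and the inner ethertype."""
    off = 0
    if etherip:                            # RFC 3378: version 3 in top nibble
        if pkt[0] >> 4 != 3:
            raise ValueError(f"unexpected EtherIP version {pkt[0] >> 4}")
        off = 2
    info = {"dst": mac(pkt[off:off + 6]), "src": mac(pkt[off + 6:off + 12]), "tags": []}
    off += 12
    etype = int.from_bytes(pkt[off:off + 2], "big")
    while etype in VLAN_ETHERTYPES:        # also handles stacked (QinQ) tags
        tci = int.from_bytes(pkt[off + 2:off + 4], "big")   # PCP(3) DEI(1) VID(12)
        info["tags"].append({"kind": VLAN_ETHERTYPES[etype], "pcp": tci >> 13, "vid": tci & 0x0FFF})
        off += 4
        etype = int.from_bytes(pkt[off:off + 2], "big")
    info["ethertype"] = etype
    info["payload_offset"] = off + 2       # where the IP header starts
    return info


if __name__ == "__main__":
    print(decode_frame(hexdump_to_bytes(SAMPLE_DUMP)))
```

Feeding it the untagged gif0 dump above (with etherip=True) should yield an empty tag list and ethertype 0x0800, so a tagged ping that arrives with no tag, or never arrives, can be pinned to a hop by decoding the capture from each interface in turn.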