When connected over OpenVPN I do not see shared folders and computers on the network, although the ping from client to server is stable and the workgroup is the same. I enclose my configuration. I reviewed the entire forum and the Internet but did not find the answer.
# Tip - if you are using this as a template for configuring other VPNs:
# - the ifconfig-pool-persist file must be unique
# - the port/protocol combination must be unique
# - different server IPs are recommended
# - don't forget about the firewall
port 1194
proto udp
dev tun
ca /etc/pki/CA/ca-cert.pem
cert /etc/pki/CA/sys-0-cert.pem
key /etc/pki/CA/private/sys-0-key.pem
dh /etc/openvpn/ssl/dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nobody
multihome
persist-key
persist-tun
ifconfig-pool-persist /var/lib/openvpn/ipp.txt 120
status /var/lib/openvpn/openvpn-status.log
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verb 3
push "dhcp-option DNS 192.168.5.1"
push "dhcp-option WINS 192.168.5.1"
push "dhcp-option DOMAIN server.njh.lan"
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
push "route 192.168.5.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
client-to-client
client-config-dir /etc/openvpn/ccd
# contents of the client file in /etc/openvpn/ccd:
iroute 192.168.0.0 255.255.255.0
iroute 192.168.5.0 255.255.255.0
Responses (12)
-
Your last post means nothing without the headers.
Every time you add a custom rule the firewall reloads. If you think nothing is happening, please give the contents of /etc/clearos/firewall.d/custom, and please put it and any firewall output between code tags - the piece of paper icon with a <> on it.
-
[root@system ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
$IPTABLES -D POSTROUTING -t nat -o tun+ -j ACCEPT - deleted
-
[root@system ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 5 packets, 582 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:1211 to:192.168.5.16:1211
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:106 to:192.168.5.19:106
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:121 to:192.168.5.13:121
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:124 to:192.168.5.6:124
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:127 to:192.168.5.15:127
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:160 to:192.168.5.20:160
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:185 to:192.168.5.21:185
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:2025 to:192.168.5.23:2025
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:2026 to:192.168.5.23:2026
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:29021 to:192.168.5.23:29021
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:1853 to:192.168.5.21:1853
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:18530 to:192.168.5.29:1853
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:122 to:192.168.5.18:122
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:316 to:192.168.5.22:316
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:178 to:192.168.5.10:178
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:5000 to:192.168.5.23:5000
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:810 to:192.168.5.41:81
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:220 to:192.168.5.41:12092
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.5.1 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.254 tcp dpt:80
0 0 ACCEPT tcp -- * * 192.168.1.254 0.0.0.0/0 tcp dpt:80
1 52 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 10.8.0.0/24 0.0.0.0/0
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.16 tcp dpt:1211 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.19 tcp dpt:106 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.13 tcp dpt:121 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.6 tcp dpt:124 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.15 tcp dpt:127 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.20 tcp dpt:160 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.21 tcp dpt:185 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.23 tcp dpt:2025 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.23 tcp dpt:2026 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.23 tcp dpt:29021 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.21 tcp dpt:1853 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.29 tcp dpt:1853 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.18 tcp dpt:122 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.22 tcp dpt:316 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.10 tcp dpt:178 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.23 tcp dpt:5000 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.41 tcp dpt:81 to:192.168.5.1
0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.41 tcp dpt:12092 to:192.168.5.1
3 178 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
[root@system ~]#
-
It is correct the first time you run it. Restart your firewall, then do an "iptables -nvL -t nat" and have a look at the POSTROUTING chain. There should be a rule with a tun+ interface. Run the command and it deletes that line. Run it again and it fails:
[root@server ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 9 packets, 1141 bytes)
pkts bytes target prot opt in out source destination
13 1501 DNSthingy all -- * * 0.0.0.0/0 0.0.0.0/0
7 948 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
6 816 MINIUPNPD all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0
Chain INPUT (policy ACCEPT 6 packets, 816 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 62.252.0.0/14 udp dpt:67 to:255.255.255.255
1 369 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
5 398 MASQUERADE all -- * enp2s0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * !docker0 172.18.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * !br-a2579ec9ae9c 172.19.0.0/16 0.0.0.0/0
Chain DNSthingy (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- enp5s0 * 0.0.0.0/0 !172.17.2.1 udp dpt:53 to:172.17.2.1:53
0 0 DNAT tcp -- enp5s0 * 0.0.0.0/0 !172.17.2.1 tcp dpt:53 to:172.17.2.1:53
0 0 DNAT tcp -- * * 0.0.0.0/0 172.27.27.27 tcp dpt:80 to:172.27.27.27:6373
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- br-a2579ec9ae9c * 0.0.0.0/0 0.0.0.0/0
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9305 to:172.17.2.112:9305
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9307 to:172.17.2.112:9307
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9308 to:172.17.2.112:9308
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:59909 to:172.17.2.112:59909
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:19132 to:172.17.2.116:19132
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9304 to:172.17.2.112:9304
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:34182 to:172.17.2.118:34182
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:34181 to:172.17.2.118:34181
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:34180 to:172.17.2.118:34180
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:59820 to:172.17.2.101:59820
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:49396 to:172.17.2.140:49396
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:50677 to:172.17.2.181:50677
[root@server ~]# iptables -D POSTROUTING -t nat -o tun+ -j ACCEPT
[root@server ~]# iptables -D POSTROUTING -t nat -o tun+ -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
-
I've no idea what your ccd stuff is. I've come across it before but never bothered with it.
There are some other issues. You are getting round the DNS issue as you have a LAN name which does not resolve externally, so your DNS should always resolve.
There is a firewalling issue as well. From your config, all your packets will appear on your LAN as coming from 10.8.0.0/24. For any Windows device this will not be seen as coming from its own LAN and the Windows firewall could be blocking you. You can get round this by allowing traffic from 10.8.0.0/24 into your Windows machines. Alternatively you can probably delete a firewall rule in ClearOS by adding the following Custom Firewall rule:
$IPTABLES -D POSTROUTING -t nat -o tun+ -j ACCEPT
This should allow all the packets to appear on your LAN as if they are coming from your ClearOS LAN IP, so they should be accepted by the Windows firewall.
Please can you try this rule. If it does not have the desired results, instead can you use the following rule:
$IPTABLES -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
Please can you post back with your results.
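As an added example (not from the thread or from ClearOS), the POSIX shell below plans the two NAT changes Nick describes so that a custom rule re-run on every firewall reload never hits the "Bad rule" error seen above: it deletes the tun+ ACCEPT only when it is present and inserts the 10.8.0.0/24 MASQUERADE only when it is absent. The ruleset text is a constructed sample in iptables-save format standing in for `iptables-save -t nat`; the eth0 interface name is assumed.

```shell
#!/bin/sh
# Added example: idempotent planning of the NAT changes discussed in the
# thread. Works on saved-ruleset text, so it can be exercised without root.

# Constructed sample: nat table as loaded by the firewall (tun+ ACCEPT
# present, no MASQUERADE for the VPN pool yet). Interface eth0 is assumed.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o tun+ -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# The two rules from the thread, in iptables-save syntax.
TUN_ACCEPT='-A POSTROUTING -o tun+ -j ACCEPT'
VPN_MASQ='-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE'

# has_rule RULESET RULE: succeed if RULE appears verbatim as a line of RULESET.
has_rule() {
    printf '%s\n' "$1" | grep -Fqx -e "$2"
}

# plan_vpn_nat RULESET: print only the iptables commands still needed.
# A second unconditional "-D" is what produced "Bad rule" in the thread;
# checking first keeps the custom rule safe to re-run on every reload.
plan_vpn_nat() {
    if has_rule "$1" "$TUN_ACCEPT"; then
        echo 'iptables -t nat -D POSTROUTING -o tun+ -j ACCEPT'
    fi
    if ! has_rule "$1" "$VPN_MASQ"; then
        echo 'iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE'
    fi
}

# Show the plan for the constructed sample. On a real host (as root):
#   plan_vpn_nat "$(iptables-save -t nat)" | sh
plan_vpn_nat "$SAMPLE_NAT"
```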