Open VPN I must be doing something wrong. - Page 2

sky-knight · 03-30-2009, 10:11 AM

config -> administration -> public address

Select use manually specified IP, and fill in the WAN IP address.

Alternately on the same screen is the use hostname option. The hostname is configured on config -> networking -> hostname. The TOP field. That name needs to be publicly resolvable, and then the hostname will go into the scripts instead.

6 of one, half dozen of the other. Personally I prefer hostnames, easier to remember.

andrew50 · 03-30-2009, 10:19 AM

check under administration, public address and see what you have there..

windozeuser · 03-30-2009, 10:21 AM

Ok that was wrong. I changed it to the DNS name for the WAN. I'm going to guess my next step is to reexport and try again.

windozeuser · 03-30-2009, 01:42 PM

Ok progress. The client is now connected and can ping the gateway on my network 10.250.4.1, and the Untangle server at 10.250.4.12, but nothing behind the Untangle gateway.

Any pointers where to look why this will not go through?

andrew50 · 03-30-2009, 01:47 PM

do you have the firewall set to block all ?

probably need to make a rule for VPN to be allowed to Internal

windozeuser · 03-30-2009, 01:54 PM

Firewall passes 25,21,80,443 to 10.250.4.6. That's been working since I started.There is no block all, and the logs do not show a firewall connection being dropped.

Tracert from the client goes to 172.16.0.1 and then dies out.

I put a rule in that 172.16.0.9 allowed inbound. Not showing up in the logs either.

I do really appreciate your time here.

windozeuser · 03-30-2009, 01:57 PM

I just noticed, that I can FTP to 10.250.4.6 from the client, so it has to be something from the firewall. Source address is 172.16.0.9.

I'm assuming I should allow 172.16.0.9 to pass through the firewall completely.

andrew50 · 03-30-2009, 02:01 PM

Quote:

Originally Posted by sky-knight

The VPN interface is "less trusted" and if you have the firewall module installed. You're supposed to have to define rules on what traffic you want passed.

passing traffic from external to internal is different than VPN to internal

andrew50 · 03-30-2009, 02:03 PM

for funsies try making a firewall rule that allows all VPN to all internal and tighten from there as needed if it works

andrew50 · 03-30-2009, 02:04 PM

Code:

Enable Rule: Check Yes
Description:Allow VPN FULL ACCESS
Action: PASS
Log: up to you
RuleTraffic Type:ANY
Source Interface:VPN
Destination Interface:INTERNAL
Source Address:ANY
Destination Address:ANY
Source Port:ANY
Destination Port:ANY

03-30-2009, 10:11 AM	#11 (permalink)
sky-knight Join Date: Apr 2008 Location: Phoenix, AZ URLs submitted: 8 Posts: 14,698	config -> administration -> public address Select use manually specified IP, and fill in the WAN IP address. Alternately on the same screen is the use hostname option. The hostname is configured on config -> networking -> hostname. The TOP field. That name needs to be publicly resolvable, and then the hostname will go into the scripts instead. 6 of one, half dozen of the other. Personally I prefer hostnames, easier to remember. __________________ Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879

03-30-2009, 10:21 AM	#13 (permalink)
windozeuser Untanglit Join Date: Mar 2009 Posts: 21	Ok that was wrong. I changed it to the DNS name for the WAN. I'm going to guess my next step is to reexport and try again. __________________ An unspecified error has occurred in module <UNKNOWN>. Please contact your system administrator and tell him you are being used a beta tester.

03-30-2009, 01:42 PM	#14 (permalink)
windozeuser Untanglit Join Date: Mar 2009 Posts: 21	Ok progress. The client is now connected and can ping the gateway on my network 10.250.4.1, and the Untangle server at 10.250.4.12, but nothing behind the Untangle gateway. Any pointers where to look why this will not go through? __________________ An unspecified error has occurred in module <UNKNOWN>. Please contact your system administrator and tell him you are being used a beta tester.

03-30-2009, 01:54 PM	#16 (permalink)
windozeuser Untanglit Join Date: Mar 2009 Posts: 21	Firewall passes 25,21,80,443 to 10.250.4.6. That's been working since I started.There is no block all, and the logs do not show a firewall connection being dropped. Tracert from the client goes to 172.16.0.1 and then dies out. I put a rule in that 172.16.0.9 allowed inbound. Not showing up in the logs either. I do really appreciate your time here. __________________ An unspecified error has occurred in module <UNKNOWN>. Please contact your system administrator and tell him you are being used a beta tester.

03-30-2009, 01:57 PM	#17 (permalink)
windozeuser Untanglit Join Date: Mar 2009 Posts: 21	I just noticed, that I can FTP to 10.250.4.6 from the client, so it has to be something from the firewall. Source address is 172.16.0.9. I'm assuming I should allow 172.16.0.9 to pass through the firewall completely. __________________ An unspecified error has occurred in module <UNKNOWN>. Please contact your system administrator and tell him you are being used a beta tester.

03-30-2009, 10:19 AM	#12 (permalink)
andrew50 Master Untangler Join Date: Mar 2008 URLs submitted: 6 Posts: 143	check under administration, public address and see what you have there..

03-30-2009, 01:47 PM	#15 (permalink)
andrew50 Master Untangler Join Date: Mar 2008 URLs submitted: 6 Posts: 143	do you have the firewall set to block all ? probably need to make a rule for VPN to be allowed to Internal

03-30-2009, 02:03 PM	#19 (permalink)
andrew50 Master Untangler Join Date: Mar 2008 URLs submitted: 6 Posts: 143	for funsies try making a firewall rule that allows all VPN to all internal and tighten from there as needed if it works