  1. #1 Untanglit (Join Date: May 2008; Posts: 18)

    VPN setup issues, remote office

    I am having some trouble with VPN. Here is my setup.

    location1:
    DSL->UT1(external)->LAN(internal)
    DSL is a bridge, UT1 has a statically assigned public IP
    LAN is 172.16.1.1

    I have only openVPN setup like so:
    Address pool = remote1 172.168.230.0/255.255.255.0
    VPN Site = remotesite1, address pool = remote1, network address = 1.2.3.4, netmask = 255.255.255.0

    I distribute the client and then go to remote1 which is setup:
    DSL->UT2(external)->LAN(internal)
    DSL is a bridge, UT2 has a statically assigned public IP
    LAN is 172.16.230.1
    LAN has DHCP server giving 172.16.230.100-200,255.255.255.0, gw=172.16.230.1, gateway netmask is 255.255.255.0

    I run the openvpn client wizard, says it works, I can power up the VPN.

    From the UT2 box I can ping 172.16.1.1, from UT1 I can ping 172.16.230.1.

    When I connect a client machine to UT2's LAN, it gets IP 172.16.230.160 but is unable to ping any address. It cannot ping 172.16.230.1, 172.16.1.1, or anything from this client attached to UT2.

    Any ideas? Shouldn't the VPN site entry on UT1 have an address other than 1.2.3.4?

    When I shut off the VPN on UT2, I can then ping the local 172.16.230.1 address.

    Also, when UT2 connects to UT1, it gets an IP 172.16.230.5 from UT1. I cannot ping this address from anywhere.

  2. #2 sky-knight, Untangle Ninja (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,240)

    Add a pass rule for the VPN source interface in the packet filter and see if your problem goes away.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3 Untanglit (Join Date: May 2008; Posts: 18)

    Thanks for the help

    Thanks for the help, but I'm not 100% clear on your response, and I have another related question.

    For the remote VPN site, does the UT server there need to provide DHCP or can that come from the VPN server?

    This bypass rule: "Add a pass rule for the VPN source interface in the packet filter and see if your problem goes away."

    The VPN source interface? Which is this, internal or external? Or both?

    Do you see a problem with my main site at 172.16.1.0/24 and the VPN pools at 172.16.x.0/24?

    Is this type of setup considered reliable? having a central VPN server with 20 or more remote VPN sites and having each VPN site able to access resources on the other VPN sites?

  4. #4 Untanglit (Join Date: May 2008; Posts: 18)

    Tried the bypass

    I tried using bypass on all of the interfaces but it didn't work.

    I am wondering if it is a problem having the LAN side of the remote UT set with a static address of 172.16.230.1 and also having that within the range of the VPN IP address pool 172.16.230.0/24.

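The concern raised in posts #3 and #4 (the remote LAN and the VPN address pool both living in 172.16.230.0/24) can be checked mechanically before touching any firewall rules. This is an added example, not code from the thread or from Untangle; the prefixes and hosts are the values quoted above, embedded as constructed sample data, and the pool is first taken exactly as posted (172.168.230.0/24) and then as the 172.16.230.0/24 the poster evidently meant.

```python
from ipaddress import ip_address, ip_network

# Constructed from the figures in this thread (assumed sample values, not a live
# config): the two site LANs, the OpenVPN address pool exactly as posted
# (172.168.230.0/24, which is outside RFC 1918), and the hosts that showed up
# on the remote side once the tunnel came up.
NETWORKS = {
    "site1_lan": "172.16.1.0/24",
    "site2_lan": "172.16.230.0/24",
    "vpn_pool": "172.168.230.0/24",
}
SITE2_HOSTS = {
    "ut2_lan_gateway": "172.16.230.1",
    "dhcp_client": "172.16.230.160",
    "ut2_tunnel_addr": "172.16.230.5",
}

def overlapping_pairs(networks):
    """Return sorted (name_a, name_b) pairs whose prefixes overlap."""
    nets = {n: ip_network(c, strict=False) for n, c in networks.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]

def non_private(networks):
    """Names of networks that fall outside the RFC 1918 private ranges."""
    return sorted(n for n, c in networks.items()
                  if not ip_network(c, strict=False).is_private)

def hosts_inside(pool, hosts):
    """Names of hosts whose address lies inside the given VPN pool."""
    net = ip_network(pool, strict=False)
    return sorted(n for n, a in hosts.items() if ip_address(a) in net)

def diagnose(networks=NETWORKS, hosts=SITE2_HOSTS):
    """Run all three checks and return the findings as a dict."""
    return {
        "overlaps": overlapping_pairs(networks),
        "non_private": non_private(networks),
        "site2_hosts_in_pool": hosts_inside(networks["vpn_pool"], hosts),
    }

if __name__ == "__main__":
    print(diagnose())
    # Same checks with the pool corrected to the prefix the poster meant.
    print(diagnose(dict(NETWORKS, vpn_pool="172.16.230.0/24")))
```

With the corrected pool, every remote-side address (the UT2 gateway, the DHCP client and the tunnel address UT1 handed out) sits inside the pool, which is exactly the routing ambiguity post #4 suspects.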
  5. #5 sky-knight, Untangle Ninja (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,240)

    The VPN interface is considered external and blocked by the firewall module. Now, even if you don't have the module installed, UT runs on top of IPTables, and IPTables will drop all packets on the VPN interface by default.

    All that said, the OpenVPN module does manually configure pass rules to allow traffic, but for some reason they don't always stick or work.

    The work around is to open a browser and go into the UT web console.

    http://<iuip>/alpaca

    In the top right corner there is an advanced button. You will need to use this to enable advanced mode. Once that is done you can use the button again to access the packet filter.

    The following link is a screenshot of the rule I use to force the firewall to pass everything.

    http://forums.untangle.com/attachmen...2&d=1208828846
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6 Untanglit (Join Date: May 2008; Posts: 18)

    Thanks

    I will do this on the remote UT2 box. Should I do this on all of the UT boxes? Even the VPN server?

  7. #7 sky-knight, Untangle Ninja (Join Date: Apr 2008; Location: Phoenix, AZ; Posts: 26,240)

    The only side I had to do it on was the remote, but when I turned on client-server VPN I had to do it to the server.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
