[Gslug-general] OpenVPN Notes
Nick Webb
webbn at acm.org
Sat Jul 12 17:04:58 PDT 2008
Hi All,
A few people asked for extra information after the talk on OpenVPN.
The most popular question was about the iptables rule to rewrite the
source address of outgoing packets from the OpenVPN server. Here is
an example of such a rule (a script to add to /etc/init.d/iptables is
attached):
/sbin/iptables -t nat -A POSTROUTING -p all -o LAN -j SNAT --to-source <YOUR LOCAL IP>
To install the attached script, copy to /etc/init.d/iptables, update
it for your IP and create links to the runlevels (or use update-rc.d,
etc.).
If your OpenVPN instance is not running on your default gateway, you
will need this rule to access other machines on the remote LAN.
Otherwise, when machines other than the OpenVPN server get packets from
the tunnel, they won't know which machine to respond to (they have no
idea what the VPN subnet is or how to route traffic for it).
Another question was how to force all traffic through the VPN tunnel
(even traffic not destined for the remote LAN). To do this, put this
in your server config file:
push "redirect-gateway"
Another option would be to use a tap device instead of tun, but that
forces all Ethernet traffic over the VPN link, which is not great for
performance: a lot of useless traffic will traverse the tunnel.
Also if you want a really easy way to play around with OpenVPN, this
is a good place to start:
http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html
Once you have that basic config up and running, you can start to
customize it for your needs.
Hope that was helpful,
Nick
-------------- next part --------------
#!/bin/bash
# Simple iptables script -- NJW 9/24/2007
# Replace LAN with the interface facing your LAN and 192.168.1.xx with
# this server's address on that LAN before installing.
if [[ $1 == start ]] ; then
    # list rules here
    echo "Starting IPTables firewall rules..."
    # Rewrite the source of packets leaving via the LAN to this host's address
    /sbin/iptables -t nat -A POSTROUTING -p all -o LAN -j SNAT --to-source 192.168.1.xx
else
    echo "Flushing IPTables firewall rules..."
    /sbin/iptables -t nat -F
fi