Sending all traffic through the VPN?

Got a problem with Viscosity or need help? Ask here!

mutz

Posts: 9
Joined: Thu Mar 05, 2009 8:40 pm

Post by mutz » Fri Mar 27, 2009 2:18 am
hmmm

Is it possible to mail or post the following settings?
- OpenVPN config in dd-wrt
- Startup script (under administration -> Commands -> Startup)
- firewall rules (under administration -> Commands -> firewall)
- viscosity's settings (config.conf at ~/Library/Application Support/Viscosity)

you can redact your wan IP with server.com or something ;)
[email protected]

grtz

super_kev

Posts: 18
Joined: Fri Nov 14, 2008 3:05 am

Post by super_kev » Sat Mar 28, 2009 12:23 am
Well, that's the thing. I copied and pasted your configs, so they are identical. Except for this part which I've played around with:
push "route 192.168.80.0 255.255.255.0" 
server 192.168.90.0 255.255.255.0
So you would think it should work.

Can you change the above push/server config so I can see how you'd go about connecting a static IP of 192.168.0.29 (behind a router IP of 192.168.0.1) to the DD-WRT OpenVPN server (domain.com, LAN of 192.168.1.1)? Wouldn't it be:
push "route 192.168.0.29 255.255.255.0" 
server 192.168.1.1 255.255.255.0
Firewall rules:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.1.1/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

mutz

Posts: 9
Joined: Thu Mar 05, 2009 8:40 pm

Post by mutz » Sat Mar 28, 2009 2:37 am
Hello

First of all,
I think I need to clarify the IP address 192.168.80.0 ... this is not a machine but the whole range from 192.168.80.1 -> 192.168.80.254

push "route 192.168.80.0 255.255.255.0"
My internal network is 192.168.80.x; my router is on 192.168.80.1
So basically every machine that has a 192.168.80.x IP address on my LAN is accessible via the VPN tunnel.

Your LAN is 192.168.0.x, so push has to be
push "route 192.168.0.0 255.255.255.0" (if possible, change your LAN to something else like 192.168.70.x in the DD-WRT network setup)

server 192.168.1.1 255.255.255.0
This is the LAN range OpenVPN will make; I would change it to
server 192.168.80.0 255.255.255.0 because a lot of networks have a 192.168.1.x address range

iptables -I FORWARD 1 --source 192.168.1.1/24 -j ACCEPT
This has to be the same IP address range as your VPN server, so in your case
iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT

Every IP has to end with 0; it's the whole range from 1 to 254 that's used.

So to sum up:
If you can change your local LAN to something like 192.168.80.x, do it :)
If not, use this conf:
push "route 192.168.0.0 255.255.255.0"
server 192.168.90.0 255.255.255.0

If you can change your LAN, then the conf is:
push "route 192.168.80.0 255.255.255.0"
server 192.168.90.0 255.255.255.0

firewall:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.90.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

viscosity settings:

make a new connection in viscosity
address: your WAN IP (I use a DynDNS address, it's easier to remember)
protocol: UDP (try TCP if something doesn't work, you never know)
Device: Tun
DNS: enable DNS support
authentication:
SSL/TLS client
select the right CA, CERT and key files
TLS-auth: leave this one blank
direction: default

persist tun checked
persist key checked
no bind checked
pull options checked

Hope this clarifies a bit... :)

and good luck

scubes13

Posts: 4
Joined: Tue Mar 03, 2009 2:03 pm

Post by scubes13 » Fri Jun 19, 2009 3:42 am
James,

Is there any chance you could provide a how to for configuring the pfSense settings to allow my viscosity client machine to push all traffic via the VPN connection?

Thanks!

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Jul 21, 2009 9:55 pm
Hi scubes13,

The pfSense developers have actually added Viscosity support to the latest build (meaning you can simply download a client file for Viscosity; all you have to do is double-click it and Viscosity will automatically create a new connection to your pfSense box). However, I'm not sure when the next full release that includes this will be.

I can't really go into too much detail, however the gist of setting up a pfSense OpenVPN server is:

1. Create a new OpenVPN Server using the WebGUI
2. Enter an address pool (e.g. 10.0.2.0/24). I'd recommend making this different from your LAN IP range
3. Enter the IP range for your local network (e.g. 10.0.1.0/24)
4. I also usually tick the Client-to-client VPN option
5. The Authentication method should be PKI in most cases. You'll need to generate a CA certificate, Server certificate, Server key, and DH parameters locally on your Mac (as well as a certificate and key for Viscosity), and then open these files and copy-paste them into the corresponding fields. To generate these files you'll need to download OpenVPN from the OpenVPN website (you shouldn't need to compile anything), and then follow the "Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients" section in their How To section.
6. Enter a DNS search domain, and a DNS server (typically the internal IP address of your pfSense box)
7. Save the new server
8. Now you'll need to set up NAT to allow traffic from VPN clients to access the internet. To do this go to Firewall->NAT in the WebGUI
9. Under the Outbound tab set to "Manual Outbound NAT rule generation"
10. Add a new rule for your VPN. For example, if you use the IP ranges above: Interface = WAN. Source Type = Network. Source Address = 10.0.2.0/24. Save the rule
11. Create a new connection in Viscosity. The remote server should be the WAN IP of your pfSense box. Select the client certificates/key you created in the OpenVPN How To guide. Under networking tick "Send all traffic over VPN connection". The defaults for everything else should be fine (although I haven't tested this).
12. Try connecting.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
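The address rules mutz walks through above (a "server" or push "route" value has to be the network address, not a host, and the VPN pool must not collide with either LAN) and the outbound NAT James describes for letting all-traffic clients reach the internet, as one check script. This is an added example, not code from the thread or from Viscosity, pfSense or DD-WRT. It assumes a dd-wrt style router with iptables, the interface names br0 (LAN bridge), tun0 (OpenVPN) and vlan2 (WAN), and UDP 1194 as in the rules posted earlier; the network/overlap arithmetic goes beyond the thread's /24 cases and works for any dotted mask.

```shell
#!/bin/sh
# Added example, not from the thread: checks the addresses in an OpenVPN
# "server" / push "route" plan the way mutz does by hand (network address,
# not a host address; no overlap between pool, server LAN and client LAN)
# and prints the matching dd-wrt firewall rules. Interface names (br0 = LAN
# bridge, tun0 = OpenVPN, vlan2 = WAN) are assumptions for a typical dd-wrt
# router; adjust them to what "ip addr" shows on yours.

# Dotted quad <-> integer (IPv4 only).
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
  printf '%d.%d.%d.%d' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                       $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# Prefix length for a dotted mask: 255.255.255.0 -> 24.
mask_to_prefix() {
  m=$(ip_to_int "$1"); n=0
  while [ "$(( m & 2147483648 ))" -ne 0 ]; do
    n=$(( n + 1 )); m=$(( (m << 1) & 4294967295 ))
  done
  echo "$n"
}

# Network address of ip/mask: the form "server", push "route" and
# iptables --source all expect (host bits cleared, so .0 for a /24).
network_of() {
  int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# True when ip/mask already names a network rather than a single host.
is_network_address() {
  [ "$(network_of "$1" "$2")" = "$1" ]
}

# True when net1/mask1 and net2/mask2 share any address.
overlaps() {
  a=$(ip_to_int "$(network_of "$1" "$2")"); ma=$(ip_to_int "$2")
  b=$(ip_to_int "$(network_of "$3" "$4")"); mb=$(ip_to_int "$4")
  [ "$(( a & mb ))" -eq "$b" ] || [ "$(( b & ma ))" -eq "$a" ]
}

# Normalise the plan, warn about the mistakes seen in the thread on stderr,
# and print the server directives. Args: vpn_ip vpn_mask lan_ip lan_mask
# [client_lan_ip client_lan_mask]
server_directives() {
  vpn=$(network_of "$1" "$2"); lan=$(network_of "$3" "$4")
  is_network_address "$1" "$2" || echo "# note: $1 is a host address; using network $vpn" >&2
  is_network_address "$3" "$4" || echo "# note: $3 is a host address; using network $lan" >&2
  overlaps "$vpn" "$2" "$lan" "$4" && echo "# warning: VPN pool $vpn overlaps LAN $lan; pick another pool" >&2
  if [ -n "$5" ] && overlaps "$lan" "$4" "$5" "$6"; then
    echo "# warning: pushed route $lan collides with the client's own LAN $5; change one of them" >&2
  fi
  printf 'server %s %s\n' "$vpn" "$2"
  printf 'push "route %s %s"\n' "$lan" "$4"
  # Server-side counterpart of Viscosity's "Send all traffic over VPN connection".
  printf 'push "redirect-gateway def1"\n'
}

# dd-wrt firewall rules for the pool: allow the listener, forward between LAN
# bridge and tunnel, and NAT pool traffic out the WAN so all-traffic clients
# reach the internet (the iptables form of James's outbound NAT rule).
# Args: vpn_ip vpn_mask lan_if wan_if
firewall_rules() {
  pool="$(network_of "$1" "$2")/$(mask_to_prefix "$2")"
  cat <<EOF
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source $pool -j ACCEPT
iptables -I FORWARD -i $3 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o $3 -j ACCEPT
iptables -t nat -I POSTROUTING -o $4 -s $pool -j MASQUERADE
EOF
}

# Demo with the thread's values: the first attempt used host addresses and a
# client sitting on the same 192.168.0.x range as the pushed route; mutz's
# suggestion (192.168.90.0 pool, 192.168.80.0 LAN) passes without warnings.
echo "--- first attempt"
server_directives 192.168.1.1 255.255.255.0 192.168.0.29 255.255.255.0 192.168.0.0 255.255.255.0
echo "--- corrected"
server_directives 192.168.90.0 255.255.255.0 192.168.80.0 255.255.255.0 192.168.0.0 255.255.255.0
firewall_rules 192.168.90.0 255.255.255.0 br0 vlan2
```

Run it with sh on the Mac or on the router; the printed iptables lines are what goes into the dd-wrt Firewall box once the warnings are gone, and the MASQUERADE line is only needed when clients are sent over the tunnel with all their traffic.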