Road warrior on port 1194 and 1195



  • Hi all!

    I have 3 sites connected with 2 VPN tunnels each (A->B, A->C)
    Tunnel 1 is office net and tunnel 2 is education net.

    So I wonder if you can have Road warriors on both port 1194 and port 1195?
    I need to access both LAN and Education from @.

    Regards
    Beach



  • I don't really understand what you are trying to achieve.
    Could you elaborate?

    Do you want to connect roadwarriors to the tunnels you already have?

    As a rule of thumb:
    site-to-site: shared key
    roadwarriors: PKI
    don't mix roadwarriors and site-to-site.



  • Ok, sorry for my bad explanation...
    I already have a road warrior on port 1194 to my LAN (Office) with PKI, works perfectly!!
    Now I need a road warrior to OPT1 on port 1195 to my OPT (Education).
    The tunnels between the sites are site-to-site, use other ports and use a shared key.
    I don't want OPT (Education) to be able to connect to anything on the LAN (Office).
    I've configured OpenVPN for LAN and OPT with different certificates and, as you can see, used different ports.
    I've set up rules for both ports (test) equal to each other.
    WAN
    Proto  Source  Port  Destination  Port  Gateway
    TCP    *       *     *            1194  *
    TCP    *       *     *            1195  *
    But I'm unable to connect to Education...
    Hope that this is better  ;)

    Regards
    Beach



  • Now I need road warrior to OPT1 with port 1195 to my OPT (Education).

    You come up with more parts of the network that were not described before.
    Could you draw a diagram of what is where? I still don't really understand what your ultimate goal is.

    My main problem is that I don't understand where your clients are and what they need to have access to.
    The road warriors are on OPT1? and they need access to OPT1???



  • Sorry again…. ::)
    Road warriors who connect to LAN (1194) (Office) should just reach LAN-subnet.
    Road warriors who connect to OPT (1195) (Education) should just reach Education-subnet.

    Regards
    Beach




  • Ah now i get it :) (kind of ;))

    I assume you've set the "local subnet" field.
    This field is a "push route" in the config.

    You can add as many "push routes" as you want via the custom options.

    So for the roadwarriors that connect to the server on 1194 just push a route for the "office subnet"
    and for the roadwarriors that connect to the server on 1195 push a route for "the education subnet".

    Unfortunately you cannot prevent users from accessing something else if they add routes manually to their routing table.
    --> You cannot define firewall rules for OpenVPN.
    This will change in a future version.

    But keep in mind.
    If the roadwarriors should access something on the other side of the office or the education tunnel, you will have to push another route.

    Did you already try to set this up?
    Did you have any problems?

    Another possibility I see:

    You can set client specific configurations.
    So if client X connects he will get routes to education.
    if client Y connects he will get routes to office.
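What the two approaches above look like on disk, as an added example (it is not from this thread and not the config pfSense generates): two independent road-warrior servers, one on 1194 for the office and one on 1195 for education, each with its own CA and each pushing only its own subnet, plus a client-config-dir entry that gives a single client an extra route with a fixed tunnel address. Since a pushed route only steers the client's routing table, the pf rules at the end are the server-side enforcement for a version that can filter on the tunnel interfaces. All subnets (10.8.1.0/24 and 10.8.2.0/24 for the tunnels, 192.168.1.0/24 office, 10.20.0.0/24 education), the paths under /etc/openvpn, the interface names ovpns1/ovpns2, the client CN "alice" and the use of UDP are assumptions; the thread's WAN rules used TCP, so the proto line must match what the firewall actually allows. topology subnet and ifconfig-push in that form assume OpenVPN 2.1 or later.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: two independent OpenVPN
# road-warrior servers (1194 = office, 1195 = education), each with its own CA,
# each pushing only its own subnet, plus a pf rule set that enforces the split
# on the server side. Every subnet, path, interface and client name below is
# an assumption chosen for illustration.
set -eu

OUT="${OUT:-$(mktemp -d)}"

# gen_server NAME PORT TUN_NET TUN_MASK LAN_NET LAN_MASK
# Writes $OUT/NAME.conf and prints its path.
gen_server() {
    name=$1; port=$2; tun_net=$3; tun_mask=$4; lan_net=$5; lan_mask=$6
    mkdir -p "$OUT/ccd-$name"
    cat > "$OUT/$name.conf" <<EOF
# OpenVPN server "$name" (assumed layout; the thread's WAN rules used TCP,
# so the proto line must match whatever the firewall actually allows)
port $port
proto udp
dev tun
topology subnet
server $tun_net $tun_mask
# Separate PKI per server: a certificate issued by the other CA is rejected.
ca   /etc/openvpn/$name/ca.crt
cert /etc/openvpn/$name/server.crt
key  /etc/openvpn/$name/server.key
dh   /etc/openvpn/$name/dh.pem
tls-auth /etc/openvpn/$name/ta.key 0
remote-cert-tls client
# Only this server's own subnet is pushed; nothing about the other one.
push "route $lan_net $lan_mask"
# Per-client overrides (extra push "route ..." lines), keyed by certificate CN.
client-config-dir /etc/openvpn/$name/ccd
keepalive 10 60
persist-key
persist-tun
verb 3
EOF
    echo "$OUT/$name.conf"
}

# ccd_entry NAME CN TUN_IP NET MASK: give one client (by certificate CN) a
# fixed tunnel address and one extra route, the "client specific configuration"
# mentioned above. Tunnel networks are /24 in this example.
ccd_entry() {
    name=$1; cn=$2; tun_ip=$3; net=$4; mask=$5
    {
        printf 'ifconfig-push %s 255.255.255.0\n' "$tun_ip"
        printf 'push "route %s %s"\n' "$net" "$mask"
    } > "$OUT/ccd-$name/$cn"
    echo "$OUT/ccd-$name/$cn"
}

# pushed_routes FILE: list the routes a server or ccd file pushes (audit helper).
pushed_routes() {
    sed -n 's/^push "route \(.*\)"$/\1/p' "$1"
}

# pf_rules: server-side enforcement. A pushed route only steers the client's
# routing table; a client that adds a route by hand is stopped by these rules
# on the tunnel interfaces (ovpns1/ovpns2 are assumed pfSense interface names).
# alice's fixed tunnel address is the only office client allowed into education.
pf_rules() {
    cat <<'EOF'
pass  in quick on ovpns1 from 10.8.1.50   to 10.20.0.0/24
pass  in quick on ovpns1 from 10.8.1.0/24 to 192.168.1.0/24
block in quick on ovpns1 from 10.8.1.0/24 to any
pass  in quick on ovpns2 from 10.8.2.0/24 to 10.20.0.0/24
block in quick on ovpns2 from 10.8.2.0/24 to any
EOF
}

OFFICE=$(gen_server office    1194 10.8.1.0 255.255.255.0 192.168.1.0 255.255.255.0)
EDU=$(gen_server    education 1195 10.8.2.0 255.255.255.0 10.20.0.0   255.255.255.0)
# One office client (assumed CN "alice") that may also reach education.
ccd_entry office alice 10.8.1.50 10.20.0.0 255.255.255.0 >/dev/null

echo "office pushes:    $(pushed_routes "$OFFICE")"
echo "education pushes: $(pushed_routes "$EDU")"
pf_rules
```

The point to check after generating: each server file pushes exactly one route, the two files reference different CA paths, and every route a client could add by hand beyond those is covered by a block rule on its tunnel interface.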



  • Well, once again sorry for my bad explanation, and thanks for your time!!
    Here is my config for OpenVPN, and it's just one, as you can see, but I have 2 configs in it!

    I'm not so good because I'm new to VPN... but it was very easy to config 1194 for LAN and as I said everything works perfectly.
    I tried to connect to Education but it won't work, not sure why.

    Ok, so I can't prevent them, well I have to wait then ;)
    I don't think there is anyone here who knows anything about routes, so that won't be a problem.
    And I don't know where to push the route, but I'm gonna try to figure it out!!

    You mean Client-Specific configuration?
    I've got approx. 80 clients.......

    Thanks for all help!!

    Regards
    Beach






  • I've changed LAN from port 1194 to 1195 and Education from 1195 to 1194.
    Then I'm able to connect to Education, but LAN will not.
    Could it be some FW rules or that port 1195 isn't right for this purpose?



  • What kind of VPN connection are these Links to Office and Education?
    OpenVPN too?



  • Hi again!!

    Yes, they are to Office and Education.
    Heres an update : IT WORKS NOW!!!
    I've read some topics that say that you have to reboot your server.
    I tried it and now it works.
    I'm frustrated that I didn't see that before.

    So many thanks for your help GruensFroeschli, I feel stupid…..... :'(

    And congratulations on your win yesterday over Sweden in ice hockey!!!
    So I hope we win tonight and further on!!!

    Regards
    Beach



  • Hehe.
    Sometimes the easiest thing is the solution. Don't feel stupid!

    (we won??? To be honest... I'm not the least bit interested in ice hockey :D )



  • Ok I won't...

    Thanks for all your help.

    hockey ;D

