content:en_us:7_ug_openvpn
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | Next revision Both sides next revision | ||
|
content:en_us:7_ug_openvpn [2020/05/25 16:40] 84.9.57.48 |
content:en_us:7_ug_openvpn [2020/07/20 08:43] 84.9.57.48 |
||
|---|---|---|---|
| Line 478: | Line 478: | ||
| ===== OpenVPN with Gateway Management/DNSThingy ===== | ===== OpenVPN with Gateway Management/DNSThingy ===== | ||
| - | There is a problem for OpenVPN users trying to access devices on the ClearOS LAN if the ClearOS LAN is protected by Gateway Management or DNSThingy with Don't Talk to Strangers (DTTS) enabled. The official DNSThingy solution is to go into the control panel then go Rules > Enablers (at the top) and add an enabler with the following in it: | + | There is currently (20 Jul 2020) a problem for OpenVPN users trying to access devices on the ClearOS LAN if the ClearOS LAN is protected by Gateway Management or DNSThingy with Don't Talk to Strangers (DTTS) enabled. The official DNSThingy solution is to go into the control panel then go Rules > Enablers (at the top) and add an enabler with the following in it: |
| <code>your_LAN_subnet|td0-65535,ud0-65535</code>Repeat the line for multiple LAN subnets. This will allow all TCP and UDP traffic through to the LAN, but **it will not allow pings (ICMP) **. | <code>your_LAN_subnet|td0-65535,ud0-65535</code>Repeat the line for multiple LAN subnets. This will allow all TCP and UDP traffic through to the LAN, but **it will not allow pings (ICMP) **. | ||
| - | There is an alternative solution which will allow all traffic including ICMP. Create a file /etc/clearos/firewall.d/11-dnsthingy-DTTS-bypass (the name is irrelevant as long as it begins with a two digit number greater than 10) and put the following in it: | + | There is an alternative solution which will allow all traffic including ICMP. Create a Custom Firewall rule with the following rule: |
| - | <code>if [ "$FW_PROTO" == "ipv4" ]; then true | + | <code>$IPTABLES -I FORWARD -i tun+ -j ACCEPT</code> |
| - | CHECK=$($IPTABLES -nvL FORWARD --line-numbers| grep DNSthingyIPE | awk '{print $1}' 2>/dev/null) | + | |
| - | if [ -n "$CHECK" ]; then | + | |
| - | CHECK2=$($IPTABLES -nvL FORWARD --line-numbers| grep tun+ | awk '{print $1}' 2>/dev/null) | + | |
| - | if [ "$CHECK2" -gt "$CHECK" ]; then | + | |
| - | $IPTABLES -D FORWARD $CHECK # Delete default DNSthingyIPE rule | + | |
| - | $IPTABLES -I FORWARD $CHECK2 -j DNSthingyIPE # Add the DNSthingyIPE further down | + | |
| - | fi | + | |
| - | fi | + | |
| - | fi</code> | + | |
| - | + | ||
| - | Then restart the firewall with a:<code>service firewall restart</code> | + | |
| It is OK to use both solutions at the same time. | It is OK to use both solutions at the same time. | ||
| + | |||
| + | Note that there is a version of Gateway Management in beta testing which fixes this issue, but until it is released this rule will be needed. | ||
| ===== Softphone/VoIP issue ===== | ===== Softphone/VoIP issue ===== | ||
content/en_us/7_ug_openvpn.txt · Last modified: 2021/03/31 10:14 by 84.9.57.48