Sending all traffic through the VPN?
Got a problem with Viscosity or need help? Ask here!
hmmm
Is it possible to mail or post the following settings?
- OpenVPN config in dd-wrt
- Startup script (under administration -> Commands -> Startup)
- firewall rules (under administration -> Commands -> firewall)
- viscosity's settings (config.conf at ~/Library/Application Support/Viscosity)
you can redact your wan IP with server.com or something
[email protected]
grtz
Well, that's the thing. I copied and pasted your configs, so they are identical. Except for this part which I've played around with:
push "route 192.168.80.0 255.255.255.0"
server 192.168.90.0 255.255.255.0
So you would think it should work.
Can you change the above push/server config so I can see how you'd go about connecting a static IP of 192.168.0.29 (behind a router IP of 192.168.0.1) to the DD-WRT OpenVPN server (domain.com, LAN of 192.168.1.1)? Wouldn't it be:
push "route 192.168.0.29 255.255.255.0"
server 192.168.1.1 255.255.255.0
Firewall rules:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.1.1/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
Hello
First of all
I think I need to clarify the IP address 192.168.80.0 ... this is not a machine but the whole range from 192.168.80.1 -> 192.168.80.254
push "route 192.168.80.0 255.255.255.0"
My internal network is 192.168.80.x, my router is on 192.168.80.1
So basically every machine that has a 192.168.80.x IP address on my LAN is accessible via the VPN tunnel.
Your LAN is 192.168.0.x so push has to be
push "route 192.168.0.0 255.255.255.0" (if possible change your LAN to something else like 192.168.70.x in DD-WRT network setup)
server 192.168.1.1 255.255.255.0
This is the LAN range OpenVPN will make; I would change it to
server 192.168.80.0 255.255.255.0 because a lot of networks have a 192.168.1.x address range
iptables -I FORWARD 1 --source 192.168.1.1/24 -j ACCEPT
This has to be the same IP address range as your VPN server, so in your case
iptables -I FORWARD 1 --source 192.168.1.0/24 -j ACCEPT
Every IP has to end with 0; it's the whole range from 1 to 254 that's used.
So to sum up
If you can change your local LAN to something like 192.168.80.x, do it
If not, use this conf:
push "route 192.168.0.0 255.255.255.0"
server 192.168.90.0 255.255.255.0
If you can change your LAN then the conf is:
push "route 192.168.80.0 255.255.255.0"
server 192.168.90.0 255.255.255.0
firewall:
iptables -I INPUT 1 -p tcp --dport 1194 -j ACCEPT
iptables -I INPUT 1 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD 1 --source 192.168.90.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
Viscosity settings:
make a new connection in Viscosity
address: your WAN IP (I use a DynDNS address, it's easier to remember)
protocol: UDP (try TCP if something doesn't work, you never know)
Device: Tun
DNS: enable DNS support
authentication:
SSL/TLS client
select the right CA, CERT and key files
TLS-auth: leave this one blank
direction: default
persist tun checked
persist key checked
no bind checked
pull options checked
hope this clarifies a bit...
and good luck
Hi scubes13,
The pfSense developers have actually added Viscosity support to the latest build (meaning you can simply download a client file for Viscosity, which all you have to do is double-click and Viscosity will automatically create a new connection to your pfSense box). However I'm not sure when the next full-release will be that includes this.
I can't really go into too much detail, however the gist of setting up a pfSense OpenVPN server is:
1. Create a new OpenVPN Server using the WebGUI
2. Enter an address pool (e.g. 10.0.2.0/24). I'd recommend making this different from your LAN IP range
3. Enter the IP range for your local network (e.g. 10.0.1.0/24)
4. I also usually tick the Client-to-client VPN option
5. The Authentication method should be PKI in most cases. You'll need to generate a CA certificate, Server certificate, Server key, and DH parameters locally on your Mac (as well as a certificate and key for Viscosity), and then open these files and copy-paste them into the corresponding fields. To generate these files you'll need to download OpenVPN from the OpenVPN website (you shouldn't need to compile anything), and then follow the "Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients" section in their How To section.
6. Enter a DNS search domain, and a DNS server (typically the internal IP address of your pfSense box)
7. Save the new server
8. Now you'll need to set up NAT to allow traffic from VPN clients to access the internet. To do this go to Firewall->NAT in the WebGUI
9. Under the Outbound tab set to "Manual Outbound NAT rule generation"
10. Add a new rule for your VPN. For example, if you use the IP ranges above: Interface = WAN. Source Type = Network. Source Address = 10.0.2.0/24. Save the rule
11. Create a new connection in Viscosity. The remote server should be the WAN IP of your pfSense box. Select the client certificates/key you created in the OpenVPN How To guide. Under networking tick "Send all traffic over VPN connection". The defaults for everything else should be fine (although I haven't tested this).
12. Try connecting.
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
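The two replies above make the same two points: a `push "route ..."`, `server` or `--source` line must name a network (last octet 0 for a /24, not a host such as 192.168.0.29 or 192.168.1.1), and the client LAN, the server LAN and the VPN address pool must not overlap (the DD-WRT reply's "change your LAN to 192.168.70.x", the pfSense reply's "make the pool different from your LAN IP range"). The script below is an added example, not code from this thread or from Viscosity, DD-WRT or pfSense; it uses only Python's standard `ipaddress` module, and the function names and the sample layouts are ours.

```python
"""Sanity-check an OpenVPN subnet layout before touching the router config."""
import ipaddress
from typing import Dict, List


def parse_network(text: str) -> ipaddress.IPv4Network:
    """Parse 'addr mask' (OpenVPN style) or 'addr/prefix' (iptables style).

    strict=True makes ipaddress reject host addresses such as 192.168.0.29/24:
    a route, server or --source line must name the network, so for a /24 the
    last octet has to be 0, exactly as the thread explains.
    """
    parts = text.split()
    spec = f"{parts[0]}/{parts[1]}" if len(parts) == 2 else parts[0]
    return ipaddress.ip_network(spec, strict=True)


def check_layout(client_lan: str, server_lan: str, vpn_pool: str) -> List[str]:
    """Return the problems found (an empty list means the layout is usable).

    client_lan: LAN behind the Viscosity client
    server_lan: LAN behind the OpenVPN server, what push "route ..." advertises
    vpn_pool:   the range the `server` directive hands out, what the FORWARD
                rule (DD-WRT) or the outbound NAT rule (pfSense) must allow
    """
    problems: List[str] = []
    nets: Dict[str, ipaddress.IPv4Network] = {}
    for name, text in (("client LAN", client_lan),
                       ("server LAN", server_lan),
                       ("VPN pool", vpn_pool)):
        try:
            nets[name] = parse_network(text)
        except ValueError:
            problems.append(f"{name} {text!r} is a host address, not a "
                            f"network (host bits set)")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}: "
                                f"routes would be ambiguous")
    return problems


def forward_rule(vpn_pool: str) -> str:
    """The DD-WRT FORWARD rule for the pool, in the form the thread uses."""
    net = parse_network(vpn_pool)
    return f"iptables -I FORWARD 1 --source {net.with_prefixlen} -j ACCEPT"


if __name__ == "__main__":
    # The asker's attempt from the thread: two host addresses where networks belong.
    for p in check_layout("192.168.0.0 255.255.255.0",
                          "192.168.0.29 255.255.255.0",
                          "192.168.1.1 255.255.255.0"):
        print("problem:", p)
    print(forward_rule("192.168.90.0 255.255.255.0"))
```

Feed it the three ranges from your own setup; an empty result plus the printed FORWARD (or, on pfSense, the matching outbound NAT source) rule is the layout the replies describe.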