On 12/1/13, Ron Leach <ronle...@tesco.net> wrote:
> On 30/11/2013 20:22, François Fayard wrote:
Francois, it might be useful if you let us know what software you are
using to set up the vpn.

To set up NAT ("ICS") I use a little nat-enable shell script:
---
#!/bin/sh
# External/WAN (Internet-facing) device that traffic is masqueraded out of
wan=eth2
echo "NOTE: external/WAN Internet facing device is set to:"
echo " $wan"
# Let the kernel forward IPv4 packets between interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
# Rewrite the source address of everything leaving via $wan
iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
# Optional FORWARD accepts (eth1 is the LAN side), left disabled:
#iptables -A FORWARD -i $wan -o eth1 -m state \
#  --state RELATED,ESTABLISHED -j ACCEPT
#iptables -A FORWARD -i eth1 -o $wan -j ACCEPT
echo "NAT enabled for $wan"
---

So after establishing your vpn as ppp0, you would probably need to
re-run the above script (on the vpn gateway host) with a "wan=ppp0" line
in the above script.

However, we are kind of grasping at straws here, because we don't know
how you're setting up NAT, or your VPN.

> I think the problem is a routing gateway; and I am suspicious of the
> '*' entry on the default line. My guess is that the default route
> should not be *, should not be 192.168.1.anything, but should be
> something like the ppp0 far end address, which is 173.255.189.129 .

Yes. But, is ppp0 likely to include the "private" part of VPN?
I would with e.g. OpenVPN expect tun0, not ppp0.

Which Linux-based VPN software encrypts over ppp0 device?

> Also, be clear what
> (a) the address is that the other machines use to reach your Debian
> system (that is the 'gateway' address for them), and
> (b) it should be a different gateway address from the 'gateway
> address' that your Debian machine uses for its gateway
> (c) and the gateway address that your debian machine uses
> should be on the default route line in the route table, I believe.

This sounds ambiguous. Let's say:
After establishing your VPN on your local-LAN gateway host, its
default route should be the address of the far-end of the VPN link;
and that routing table will still need specific routes (the VPN
software/config should set this up).

> (d) and your VPN should be on a different IP address subnet from the
> local LAN subnet

Definitely.
e) be clear on the difference between a PTPP tunnelling link,
unencrypted, which looks, acts and quacks like a VPN-duck to the other
machines on your local LAN, as compared to a true VPN, which also
encrypts the tunnel.

f) also, make sure you update your NAT firewall rule after bringing up
your VPN

Good luck
Zenaan
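
The advice in (f), re-applying the NAT rule once the VPN link is up, can be scripted so that the egress device is read from the default route instead of being hard-coded. This is an added example, not part of the original post; the `apply` argument, the `LAN_DEV` variable and the function names are assumptions, and `eth1` as the LAN device is taken from the commented lines in the script above.

```shell
#!/bin/sh
# Added example (not from the thread): derive the NAT egress device from the
# default route, so the MASQUERADE rule follows the VPN device (ppp0, tun0, ...).

# Print the device of the first default route in `ip route` output on stdin.
# Handles both "default via GW dev X ..." and "default dev X scope link".
default_dev() {
    awk '$1 == "default" {
             for (i = 2; i < NF; i++)
                 if ($i == "dev") { print $(i + 1); exit }
         }'
}

# Print one idempotent rule: test with -C, append with -A only if absent,
# so re-running after every VPN reconnect does not stack duplicates.
# $1 = table, $2 = chain, remaining arguments = rule specification.
ensure_rule() {
    table=$1 chain=$2
    shift 2
    echo "iptables -t $table -C $chain $* 2>/dev/null || iptables -t $table -A $chain $*"
}

# Print the commands that enable NAT from LAN device $2 out of WAN device $1.
# The FORWARD accepts are the ones commented out in the script above; they
# only matter when the FORWARD chain policy is DROP.
nat_rules() {
    wan=$1 lan=$2
    echo "sysctl -w net.ipv4.ip_forward=1"
    ensure_rule nat POSTROUTING -o "$wan" -j MASQUERADE
    ensure_rule filter FORWARD -i "$wan" -o "$lan" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    ensure_rule filter FORWARD -i "$lan" -o "$wan" -j ACCEPT
}

# "apply" (hypothetical argument): run as root once the VPN link is up.
# Without it the file only defines the functions above.
if [ "${1:-}" = "apply" ]; then
    wan=$(ip -4 route show default | default_dev)
    [ -n "$wan" ] || { echo "no default route found" >&2; exit 1; }
    nat_rules "$wan" "${LAN_DEV:-eth1}" | sh -x
fi
```

Calling `nat_rules ppp0 eth1` on its own prints the commands for review without changing any firewall state.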