Re: [opensuse-security] OpenVPN Bridging setup on SUSE Linux
Jonathon Robison wrote:
Be aware that the default firewall in opensuse interferes with openvpn. I haven't nailed down exactly what line yet, but in mine, even though I had all appropriate routes added and ports open, nobody could browse the samba shares (or get a browse list from the WINS server) until I dropped all rules and established only the necessary openvpn rules.
I've got OpenVPN to run preliminarily in ROUTE mode on my openSUSE 10.3 workstation so far by copying most of the config files used on Win2kTS to openSUSE /etc/openvpn. Existing client certificates also work. But I hope someone can throw more "practical light" on the following listed items:

OpenVPN and Firewall:
During initial testing I disabled the SuseFW2 on my workstation. With YaST2 I've allowed the OpenVPN port 119x for TCP and UDP to the external zone. The OpenVPN BRIDGING document http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.h... tells that the following additional entries should be set in the firewall:

    iptables -A INPUT -i tap0 -j ACCEPT
    iptables -A INPUT -i br0 -j ACCEPT
    iptables -A FORWARD -i br0 -j ACCEPT

How can this be set in SuseFW2, preferably with YaST2?

After the OpenVPN rpm installation there is also a longer sample firewall config file located at /usr/share/doc/packages/openvpn/sample-config-files/firewall.sh
Does anybody know if this sample OpenVPN-aware firewall script will work for SuseFirewall, and possibly how it may be customized to work?

Autostart OpenVPN during boot:
After the OpenVPN rpm installation there is available a script /etc/init.d/openvpn. OpenVPN does not start automatically during boot. I can start openvpn from /etc/openvpn with

    openvpn server.conf

Another installed script document /usr/share/doc/packages/openvpn/suse/openvpn.init tells that OpenVPN can be started and stopped by the /etc/init.d init script with

    service openvpn start
    service openvpn stop

This works. I'm unsure if this openvpn.init file should be copied to /etc/rc.d/init.d/openvpn as mentioned, and possibly how to use the YaST runlevel editor. There is also a third sample script after the installation, /usr/share/doc/packages/openvpn/sample-scripts/openvpn.init. I'm unsure if this document has only relevance for Redhat and other chkconfig-based systems.
Lastly, so far, I'm unsure what the purpose is with, and possibly what to do with, the

    /usr/share/doc/packages/openvpn/sample-config-files/xinetd-client-config
    /usr/share/doc/packages/openvpn/sample-config-files/xinetd-server-config

The server file tells it should be renamed to openvpn or similar and copied to /etc/xinet.d. xinet.d can then be made aware of this file by restarting it or sending it a SIGHUP signal.

Thanks,
Terje J Hanssen
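As an added example (not from this thread, the OpenVPN project or SuSEfirewall2 itself), one way to carry the three bridging rules from the OpenVPN document into SuSEfirewall2 is its custom-rules hook file rather than hand-run iptables commands that the firewall restart would flush. The hook function name and the FW_CUSTOMRULES setting are assumed from SuSEfirewall2's custom-rules mechanism; the IPTABLES variable is an assumed dry-run switch for checking the rules before applying them.

```shell
# Assumed location: /etc/sysconfig/scripts/SuSEfirewall2-custom, enabled by
#   FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
# in /etc/sysconfig/SuSEfirewall2. SuSEfirewall2 sources this file and calls the
# hook functions while it rebuilds its rule set, so nothing here should run at
# top level except setting defaults.

TAP_DEV="${TAP_DEV:-tap0}"          # OpenVPN tap interface from the bridging document
BR_DEV="${BR_DEV:-br0}"             # bridge that tap0 and the LAN NIC are enslaved to
IPTABLES="${IPTABLES:-iptables}"    # set to "echo iptables" to dry-run and inspect the rules

# The three rules from the OpenVPN ethernet-bridging document, unchanged.
# Note for review: they accept ALL traffic arriving on tap0/br0 and let br0
# forward anything; tighten with -s/-p/--dport matches if the VPN clients
# only need a few services (e.g. Samba/WINS).
openvpn_bridge_rules() {
    $IPTABLES -A INPUT   -i "$TAP_DEV" -j ACCEPT
    $IPTABLES -A INPUT   -i "$BR_DEV"  -j ACCEPT
    $IPTABLES -A FORWARD -i "$BR_DEV"  -j ACCEPT
}

# Assumed SuSEfirewall2 hook: runs after the generated rules are in place, so the
# ACCEPTs above sit behind the firewall's own anti-spoofing/state rules.
# Hook functions must return 0 or SuSEfirewall2 reports a failure.
fw_custom_after_finished() {
    openvpn_bridge_rules
    true
}
```

After editing the hook file, `rcSuSEfirewall2 restart` rebuilds the rule set; `iptables -L INPUT -n -v` should then show the tap0/br0 ACCEPT lines with packet counters increasing when a VPN client browses the shares.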