Old 06-22-2005, 10:55 PM   #1
J_Szucs
Cannot bring up openvpn link


I have a working ppp-over-ssh vpn solution between our two sites. Now I tried to use openvpn for the purpose, instead, using the simple example I found at the openvpn site.

My problem is that when I bring up the openvpn link, it does not work, and I cannot even ping the local end of the link.

The two sites (I call them local and remote) to be connected together are as follows:
local public IP: 212.212.85.138
local private network1: 192.168.0.0/24
local private network2: 192.168.226.0/24
remote public IP: 212.212.85.146
remote private network: 192.168.2.0/24

I think openvpn should use a separate IP address range for the vpn link itself; this should be:
local vpn link ip: 192.168.230.1
remote vpn link ip: 192.168.230.2

Here is my local (server-side) openvpn.conf:

dev tun
ifconfig 192.168.230.1 192.168.230.2
secret /usr/local/etc/openvpn.key
route 192.168.2.65 255.255.255.192

When I try to bring up the link like this:
openvpn --config openvpn.conf

I get these messages:
dmx# Thu Jun 23 05:08:45 2005 0: OpenVPN 1.6.0 i386-portbld-freebsd4.5 [SSL] [LZO] built on Jun 19 2005
Thu Jun 23 05:08:45 2005 1: gw 212.212.85.137
Thu Jun 23 05:08:45 2005 2: TUN/TAP device /dev/tun0 opened
Thu Jun 23 05:08:45 2005 3: /sbin/ifconfig tun0 192.168.230.1 192.168.230.2 mtu 1256 netmask 255.255.255.255 up
add net 192.168.2.65: gateway 192.168.230.2
Thu Jun 23 05:08:46 2005 4: UDPv4 link local (bound): [undef]:5000
Thu Jun 23 05:08:46 2005 5: UDPv4 link remote: [undef]

Here is my local ifconfig output after I bring up the link:
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.226.1 netmask 0xffffffe0 broadcast 192.168.226.31
ether 00:00:e8:ec:9c:ba
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
ed0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 212.212.85.138 netmask 0xfffffffc broadcast 212.212.85.139
ether 00:c0:0c:b0:35:47
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1256
inet 192.168.230.1 --> 192.168.230.2 netmask 0xffffffff
Opened by PID 95941
tun1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500

Here is the netstat -r output:
Destination Gateway Flags Refs Use Netif Expire
default datanet-gw.foo.bar UGSc 282760 151306900 ed0
localhost localhost UH 293 93196 lo0
192.168.0.64/26 castor.foo.bar. UGSc 0 6301 sis0
192.168.0.128/26 cross.foo.bar. UGSc 0 9303 sis0
192.168.0.192/26 hydra.foo.bar. UGSc 0 0 sis0
192.168.2.64/26 192.168.230.2 UGSc 1 95 tun0
192.168.226/27 link#1 UC 5 0 sis0
dmx.foo.bar. 0:0:e8:ec:9c:ba UHLW 307 1439247 lo0
castor.foo.bar. 0:50:22:80:9b:6e UHLW 11734 137606878 sis0 598
cross.foo.bar. link#1 UHLW 94 7600324 sis0
hydra.foo.bar. link#1 UHLW 2 2739318 sis0
192.168.230.2 192.168.230.1 UH 1 0 tun0
212.212.85.136/30 link#2 UC 2 0 ed0
datanet-gw.foo.bar 0:7:e9:7:0:7c UHLW 1003 0 ed0 1196
dmx.foo.bar. 0:c0:c:b0:35:47 UHLW 0 83 lo0

When I try to ping the local end of the vpn, it fails:
PING 192.168.230.1 (192.168.230.1): 56 data bytes
ping: sendto: Permission denied

It looks like the ping packets get denied and dropped by just the first rule on my local ipfw firewall, which is intended to prevent IP spoofing:
00010 61512 5115361 deny ip from any to 192.168.0.0/16 via ed0

I just do not understand why this happens.
I ping 192.168.230.1, which is a local IP address attached to tun0, so I suppose my ping packets should not be routed to ed0 at all, and thus should never be denied by a firewall rule for ed0.
Am I missing something important? Could you help me?

Last edited by J_Szucs; 06-22-2005 at 11:07 PM.
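A small simulation of the route lookup and firewall match described in the post, added here as an example and not part of the original post. It assumes the kernel picks the egress interface by longest-prefix match over the routes transcribed from the netstat -r output above (hostnames replaced by the interface they map to) and that ipfw's "via" keyword compares against that interface; note that the table shown contains a host route for the peer 192.168.230.2 but none for 192.168.230.1 itself, so the script also checks what a hypothetical lo0 host route for that address would change.

```python
import ipaddress

# Constructed routing table, transcribed from the netstat -r output in the post
# (only the prefix and outgoing interface of each entry are kept).
ROUTES = [
    ("0.0.0.0/0",         "ed0"),   # default via datanet-gw.foo.bar
    ("192.168.0.64/26",   "sis0"),
    ("192.168.0.128/26",  "sis0"),
    ("192.168.0.192/26",  "sis0"),
    ("192.168.2.64/26",   "tun0"),  # via 192.168.230.2
    ("192.168.226.0/27",  "sis0"),
    ("192.168.230.2/32",  "tun0"),  # UH host route to the tunnel peer
    ("212.212.85.136/30", "ed0"),
]

# Constructed rule, equivalent to ipfw rule 00010 quoted in the post:
# deny ip from any to 192.168.0.0/16 via ed0
ANTI_SPOOF = {"dst": "192.168.0.0/16", "via": "ed0"}

def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match: the interface the kernel would send dst through."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def rule_matches(dst, iface, rule=ANTI_SPOOF):
    """True if a 'deny ip from any to <dst> via <iface>' rule hits this packet."""
    return (ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
            and iface == rule["via"])

def ping_outcome(dst, routes=ROUTES, rule=ANTI_SPOOF):
    """'denied' if the anti-spoof rule would drop the packet, else where it goes."""
    iface = egress_interface(dst, routes)
    return "denied" if rule_matches(dst, iface, rule) else f"sent via {iface}"

if __name__ == "__main__":
    for target in ("192.168.230.1", "192.168.230.2", "192.168.2.70"):
        print(target, "->", egress_interface(target), "/", ping_outcome(target))
    # Hypothetical: what a loopback host route for the local tunnel address changes.
    with_lo = ROUTES + [("192.168.230.1/32", "lo0")]
    print("with lo0 host route:", ping_outcome("192.168.230.1", with_lo))
```

With the table as posted, 192.168.230.1 has no more specific route than the default, so the simulated packet leaves via ed0 and falls inside 192.168.0.0/16, which is exactly the combination the anti-spoof rule denies.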