LinuxQuestions.org
Old 07-06-2012, 05:01 AM   #1
taara
LQ Newbie
 
Registered: Mar 2009
Posts: 23
Can't get VPN routing to work properly


Hi, I have been googling and reading manuals for a day now and I still don't seem to get OpenVPN to share its server-side network with clients. I am sure that I am making a trivial mistake somewhere, either in my routing or in my configs, but I can't figure out where.

I have 3 networks:

1. openvpn network (10.9.0.0/24)
2. office network (10.0.0.0/24)
3. home network (10.1.1.0/24)


The openvpn server has interfaces:
eth0 x.x.x.x (public interface)
eth1 10.0.0.5 (lan interface)
tun0 10.9.0.1

NAT enabled:
Code:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth1 -j ACCEPT
Routing enabled:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward

The routing table looks like this:

Code:
Kernel IP routing table
Destination Gateway    Genmask         Flags Metric Ref Use Iface
10.9.0.2    *          255.255.255.255 UH    0      0   0   tun0
X.X.X.X     *          255.255.255.240 U     0      0   0   eth0
10.0.0.0    10.9.0.2   255.255.255.0   UG    0      0   0   tun0
10.0.0.0    *          255.255.255.0   U     0      0   0   eth1
10.1.1.0    10.9.0.1   255.255.255.0   UG    0      0   0   tun0
10.9.0.0    10.9.0.2   255.255.255.0   UG    0      0   0   tun0
default     asdasdasd  0.0.0.0         UG    100    0   0   eth0

OpenVPN server conf:
Code:
################################
port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key # This file should be kept secret

dh dh1024.pem

server 10.9.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

client-to-client
route 10.0.0.0 255.255.255.0
route 10.1.1.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
push "route 10.9.0.0 255.255.255.0"
#push "redirect-gateway def1"

keepalive 10 120

comp-lzo
max-clients 100

user nobody
group nogroup

persist-key
persist-tun
status openvpn-status.log

;log openvpn.log
;log-append openvpn.log

verb 3
###################################


I can ping the server on address 10.0.0.5 from client 10.1.1.188, but I can't ping 10.0.0.7, for example. I am quite frustrated already, please help :S.

Thank you.
 
Old 07-06-2012, 05:10 AM   #2
Lexus45
Member
 
Registered: Jan 2010
Distribution: Debian, Centos, Ubuntu, Slackware
Posts: 361
taara, can you draw a picture of your network(s)? It will be helpful.

Last edited by Lexus45; 07-06-2012 at 05:17 AM.
 
Old 07-06-2012, 05:34 AM   #3
taara
LQ Newbie
 
Registered: Mar 2009
Posts: 23

Original Poster
The networks look like this:

Code:
   *office network [subnet 10.0.0.0/24]*
         *openVPN server on office subnet with ip 10.0.0.5 VPN ip 10.9.0.1*

                            |
                            |
                      VPN 10.9.0.0/24
                            |
                            |

         *home network [subnet 10.1.1.0/24]*
         *openVPN client 10.9.0.6 / LAN ip 10.1.1.188*

Last edited by taara; 07-06-2012 at 05:37 AM.
 
Old 07-10-2012, 07:11 PM   #4
izaakrach
Member
 
Registered: Jun 2006
Location: Reno, NV USA
Distribution: Ubuntu
Posts: 32
It looks like you have your NAT on the wrong interface (tun0 is where the information is really coming in; eth1 is out). I personally don't do it this way because it's just easier to use FireHOL to configure iptables. Take a look at this article: http://wiki.ismytech.com/How-Tos/FireHOL

Last edited by izaakrach; 07-10-2012 at 07:14 PM. Reason: I forgot to add the interface names
 
Old 07-22-2012, 11:38 PM   #5
Lexus45
Member
 
Registered: Jan 2010
Distribution: Debian, Centos, Ubuntu, Slackware
Posts: 361
1. Turn ip_forward on.

2. You may SNAT from the VPN subnet to the ethX interface of your VPN server. The incoming interface will be tun0, the outgoing eth0, or something like this. In case of SNAT, the host on the server-side LAN should not know the route to VPN clients.
Code:
iptables -t nat -A POSTROUTING -s $VPN_SUBNET -o eth0 -j SNAT --to $ROUTER_EXTERNAL_IP
3. Enable the traffic on the tun+ interface in your iptables ruleset.
Code:
iptables -A FORWARD -p all -s $VPN_SUBNET -i tun0 -o eth0 -j ACCEPT

I have the same scheme and it works fine.

Last edited by Lexus45; 07-23-2012 at 12:46 AM.
 
Old 07-24-2012, 05:20 AM   #6
taara
LQ Newbie
 
Registered: Mar 2009
Posts: 23

Original Poster
Hey! Thanks for your reply.

I had ip_forwarding set to on, but it turned out that the reason why it didn't work was that OpenVPN blocked the traffic from one side to the other. I think it is a safety mechanism so that dumb clients would not route their home network to the office and possibly cause chaos along the way. When I figured that out, it was rather easy to fix it.

All I had to do was configure ccd iroute files in the OpenVPN config and everything started to work. So I mark it as solved.

Thank you all for your help.
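A consistency check for the route/iroute pairing that post #6 turned out to need, as an added example that is not the poster's or OpenVPN's own code: it reads a server.conf and the ccd files and flags a "route" for the server's own LAN (the 10.0.0.0/24 line in post #1), a "route" that no client claims through "iroute" (so OpenVPN cannot pick a client and drops the packets), an "iroute" with no kernel "route", and a client LAN overlapping the VPN pool. The client common name "homeclient" and the "client-config-dir ccd" line are assumptions, and the config text is constructed from the thread's layout.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: server LAN 10.0.0.0/24, VPN pool
# 10.9.0.0/24, one home client (hypothetical CN "homeclient") with 10.1.1.0/24.
SERVER_CONF = """\
server 10.9.0.0 255.255.255.0
client-config-dir ccd
client-to-client
route 10.0.0.0 255.255.255.0
route 10.1.1.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
"""
CCD_FILES = {"homeclient": "iroute 10.1.1.0 255.255.255.0\n"}  # ccd/<CN> -> text
SERVER_LANS = ["10.0.0.0/24"]  # subnets directly attached to the server

_LINE = re.compile(r"^\s*(server|route|iroute)\s+(\S+)\s+(\S+)", re.M)

def _nets(text, keyword):
    """Networks named by 'server', 'route' or 'iroute' lines in text."""
    return {ipaddress.ip_network(f"{a}/{m}", strict=False)
            for kw, a, m in _LINE.findall(text) if kw == keyword}

def iroute_line(cidr):
    """Render the ccd line that tells OpenVPN which client owns a LAN."""
    net = ipaddress.ip_network(cidr)
    return f"iroute {net.network_address} {net.netmask}"

def check_iroutes(server_conf, ccd_files, server_lans):
    """Report route/iroute mismatches that make packets vanish in tun0."""
    problems = []
    pool = next(iter(_nets(server_conf, "server")), None)
    routes = _nets(server_conf, "route")
    attached = {ipaddress.ip_network(n) for n in server_lans}
    iroutes = {}  # client-side network -> client CN that claims it
    for cn, text in ccd_files.items():
        for net in _nets(text, "iroute"):
            iroutes[net] = cn
            if pool and net.overlaps(pool):
                problems.append(f"{cn}: iroute {net} overlaps the VPN pool {pool}")
    for net in sorted(routes, key=str):
        if net in attached:  # post #1's config: routing its own LAN into tun0
            problems.append(f"route {net} is directly attached; remove that line")
        elif net not in iroutes:
            problems.append(f"route {net} has no iroute in any ccd file; OpenVPN drops it")
    for net, cn in iroutes.items():
        if net not in routes:
            problems.append(f"{cn}: iroute {net} has no matching route line; kernel never uses tun0")
    return problems
```

Run against the sample it reports only the stray route for the server's own LAN; drop that line and the report is empty.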