Old 06-27-2012, 04:54 AM   #1
riodda
LQ Newbie
 
Registered: Jun 2012
Posts: 2

Rep: Reputation: Disabled
eth0 tun0 ip forwarding


Hi all, here is my Linux question:

I have my home network class 192.168.1.X where the DSL router is 192.168.1.1 (Zyxel P-660HN-F1Z).
In this class I have a Linux box (Enigma2 Ipbox); its IP is 192.168.1.38.
On this box I set up OpenVPN as a server, listening on port 1194; on the Zyxel I've opened the port and created the NAT to the Linux box.
Then I have a notebook with a 3G connection and OpenVPN that connects to the box; the IP class is 10.8.0.X.
So on the box I have eth0 with 192.168.1.38 and tun0 with 10.8.0.1.
On the Windows 7 notebook I have 10.8.0.6 and the IP from the 3G connection.

I can actually ping both the interfaces of the Linux box, but I can't ping other machines on the 192.168.1.XXX network such as the router or the NAS machine.

I think I'm missing some routing on the Linux box (IP forwarding is enabled).
The linux box is Ipbox sh4 Enigma2 Image PKT Nebula v.1


server.conf
;local a.b.c.d
port 1194
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /var/etc/openvpn/keys/ca.crt
cert /var/etc/openvpn/keys/ipbox.crt
key /var/etc/openvpn/keys/ipbox.key
dh /var/etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3



Clientconfig

client
dev tun
proto udp
remote remoteipaddress 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "C:\\openvpn\\ca.crt"
cert "C:\\openvpn\\hp-dario.crt"
key "C:\\openvpn\\hp-dario.key"
comp-lzo
verb 3



Wed Jun 27 10:11:21 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Wed Jun 27 10:11:21 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jun 27 10:11:21 2012 LZO compression initialized
Wed Jun 27 10:11:21 2012 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jun 27 10:11:22 2012 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jun 27 10:11:22 2012 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jun 27 10:11:22 2012 Local Options hash (VER=V4): '41690919'
Wed Jun 27 10:11:22 2012 Expected Remote Options hash (VER=V4): '530fdded'
Wed Jun 27 10:11:22 2012 UDPv4 link local: [undef]
Wed Jun 27 10:11:22 2012 UDPv4 link remote: XXXXXXXXX:1194
Wed Jun 27 10:11:22 2012 TLS: Initial packet from XXXXXXXXX:1194, sid=308c0f6a 4fbfa880
Wed Jun 27 10:11:22 2012 VERIFY OK: depth=1, /C=IT/ST=Italy/L=Brescia/O=Rdd/OU=ipbox/CN=ipbox/name=Dario/emailAddress=riodda@XXXX.com
Wed Jun 27 10:11:22 2012 VERIFY OK: nsCertType=SERVER
Wed Jun 27 10:11:22 2012 VERIFY OK: depth=0, /C=IT/ST=Italy/L=Brescia/O=Rdd/OU=ipbox/CN=ipbox/name=Dario/emailAddress=riodda@XXXX.com
Wed Jun 27 10:11:24 2012 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 27 10:11:24 2012 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 27 10:11:24 2012 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jun 27 10:11:24 2012 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jun 27 10:11:24 2012 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jun 27 10:11:24 2012 [ipbox] Peer Connection Initiated with 81.174.12.160:1194
Wed Jun 27 10:11:26 2012 SENT CONTROL [ipbox]: 'PUSH_REQUEST' (status=1)
Wed Jun 27 10:11:26 2012 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
Wed Jun 27 10:11:26 2012 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jun 27 10:11:26 2012 OPTIONS IMPORT: --ifconfig/up options modified
Wed Jun 27 10:11:26 2012 OPTIONS IMPORT: route options modified
Wed Jun 27 10:11:26 2012 ROUTE default_gateway=109.117.189.18
Wed Jun 27 10:11:26 2012 TAP-WIN32 device [Vpn_Casa] opened: \\.\Global\{64A0AFA2-BB04-4765-8813-046072B63992}.tap
Wed Jun 27 10:11:26 2012 TAP-Win32 Driver Version 9.9
Wed Jun 27 10:11:26 2012 TAP-Win32 MTU=1500
Wed Jun 27 10:11:26 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.8.0.6/255.255.255.252 on interface {64A0AFA2-BB04-4765-8813-046072B63992} [DHCP-serv: 10.8.0.5, lease-time: 31536000]
Wed Jun 27 10:11:26 2012 Successful ARP Flush on interface [53] {64A0AFA2-BB04-4765-8813-046072B63992}
Wed Jun 27 10:11:32 2012 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Wed Jun 27 10:11:32 2012 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 10.8.0.5
Wed Jun 27 10:11:32 2012 ROUTE: route addition failed using CreateIpForwardEntry: Uno o più argomenti non validi. [status=160 if_index=53]
Wed Jun 27 10:11:32 2012 Route addition via IPAPI failed [adaptive]
Wed Jun 27 10:11:32 2012 Route addition fallback to route.exe
OK
Wed Jun 27 10:11:32 2012 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Jun 27 10:11:32 2012 ROUTE: route addition failed using CreateIpForwardEntry: Uno o più argomenti non validi. [status=160 if_index=53]
Wed Jun 27 10:11:32 2012 Route addition via IPAPI failed [adaptive]
Wed Jun 27 10:11:32 2012 Route addition fallback to route.exe
OK
Wed Jun 27 10:11:32 2012 Initialization Sequence Completed



Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
rfc-1918 * 255.255.255.255 UH 0 0 0 tun0
rfc-1918 rfc-1918 255.255.255.0 UG 0 0 0 tun0
rfc-1918 * 255.255.255.0 U 0 0 0 eth0
default rfc-1918 0.0.0.0 UG 0 0 0 eth0


From Windows 7 I can ping 192.168.1.38 and I can ping 10.8.0.1, but not the other 192.168.1.XX.
 
Old 06-28-2012, 02:38 PM   #2
zer0signal
Member
 
Registered: Oct 2010
Location: Cleveland
Distribution: Slackware, Fedora, RHEL (4,5), LFS 6.7, CentOS
Posts: 254

Rep: Reputation: 29
Create a static route on your Zyxel router so that anything for the 10.8.0.0 subnet goes to 192.168.1.38...


So any pings that occur on your 192.168.1.0/24 subnet destined for 10.8.0.0 go to your Zyxel router, and then the Zyxel points those to the OpenVPN server 192.168.1.38.


In the client's conf file, you may want to add a route command:

route 192.168.1.0 255.255.255.0

So the client knows anything on the 198.168.1.0/24 subnet is on the other side of the tunnel...

Last edited by zer0signal; 06-28-2012 at 02:43 PM.
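
An added illustration (not part of either post, and not OpenVPN code): a small Python model of the routing tables described in this thread, tracing an echo request and its reply with and without the static route on the Zyxel suggested in post #2. The NAS address 192.168.1.50 and the node names are constructed for the example; the other addresses are the ones given in the thread.

```python
import ipaddress

# Who owns which address. 192.168.1.50 (NAS) is a constructed placeholder.
OWNER = {"10.8.0.6": "client", "10.8.0.1": "box", "192.168.1.38": "box",
         "192.168.1.1": "router", "192.168.1.50": "nas"}

def tables(router_static_route):
    """Per-node routes as (prefix, next node); 'lan' means the destination is on-link."""
    t = {
        "client": [("192.168.1.0/24", "box"), ("10.8.0.1/32", "box"), ("0.0.0.0/0", "wan")],
        "box":    [("10.8.0.0/24", "client"), ("192.168.1.0/24", "lan"), ("0.0.0.0/0", "router")],
        "nas":    [("192.168.1.0/24", "lan"), ("0.0.0.0/0", "router")],
        "router": [("192.168.1.0/24", "lan"), ("0.0.0.0/0", "wan")],
    }
    if router_static_route:
        # The static route from post #2: 10.8.0.0/24 via 192.168.1.38
        t["router"].append(("10.8.0.0/24", "box"))
    return t

def trace(tbl, src, dst):
    """Follow one packet hop by hop and return the list of nodes it visits."""
    node = OWNER[src]
    path = [node]
    target = ipaddress.ip_address(dst)
    while OWNER.get(dst) != node and len(path) < 8:
        matches = [(ipaddress.ip_network(p).prefixlen, hop)
                   for p, hop in tbl[node] if target in ipaddress.ip_network(p)]
        hop = max(matches)[1]                    # longest prefix wins
        node = OWNER[dst] if hop == "lan" else hop
        path.append(node)
        if node == "wan":                        # private address sent to the ISP: lost
            break
    return path

def ping(tbl, src, dst):
    """A ping works only if the request reaches dst AND the reply gets back to src."""
    request = trace(tbl, src, dst)
    if request[-1] != OWNER[dst]:
        return False, request, []
    reply = trace(tbl, dst, src)
    return reply[-1] == OWNER[src], request, reply

if __name__ == "__main__":
    for static in (False, True):
        for dst in ("192.168.1.38", "192.168.1.1", "192.168.1.50"):
            ok, req, rep = ping(tables(static), "10.8.0.6", dst)
            print(f"static_route={static} dst={dst} ok={ok} "
                  f"request={'>'.join(req)} reply={'>'.join(rep)}")
```

In both runs the request reaches the LAN host through the box; only the reply path changes, because LAN hosts send 10.8.0.x traffic to their default gateway.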
 
  


All times are GMT -5. The time now is 04:39 PM.
