LinuxQuestions.org
Linux - Networking
09-06-2010, 07:19 AM   #1
metallica1973
OpenVPN and Routing


I am using CentOS 5.4 and the latest version of OpenVPN. My client can connect fine through the VPN and can ping the gateway but cannot ping any device past that. The VPN client network is a 192.168.4.0/27 network. My LAN network is a 192.168.3.0/27 network. I cannot ping my client (192.168.4.6) from my laptop (192.168.3.10), nor can my client ping me. I can ping the client device from the VPN/Firewall (same device). I suspect it is my firewall that is not allowing the proper routing, but here are my configs for everyone to review.

Server.conf

PHP Code:
# listen on? (optional)
;local a.b.c.d
port 1723
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
#tls-auth ta.key 0
server 192.168.4.0 255.255.255.224
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.3.1"
#push "dhcp-option DNS 4.2.2.5"
route 192.168.4.0 255.255.255.224
push "route 192.168.3.0 255.255.255.224"
push "route 192.168.4.0 255.255.255.224"
#push "redirect-gateway def1 bypass-dhcp"
;client-config-dir ccd
;client-config-dir ccd
;learn-address ./script
;push "redirect-gateway"
client-to-client
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
#cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
max-clients 2
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20
and the client.conf

PHP Code:
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote daman2010.test.com 1723
;remote my-server-2 1194
;remote-random
ns-cert-type server
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca "C:\\PROGRA~1\\OpenVPN\\config\\ca.crt"
cert "C:\\PROGRA~1\\OpenVPN\\config\\dachit.crt"
key "C:\\PROGRA~1\\OpenVPN\\config\\dachit.key"
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
route-method exe
route-delay 2
;mute 20

Last edited by metallica1973; 09-07-2010 at 07:52 AM.
 
09-06-2010, 07:30 AM   #2
quanta
Because you're using a routed VPN, read the following document:
http://www.openvpn.net/index.php/ope...wto.html#scope

Pay attention to:
Quote:
Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).

Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine.
 
09-06-2010, 07:35 AM   #3
metallica1973
My VPN device and LAN gateway are the same device. I have one server that is the VPN device and the LAN gateway. I don't think this applies, but I will look into it. Thanks.
 
09-06-2010, 07:59 AM   #4
quanta
Post the routing table of the LAN gateway?
 
09-06-2010, 08:46 AM   #5
metallica1973
PHP Code:
route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.4.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.3.0     0.0.0.0         255.255.255.224 U     0      0        0 eth1
192.168.4.0     192.168.4.2     255.255.255.224 UG    0      0        0 tun0
192.168.2.0     0.0.0.0         255.255.255.224 U     0      0        0 eth2
XX.XX.XXX.0     0.0.0.0         255.255.252.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         XX.XX.XXX.X     0.0.0.0         UG    0      0        0 eth0
Nothing can talk from the 4.0 to the 3.0 network and vice versa. But from the VPN/firewall/router I can ping everything.

Last edited by metallica1973; 09-06-2010 at 08:48 AM.
 
09-06-2010, 10:06 PM   #6
quanta
Make sure you have IP and TUN forwarding enabled on VPN server.

Let's do step by step:

1. To ping from your client to 3.x, you need:
  • push "route 192.168.3.0 255.255.255.224" (push "route 192.168.4.0 255.255.255.224" is wrong, needless)
  • enable IP and TUN forwarding

2. To ping from your laptop to 4.x: read the section "Including multiple machines on the client side when using a routed VPN (dev tun)".
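The following is an added example (editor's code, not from the thread or from OpenVPN) that mechanises the check behind step 1: it parses the route-related lines of a server.conf, flags a pushed route for the VPN subnet itself (the needless line quanta points out) and a server-side route that merely duplicates what the server directive already installs for dev tun, and reports when no pushed route covers the LAN the clients must reach. The two config excerpts are constructed copies of the thread's server.conf lines before and after the fix; the LAN subnet is an explicit argument. IP forwarding is a kernel setting and is deliberately left to be verified on the box itself.

```python
"""Check the routes a routed (dev tun) OpenVPN server pushes to its clients.

Added example, not code from the thread or from OpenVPN. Assumptions: the two
config excerpts are constructed copies of the thread's server.conf lines, and
the LAN subnet the clients must reach is passed in explicitly by the caller.
"""
import ipaddress
import shlex

# Constructed excerpt: the route-related lines of the original server.conf.
ORIGINAL_CONF = """\
server 192.168.4.0 255.255.255.224
route 192.168.4.0 255.255.255.224
push "route 192.168.3.0 255.255.255.224"
push "route 192.168.4.0 255.255.255.224"
"""

# Constructed excerpt: the same lines after the fix in the thread's last post.
FIXED_CONF = """\
server 192.168.4.0 255.255.255.224
#route 192.168.4.0 255.255.255.224
push "route 192.168.3.0 255.255.255.224"
#push "route 192.168.4.0 255.255.255.224"
"""


def parse_directives(conf_text):
    """Yield (name, args) for each active line; ';' and '#' introduce comments."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        parts = shlex.split(line)  # keeps the quoted argument of push "..." intact
        yield parts[0], parts[1:]


def to_network(addr, mask):
    """Build a network from OpenVPN's 'address netmask' argument pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def vpn_subnet(conf_text):
    """Return the client subnet from 'server <net> <mask>', or None if absent."""
    for name, args in parse_directives(conf_text):
        if name == "server" and len(args) >= 2:
            return to_network(args[0], args[1])
    return None


def pushed_routes(conf_text):
    """Return the networks announced to clients with push "route <net> <mask>"."""
    routes = []
    for name, args in parse_directives(conf_text):
        if name != "push" or not args:
            continue
        inner = shlex.split(args[0])  # args[0] is the text inside the quotes
        if len(inner) >= 3 and inner[0] == "route":
            routes.append(to_network(inner[1], inner[2]))
    return routes


def check_routes(conf_text, lan_subnets):
    """Return human-readable findings; an empty list means the push lines look
    right for clients that must reach every network in lan_subnets."""
    findings = []
    vpn_net = vpn_subnet(conf_text)
    if vpn_net is None:
        return ["no 'server' directive: cannot tell which subnet the clients use"]
    routes = pushed_routes(conf_text)
    for net in routes:
        if net == vpn_net:
            findings.append(f"pushed route {net} is the VPN subnet itself (needless)")
    for name, args in parse_directives(conf_text):
        if name == "route" and len(args) >= 2 and to_network(args[0], args[1]) == vpn_net:
            findings.append(f"server-side 'route {args[0]} {args[1]}' duplicates the "
                            "route that 'server' already installs for dev tun")
    for lan in lan_subnets:
        lan_net = ipaddress.ip_network(lan)
        if not any(lan_net.subnet_of(r) for r in routes):
            findings.append(f"no pushed route covers LAN subnet {lan_net}")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(label, check_routes(conf, ["192.168.3.0/27"]) or "OK")
```

Run against the original excerpt it reports the needless push and the duplicate route; against the fixed excerpt it reports nothing, which matches what metallica1973 ended up with. Pass a different LAN (say 192.168.2.0/27 from the routing table) to see the missing-push finding.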
 
09-07-2010, 07:50 AM   #7
metallica1973
Resolved the issue. It was the IPTables firewall ruleset inbound and, I believe, server.conf, which had a couple of route issues. Here are my configs and firewall rules, or at least a snippet of importance:

PHP Code:
cat /etc/openvpn/server.conf
# listen on? (optional)
;local a.b.c.d
port 1723
;proto tcp
proto udp
;dev tap
dev tun
;dev-node MyTap
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
#tls-auth ta.key 0
server 192.168.4.0 255.255.255.224
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.3.1"
#push "dhcp-option DNS 4.2.2.5"
#route 192.168.4.0 255.255.255.224
push "route 192.168.3.0 255.255.255.224"
#push "route 192.168.4.0 255.255.255.224"
#push "redirect-gateway def1 bypass-dhcp"
;client-config-dir ccd
;client-config-dir ccd
;learn-address ./script
;push "redirect-gateway"
client-to-client
duplicate-cn
keepalive 10 120
;tls-auth ta.key 0 # This file is secret
#cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
comp-lzo
max-clients 2
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
;log         openvpn.log
;log-append  openvpn.log
verb 3
;mute 20
client.conf

PHP Code:
client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote daman2010.test.com 1723
;remote my-server-2 1194
;remote-random
ns-cert-type server
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca "C:\\PROGRA~1\\OpenVPN\\config\\ca.crt"
cert "C:\\PROGRA~1\\OpenVPN\\config\\dachit.crt"
key "C:\\PROGRA~1\\OpenVPN\\config\\dachit.key"
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
route-method exe
route-delay 2
;mute 20
and my firewall ruleset (snippet)

PHP Code:
$IPTABLES -A INPUT -i $VPNIF -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -s $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -j ACCEPT
$IPTABLES -A FORWARD -i $VPNIF -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $VPNIF -s $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $INTLAN -j ACCEPT
$IPTABLES -A FORWARD -i $VPNIF -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -j ACCEPT

If you see anything in my firewall rules please let me know. But this worked like a charm. Thanks for your help.

Last edited by metallica1973; 09-07-2010 at 07:51 AM.
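As an added example (editor's code, not from the thread or from the iptables project), the script below walks the packets this thread is about through the FORWARD rules metallica1973 posted, with the shell variables replaced by constructed values that match the routing table above (tun0 as $VPNIF, eth1 as the 192.168.3.0/27 LAN) and a DROP default policy assumed. It shows which rule lets laptop-to-client and client-to-laptop traffic through, and also that the last two rules accept anything entering or leaving the VPN interface regardless of source address or connection state, which makes the -s $VPNNET and -s $INTLAN qualifiers on the earlier rules irrelevant. A tighter, connection-tracking alternative that still allows both directions to open flows is included for comparison; it is the editor's suggestion, not something from the thread.

```python
"""Trace packets through the FORWARD rules from the thread's firewall snippet.

Added example, not code from the thread. Assumptions: variable values and
interface names are constructed to match the thread's routing table, and the
chain's default policy is DROP. Only -i, -o, -s, -d and -m state --state are
modelled, because those are the only matches the snippet uses.
"""
import ipaddress
import shlex

VARS = {  # constructed substitutions for the snippet's shell variables
    "$VPNIF": "tun0",
    "$VPNNET": "192.168.4.0/27",
    "$INTLAN": "192.168.3.0/27",
}

# Constructed copy of the thread's FORWARD rules, in their posted order.
POSTED_RULES = """\
-A FORWARD -i $VPNIF -m state --state NEW -j ACCEPT
-A FORWARD -i $VPNIF -s $VPNNET -j ACCEPT
-A FORWARD -o $VPNIF -s $INTLAN -j ACCEPT
-A FORWARD -i $VPNIF -j ACCEPT
-A FORWARD -o $VPNIF -j ACCEPT
"""

# Editor's tighter alternative (an assumption, not from the thread): replies pass
# via connection tracking; new flows only between the two named subnets.
TIGHT_RULES = """\
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $VPNIF -s $VPNNET -d $INTLAN -m state --state NEW -j ACCEPT
-A FORWARD -o $VPNIF -s $INTLAN -d $VPNNET -m state --state NEW -j ACCEPT
"""


def parse_rules(text):
    """Turn iptables '-A FORWARD ...' lines into match dicts, in chain order."""
    rules = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        toks = [VARS.get(t, t) for t in shlex.split(raw)]
        rule = {"in": None, "out": None, "src": None, "dst": None,
                "states": None, "target": None}
        i = 0
        while i < len(toks):
            opt, arg = toks[i], toks[i + 1]
            if opt == "-i":
                rule["in"] = arg
            elif opt == "-o":
                rule["out"] = arg
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(arg)
            elif opt == "-d":
                rule["dst"] = ipaddress.ip_network(arg)
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            elif opt not in ("-A", "-m"):  # chain name and module load carry no match
                raise ValueError(f"unsupported option {opt!r} in {raw!r}")
            i += 2
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """True if every match the rule specifies agrees with the packet."""
    if rule["in"] and rule["in"] != pkt["in"]:
        return False
    if rule["out"] and rule["out"] != pkt["out"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    return True


def verdict(rules, pkt, policy="DROP"):
    """Return (target, 1-based rule number) of the first match, or (policy, None)."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["target"], number
    return policy, None


# Constructed packets: the thread's laptop (192.168.3.10) and client (192.168.4.6),
# plus a stray packet entering tun0 with a source outside the VPN subnet.
LAPTOP_TO_CLIENT = {"in": "eth1", "out": "tun0", "src": "192.168.3.10",
                    "dst": "192.168.4.6", "state": "NEW"}
CLIENT_TO_LAPTOP = {"in": "tun0", "out": "eth1", "src": "192.168.4.6",
                    "dst": "192.168.3.10", "state": "NEW"}
CLIENT_REPLY = dict(CLIENT_TO_LAPTOP, state="ESTABLISHED")
STRAY_FROM_TUN = {"in": "tun0", "out": "eth2", "src": "10.0.0.5",
                  "dst": "192.168.2.7", "state": "INVALID"}
```

Call verdict(parse_rules(POSTED_RULES), pkt) for each packet: the laptop-to-client packet is accepted by rule 3, the client-to-laptop packet by rule 1, and the stray packet by rule 4 even though its source is not in the VPN subnet and its state is INVALID. With TIGHT_RULES the first two still pass (rules 3 and 2), the reply passes via rule 1, and the stray packet falls through to the DROP policy. Rule numbers correspond to the order the rules were appended, as iptables -L FORWARD --line-numbers lists them.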
 
  


All times are GMT -5.