LinuxQuestions.org
Old 02-20-2012, 10:14 AM   #1
polinux
Member
 
Registered: Jun 2011
Location: Reading UK
Distribution: OpenSUSE, CenOS
Posts: 46

Rep: Reputation: 3
OpenVPN - Cannot see other machines except Server.


Hello Everyone.

I have a problem with configuring OpenVPN.

I did manage to make it run and can connect to the server but cannot see other machines in the remote network.

I have one network (192.168.37.0/24) on which there is OpenVPN Server (192.168.37.60) running and around 30 other machines. I can connect to OpenVPN Server but cannot connect to any other.

Netstat on the server:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.37.1    0.0.0.0         UG        0 0          0 eth0
10.8.8.0        0.0.0.0         255.255.255.0   U         0 0          0 tap0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
192.168.37.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
Server config:
Quote:

local 192.168.37.60

port 1194
proto udp

dev tap

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

server 10.8.8.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 192.168.37.60 255.255.255.0"

keepalive 10 120

comp-lzo

persist-key
persist-tun

status openvpn-status.log

verb 3
Client conf:

Quote:
client

dev tap

proto udp

remote my-server.dyndns.org 1194

resolv-retry infinite

nobind

persist-key
persist-tun

ca /VPN/ca.crt
cert /VPN/my.crt
key /VPN/my.key

comp-lzo

verb 3
What do you think is wrong with this setup?

Thank you very much for any help that you will provide. I'm really tired of this. Read so much about everything connected with OpenVPN and nothing seems to be helpful, so it's better to ask Professionals.
 
Old 02-20-2012, 11:17 AM   #2
ArcLinux
Member
 
Registered: Apr 2005
Location: Fargo, ND
Distribution: Slackware, CentOS
Posts: 87

Rep: Reputation: 20
Have you set up your OpenVPN server to forward incoming and outgoing packets from the VPN network to your local network in your firewall or routing table?
 
Old 02-20-2012, 01:04 PM   #3
polinux
Member
 
Registered: Jun 2011
Location: Reading UK
Distribution: OpenSUSE, CenOS
Posts: 46

Original Poster
Rep: Reputation: 3
No, I didn't.

What should I do next then?

What exactly should I type?


Thank you for your answer.
 
Old 02-20-2012, 01:12 PM   #4
ArcLinux
Member
 
Registered: Apr 2005
Location: Fargo, ND
Distribution: Slackware, CentOS
Posts: 87

Rep: Reputation: 20
%> cat /proc/sys/net/ipv4/ip_forward

What is the value of that?

What distro is the server?
 
Old 02-20-2012, 01:14 PM   #5
polinux
Member
 
Registered: Jun 2011
Location: Reading UK
Distribution: OpenSUSE, CenOS
Posts: 46

Original Poster
Rep: Reputation: 3
Value is 1, so it's ON.

It's OpenSuSE 12.1 64bit.

Thanks.
 
Old 02-20-2012, 01:24 PM   #6
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,578
Blog Entries: 31

Rep: Reputation: 1208
If you want the OpenVPN clients to be able to participate on the server's LAN, you must configure the server in bridged mode instead of routed mode but this exposes the LAN to a greater security risk.

More information here.
 
Old 02-20-2012, 01:25 PM   #7
devilboy09
Member
 
Registered: Nov 2011
Location: Iran
Distribution: Debian, CentOS, LFS, CloudLinux
Posts: 377

Rep: Reputation: 10
I have the same problem with PPTP VPN.
 
Old 02-20-2012, 01:27 PM   #8
polinux
Member
 
Registered: Jun 2011
Location: Reading UK
Distribution: OpenSUSE, CenOS
Posts: 46

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by catkin View Post
If you want the OpenVPN clients to be able to participate on the server's LAN, you must configure the server in bridged mode instead of routed mode but this exposes the LAN to a greater security risk.

More information here.
Hmm... the funny bit is it was set up to work as bridged before and it didn't work at all.

I'll try this method tomorrow and will let you know how that went.

Thank you very much for pointing that out.
 
Old 02-20-2012, 01:32 PM   #9
ArcLinux
Member
 
Registered: Apr 2005
Location: Fargo, ND
Distribution: Slackware, CentOS
Posts: 87

Rep: Reputation: 20
Bridging is possible, but as you say opens security issues. Keeping the VPN on a separate subnet and building routing table and firewall rules allows you to integrate the VPN into the local subnet and control access and logging.
 
Old 02-20-2012, 01:35 PM   #10
polinux
Member
 
Registered: Jun 2011
Location: Reading UK
Distribution: OpenSUSE, CenOS
Posts: 46

Original Poster
Rep: Reputation: 3
Quote:
Originally Posted by ArcLinux View Post
Bridging is possible, but as you say opens security issues. Keeping the VPN on a separate subnet and building routing table and firewall rules allows you to integrate the VPN into the local subnet and control access and logging.
So if I'm right it's better or more secure to leave it as it is. And just log it through ssh.

But I'll try with the bridged too.

Thank You.
 
Old 02-20-2012, 01:40 PM   #11
ArcLinux
Member
 
Registered: Apr 2005
Location: Fargo, ND
Distribution: Slackware, CentOS
Posts: 87

Rep: Reputation: 20
Quote:
Originally Posted by polinux View Post
So if I'm right it's better or more secure to leave it as it is. And just log it through ssh.

But I'll try with the bridged too.

Thank You.
Check your firewall rules in Yast and be sure that traffic is enabled for the LAN to communicate with the chosen VPN network.
 
Old 02-20-2012, 04:34 PM   #12
fritz001
Member
 
Registered: Aug 2004
Posts: 176

Rep: Reputation: 18
server.config

Quote:
daemon
port 1194
proto udp
dev tap
mode server
tls-server
cipher AES-256-CBC
client-to-client

cd /etc/openvpn/

ca certs/ca.crt
dh certs/dh1024.pem
cert keys1/ovpn_server.crt
key keys1/ovpn_server.key
tls-auth keys/key_static.key 0

ifconfig 10.100.0.1 255.255.255.0 # openvpn gateway
ifconfig-pool 10.100.0.2 10.100.0.10 255.255.255.0
ifconfig-pool-persist ipp.txt

#tmp-dir /tmp
#script-security 3
#auth-user-pass-verify /etc/openvpn/user_check.sh via-file

persist-tun
persist-key

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
keepalive 10 60

client-config-dir /etc/openvpn/ccd/

#enabled on client config

comp-lzo yes
status openvpn-status.log

verb 3

####### ip route add 192.168.2.0/24 via 192.168.150.1
####### echo 1 > /proc/sys/net/ipv4/ip_forward
####### iptables -I FORWARD -p all -i tap+ -j ACCEPT
####### iptables -I FORWARD -p all -o tap+ -j ACCEPT
/etc/openvpn/ccd
admin1 <- name of the certificate file generated for client name "admin1"

Quote:
push-reset

ifconfig-push 10.100.0.5 255.255.255.0

#LOCAL-NETS
push "route 192.168.140.0 255.255.255.0 10.100.0.1"
push "route 10.10.10.0 255.255.255.224 10.100.0.1"

#CISCO-ROUTERS
push "route 10.1.1.0 255.255.255.0 10.100.0.1"

#push def gateway to client
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
push "route-gateway 10.100.0.1"
push "redirect-gateway def1"
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
push "dhcp-option DNS _SRV1_"
push "dhcp-option DNS _SRV2_"

Last edited by fritz001; 02-20-2012 at 04:36 PM.
 
Old 02-22-2012, 10:10 AM   #13
polinux
Member
 
Registered: Jun 2011
Location: Reading UK
Distribution: OpenSUSE, CenOS
Posts: 46

Original Poster
Rep: Reputation: 3
I did reinstall the whole system with CentOS 6.2 and the same OpenVPN setup. The problem was still there.

But.......

I did finally find the solution. I missed the IPTABLES setup.

That's what was missing:

iptables -I INPUT -i tap0 -j ACCEPT
iptables -I FORWARD -i tap0 -j ACCEPT
iptables -I FORWARD -o tap0 -j ACCEPT
iptables -I OUTPUT -o tap0 -j ACCEPT

And add them to stay there permanently and you're ready to go.

SOLVED..


THANKS GUYS For pointing out where to look.
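
An added example, not part of any post in this thread: a dry-run generator for the kind of scoped forwarding rules ArcLinux describes in post #9 (separate VPN subnet, controlled access, logging), as an alternative to the blanket `tap0` ACCEPT rules in post #13. The interface and subnets come from the thread; the chain name `VPN_FWD` and the allowed TCP ports are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) FORWARD rules that
# scope VPN-to-LAN traffic, as an alternative to blanket "-i tap0 -j ACCEPT".
# From the thread: tap0, VPN pool 10.8.8.0/24, LAN 192.168.37.0/24.
# Assumptions: chain name VPN_FWD and the allowed TCP ports (22,443).

valid_cidr() {
    # Shape check only (digits, dots, one /prefix); iptables validates the rest.
    case $1 in *[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

vpn_forward_rules() {
    vpn_if=$1 vpn_net=$2 lan_net=$3 ports=$4
    valid_cidr "$vpn_net" && valid_cidr "$lan_net" ||
        { echo "bad CIDR" >&2; return 1; }
    case $vpn_if in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
    case $ports in ''|*[!0-9,]*) echo "bad port list" >&2; return 1 ;; esac
    src="-i $vpn_if -s $vpn_net -d $lan_net"

    echo "iptables -N VPN_FWD"
    # Replies belonging to connections that were already permitted.
    echo "iptables -A VPN_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New connections: only VPN pool -> LAN, only the listed services, plus ping.
    echo "iptables -A VPN_FWD $src -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
    echo "iptables -A VPN_FWD $src -p icmp --icmp-type echo-request -j ACCEPT"
    # Everything else crossing the VPN interface is logged (rate-limited) and dropped.
    echo "iptables -A VPN_FWD -m limit --limit 5/min -j LOG --log-prefix 'vpn-fwd-drop: '"
    echo "iptables -A VPN_FWD -j DROP"
    # Hook the chain at the top of FORWARD for both directions of VPN traffic.
    echo "iptables -I FORWARD -i $vpn_if -j VPN_FWD"
    echo "iptables -I FORWARD -o $vpn_if -j VPN_FWD"
}

# Dry run with the thread's values; review the output before applying it.
vpn_forward_rules tap0 10.8.8.0/24 192.168.37.0/24 22,443
```

On CentOS 6, `service iptables save` writes the running rule set to `/etc/sysconfig/iptables` so it survives a reboot.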
 
  

