OpenVPN config problem

linuxpyro · 09-30-2005, 08:09 PM

Hello, I am trying to setup OpenVPN to connect two networks together. Here is the situation:

Server net
192.168.1.0/24
server IP 192.168.1.10

Client net
192.168.2.0/24
client IP 192.168.2.1

VPN net
10.8.0.0/24

I have the tunnel devices set up on both machines, as well as IP forwarding. The server is a Gentoo box, and runs as a Samba server on its network. The client box is running Fedora Core 2, and is a gateway for my other network, and does NAT and firewalling, etc. Port 1194 is forwarded to the server.

My problem is that I can't even ping the server from the client machine, when using the server's VPN IP (the one of the server's tun interface). When I try, I get this error:

ping: sendmsg: Operation not permitted

This is directly from the terminal of the client machine; I plan to worry about forwarding the packets between the networks after I can get the client and server to talk to each other properly.

Here is the routing table I get on the client:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
129.21.109.0    *               255.255.255.128 U     0      0        0 eth0
10.0.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         rit-dorm1-gw-04 0.0.0.0         UG    0      0        0 eth0

Here is the routing table on the server:

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         router.whatsmyk 0.0.0.0         UG    0      0        0 eth0

Here is the config file for the server:

Code:

proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.8.0.0 255.255.255.0"
push "route 10.0.0.0 255.255.255.0"
keepalive 10 120
comp-lzo
user openvpn
groupe openvpn
persist-key
persist-tun
status openvpn-status.log
verb 3

Here is the config for the client:

Code:

client
dev tun
proto udp
remote my.vpn.server 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tunca ca.crt
cert badger.crt
key badger.key
ns-cert-type server
comp-lzo
verb 3
ifconfig 10.0.0.2 10.0.0.1

Can anybody who's gotten this to work post their config? Thanks for any help.

avasaralak · 10-02-2005, 09:23 AM

I have an OpenVPN configuration running between a SuSE 9.3 client and a SuSE 9.2 server over WLAN. I pretty much followed the instructions on the OpenVPN website. However, I should mention that I had firewall issues and I had to initially disable the firewalls on both the client and the server to get OpenVPN working.

linuxpyro · 10-02-2005, 07:50 PM

OK, when I disabled the IPtables firewall running on the client, I was able to ping across. What rules did you have to put into IPtables in order to get it to work properly?

linuxpyro · 10-04-2005, 12:34 PM

OK, per the OpenVPN howto, I added the following to my firewall rules:

Code:

iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

However, this has not helped. Can someone who has gotten this to work post their firewall config?

stoffell · 10-06-2005, 03:47 PM

Quote:

Originally posted by linuxpyro
However, this has not helped. Can someone who has gotten this to work post their firewall config?

First of all, try using tcp as protocol? If did help me out sometimes..

linuxpyro · 10-06-2005, 06:01 PM

I tried that, but I still get the same error when I try to ping.

stoffell · 10-07-2005, 12:50 AM

Quote:

Originally posted by linuxpyro
I tried that, but I still get the same error when I try to ping.

In a previous post you mentioned that it works without firewall rules..
Well, I suggest trying shorewall (www.shorewall.net), it's an iptables script with great flexibility and it has support for OpenVPN, so it should be much easier to allow the vpn traffic.

Good luck

linuxpyro · 10-07-2005, 07:12 PM

OK, I got it to work. I searched around abit and found this thread. I added the IPtables rules the guy uesd there, and now it seems to work fine. Thanks for the input!