LinuxQuestions.org - Linux - Networking - OpenVPN internal network access (https://www.linuxquestions.org/questions/linux-networking-3/openvpn-internal-network-access-359199/)

mmarinho 09-01-2005 11:55 AM

OpenVPN internal network access
 
First, hello to all.

I am installing a package called OpenVPN between two sites.

Scenario:
At one site the package was installed on an iptables+squid Linux machine.

At the other side we have a Cisco router that is NATting UDP 5000 to an internal VPN server.

Well, I can successfully ping between the two machines on which the OpenVPN package was installed.

The problem is I cannot reach any of the internal machines.

I have already added on the Linux machines the line
echo 1 > /proc/sys/net/ipv4/ip_forward


Any hint?

Thanks beforehand

Matir 09-01-2005 01:13 PM

Are you using OpenVPN bridging on the remote side? More specifically, give details including ips and routing tables. Is the connection correctly established?

mmarinho 09-01-2005 09:12 PM

OK, let me explain.

I am using Site1 ----------Site2

These are the configuration files
======================================
#Site1.conf
# Use interface TUN
dev tun
# 10.0.0.1 IP for Site 1
# 10.0.0.2 IP for Site 2
ifconfig 10.0.0.1 10.0.0.2
# Go to directory OpenVPN
cd /etc/openvpn
#Use static key
secret chave
#OpenVPN will use 5000/UDP
port 5000
#User for daemon
user nobody
#Group for daemon
group nogroup
#Use LZO compression library
comp-lzo
#Keep the connection alive using ping
ping 15
#Log
verb 3


#Site2.conf
# Use interface TUN
dev tun
# 10.0.0.1 IP for Site 1
# 10.0.0.2 IP for Site 2
ifconfig 10.0.0.2 10.0.0.1
#Call the IP for Site 1
remote External_Ip_for_Site_1
# Go to directory OpenVPN
cd /etc/openvpn
#Use static key
secret chave
#OpenVPN will use 5000/UDP
port 5000
#User for daemon
user nobody
#Group for daemon
group nogroup
#Use LZO compression library
comp-lzo
#Keep the connection alive using ping
ping 15
#Log
verb 3


#starting the tunnel in site 1
route add -net ip_network_site2/Mask gw 10.0.0.2
openvpn --config /etc/openvpn/site1.conf --daemon

#starting the tunnel in site 2
route add -net ip_network_site1/Mask gw 10.0.0.1
openvpn --config /etc/openvpn/site2.conf --daemon
======================================

I can successfully ping both machines but no internal machines inside the networks.

In the Site 1 machine there is an iptables firewall and squid. This machine has a valid IP address.

In Site 2 there is a Cisco router doing ip nat inside to the VPN gateway (the Site 2 machine).

I hope this will help in solving this.

Thank you beforehand

Matir 09-01-2005 10:08 PM

You'll need to use IP forwarding to route the packets properly, just like a NAT box.

dpajares 09-02-2005 06:27 AM

Dear all,
First of all, I am really bad at writing English.
But I can help you.
To reach the internal network, you must have a routing table for this.
Something like this...
ip route add internal-network/mask via tun-ip
I am suggesting you read the ip route man page.
Please remember to enable ping, if nmap is not being used.


Regards.

mmarinho 09-02-2005 08:24 AM

Thanks folks,

No problem with your English.

Let me put the VPN start files complete this time.

#starting the tunnel in site 1
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
route add -net 172.19.128.0/23 gw 10.0.0.2
openvpn --config /etc/openvpn/site1.conf --daemon

#starting the tunnel in site 2
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
route add -net 192.168.1.0/24 gw 10.0.0.1
openvpn --config /etc/openvpn/site2.conf --daemon
=========================================

This was in my VPN start files before; sorry I forgot to put it here.

I am able to ping from both VPN gateways to the other VPN gateway. The tunnel is working fine.

But I already put an IP route to the other network in the VPN start file and it has not worked.

Any hint?

dpajares 09-02-2005 09:24 AM

Very good.
But you do not have a route, haha :)
If you do not have a route, you do not have ping.
After the VPN is up,
type (in the site1 shell)
$ ip route add 10.0.1.0/24 via 192.168.0.1
type (in the site2 shell)
$ ip route add 10.0.2.0/24 via 192.168.0.2
where
10.0.1.0 - internal net site1
192.168.0.1 - tun0 - site1

10.0.2.0 - internal net site2
192.168.0.2 - tun0 site2

If you need more help, please send me your two route tables.
type
$ route > route-site1
Regards

mmarinho 09-02-2005 10:40 AM

Sorry, I do not understand this solution...

What are 10.0.1.0 and 10.0.2.0 for?

Where did these come from?
I am using 10.0.0.1 for the site 1 tunnel side and
10.0.0.2 for the site 2 tunnel side.

??

My route table for site 1 is:
===============================
root@proxy1:~# route
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
10.0.0.2 * 255.255.255.255 UH 0 0 0 tun0
external_ip * 255.255.255.248 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
172.19.128.0 10.0.0.2 255.255.254.0 UG 0 0 0 tun0
default * 0.0.0.0 U 0 0 0 eth0
root@proxy1:~#

dpajares 09-02-2005 11:39 AM

You have a semantic problem.
I am explaining to you how to route internal networks through the VPN.
For this example:
interfaces in site1
10.0.0.1 tun0
192.168.1.1 eth1
interfaces in site2
10.0.0.2 tun0
192.168.2.1 eth1
route table in site1
ip route add 192.168.2.0/24 via 10.0.0.1
route table in site2
ip route add 192.168.1.0/24 via 10.0.0.2
Remember:
It is impossible to route two networks with the same IP segment.
If you do not have a route, you do not have ping :)

Have fun :)

mmarinho 09-02-2005 12:06 PM

OK,

But see my VPN start files
========================
#starting the tunnel in site 1
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
route add -net 172.19.128.0/23 gw 10.0.0.2
openvpn --config /etc/openvpn/site1.conf --daemon

#starting the tunnel in site 2
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
route add -net 192.168.0.0/24 gw 10.0.0.1
openvpn --config /etc/openvpn/site2.conf --daemon
=========================================

The IP routes are already in there...
Sorry, I am not understanding you about these route tables.

dpajares 09-02-2005 01:27 PM

Your problem is "192.168.0.0 * 255.255.255.0 U 0 0 0 eth1"; it should be tun0.
Type in the shell:
ip route add 192.168.0.0/24 via 10.0.0.1
If you don't understand, send me a diagram for more info.

Regards

mmarinho 09-02-2005 01:34 PM

Well, let me be more clear:
Network1--VPN/iptables Site1 ---Cisco/nat--VPN Gateway site2 --Site2 Network



Route table for VPN gateway Site 2

Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
10.0.0.1 * 255.255.255.255 UH 0 0 0 tun0
192.168.0.0 10.0.0.1 255.255.255.0 UG 0 0 0 tun0
172.19.128.0 * 255.255.254.0 U 0 0 0 eth0
default 172.19.129.254 0.0.0.0 UG 0 0 0 eth0

============================================
My route table for site 1 is (remember the Site 1 network is 192.168.0.0/24):
===============================
root@proxy1:~# route
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
10.0.0.2 * 255.255.255.255 UH 0 0 0 tun0
external_ip * 255.255.255.248 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
172.19.128.0 10.0.0.2 255.255.254.0 UG 0 0 0 tun0
default * 0.0.0.0 U 0 0 0 eth0

mmarinho 09-02-2005 02:00 PM

Site 1 network: 192.168.0.0/24

Site 2 network: 172.19.128.0/23
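As an added illustration (not from the thread), the lookups below replay the two gateway tables posted above with a longest-prefix match, which is what the kernel does when it picks a route. The "site2-host" table is an assumption for an ordinary site-2 machine whose default gateway is the Cisco at 172.19.129.254, the same next hop the site-2 VPN gateway's own default route uses.

```python
import ipaddress

# Routing tables as printed by `route` in the thread: proxy1 is the site-1 VPN
# gateway, site2-gw the site-2 VPN gateway (proxy1's "external_ip" placeholder
# line is left out because it cannot be parsed). site2-host is an ASSUMED table
# for a plain site-2 machine whose default gateway is the Cisco router.
ROUTE_OUTPUT = {
    "proxy1": """\
10.0.0.2 * 255.255.255.255 UH 0 0 0 tun0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
172.19.128.0 10.0.0.2 255.255.254.0 UG 0 0 0 tun0
default * 0.0.0.0 U 0 0 0 eth0""",
    "site2-gw": """\
10.0.0.1 * 255.255.255.255 UH 0 0 0 tun0
192.168.0.0 10.0.0.1 255.255.255.0 UG 0 0 0 tun0
172.19.128.0 * 255.255.254.0 U 0 0 0 eth0
default 172.19.129.254 0.0.0.0 UG 0 0 0 eth0""",
    "site2-host": """\
172.19.128.0 * 255.255.254.0 U 0 0 0 eth0
default 172.19.129.254 0.0.0.0 UG 0 0 0 eth0""",
}

def parse_routes(text):
    """Turn `route` output lines into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        cidr = "0.0.0.0/0" if dest == "default" else f"{dest}/{mask}"
        routes.append((ipaddress.ip_network(cidr), None if gw == "*" else gw, iface))
    return routes

TABLES = {name: parse_routes(text) for name, text in ROUTE_OUTPUT.items()}

def next_hop(node, dst):
    """Longest-prefix match on node's table; returns (gateway or None, iface)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in TABLES[node] if addr in r[0]]
    if not matches:
        return None
    _net, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    return gw, iface

if __name__ == "__main__":
    # Forward path on both gateways, then the reply path from an assumed site-2 host.
    for node, dst in [("proxy1", "172.19.128.10"), ("site2-gw", "192.168.0.10"),
                      ("site2-host", "192.168.0.10")]:
        print(f"{node} -> {dst}: {next_hop(node, dst)}")
```

The two gateway lookups land on tun0, as the thread expects; the third shows a site-2 host handing its reply for 192.168.0.x to the Cisco, so the reply only reaches the tunnel if the Cisco or the host has a route for 192.168.0.0/24 via the site-2 VPN gateway.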

