OpenVPN internal network access
First, hello to all.
I am installing a package called OpenVPN between two sites. Scenario: at one site the package was installed on an iptables+squid Linux machine. On the other side we have a Cisco router that is NATting UDP 5000 to an internal VPN server. Well, I can successfully ping between the two machines on which the OpenVPN package was installed. The problem is that I cannot reach any of the internal machines. I already added on the Linux machines the line echo 1 > /proc/sys/net/ipv4/ip_forward. Any hint? Thanks beforehand.
Are you using OpenVPN bridging on the remote side? More specifically, give details including IPs and routing tables. Is the connection correctly established?
OK, let me explain.
I am using Site1 ---------- Site2. These are the configuration files:
======================================
#Site1.conf
# Use interface TUN
dev tun
# 10.0.0.1 IP for Site 1
# 10.0.0.2 IP for Site 2
ifconfig 10.0.0.1 10.0.0.2
# Go to directory OpenVPN
cd /etc/openvpn
# Use static key
secret chave
# OpenVPN will use 5000/UDP
port 5000
# User for daemon
user nobody
# Group for daemon
group nogroup
# Use LZO compression library
comp-lzo
# Keep the connection alive using ping
ping 15
# Log
verb 3

#Site2.conf
# Use interface TUN
dev tun
# 10.0.0.1 IP for Site 1
# 10.0.0.2 IP for Site 2
ifconfig 10.0.0.2 10.0.0.1
# Call the IP of Site 1
remote External_Ip_for_Site_1
# Go to directory OpenVPN
cd /etc/openvpn
# Use static key
secret chave
# OpenVPN will use 5000/UDP
port 5000
# User for daemon
user nobody
# Group for daemon
group nogroup
# Use LZO compression library
comp-lzo
# Keep the connection alive using ping
ping 15
# Log
verb 3

#starting the tunnel in site 1
route add -net ip_network_site2/Mask gw 10.0.0.2
openvpn --config /etc/openvpn/site1.conf --daemon

#starting the tunnel in site 2
route add -net ip_network_site1/Mask gw 10.0.0.1
openvpn --config /etc/openvpn/site2.conf --daemon
======================================
I can successfully ping both machines but no internal machines inside the networks. On the Site 1 machine there is an iptables firewall and squid. This machine has a valid IP address. In Site 2 there is a Cisco router doing ip nat inside to the VPN gateway (Site 2 machine). I hope this will help in solving this. Thank you beforehand.
You'll need to use IP forwarding to route the packets properly, just like a NAT box.
Dear all,
First of all, I am really bad at writing English. But I can help you. To reach the internal network, you must have a route table for this, something like this: ip route add internal-network/mask via tun-ip. I suggest reading the ip-route man page. Please remember to enable ping, if nmap is not being used. Regards.
Thanks folks,
No problem with your English. Let me put the complete VPN start files this time.
=========================================
#starting the tunnel in site 1
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
route add -net 172.19.128.0/23 gw 10.0.0.2
openvpn --config /etc/openvpn/site1.conf --daemon

#starting the tunnel in site 2
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
route add -net 192.168.1.0/24 gw 10.0.0.1
openvpn --config /etc/openvpn/site2.conf --daemon
=========================================
This was in my VPN start files before; sorry for forgetting to put this here. I am able to ping from each VPN gateway to the other VPN gateway. The tunnel is working fine. But I already put an IP route to the other network in the VPN start file and it has not worked. Any hint?
Very good.
But you don't have a route haha :) If you don't have a route, you don't have ping. After the VPN is up, type (in the site1 shell):
$ ip route add 10.0.1.0/24 via 192.168.0.1
type (in the site2 shell):
$ ip route add 10.0.2.0/24 via 192.168.0.2
where
10.0.1.0 - internal net site1
192.168.0.1 - tun0 - site1
10.0.2.0 - internal net site2
192.168.0.2 - tun0 - site2
If you need more help, please send me your two route tables. Type:
$ route > route-site1
Regards
Sorry, I do not understand this solution...
What are 10.0.1.0 and 10.0.2.0 for? Where did they come from? I am using 10.0.0.1 for the site 1 tunnel side and 10.0.0.2 for the site 2 tunnel side. ?? My route table for site 1 is:
===============================
root@proxy1:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
10.0.0.2        *               255.255.255.255 UH    0      0   0   tun0
external_ip     *               255.255.255.248 U     0      0   0   eth0
192.168.0.0     *               255.255.255.0   U     0      0   0   eth1
172.19.128.0    10.0.0.2        255.255.254.0   UG    0      0   0   tun0
default         *               0.0.0.0         U     0      0   0   eth0
root@proxy1:~#
===============================
You have a semantic problem.
I am explaining to you how to route internal networks through the VPN. For this example:
ifaces in site1
10.0.0.1 tun0
192.168.1.1 eth1
ifaces in site2
10.0.0.2 tun0
192.168.2.1 eth1
route table in site1
ip route add 192.168.2.0/24 via 10.0.0.1
route table in site2
ip route add 192.168.1.0/24 via 10.0.0.2
Remember: it is impossible to route two networks with the same IP segment. If you don't have a route, you don't have ping :) Have fun :)
OK,
But see my VPN start files:
=========================================
#starting the tunnel in site 1
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
route add -net 172.19.128.0/23 gw 10.0.0.2
openvpn --config /etc/openvpn/site1.conf --daemon

#starting the tunnel in site 2
modprobe tun
echo 1 > /proc/sys/net/ipv4/ip_forward
route add -net 192.168.0.0/24 gw 10.0.0.1
openvpn --config /etc/openvpn/site2.conf --daemon
=========================================
The IP routes are already in there... Sorry, I am not understanding you about these route tables.
Your problem is "192.168.0.0 * 255.255.255.0 U 0 0 0 eth1"; it should be tun0.
Type in the shell:
ip route add 192.168.0.0/24 via 10.0.0.1
If you don't understand, send me a diagram for more info. Regards
Well, let me be more clear.
Network1 -- VPN/iptables Site1 --- Cisco/NAT -- VPN gateway Site2 -- Site2 Network

Route table for VPN gateway Site 2:
============================================
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
10.0.0.1        *               255.255.255.255 UH    0      0   0   tun0
192.168.0.0     10.0.0.1        255.255.255.0   UG    0      0   0   tun0
172.19.128.0    *               255.255.254.0   U     0      0   0   eth0
default         172.19.129.254  0.0.0.0         UG    0      0   0   eth0
============================================
My route table for site 1 is (remember, the Site 1 network is 192.168.0.0/24):
===============================
root@proxy1:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
10.0.0.2        *               255.255.255.255 UH    0      0   0   tun0
external_ip     *               255.255.255.248 U     0      0   0   eth0
192.168.0.0     *               255.255.255.0   U     0      0   0   eth1
172.19.128.0    10.0.0.2        255.255.254.0   UG    0      0   0   tun0
default         *               0.0.0.0         U     0      0   0   eth0
===============================
Site 1 network: 192.168.0.0/24
Site 2 network: 172.19.128.0/23
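The two gateway tables posted above each carry a route for the far LAN over tun0, so it is worth checking the path a reply takes from an internal host rather than only the path from gateway to gateway. The script below is an added example, not code from the thread: it parses route-style tables, does a longest-prefix lookup at each hop, and traces a packet node by node in both directions. Only the two VPN gateways' tables are taken from the posts; the workstation and Cisco tables, the addresses 192.168.0.10, 192.168.0.1 (assumed to be proxy1's eth1 and the Site 1 default gateway), 172.19.128.2 (assumed address of the Site 2 VPN gateway on eth0), 172.19.128.50 and the upstream 198.51.100.1, and 203.0.113.0/29 standing in for proxy1's external block, are all constructed for the example.

```python
# Added example (not from the thread): hop-by-hop route trace over the posted tables.
import ipaddress


def parse_table(text):
    """Parse `route -n`-style rows: destination gateway genmask flags iface [...].
    A gateway of '*' or 0.0.0.0 means the destination is directly connected."""
    routes = []
    for line in text.strip().splitlines():
        dest, gw, mask, _flags, iface = line.split()[:5]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw in ("*", "0.0.0.0") else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the way the kernel selects a route."""
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def trace(tables, owner, src_node, dst, max_hops=16):
    """Follow a packet for dst from src_node across nodes. Returns (verdict, path)."""
    dst = ipaddress.ip_address(dst)
    node, path = src_node, [src_node]
    for _ in range(max_hops):
        if owner.get(dst) == node:
            return "delivered", path
        route = lookup(tables[node], dst)
        if route is None:
            return f"no route at {node}", path
        _net, gw, iface = route
        nexthop = dst if gw is None else gw
        node = owner.get(nexthop)
        if node is None:
            # The next hop is not a node we model (e.g. the ISP): the packet leaves the sites.
            return f"lost at {path[-1]}: next hop {nexthop} via {iface} is not a known node", path
        path.append(node)
    return "hop limit exceeded", path


def add_route(tables, node, row):
    """Return a copy of tables with one extra `route -n`-style row on node."""
    fixed = {name: list(routes) for name, routes in tables.items()}
    fixed[node] = parse_table(row) + fixed[node]
    return fixed


TABLES = {
    # Site 1 VPN gateway (proxy1), as posted; 203.0.113.0/29 is a stand-in for "external_ip".
    "gw1": parse_table("""
        10.0.0.2      0.0.0.0        255.255.255.255 UH tun0
        203.0.113.0   0.0.0.0        255.255.255.248 U  eth0
        192.168.0.0   0.0.0.0        255.255.255.0   U  eth1
        172.19.128.0  10.0.0.2       255.255.254.0   UG tun0
        0.0.0.0       0.0.0.0        0.0.0.0         U  eth0
    """),
    # Site 2 VPN gateway, as posted: its default gateway is the Cisco at 172.19.129.254.
    "gw2": parse_table("""
        10.0.0.1      0.0.0.0        255.255.255.255 UH tun0
        192.168.0.0   10.0.0.1       255.255.255.0   UG tun0
        172.19.128.0  0.0.0.0        255.255.254.0   U  eth0
        0.0.0.0       172.19.129.254 0.0.0.0         UG eth0
    """),
    # Constructed: a workstation at each site using its LAN's usual default gateway.
    "host1": parse_table("""
        192.168.0.0   0.0.0.0        255.255.255.0   U  eth0
        0.0.0.0       192.168.0.1    0.0.0.0         UG eth0
    """),
    "host2": parse_table("""
        172.19.128.0  0.0.0.0        255.255.254.0   U  eth0
        0.0.0.0       172.19.129.254 0.0.0.0         UG eth0
    """),
    # Constructed: the Cisco knows its LAN and an upstream default, nothing about 192.168.0.0/24.
    "cisco": parse_table("""
        172.19.128.0  0.0.0.0        255.255.254.0   U  inside
        0.0.0.0       198.51.100.1   0.0.0.0         UG outside
    """),
}

# Which modelled node answers for which address (constructed addresses, see lead-in).
OWNER = {ipaddress.ip_address(a): n for a, n in {
    "192.168.0.10": "host1", "192.168.0.1": "gw1", "10.0.0.1": "gw1",
    "10.0.0.2": "gw2", "172.19.128.2": "gw2",
    "172.19.129.254": "cisco", "172.19.128.50": "host2",
}.items()}

if __name__ == "__main__":
    print("site1 -> site2:", trace(TABLES, OWNER, "host1", "172.19.128.50"))
    print("site2 -> site1:", trace(TABLES, OWNER, "host2", "192.168.0.10"))
    # Give the Cisco a static route for the far LAN via the Site 2 VPN gateway and retry.
    fixed = add_route(TABLES, "cisco", "192.168.0.0 172.19.128.2 255.255.255.0 UG inside")
    print("site2 -> site1 with return route:", trace(fixed, OWNER, "host2", "192.168.0.10"))
```

Under these assumptions the forward direction is delivered (host1, gw1, gw2, host2), while the reply from host2 goes to its default gateway, the Cisco, which has no route for 192.168.0.0/24 and sends it upstream; adding that route on the Cisco (or on each Site 2 host) pointing at the Site 2 VPN gateway completes the path back over tun0. The trace models routing only: the FORWARD chain on the iptables box at Site 1 also has to accept traffic between eth1 and tun0, which you can inspect with `iptables -L FORWARD -v -n`.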