LinuxQuestions.org > Linux - Networking
Old 11-03-2009, 02:41 PM   #1
greenb1rd
OpenVPN Issue


I have a Red Hat Linux box set up as an OpenVPN server. It has 2 NICs and the tunnel interface. One NIC is for the internal subnet and the second for the public internet. I have an Ubuntu client that connects via OpenVPN. The connection comes up but the client cannot connect to any IP addresses on the server or on the internal subnet. I fired up Wireshark. The OpenVPN server is seeing the packets from the client but it's sending ARP who-has packets for the client's IP address. Only problem being that it's sending them on the internal subnet NIC rather than the tunnel interface, so it's not getting any replies. The server's default route goes to a separate firewall router on the internal subnet that also accesses the public internet. Not sure if that's part of the problem but I don't see how it would be.

The ultimate goal is for the client to have complete access to the server internal subnet. Currently I have the firewall pretty much shut off on both the internal and tunnel interfaces. Below is all the configuration info I think is pertinent.

The big question is why the ARP packets are being broadcast on the internal subnet NIC when there is a route going over the tunnel interface for the IP address of the client.

Not sure what the hell I've got screwed up. Any hints would be greatly appreciated.

**********************************************************************
OpenVPN server
--------------
Internal subnet:
eth0 Link encap:Ethernet HWaddr 00:22:15:7F:76:95
inet addr:10.91.91.10 Bcast:10.91.91.255 Mask:255.255.255.0
inet6 addr: fe80::222:15ff:fe7f:7695/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4565330 errors:0 dropped:0 overruns:0 frame:0
TX packets:3888446 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:521713805 (497.5 MiB) TX bytes:7145436968 (6.6 GiB)
------------------------------------------------------------------------

Public subnet (Public IP redacted):
eth1 Link encap:Ethernet HWaddr 00:22:15:7F:76:C9
inet addr:1.2.3.4 Bcast:1.2.3.255 Mask:255.255.255.0
inet6 addr: 1::2:3:4:5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:187173 errors:0 dropped:0 overruns:0 frame:0
TX packets:19175 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12531332 (11.9 MiB) TX bytes:2582328 (2.4 MiB)
Interrupt:248 Base address:0xc000
------------------------------------------------------------------------

Tunnel interface:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.91.92.1 P-t-P:10.91.92.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:6679 errors:0 dropped:0 overruns:0 frame:0
TX packets:3597 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:750902 (733.3 KiB) TX bytes:1602243 (1.5 MiB)
------------------------------------------------------------------------

netstat -r (Public IP redacted):
Kernel IP routing table
Destination     Gateway          Genmask          Flags MSS Window irtt Iface
10.91.92.2      *                255.255.255.255  UH    0   0      0    tun0
1.2.3.0         *                255.255.255.0    U     0   0      0    eth1
10.91.91.0      *                255.255.255.0    U     0   0      0    eth0
10.91.92.0      elephant.nowher  255.255.255.0    UG    0   0      0    eth0
10.91.92.0      10.91.92.2       255.255.255.0    UG    0   0      0    tun0
192.168.122.0   *                255.255.255.0    U     0   0      0    virbr0
169.254.0.0     *                255.255.0.0      U     0   0      0    eth1
default         10.91.91.1       0.0.0.0          UG    0   0      0    eth0
------------------------------------------------------------------------

IP Forwarding:
sysctl -a|egrep 'ipv4.*forward'
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.tun0.mc_forwarding = 0
net.ipv4.conf.tun0.forwarding = 1
net.ipv4.conf.virbr0.mc_forwarding = 0
net.ipv4.conf.virbr0.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1


**********************************************************************
Client System
-------------
Internal subnet:
eth1 Link encap:Ethernet HWaddr 00:1d:7d:95:b5:a9
inet addr:192.168.91.201 Bcast:192.168.91.255 Mask:255.255.255.0
inet6 addr: fe80::21d:7dff:fe95:b5a9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:45639 errors:0 dropped:0 overruns:0 frame:0
TX packets:39144 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:33860135 (33.8 MB) TX bytes:15047149 (15.0 MB)
Interrupt:24 Base address:0xe000
------------------------------------------------------------------------

Tunnel interface:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.91.92.10 P-t-P:10.91.92.9 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:86 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:5976 (5.9 KB)
------------------------------------------------------------------------

netstat -r:
Kernel IP routing table
Destination     Gateway          Genmask          Flags MSS Window irtt Iface
10.91.92.9      *                255.255.255.255  UH    0   0      0    tun0
10.91.91.0      10.91.92.9       255.255.255.0    UG    0   0      0    tun0
10.91.92.0      10.91.92.9       255.255.255.0    UG    0   0      0    tun0
192.168.91.0    *                255.255.255.0    U     0   0      0    eth1
link-local      *                255.255.0.0      U     0   0      0    eth1
default         usr8200a.anywhe  0.0.0.0          UG    0   0      0    eth1
------------------------------------------------------------------------

**********************************************************************
OpenVPN conf
------------
Server:
cat server.conf|egrep -v '^#'

;local a.b.c.d

port 11194

;proto tcp
proto udp

;dev tap
dev tun

;dev-node MyTap

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/elephant.crt
key /etc/openvpn/keys/elephant.key # This file should be kept secret

dh /etc/openvpn/keys/dh2048.pem

server 10.91.92.0 255.255.255.0

ifconfig-pool-persist ipp.txt

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

push "route 10.91.91.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"


;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

;learn-address ./script


push "dhcp-option WINS 10.91.91.10"

client-to-client

;duplicate-cn

keepalive 10 120

;tls-auth ta.key 0 # This file is secret

;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

comp-lzo

max-clients 10

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log

;log openvpn.log
log-append /var/log/openvpn.log

verb 4

;mute 20

------------------------------------------------------------------------
Client (server domain redacted):
cat client.conf|egrep -v '^#'

client

;dev tap
dev tun

;dev-node MyTap

;proto tcp
proto udp

remote openvpn.nowhere.com 11194
;remote my-server-2 1194

;remote-random

resolv-retry infinite

nobind

user nobody
group nogroup

persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

;mute-replay-warnings

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/snowman.crt
key /etc/openvpn/keys/snowman.key

ns-cert-type server

;tls-auth ta.key 1

;cipher x

comp-lzo

log-append /var/log/openvpn.log

verb 6

;mute 20
 
Old 11-03-2009, 09:57 PM   #2
chappel
I've always wanted to play with OpenVPN, but haven't taken the time. Forgive me if I'm way off base, but in looking at this, I'd expect both ends of the tunnel to have matching IP addresses, and it looks like yours don't:

Server:
inet addr:10.91.92.1 P-t-P:10.91.92.2 Mask:255.255.255.255

Client:
inet addr:10.91.92.10 P-t-P:10.91.92.9 Mask:255.255.255.255

Of course, having an all-ones mask looks odd, too, but I assume that's part of the 'P-t-P' magic.

ch
 
Old 11-03-2009, 10:11 PM   #3
chiragrk
- Is there a reverse route on the internal machines to reach the machine connected by VPN? Looking at your setup 10.91.92.X will not be reachable by 10.91.91.X since they are on different subnets. Without a route on 10.91.91.X to reach 10.91.92.X your setup will never work.

- Have you enabled routing on this VPN Server? cat /proc/sys/net/ipv4/ip_forward should return 1.
 
Old 11-03-2009, 11:45 PM   #4
greenb1rd (Original Poster)
Quote: Originally Posted by chiragrk
- Is there a reverse route on the internal machines to reach the machine connected by VPN? Looking at your setup 10.91.92.X will not be reachable by 10.91.91.X since they are on different subnets. Without a route on 10.91.91.X to reach 10.91.92.X your setup will never work.

- Have you enabled routing on this VPN Server? cat /proc/sys/net/ipv4/ip_forward should return 1.
Thanks for the input. There are routes set up on the internal machines but the client can't even talk to the server, which should be part of both subnets and do the routing between them. And yes, ip_forward is set to one. It was easy to miss but I included the output from sysctl -a, and also it's set to one in /etc/sysctl.conf. Thanks again and any other ideas are appreciated.
 
Old 11-03-2009, 11:49 PM   #5
greenb1rd (Original Poster)
Quote: Originally Posted by chappel
I've always wanted to play with OpenVPN, but haven't taken the time. Forgive me if I'm way off base, but in looking at this, I'd expect both ends of the tunnel to have matching IP addresses, and it looks like yours don't:

Server:
inet addr:10.91.92.1 P-t-P:10.91.92.2 Mask:255.255.255.255

Client:
inet addr:10.91.92.10 P-t-P:10.91.92.9 Mask:255.255.255.255

Of course, having an all-ones mask looks odd, too, but I assume that's part of the 'P-t-P' magic.

ch
Hmmm...not off base at all. Don't know how I missed that. Not sure if it's the cause but it certainly looks like something to check. The interesting part is that all those IPs are generated dynamically by OpenVPN. Gonna have to try to figure out how it comes up with them. Anyway, thanks for the input.
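The addresses the two posts above are comparing come from OpenVPN's default "net30" topology, which the `server 10.91.92.0 255.255.255.0` directive in post #1 uses: the server's own tun0 takes .1 with peer .2, and every client is handed its own /30 from a pool that starts at .4, so client 0 gets .6 with peer .5, client 1 gets .10 with peer .9, and so on. The client in post #1 (10.91.92.10 P-t-P 10.91.92.9) is therefore pool entry 1, and the peer addresses at the two ends of the tunnel are not expected to match. The following shell script is an added example, not code from the thread or from the OpenVPN project; it reproduces that address plan and the expansion the OpenVPN manual documents for `--server`, so the pair a client shows can be checked against its expected pool slot. Only the network prefix (taken from the post) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): OpenVPN "net30" address allocation for
# `server 10.91.92.0 255.255.255.0`. Server end: .1 peer .2. Client pool starts
# at .4; pool entry n occupies the /30 .(4n+4)-.(4n+7), the client is given
# .(4n+6) and its peer address is .(4n+5).

NET=10.91.92          # first three octets of the `server` network (from post #1)

# net30_client INDEX: print "local peer" for the client at 0-based pool INDEX.
net30_client() {
    n=$1
    echo "$NET.$((4 * n + 6)) $NET.$((4 * n + 5))"
}

# net30_index ADDR: print the pool index that produced client address ADDR,
# or fail when ADDR is not a net30 client address (the server's .1/.2, a peer
# address, or the network/broadcast address of a /30).
net30_index() {
    last=${1##*.}
    if [ "$last" -lt 6 ] || [ $(( (last - 6) % 4 )) -ne 0 ]; then
        echo "$1 is not a net30 client address" >&2
        return 1
    fi
    echo $(( (last - 6) / 4 ))
}

# net30_server: what `server` expands to for its own end, with client-to-client
# on as in post #1 (the whole subnet is pushed, which is why the client's route
# table shows 10.91.92.0/24 via tun0). Taken from the --server documentation.
net30_server() {
    cat <<EOF
ifconfig $NET.1 $NET.2
ifconfig-pool $NET.4 $NET.251
route $NET.0 255.255.255.0
push "route $NET.0 255.255.255.0"
EOF
}

# Demonstration on the thread's numbers.
echo "pool entry 1 -> $(net30_client 1)"          # 10.91.92.10 10.91.92.9
echo "10.91.92.10 is pool entry $(net30_index 10.91.92.10)"
net30_server
```

The peer address is what the client's tun0 shows as P-t-P; the server never has an interface with that address, it is simply the gateway OpenVPN uses for the route entries, so a "mismatch" between the two ifconfig outputs is normal in this topology.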
 
Old 11-06-2009, 11:25 AM   #6
greenb1rd (Original Poster)
Quote: Originally Posted by greenb1rd
10.91.92.0 elephant.nowher 255.255.255.0 UG 0 0 0 eth0
10.91.92.0 10.91.92.2 255.255.255.0 UG 0 0 0 tun0
It was these duplicate routes for the 10.91.92.0 subnet.
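The two routes quoted above have the same prefix length, so the kernel does not combine them: it picks one, and in post #1 the one it picked sent traffic for the client out eth0, which is why the ARP requests for the client's address went to the internal LAN instead of tun0. The route via tun0 is the one OpenVPN's `server` directive installs; the eth0 route with the server's own hostname as gateway is the leftover that had to go. The following shell script is an added example, not code from the thread: it finds prefixes that have more than one route, checks that the VPN subnet is reached only through the tunnel device, and, on a live box, asks the kernel which interface it will actually use for a client address. The sample table is constructed from the `netstat -r` output in post #1, rewritten in `ip route` syntax; the one assumption is that `elephant.nowher` resolves to the server's own eth0 address, 10.91.91.10, which the thread never shows.

```shell
#!/bin/sh
# Added example (not from the thread): detect duplicate kernel routes such as
# the two 10.91.92.0/24 entries from post #1, and confirm the VPN subnet is
# routed only through the tunnel interface.

# Constructed sample: the server's routing table from post #1 in
# `ip -4 route show` syntax. Gateway 10.91.91.10 for the eth0 entry is an
# assumption (the post shows the hostname "elephant.nowher", not the address).
SAMPLE_ROUTES='10.91.92.2 dev tun0 proto kernel scope link src 10.91.92.1
1.2.3.0/24 dev eth1 proto kernel scope link src 1.2.3.4
10.91.91.0/24 dev eth0 proto kernel scope link src 10.91.91.10
10.91.92.0/24 via 10.91.91.10 dev eth0
10.91.92.0/24 via 10.91.92.2 dev tun0
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
169.254.0.0/16 dev eth1 scope link
default via 10.91.91.1 dev eth0'

# route_devs: read `ip -4 route show` lines on stdin, print one line per
# destination prefix as "prefix:dev1 dev2 ..." (one dev per route, in table
# order). Only the first field and the word after "dev" are used.
route_devs() {
    awk '
        {
            dst = $1
            dev = "?"
            for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            n[dst]++
            devs[dst] = (n[dst] == 1) ? dev : devs[dst] " " dev
        }
        END { for (d in devs) print d ":" devs[d] }' | sort
}

# dup_prefixes: only the prefixes that have more than one route. Two routes
# with the same prefix length are not merged by the kernel; one of them wins,
# and which one is not something to rely on.
dup_prefixes() {
    route_devs | awk -F: 'index($2, " ") > 0'
}

# vpn_prefix_ok PREFIX DEV: succeed when every route for PREFIX in the table
# on stdin uses DEV, fail when there is none or any uses another interface.
vpn_prefix_ok() {
    devs=$(route_devs | awk -F: -v p="$1" '$1 == p { print $2 }')
    [ -n "$devs" ] || return 1
    for d in $devs; do
        [ "$d" = "$2" ] || return 1
    done
    return 0
}

# check_live: run the same checks against the running kernel and ask it which
# interface it will use for the client from post #1 (10.91.92.10). "dev eth0"
# in that answer is the ARP-on-the-LAN symptom; the fix in that case is to
# delete the non-tunnel route, e.g.
#   ip route del 10.91.92.0/24 via 10.91.91.10 dev eth0
# (gateway address assumed, see above), and then to find the static route
# config that keeps putting it back.
check_live() {
    echo "duplicate prefixes:"
    ip -4 route show | dup_prefixes
    if ip -4 route show | vpn_prefix_ok 10.91.92.0/24 tun0; then
        echo "10.91.92.0/24 is routed only via tun0"
    else
        echo "10.91.92.0/24 is NOT routed exclusively via tun0"
    fi
    ip route get 10.91.92.10
}

# Demonstration on the constructed table (no root, no network needed).
echo "duplicate prefixes in sample table:"
printf '%s\n' "$SAMPLE_ROUTES" | dup_prefixes      # 10.91.92.0/24:eth0 tun0
```

Call `check_live` as root on the VPN server itself; the output of `ip route get` is the authoritative answer to the question in post #1, since it reports the route the kernel will actually select rather than every entry that matches.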