LinuxQuestions.org


filex 05-14-2009 03:43 AM

OpenVPN problem
 
I was trying to set up OpenVPN as detailed below, and I'm having an issue connecting to another subnet.

OPENVPN server.conf:
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.8.0.1 255.255.255.0"
push "route 172.16.0.0 255.255.0.0"
push "route 219.95.19x.0 255.255.0.0"
push "redirect-gateway"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

SERVER INTERNAL NETWORK
eth0 Link encap:Ethernet HWaddr 00:22:19:86:A3:70
inet addr:172.16.7.254 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::222:19ff:fe86:a370/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:3637 errors:0 dropped:0 overruns:0 frame:0
TX packets:12999 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:437068 (426.8 KiB) TX bytes:834466 (814.9 KiB)
Interrupt:169 Memory:f8000000-f8012100

SERVER EXTERNAL NETWORK/INTERNET
eth1 Link encap:Ethernet HWaddr 00:22:19:86:A3:72
inet addr:219.95.19x.1xx Bcast:219.95.19x.1xx Mask:255.255.255.252
inet6 addr: fe80::222:19ff:fe86:a372/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27270 errors:0 dropped:0 overruns:0 frame:0
TX packets:25354 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3293475 (3.1 MiB) TX bytes:4886119 (4.6 MiB)
Interrupt:169 Memory:f4000000-f4012100

SERVER OPENVPN
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:69 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:4345 (4.2 KiB) TX bytes:540 (540.0 b)

# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
219.95.1xx.1xx 0.0.0.0 255.255.255.252 U 0 0 0 eth1
10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 219.95.19x.1xx 0.0.0.0 UG 0 0 0 eth1


# ip route
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
219.95.1xx.1xx/30 dev eth1 proto kernel scope link src 219.95.1xx.1xx
10.8.0.0/24 via 10.8.0.2 dev tun0
169.254.0.0/16 dev eth1 scope link
172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.7.254
default via 219.95.19x.1xx dev eth1



WINDOWS XP ipconfig /all shows:
IP ADDRESS: 10.8.0.6
NETMASK: 255.255.255.252
GATEWAY: 10.8.0.5
DHCP: 10.8.0.5


While connected to the OpenVPN server from Windows XP (firewall off), I managed to ping 172.16.7.254 BUT NOT 172.16.2.1 (this IP is pingable from the server itself). Any idea why I can't ping 172.16.2.1 or 172.16.2.2?


Please help?

NOTE: IPTABLES and WINDOWS XP Firewall are OFF.

maxut 05-14-2009 09:16 AM

Turn on routing on Linux with the following command:
Code:

echo "1" > /proc/sys/net/ipv4/ip_forward
regards

filex 05-14-2009 10:08 AM

Done, and same problem.

Can I know whether OpenVPN supports a 255.255.0.0 network?

maxut 05-14-2009 11:01 AM

It should support a 255.255.0.0 subnet. It seems that you have network setup trouble.
Please check the routing table on the Windows side ("route print"), and you may want to try traceroute: "traceroute 172.16.2.1".

And what about logs on the Linux side? Check /var/log/messages and openvpn-status.log.

You may also want to add an iptables log rule to see if packets come from the Windows box and come back from the local network.
Code:

iptables -I FORWARD -i tun0 -d 172.16.0.0/16 -j LOG --log-prefix " packets from windows to local net:"
iptables -I FORWARD -o tun0 -s 172.16.0.0/16 -j LOG --log-prefix " packets to windows from local net:"

You should see those packets in /var/log/messages or /var/log/syslog, depending on your Linux distro.

Another point: the local computers that have 172.16.x.x IP addresses must use 172.16.7.254 (Linux) as their gateway. If not, you should do IP MASQUERADE on the Linux box.

regards
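One way to read the log lines those two iptables LOG rules produce, as an added example that is not code from this thread: it parses kernel LOG output and reports, per LAN host, whether requests from the VPN client were forwarded out and whether replies came back through the server. The sample log lines, the LAN host 172.16.7.10 and the interface names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines shaped like the kernel LOG output of the two
# FORWARD rules above (same log prefixes). 10.8.0.6 is the XP client from the
# thread; 172.16.7.10 is an assumed LAN host whose gateway is the Linux box;
# 172.16.2.1 is the host the client could not ping.
SAMPLE_SYSLOG = """\
May 14 10:15:01 vpn kernel:  packets from windows to local net:IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=172.16.7.10 LEN=60 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
May 14 10:15:01 vpn kernel:  packets to windows from local net:IN=eth0 OUT=tun0 MAC=00:22:19:86:a3:70:00:11:22:33:44:55:08:00 SRC=172.16.7.10 DST=10.8.0.6 LEN=60 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=1
May 14 10:15:05 vpn kernel:  packets from windows to local net:IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=172.16.2.1 LEN=60 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
May 14 10:15:06 vpn kernel:  packets from windows to local net:IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=172.16.2.1 LEN=60 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3
May 14 10:15:09 vpn kernel: unrelated line without netfilter fields
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_fields(line):
    """Turn the KEY=value tokens of a netfilter LOG line into a dict."""
    return dict(FIELD.findall(line))


def count_flows(syslog_text, vpn_if="tun0", lan_if="eth0"):
    """Return {lan_host: {"requests": n, "replies": n}}.

    A request is a packet forwarded VPN -> LAN (IN=tun0 OUT=eth0); a reply is
    one forwarded LAN -> VPN (IN=eth0 OUT=tun0). Other lines are skipped.
    """
    flows = defaultdict(lambda: {"requests": 0, "replies": 0})
    for line in syslog_text.splitlines():
        f = parse_fields(line)
        if f.get("IN") == vpn_if and f.get("OUT") == lan_if:
            flows[f["DST"]]["requests"] += 1
        elif f.get("IN") == lan_if and f.get("OUT") == vpn_if:
            flows[f["SRC"]]["replies"] += 1
    return dict(flows)


def diagnose(syslog_text):
    """Map each LAN host to a verdict based on the request/reply balance."""
    verdicts = {}
    for host, c in count_flows(syslog_text).items():
        if c["replies"] > 0:
            verdicts[host] = "ok"
        elif c["requests"] > 0:
            # Requests left via eth0 but nothing came back through the server:
            # the host sends its replies to another gateway, so its default
            # route must point at 172.16.7.254 or the server must MASQUERADE.
            verdicts[host] = "no replies: host does not route back via the VPN server"
        else:
            verdicts[host] = "replies without requests (asymmetric path)"
    return verdicts


if __name__ == "__main__":
    for host, verdict in diagnose(SAMPLE_SYSLOG).items():
        print(f"{host}: {verdict}")
```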

filex 05-14-2009 08:56 PM

maxut, you're right. I need MASQUERADE.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Thanks and appreciated!

maxut 05-15-2009 09:16 AM

welcome!
glad to hear that it worked..

