OpenVPN routing problems?

nimnull22 · 04-08-2010, 04:25 PM

route add -net 192.168.204.0 netmask 255.255.255.0 gw 192.168.207.5 tun0

You forgot about TUN device, I think

nimnull22 · 04-08-2010, 04:46 PM

See next post

nimnull22 · 04-08-2010, 04:57 PM

Sorry, I have confused you.
Add new route:

route add -net 192.168.204.0 netmask 255.255.255.0 gw 192.168.207.1 tun0

Sorry about this.

Also please, post output of
iptables-save
from client computer without any pudlic IPs.

Thanks

TimothyEBaldwin · 04-10-2010, 09:20 AM

Quote:

Originally Posted by digimars

Thu Apr 8 14:01:09 2010 client2/x.x.x.116:45573 MULTI: bad source address from client [x.x.x.116], packet dropped

As OpenVPN is a router when used in tun server mode, you need to set up the route table on the OpenVPN server process, in addition the kernel route table. Use the "iroute" directive in a client specific config file.

Or use OpenVPN in peer-to-peer mode.

And don't put MASQURADE rules on the LAN interface (eth1), they will just cause problems.

digimars · 04-12-2010, 07:56 AM

Quote:

Originally Posted by nimnull22

Sorry, I have confused you.
Add new route:

route add -net 192.168.204.0 netmask 255.255.255.0 gw 192.168.207.1 tun0

Sorry about this.

Also please, post output of
iptables-save
from client computer without any pudlic IPs.

Thanks

Sorry took so long to respond, I've been off of work the last couple of days.

I tried the above, but I keep getting "network is unreachable"

digimars · 04-12-2010, 09:27 AM

Ok, in an effort to simplify things, I followed the tutorial here, setting up the TLS example:

http://openvpn.net/index.php/open-so...8-1xhowto.html

Here is my server.conf file, on the machine with eth0 being the public IP, and eth1 being 10.10.202.1, on the box vpn01:

Code:

port 1194
proto tcp-server

dev tun

tls-server

# our keys and certificate files
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpnserver.crt
key /etc/openvpn/keys/vpnserver.key
dh /etc/openvpn/keys/dh1024.pem

tls-auth /etc/openvpn/keys/ta.key 0

# 192.168.207.1 is our local VPN endpoint (local location)
# 192.168.207.2 is the remote endpoint (remote location)
ifconfig 192.168.207.1 192.168.207.2

# our up script will establish routes
# once the VPN is active
up ./remote.up

push "redirect-gateway def1"

# force the clients to use the internal LAN's DNS and WINS servers
push "dhcp-option DNS 192.168.1.22"
push "dhcp-option DNS 192.168.1.23"
push "dhcp-option WINS 192.168.1.22"

# advertise the routes for the LANs that we want the client to access
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.2.0 255.255.255.0"
push "route 10.10.4.0 255.255.252.0"
push "route 10.10.202.0 255.255.255.0"

keepalive 10 120

cipher AES-256-CBC

comp-lzo

max-clients 2

user nobody
group nobody
persist-key
persist-tun

status openvpn-status.log
verb 3
mute 20

chroot /etc/openvpn/

My remote.up script:

Code:

#!/bin/bash
route add -net 192.168.204.0 netmask 255.255.255.0 gw $5

The routing table when the OpenVPN service is running on the server:

Code:

[root@vpn01 openvpn]# ip route show
192.168.207.2 dev tun0  proto kernel  scope link  src 192.168.207.1 
X.X.X.112/29 dev eth0  proto kernel  scope link  src X.X.X.115 
10.10.202.0/24 dev eth1  proto kernel  scope link  src 10.10.202.2 
192.168.204.0/24 via 192.168.207.2 dev tun0 
169.254.0.0/16 dev eth1  scope link 
default via 10.10.202.1 dev eth1

And my IP configuration on the server:

Code:

[root@vpn01 openvpn]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:10:4B:07:03:01  
          inet addr:x.x.x.115  Bcast:x.x.x.119  Mask:255.255.255.248
          inet6 addr: fe80::210:4bff:fe07:301/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:152920 errors:0 dropped:0 overruns:0 frame:0
          TX packets:137494 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:31384118 (29.9 MiB)  TX bytes:14715511 (14.0 MiB)
          Interrupt:209 Base address:0x6c00 

eth1      Link encap:Ethernet  HWaddr 00:0C:F1:BB:E9:96  
          inet addr:10.10.202.2  Bcast:10.10.202.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:f1ff:febb:e996/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24368 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22947 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4129381 (3.9 MiB)  TX bytes:3033400 (2.8 MiB)
          Memory:fc9e0000-fca00000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1311 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1311 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2326044 (2.2 MiB)  TX bytes:2326044 (2.2 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.207.1  P-t-P:192.168.207.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

On my client machine (vpn02), with a public IP on the eth0 interface, and 192.168.204.1 on the eth1 interface:

Code:

client
dev tun
proto tcp-client

# the server and port we're connecting to
remote x.x.x.x 1194

# 192.168.207.2 is our local VPN endpoint (Eagle Rock Library)
# 192.168.207.1 is the remote VPN endpoint (Court House server room)
ifconfig 192.168.207.2 192.168.207.1

# our script will establish routes 
# once the VPN is up
up ./local.up

resolv-retry infinite
nobind

persist-key
persist-tun

tls-client

ca ca.crt
cert client2.crt
key client2.key

tls-auth ta.key 1

ns-cert-type server

cipher AES-256-CBC

comp-lzo

user nobody
group nobody

status openvpn-status.log
verb 3
mute 20

chroot /etc/openvpn/

My local.up script:

Code:

#!/bin/bash
route add -net 10.10.202.0 netmask 255.255.255.0 gw $5

The route and IP information of everything on vpn02 (client):

Code:

[root@vpn02 openvpn]# ip route show
192.168.207.1 dev tun0  proto kernel  scope link  src 192.168.207.2 
x.x.x.115 via x.x.x.113 dev eth0 
x.x.x.112/29 dev eth0  proto kernel  scope link  src x.x.x.116 
192.168.2.0/24 via 192.168.207.1 dev tun0 
192.168.1.0/24 via 192.168.207.1 dev tun0 
10.10.202.0/24 via 192.168.207.1 dev tun0 
192.168.204.0/24 dev eth1  proto kernel  scope link  src 192.168.204.1 
10.10.4.0/22 via 192.168.207.1 dev tun0 
169.254.0.0/16 dev eth1  scope link 
0.0.0.0/1 via 192.168.207.1 dev tun0 
128.0.0.0/1 via 192.168.207.1 dev tun0 
default via x.x.x.113 dev eth0

Code:

[root@vpn02 openvpn]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:01:02:35:C6:55  
          inet addr:X.X.X.116  Bcast:X.X.X.119  Mask:255.255.255.248
          inet6 addr: fe80::201:2ff:fe35:c655/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:387670 errors:0 dropped:0 overruns:1 frame:0
          TX packets:151081 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:47882101 (45.6 MiB)  TX bytes:31725199 (30.2 MiB)
          Interrupt:201 Base address:0xc00 

eth1      Link encap:Ethernet  HWaddr 00:0C:F1:D0:1F:D9  
          inet addr:192.168.204.1  Bcast:192.168.204.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:f1ff:fed0:1fd9/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:2426 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1578 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:228723 (223.3 KiB)  TX bytes:172201 (168.1 KiB)
          Memory:fc9e0000-fca00000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1218 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1218 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:2223585 (2.1 MiB)  TX bytes:2223585 (2.1 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.207.2  P-t-P:192.168.207.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:274 errors:0 dropped:0 overruns:0 frame:0
          TX packets:302 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:21652 (21.1 KiB)  TX bytes:55200 (53.9 KiB)

What I'm seeing now:

With the VPN disconnected, I can browse the web from the client. Once I connect the client to the VPN, I can no longer browse the web.

I can ping across the tunnel in both directions. From the client machine, I can traceroute to the OpenVPN server's default gateway:

Code:

[root@vpn02 openvpn]# traceroute 10.10.202.1
traceroute to 10.10.202.1 (10.10.202.1), 30 hops max, 40 byte packets
 1   (192.168.207.1)  0.998 ms  17.257 ms  17.222 ms
 2   (10.10.202.1)  17.219 ms  17.208 ms  17.186 ms

digimars · 04-12-2010, 09:31 AM

Here is the output of iptables-save on the server:

Code:

[root@vpn01 openvpn]# iptables-save
# Generated by iptables-save v1.3.5 on Mon Apr 12 10:30:46 2010
*nat
:PREROUTING ACCEPT [14142:750387]
:POSTROUTING ACCEPT [2049:151188]
:OUTPUT ACCEPT [1682:127955]
-A POSTROUTING -s 192.168.207.0/255.255.255.0 -o eth1 -j SNAT --to-source 10.10.202.2 
-A POSTROUTING -s 10.10.202.0/255.255.255.0 -o eth0 -j MASQUERADE 
COMMIT
# Completed on Mon Apr 12 10:30:46 2010
# Generated by iptables-save v1.3.5 on Mon Apr 12 10:30:46 2010
*filter
:INPUT DROP [20:900]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [6780:943045]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s 127.0.0.1 -i eth0 -j DROP 
-A INPUT -d 127.0.0.1 -i eth0 -j DROP 
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP 
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP 
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP 
-A INPUT -s 127.0.0.1 -j ACCEPT 
-A INPUT -d 127.0.0.1 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT 
-A INPUT -i tun+ -j ACCEPT 
-A INPUT -i eth1 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s 127.0.0.1 -i eth0 -j DROP 
-A FORWARD -d 127.0.0.1 -i eth0 -j DROP 
-A FORWARD -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP 
-A FORWARD -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP 
-A FORWARD -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP 
-A FORWARD -o eth0 -p tcp -m tcp --sport 137:139 -j DROP 
-A FORWARD -o eth0 -p udp -m udp --sport 137:139 -j DROP 
-A FORWARD -s ! 10.10.202.0/255.255.255.0 -i eth1 -j DROP 
-A FORWARD -i tun+ -j ACCEPT 
-A FORWARD -i eth1 -j ACCEPT 
-A FORWARD -o eth0 -m state --state NEW -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o eth0 -p tcp -m tcp --sport 137:139 -j DROP 
-A OUTPUT -o eth0 -p udp -m udp --sport 137:139 -j DROP 
-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT 
COMMIT
# Completed on Mon Apr 12 10:30:46 2010

Here is the output of iptables-save on the client:

Code:

[root@vpn02 openvpn]# iptables-save
# Generated by iptables-save v1.3.5 on Mon Apr 12 10:29:23 2010
*nat
:PREROUTING ACCEPT [95823:14275268]
:POSTROUTING ACCEPT [2038:144705]
:OUTPUT ACCEPT [9934:588022]
-A POSTROUTING -o eth0 -j MASQUERADE 
-A POSTROUTING -s 192.168.204.0/255.255.255.0 -o eth0 -j MASQUERADE 
COMMIT
# Completed on Mon Apr 12 10:29:23 2010
# Generated by iptables-save v1.3.5 on Mon Apr 12 10:29:23 2010
*filter
:INPUT DROP [90:13356]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [476:53359]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT 
-A INPUT -d 127.0.0.1 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT 
-A INPUT -i tun+ -j ACCEPT 
-A INPUT -i eth1 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -s ! 192.168.204.0/255.255.255.0 -i eth1 -j DROP 
-A FORWARD -i tun+ -j ACCEPT 
-A FORWARD -i eth1 -j ACCEPT 
-A FORWARD -o eth0 -m state --state NEW -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o eth0 -m state --state NEW -j ACCEPT 
COMMIT
# Completed on Mon Apr 12 10:29:23 2010

digimars · 04-12-2010, 09:49 AM

Ok, so it was a firewalling issue, I removed the following line:

Code:

-A FORWARD -s ! 10.10.202.0/255.255.255.0 -i eth1 -j DROP

and I was able to pull up a webpage on the client while it was connected to the VPN.

However, I still have a firewall issue of some sorts that blocking web access from the 192.168.204.0 range.

I connected a Windows XP laptop up to my OpenVPN client server (it's running dhcpd handing out 192.168.204.0 addresses) and I verified the client PC is getting an IP, but I can't browse the web from it.

To check further, from the OpenVPN client machine I can ping google by IP, but I can not from my XP laptop that's connected to it.

Here is my dhcpd.conf file:

Code:

[root@vpn02 ~]# cat /etc/dhcpd.conf 
#
# DHCP Server Configuration file.
#   see /usr/share/doc/dhcp*/dhcpd.conf.sample  
#

ddns-update-style interim;
ignore client-updates;

subnet 192.168.204.0 netmask 255.255.255.0 {
	option routers			192.168.204.1;
	option domain-name-servers	192.168.204.1,8.8.8.8;
	option subnet-mask		255.255.255.0;
	
	range dynamic-bootp 192.168.204.100 192.168.204.254;

	default-lease-time 21600;
	max-lease-time 43200;
}

And whereas I can ping 10.10.202.1 from the OpenVPN client/server, I can not from the XP laptop. So for some reason it looks as if there is a disconnect between 192.168.204.1 and anything else.

And to confuse me further, I can ping both 192.168.204.1 (the client/server) and 192.168.204.254 (the IP of my XP laptop) from the other end of the tunnel. So since that's the case, it seems the routing is fine, I just have a firewall issue still somewhere. When the VPN isn't up, the laptop can get out to the Internet fine.

digimars · 04-12-2010, 12:46 PM

Ok, I found the disconnect here. What I've drawn out below is my ping testing. Double sided arrows means I was able to ping these IP's in both directions:

Code:

XP client               VPN02                                       VPN01                Gateway
---------               ---------                                   --------              ----------
                        192.168.207.2 (tun0) <--------------------> 192.168.207.1 (tun0)

                        192.168.207.2 -----------this direction only------------------->  10.10.202.1

                                                                    10.10.202.2 (eth1)<-> 10.10.202.1

192.168.204.254 <-----> 192.168.207.2

192.168.204.254 <-------------------------------------------------> 192.168.207.1

192.168.204.254 <-------------------------------------------------> 10.10.202.2

192.168.204.254 < -X--X--X--X--X-Can Not Ping-X--X--X--X--X--X--X--X--X--X--X--X--X--X--> 10.10.202.1

                        192.168.204.1 (eth1)<---------------------> 10.10.202.2

                        192.168.204.1 < -X--X-Can Not Ping-X--X-X--X--X--X--X--X--X--X-> 10.10.202.1

So obviously the fact that the 192.168.204.0/24 traffic can't make it to 10.10.202.1 is not good, but I don't understand how that is if it can hit 10.10.202.2.

And I wonder why 192.168.207.2 and 192.168.207.1 can ping 10.10.202.1, but not the other way around.

digimars · 04-12-2010, 02:25 PM

I got it.

I was missing a route for 192.168.204.0/24 traffic to go to 10.10.202.2 on the router that 10.10.202.1 is on.

Once I did that, I was able to get the pings working right. Then I was able to make firewall rules on our edge firewall to go out to the Internet.

nowonmai · 04-13-2010, 06:51 AM

I'm curious to know why you used tunnelling at all? Bridging gives much more flexibility IMO.

digimars · 04-13-2010, 07:01 AM

Quote:

Originally Posted by nowonmai

I'm curious to know why you used tunnelling at all? Bridging gives much more flexibility IMO.

The reason why I went that route is because from what I have been reading, tunneling doesn't have as much overhead as bridging does. I don't know from experience, as this is my first attempt at putting together a site-to-site VPN.

nowonmai · 04-13-2010, 08:57 AM

Fair enough. Bridging can seem to be a little bit involved too, as far as the neophyte is concerned. Do give it a try though... use is much more transparent.
My laptop automatically connects to 4 or 5 bridged VPNs whenever they are available... I take care that they are on different segments as each other, but I can access any machine on any of the VPNs as if I was in the office.