Linux - Networking
This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
I've spent a number of hours trying to figure out what the problem is... and I just don't want to analyze it anymore. Let's see what you can tell me about it.
I want to set up a tunnel between two networks, not just client server.
On the client side, there's a 172.16.0/24 network behind it. On the server side, there's a 192.168.0/24 network behind it.
I have configured the server to use ccd, and set the network in both the server's configuration file and the ccd client file. I have a rule to push the network behind the server too.
When I establish the connection, both hosts can reach each other, and the client can reach the network behind the server. However, it's impossible to reach the network behind the client from the server (it's even impossible to reach the client's address on its LAN side).
Forward policy is set to ACCEPT on both hosts (just to test) and there's an INPUT ACCEPT from the VPN's interface. I don't think the firewalls are the problem.
Here is route -n from both computers.
Server:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.3.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
10.78.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.16.0.0      10.0.3.2        255.255.255.0   UG    0      0        0 tun1
192.168.1.0     192.168.0.254   255.255.255.0   UG    0      0        0 eth0
10.0.3.0        10.0.3.2        255.255.255.0   UG    0      0        0 tun1
10.78.0.0       10.78.0.2       255.255.255.0   UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.79.0.0       192.168.0.2     255.255.255.0   UG    0      0        0 eth0
201.208.32.0    0.0.0.0         255.255.248.0   U     0      0        0 eth1
10.79.0.0       192.168.0.2     255.255.0.0     UG    0      0        0 eth0
0.0.0.0         201.208.32.1    0.0.0.0         UG    0      0        0 eth1
Client:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.3.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.3.0        10.0.3.5        255.255.255.0   UG    0      0        0 tun0
192.168.0.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
0.0.0.0         10.0.0.60       0.0.0.0         UG    0      0        0 eth1
See, the client has two separate 10.0.x segments: 10.0.0 for its internet access and 10.0.3 for the VPN tunnel.
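As an added example (not code from the original post or from any reply), here is the minimal OpenVPN site-to-site configuration for the layout the question describes, showing the two directives that must both be present before the server can reach the LAN behind a client: a kernel route in server.conf and an iroute in that client's ccd file. The client common name "branch", the file paths and the FORWARD rules are assumptions.

```shell
#!/bin/sh
# Added example: site-to-site OpenVPN for server LAN 192.168.0.0/24,
# client LAN 172.16.0.0/24 and tunnel 10.0.3.0/24 (layout from the thread).
set -eu

SERVER_LAN="192.168.0.0 255.255.255.0"
CLIENT_LAN="172.16.0.0 255.255.255.0"
TUNNEL_NET="10.0.3.0 255.255.255.0"
CLIENT_CN="branch"   # assumed; must match the CN in the client's certificate

# Write server.conf and the ccd entry into $1 (use a scratch dir to try it).
write_site_to_site_config() {
    dir="$1"
    mkdir -p "$dir/ccd"
    cat > "$dir/server.conf" <<EOF
dev tun
server $TUNNEL_NET
# per-client settings live in ccd/<common name>
client-config-dir $dir/ccd
# kernel route on the server: send the client LAN into the tunnel
route $CLIENT_LAN
# tell the client how to reach the LAN behind the server
push "route $SERVER_LAN"
EOF
    cat > "$dir/ccd/$CLIENT_CN" <<EOF
# OpenVPN-internal route: which connected client owns 172.16.0.0/24.
# Without this the daemon has no client to hand the packets to,
# even though the kernel route above exists.
iroute $CLIENT_LAN
EOF
}

# Return 0 when both the kernel route and the internal route are configured.
config_is_complete() {
    dir="$1"
    grep -q "^route $CLIENT_LAN" "$dir/server.conf" &&
    grep -q "^iroute $CLIENT_LAN" "$dir/ccd/$CLIENT_CN"
}

# Print the server-side FORWARD rules that replace a blanket ACCEPT policy:
# only the two LANs may cross the tunnel. Apply instead of print with APPLY=1.
# Both VPN hosts also need net.ipv4.ip_forward=1.
forward_rules() {
    for r in "-A FORWARD -i tun+ -o eth0 -s 172.16.0.0/24 -d 192.168.0.0/24 -j ACCEPT" \
             "-A FORWARD -i eth0 -o tun+ -s 192.168.0.0/24 -d 172.16.0.0/24 -j ACCEPT"; do
        if [ "${APPLY:-0}" = 1 ]; then iptables $r; else echo "iptables $r"; fi
    done
}
```

The client side needs the mirror of the FORWARD rules (swap the -i/-o interfaces and the -s/-d networks).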
Quote:
Originally posted by eantoranz
On the client side, there's a 172.16.0/24 network behind it. On the server side, there's a 192.168.0/24 network behind it.
Can you ping both gateways (I'll assume 192.168.1.1 and 172.16.0.1) from both servers?
Can you ping 10.0.3.1 from the 'client' ? If yes, the vpn is good.
The most important part is to find out where the problem has to be solved. Iptables or routing.
Quote:
Originally posted by eantoranz
Yes.. they can ping each other.
Hm, it could still be iptables, if your client PCs have the correct default gateway.
I use shorewall as a firewall script; I don't know enough iptables. Maybe it's worth a try? (You can remove it afterwards.)
If the OpenVPN box isn't the default gateway for its network, you have to add routing to the actual gateway box. In my case, I added the OpenVPN subnet pointing to the OpenVPN box, and the subnet of the internal network on the other side of the connection pointing to the OpenVPN box. I.e.:
my home subnet: 192.168.253.0/24
my home OpenVPN box: 192.168.253.1 w/ 192.168.254.1 as the OpenVPN address
remote OpenVPN box: 10.124.49.44 w/ 192.168.254.2 as the OpenVPN address
remote default gateway: 10.124.49.1
That way, packets bound for OpenVPN and/or the other side of the link get to a box that knows what to do with them; otherwise they just die on the gateway box. Obviously, this doesn't apply if the OpenVPN box is also the default gateway for the subnet.
OK, I think the routing looks mainly OK, assuming the client and server are the default gateways for their respective subnets.
Only partially knowing what your firewall setup is like, perhaps this might give you some hint. I use Firestarter to configure my firewalls, so from their FAQ:
Quote:
How to use the VPN workarounds in Firestarter 1.0
Copy the lines specific to your VPN solution listed below, and paste them into the /etc/firestarter/user-pre file on the firewall host. Restarting the firewall, for example by executing "/etc/firestarter/firewall.sh start", commits the new settings.
<SNIP>
OpenVPN
OpenVPN is an easy-to-use, cross-platform VPN solution that is also Open Source. If OpenVPN is to be used on the computer that Firestarter is running on, traffic must be allowed to and from the OpenVPN virtual interface with the following lines:
# Allow traffic on the OpenVPN interface
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT