Problem with OpenVPN

eantoranz · 10-06-2005, 07:08 PM

I've spent a number of ours trying to figure out what the problem is... and I just don't want to analize it anymore. Let's see what you can tell me about it.

I want to set up a tunnel between two networks, not just client server.

On the client side, there's a 172.16.0/24 network behind it. On the server side, there's a 192.168.0/24 network behind it.

I have configured the server to use ccd, and set the network in both the configuration server's configuration file and the ccd client file. I have a rule to push the network behind the server too.

When I stablish the connection, both hosts can reach themselves, and the client can reach the network behind the server. However, it' impossible to reach the network behind the client from the server (it's even impossible to reach the client's address on itslan side).

Forward policy is set to ACCEPT on both hosts (just to test) and there's a INPUT ACCEPT from the vpns interface. I don't think the firewalls are the problem.

Here are both computers route -n.

Server:

Code:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.3.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
10.78.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.16.0.0      10.0.3.2        255.255.255.0   UG    0      0        0 tun1
192.168.1.0     192.168.0.254   255.255.255.0   UG    0      0        0 eth0
10.0.3.0        10.0.3.2        255.255.255.0   UG    0      0        0 tun1
10.78.0.0       10.78.0.2       255.255.255.0   UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.79.0.0       192.168.0.2     255.255.255.0   UG    0      0        0 eth0
201.208.32.0    0.0.0.0         255.255.248.0   U     0      0        0 eth1
10.79.0.0       192.168.0.2     255.255.0.0     UG    0      0        0 eth0
0.0.0.0         201.208.32.1    0.0.0.0         UG    0      0        0 eth1

Client:

Code:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.3.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.3.0        10.0.3.5        255.255.255.0   UG    0      0        0 tun0
192.168.0.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
0.0.0.0         10.0.0.60       0.0.0.0         UG    0      0        0 eth1

See the client has two separate 10.0.x segments. 10.0.0 for its internet access and 10.0.3 for the VPN tunnel.

So... where did I make the mistake?

stoffell · 10-08-2005, 01:56 PM

Quote:

Originally posted by eantoranz
On the client side, there's a 172.16.0/24 network behind it. On the server side, there's a 192.168.0/24 network behind it.

Can you ping both gateways (I'll assume 192.168.1.1 and 172.16.0.1) from both servers?
Can you ping 10.0.3.1 from the 'client' ? If yes, the vpn is good.

The most important part is to find out where the problem has to be solved. Iptables or routing.

eantoranz · 10-08-2005, 07:32 PM

Yes.. they can ping each other.

stoffell · 10-09-2005, 02:44 AM

Quote:

Originally posted by eantoranz
Yes.. they can ping each other.

Hm, it could still be iptables, if your client pc's have the correct default gateway..
I use shorewall as firewall script, I don't know enough iptables.. Maybe it's worth a try? (you can remove it afterwards)

eantoranz · 10-10-2005, 10:54 AM

I don't think so. I even tried removing all forward "barriers".

alleycat · 10-10-2005, 11:10 AM

if the the openvpn box isn't the default gateway for its network, you have to add routing to the actual gateway box. in my case, i added the openvpn subnet pointing to the openvpn box, and the subnet of the internal network on the other side of the connection pointing to the openvpn box. i.e.:

my home subnet: 192.168.253.0/24
my home openvpn box: 192.168.253.1 w/ 192.168.254.1 as the open vpn address

remote openvpn box: 10.124.49.44 w/ 192.168.254.2 as the open vpn address
remote default gateway: 10.124.49.1

so on 10.124.49.1 do something like:

route add -net 192.168.253.0/24 gw 10.124.49.44
route add -net 192.168.254.0/24 gw 10.124.49.44

that way, packets bound for openvpn and/or the other side of the link get to a box that knows what to do with them - otherwise they just die on the gateway box. obviously, this doesn't apply if the openvpn box is also the default gateway for the subnet.

alleycat · 10-10-2005, 11:15 AM

one other routing tidbit - on both sides, the connection's conf file has a linke like the following:

up /etc/openvpn/connection-name.ip-up.sh

on the 10.124.49.0/24 side, that contains:
route add -net 192.168.253.0/24 tun0

on the 192.168.253.0/24 side, that contains:
route add -net 10.124.49.0/24 tun0

obviously, the openvpn interface is tun0 on both sides.

eantoranz · 10-10-2005, 03:12 PM

server:

Code:

192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.0.254   255.255.255.0   UG    0      0        0 eth0
172.16.0.0      10.0.3.2        255.255.255.0   UG    0      0        0 tun1

Client:

Code:

172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0

As you can see, routing is not the problem. They both know how to route packets to 172.16.0/24, 192.168.0/24 and 192.168.1/24.

This is the "reachability" chart.

Code:

         |            DST                    |
| SRC    |CLNT LAN|CLNT    | SRV    |SRV LAN |
|CLNT LAN|   -    |  GOOD  |  NONE  |  NONE  |
|CLNT    |  GOOD  |    -   |  GOOD  |  GOOD  |
|SRV     |  NONE  |  GOOD  |    -   |  GOOD  |
|SRV LAN |  NONE  |  NONE  |  GOOD  |    -   |

The most interesting part in the chart is that you could reach the SRV lan from the client, but not viceversa.

alleycat · 10-10-2005, 04:49 PM

ok - i think the routing looks mainly ok assuming the client and server are the default gateways for their respective subnets.

only partially knowing what your firewall is setup like, perhaps this might give you some hint - i use firestarter to configure my firewalls, so from their faq:

Quote:

How to use the VPN workarounds in Firestarter 1.0

Copy the lines specific to your VPN solution listed below, and paste them into the /etc/firestarter/user-pre file on the firewall host. Restarting the firewall, for example by executing "/etc/firestarter/firewall.sh start", commits the new settings.

<SNIP>

OpenVPN

OpenVPN is an easy to use cross-platform VPN solution that is also Open Source. If OpenVPN is to be used on the computer that Firestarter is running on, traffic must be allowed to and from the OpenVPN virtual interface with the following lines:

# Allow traffic on the OpenVPN inteface
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT

http://www.fs-security.com/docs/vpn.php