LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Old 10-06-2005, 08:08 PM   #1
eantoranz
Problem with OpenVPN


I've spent a number of hours trying to figure out what the problem is... and I just don't want to analyze it anymore. Let's see what you can tell me about it.

I want to set up a tunnel between two networks, not just client server.

On the client side, there's a 172.16.0/24 network behind it. On the server side, there's a 192.168.0/24 network behind it.

I have configured the server to use ccd, and set the network in both the configuration server's configuration file and the ccd client file. I have a rule to push the network behind the server too.

When I establish the connection, both hosts can reach each other, and the client can reach the network behind the server. However, it's impossible to reach the network behind the client from the server (it's even impossible to reach the client's address on its LAN side).

Forward policy is set to ACCEPT on both hosts (just to test) and there's an INPUT ACCEPT from the VPN's interface. I don't think the firewalls are the problem.

Here are both computers' route -n.

Server:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.3.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
10.78.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.16.0.0      10.0.3.2        255.255.255.0   UG    0      0        0 tun1
192.168.1.0     192.168.0.254   255.255.255.0   UG    0      0        0 eth0
10.0.3.0        10.0.3.2        255.255.255.0   UG    0      0        0 tun1
10.78.0.0       10.78.0.2       255.255.255.0   UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.79.0.0       192.168.0.2     255.255.255.0   UG    0      0        0 eth0
201.208.32.0    0.0.0.0         255.255.248.0   U     0      0        0 eth1
10.79.0.0       192.168.0.2     255.255.0.0     UG    0      0        0 eth0
0.0.0.0         201.208.32.1    0.0.0.0         UG    0      0        0 eth1
Client:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.3.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.3.0        10.0.3.5        255.255.255.0   UG    0      0        0 tun0
192.168.0.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
0.0.0.0         10.0.0.60       0.0.0.0         UG    0      0        0 eth1
See, the client has two separate 10.0.x segments: 10.0.0 for its internet access and 10.0.3 for the VPN tunnel.

So... where did I make the mistake?

Last edited by eantoranz; 10-06-2005 at 08:10 PM.
 
Old 10-08-2005, 02:56 PM   #2
stoffell
Re: Problem with OpenVPN

Quote:
Originally posted by eantoranz
On the client side, there's a 172.16.0/24 network behind it. On the server side, there's a 192.168.0/24 network behind it.
Can you ping both gateways (I'll assume 192.168.1.1 and 172.16.0.1) from both servers?
Can you ping 10.0.3.1 from the 'client' ? If yes, the vpn is good.

The most important part is to find out where the problem has to be solved. Iptables or routing.
 
Old 10-08-2005, 08:32 PM   #3
eantoranz
Yes.. they can ping each other.
 
Old 10-09-2005, 03:44 AM   #4
stoffell
Quote:
Originally posted by eantoranz
Yes.. they can ping each other.
Hm, it could still be iptables, if your client PCs have the correct default gateway..
I use shorewall as firewall script, I don't know enough iptables.. Maybe it's worth a try? (you can remove it afterwards)
 
Old 10-10-2005, 11:54 AM   #5
eantoranz
I don't think so. I even tried removing all forward "barriers".
 
Old 10-10-2005, 12:10 PM   #6
alleycat
if the openvpn box isn't the default gateway for its network, you have to add routing to the actual gateway box. in my case, i added the openvpn subnet pointing to the openvpn box, and the subnet of the internal network on the other side of the connection pointing to the openvpn box. i.e.:

my home subnet: 192.168.253.0/24
my home openvpn box: 192.168.253.1 w/ 192.168.254.1 as the open vpn address

remote openvpn box: 10.124.49.44 w/ 192.168.254.2 as the open vpn address
remote default gateway: 10.124.49.1

so on 10.124.49.1 do something like:

route add -net 192.168.253.0/24 gw 10.124.49.44
route add -net 192.168.254.0/24 gw 10.124.49.44

that way, packets bound for openvpn and/or the other side of the link get to a box that knows what to do with them - otherwise they just die on the gateway box. obviously, this doesn't apply if the openvpn box is also the default gateway for the subnet.
 
Old 10-10-2005, 12:15 PM   #7
alleycat
LQ Newbie
 
Registered: Jun 2004
Location: Chicago, IL
Distribution: fedora / centos / rhel
Posts: 12

Rep: Reputation: 0
one other routing tidbit - on both sides, the connection's conf file has a line like the following:

up /etc/openvpn/connection-name.ip-up.sh

on the 10.124.49.0/24 side, that contains:
route add -net 192.168.253.0/24 tun0

on the 192.168.253.0/24 side, that contains:
route add -net 10.124.49.0/24 tun0

obviously, the openvpn interface is tun0 on both sides.
 
Old 10-10-2005, 04:12 PM   #8
eantoranz
Senior Member
 
Registered: Apr 2003
Location: Colombia
Distribution: Kubuntu, Debian, Knoppix
Posts: 1,982
Blog Entries: 1

Original Poster
Rep: Reputation: 83
server:
Code:
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.0.254   255.255.255.0   UG    0      0        0 eth0
172.16.0.0      10.0.3.2        255.255.255.0   UG    0      0        0 tun1
Client:
Code:
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
As you can see, routing is not the problem. They both know how to route packets to 172.16.0/24, 192.168.0/24 and 192.168.1/24.

This is the "reachability" chart.

Code:
|        |            DST                    |
| SRC    |CLNT LAN|CLNT    | SRV    |SRV LAN |
|CLNT LAN|   -    |  GOOD  |  NONE  |  NONE  |
|CLNT    |  GOOD  |    -   |  GOOD  |  GOOD  |
|SRV     |  NONE  |  GOOD  |    -   |  GOOD  |
|SRV LAN |  NONE  |  NONE  |  GOOD  |    -   |
The most interesting part in the chart is that you can reach the SRV LAN from the client, but not vice versa.

Last edited by eantoranz; 10-10-2005 at 04:13 PM.
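An added check, not code from this thread: it parses the two `route -n` tables posted above and performs the same longest-prefix lookup the kernel does for a destination, so both directions between the LANs can be compared mechanically. The rows are a constructed subset of the tables above, and the `role` flag (server or client) is an assumption of the example; it exists because on an OpenVPN server a kernel route into the tun device is only half the picture, the daemon also needs an `iroute` for the client's subnet in its ccd file.

```python
import ipaddress

# Constructed sample input: a subset of the `route -n` tables posted in this
# thread, reduced to the rows that matter for the two LANs and the default route.
SERVER_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.0.0      10.0.3.2        255.255.255.0   UG    0      0        0 tun1
192.168.1.0     192.168.0.254   255.255.255.0   UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         201.208.32.1    0.0.0.0         UG    0      0        0 eth1
"""
CLIENT_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
0.0.0.0         10.0.0.60       0.0.0.0         UG    0      0        0 eth1
"""

def parse_routes(text):
    """Turn `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does. Returns (gateway, iface) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        return None
    _net, gw, iface = max(hits, key=lambda r: r[0].prefixlen)
    return gw, iface

def check_path(routes, dst, role):
    """Verdict on how this host (role: 'server' or 'client') would forward to dst.
    On an OpenVPN server a kernel route into the tun device is necessary but not
    sufficient: the daemon also needs an `iroute` for that subnet in the client's
    ccd file, otherwise it discards packets the kernel hands to the tun device."""
    hit = lookup(routes, dst)
    if hit is None:
        return "no route"
    gw, iface = hit
    if role == "server" and iface.startswith("tun"):
        return f"via {iface}: kernel route present, OpenVPN iroute for this subnet also required"
    return f"via {iface} gw {gw}"
```

Run `check_path(parse_routes(SERVER_ROUTES), "172.16.0.10", "server")` against the real tables to see the server side verdict, and the same call with the client table and role "client" for the reverse direction.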
 
Old 10-10-2005, 05:49 PM   #9
alleycat
LQ Newbie
 
Registered: Jun 2004
Location: Chicago, IL
Distribution: fedora / centos / rhel
Posts: 12

Rep: Reputation: 0
ok - i think the routing looks mainly ok assuming the client and server are the default gateways for their respective subnets.

only partially knowing what your firewall is setup like, perhaps this might give you some hint - i use firestarter to configure my firewalls, so from their faq:

Quote:
How to use the VPN workarounds in Firestarter 1.0

Copy the lines specific to your VPN solution listed below, and paste them into the /etc/firestarter/user-pre file on the firewall host. Restarting the firewall, for example by executing "/etc/firestarter/firewall.sh start", commits the new settings.

<SNIP>

OpenVPN

OpenVPN is an easy to use cross-platform VPN solution that is also Open Source. If OpenVPN is to be used on the computer that Firestarter is running on, traffic must be allowed to and from the OpenVPN virtual interface with the following lines:

# Allow traffic on the OpenVPN interface
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT
http://www.fs-security.com/docs/vpn.php