LinuxQuestions.org
Old 08-22-2009, 04:24 AM   #1
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Rep: Reputation: 33
Don't understand OpenVPN IP-assignment


On the OpenVPN-server :

server.conf :
Code:
port 1194
proto udp
dev tun
ca XX
cert XX
key XX
dh XX
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 10.8.0.0 255.255.255.252
/ccd/my-client :
Code:
ifconfig-push 10.8.0.1 10.8.0.2 (from server.conf documentation)
When I connect my Fedora-client to the OpenVPN-server :

on my Fedora-client :
Code:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:2 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
I can only ping 10.8.0.6

on the OpenVPN-server :
Code:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
I can only ping 10.8.0.1

Can someone tell me the meaning of "inet addr:10.8.0.6 P-t-P:10.8.0.5" on the Fedora-client and "inet addr:10.8.0.1 P-t-P:10.8.0.2" on the OpenVPN-server?

Shouldn't my OpenVPN-server have the IP 10.8.0.1 and my client 10.8.0.2?
 
Old 08-22-2009, 01:52 PM   #2
walruz
Member
 
Registered: Aug 2009
Location: Buenos Aires
Distribution: Debian/GNU Linux
Posts: 35

Rep: Reputation: 17
The server will use the 10.8.0.1 ip address
Code:
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
With the CCD included you're trying to give the user the same IP address as the server. Try using the recommended settings
Code:
ifconfig-push 10.9.0.1 10.9.0.2
and in the server.conf file
Code:
client-config-dir ccd
route 10.9.0.0 255.255.255.252
(beware that these lines are commented by default).

Try to reconnect. From the server, try to ping 10.8.0.1 (its local IP), which should respond fine. Then try to ping 10.9.0.1 (the client's assigned IP address), which should also respond fine. Then from the client, try to ping its local (10.9.0.1) and then the server (10.8.0.1). If you're running a firewall, you may also want to add some rules to trust the tun0 interface.
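The net30 address plan behind the two posts above, as an added Python example (not code from the thread or from OpenVPN, and all function names are hypothetical): it reproduces the allocation rule for `server 10.8.0.0 255.255.255.0` (the server takes 10.8.0.1 with peer 10.8.0.2, every client gets the middle two addresses of its own /30, so the first pool client sees 10.8.0.6 with P-t-P 10.8.0.5, and ipp.txt records the /30 base 10.8.0.4) and checks a CCD `ifconfig-push` line against it. The "inside the dynamic pool" finding is a check added here to flag the overlap risk; it is not an OpenVPN error message.

```python
"""net30 address plan for an OpenVPN ``server`` directive.

Constructed helper, not OpenVPN's own code: reproduces the net30 allocation
rule so a CCD ``ifconfig-push`` line can be checked before a client connects.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Iterator, List, Tuple


def _net(network: str, netmask: str) -> IPv4Network:
    # "10.8.0.0/255.255.255.0" is accepted by the ipaddress module as-is
    return IPv4Network(f"{network}/{netmask}")


def server_endpoint(network: str, netmask: str) -> Tuple[str, str]:
    """Server's own tun0 address and its point-to-point peer (the first /30)."""
    base = int(_net(network, netmask).network_address)
    return str(IPv4Address(base + 1)), str(IPv4Address(base + 2))


def client_slots(network: str, netmask: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (slot_base, client_local, client_ptp) for every client /30 in the pool.

    The first /30 belongs to the server, so the client pool starts at base+4:
    the first client is 10.8.0.6 with peer 10.8.0.5, slot base 10.8.0.4.
    """
    net = _net(network, netmask)
    for base in range(int(net.network_address) + 4, int(net.broadcast_address), 4):
        yield (str(IPv4Address(base)),
               str(IPv4Address(base + 2)),   # client's own address
               str(IPv4Address(base + 1)))   # client's P-t-P peer


def slot_base(address: str) -> str:
    """The /30 base that ipp.txt records for a net30 client (10.8.0.6 -> 10.8.0.4)."""
    a = int(IPv4Address(address))
    return str(IPv4Address(a - a % 4))


def check_ifconfig_push(network: str, netmask: str, local: str, ptp: str) -> List[str]:
    """Return the problems found with a net30 ``ifconfig-push local ptp`` line."""
    problems: List[str] = []
    lo, hi = sorted((int(IPv4Address(local)), int(IPv4Address(ptp))))
    # a net30 pair is base+1 and base+2 of one /30 (base is a multiple of 4)
    if hi != lo + 1 or lo % 4 != 1:
        problems.append(f"{local}/{ptp} is not a net30 pair (needs base+1 and base+2 of one /30)")
    srv = server_endpoint(network, netmask)
    if local in srv or ptp in srv:
        problems.append(f"collides with the server's own /30 ({srv[0]} P-t-P {srv[1]})")
    elif IPv4Address(local) in _net(network, netmask):
        # constructed check: a static address inside the pool can be handed to a
        # dynamic client as well; the fix in this thread moves it to 10.9.0.0/30
        problems.append(f"{local} lies inside the dynamic pool {network}/{netmask}")
    return problems


if __name__ == "__main__":
    print("server:", server_endpoint("10.8.0.0", "255.255.255.0"))
    for slot in list(client_slots("10.8.0.0", "255.255.255.0"))[:3]:
        print("client slot base %s -> local %s, P-t-P %s" % slot)
    for push in (("10.8.0.1", "10.8.0.2"), ("10.8.0.6", "10.8.0.5"), ("10.9.0.1", "10.9.0.2")):
        print(push, check_ifconfig_push("10.8.0.0", "255.255.255.0", *push) or "ok")
```

The first push line is the one from the original server.conf in this thread and is rejected because it is the server's own /30; the last one is the pair recommended above and passes, with the server-side `route 10.9.0.0 255.255.255.252` sending that /30 into tun0.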
 
Old 08-22-2009, 02:52 PM   #3
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Thanks for your reply !

Followed your instructions :

on the OpenVPN-server (server.conf) :
Code:
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 10.9.0.0 255.255.255.252
(ccd)
Code:
bash-3.2# cat ccd/client-jonas 
ifconfig-push 10.9.0.1 10.9.0.2
On the server :
Code:
bash-3.2# ping -c 4 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.062 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=0.061 ms
64 bytes from 10.8.0.1: icmp_seq=4 ttl=64 time=0.065 ms

--- 10.8.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.038/0.056/0.065/0.013 ms
bash-3.2# ping -c 4 10.9.0.1
PING 10.9.0.1 (10.9.0.1) 56(84) bytes of data.

--- 10.9.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3008ms
On the Fedora-client :
Code:
[jonas@jonas ~]$ ping -c 4 10.9.0.1
PING 10.9.0.1 (10.9.0.1) 56(84) bytes of data.

--- 10.9.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 12999ms

[jonas@jonas ~]$ ping -c 4 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.

--- 10.8.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 13000ms
On my Fedora-client my firewall is turned off.

Extra oddity :
Code:
bash-3.2# cat ipp.txt 
server.domain.tld,10.8.0.4
So the FQDN of the OpenVPN-server is listed there with an IP-address of 10.8.0.4
 
Old 08-22-2009, 03:12 PM   #4
walruz
Member
 
Registered: Aug 2009
Location: Buenos Aires
Distribution: Debian/GNU Linux
Posts: 35

Rep: Reputation: 17
I assume the firewall is turned on on your server. Which firewall is it? You may want to try disabling it for a couple of seconds, ping back & forth and then re-enable it.

On the client, if you execute the route command
Code:
10.9.0.2        *               255.255.255.255 UH    0      0        0 tun0
client_name     10.9.0.2        255.255.255.255 UGH   0      0        0 tun0
and this should be the output on the server
Code:
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.9.0.0        10.8.0.2        255.255.255.252 UG    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
Let me know what your route results for tun0 are and if the server's firewall disabling helped. If so, adjust it to accept everything (for starters) from tun0.
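A way to compare a client's `route` output with the address the CCD file is supposed to push, as an added Python example (not from the thread or from OpenVPN; the function names and the diagnostic texts are mine). The sample input is constructed from the client route table posted in this thread: in net30 the P-t-P peer appears as a /32 host route on tun0 with no gateway (flags UH), and the server is reached by a host route via that peer (UGH). If the peer is a pool address rather than the pushed one, the CCD entry was not applied, which is the situation the later posts work through.

```python
"""Check a client's ``route`` output against the address a CCD file should push.

Constructed example for this thread; neither OpenVPN's code nor the poster's.
"""
from typing import Dict, List, Optional

# Constructed sample: the client route table posted in this thread, without the
# ISP/host rows that were masked in the post.
CLIENT_ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     2      0        0 wlan0
default         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
"""

COLUMNS = ("dest", "gateway", "genmask", "flags", "metric", "ref", "use", "iface")


def parse_route_table(text: str) -> List[Dict[str, str]]:
    """Parse net-tools ``route`` output into one dict per routing entry."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        parts = line.split()
        # skip the title line (4 words), the column header and any malformed row
        if len(parts) != len(COLUMNS) or parts[0] == "Destination":
            continue
        rows.append(dict(zip(COLUMNS, parts)))
    return rows


def tun_peer(rows: List[Dict[str, str]], iface: str = "tun0") -> Optional[str]:
    """In net30 the P-t-P peer shows up as a /32 host route with no gateway (flags UH)."""
    for r in rows:
        if r["iface"] == iface and r["flags"] == "UH" and r["genmask"] == "255.255.255.255":
            return r["dest"]
    return None


def host_routes_via(rows: List[Dict[str, str]], gateway: str, iface: str = "tun0") -> List[str]:
    """Destinations reached through ``gateway`` on ``iface`` by a host (H) route."""
    return [r["dest"] for r in rows
            if r["iface"] == iface and r["gateway"] == gateway and "H" in r["flags"]]


def diagnose(text: str, expected_peer: str, server_ip: str) -> List[str]:
    """Compare the tun0 routes with the peer address an ifconfig-push line should give."""
    rows = parse_route_table(text)
    peer = tun_peer(rows)
    if peer is None:
        return ["no point-to-point host route on tun0: the tunnel is not up"]
    findings: List[str] = []
    if peer != expected_peer:
        findings.append(
            f"tun0 peer is {peer} but ifconfig-push should give {expected_peer}: the client "
            "got a dynamic pool /30, so the CCD entry was not applied (server still running "
            "the old configuration, or CCD file name not matching the certificate CN)")
    if server_ip not in host_routes_via(rows, peer):
        findings.append(f"no host route to the server address {server_ip} via {peer}")
    return findings


if __name__ == "__main__":
    for f in diagnose(CLIENT_ROUTE_OUTPUT, "10.9.0.2", "10.8.0.1") or ["routes match"]:
        print(f)
```

Run against the posted table with the expected peer 10.9.0.2 it reports the pool peer 10.8.0.5; with 10.8.0.5 as the expected peer (the pool assignment) it reports nothing, which is the same comparison the later replies make by eye.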
 
Old 08-22-2009, 03:47 PM   #5
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Quote:
Originally Posted by walruz View Post
I assume the firewall is turned on on your server. Which firewall is it? You may want to try disabling it for a couple of seconds, ping back & forth and then re-enable it.
The firewall is CSF/LFD (http://www.configserver.com/cp/csf.html)

Route on client firewall enabled :
Code:
[root@jonas jonas]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
vpsXXXX.xlshost clarkconnect.jo 255.255.255.255 UGH   0      0        0 wlan0
192.168.1.0     *               255.255.255.0   U     2      0        0 wlan0
default         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
Route on client firewall disabled :
Code:
[root@jonas jonas]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
vpsXXXX.xlshost clarkconnect.jo 255.255.255.255 UGH   0      0        0 wlan0
192.168.1.0     *               255.255.255.0   U     2      0        0 wlan0
default         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
 
Old 08-22-2009, 03:52 PM   #6
walruz
Member
 
Registered: Aug 2009
Location: Buenos Aires
Distribution: Debian/GNU Linux
Posts: 35

Rep: Reputation: 17
Routes are not changed by firewalls (at least not in Linux stateful firewalls), only iptables tables.
You still have the 10.8.0.5 IP address that is based on your old server.conf settings. Restart the OpenVPN service on the server, reconnect, and try to disable the firewall on the server for a minute and ping back & forth.
 
Old 08-23-2009, 02:21 PM   #7
jonaskellens
Member
 
Registered: Jul 2008
Location: Ghent, Belgium
Distribution: Fedora, CentOS
Posts: 632

Original Poster
Rep: Reputation: 33
Although not secure, I have totally disabled the firewall.
Next I restart the OpenVPN-server and clear the file ipp.txt.

Code:
bash-3.2# /sbin/service lfd stop
Stopping lfd:                                              [  OK  ]
Code:
bash-3.2# /sbin/service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Code:
bash-3.2# /sbin/service openvpn restart
Shutting down openvpn:                                     [  OK  ]
Starting openvpn:                                          [  OK  ]
Code:
bash-3.2# cat ipp.txt 
bash-3.2#

On my Fedora host, when VPN-connected :
Code:
[jonas@jonas ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
vpsXXX.XXXhost clarkconnect.jo 255.255.255.255 UGH   0      0        0 wlan0
192.168.1.0     *               255.255.255.0   U     2      0        0 wlan0
default         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
If not from the server, where could these routes come from? I don't have a client.conf on my Fedora client or any other file besides the necessary keys where any IP-addresses or routes are defined.

I add the following :

No firewall active, I am directly connected to the internet, no NAT :
on the VPN-server :
Code:
bash-3.2# /sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.9.0.0        10.8.0.2        255.255.255.252 UG    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
X.31.X.0      *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         gw-vxx.xx-xx.ne 0.0.0.0         UG    0      0        0 eth0
X.31.X.0 = IP of OpenVPN-server
The only IP-address I can ping is 10.8.0.1, no other. Also not 10.9.0.1 or anything else...

On my Fedora-client :
Code:
[jonas@jonas ~]$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH   0      0        0 tun0
XX.31.XX.XX    78.XX.XX.1     255.255.255.255 UGH   0      0        0 eth0
78.XX.XX.0     *               255.255.240.0   U     1      0        0 eth0
default         10.8.0.5        0.0.0.0         UG    0      0        0 tun0
XX.31.XX.XX = IP of OpenVPN-server
78.XX.XX.1 = IP ISP-router
78.XX.XX.0 = ISP network

Last edited by jonaskellens; 08-23-2009 at 04:20 PM.