LinuxQuestions.org
Old 08-05-2008, 08:21 AM   #1
klaasde
LQ Newbie
 
Registered: Aug 2008
Posts: 4

Rep: Reputation: 0
OpenVPN connects but can't ping servers on the other network.


Hi all,

I am trying to setup VPN at my work.

I have the following situation:
At work: network is in the 10.0.0.0 range
The server running OpenVPN is CentOS 5
This is the conf file:

Code:
dev tun
ifconfig 10.1.0.1 10.1.0.2
up ./office.up
;route 192.168.0.0 255.255.0.0 10.1.0.2
tls-server
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret 
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
verb 3

And office.up:
Code:
#!/bin/sh
route add -net 192.168.1.0 netmask 255.255.255.0 gw $5

This is what I have at home:
Network is in the 192.168.1.0 range.
PC in use is Windows XP.
This is the conf file:

Code:
dev tun
remote ****external ip of the server
ifconfig 10.1.0.2 10.1.0.1
;up home.bat
route 10.0.0.0 255.255.255.0 10.1.0.1
tls-client
ca "E:\\Program Files\\OpenVPN\\config\\ca.crt"
cert "E:\\Program Files\\OpenVPN\\config\\client1.crt"
key "E:\\Program Files\\OpenVPN\\config\\client1.key"
verb 3

When I try to connect from home the connection is successful. And I can ping 10.0.0.20, this is the local IP address of the VPN server.
But I can't ping other servers on my office network.
I did set ip-forwarding on by changing /etc/sysctl.conf; I did set net.ipv4.ip_forward = 1.
I also did set net.ipv4.conf.all.proxy_arp = 1.

I don't use a firewall on both environments.
I use the example files from OpenVPN tls-client.conf and tls-server.conf, and I changed those a little bit.
Here is a screenprint from ipconfig(XP) after connecting to the vpn server: http://img397.imageshack.us/my.php?i...elding1kr0.png


What did I forget??
What have I done wrong??

Last edited by klaasde; 08-05-2008 at 08:54 AM.
 
Old 08-05-2008, 09:05 AM   #2
pronoy
Member
 
Registered: Mar 2005
Location: india
Distribution: FC4, Debian Etch
Posts: 67

Rep: Reputation: Disabled
My assumption:

It means the VPN server knows how to reach your home network.
But do all the other machines in your office network know where to send the response?
I mean, any response for 10.1.0.1 should be forwarded to your VPN server.
Check if you have a similar route in your office router.

Also I suspect the office.up script (what is $5?), check manually (using ifconfig) the routes.
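
Added example (not part of any poster's reply): a small longest-prefix-match model of the routing tables in this thread, showing why the VPN server at 10.0.0.20 answers pings from the tunnel address 10.1.0.2 while other office hosts send their replies to the default gateway until a return route exists. The tables are constructed; the office default gateway 10.0.0.1 and the function names are assumptions, the other addresses come from the posts.

```python
import ipaddress

# Addresses from the thread, except OFFICE_GW, which is an assumed default gateway.
VPN_SERVER = "10.0.0.20"   # LAN address of the OpenVPN server
HOME_TUN = "10.1.0.2"      # home end of the tunnel (source address of the pings)
OFFICE_GW = "10.0.0.1"     # assumption: the office router

def next_hop(routes, dst):
    """Longest-prefix match; returns the gateway, 'direct' for on-link, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

# Constructed routing tables (illustrative, not captured from real machines).
vpn_server_routes = [
    ("10.0.0.0/24", "direct"),       # office LAN
    ("10.1.0.2/32", "direct"),       # tun peer from "ifconfig 10.1.0.1 10.1.0.2"
    ("192.168.1.0/24", HOME_TUN),    # added by office.up
    ("0.0.0.0/0", OFFICE_GW),
]
office_host_before = [
    ("10.0.0.0/24", "direct"),
    ("0.0.0.0/0", OFFICE_GW),        # reply to 10.1.0.2 leaves via the router
]
# Fix on the host itself: a host route for the tunnel peer via the VPN server.
office_host_after = office_host_before + [("10.1.0.2/32", VPN_SERVER)]
# Fix on the office router instead, so every LAN host benefits at once.
office_router_fixed = [
    ("10.0.0.0/24", "direct"),
    ("10.1.0.2/32", VPN_SERVER),
    ("0.0.0.0/0", "isp"),
]

def reply_reaches_vpn_server(host_routes, router_routes=None):
    """True if an echo reply addressed to HOME_TUN is handed to the VPN server."""
    hop = next_hop(host_routes, HOME_TUN)
    if hop == VPN_SERVER:
        return True
    if hop == OFFICE_GW and router_routes is not None:
        return next_hop(router_routes, HOME_TUN) == VPN_SERVER
    return False

if __name__ == "__main__":
    print("host, no return route:", reply_reaches_vpn_server(office_host_before))
    print("host route added:     ", reply_reaches_vpn_server(office_host_after))
    print("route on office router:",
          reply_reaches_vpn_server(office_host_before, office_router_fixed))
```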
 
Old 08-05-2008, 09:35 AM   #3
klaasde
LQ Newbie
 
Registered: Aug 2008
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks pronoy!!

I added a static route for 10.1.0.2, and now I can ping the other servers from my home network :-D.

Can you maybe also tell me how to setup that a ping to the server name works?

like ping DEMOSERVER01
And then that demoserver01 is known as 10.0.0.10.

Thanks in advance.
 
Old 08-05-2008, 11:55 PM   #4
pronoy
Member
 
Registered: Mar 2005
Location: india
Distribution: FC4, Debian Etch
Posts: 67

Rep: Reputation: Disabled
If you have many servers, probably having a DNS will help, but that is more complex.

Alternative:
a. If you ping a server from a Linux machine, add entries in the /etc/hosts file of the Linux machine.
/etc/hosts contains the mapping between IP address and name.
b. If you ping from a Windows machine, probably you have to add an entry in the c:\windows\system32\drivers\etc\lmhosts file. (I don't know Windows, cross verify with others)
 
Old 08-06-2008, 02:13 AM   #5
klaasde
LQ Newbie
 
Registered: Aug 2008
Posts: 4

Original Poster
Rep: Reputation: 0
Hi Pronoy,

I think changing the hosts file will work yes.

The config I have now works great for 1 user. What should I change to make it work for multiple users?

Thanks, Klaas
 
Old 08-06-2008, 04:32 AM   #6
pronoy
Member
 
Registered: Mar 2005
Location: india
Distribution: FC4, Debian Etch
Posts: 67

Rep: Reputation: Disabled
Unfortunately that is much more complex.
You need to have a DNS server configured.
So all machines will query that DNS server to resolve the name to IP address mapping.
So for every machine you will put the DNS server IP address in /etc/resolv.conf.
Another advantage of this: if at a later point in time the address changes for any server, the client machines will get the name resolution to the new IP address automatically.

I don't know any other alternative.
 
  

