Hi guys,
I'm having difficulties understanding the logic behind the routing procedure in VPN.
Let's say I have two machines, one is vpn-server the other is client.
The server even has an extra eth1 interface 192.168.0.1 on private network 192.168.0.0/24. I want my client machine to be able to reach other machines that may be on the 192.168.0.0/24 network.
I activated ip_forward and set up forward rules in iptables (which, other than that, are clean).
iptables -A FORWARD -i tun+ -j ACCEPT
When using the routed approach, I configure the server/client accordingly and "push" the 192.168.0.0/24 network from the server. When startup of server/client is complete, I get the following tun0 interfaces.
Server:
Code:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255
Client:
Code:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.6 P-t-P:10.8.0.5 Mask:255.255.255.255
Now, I'm not actually sure what P-t-P addresses are. I guess it stands for "peer-to-peer", but I'm having difficulties understanding, in a practical sense, what they do.
With startup sequences complete, I'm able to ping the server tun0 interface from the client. I'm even able to ping the 192.168.0.1 eth1 interface of the server (network I pushed), but I'm still not able to connect to any machine on that same network.
During the initialization, I can spot the following rows on the client side:
Code:
Thu Jun 24 12:31:05 2010 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
Thu Jun 24 12:31:05 2010 /sbin/route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.8.0.5
Thu Jun 24 12:31:05 2010 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.5
As you can see, the 10.8.0.5 address is being used as gateway (the P-t-P address). I don't quite understand what it does. It's obviously, from what I can see, being used as gateway to the network 192.168.0.0 that I want to reach. But still, I can't reach it.
When using the route command on the client I see the following row regarding the 192.168.0.0 route.
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun0
Obviously this "P-t-P" address is being used as gateway to that network. But I can't reach it.
To actually be able to do what I want to do (reach other machines behind the VPN internal network 192.168.0.0), I have to manually add the following on my client:
route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.8.0.6 (the actual IP address of the tun0 device on the client).
Why does OpenVPN behave like this?
Shouldn't it add this automatically? For that matter, what is the purpose of the rows that it actually did add automatically during the initialization?
Thanks in advance (and I hope I made myself clear).
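The checks a practitioner would run on a routed OpenVPN setup like the one above, written as an added example (not code from the post or from OpenVPN). Each check takes captured command output as a string so it can be run offline against saved output; the samples at the bottom are constructed from the post's values (10.8.0.x tun addresses, 192.168.0.0/24 LAN). Check 4 is an assumption the post does not mention: hosts on the LAN can only answer 10.8.0.x if they have a route back through the VPN server's LAN address.

```shell
#!/bin/sh
# Added example: prerequisite checks for routed OpenVPN forwarding.

# 1. Server: kernel forwarding on (cat /proc/sys/net/ipv4/ip_forward).
fwd_enabled() { [ "$1" = "1" ]; }

# 2. Server: FORWARD chain accepts traffic arriving on tun interfaces
#    (iptables -S FORWARD).
forward_accepts_tun() {
    printf '%s\n' "$1" | grep -q -- '^-A FORWARD -i tun+ .*-j ACCEPT'
}

# 3. Client: the pushed network goes out tun0 with the peer (P-t-P) address
#    as gateway, as OpenVPN configured it. Args: route -n output, net, peer.
route_via_peer() {
    printf '%s\n' "$1" | awk -v net="$2" -v gw="$3" \
        '$1 == net && $2 == gw && $8 == "tun0" { found = 1 } END { exit !found }'
}

# 4. LAN host (assumption, not from the post): needs either a route for the
#    VPN subnet or its default route via the VPN server's LAN address.
#    Args: route -n output of the LAN host, VPN subnet, server LAN address.
lan_has_return_path() {
    printf '%s\n' "$1" | awk -v net="$2" -v srv="$3" \
        '($1 == net || $1 == "0.0.0.0") && $2 == srv { found = 1 } END { exit !found }'
}

# Constructed samples: the post's client route table, a LAN host whose only
# default route points at another router (check 4 fails), and the same host
# after a route for 10.8.0.0/24 via the VPN server is added (check 4 passes).
CLIENT_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0'
LAN_HOST_ROUTES='192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 eth0'
LAN_HOST_FIXED="$LAN_HOST_ROUTES
10.8.0.0        192.168.0.1     255.255.255.0   UG    0      0        0 eth0"
SERVER_FORWARD='-P FORWARD DROP
-A FORWARD -i tun+ -j ACCEPT'

# Report each check by name so the output reads as a checklist.
report() { if "$@"; then echo "ok:   $1"; else echo "FAIL: $1"; fi; }
report fwd_enabled 1
report forward_accepts_tun "$SERVER_FORWARD"
report route_via_peer "$CLIENT_ROUTES" 192.168.0.0 10.8.0.5
report lan_has_return_path "$LAN_HOST_ROUTES" 10.8.0.0 192.168.0.1
report lan_has_return_path "$LAN_HOST_FIXED" 10.8.0.0 192.168.0.1
```

To use it on a live system, replace the sample strings with `$(cat /proc/sys/net/ipv4/ip_forward)`, `$(iptables -S FORWARD)` and `$(route -n)` captured on the respective machine.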