Old 09-17-2013, 03:42 AM   #1
SilkBC
LQ Newbie
 
Registered: Apr 2012
Posts: 4

Rep: Reputation: Disabled
OpenVPN: Site-to-site behind NAT


Hello,

I have been struggling with an OpenVPN issue for the last couple of days and am not sure what I am missing. I have "Site A" and "Site B". "Site A" is where the OpenVPN server is located, and it is behind a NAT firewall (Cisco ASA). "Site B" has a Linux firewall, and OpenVPN is running on it directly. The tunnel is established; however, it is only working fully one way.

Here is the setup:

SITE A
  • LAN Subnet: 192.168.10.0/23
  • VPN Subnet: 192.168.254.0/24
  • Firewall IP: 192.168.10.1
  • OpenVPN Server LAN IP: 192.168.10.15
  • OpenVPN Server VPN IP: 192.168.254.1
  • On the firewall, port 1194 is forwarded to <192.168.10.15>. In addition, the firewall has a route directing all traffic destined for Site B's subnet (see below) to <192.168.10.15>
  • The OpenVPN server has forwarding enabled

SITE B
  • LAN Subnet: 192.168.40.0/24
  • Firewall IP: 192.168.40.1
  • VPN IP: 192.168.254.10

The situation that is happening is this:

Site A:
  • OpenVPN server is able to ping across the tunnel to machines on Site B's subnet
  • Machines on Site A's subnet are able to ping machines on Site B's subnet

Site B:
  • From the firewall, I can ping across the tunnel no problem (i.e., I can ping machines on Site A's subnet)
  • From a machine on Site B's subnet, I can ping the LAN IP of the OpenVPN server (192.168.10.15)
  • A traceroute from a machine on Site B's subnet to an IP on Site A's subnet (192.168.10.20) goes two hops: first hop is Site B's firewall IP (192.168.40.1) and the second hop is the OpenVPN Server's VPN IP (192.168.254.1); the rest of the hops time out (there should be three hops, with the final one being the IP I am tracerouting to)
  • The same traceroute from the firewall also has just two hops: the first hop is 192.168.254.1 and the second hop is the IP I am tracerouting to (192.168.10.20)

Here are the routing tables from the OpenVPN server at Site A and the firewall at Site B:

Routing Table: Site A
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.254.2   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.40.0    192.168.254.2   255.255.255.0   UG    0      0        0 tun0
192.168.10.0    0.0.0.0         255.255.254.0   U     0      0        0 eth0
0.0.0.0         192.168.10.1    0.0.0.0         UG    0      0        0 eth0
Routing Table: Site B
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.254.1   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.40.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    192.168.254.1   255.255.254.0   UG    0      0        0 tun0
111.222.128.0     0.0.0.0         255.255.252.0   U     0      0        0 eth0
0.0.0.0         111.222.128.1     0.0.0.0         UG    0      0        0 eth0
Note: In Site B's routing table, I replaced the public IP with <111.222.128.0> and <111.222.128.1>

Based on the fact that a traceroute can get from Site B's subnet to the OpenVPN server's VPN IP (192.168.254.1), it seems that the traffic *is* getting to the OpenVPN server, but for some reason it does not know what to do with it. Here are my OpenVPN configs (IPs and host names masked where appropriate):

Configuration: Site A
Code:
dev tun0
port 1194
local 192.168.10.15

ca keys/site_a/ca.crt
cert keys/site_a/sites.crt
key keys/site_a/sites.key
dh keys/site_a/dh2048.pem
crl-verify keys/site_a/crl.pem
persist-key

server 192.168.254.0 255.255.255.0
ifconfig-pool-persist servers/sites/logs/ipp.txt
status servers/sites/logs/openvpn-status.log
log-append servers/sites/logs/openvpn.log
verb 1
keepalive 10 60

max-clients 10
client-config-dir /etc/openvpn/servers/sites/ccd
comp-lzo

user nobody
group nogroup
mute 0
tls-server
persist-tun
route 192.168.40.0 255.255.255.0
push "route 192.168.10.0 255.255.254.0"
push "route 192.168.40.0 255.255.255.0"
push "dhcp-option DNS 192.168.10.20 192.168.10.23"
push "dhcp-option WINS 192.168.10.20"
push "dhcp-option DOMAIN mydomain.local"
Configuration: Site B
Code:
client
proto udp
dev tun
ca site_b/ca.crt
dh site_b/dh2048.pem
cert site_b/site_b.crt
key site_b/site_b.key
remote remote.mydomain.com 1194
cipher
user nobody
group nogroup
verb 2
mute 20
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
ping 15
ping-restart 45
nobind
tls-client
pull
In addition, on the OpenVPN server, I have the following IPTables rule:

Code:
# POSTROUTING is a chain of the nat table, so -t nat is required
iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -j MASQUERADE
I have tried it with and without the rule and it makes no difference. I also tried the following rule, after finding it in another posting elsewhere on the Internet, but also with no difference:

Code:
# POSTROUTING is a chain of the nat table, so -t nat is required
iptables -t nat -A POSTROUTING ! -o tun0 -j MASQUERADE
Any help with this would be appreciated. If setting this up in "bridge" mode would make this work, I am not averse to doing that, but would prefer to use routed mode if possible.

Thanks! :-)

-SilkBC
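The post above gives enough routing detail to replay both traceroutes on paper. The following is an added example, not code from the thread: it parses the two posted `route -n` tables, adds three constructed tables from the prose (the ASA with the route for Site B's subnet via 192.168.10.15 and a placeholder upstream gateway 203.0.113.1; a Site A host 192.168.10.20 and a constructed Site B host 192.168.40.50, each with their subnet on-link and a default gateway), does longest-prefix matching at every hop, and applies the poster's `-s 192.168.254.0/24 -j MASQUERADE` rule on the OpenVPN server's eth0. The Site B tunnel address is taken as 192.168.254.2, the peer that Site A's kernel table points at. It then lists the nodes that see only one direction of each ping, which is the check a practitioner wants when a stateful firewall sits on one side of the path.

```python
import ipaddress

# Site A OpenVPN server and Site B firewall tables are the `route -n` output
# from the thread; the other three are constructed from the prose. 203.0.113.1
# is a placeholder upstream gateway, not an address from the thread.
TABLES = {
    "siteA_vpn": """
192.168.254.2   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.40.0    192.168.254.2   255.255.255.0   UG    0      0        0 tun0
192.168.10.0    0.0.0.0         255.255.254.0   U     0      0        0 eth0
0.0.0.0         192.168.10.1    0.0.0.0         UG    0      0        0 eth0
""",
    "siteB_fw": """
192.168.254.1   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.40.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    192.168.254.1   255.255.254.0   UG    0      0        0 tun0
111.222.128.0   0.0.0.0         255.255.252.0   U     0      0        0 eth0
0.0.0.0         111.222.128.1   0.0.0.0         UG    0      0        0 eth0
""",
    "siteA_fw": """
192.168.40.0    192.168.10.15   255.255.255.0   UG    0      0        0 inside
192.168.10.0    0.0.0.0         255.255.254.0   U     0      0        0 inside
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 outside
""",
    "siteA_host": """
192.168.10.0    0.0.0.0         255.255.254.0   U     0      0        0 eth0
0.0.0.0         192.168.10.1    0.0.0.0         UG    0      0        0 eth0
""",
    "siteB_host": """
192.168.40.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.40.1    0.0.0.0         UG    0      0        0 eth0
""",
}

# Which node owns which address (constructed). 192.168.254.2 is the tun0 peer
# that Site A's kernel table names, so the model gives it to Site B's firewall.
OWNERS = {
    "192.168.10.20": "siteA_host",
    "192.168.10.1": "siteA_fw",
    "192.168.10.15": "siteA_vpn", "192.168.254.1": "siteA_vpn",
    "192.168.40.1": "siteB_fw", "192.168.254.2": "siteB_fw",
    "192.168.40.50": "siteB_host",
}
VPN_SUBNET = ipaddress.ip_network("192.168.254.0/24")
VPN_LAN_IP = "192.168.10.15"

def parse_route_table(text):
    """Turn `route -n` lines into (network, gateway-or-None, iface) tuples."""
    routes = []
    for line in text.strip().splitlines():
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()[:8]
        net = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append((net, None if gw == "0.0.0.0" else gw, iface))
    return routes

ROUTES = {name: parse_route_table(text) for name, text in TABLES.items()}

def lookup(node, dst):
    """Longest-prefix match in one node's table; returns (gateway, iface) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in ROUTES[node] if addr in r[0]]
    if not matches:
        return None
    _net, gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    return gw, iface

def trace(start, src, dst, nat_bindings):
    """Forward one packet hop by hop. On the OpenVPN server the poster's
    MASQUERADE rule rewrites a VPN-subnet source to 192.168.10.15 when the
    packet leaves on eth0, and a reply to that address is translated back.
    Returns (nodes traversed, source address as delivered)."""
    hops, node = [start], start
    while True:
        if node == "siteA_vpn" and (dst, src) in nat_bindings:
            dst = nat_bindings.pop((dst, src))          # un-NAT the reply
        if OWNERS.get(dst) == node:
            return hops, src
        route = lookup(node, dst)
        if route is None:
            return hops + ["dropped"], src
        gw, iface = route
        if node == "siteA_vpn" and iface == "eth0" and ipaddress.ip_address(src) in VPN_SUBNET:
            nat_bindings[(VPN_LAN_IP, dst)] = src       # remember the original source
            src = VPN_LAN_IP
        next_node = OWNERS.get(gw if gw else dst)
        if next_node is None:
            return hops + ["dropped"], src
        hops.append(next_node)
        node = next_node

def round_trip(start, src, dst):
    """Request from src to dst, then the reply dst sends to the source it saw."""
    bindings = {}
    req_hops, seen_src = trace(start, src, dst, bindings)
    if req_hops[-1] == "dropped":
        return req_hops, []
    rep_hops, _ = trace(req_hops[-1], dst, seen_src, bindings)
    return req_hops, rep_hops

def asymmetric_nodes(req_hops, rep_hops):
    """Nodes on exactly one direction of the flow: a stateful firewall there
    sees replies without the matching requests (or the reverse)."""
    return sorted(set(req_hops) ^ set(rep_hops))

if __name__ == "__main__":
    flows = [("Site B LAN host -> 192.168.10.20", ("siteB_host", "192.168.40.50", "192.168.10.20")),
             ("Site B firewall -> 192.168.10.20", ("siteB_fw", "192.168.254.2", "192.168.10.20"))]
    for label, args in flows:
        req, rep = round_trip(*args)
        print(label, "\n  request:", " -> ".join(req), "\n  reply:  ", " -> ".join(rep),
              "\n  one-direction-only nodes:", asymmetric_nodes(req, rep))
```

Run as is, the model reproduces the two traceroutes: the firewall-originated ping is masqueraded to 192.168.10.15, so both directions stay between the server and 192.168.10.20 on eth0 and no node sees only half the flow. The LAN-host ping is not matched by the `-s 192.168.254.0/24` rule, so its request is delivered straight onto eth0 while the reply from 192.168.10.20 follows that host's default route through the ASA (`siteA_fw` is the single one-direction-only node). Whether the ASA forwards a reply for a conversation it never saw the start of is therefore the next thing to verify, along with `iptables -t nat -L POSTROUTING -n -v` on the server to confirm the masquerade rule is actually loaded in the nat table.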
 
Old 09-17-2013, 09:12 PM   #2
SilkBC
LQ Newbie
 
Registered: Apr 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
No ideas or thoughts on what the issue might be, or something else I am overlooking?

-SilkBC
 
Old 09-26-2013, 09:55 AM   #3
Ipolit
Member
 
Registered: Nov 2003
Location: Bulgaria
Distribution: Vector Linux, Morphix
Posts: 321

Rep: Reputation: 33
Try to set on some of the computers in Site A
Quote:
ip ro add 192.168.254.0/24 via 192.168.10.15
ip ro add 192.168.40.0/24 via 192.168.10.15
just to be sure the problem is not in the forwarding rules of the firewall.
 
  

