Hello,
I have been struggling with an OpenVPN issue for the last couple of days and am not sure what I am missing. I have "Site A" and "Site B". "Site A" is where the OpenVPN server is located, and it is behind a NAT firewall (Cisco ASA). "Site B" has a Linux firewall, and OpenVPN is running on it directly. The tunnel is established, however, it is only working fully one way.
Here is the setup:
SITE A
- LAN Subnet: 192.168.10.0/23
- VPN Subnet: 192.168.254.0/24
- Firewall IP: 192.168.10.1
- OpenVPN Server LAN IP: 192.168.10.15
- OpenVPN Server VPN IP: 192.168.254.1
- On the firewall, port 1194 is forwarded to <192.168.10.15>. In addition, the firewall has a route directing all traffic destined for Site B's subnet (see below) to <192.168.10.15>
- The OpenVPN server has forwarding enabled
SITE B
- LAN Subnet: 192.168.40.0/24
- Firewall IP: 192.168.40.1
- VPN IP: 192.168.254.10
The situation that is happening is this:
Site A:
- OpenVPN server is able to ping across the tunnel to machines on Site B's subnet
- Machines on Site A's subnet are able to ping machines on Site B's subnet
Site B:
- From the firewall, I can ping across the tunnel no problem (i.e., I can ping machines on Site A's subnet)
- From a machine on Site B's subnet, I can ping the LAN IP of the OpenVPN server (192.168.10.15)
- A traceroute from a machine on Site B's subnet to an IP on Site A's subnet (192.168.10.20) goes two hops: first hop is Site B's firewall IP (192.168.40.1) and the second hop is the OpenVPN Server's VPN IP (192.168.254.1); the rest of the hops time out (there should be three hops, with the final one being the IP I am tracerouting to)
- The same traceroute from the firewall also has just two hops: the first hop is 192.168.254.1 and the second hop is the IP I am tracerouting to (192.168.10.20)
Here are the routing tables from the OpenVPN server at Site A and the firewall at Site B:
Routing Table: Site A
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.254.2   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.40.0    192.168.254.2   255.255.255.0   UG    0      0        0 tun0
192.168.10.0    0.0.0.0         255.255.254.0   U     0      0        0 eth0
0.0.0.0         192.168.10.1    0.0.0.0         UG    0      0        0 eth0
Routing Table: Site B
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.254.1   0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.40.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    192.168.254.1   255.255.254.0   UG    0      0        0 tun0
111.222.128.0   0.0.0.0         255.255.252.0   U     0      0        0 eth0
0.0.0.0         111.222.128.1   0.0.0.0         UG    0      0        0 eth0
Note: In Site B's routing table, I replaced the public IP with <111.222.128.0> and <111.222.128.1>
Based on the fact that a traceroute can get from Site B's subnet to the OpenVPN server's VPN IP (192.168.254.1), it seems that the traffic *is* getting to the OpenVPN server, but for some reason it does not know what to do with it. Here are my OpenVPN configs (IPs and host names masked where appropriate):
Configuration: Site A
Code:
dev tun0
port 1194
local 192.168.10.15
ca keys/site_a/ca.crt
cert keys/site_a/sites.crt
key keys/site_a/sites.key
dh keys/site_a/dh2048.pem
crl-verify keys/site_a/crl.pem
persist-key
server 192.168.254.0 255.255.255.0
ifconfig-pool-persist servers/sites/logs/ipp.txt
status servers/sites/logs/openvpn-status.log
log-append servers/sites/logs/openvpn.log
verb 1
keepalive 10 60
max-clients 10
client-config-dir /etc/openvpn/servers/sites/ccd
comp-lzo
user nobody
group nogroup
mute 0
tls-server
persist-tun
route 192.168.40.0 255.255.255.0
push "route 192.168.10.0 255.255.254.0"
push "route 192.168.40.0 255.255.255.0"
push "dhcp-option DNS 192.168.10.20 192.168.10.23"
push "dhcp-option WINS 192.168.10.20"
push "dhcp-option DOMAIN mydomain.local"
Configuration: Site B
Code:
client
proto udp
dev tun
ca site_b/ca.crt
dh site_b/dh2048.pem
cert site_b/site_b.crt
key site_b/site_b.key
remote remote.mydomain.com 1194
cipher
user nobody
group nogroup
verb 2
mute 20
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
ping 15
ping-restart 45
nobind
tls-client
pull
In addition, on the OpenVPN server, I have the following IPTables rule:
Code:
iptables -t nat -A POSTROUTING -s 192.168.254.0/24 -j MASQUERADE
I have tried it with and without the rule and it makes no difference. I also tried the following rule, after finding it in another posting elsewhere on the Internet, but also with no difference:
Code:
iptables -t nat -A POSTROUTING ! -o tun0 -j MASQUERADE
Any help with this would be appreciated. If setting this up in "bridge" mode would make this work, I am not averse to doing that, but would prefer to use routed mode if possible.
Thanks! :-)
-SilkBC
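As an added illustration, not part of the original post: a small Python model of the routing tables above that does a longest-prefix-match lookup at each hop and compares the request path with the reply path. Next hops are written as the device the packet is handed to; the Site A firewall's route to Site B is taken from the description in the post, while a Site A LAN host using 192.168.10.1 as its default gateway and a Site B host at 192.168.40.50 are assumptions.

```python
import ipaddress
# Routing tables from the post, next hops written as the device the packet is
# handed to; None means the prefix is directly connected. Assumed, not in the
# post: the Site A firewall's static route to Site B (described only in prose),
# a Site A host defaulting to 192.168.10.1, and a Site B host at 192.168.40.50.
NODES = {
    "siteB-host": {"192.168.40.50"},
    "siteB-fw":   {"192.168.40.1", "192.168.254.10"},
    "vpn-server": {"192.168.254.1", "192.168.10.15"},
    "siteA-fw":   {"192.168.10.1"},
    "siteA-host": {"192.168.10.20"},
}
ROUTES = {
    "siteB-host": [("192.168.40.0/24", None), ("0.0.0.0/0", "siteB-fw")],
    "siteB-fw":   [("192.168.40.0/24", None), ("192.168.10.0/23", "vpn-server")],
    "vpn-server": [("192.168.40.0/24", "siteB-fw"), ("192.168.10.0/23", None),
                   ("0.0.0.0/0", "siteA-fw")],
    "siteA-fw":   [("192.168.10.0/23", None), ("192.168.40.0/24", "vpn-server")],
    "siteA-host": [("192.168.10.0/23", None), ("0.0.0.0/0", "siteA-fw")],
}

def lookup(node, dst):
    """Longest-prefix-match lookup of dst in node's table; None if no route."""
    hits = [(ipaddress.ip_network(p), nh) for p, nh in ROUTES[node]
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def owner(ip):
    """Node holding address ip, or None if nobody does."""
    return next((n for n, addrs in NODES.items() if ip in addrs), None)

def trace(src_node, dst_ip, max_hops=8):
    """Nodes a packet crosses from src_node to dst_ip, one lookup per hop."""
    dst = ipaddress.ip_address(dst_ip)
    path, node = [src_node], src_node
    while dst_ip not in NODES[node]:
        route = lookup(node, dst)
        if route is None or len(path) >= max_hops:
            raise RuntimeError(f"{node}: no route to {dst_ip}")
        node = route[1] or owner(dst_ip)   # via gateway, or deliver directly
        if node is None:
            raise RuntimeError(f"{path[-1]}: {dst_ip} not on a connected net")
        path.append(node)
    return path

def reply_only_nodes(src_node, src_ip, dst_ip):
    """Nodes the reply crosses that the request never did (path asymmetry)."""
    fwd = trace(src_node, dst_ip)
    back = trace(fwd[-1], src_ip)
    return [n for n in back if n not in fwd]
```

For a Site B host reaching 192.168.10.20 the request goes firewall, VPN server, host, but the reply passes through 192.168.10.1 first, a device the request never touched; in the Site A to Site B direction there is no such reply-only device. A forward-only traceroute cannot show this, which makes 192.168.10.1 the hop to inspect on the Site A side.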