Problem with OpenVPN
I've spent a number of hours trying to figure out what the problem is... and I just don't want to analyze it anymore. Let's see what you can tell me about it.
I want to set up a tunnel between two networks, not just client-server. On the client side, there's a 172.16.0/24 network behind it. On the server side, there's a 192.168.0/24 network behind it. I have configured the server to use ccd, and set the network in both the server's configuration file and the ccd client file. I have a rule to push the network behind the server too. When I establish the connection, both hosts can reach each other, and the client can reach the network behind the server. However, it's impossible to reach the network behind the client from the server (it's even impossible to reach the client's address on its LAN side). Forward policy is set to ACCEPT on both hosts (just to test) and there's an INPUT ACCEPT from the VPN interface. I don't think the firewalls are the problem. Here are both computers' route -n outputs.

Server:
Code:
Destination Gateway Genmask Flags Metric Ref Use Iface

Code:
Destination Gateway Genmask Flags Metric Ref Use Iface

So... where did I make the mistake?
Re: Problem with OpenVPN
Quote:
Can you ping 10.0.3.1 from the 'client'? If yes, the vpn is good. The most important part is to find out where the problem has to be solved: iptables or routing.
Yes.. they can ping each other.
Quote:
I use shorewall as firewall script, I don't know enough iptables.. Maybe it's worth a try? (you can remove it afterwards)
I don't think so. I even tried removing all forward "barriers".
if the openvpn box isn't the default gateway for its network, you have to add routing to the actual gateway box. in my case, i added the openvpn subnet pointing to the openvpn box, and the subnet of the internal network on the other side of the connection pointing to the openvpn box. i.e.:
my home subnet: 192.168.253.0/24
my home openvpn box: 192.168.253.1 w/ 192.168.254.1 as the openvpn address
remote openvpn box: 10.124.49.44 w/ 192.168.254.2 as the openvpn address
remote default gateway: 10.124.49.1

so on 10.124.49.1 do something like:
Code:
route add -net 192.168.253.0/24 gw 10.124.49.44
route add -net 192.168.254.0/24 gw 10.124.49.44

that way, packets bound for openvpn and/or the other side of the link get to a box that knows what to do with them - otherwise they just die on the gateway box. obviously, this doesn't apply if the openvpn box is also the default gateway for the subnet.
one other routing tidbit - on both sides, the connection's conf file has a line like the following:
Code:
up /etc/openvpn/connection-name.ip-up.sh

on the 10.124.49.0/24 side, that script contains:
Code:
route add -net 192.168.253.0/24 tun0

on the 192.168.253.0/24 side, it contains:
Code:
route add -net 10.124.49.0/24 tun0

obviously, the openvpn interface is tun0 on both sides.
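To tell whether a host will actually send the far LAN's traffic into the tunnel before blaming iptables, here is an added example (not from this thread or from OpenVPN) that parses `route -n` output and performs the kernel's longest-prefix lookup. The sample table is constructed to resemble the server in this thread; the tunnel network 10.0.3.0/24 is inferred from the 10.0.3.1 address mentioned above, and the default gateway 192.168.0.254 is an assumed placeholder.

```python
import ipaddress

# Constructed sample in `route -n` format, modelled on the server in this
# thread: LAN 192.168.0.0/24 on eth0, tunnel on tun0. Assumptions: the tunnel
# network 10.0.3.0/24 (inferred from the 10.0.3.1 address in the thread) and
# the default gateway 192.168.0.254 (a placeholder, not from the thread).
SERVER_ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.3.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 eth0
"""

def parse_route_n(text):
    """Return [(network, gateway, iface)] from the output of `route -n`."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # title and header lines carry no route
        dest, gateway, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match as the kernel does it: (gateway, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return None if best is None else (best[1], best[2])

def remote_lan_uses_tunnel(route_text, remote_lan, tunnel_iface):
    """True when a host inside remote_lan would be sent out of tunnel_iface."""
    first_host = ipaddress.ip_network(remote_lan).network_address + 1
    hop = lookup(parse_route_n(route_text), str(first_host))
    return hop is not None and hop[1] == tunnel_iface

if __name__ == "__main__":
    # On the sample server 172.16.0.0/24 has no route of its own, so it falls
    # through to the default route on eth0 and never enters the tunnel.
    print(lookup(parse_route_n(SERVER_ROUTE_N), "172.16.0.7"))
    print(remote_lan_uses_tunnel(SERVER_ROUTE_N, "172.16.0.0/24", "tun0"))
```

If the check returns False on the server while the client pings fine, the missing piece is a route for the far LAN via the tunnel interface, not a firewall rule.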
server:
Code:
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

Code:
172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0

This is the "reachability" chart.
Code:
| DST |
ok - i think the routing looks mainly ok assuming the client and server are the default gateways for their respective subnets.
only partially knowing what your firewall is set up like, perhaps this might give you some hint - i use firestarter to configure my firewalls, so from their faq: Quote: