Linux - Networking. This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
10-06-2005, 08:08 PM, #1
Senior Member
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Problem with OpenVPN
I've spent a number of hours trying to figure out what the problem is... and I just don't want to analyze it anymore. Let's see what you can tell me about it.
I want to set up a tunnel between two networks, not just client-server.
On the client side, there's a 172.16.0/24 network behind it. On the server side, there's a 192.168.0/24 network behind it.
I have configured the server to use ccd, and set the network in both the server's configuration file and the ccd client file. I have a rule to push the network behind the server too.
When I establish the connection, both hosts can reach each other, and the client can reach the network behind the server. However, it's impossible to reach the network behind the client from the server (it's even impossible to reach the client's address on its LAN side).
Forward policy is set to ACCEPT on both hosts (just to test) and there's an INPUT ACCEPT from the VPN interface. I don't think the firewalls are the problem.
Here are both computers' route -n.
Server:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.3.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun1
10.78.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.16.0.0      10.0.3.2        255.255.255.0   UG    0      0        0 tun1
192.168.1.0     192.168.0.254   255.255.255.0   UG    0      0        0 eth0
10.0.3.0        10.0.3.2        255.255.255.0   UG    0      0        0 tun1
10.78.0.0       10.78.0.2       255.255.255.0   UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.79.0.0       192.168.0.2     255.255.255.0   UG    0      0        0 eth0
201.208.32.0    0.0.0.0         255.255.248.0   U     0      0        0 eth1
10.79.0.0       192.168.0.2     255.255.0.0     UG    0      0        0 eth0
0.0.0.0         201.208.32.1    0.0.0.0         UG    0      0        0 eth1
Client:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.3.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.3.0        10.0.3.5        255.255.255.0   UG    0      0        0 tun0
192.168.0.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
0.0.0.0         10.0.0.60       0.0.0.0         UG    0      0        0 eth1
See the client has two separate 10.0.x segments. 10.0.0 for its internet access and 10.0.3 for the VPN tunnel.
So... where did I make the mistake?
Last edited by eantoranz; 10-06-2005 at 08:10 PM.
10-08-2005, 02:56 PM, #2
Member
Registered: Apr 2003
Location: belgium
Distribution: debian
Posts: 72
Re: Problem with OpenVPN
Quote:
Originally posted by eantoranz
On the client side, there's a 172.16.0/24 network behind it. On the server side, there's a 192.168.0/24 network behind it.
Can you ping both gateways (I'll assume 192.168.1.1 and 172.16.0.1) from both servers?
Can you ping 10.0.3.1 from the 'client' ? If yes, the vpn is good.
The most important part is to find out where the problem has to be solved. Iptables or routing.
10-08-2005, 08:32 PM, #3
Senior Member
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Original Poster
Yes.. they can ping each other.
10-09-2005, 03:44 AM, #4
Member
Registered: Apr 2003
Location: belgium
Distribution: debian
Posts: 72
Quote:
Originally posted by eantoranz
Yes.. they can ping each other.
Hm, it could still be iptables, if your client PCs have the correct default gateway..
I use shorewall as firewall script, I don't know enough iptables.. Maybe it's worth a try? (you can remove it afterwards)
10-10-2005, 11:54 AM, #5
Senior Member
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Original Poster
I don't think so. I even tried removing all forward "barriers".
10-10-2005, 12:10 PM, #6
LQ Newbie
Registered: Jun 2004
Location: Chicago, IL
Distribution: fedora / centos / rhel
Posts: 12
if the openvpn box isn't the default gateway for its network, you have to add routing to the actual gateway box. in my case, i added the openvpn subnet pointing to the openvpn box, and the subnet of the internal network on the other side of the connection pointing to the openvpn box. i.e.:
my home subnet: 192.168.253.0/24
my home openvpn box: 192.168.253.1 w/ 192.168.254.1 as the open vpn address
remote openvpn box: 10.124.49.44 w/ 192.168.254.2 as the open vpn address
remote default gateway: 10.124.49.1
so on 10.124.49.1 do something like:
route add -net 192.168.253.0/24 gw 10.124.49.44
route add -net 192.168.254.0/24 gw 10.124.49.44
that way, packets bound for openvpn and/or the other side of the link get to a box that knows what to do with them - otherwise they just die on the gateway box. obviously, this doesn't apply if the openvpn box is also the default gateway for the subnet.
10-10-2005, 12:15 PM, #7
LQ Newbie
Registered: Jun 2004
Location: Chicago, IL
Distribution: fedora / centos / rhel
Posts: 12
one other routing tidbit - on both sides, the connection's conf file has a line like the following:
up /etc/openvpn/connection-name.ip-up.sh
on the 10.124.49.0/24 side, that contains:
route add -net 192.168.253.0/24 tun0
on the 192.168.253.0/24 side, that contains:
route add -net 10.124.49.0/24 tun0
obviously, the openvpn interface is tun0 on both sides.
10-10-2005, 04:12 PM, #8
Senior Member
Registered: Apr 2003
Location: Costa Rica
Distribution: Kubuntu, Debian, Knoppix
Posts: 2,092
Original Poster
Server:
Code:
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.0.254   255.255.255.0   UG    0      0        0 eth0
172.16.0.0      10.0.3.2        255.255.255.0   UG    0      0        0 tun1
Client:
Code:
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     10.0.3.5        255.255.255.0   UG    0      0        0 tun0
As you can see, routing is not the problem. They both know how to route packets to 172.16.0/24, 192.168.0/24 and 192.168.1/24.
This is the "reachability" chart.
Code:
                        DST
SRC      | CLNT LAN | CLNT | SRV  | SRV LAN
---------+----------+------+------+--------
CLNT LAN |    -     | GOOD | NONE | NONE
CLNT     |   GOOD   |  -   | GOOD | GOOD
SRV      |   NONE   | GOOD |  -   | GOOD
SRV LAN  |   NONE   | NONE | GOOD |  -
The most interesting part in the chart is that you can reach the SRV LAN from the client, but not vice versa.
Last edited by eantoranz; 10-10-2005 at 04:13 PM.
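The asymmetry in that chart (client reaches the server LAN, server cannot reach the client LAN even though route -n on the server points 172.16.0.0/24 into tun1) is what an OpenVPN server shows when the kernel has a route into the tunnel but OpenVPN itself has no "iroute" for that LAN in the client's ccd file: the kernel hands the packet to the tun device and OpenVPN, not knowing which client owns 172.16.0.0/24, drops it. The script below is an added example written for this thread; it is not code from the poster or from the OpenVPN project. It reads a server config and a ccd directory and reports every "route" line without a matching "iroute" (and the reverse). The fixture it builds reuses the thread's addresses (tunnel 10.0.3.0/24, 172.16.0.0/24 behind the client, 192.168.0.0/24 behind the server); the temporary file paths and the ccd file name "branch" are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): checks the route/iroute pairing a
# site-to-site OpenVPN server needs.  "route NET MASK" in server.conf makes
# the server kernel send packets for NET into the tun device; "iroute NET
# MASK" in the client's ccd file tells OpenVPN which client owns NET.  With
# the kernel route but no iroute the server silently drops the packets.
# Paths and the ccd file name "branch" below are constructed for the demo.

# Print "NET MASK" for every active "route" line in an OpenVPN server config
# (comment lines and push "route ..." lines are not matched).
server_routes() {
    sed -n 's/^[[:space:]]*route[[:space:]][[:space:]]*\([0-9.][0-9.]*\)[[:space:]][[:space:]]*\([0-9.][0-9.]*\).*/\1 \2/p' "$1"
}

# Print "NET MASK" for every "iroute" line found in any file of the ccd dir.
ccd_iroutes() {
    cat "$1"/* 2>/dev/null |
    sed -n 's/^[[:space:]]*iroute[[:space:]][[:space:]]*\([0-9.][0-9.]*\)[[:space:]][[:space:]]*\([0-9.][0-9.]*\).*/\1 \2/p'
}

# check_iroutes SERVER_CONF CCD_DIR
# Reports every server "route" with no matching "iroute" in any ccd file,
# and every "iroute" with no matching "route" (those packets would never be
# handed to the tun device at all).  Returns 0 when both lists are empty.
check_iroutes() {
    conf="$1"; ccd="$2"; problems=0
    routes=$(server_routes "$conf")
    iroutes=$(ccd_iroutes "$ccd")
    # Entries are compared as "NET/MASK" tokens so a plain for loop can walk them.
    for entry in $(printf '%s\n' "$routes" | tr ' ' '/'); do
        if ! printf '%s\n' "$iroutes" | tr ' ' '/' | grep -qxF "$entry"; then
            echo "MISSING iroute for ${entry%/*} ${entry#*/} in $ccd"
            problems=$((problems + 1))
        fi
    done
    for entry in $(printf '%s\n' "$iroutes" | tr ' ' '/'); do
        if ! printf '%s\n' "$routes" | tr ' ' '/' | grep -qxF "$entry"; then
            echo "MISSING route for ${entry%/*} ${entry#*/} in $conf"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# write_fixture DIR yes|no
# Constructed fixture modelled on the thread's topology.  With "yes" the ccd
# file carries the iroute; with "no" it is left empty, reproducing the
# "kernel route but no iroute" misconfiguration.
write_fixture() {
    dir="$1"
    mkdir -p "$dir/ccd"
    cat > "$dir/server.conf" <<EOF
dev tun
server 10.0.3.0 255.255.255.0
client-config-dir $dir/ccd
# LAN behind the server, pushed to clients
push "route 192.168.0.0 255.255.255.0"
# LAN behind the client: kernel route into the tun device
route 172.16.0.0 255.255.255.0
EOF
    if [ "$2" = yes ]; then
        # ccd file is named after the client certificate CN (constructed name)
        echo "iroute 172.16.0.0 255.255.255.0" > "$dir/ccd/branch"
    else
        : > "$dir/ccd/branch"
    fi
}

# demo_complete: both directives present, check passes (returns 0).
demo_complete() {
    d=$(mktemp -d); write_fixture "$d" yes
    check_iroutes "$d/server.conf" "$d/ccd"; rc=$?
    rm -rf "$d"; return $rc
}

# demo_missing_iroute: kernel route only, check reports the gap (returns 1).
demo_missing_iroute() {
    d=$(mktemp -d); write_fixture "$d" no
    check_iroutes "$d/server.conf" "$d/ccd"; rc=$?
    rm -rf "$d"; return $rc
}

# Stand-alone run: the complete fixture passes, the one without iroute fails.
demo_complete && echo "complete fixture: no problems"
demo_missing_iroute || echo "fixture without iroute: problems listed above (expected)"
```

On a real server, source the file and run check_iroutes /etc/openvpn/server.conf /etc/openvpn/ccd (or whatever client-config-dir names). A clean result only proves the two OpenVPN directives agree; the kernel routes in the thread and the FORWARD rules on both ends still have to be right as well.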
10-10-2005, 05:49 PM, #9
LQ Newbie
Registered: Jun 2004
Location: Chicago, IL
Distribution: fedora / centos / rhel
Posts: 12
ok - i think the routing looks mainly ok assuming the client and server are the default gateways for their respective subnets.
only partially knowing what your firewall is setup like, perhaps this might give you some hint - i use firestarter to configure my firewalls, so from their faq:
Quote:
How to use the VPN workarounds in Firestarter 1.0
Copy the lines specific to your VPN solution listed below, and paste them into the /etc/firestarter/user-pre file on the firewall host. Restarting the firewall, for example by executing "/etc/firestarter/firewall.sh start", commits the new settings.
<SNIP>
OpenVPN
OpenVPN is an easy to use cross-platform VPN solution that is also Open Source. If OpenVPN is to be used on the computer that Firestarter is running on, traffic must be allowed to and from the OpenVPN virtual interface with the following lines:
# Allow traffic on the OpenVPN interface
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT
http://www.fs-security.com/docs/vpn.php