LinuxQuestions.org

Linux - Newbie: https://www.linuxquestions.org/questions/linux-newbie-8/dont-understand-openvpn-ip-assignment-749475/

jonaskellens 08-22-2009 03:24 AM

Don't understand OpenVPN IP-assignment
 
On the OpenVPN-server :

server.conf :
Code:

port 1194
proto udp
dev tun
ca XX
cert XX
key XX
dh XX
server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 10.8.0.0 255.255.255.252

/ccd/my-client :
Code:

ifconfig-push 10.8.0.1 10.8.0.2 (from server.conf documentation)

When I connect my Fedora-client to the OpenVPN-server :

on my Fedora-client :
Code:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:2 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

I can only ping 10.8.0.6

on the OpenVPN-server :
Code:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

I can only ping 10.8.0.1

Can someone tell me the meaning of "inet addr:10.8.0.6 P-t-P:10.8.0.5" on the Fedora-client and "inet addr:10.8.0.1 P-t-P:10.8.0.2" on the OpenVPN-server ??

Shouldn't my OpenVPN-server have the IP 10.8.0.1 and my client 10.8.0.2 ??

walruz 08-22-2009 12:52 PM

The server will use the 10.8.0.1 IP address:
Code:

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

With the CCD included you're trying to give the user the same IP address as the server. Try using the recommended settings:
Code:

ifconfig-push 10.9.0.1 10.9.0.2
and in the server.conf file
Code:

client-config-dir ccd
route 10.9.0.0 255.255.255.252

(beware that these lines are commented by default).

Try to reconnect. From the server, try to ping 10.8.0.1 (its local IP) which should respond fine. Then try to ping 10.9.0.1 (the client assigned IP address), which should also respond fine. Then from the client, try to ping its local (10.9.0.1) and then the server (10.8.0.1). If you're running a firewall, you may also want to add some rules to trust the tun0 interface.

jonaskellens 08-22-2009 01:52 PM

Thanks for your reply !

Followed your instructions :

on the OpenVPN-server (server.conf) :
Code:

server 10.8.0.0 255.255.255.0
client-config-dir ccd
route 10.9.0.0 255.255.255.252

(ccd)
Code:

bash-3.2# cat ccd/client-jonas
ifconfig-push 10.9.0.1 10.9.0.2

On the server :
Code:

bash-3.2# ping -c 4 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=0.062 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=0.061 ms
64 bytes from 10.8.0.1: icmp_seq=4 ttl=64 time=0.065 ms

--- 10.8.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.038/0.056/0.065/0.013 ms
bash-3.2# ping -c 4 10.9.0.1
PING 10.9.0.1 (10.9.0.1) 56(84) bytes of data.

--- 10.9.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3008ms

On the Fedora-client :
Code:

[jonas@jonas ~]$ ping -c 4 10.9.0.1
PING 10.9.0.1 (10.9.0.1) 56(84) bytes of data.

--- 10.9.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 12999ms

[jonas@jonas ~]$ ping -c 4 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.

--- 10.8.0.1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 13000ms

On my Fedora-client my firewall is turned off.

Extra oddity :
Code:

bash-3.2# cat ipp.txt
server.domain.tld,10.8.0.4

So the FQDN of the OpenVPN-server is listed there with an IP-address of 10.8.0.4
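As an added worked example (not code from the thread), here is the net30 addressing walruz describes and the ipp.txt line seen above, in Python: the server's own /30, the /30 a dynamically pooled client gets (10.8.0.6 P-t-P 10.8.0.5 for the first client, recorded as ",10.8.0.4" in ipp.txt), a check of a ccd `ifconfig-push` pair that flags the collision in the original config, and the matching `route` line. It assumes OpenVPN's default net30 topology; the function names are my own.

```python
import ipaddress

def _net(network, netmask):
    return ipaddress.ip_network(f"{network}/{netmask}", strict=True)

def server_endpoints(network, netmask):
    """net30: the server takes the first /30 of the pool: local .1, P-t-P .2."""
    base = int(_net(network, netmask).network_address)
    return str(ipaddress.ip_address(base + 1)), str(ipaddress.ip_address(base + 2))

def client_endpoints(network, netmask, index):
    """net30: the index-th pooled client (0-based) gets the next free /30,
    local = base+2 and P-t-P = base+1, i.e. 10.8.0.6 / 10.8.0.5 for the first."""
    net = _net(network, netmask)
    base = int(net.network_address) + 4 * (index + 1)
    if base + 3 > int(net.broadcast_address):
        raise ValueError("address pool exhausted")
    return str(ipaddress.ip_address(base + 2)), str(ipaddress.ip_address(base + 1))

def ipp_entry(common_name, network, netmask, index):
    """ifconfig-pool-persist (ipp.txt) records the client's /30 base, e.g. 'cn,10.8.0.4'."""
    base = int(_net(network, netmask).network_address) + 4 * (index + 1)
    return f"{common_name},{ipaddress.ip_address(base)}"

def check_ifconfig_push(local, remote, network, netmask):
    """Return the problems with a ccd 'ifconfig-push LOCAL REMOTE' line under net30."""
    problems = []
    l, r = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    sub = ipaddress.ip_network(f"{l}/30", strict=False)
    offsets = sorted(int(a) - int(sub.network_address) for a in (l, r))
    if r not in sub or offsets != [1, 2]:
        problems.append("LOCAL/REMOTE must be the [1,2] pair of one /30, e.g. .1/.2 or .5/.6")
    if {str(l), str(r)} & set(server_endpoints(network, netmask)):
        problems.append("pair collides with the server's own tun endpoints")
    return problems

def route_line(local):
    """The server.conf 'route' that sends the client's /30 into tun0."""
    sub = ipaddress.ip_network(f"{local}/30", strict=False)
    return f"route {sub.network_address} {sub.netmask}"

if __name__ == "__main__":
    print(client_endpoints("10.8.0.0", "255.255.255.0", 0))  # ('10.8.0.6', '10.8.0.5')
    # the original ccd line: same /30 as the server itself
    print(check_ifconfig_push("10.8.0.1", "10.8.0.2", "10.8.0.0", "255.255.255.0"))
    print(check_ifconfig_push("10.9.0.1", "10.9.0.2", "10.8.0.0", "255.255.255.0"))  # []
```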

walruz 08-22-2009 02:12 PM

I assume the firewall is turned on on your server. Which firewall is it? You may want to try disabling it for a couple seconds, ping back & forth and then re-enable it.

On the client, if you execute the route command, this should be the output:
Code:

10.9.0.2        *              255.255.255.255 UH    0      0        0 tun0
client_name    10.9.0.2        255.255.255.255 UGH  0      0        0 tun0

and this should be the output on the server:
Code:

10.8.0.2        *              255.255.255.255 UH    0      0        0 tun0
10.9.0.0        10.8.0.2        255.255.255.252 UG    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0  UG    0      0        0 tun0

Let me know what your route results for tun0 are and if the server's firewall disabling helped. If so, adjust it to accept everything (for starters) from tun0.

jonaskellens 08-22-2009 02:47 PM

Quote:

Originally Posted by walruz (Post 3653815)
I assume the firewall is turned on on your server. Which firewall is it? You may want to try disabling it for a couple seconds, ping back & forth and then re-enable it.

The firewall is CSF/LFD (http://www.configserver.com/cp/csf.html)

Route on client firewall enabled :
Code:

[root@jonas jonas]# route
Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
10.8.0.5        *              255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH  0      0        0 tun0
vpsXXXX.xlshost clarkconnect.jo 255.255.255.255 UGH  0      0        0 wlan0
192.168.1.0    *              255.255.255.0  U    2      0        0 wlan0
default        10.8.0.5        0.0.0.0        UG    0      0        0 tun0

Route on client firewall disabled :
Code:

[root@jonas jonas]# route
Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
10.8.0.5        *              255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH  0      0        0 tun0
vpsXXXX.xlshost clarkconnect.jo 255.255.255.255 UGH  0      0        0 wlan0
192.168.1.0    *              255.255.255.0  U    2      0        0 wlan0
default        10.8.0.5        0.0.0.0        UG    0      0        0 tun0


walruz 08-22-2009 02:52 PM

Routes are not changed by firewalls (at least not in Linux stateful firewalls), only iptables tables.
You're still having the 10.8.0.5 IP address that is based on your old server.conf settings. Restart the OpenVPN service on the server, reconnect and try to disable the firewall on the server for a minute and ping back & forth.

jonaskellens 08-23-2009 01:21 PM

Although not secure, I have totally disabled the firewall.
Next I restart the OpenVPN-server and clear the file ipp.txt.

Code:

bash-3.2# /sbin/service lfd stop
Stopping lfd:                                              [  OK  ]

Code:

bash-3.2# /sbin/service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination       

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination


Code:

bash-3.2# /sbin/service openvpn restart
Shutting down openvpn:                                    [  OK  ]
Starting openvpn:                                          [  OK  ]

Code:

bash-3.2# cat ipp.txt
bash-3.2#


On my Fedora host, when VPN-connected :
Code:

[jonas@jonas ~]$ route
Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
10.8.0.5        *              255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH  0      0        0 tun0
vpsXXX.XXXhost clarkconnect.jo 255.255.255.255 UGH  0      0        0 wlan0
192.168.1.0    *              255.255.255.0  U    2      0        0 wlan0
default        10.8.0.5        0.0.0.0        UG    0      0        0 tun0

If not from the server, where could these routes come from ? I don't have a client.conf on my Fedora client or any other file besides the necessary keys where any IP-addresses or routes are defined.

I add the following :

No firewall active, I am directly connected to the internet, no NAT :
on the VPN-server :
Code:

bash-3.2# /sbin/route
Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
10.8.0.2        *              255.255.255.255 UH    0      0        0 tun0
10.9.0.0        10.8.0.2        255.255.255.252 UG    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0  UG    0      0        0 tun0
X.31.X.0      *              255.255.255.0  U    0      0        0 eth0
169.254.0.0    *              255.255.0.0    U    0      0        0 eth0
default        gw-vxx.xx-xx.ne 0.0.0.0        UG    0      0        0 eth0

X.31.X.0 = IP of OpenVPN-server
The only IP-address I can ping is 10.8.0.1, no other. Also not 10.9.0.1 or anything else...

On my Fedora-client :
Code:

[jonas@jonas ~]$ route
Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
10.8.0.5        *              255.255.255.255 UH    0      0        0 tun0
10.8.0.1        10.8.0.5        255.255.255.255 UGH  0      0        0 tun0
XX.31.XX.XX    78.XX.XX.1    255.255.255.255 UGH  0      0        0 eth0
78.XX.XX.0    *              255.255.240.0  U    1      0        0 eth0
default        10.8.0.5        0.0.0.0        UG    0      0        0 tun0

XX.31.XX.XX = IP of OpenVPN-server
78.XX.XX.1 = IP ISP-router
78.XX.XX.0 = ISP network

