Issues accessing inside resources using OpenVPN.
One of the projects I'm working on is setting up a Linux (Ubuntu Server 12.10) PC as a router/firewall/gateway (which is working great!). I'm also going to set up the system to act as a VPN server using OpenVPN. I seem to be having an issue accessing my server when using the VPN. The steps I've completed:

- Installed OpenVPN.
- Configured certificates for both the server and the client.
- Installed and configured OpenVPN on a Microsoft Windows 7 (64-bit) system.

On the outside, I've connected, authenticated with the VPN server, and been assigned an IP address. I can ping and even access the Linux system (via SSH and Webmin) using the Linux system's tunnel address, not its inside address. I cannot ping or access any device on the inside. I'm guessing it's a routing or firewall issue. My issue is that I'm a novice with the Linux firewall (iptables) and how to properly permit VPN clients access to the inside network. Any suggestions would be great!
Hi,
Check if IP forwarding is enabled:

    cat /proc/sys/net/ipv4/ip_forward
    1

Add an iptables rule to allow traffic from the OpenVPN tunnel interface, usually tun0:

    iptables -I FORWARD -i tun0 -j ACCEPT
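As an added example (not code from the thread), here is an offline version of the two checks in the reply above, plus the rule set a gateway actually needs: the forwarding flag, an ACCEPT for traffic entering from tun0, and an ACCEPT for the replies coming back from the LAN into the tunnel, which a single `-i tun0 -j ACCEPT` with a DROP policy leaves uncovered. The inside interface (eth1), inside subnet (192.168.1.0/24) and VPN pool (10.8.0.0/24) are assumptions; the thread never states them. The checks take the `ip_forward` value and the `iptables -S FORWARD` output as arguments so they run without root.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for what a Linux
# VPN gateway needs before tun0 clients can reach the inside network.
# Interface and subnet names below are assumptions.
TUN_IF="tun0"                # tunnel interface named in the replies
LAN_IF="eth1"                # assumed inside-facing interface
LAN_ADDR="192.168.1.0"       # assumed inside subnet ...
LAN_MASK="255.255.255.0"     # ... and its netmask
VPN_NET="10.8.0.0/24"        # assumed OpenVPN pool (client showed 10.8.0.x)

# check_ip_forward VALUE: VALUE is the content of /proc/sys/net/ipv4/ip_forward.
check_ip_forward() {
    case "$1" in
        1) echo ok ;;
        *) echo disabled ;;
    esac
}

# check_forward_rules RULES: RULES is the text of `iptables -S FORWARD`.
# Prints one of:
#   policy-accept    the chain accepts everything by default (nothing filtered)
#   ok               tunnel->LAN and the return path are both accepted
#   missing-return   tunnel->LAN accepted, but replies back into tun0 are not
#   missing-tun      nothing accepts traffic entering from the tunnel
check_forward_rules() {
    rules="$1"
    case "$rules" in
        *"-P FORWARD ACCEPT"*) echo policy-accept; return 0 ;;
    esac
    if ! printf '%s\n' "$rules" | grep -Eq -e "-A FORWARD .*-i $TUN_IF .*-j ACCEPT"; then
        echo missing-tun; return 1
    fi
    # Replies need either an explicit -o tun0 rule or a generic
    # RELATED,ESTABLISHED rule (conntrack or the older state match).
    if ! printf '%s\n' "$rules" | grep -Eq \
            -e "-A FORWARD .*-o $TUN_IF .*-j ACCEPT" \
            -e "-A FORWARD .*ESTABLISHED.*-j ACCEPT"; then
        echo missing-return; return 1
    fi
    echo ok
}

# print_fix_rules: the settings to apply, scoped to the VPN pool and the
# inside subnet rather than a blanket "-i tun0 -j ACCEPT".
print_fix_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i $TUN_IF -o $LAN_IF -s $VPN_NET -d $LAN_ADDR/24 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $TUN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# OpenVPN server.conf: hand clients a route to the inside subnet
push "route $LAN_ADDR $LAN_MASK"
# Only if inside hosts have no route back to $VPN_NET via this gateway:
iptables -t nat -A POSTROUTING -s $VPN_NET -o $LAN_IF -j MASQUERADE
EOF
}

# Constructed sample: `iptables -S FORWARD` after only the single rule
# from the reply was inserted, with a DROP policy.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -i tun0 -j ACCEPT'
echo "ip_forward: $(check_ip_forward 1)"
echo "FORWARD:    $(check_forward_rules "$SAMPLE_RULES")"
print_fix_rules
```

On a real gateway, feed it live values with `check_ip_forward "$(cat /proc/sys/net/ipv4/ip_forward)"` and `check_forward_rules "$(iptables -S FORWARD)"`. The MASQUERADE line is optional: it hides the VPN pool behind the gateway's inside address, which works even when inside hosts know nothing about 10.8.0.0/24, at the cost of losing the client's real source address in inside logs.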
IPv4 is already being forwarded. I've also applied the rule in the iptables, but still no luck.
On the Windows 7 machine, while connecting via OpenVPN client does it show any errors in the onscreen logs?
Run the OpenVPN client as Administrator and post the output of the route table (route print).
One other thing I noticed before I connected is that port 1194 may be blocked: I did a port scan and 1194 isn't responding. Although it's kind of bizarre that my notebook is able to connect to the VPN.
Below is the Win7 route output:

    ===========================================================================
    Interface List
     22...00 ff c6 df 4b 83 ......TAP-Windows Adapter V9
      9...00 21 9b d6 d9 fc ......Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
     10...00 21 5c 7d 82 ef ......Intel(R) Wireless WiFi Link 4965AGN
      1...........................Software Loopback Interface 1
     26...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
     19...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
     21...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
     24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
     25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.6.1     192.168.6.28     25
             10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6     30
             10.8.0.4  255.255.255.252         On-link          10.8.0.6    286
             10.8.0.6  255.255.255.255         On-link          10.8.0.6    286
             10.8.0.7  255.255.255.255         On-link          10.8.0.6    286
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
          192.168.6.0    255.255.255.0         On-link      192.168.6.28    281
         192.168.6.28  255.255.255.255         On-link      192.168.6.28    281
        192.168.6.255  255.255.255.255         On-link      192.168.6.28    281
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link          10.8.0.6    286
            224.0.0.0        240.0.0.0         On-link      192.168.6.28    281
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link          10.8.0.6    286
      255.255.255.255  255.255.255.255         On-link      192.168.6.28    281
    ===========================================================================
    Persistent Routes:
      None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
     19     58 ::/0                     On-link
      1    306 ::1/128                  On-link
     19     58 2001::/32                On-link
     19    306 2001:0:4137:9e76:2854:32c2:3f57:f9e3/128
                                        On-link
     22    286 fe80::/64                On-link
     19    306 fe80::/64                On-link
     22    286 fe80::1e4:2886:91df:67e5/128
                                        On-link
     19    306 fe80::2854:32c2:3f57:f9e3/128
                                        On-link
      1    306 ff00::/8                 On-link
     19    306 ff00::/8                 On-link
     22    286 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
To check port 1194 is open:

    telnet <vpn-server-ip> 1194

From your route table output: there's no default route being added by the OpenVPN client. Exit the OpenVPN client. Right-click on the OpenVPN icon and select "Run as administrator". This should enable the OpenVPN client to add a default route through the VPN tunnel.
Before I launched the VPN client, I selected "Run as Administrator". As for the port, it seems to be blocked. Connecting via PuTTY closes the window, and Microsoft telnet fails to connect when specifying port 1194.