OpenVPN configuration problem

From: Franck (franck_at_franck.net)
Date: 06/14/05


Date: Tue, 14 Jun 2005 20:02:31 +0200

Hello,

I'm trying to set up a VPN between 2 Linux hosts (remotely connected to
each other through the Internet) using OpenVPN 2.0.1.

I succeeded in establishing the VPN between both hosts in both directions
(Host1 being server and Host2 being client, or Host1 being client and Host2
being server). But I have a routing problem outside of the Linux hosts, as no
ping is possible except the ping of the virtual network addresses created
through the VPN and the ping of the LAN IP address from the client to the
server. A ping from server to client on the LAN IP address is also not working,
and no other host on either LAN can ping the other side of the VPN.

Here is the detailed network configuration:

Host1 (Linux FC3): 192.168.1.1 (net: 192.168.1.0/24). This host has a
single NIC interface.
It is located on a LAN where there is an ADSL router at
192.168.1.139.
Several other computers are also on this network.

Host2 (Linux FC3): 192.168.0.1 (net: 192.168.0.0/24). This host also has
a single NIC interface.
It is on a LAN where there is an ADSL router at 192.168.0.138.

Both LANs connect to the Internet via the ADSL router, and port forwarding
of 1194 has been enabled on both. The firewall is on on the routers, but the rules
have been temporarily removed to be sure there's no firewall problem.
Firewall rules on the Linux servers have also been temporarily removed.

When the VPN is established, a VPN network is created using the 10.8.0.0
network.
The server takes 10.8.0.1 (IP)/10.8.0.2 (P-t-P).
The client takes 10.8.0.6 (IP)/10.8.0.5 (P-t-P).

******* Routes established after VPN connection:
*** Server:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         192.168.1.139   0.0.0.0         UG    0      0        0 eth0

*** Client:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.5        *               255.255.255.255 UH    0      0        0 tun0
10.8.0.0        10.8.0.5        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     10.8.0.5        255.255.255.0   UG    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         192.168.0.138   0.0.0.0         UG    0      0        0 eth0

******* TUN interfaces created are:
*** Server:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

*** Client:
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1

******* Config files:
*** Server:
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/host1.crt
key /etc/openvpn/keys/host1.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
client-config-dir /etc/openvpn
route 192.168.0.0 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

The client-specific file on the server contains this single line:
iroute "192.168.0.1 255.255.255.0"

*** Client:
client
dev tun
proto udp
remote fcaconde.dyndns.org 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/optiplex2-client.crt
key /etc/openvpn/keys/optiplex2-client.key
ns-cert-type server
comp-lzo
verb 4

*** TCP forwarding has been enabled on both hosts using:
echo 1 > /proc/sys/net/ipv4/ip_forward

Based on that config, here is what happens:

From server:
1- PING 10.8.0.6 is OK
2- PING 10.8.0.5 is NOK
3- PING 192.168.0.1 is OK only after creation of the client-specific file on
the server
4- PING 192.168.0.X is NOK. Using "tcpdump -i tun0" on the client shows
that no traffic is coming from the server!

From client:
1- PING 10.8.0.1 is OK
2- PING 10.8.0.2 is NOK
3- PING 192.168.1.1 is OK.
4- PING 192.168.1.X is NOK. Using "tcpdump -i tun0" on the server shows
traffic coming from the client, so probably a problem of setting up return routes
on the other hosts on the server LAN.

Could someone explain to me what I am doing wrong?
Is there another hidden option somewhere?
Why is no other traffic possible than the one between the Linux hosts?
Does it come from the fact that our servers are equipped with a single NIC
interface?

Thanks for your help.
Franck.
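An added example, not part of the original post and not OpenVPN's own code: a POSIX sh checker for the two halves of the client-side LAN routing the post relies on, "route <net> <mask>" in the server config and "iroute <net> <mask>" in the client-config-dir file. It reports an iroute written with host bits set (192.168.0.1 instead of the network address 192.168.0.0) and an iroute that has no matching "route" in the server config, and it strips double quotes before parsing because OpenVPN's config parser treats a quoted string as a single argument. The file names, the ccd directory layout and the client CN "optiplex2-client" used for the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the post, not OpenVPN's code): check that every
# "iroute" in a client-config-dir file is a network address and has a matching
# "route" line in the server config. Paths and the sample CN are assumptions.

# Convert a dotted quad to an integer (192.168.0.1 -> 3232235521).
ip4_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# Convert an integer back to a dotted quad.
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of ADDR MASK -> ADDR with its host bits cleared.
network_of() {
    int_to_ip4 $(( $(ip4_to_int "$1") & $(ip4_to_int "$2") ))
}

# check_iroute ADDR MASK SERVER_CONF
# Prints one line per finding; returns 0 only when ADDR is a network address
# and SERVER_CONF carries "route ADDR MASK" (the kernel route into tun0).
check_iroute() {
    net=$(network_of "$1" "$2")
    rc=0
    if [ "$net" != "$1" ]; then
        echo "iroute $1 $2: host bits set, write it as 'iroute $net $2'"
        rc=1
    fi
    # Escape dots and allow any run of blanks between the two fields.
    pat=$(printf '%s %s' "$net" "$2" | sed 's/\./\\./g; s/ /[[:space:]][[:space:]]*/')
    if ! grep -q "^[[:space:]]*route[[:space:]][[:space:]]*$pat" "$3"; then
        echo "iroute $1 $2: no 'route $net $2' in $3, so the server kernel has no route for $net into tun0"
        rc=1
    fi
    return $rc
}

# check_ccd_dir CCD_DIR SERVER_CONF: run check_iroute over every iroute line in
# every ccd file. Double quotes are removed first: OpenVPN would otherwise pass
# the whole quoted string as one argument instead of two.
check_ccd_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        sed -n 's/^[[:space:]]*iroute[[:space:]]*//p' "$f" | tr -d '"' |
        while read -r addr mask rest; do
            check_iroute "$addr" "$mask" "$2" || exit 1
        done || rc=1
    done
    return $rc
}

# make_sample DIR: constructed input modelled on the post's server config and
# ccd file (the CN "optiplex2-client" is an assumption).
make_sample() {
    mkdir -p "$1/ccd"
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
route 192.168.0.0 255.255.255.0
client-to-client
EOF
    printf 'iroute "192.168.0.1 255.255.255.0"\n' > "$1/ccd/optiplex2-client"
}

# Stand-alone run: build the sample and check it; exits non-zero on findings.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_sample "$d"
    check_ccd_dir "$d/ccd" "$d/server.conf"
fi
```

Run as `sh check.sh --demo` to see the findings on the constructed sample, or call `check_ccd_dir /etc/openvpn/ccd /etc/openvpn/server.conf` against a real install (with the post's `client-config-dir /etc/openvpn` the ccd directory is the config directory itself, so pass that). The check covers only the server side of the pairing; the second symptom in the post, other hosts on each LAN getting no reply, is outside it: those hosts send replies to the ADSL router as their default gateway, which has no route for 10.8.0.0/24 or the remote LAN, so each router (or each host) needs a static route for both networks via the local Linux host, or the Linux hosts need an SNAT/MASQUERADE rule on tun0.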