Re: OpenVPN configuration problem

From: Steve Horsley (steve.horsley_at_gmail.com)
Date: 06/16/05


Date: Wed, 15 Jun 2005 23:46:24 +0100

Franck wrote:
> Hi,
>
> thanks for your answer.
>
> I've progressed a bit based on your suggestion, but there are still some
> problems.
>
> Here is what I did :
> - I configured tun device driver as mentioned.
> - I set up proper routes on the other hosts of each LAN. I added 2 each time:
> *** On server's LAN hosts :
> route to 10.8.0.0 via 192.168.1.1
> route to 192.168.0.0 via 192.168.1.1
>
> *** On client's LAN hosts :
> route to 10.8.0.0 via 192.168.0.1
> route to 192.168.1.0 via 192.168.0.1
>

Looks good...

> Now,
> - when I ping from the client a host on server's LAN, it works.
> - when I ping from the server a host on client's LAN, it works only if I add
> the host in the client config file on server. Which is very strange to me!!!

Ah! I think I know why this is. There is a virtual router sitting
in the middle of the VPN, with the two IP addresses 10.8.0.2 and
10.8.0.6. Maybe the client config is pushing routes into this
virtual router, telling it which of many possible clients the
192.168.1.x network can be reached on. So I guess the client
config should specify the client network - 192.168.1.0 255.255.255.0.

>
> BUT :
> - if I ping from a host on the client's LAN to a host on server's LAN, it
> doesn't work!
> - if I ping from a host on the server's LAN to a host on client's LAN, it
> doesn't work!
>
> tcpdump -i tun0 on each machine doesn't show any traffic in this case. So it
> means nothing is sent via the VPN tunnel when the packet is coming from the
> LAN.
>
> I've checked that ip_forward is enabled on each Linux box.

This I don't understand. We know that forwarding is enabled
because the client can ping the server LAN (proves the server can
forward) and the server can ping the client LAN (proves the
client can forward). It really smells like either missing routes
or firewall entries to me. I would probably use tcpdump to prove
that packets are (not) traversing every interface on every step
of this journey. Prove they arrive on eth0, prove they exit on
tun0 etc. Try to find exactly where they are going missing.

Steve
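The following script is an added example, not part of the original post and not OpenVPN code. It is a desk-check of the routing tables discussed in this thread: it models Steve's "virtual router" as an extra hop whose only routes come from the `iroute` lines of a client-config-dir file, and walks a ping hop by hop through the kernel routing tables of the LAN host, the OpenVPN server and the OpenVPN client, reporting the first hop that has no route for the destination. The addresses are the ones Franck quoted (client LAN 192.168.0.0/24 behind 192.168.0.1, server LAN 192.168.1.0/24 behind 192.168.1.1, VPN 10.8.0.0); the VPN netmask, the client's VPN address 10.8.0.6, the hop names and all table contents are constructed for the example. It complements, but does not replace, the interface-by-interface tcpdump check Steve recommends, since it cannot see firewall drops.

```python
import ipaddress

# Constructed routing tables, one per hop, in ip-route style
# ("prefix dev iface" or "prefix via gateway"). Addresses follow the
# thread: server LAN 192.168.1.0/24 (server at 192.168.1.1), client LAN
# 192.168.0.0/24 (client at 192.168.0.1). The VPN /24 and the client's
# VPN address 10.8.0.6 are assumptions.
SERVER_LAN_HOST = """
192.168.1.0/24 dev eth0
10.8.0.0/24 via 192.168.1.1
192.168.0.0/24 via 192.168.1.1
"""
SERVER_KERNEL = """
192.168.1.0/24 dev eth0
10.8.0.0/24 dev tun0
192.168.0.0/24 dev tun0
"""
CLIENT_KERNEL = """
192.168.0.0/24 dev eth0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev tun0
"""
CLIENT_LAN_HOST = """
192.168.0.0/24 dev eth0
10.8.0.0/24 via 192.168.0.1
192.168.1.0/24 via 192.168.0.1
"""
CLIENT_VPN_IP = "10.8.0.6"
# Constructed client-config-dir file for this client, with and without
# the line that tells the OpenVPN server which client owns the LAN.
CCD_WITH_IROUTE = "iroute 192.168.0.0 255.255.255.0\n"
CCD_WITHOUT_IROUTE = ""


def parse_kernel_routes(text):
    """Parse ip-route style lines into (network, action) tuples."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"bad route line: {line!r}")
        routes.append((ipaddress.ip_network(fields[0]), f"{fields[1]} {fields[2]}"))
    return routes


def parse_iroutes(ccd_text, client_vpn_ip):
    """Build the OpenVPN server's internal table for one client: the client's
    own VPN address plus every 'iroute net mask' line in its ccd file."""
    routes = [(ipaddress.ip_network(f"{client_vpn_ip}/32"), "client")]
    for line in ccd_text.strip().splitlines():
        fields = line.split()
        if fields[:1] == ["iroute"] and len(fields) == 3:
            routes.append((ipaddress.ip_network(f"{fields[1]}/{fields[2]}"), "client"))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; None when the table has no route for dst.
    (The model treats 'no route' as a drop; a real host might instead send
    the packet to a default gateway, which is equally wrong here.)"""
    dst = ipaddress.ip_address(str(dst))
    best = None
    for net, action in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best


def trace(chain, dst):
    """Walk dst through each hop's table in order and stop at the first hop
    that has no route. Returns (delivered, dropped_at, steps)."""
    steps = []
    for name, routes in chain:
        match = lookup(routes, dst)
        if match is None:
            steps.append((name, None))
            return False, name, steps
        steps.append((name, f"{match[0]} {match[1]}"))
    return True, None, steps


def server_to_client_chain(ccd_text):
    """Hops a packet crosses from a server-LAN host to a client-LAN host."""
    return [
        ("server-lan-host", parse_kernel_routes(SERVER_LAN_HOST)),
        ("server-kernel", parse_kernel_routes(SERVER_KERNEL)),
        ("openvpn-server", parse_iroutes(ccd_text, CLIENT_VPN_IP)),
        ("client-kernel", parse_kernel_routes(CLIENT_KERNEL)),
    ]


def client_to_server_chain(client_lan_host_routes=CLIENT_LAN_HOST):
    """Hops in the other direction; the client's tun0 is point-to-point with
    the server, so no internal routing decision is modelled on that side."""
    return [
        ("client-lan-host", parse_kernel_routes(client_lan_host_routes)),
        ("client-kernel", parse_kernel_routes(CLIENT_KERNEL)),
        ("server-kernel", parse_kernel_routes(SERVER_KERNEL)),
    ]


if __name__ == "__main__":
    for label, ccd in (("without iroute", CCD_WITHOUT_IROUTE), ("with iroute", CCD_WITH_IROUTE)):
        delivered, dropped_at, steps = trace(server_to_client_chain(ccd), "192.168.0.10")
        print(f"server LAN -> client LAN {label}: "
              + ("delivered" if delivered else f"dropped at {dropped_at}"))
        for name, route in steps:
            print(f"  {name:16} {route or 'NO ROUTE'}")
```

Run as-is, the server-LAN to client-LAN ping is dropped at the `openvpn-server` hop until the `iroute` line is present, which matches the symptom Franck describes: a kernel `route` (or a pushed route) only gets the packet onto tun0, and the OpenVPN server still needs `iroute` in the client's ccd file to know which connected client the 192.168.0.0/24 LAN sits behind. Swapping in a LAN host table that lacks the route to the far LAN shows the other failure, a drop at the first hop, which is the "missing routes" case Steve suspects.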
