openVPN routing issue
David Bandel
david.bandel
Thu Jan 25 13:21:26 PST 2007
On 1/25/07, Tim Wunder <tim at thewunders.org> wrote:
> I'm trying to create a VPN tunnel from linux to linux using openVPN so that a
> server on the local LAN behind the client can have access to a device (a
> printer) located on the local LAN behind the server. I've managed to
> configure everything so that I can create a connection from the client to the
> server, and can ping from the client box to the server, and to devices on the
> local LAN behind the server. The problem is, I can't ping from the server to
> the client, or the LAN behind the client. Nor can I ping from the LAN behind
> the client to the server, or the LAN behind the server.
The below looks OK. What I would check first is to ensure the client
is routing, i.e., /etc/sysctl.conf has one or more of the following
lines:
net.ipv4.conf.default.forwarding=1
net.ipv4/ip_forward=1
You'll need the top line for recent kernels, the bottom line for older
ones (not sure where the change came in, but around 2.6.16).
>
> The server:
> running openvpn 2.0.7 on CentOS 4
> eth0 is 192.168.2.252
>
> The client:
> also running openvpn 2.0.7, but on Fedora Core 4
> eth0 is 192.168.1.2
> eth1 is 192.168.1.1
>
> the server conf file:
> # egrep -v "^(#|;|*$)" /etc/openvpn/server.conf
> port 1194
> proto tcp
> dev tun
> ca /etc/openvpn/serverkeys/ca.crt
> cert /etc/openvpn/serverkeys/rescodefense_server.crt
> key /etc/openvpn/serverkeys/rescodefense_server.key # This file should be kept secret
> dh /etc/openvpn/serverkeys/dh1024.pem
> server 10.8.0.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> push "route 192.168.2.0 255.255.255.0"
> client-config-dir ccd
> route 192.168.1.0 255.255.255.0
> client-to-client
> keepalive 10 120
> comp-lzo
> user nobody
> group nobody
> persist-key
> persist-tun
> status openvpn-status.log
> verb 5
>
> the ccd/<client> file is as follows:
> # cat ccd/rescoelectronics
> iroute 192.168.1.0 255.255.255.0
>
> The client conf file:
> # egrep -v "^(#|;|*$)" /etc/openvpn/client.conf
> client
> dev tun
> proto tcp
> remote home.rescodefense.com 1194
> resolv-retry infinite
> nobind
> user nobody
> group nobody
> persist-key
> persist-tun
> ca /etc/openvpn/rescodefense_ca.crt
> cert /etc/openvpn/clientkeys/rescoelectronics_client.crt
> key /etc/openvpn/clientkeys/rescoelectronics_client.key
> comp-lzo
> verb 3
>
> after making the connection, this is the routing table of the server:
> # route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
> 192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> 0.0.0.0 192.168.2.254 0.0.0.0 UG 0 0 0 eth0
>
> after making the connection, this is the routing table of the client:
> # route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 192.168.2.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
> 10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
> 192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> 192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
> 0.0.0.0 192.168.1.253 0.0.0.0 UG 0 0 0 eth0
>
> Any idea what I'm doing wrong? Is there a better solution than trying to use
> openvpn to do this?
>
> Help would be greatly appreciated...
>
Just as a note (but not related to the above): the clocks cannot be
too far off from each other, so be sure to set them with ntpdate
during bootup and keep them sync'd w/ ntp.
Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
- Nemesis Air Racing Team motto
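An added example, not part of the thread above, that turns the two checks into an offline script: that every client LAN the server routes through the tunnel has both a `route` line in server.conf and a matching `iroute` line in a ccd file, that the client's sysctl.conf enables IPv4 forwarding (sysctl accepts both `.` and `/` as key separators, so the checker normalises both spellings), and that the kernel tables actually send the remote LAN out tun0. The config excerpts and the routing table are constructed from the values quoted in the thread; the sysctl.conf snippets are assumptions for illustration.

```python
"""Offline sanity checks for an OpenVPN site-to-site (routed) setup.

Example code added to illustrate the thread; not from the original post.
Inputs are constructed from the values quoted in the thread.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Constructed from the server.conf quoted in the thread (comment lines dropped).
SERVER_CONF = """
port 1194
proto tcp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
client-config-dir ccd
route 192.168.1.0 255.255.255.0
client-to-client
"""

# Constructed: ccd file name -> file contents, as in the thread.
CCD = {"rescoelectronics": "iroute 192.168.1.0 255.255.255.0\n"}

# Constructed from the server's `route -n` output in the thread.
SERVER_ROUTES = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.1.0     10.8.0.2        255.255.255.0   UG    0      0        0 tun0
0.0.0.0         192.168.2.254   0.0.0.0         UG    0      0        0 eth0
"""


def parse_openvpn_lines(text: str) -> List[List[str]]:
    """Tokenise config lines, dropping blank lines and '#'/';' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        entries.append(line.split())
    return entries


def _subnet(tokens: List[str]) -> ipaddress.IPv4Network:
    # tokens look like ['route', '192.168.1.0', '255.255.255.0']
    return ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)


def routes_from_server_conf(text: str) -> Set[ipaddress.IPv4Network]:
    """Subnets the server kernel routes into the tunnel (plain `route`, not `push "route ..."`)."""
    return {_subnet(t) for t in parse_openvpn_lines(text) if t[0] == "route" and len(t) >= 3}


def iroutes_from_ccd(ccd: Dict[str, str]) -> Dict[ipaddress.IPv4Network, str]:
    """Map each iroute'd subnet to the client (ccd file name) that owns it."""
    owners: Dict[ipaddress.IPv4Network, str] = {}
    for client, text in ccd.items():
        for t in parse_openvpn_lines(text):
            if t[0] == "iroute" and len(t) >= 3:
                owners[_subnet(t)] = client
    return owners


def missing_iroutes(server_conf: str, ccd: Dict[str, str]) -> List[str]:
    """Subnets with a server-side `route` but no client claiming them via `iroute`."""
    owners = iroutes_from_ccd(ccd)
    return sorted(str(n) for n in routes_from_server_conf(server_conf) if n not in owners)


def missing_routes(server_conf: str, ccd: Dict[str, str]) -> List[str]:
    """Subnets claimed via `iroute` that lack the kernel `route` in server.conf."""
    routed = routes_from_server_conf(server_conf)
    return sorted(str(n) for n in iroutes_from_ccd(ccd) if n not in routed)


_FORWARD_KEYS = ("net.ipv4.ip_forward",
                 "net.ipv4.conf.all.forwarding",
                 "net.ipv4.conf.default.forwarding")


def forwarding_enabled(sysctl_conf: str) -> bool:
    """True if sysctl.conf sets any IPv4 forwarding key to 1 (last assignment wins)."""
    state: Dict[str, str] = {}
    for raw in sysctl_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([\w./]+)\s*=\s*(\S+)$", line)
        if m:
            # sysctl(8) accepts '/' as well as '.' between key components.
            state[m.group(1).replace("/", ".")] = m.group(2)
    return any(state.get(k) == "1" for k in _FORWARD_KEYS)


def tunnel_gateway(route_n: str, subnet: str, iface: str = "tun0") -> Optional[str]:
    """Gateway used for `subnet` if the `route -n` table sends it out `iface`, else None."""
    want = ipaddress.ip_network(subnet)
    for line in route_n.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        try:
            dest = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        except ValueError:  # title and header lines are not addresses
            continue
        if dest == want and f[7] == iface:
            return f[1]
    return None


if __name__ == "__main__":
    print("route without iroute:", missing_iroutes(SERVER_CONF, CCD))
    print("iroute without route:", missing_routes(SERVER_CONF, CCD))
    print("client forwarding:", forwarding_enabled("net.ipv4.ip_forward = 1\n"))
    print("server -> 192.168.1.0/24 via", tunnel_gateway(SERVER_ROUTES, "192.168.1.0/24"))
```

Run it against your own server.conf, ccd directory and `route -n` output by swapping in the real text; an entry in `missing_iroutes` means OpenVPN has no client to hand those packets to even though the kernel already sends them to tun0, and `forwarding_enabled` returning False on the client is the case the reply above tells you to rule out first.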