openVPN routing issue
James McDonald
james
Thu Jan 25 13:27:12 PST 2007
Tim Wunder wrote:
> I'm trying to create a VPN tunnel from linux to linux using openVPN so that a
> server on the local LAN behind the client can have access to a device (a
> printer) located on the local LAN behind the server. I've managed to
> configure everything so that I can create a connection from the client to the
> server, and can ping from the client box to the server, and to devices on the
> local LAN behind the server. The problem is, I can't ping from the server to
> the client, or the LAN behind the client. Nor can I ping from the LAN behind
> the client to the server, or the LAN behind the server.
>
> The server:
> running openvpn 2.0.7 on CentOS 4
> eth0 is 192.168.2.252
>
> The client:
> also running openvpn 2.0.7, but on Fedora Core 4
> eth0 is 192.168.1.2
> eth1 is 192.168.1.1
>
> the server conf file:
> # egrep -v "^(#|;|*$)" /etc/openvpn/server.conf
> port 1194
> proto tcp
> dev tun
> ca /etc/openvpn/serverkeys/ca.crt
> cert /etc/openvpn/serverkeys/rescodefense_server.crt
> key /etc/openvpn/serverkeys/rescodefense_server.key # This file should be kept secret
> dh /etc/openvpn/serverkeys/dh1024.pem
> server 10.8.0.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> push "route 192.168.2.0 255.255.255.0"
> client-config-dir ccd
> route 192.168.1.0 255.255.255.0
> client-to-client
> keepalive 10 120
> comp-lzo
> user nobody
> group nobody
> persist-key
> persist-tun
> status openvpn-status.log
> verb 5
>
> the ccd/<client> file is as follows:
> # cat ccd/rescoelectronics
> iroute 192.168.1.0 255.255.255.0
>
> The client conf file:
> # egrep -v "^(#|;|*$)" /etc/openvpn/client.conf
> client
> dev tun
> proto tcp
> remote home.rescodefense.com 1194
> resolv-retry infinite
> nobind
> user nobody
> group nobody
> persist-key
> persist-tun
> ca /etc/openvpn/rescodefense_ca.crt
> cert /etc/openvpn/clientkeys/rescoelectronics_client.crt
> key /etc/openvpn/clientkeys/rescoelectronics_client.key
> comp-lzo
> verb 3
>
> after making the connection, this is the routing table of the server:
> # route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
> 192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> 0.0.0.0 192.168.2.254 0.0.0.0 UG 0 0 0 eth0
>
> after making the connection, this is the routing table of the client:
> # route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 10.8.0.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
> 192.168.2.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
> 10.8.0.0 10.8.0.5 255.255.255.0 UG 0 0 0 tun0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
> 192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> 192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
> 0.0.0.0 192.168.1.253 0.0.0.0 UG 0 0 0 eth0
>
> Any idea what I'm doing wrong? Is there a better solution than trying to use
> openvpn to do this?
>
> Help would be greatly appreciated...
>
> Thanks,
> Tim
>
Tim,
I use OpenVPN at work to link sites.
I have been tripped up by ip forwarding not being enabled, e.g.
cat /proc/sys/net/ipv4/ip_forward should return 1
If your client has a network behind it then the server and its subnet
need to know about the route(s).
Also sometimes something as simple as IPTables being enabled and
blocking pings.
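The three points above (forwarding, routes, a firewall eating the packets) can be checked mechanically. The script below is an added example, not something from this thread or from OpenVPN itself: the function names, the report layout and the iptables heuristic are mine; the subnets (10.8.0.0/24 tunnel, 192.168.1.0/24 behind the client, 192.168.2.0/24 behind the server) and the `route -n` column layout are taken from Tim's post. Each check reads from a file or stdin so it can be run against a saved dump as well as the live box.

```shell
#!/bin/sh
# Added example: OpenVPN site-to-site routing checklist.
# Assumed addressing (from the thread): tunnel 10.8.0.0/24, client LAN
# 192.168.1.0/24, server LAN 192.168.2.0/24. Function names are hypothetical.

# 1. Is IPv4 forwarding enabled on this box? Accepts an alternate file so the
#    check can be run against a constructed copy; defaults to the live sysctl.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# 2. Does a 'route -n' dump on stdin carry a route to destination $1 out of
#    interface $2 (and, if $3 is given, via gateway $3)?  On the VPN server
#    the far LAN should point at tun0; on a host behind the server it should
#    point at the server's LAN address (192.168.2.252 in the thread).
route_present() {
    awk -v d="$1" -v i="$2" -v g="${3:-}" '
        $1 == d && $NF == i && (g == "" || $2 == g) { found = 1 }
        END { exit !found }'
}

# 3. Does an 'iptables-save' dump on stdin let tunnel traffic be forwarded?
#    Heuristic: FORWARD policy ACCEPT, or an explicit ACCEPT rule matching a
#    tun interface. Anything else is flagged for a manual look.
forward_chain_allows_tun() {
    awk '
        /^:FORWARD/                              { policy = $2 }
        /^-A FORWARD/ && /-i tun/ && /-j ACCEPT/ { accept_tun = 1 }
        END { exit !(policy == "ACCEPT" || accept_tun) }'
}

# Live report for the box this runs on. $1 is the far-side LAN that should be
# reachable through tun0 (192.168.1.0 on the server, 192.168.2.0 on the client).
live_report() {
    far_net="${1:-192.168.1.0}"
    if ip_forward_enabled; then echo "ip_forward: on"
    else echo "ip_forward: OFF (sysctl -w net.ipv4.ip_forward=1)"; fi

    if command -v route >/dev/null 2>&1; then
        if route -n | route_present "$far_net" tun0; then
            echo "route to $far_net via tun0: present"
        else
            echo "route to $far_net via tun0: MISSING (check route/iroute/push)"
        fi
    fi

    if command -v iptables-save >/dev/null 2>&1; then
        if iptables-save 2>/dev/null | forward_chain_allows_tun; then
            echo "FORWARD chain: accepts tun traffic"
        else
            echo "FORWARD chain: may drop tunnel traffic (check -A FORWARD rules)"
        fi
    fi
}

# Usage on the server:  sh vpn_route_check.sh live 192.168.1.0
# Usage on the client:  sh vpn_route_check.sh live 192.168.2.0
if [ "${1:-}" = "live" ]; then
    live_report "${2:-}"
fi
```

On the LAN hosts behind each end, the same `route_present` check with a gateway argument confirms that the far subnet is routed to the OpenVPN box rather than to the site's default gateway; without that, replies from the printer's side never reach the tunnel even when the VPN endpoints themselves can ping each other.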