[Openvpn-users] Routing problems?


  • Subject: [Openvpn-users] Routing problems?
  • From: Brian Leyton <bleyton@xxxxxxxxxxxx>
  • Date: Fri, 11 Mar 2005 09:38:22 -0800

I've been following the discussion here, searching the list archives, reading the HOWTOs, FAQs, etc., and still can't get this working properly.
 
We currently have remote users connecting to our internal LAN through RAS/PPTP to an NT server.  Mostly they use it for connecting to an Exchange Server, and telnet to an AIX machine.  We have an IPCOP firewall, and we just port forward the VPN ports to the VPN server.  This works fine (most of the time).  For various reasons, I'd like to replace this with OpenVPN.
 
The internal network is 192.168.1.0/24.  192.168.1.4 is the IPCop.  It does my DHCP, and it serves as the LAN gateway.
 
I built a new Fedora Core 3 server, on which I'm installing OpenVPN.  I did not build Fedora with any firewall capabilities.  I built everything (OpenSSL, lzo and OpenVPN) from the tarballs, because I couldn't find pre-made RPM files.  The IP Address of this machine is 192.168.1.249.  I have the following statement in my startup script: 
 
echo "1" > /proc/sys/net/ipv4/ip_forward

The clients I'm testing from are using Windows XP Pro.  I'm using the Openvpn-Gui 1.0rc4 package.
 
I'm using OpenVPN 2.0rc16 on both ends.
 
Here are the config files:
 
Server.conf
 
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.4"
push "dhcp-option WINS 192.168.1.175"
keepalive 10 120
comp-lzo
user nobody
group nobody
daemon
persist-key
persist-tun
status openvpn-status.log
verb 3

client.conf
 
client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
 
I have added the following route statement to my IPCop:
 
route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.249

I also have a port forwarding rule for port 1194 to go to 192.168.1.249:1194
 
--------
 
So here's the problem.  When I connect, I can ping both directions to/from the client & server.  I can ping some machines from the client, but not others.  The name resolution via the WINS server seems to be working properly (it correctly finds the IP addresses for machines on the LAN).  The WINS Server/NT Domain controller is 192.168.1.175, and I can ping that one fine.  But I can't ping other NT servers, a FreeBSD server and other workstations.  A tcpdump on tun0 shows the ICMP requests, but no replies.
 
A tracert from the client only shows 10.8.0.1, no replies beyond that.  I can ping anything on the LAN from the OpenVPN server.
 
The machines that can't be reached from the client also cannot reach the client from the other direction.  For example, from a FreeBSD machine, when I traceroute to 10.8.0.6, it gets no replies beyond 192.168.1.249 (the OpenVPN server).
 
I just tried one more thing which has me really baffled.  I ran tcpdump on tun0, and then pinged 10.8.0.6 from the FreeBSD machine (192.168.1.104).  I see the ICMP echo requests, but no responses.  From the OpenVPN server, the requests look like they're coming from the IPCop machine.
 
I've tried this with the built-in firewall on the XP machine off and on, and there's no difference.
 
I'm at a dead-end.  I can't think of anything else to test/try.  Anyone have any ideas?
 
Brian Leyton
IT Manager
Commercial Petroleum Equipment
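As an added example (not part of Brian's post or of OpenVPN itself), a small Python script that pairs the ICMP echo requests and replies in a tun0 capture like the one described above, so the LAN hosts that never answer are listed rather than eyeballed. The capture lines are constructed in the style of modern `tcpdump -n -i tun0 icmp` output, using the addresses from the post.

```python
import re
from collections import defaultdict

# Constructed capture in modern tcpdump ICMP format (the post quotes none).
# 192.168.1.175 answers, 192.168.1.104 (the FreeBSD box) never does.
SAMPLE_CAPTURE = """\
09:38:01.000001 IP 10.8.0.6 > 192.168.1.175: ICMP echo request, id 512, seq 1, length 40
09:38:01.000900 IP 192.168.1.175 > 10.8.0.6: ICMP echo reply, id 512, seq 1, length 40
09:38:02.000001 IP 10.8.0.6 > 192.168.1.104: ICMP echo request, id 512, seq 1, length 40
09:38:03.000001 IP 10.8.0.6 > 192.168.1.104: ICMP echo request, id 512, seq 2, length 40
09:38:04.000001 IP 10.8.0.6 > 192.168.1.249: ICMP echo request, id 512, seq 1, length 40
09:38:04.000300 IP 192.168.1.249 > 10.8.0.6: ICMP echo reply, id 512, seq 1, length 40
"""

ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def pair_echoes(capture):
    """Map each (src, dst) echo flow to (requests_sent, replies_seen).

    A reply is credited only if it has the (id, seq) of a request seen in
    the opposite direction, so stray replies never mask a dead return path.
    """
    sent = defaultdict(set)      # (src, dst) -> {(id, seq)} requests seen
    answered = defaultdict(set)  # (src, dst) -> {(id, seq)} with a reply
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue  # other ICMP (unreachables, redirects) is not an echo
        key = (m["id"], m["seq"])
        if m["kind"] == "request":
            sent[(m["src"], m["dst"])].add(key)
        else:
            flow = (m["dst"], m["src"])  # reply travels back along the flow
            if key in sent.get(flow, set()):
                answered[flow].add(key)
    return {flow: (len(keys), len(answered[flow])) for flow, keys in sent.items()}

def unanswered_targets(capture):
    """Hosts that got at least one request on tun0 but returned no reply:
    the outbound leg works, so their return route is where to look next."""
    return sorted(dst for (_, dst), (req, rep) in pair_echoes(capture).items()
                  if req and rep == 0)

if __name__ == "__main__":
    for (src, dst), (req, rep) in sorted(pair_echoes(SAMPLE_CAPTURE).items()):
        print(f"{src} -> {dst}: {req} requests, {rep} replies")
    print("no reply at all from:", unanswered_targets(SAMPLE_CAPTURE))
```

Feed it real output with `tcpdump -n -i tun0 icmp | python3 pair_echoes.py` style redirection after swapping SAMPLE_CAPTURE for stdin; only hosts with zero replies are reported, so a host that is merely slow to answer is not confused with one whose replies never reach the tunnel.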