Re: [Openvpn-users] Network to Network VPN question


  • Subject: Re: [Openvpn-users] Network to Network VPN question
  • From: Mikey Simmons <empurium@xxxxxxxx>
  • Date: Tue, 4 Oct 2005 09:49:13 -0700

Okay well I feel kind of silly now, because I've answered my own question, but I
might as well put it out there for anybody else who might be having the same
confusion.


As I said below, tcpdump was reporting that it was getting icmp requests from
each servers public IP addresses, which is why things were not routing
properly. What I had was this:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0/0 -j SNAT --to $extip

And that was changing the source address of any outgoing packets to $extip.
Including the ones that were going to 192.168.5.0/24. So, before that rule, I
added this:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.5.0/24 -j SNAT --to 192.168.1.1


And then on the other side of the OpenVPN connection, I did the same thing flip
flopped. So now both subnets can communicate with each other perfectly.


Hope this helps someone out there!

And thanks for the excellent software, OpenVPN is great. :]


After researching it some more, I think that I may have been a little bit
unclear, and also have started wondering if I should be doing NAT.

As it stands with the configuration that I posted below (push routes, route, and
iroute in dev tun), both the OpenVPN server and client can ping any host on
either side of the network. However, any hosts on either side of the network
cannot ping hosts on the other side of the OpenVPN.

Looking at tcpdump -n -i tun0, I get some interesting information. When I ping
from either the OpenVPN server or client, it comes from the proper address (the
VPN subnet, 10.x). When I ping from a client on either side of the network
however, it comes from the PUBLIC address of either the client or the server,
which is why the packet gets dropped I think.


So my question is, should it be necessary to do NAT with iptables to get this
working properly? Nowhere in any documentation that I've seen has it said that
NAT is necessary to bridge two networks, but this information makes me curious
if it is necessary.



Thanks for any and all help.

Hello,

I'm attempting to create an OpenVPN connection between two networks, where all
the clients on either side can access each other. I found a post similar to
this here:
http://openvpn.net/archive/openvpn-users/2005-03/msg00091.html


Which also linked to this site:
http://openvpn.net/howto.html#scope

I've read through that documentation and followed it, but it's still not working
the way I need it to.



The network is essentially like this:

Femy LAN (192.168.1.0/24)
  Firewall (OpenVPN client)
    -- Internet --
  Firewall (OpenVPN server)
Terminator LAN (192.168.5.0/24)


The relevant server config declarations in server.conf are:

server 10.5.5.0 255.255.255.0
client-config-dir /etc/openvpn/clients
route 192.168.1.0 255.255.255.0
push "route 192.168.5.0 255.255.255.0"


And then on the server, there is a /etc/openvpn/clients/Femy file with this:

iroute 192.168.1.0 255.255.255.0


With this setup, I can ping any clients on the server's network from the client
itself, but when clients on the client's network attempt to do the same, I get
this error message in the server's logs:


Mon Oct 3 16:28:53 2005 us=728238 Femy/64.10x.xxx.xxx:32830 MULTI: bad source address from client [64.10x.xxx.xxx], packet dropped


And also, none of the clients on the server's network can ping hosts on the
client's network.

If you have any ideas of things I might be able to try, or see anything that I
might be missing, please let me know. Any help is very very much appreciated.



Thank you!


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
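Added example, not from the post or from OpenVPN: a small Python model of the first-match behaviour of the nat/POSTROUTING chain together with the server-side iroute source check, showing why the original catch-all SNAT rule turned LAN-to-LAN packets into "bad source address" drops and why the more specific rule has to be appended before it. The public address 203.0.113.10 stands in for $extip, and the hosts 192.168.1.50 and 192.168.5.20 are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed values: the LANs from the thread, a documentation-range
# placeholder for the $extip of the client-side firewall, and the iroute the
# server holds for client Femy (192.168.1.0/24, per the posted client file).
EXTIP = "203.0.113.10"           # placeholder for $extip
LAN_LOCAL = "192.168.1.0/24"     # Femy LAN, behind the OpenVPN client
LAN_REMOTE = "192.168.5.0/24"    # Terminator LAN, behind the OpenVPN server
IROUTE_FEMY = ip_network(LAN_LOCAL)

def snat(src, dst, to):
    """One 'iptables -t nat -A POSTROUTING -s src -d dst -j SNAT --to to' rule."""
    return {"src": ip_network(src), "dst": ip_network(dst), "to": to}

def postrouting(chain, src, dst):
    """nat/POSTROUTING is first-match: the first SNAT rule whose -s and -d
    both match rewrites the source and later rules are never consulted.
    Returns the source address the packet leaves the firewall with."""
    s, d = ip_address(src), ip_address(dst)
    for rule in chain:
        if s in rule["src"] and d in rule["dst"]:
            return rule["to"]
    return src  # no rule matched: source left untouched

def server_accepts(src, iroute=IROUTE_FEMY):
    """Server-side check behind the 'MULTI: bad source address from client'
    message: a packet arriving over Femy's tunnel is only forwarded if its
    source lies inside the subnet iroute'd to that client."""
    return ip_address(src) in iroute

def trace(chain, src, dst):
    """(source after NAT, accepted by the OpenVPN server) for one LAN packet."""
    nat_src = postrouting(chain, src, dst)
    return nat_src, server_accepts(nat_src)

# The original single rule: every packet from the LAN, VPN-bound or not,
# leaves with the public address.
BROKEN = [snat(LAN_LOCAL, "0.0.0.0/0", EXTIP)]

# The fix from the post: the more specific rule appended first, so it is
# hit before the catch-all.
FIXED = [snat(LAN_LOCAL, LAN_REMOTE, "192.168.1.1"),
         snat(LAN_LOCAL, "0.0.0.0/0", EXTIP)]

# Same two rules appended in the opposite order: the catch-all still wins.
WRONG_ORDER = list(reversed(FIXED))

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(name, trace(chain, "192.168.1.50", "192.168.5.20"))
    print("internet-bound via FIXED:", postrouting(FIXED, "192.168.1.50", "198.51.100.7"))
```

An ordering-independent alternative is a single catch-all rule that excludes the VPN destination (`! -d 192.168.5.0/24`), so LAN-to-LAN packets are never source-translated at all; either way, `tcpdump -n -i tun0` showing private source addresses is the check that the rules are doing what you intend.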