Title: Message
I am trying to link 3 very small LANs using 2 tunnels under openvpn 2.0.5 via the Internet. I am not a networking specialist, but I have been reading many posts, the man page, howtos, and I still have problems.

A present case: I am trying to link 2 LANs:
192.168.90.0/24 =================== 192.168.2.0/24
LINUX RH9                           WINDOWS XP PRO
OPENVPN 2.0.1                       openvpn 2.0.5
Routes at the XP box with the VPN down (Windows XP, Portuguese):
===========================================================================
Lista de interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 02 44 82 53 e2 ...... Realtek RTL8139/810X Family PCI Fast Ethernet
===========================================================================
===========================================================================
Rotas ativas:
Endereço de rede   Máscara           Ender. gateway   Interface       Custo
0.0.0.0            0.0.0.0           192.168.2.1      192.168.2.235   20
127.0.0.0          255.0.0.0         127.0.0.1        127.0.0.1       1
192.168.2.0        255.255.255.0     192.168.2.235    192.168.2.235   20
192.168.2.235      255.255.255.255   127.0.0.1        127.0.0.1       20
192.168.2.255      255.255.255.255   192.168.2.235    192.168.2.235   20
224.0.0.0          240.0.0.0         192.168.2.235    192.168.2.235   20
255.255.255.255    255.255.255.255   192.168.2.235    192.168.2.235   1
Gateway:           192.168.2.1
===========================================================================
Rotas persistentes:
  Nenhuma
Then the VPN is started. Here is the server conf:
============================================================
dev tun
server 10.3.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca /usr/local/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/local/openvpn/easy-rsa/2.0/keys/server.crt
key /usr/local/openvpn/easy-rsa/2.0/keys/server.key
dh /usr/local/openvpn/easy-rsa/2.0/keys/dh1024.pem
route 192.168.2.0 255.255.255.0
push "route 192.168.2.0 255.255.255.0"
push "route 192.168.90.0 255.255.255.0"
client-config-dir ccd
client-to-client
keepalive 10 120
status openvpn-status.log
log-append openvpn.log
comp-lzo
verb 3
============================================================
client1 file at ccd dir:
============================================================
iroute 192.168.2.0 255.255.255.0
============================================================
client1 config at XP box:
============================================================
client
pull
dev tun
dev-node VPN2
proto udp
remote a.b.c.d 1194
nobind
persist-key
persist-tun
ca "C:\\Arquivos de programas\\OpenVPN\\config\\craf_ca.crt"
cert "C:\\Arquivos de programas\\OpenVPN\\config\\craf_client1.crt"
key "C:\\Arquivos de programas\\OpenVPN\\config\\craf_client1.key"
ns-cert-type server
keepalive 10 120
route 192.168.90.0 255.255.255.0
comp-lzo
verb 3
mute 20
log-append client1.log
============================================================
log at linux rh9 server
============================================================
Sat Dec 3 10:28:52 2005 MULTI: multi_create_instance called
Sat Dec 3 10:28:52 2005 x.y.z.t:61503 Re-using SSL/TLS context
Sat Dec 3 10:28:52 2005 x.y.z.t:61503 LZO compression initialized
Sat Dec 3 10:28:52 2005 x.y.z.t:61503 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Dec 3 10:28:52 2005 x.y.z.t:61503 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Dec 3 10:28:52 2005 x.y.z.t:61503 Local Options hash (VER=V4): '530fdded'
Sat Dec 3 10:28:52 2005 x.y.z.t:61503 Expected Remote Options hash (VER=V4): '41690919'
Sat Dec 3 10:28:52 2005 x.y.z.t:61503 TLS: Initial packet from x.y.z.t:61503, sid=1a9637a5 dc90095b
Sat Dec 3 10:29:04 2005 x.y.z.t:61503 VERIFY OK: depth=1, /C=br/ST=SP/L=SaoPaulo/O=CRAFTECH/CN=CRAFTECH_CA/emailAddress=toninho@xxxxxxxxxxxxxxxxxxxxx
Sat Dec 3 10:29:04 2005 x.y.z.t:61503 VERIFY OK: depth=0, /C=br/ST=SP/L=SaoPaulo/O=CRAFTECH/OU=clientes/CN=client1/emailAddress=toninho@xxxxxxxxxxxxxxxxxxxxx
Sat Dec 3 10:29:06 2005 x.y.z.t:61503 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Dec 3 10:29:06 2005 x.y.z.t:61503 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 3 10:29:06 2005 x.y.z.t:61503 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Dec 3 10:29:06 2005 x.y.z.t:61503 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 3 10:29:07 2005 x.y.z.t:61503 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Dec 3 10:29:07 2005 x.y.z.t:61503 [client1] Peer Connection Initiated with x.y.z.t:61503
Sat Dec 3 10:29:07 2005 OPTIONS IMPORT: reading client specific options from: ccd/client1
Sat Dec 3 10:29:07 2005 MULTI: Learn: 10.3.0.6 -> client1/x.y.z.t:61503
Sat Dec 3 10:29:07 2005 MULTI: primary virtual IP for client1/x.y.z.t:61503: 10.3.0.6
Sat Dec 3 10:29:07 2005 MULTI: internal route 192.168.2.0/24 -> client1/x.y.z.t:61503
Sat Dec 3 10:29:07 2005 MULTI: Learn: 192.168.2.0/24 -> client1/x.y.z.t:61503
Sat Dec 3 10:29:07 2005 REMOVE PUSH ROUTE: 'route 192.168.2.0 255.255.255.0'
Sat Dec 3 10:29:08 2005 client1/x.y.z.t:61503 PUSH: Received control message: 'PUSH_REQUEST'
Sat Dec 3 10:29:08 2005 client1/x.y.z.t:61503 SENT CONTROL [client1]: 'PUSH_REPLY,route 192.168.90.0 255.255.255.0,route 10.3.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.3.0.6 10.3.0.5' (status=1)
============================================================
log at XP BOX
============================================================
Sat Dec 03 10:28:43 2005 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005
Sat Dec 03 10:28:43 2005 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Dec 03 10:28:43 2005 LZO compression initialized
Sat Dec 03 10:28:43 2005 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Dec 03 10:28:43 2005 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sat Dec 03 10:28:43 2005 Local Options hash (VER=V4): '41690919'
Sat Dec 03 10:28:43 2005 Expected Remote Options hash (VER=V4): '530fdded'
Sat Dec 03 10:28:43 2005 UDPv4 link local: [undef]
Sat Dec 03 10:28:43 2005 UDPv4 link remote: 200.206.208.155:1194
Sat Dec 03 10:28:44 2005 TLS: Initial packet from 200.206.208.155:1194, sid=71c25f36 972f4360
Sat Dec 03 10:28:47 2005 VERIFY OK: depth=1, /C=br/ST=SP/L=SaoPaulo/O=CRAFTECH/CN=CRAFTECH_CA/emailAddress=toninho@xxxxxxxxxxxxxxxxxxxxx
Sat Dec 03 10:28:47 2005 VERIFY OK: nsCertType=SERVER
Sat Dec 03 10:28:47 2005 VERIFY OK: depth=0, /C=br/ST=SP/L=SaoPaulo/O=CRAFTECH/OU=teste/CN=server/emailAddress=toninho@xxxxxxxxxxxxxxxxxxxxx
Sat Dec 03 10:28:58 2005 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Dec 03 10:28:58 2005 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 03 10:28:58 2005 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Dec 03 10:28:58 2005 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Dec 03 10:28:58 2005 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Dec 03 10:28:58 2005 [server] Peer Connection Initiated with 200.206.208.155:1194
Sat Dec 03 10:28:59 2005 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Dec 03 10:29:00 2005 PUSH: Received control message: 'PUSH_REPLY,route 192.168.90.0 255.255.255.0,route 10.3.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.3.0.6 10.3.0.5'
Sat Dec 03 10:29:00 2005 OPTIONS IMPORT: timers and/or timeouts modified
Sat Dec 03 10:29:00 2005 OPTIONS IMPORT: --ifconfig/up options modified
Sat Dec 03 10:29:00 2005 OPTIONS IMPORT: route options modified
Sat Dec 03 10:29:00 2005 TAP-WIN32 device [VPN2] opened: \\.\Global\{6274C47A-E4EA-4E96-B887-09FB9FF5A13B}.tap
Sat Dec 03 10:29:00 2005 TAP-Win32 Driver Version 8.1
Sat Dec 03 10:29:00 2005 TAP-Win32 MTU=1500
Sat Dec 03 10:29:00 2005 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.3.0.6/255.255.255.252 on interface {6274C47A-E4EA-4E96-B887-09FB9FF5A13B} [DHCP-serv: 10.3.0.5, lease-time: 31536000]
Sat Dec 03 10:29:00 2005 Successful ARP Flush on interface [196611] {6274C47A-E4EA-4E96-B887-09FB9FF5A13B}
Sat Dec 03 10:29:00 2005 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0 u/d=down
Sat Dec 03 10:29:00 2005 Route: Waiting for TUN/TAP interface to come up...
Sat Dec 03 10:29:01 2005 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0 u/d=down
Sat Dec 03 10:29:01 2005 Route: Waiting for TUN/TAP interface to come up...
Sat Dec 03 10:29:02 2005 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0 u/d=down
Sat Dec 03 10:29:02 2005 Route: Waiting for TUN/TAP interface to come up...
Sat Dec 03 10:29:03 2005 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0 u/d=down
Sat Dec 03 10:29:03 2005 Route: Waiting for TUN/TAP interface to come up...
Sat Dec 03 10:29:04 2005 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
Sat Dec 03 10:29:04 2005 route ADD 192.168.90.0 MASK 255.255.255.0 10.3.0.5
Sat Dec 03 10:29:04 2005 Route addition via IPAPI succeeded
Sat Dec 03 10:29:04 2005 route ADD 192.168.90.0 MASK 255.255.255.0 10.3.0.5
Sat Dec 03 10:29:04 2005 Route addition via IPAPI succeeded
Sat Dec 03 10:29:04 2005 route ADD 10.3.0.0 MASK 255.255.255.0 10.3.0.5
Sat Dec 03 10:29:04 2005 Route addition via IPAPI succeeded
Sat Dec 03 10:29:04 2005 Initialization Sequence Completed
============================================================
THEN a route print at the XP BOX with the VPN UP:
===========================================================================
Lista de interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 02 44 82 53 e2 ...... Realtek RTL8139/810X Family PCI Fast Ethernet NIC
0x30003 ...00 ff 62 74 c4 7a ...... TAP-Win32 Adapter V8 #2
===========================================================================
===========================================================================
Rotas ativas:
Endereço de rede   Máscara           Ender. gateway   Interface       Custo
0.0.0.0            0.0.0.0           192.168.2.1      192.168.2.235   20
10.3.0.0           255.255.255.0     10.3.0.5         10.3.0.6        1
10.3.0.4           255.255.255.252   10.3.0.6         10.3.0.6        30
10.3.0.6           255.255.255.255   127.0.0.1        127.0.0.1       30
10.255.255.255     255.255.255.255   10.3.0.6         10.3.0.6        30
127.0.0.0          255.0.0.0         127.0.0.1        127.0.0.1       1
192.168.2.0        255.255.255.0     192.168.2.235    192.168.2.235   20
192.168.2.235      255.255.255.255   127.0.0.1        127.0.0.1       20
192.168.2.255      255.255.255.255   192.168.2.235    192.168.2.235   20
192.168.90.0       255.255.255.0     10.3.0.5         10.3.0.6        1
224.0.0.0          240.0.0.0         10.3.0.6         10.3.0.6        30
224.0.0.0          240.0.0.0         192.168.2.235    192.168.2.235   20
255.255.255.255    255.255.255.255   10.3.0.6         10.3.0.6        1
255.255.255.255    255.255.255.255   192.168.2.235    192.168.2.235   1
Gateway padrão:    192.168.2.1
===========================================================================
Rotas persistentes:
  Nenhuma
AND the routing table at the linux box:
===========================================================================
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.3.0.2        *               255.255.255.255 UH    0      0        0 tun0
192.168.2.0     10.3.0.2        255.255.255.0   UG    0      0        0 tun0
10.3.0.0        10.3.0.2        255.255.255.0   UG    0      0        0 tun0
192.168.90.0    *               255.255.255.0   U     0      0        0 eth1
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.90.1    0.0.0.0         UG    0      0        0 eth1
===========================================================================
What I do not understand: I can ping the gateway at the other side of the LAN, on both sides. The multi-server VPN puts the server on the very first address of the server-config range; in this case, 10.3.0.1 would be the server address. In fact I can ping 10.3.0.1 from the XP box at 10.3.0.6. And I can ping the XP box at 10.3.0.6 from the Linux box at 10.3.0.1.

But what about the 10.3.0.5 would-be address of the tunnel end at the Linux side? And 10.3.0.2 would be the end of the tunnel, as I see in the routing table of the Linux box?

The routing does not work. I do not understand the multi-server option: I know that I am missing something, but I expected the server to be at 10.3.0.1 for all clients. And the tunnels use only /30 subnets...

Could someone please help me to see this the right way?

TIA
Antonio
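Added example, not code from Antonio's post or from the OpenVPN project: a small Python model of the "net30" address layout that OpenVPN 2.0 server mode uses by default, which is what produces the 10.3.0.1/10.3.0.2 server endpoints in the Linux routing table and the 'ifconfig 10.3.0.6 10.3.0.5' pushed to client1 in the logs above. The function names and the per-/30 bookkeeping are this example's own.

```python
# Added example, not code from the original post or from OpenVPN itself.
# Models OpenVPN 2.0's default "net30" server-mode layout: 'server NET MASK'
# gives the server the first /30 (NET+1 local, NET+2 remote) and hands each
# client its own /30 from a pool starting at NET+4 and ending one /30 short
# of the broadcast (10.3.0.4 .. 10.3.0.251 for the /24 in the post).
import ipaddress


def net30_layout(network: str, netmask: str):
    """Return (server_local, server_remote) and the list of client /30 blocks.

    In each client /30: .0 is the block address, .1 the server-side peer
    (the far end the client routes through), .2 the client's own tun address.
    """
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    base = int(net.network_address)
    pool_end = int(net.broadcast_address) - 4   # last address handed out
    server = (str(ipaddress.ip_address(base + 1)),
              str(ipaddress.ip_address(base + 2)))
    clients = []
    blk = base + 4
    while blk + 3 <= pool_end:
        clients.append({
            "block": f"{ipaddress.ip_address(blk)}/30",
            "peer": str(ipaddress.ip_address(blk + 1)),
            "client": str(ipaddress.ip_address(blk + 2)),
        })
        blk += 4
    return server, clients


def peer_of(client_ip: str, network: str, netmask: str) -> str:
    """Peer address pushed to a client as 'ifconfig <client> <peer>'
    (10.3.0.6 -> 10.3.0.5 in the XP log above)."""
    _, clients = net30_layout(network, netmask)
    for c in clients:
        if c["client"] == client_ip:
            return c["peer"]
    raise ValueError(f"{client_ip} is not a net30 client address in "
                     f"{network}/{netmask}")


if __name__ == "__main__":
    server, clients = net30_layout("10.3.0.0", "255.255.255.0")
    print("server ifconfig:", *server)            # 10.3.0.1 10.3.0.2
    print("first client block:", clients[0])      # 10.3.0.4/30, peer .5, client .6
    print("pool holds", len(clients), "clients")  # 62
    print("peer of 10.3.0.6:", peer_of("10.3.0.6", "10.3.0.0", "255.255.255.0"))
```

10.3.0.2 in the Linux routing table is the server's own point-to-point peer and 10.3.0.5 is the peer of client1's /30; both are virtual endpoints of the tun link rather than addresses assigned to a host, which is why they do not appear as interface addresses on either side.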