Hello All,
Please help.
In short, I can't reach the machines behind/beside the VPN gateway. I can
connect and ping the VPN server, but not the other machines. Yes, I've
read the FAQ, and a lot of other documents. I've used tcpdump and it's
like the packets are not getting forwarded. BTW, forwarding is turned
on, but feel free to prove me wrong. I'm at my wits' end... Lots
of stuff below. Thanks in advance!
Setup:
ovpn server
OpenBSD 3.8 ------------- Commercial Router/FW ------- larger corp
OpenVPN 2.0           /   in route/NAT mode               network
                     /
                    /
                   /
         Other machines
           behind FW
I want to use OpenVPN to allow connectivity to the machines behind the FW.
Note: making the ovpn/bsd box the fw is not an option.
Yes, the OpenVPN server is NAT'ed.
The network behind the FW is 10.2.10.0/24
The OpenVPN addresses for vpn traffic is 10.2.11.0/24
results of "grep forward sysctl.conf" on OpenVPN/OpenBSD box
-------------------------------------------------------------
#net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.accept_rtadv=1 # 1=Permit IPv6 autoconf (forwarding must be 0)
Use the following to disable the pf on OpenVPN/OpenBSD box
----------------------------------------------------------
pfctl -d
server.conf on OpenVPN/OpenBSD box
----------------------------------
local 10.2.10.8
port 1194
proto udp
dev tun0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.2.11.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.2.10.0 255.255.255.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
"route show" on OpenVPN/OpenBSD box
-----------------------------------
Routing tables
Internet:
Destination         Gateway             Flags  Refs  Use   Mtu    Interface
default             10.152.10.254       UGS    0     3590  -      dc0
10.2.10/24          link#1              UC     0     0     -      dc0
10.2.10.4           00:14:22:79:7f:17   UHLc   0     2     -      dc0
10.2.10.8           localhost           UGHS   0     0     33224  lo0
10.2.10.254         00:10:db:a6:25:22   UHLc   0     61    -      dc0
10.2.11/24          10.152.11.2         UGS    0     8     -      tun0
10.2.11.2           10.152.11.1         UH     0     0     -      tun0
loopback            localhost           UGRS   0     0     33224  lo0
localhost           localhost           UH     0     0     33224  lo0
172.20.19/24        link#2              UC     0     0     -      dc1
BASE-ADDRESS.MCAST  localhost           URS    0     0     33224  lo0
***NOTE: I did not include the Internet 6 stuff...***
On the commercial FW/Router I included a route
----------------------------------------------
IP-Prefix Interface Gateway P Pref Mtr
-------------------------------------------------------------------
10.2.11.0/24 trust 10.2.10.8 S 20 1
There are no other routes for 10.2.11.0/24.
Sample tcpdump
================
tcpdump -i tun0 (while pinging the VPN server's tun address 10.2.11.1)
----------
20:24:15.774483 10.2.11.6 > 10.2.11.1: icmp: echo request
20:24:15.774555 10.2.11.1 > 10.2.11.6: icmp: echo reply
20:24:16.774723 10.2.11.6 > 10.2.11.1: icmp: echo request
20:24:16.774793 10.2.11.1 > 10.2.11.6: icmp: echo reply
20:24:17.775928 10.2.11.6 > 10.2.11.1: icmp: echo request
20:24:17.775994 10.2.11.1 > 10.2.11.6: icmp: echo reply
20:24:18.777056 10.2.11.6 > 10.2.11.1: icmp: echo request
20:24:18.777122 10.2.11.1 > 10.2.11.6: icmp: echo reply
tcpdump -i tun0 (while pinging the VPN server's dc0 address 10.2.10.8)
----------
20:23:26.175432 10.2.11.6 > 10.2.10.8: icmp: echo request
20:23:26.175502 10.2.10.8 > 10.2.11.6: icmp: echo reply
20:23:27.176750 10.2.11.6 > 10.2.10.8: icmp: echo request
20:23:27.176813 10.2.10.8 > 10.2.11.6: icmp: echo reply
20:23:28.177927 10.2.11.6 > 10.2.10.8: icmp: echo request
20:23:28.177994 10.2.10.8 > 10.2.11.6: icmp: echo reply
20:23:29.179068 10.2.11.6 > 10.2.10.8: icmp: echo request
20:23:29.179131 10.2.10.8 > 10.2.11.6: icmp: echo reply
tcpdump -i tun0 (while pinging a different machine 10.2.10.5)
----------
20:21:59.353478 10.2.11.6 > 10.2.10.5: icmp: echo request
20:22:04.397333 10.2.11.6 > 10.2.10.5: icmp: echo request
20:22:09.403185 10.2.11.6 > 10.2.10.5: icmp: echo request
20:22:14.409207 10.2.11.6 > 10.2.10.5: icmp: echo request
tcpdump -i dc0 results are all NULL for the above three pings.
THANKS for reading this FAR!!!!! I'll be happy to provide additional
info.
Thanks,
odk
--
Oscar D. Knight knightod at appstate dot edu
Voice: 828-262-6946
Appalachian State University, Boone, NC 28608 FAX: 828-262-2236
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
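An added diagnostic script (not part of the original post, and not OpenVPN's or OpenBSD's own tooling) that checks the three things a reader would want verified from the material above: whether IP forwarding is actually 1 at runtime (a "grep forward sysctl.conf" that only returns lines beginning with "#" shows comments, which set nothing at boot), whether sysctl.conf contains an uncommented net.inet.ip.forwarding=1 line, and which ping destinations in a tun0 trace received echo requests but sent no replies. The sysctl output format "name=value" is assumed to match OpenBSD's; the runtime value, config lines and trace lines embedded here are constructed samples mirroring the post, so the script runs offline. On a live box you would substitute `sysctl net.inet.ip.forwarding`, `/etc/sysctl.conf` and a captured `tcpdump -i tun0` for the three sample variables.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original post. Inputs are constructed
# samples mirroring what the post shows; on a real OpenBSD box feed in
# `sysctl net.inet.ip.forwarding`, /etc/sysctl.conf and a `tcpdump -i tun0`
# capture instead.

# Constructed: assumed OpenBSD "name=value" output of `sysctl net.inet.ip.forwarding`.
SAMPLE_RUNTIME='net.inet.ip.forwarding=0'

# Constructed: the commented-out sysctl.conf lines from the post. A leading '#'
# means the line sets nothing at boot.
SAMPLE_CONF='#net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets
#net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of packets'

# Constructed subset of the tun0 traces from the post (two answered targets,
# one unanswered).
SAMPLE_TRACE='20:24:15.774483 10.2.11.6 > 10.2.11.1: icmp: echo request
20:24:15.774555 10.2.11.1 > 10.2.11.6: icmp: echo reply
20:23:26.175432 10.2.11.6 > 10.2.10.8: icmp: echo request
20:23:26.175502 10.2.10.8 > 10.2.11.6: icmp: echo reply
20:21:59.353478 10.2.11.6 > 10.2.10.5: icmp: echo request
20:22:04.397333 10.2.11.6 > 10.2.10.5: icmp: echo request'

# Print N from a "net.inet.ip.forwarding=N" line; prints nothing if absent.
runtime_forwarding_value() {
    printf '%s\n' "$1" | sed -n 's/^net\.inet\.ip\.forwarding=\([0-9]\).*/\1/p'
}

# Exit 0 only if an UNcommented net.inet.ip.forwarding=1 line is present.
conf_forwarding_enabled() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*net\.inet\.ip\.forwarding=1'
}

# Pair ICMP echo requests with replies per destination and print, sorted,
# every destination that answered fewer requests than it received.
# Field layout of a tcpdump line: time src ">" dst: "icmp:" "echo" request|reply
unanswered_ping_targets() {
    printf '%s\n' "$1" | awk '
        $7 == "request" { d = $4; sub(/:$/, "", d); req[d]++ }
        $7 == "reply"   { rep[$2]++ }
        END { for (d in req) if (rep[d] < req[d]) print d }
    ' | sort
}

# Human-readable summary; always returns 0 so it is safe under `set -e`.
diagnose() {
    rt=$(runtime_forwarding_value "$SAMPLE_RUNTIME")
    if [ "$rt" = "1" ]; then
        echo "runtime: net.inet.ip.forwarding=1 (kernel will forward)"
    else
        echo "runtime: net.inet.ip.forwarding=${rt:-unset} (kernel will NOT forward tun0 -> dc0)"
    fi
    if conf_forwarding_enabled "$SAMPLE_CONF"; then
        echo "sysctl.conf: forwarding enabled at boot"
    else
        echo "sysctl.conf: forwarding line commented out or missing; not enabled at boot"
    fi
    echo "destinations with unanswered echo requests:"
    unanswered_ping_targets "$SAMPLE_TRACE" | sed 's/^/  /'
    return 0
}

diagnose
```

With the constructed samples the summary reports forwarding off at runtime and at boot, and lists 10.2.10.5 as the one destination whose requests went unanswered, which is exactly the pattern in the post: requests to the server's own addresses are answered locally without forwarding, while requests to a host behind the firewall leave tun0 and never reappear on dc0.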