Thanks for your help! Here's more info.
The client subnet is 172.27.255.240/255.255.255.240
The VPN link subnet is 172.28.128.0/255.255.128.0 (provisions for
multiple clients in the future)
ifconfig on the client looks like this upon connection:
[root@ws01a ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:79:39:3B
inet addr:192.168.96.99 Bcast:192.168.96.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:115031 errors:2 dropped:0 overruns:0 frame:0
TX packets:140790 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:45218449 (43.1 Mb) TX bytes:56774968 (54.1 Mb)
Interrupt:18 Base address:0x1424
eth1 Link encap:Ethernet HWaddr 00:0C:29:79:39:45
inet addr:172.27.255.241 Bcast:172.27.255.255 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:799 errors:0 dropped:0 overruns:0 frame:0
TX packets:284 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:71296 (69.6 Kb) TX bytes:23516 (22.9 Kb)
Interrupt:19 Base address:0x14a4
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:823 errors:0 dropped:0 overruns:0 frame:0
TX packets:823 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:116406 (113.6 Kb) TX bytes:116406 (113.6 Kb)
tun0 Link encap:Point-to-Point Protocol
inet addr:172.28.128.11 P-t-P:172.28.128.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:265 errors:0 dropped:0 overruns:0 frame:0
TX packets:212 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:24316 (23.7 Kb) TX bytes:27017 (26.3 Kb)
At first connection the routing table is:
[root@ws01a ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.28.128.1 * 255.255.255.255 UH 0 0 0 tun0
172.27.255.240 * 255.255.255.240 U 0 0 0 eth1
192.168.96.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
default smoothwall 0.0.0.0 UG 0 0 0 eth0
After adding the new route:
[root@ws01a ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.28.128.1 * 255.255.255.255 UH 0 0 0 tun0
172.27.255.240 * 255.255.255.240 U 0 0 0 eth1
192.168.96.0 * 255.255.255.0 U 0 0 0 eth0
192.168.1.0 172.28.128.1 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
default smoothwall 0.0.0.0 UG 0 0 0 eth0
I would have thought that 172.28.128.1 would be the remote tunnel
endpoint. Or am I getting my terms wrong: should I use 172.28.128.11, or
would I use one of the IPs on the server side, 172.28.128.2?
*ON THE SERVER*
[mhyzon@test02 ~]$ sudo /sbin/ifconfig tun0
Password:
tun0 Link encap:Point-to-Point Protocol
inet addr:172.28.128.1 P-t-P:172.28.128.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:237 errors:0 dropped:0 overruns:0 frame:0
TX packets:305 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:33024 (32.2 Kb) TX bytes:28728 (28.0 Kb)
Erich Titl wrote:
> Moshe Hyzon wrote:
> ...
>
>
>> In the default configuration, machines on the client lan can ping and connect to the OpenVPN server just fine, the reverse is also true. IP Forwarding is turned on both the server and the client. However, if I uncomment any of the 'push route' lines in the server config, or if on the client I execute the equivalent command:
>>
>> # route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.28.128.1
>>
>
> This does not look like the correct route setting, it should use a
> different gateway address, e.g. the remote tunnel endpoint.
>
>
>> the client can no longer ping the server. I see the OpenVPN client thinking it is sending packets, but nothing ever reaches the server. Running tcpdump on the server, the client and the intervening firewall,
>> In fact, no packets ever get sent out of the client's 'real' interface, eth0. '# tcpdump -i any' only sees tun0 packets. If I then perform:
>>
>> # route del -net 192.168.1.0 netmask 255.255.255.0 gw 172.28.128.1
>>
>> and start pinging again, nothing happens for a few seconds, then all the pings come back in a rush:
>>
>> [root@ws01a ~]# route del -net 192.168.1.0 netmask 255.255.255.0 gw 172.28.128.1
>> [root@ws01a ~]# ping 172.28.128.1
>> PING 172.28.128.1 (172.28.128.1) 56(84) bytes of data.
>> 64 bytes from 172.28.128.1: icmp_seq=0 ttl=64 time=6437 ms
>> 64 bytes from 172.28.128.1: icmp_seq=1 ttl=64 time=5419 ms
>> 64 bytes from 172.28.128.1: icmp_seq=2 ttl=64 time=4419 ms
>> 64 bytes from 172.28.128.1: icmp_seq=3 ttl=64 time=3420 ms
>> 64 bytes from 172.28.128.1: icmp_seq=4 ttl=64 time=2419 ms
>> 64 bytes from 172.28.128.1: icmp_seq=5 ttl=64 time=1419 ms
>> 64 bytes from 172.28.128.1: icmp_seq=6 ttl=64 time=411 ms
>> 64 bytes from 172.28.128.1: icmp_seq=7 ttl=64 time=5.41 ms
>> 64 bytes from 172.28.128.1: icmp_seq=8 ttl=64 time=2.74 ms
>> 64 bytes from 172.28.128.1: icmp_seq=9 ttl=64 time=8.68 ms
>>
>> I need to be able to reach subnets on the server side from the client side. Is there something simple I am missing? I can provide tcpdump logs and openvpn logs if necessary. Thanks for any help!
>>
>
> What subnet are you using on the client side? Please publish the routing
> table of the client before and after the incriminating command.
>
> cheers
>
> Erich
>
>
>
>
--
----
Moshe Hyzon
Grant Street Group
Ph: 412-391-5555, ext. 344
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
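An added check, not part of the thread above and not OpenVPN's own code: before adding a route over tun0, confirm that the destination network does not contain the address the OpenVPN client actually sends its encrypted packets to (the host in the client's "remote" line). If it does, the tunnel's own transport traffic is routed into the tunnel and nothing leaves eth0, which is consistent with the symptoms described (only tun0 traffic in tcpdump, pings arriving in a burst once the route is deleted); the message does not give the server's transport address, so the value 192.168.1.10 below is a constructed example, as are the function names.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): decide whether
#   route add -net NET netmask MASK gw <tun peer> dev tun0
# would swallow the OpenVPN transport traffic itself.

ip_to_int() {
    # Dotted quad -> 32-bit integer (runs in a subshell when called via $(...),
    # so "set --" does not clobber the caller's positional parameters).
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_subnet() {
    # in_subnet IP NET MASK -> exit 0 if IP lies inside NET/MASK
    ip=$(ip_to_int "$1"); net=$(ip_to_int "$2"); mask=$(ip_to_int "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

route_is_safe() {
    # route_is_safe SERVER_TRANSPORT_IP NET MASK
    # exit 0 when NET/MASK does not cover the server's transport address,
    # i.e. the route can be sent over tun0 without a routing loop.
    if in_subnet "$1" "$2" "$3"; then
        return 1
    fi
    return 0
}

# Constructed values for the demonstration: the server's transport address is
# assumed to be 192.168.1.10; NET/MASK are the route from the thread.
SERVER_TRANSPORT=192.168.1.10
NET=192.168.1.0
MASK=255.255.255.0

if route_is_safe "$SERVER_TRANSPORT" "$NET" "$MASK"; then
    echo "ok: $NET/$MASK does not contain $SERVER_TRANSPORT; route via tun0 is fine"
else
    echo "loop: $NET/$MASK contains $SERVER_TRANSPORT; pin the transport first:"
    echo "  route add -host $SERVER_TRANSPORT gw smoothwall dev eth0"
    echo "  route add -net $NET netmask $MASK gw 172.28.128.1 dev tun0"
fi
```

The host route pins the encrypted session to the real default gateway (smoothwall on eth0 in the tables above) before the broader network route is added over tun0; this is the same ordering OpenVPN applies itself when it installs a redirect-gateway. On a Linux tun device the kernel does not ARP for the gateway argument (the interface is POINTOPOINT NOARP), so the peer address shown as P-t-P on the client's tun0 is the one OpenVPN uses as the gateway for pushed routes, and any route whose gateway resolves onto tun0 will be forwarded to the remote endpoint regardless of which address is written.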