Re: [Openvpn-users] routing client to server LAN borked?


  • Subject: Re: [Openvpn-users] routing client to server LAN borked?
  • From: Moshe Hyzon <hyzon.moshe@xxxxxxxxxxxxxxx>
  • Date: Tue, 27 Jun 2006 17:19:01 -0400

Thanks for your help!  Here's more info.

The client subnet is 172.27.255.240/255.255.255.240
The VPN link subnet is 172.28.128.0/255.255.128.0 (provisions for 
multiple clients in the future)

ifconfig on the client looks like this upon connection:

[root@ws01a ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:79:39:3B
          inet addr:192.168.96.99  Bcast:192.168.96.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:115031 errors:2 dropped:0 overruns:0 frame:0
          TX packets:140790 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:45218449 (43.1 Mb)  TX bytes:56774968 (54.1 Mb)
          Interrupt:18 Base address:0x1424

eth1      Link encap:Ethernet  HWaddr 00:0C:29:79:39:45
          inet addr:172.27.255.241  Bcast:172.27.255.255  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:799 errors:0 dropped:0 overruns:0 frame:0
          TX packets:284 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:71296 (69.6 Kb)  TX bytes:23516 (22.9 Kb)
          Interrupt:19 Base address:0x14a4

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:823 errors:0 dropped:0 overruns:0 frame:0
          TX packets:823 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:116406 (113.6 Kb)  TX bytes:116406 (113.6 Kb)

tun0      Link encap:Point-to-Point Protocol
          inet addr:172.28.128.11  P-t-P:172.28.128.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:265 errors:0 dropped:0 overruns:0 frame:0
          TX packets:212 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:24316 (23.7 Kb)  TX bytes:27017 (26.3 Kb)

At first connection the routing table is:

[root@ws01a ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.28.128.1    *               255.255.255.255 UH    0      0        0 tun0
172.27.255.240  *               255.255.255.240 U     0      0        0 eth1
192.168.96.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         smoothwall      0.0.0.0         UG    0      0        0 eth0

After adding the new route:

[root@ws01a ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.28.128.1    *               255.255.255.255 UH    0      0        0 tun0
172.27.255.240  *               255.255.255.240 U     0      0        0 eth1
192.168.96.0    *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     172.28.128.1    255.255.255.0   UG    0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         smoothwall      0.0.0.0         UG    0      0        0 eth0

I would have thought that 172.28.128.1 would be the remote tunnel 
endpoint.  Or am I getting my terms wrong: should I use 172.28.128.11, or 
would I use one of the IPs on the server side, 172.28.128.2?

*ON THE SERVER*
[mhyzon@test02 ~]$ sudo /sbin/ifconfig tun0
Password:
tun0      Link encap:Point-to-Point Protocol
          inet addr:172.28.128.1  P-t-P:172.28.128.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:237 errors:0 dropped:0 overruns:0 frame:0
          TX packets:305 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:33024 (32.2 Kb)  TX bytes:28728 (28.0 Kb)


Erich Titl wrote:
> Moshe Hyzon wrote:
> ...
>
>   
>> In the default configuration, machines on the client LAN can ping and connect to the OpenVPN server just fine, the reverse is also true.  IP Forwarding is turned on both the server and the client.  However, if I uncomment any of the 'push route' lines in the server config, or if on the client I execute the equivalent command:
>>
>> # route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.28.128.1
>>     
>
> This does not look like the correct route setting, it should use a
> different gateway address, e.g. the remote tunnel endpoint.
>
>   
>> the client can no longer ping the server.  I see the OpenVPN client thinking it is sending packets, but nothing ever reaches the server.  Running tcpdump on the server, the client and the intervening firewall, 
>> In fact, no packets ever get sent out of the client's 'real' interface, eth0.  '# tcpdump -i any' only sees tun0 packets.  If I then perform:
>>
>> # route del -net 192.168.1.0 netmask 255.255.255.0 gw 172.28.128.1
>>
>> and start pinging again, nothing happens for a few seconds, then all the  pings come back in a rush:
>>
>> [root@ws01a ~]# route del -net 192.168.1.0 netmask 255.255.255.0 gw 172.28.128.1
>> [root@ws01a ~]# ping 172.28.128.1
>> PING 172.28.128.1 (172.28.128.1) 56(84) bytes of data.
>> 64 bytes from 172.28.128.1: icmp_seq=0 ttl=64 time=6437 ms
>> 64 bytes from 172.28.128.1: icmp_seq=1 ttl=64 time=5419 ms
>> 64 bytes from 172.28.128.1: icmp_seq=2 ttl=64 time=4419 ms
>> 64 bytes from 172.28.128.1: icmp_seq=3 ttl=64 time=3420 ms
>> 64 bytes from 172.28.128.1: icmp_seq=4 ttl=64 time=2419 ms
>> 64 bytes from 172.28.128.1: icmp_seq=5 ttl=64 time=1419 ms
>> 64 bytes from 172.28.128.1: icmp_seq=6 ttl=64 time=411 ms
>> 64 bytes from 172.28.128.1: icmp_seq=7 ttl=64 time=5.41 ms
>> 64 bytes from 172.28.128.1: icmp_seq=8 ttl=64 time=2.74 ms
>> 64 bytes from 172.28.128.1: icmp_seq=9 ttl=64 time=8.68 ms
>>
>> I need to be able to reach subnets on the server side from the client side.  Is there something simple I am missing?  I can provide tcpdump logs and openvpn logs if necessary.  Thanks for any help!
>>     
>
> What subnet are you using on the client side? Please publish the routing
> table of the client before and after the incriminating command.
>
> cheers
>
> Erich

-- 
----
Moshe Hyzon
Grant Street Group
Ph: 412-391-5555, ext. 344
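The route question above can be checked on paper before touching the box: the following is an added example (not from the thread or from OpenVPN) that parses the client's `route` table exactly as posted after the new route was added, resolves destinations by longest-prefix match, and checks that a gateway route's next hop is itself reachable through a connected route on the same interface. The table below is constructed from the output in the message; the hostname `smoothwall` is kept as-is and cannot be resolved offline.

```python
"""Resolve destinations against a Linux `route` table (longest-prefix match)."""
import ipaddress

# Constructed input: the client's routing table after `route add`, copied
# from the message (header dropped, wrapped 'Use Iface' column joined).
ROUTE_OUTPUT = """\
172.28.128.1    *               255.255.255.255 UH    0      0        0 tun0
172.27.255.240  *               255.255.255.240 U     0      0        0 eth1
192.168.96.0    *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     172.28.128.1    255.255.255.0   UG    0      0        0 tun0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         smoothwall      0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_table(text):
    """Turn `route` output lines into (network, gateway_or_None, iface) tuples."""
    routes = []
    for line in text.splitlines():
        dest, gw, mask, _flags, *_rest, iface = line.split()
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        # '*' means directly connected; a hostname such as smoothwall stays text
        routes.append((net, None if gw == "*" else gw, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the (network, gateway, iface) the kernel would pick."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)


def gateway_is_reachable(routes, gateway, iface):
    """A 'UG' route is usable only if its gateway resolves via a connected
    (gateway-less) route on the same interface. None = cannot check offline."""
    try:
        hit = lookup(routes, gateway)
    except ValueError:  # hostname gateway, e.g. 'smoothwall'
        return None
    return hit is not None and hit[1] is None and hit[2] == iface


if __name__ == "__main__":
    table = parse_route_table(ROUTE_OUTPUT)
    for dst in ("192.168.1.50", "172.28.128.1", "172.28.128.2"):
        print(dst, "->", lookup(table, dst))
    print("gw 172.28.128.1 via tun0 ok:", gateway_is_reachable(table, "172.28.128.1", "tun0"))
```

With this table, 192.168.1.0/24 traffic selects tun0 with next hop 172.28.128.1, and that next hop is covered by the /32 host route on tun0; note that 172.28.128.2 (the server's P-t-P address) is not covered by any tunnel route on the client and would fall through to the default via eth0.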

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users