On Mon, January 8, 2007 17:33, Harondel J. Sibble wrote:
> Okay, I've been asked to get openvpn working for a new client. Someone
> previously set up the vpn but never got it working. I'm thinking there must
> be something really simple that I am overlooking, anyone see anything obvious
> that I am missing?
>
> Setup
>
> - 2 Debian servers behind a Linksys NAT firewall, the BEFSR41 IIRC
> - lan has a mix of windows, mac os and linux machines, primarily ubuntu with
> one or 2 other distros. One server is just acting as the openvpn endpoint
> while the other is the file, print etc server.
> - linksys firewall is the dhcp server for the lan
> - linksys firewall has port forwarding for the default openvpn port to the
> openvpn server
> - currently using the tun interface, have also tried using tap (which is what
> it was originally set for)
> - the lan scope is 192.168.1.0/24 (will be changed once the basic config is
> working), I am connecting from very different lan scopes
> - port forwarding is enabled on the machine (single physical interface)
> - iptables is set to accept for all chains on both servers, ie no rules
> - disabling the firewall on the xp machine (forticlient) has no impact on the
> issue
>
> I am connecting from an XP machine behind another Linksys NAT router (I've
> tried 2, the BEFVP41 and the WRV54G)
>
> The problem: I can bring up the connection from the XP machine successfully,
> I can then ping from the openvpn server to the client machine and vice versa,
> interactive ssh etc, all works fine.
>
> However I cannot get access to the other machines on the same lan as the
> openvpn server.
>
> Configuration is as follows, note some items obscured.
>
> Server openvpn.conf
>
> port 1194
> proto tcp
> dev tap0
> tls-server
> ca /etc/openvpn/easy-rsa/keys/ca.crt
> cert /etc/openvpn/easy-rsa/keys/vpnserv.crt
> dh /etc/openvpn/easy-rsa/keys/dh1024.pem
> key /etc/openvpn/easy-rsa/keys/vpnserv.key
> server 10.34.55.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> push "dhcp-option DNS xxx.xxx.xxx.xxx"
> push "dhcp-option DNS xxx.xxx.xxx.xxx"
> push "route 192.168.1.0 255.255.255.0"
> keepalive 10 120
> comp-lzo
> user nobody
> group nogroup
> persist-key
> persist-tun
> status /var/log/openvpn/openvpn-status.log
> log /var/log/openvpn/openvpn.log
> log-append /var/log/openvpn/openvpn.log
> verb 4
>
> Client config
>
> client
> dev tun
> ;dev-node MyTap
> proto tcp
> remote my.remote.server.ip 1194
> ;remote-random
> resolv-retry infinite
> nobind
> ;user nobody
> ;group nobody
> persist-key
> persist-tun
> ;http-proxy-retry # retry on connection failures
> ;http-proxy [proxy server] [proxy port #]
> ;mute-replay-warnings
> ca ca.crt
> cert vpnserv.crt
> key vpnserv.key
> ;ns-cert-type server
> ;tls-auth ta.key 1
> ;cipher x
> comp-lzo
> verb 4
> ;mute 20
>
> --
> Harondel J. Sibble
> Sibble Computer Consulting
> Creating solutions for the small business and home computer user.
> help@xxxxxxxxx (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
> (604) 739-3709 (voice/fax) (604) 686-2253 (pager)

If the openvpn-server is not the default gateway for the other net you'll have
to set up a route on machines on the other end or they don't know where to
reply.... I.e. if you ping from a machine in network A with ip 192.168.1.3 to a
machine in network B with ip 10.10.10.5, the computer in network B sees a ping
from 192.168.1.3, and since this is not on the local network tries to answer
through the default gateway, unless it has a specific rule for the segment
192.168.1.0....
Off the top of my head:

    "route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.10.10.<ip of vpn-server>"

Try this on one machine on the other side and see if it helps...

Sturla

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
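The return-path problem Sturla describes, as an added example (not code from the thread): a small Python model of a LAN host's longest-prefix-match routing decision, using the thread's subnets (LAN 192.168.1.0/24, OpenVPN pool 10.34.55.0/24 from the server config) and constructed addresses for the Linksys default gateway (192.168.1.1) and the OpenVPN box's LAN address (192.168.1.10). It shows the reply to a VPN client leaving via the default gateway until a specific route exists, and produces the route command in both legacy `route` and `ip route` form.

```python
"""Added example: why LAN hosts cannot reply to VPN clients without a route."""
import ipaddress

# Constructed values: the thread's LAN and OpenVPN pool; gateway and server
# LAN addresses are assumptions, not taken from the thread.
LAN_NET = "192.168.1.0/24"
LAN_GW = "192.168.1.1"             # Linksys, the hosts' default gateway
VPN_SERVER_LAN_IP = "192.168.1.10"  # OpenVPN box, assumed address
VPN_NET = "10.34.55.0/24"          # from "server 10.34.55.0 255.255.255.0"


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; gateway None
    means 'directly connected'. Returns the chosen (network, gateway)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


def lan_host_routes(with_vpn_route):
    """Routing table of a plain LAN host: connected LAN plus default route,
    optionally with the static route Sturla suggests."""
    routes = [(LAN_NET, None), ("0.0.0.0/0", LAN_GW)]
    if with_vpn_route:
        routes.append((VPN_NET, VPN_SERVER_LAN_IP))
    return routes


def reply_gateway(vpn_client_ip, with_vpn_route):
    """Where a LAN host sends its reply to a ping from a VPN client."""
    _net, gw = next_hop(lan_host_routes(with_vpn_route), vpn_client_ip)
    return gw


def route_add_command(vpn_net=VPN_NET, via=VPN_SERVER_LAN_IP, legacy=False):
    """The static route for a LAN host, in 'route' or 'ip route' syntax."""
    net = ipaddress.ip_network(vpn_net)
    if legacy:
        return f"route add -net {net.network_address} netmask {net.netmask} gw {via}"
    return f"ip route add {net} via {via}"


if __name__ == "__main__":
    print("without route:", reply_gateway("10.34.55.6", False))  # Linksys
    print("with route:   ", reply_gateway("10.34.55.6", True))   # OpenVPN box
    print(route_add_command(legacy=True))
    print(route_add_command())
```

If the Linksys supports static routes, the same 10.34.55.0/24 via 192.168.1.10 entry can live on the gateway instead, so each host need not be touched.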