On 1/26/07, Kevin <lists@xxxxxxxxxxxxx> wrote:
Hi List-
I seem to have OpenVPN 2.0.6 correctly configured for complete LAN-to-LAN connectivity through an OpenVPN tunnel over the Internet using the section of the HOWTO entitled: "Expanding the scope of the VPN to include additional machines on either the client or server subnet."
I'm using tun interfaces, running on various machines (none of them Windows). The OpenVPN server version is 2.0.6 running on a dual-homed Linux server with one NIC connecting to LAN A and the other to the Internet. I'll refer to this host henceforth as dh1.
I can ping and ssh to any client on LAN A (server LAN) from a client on LAN B (client LAN), and vice versa while the OpenVPN tunnel is up.
The only exception to that statement is for another dual-homed server (which I'll refer to as dh2) on LAN A. dh2 is also connected to both the Internet and LAN A, and for the Internet-connected NIC, has a separate IP address from the OpenVPN server (dh1), on the same IP block as the OpenVPN server.
For the LAN-A-connected NIC, there is also a separate IP address for dh2 from dh1, but again, they're on the same LAN and the same IP block with the same netmask and everything.
For dh2 (also a Linux server), I can access it normally in every way from both the Internet and LAN A, but I can't access it in any way from LAN B even with the OpenVPN tunnel up, and not even from the OpenVPN client machine that establishes the tunnel with the OpenVPN server machine.
I sense that my problem with dh2 stems from a mis-configured routing table on dh2, but I'll be darned if I can figure out what it is. The routing table now looks like this:
dh2 Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use IF
211.143.74.192  0.0.0.0         255.255.255.240 U     0      0   0   eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0   0   eth1
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0   0   lo
0.0.0.0         211.143.74.193  0.0.0.0         UG    0      0   0   eth0

dh1 (OpenVPN server) Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use IF
10.1.2.2        0.0.0.0         255.255.255.255 UH    0      0   0   tun0
211.143.74.192  0.0.0.0         255.255.255.240 U     0      0   0   eth2
10.1.2.0        10.1.2.2        255.255.255.0   UG    0      0   0   tun0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0   0   eth1
10.1.3.0        10.1.2.2        255.255.255.0   UG    0      0   0   tun0
10.1.4.0        10.1.2.2        255.255.255.0   UG    0      0   0   tun0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
0.0.0.0         211.143.74.193  0.0.0.0         UG    0      0   0   eth2
I am running iptables, but I've verified that it's not blocking packets from LAN-B.
Does anyone have any idea what's wrong here? If not, then perhaps suggestions on increasing the logging details in order to facilitate troubleshooting?
I'd be glad to share config file details if anyone thinks it would help, but because every other aspect of this LAN-to-LAN VPN works as expected, I don't think it's a problem with my OpenVPN configuration.
Thanks in advance for suggestions and replies.
-Kevin

Kevin,

I could be wrong, but I do not see a route on dh2 sending traffic back to the OpenVPN server where it can be sent down the tun0 pipe.

I would expect you to need something like:

10.1.2.0 255.255.253.0 gw <IP of dh1> eth1

I am far from an expert... and can't seem to get my own OpenVPN installation going right... but I think this might be a step in the right direction.

Paul H.
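As an added example (not code from either message above, nor from OpenVPN): an offline check that parses dh2's routing table exactly as Kevin posted it, performs the kernel's longest-prefix lookup for the OpenVPN client's tunnel address 10.1.2.2 (the one host he says he cannot reach dh2 from), and prints the return routes dh2 would need toward dh1. The three subnets checked are the ones dh1's own table sends down tun0. dh1's LAN-A (eth1) address is not stated anywhere in the thread, so 10.1.1.1 below is an assumed placeholder to be replaced with the real one.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    iface: str


# dh2's table as posted in the thread (route -n / netstat -rn layout).
DH2_TABLE = """
Destination     Gateway         Genmask         Flags Metric Ref Use IF
211.143.74.192  0.0.0.0         255.255.255.240 U     0      0   0   eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0   0   eth1
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0   0   lo
0.0.0.0         211.143.74.193  0.0.0.0         UG    0      0   0   eth0
"""

# Subnets that dh1's own routing table sends down tun0.
VPN_SUBNETS = ["10.1.2.0/24", "10.1.3.0/24", "10.1.4.0/24"]

# ASSUMPTION: dh1's eth1 (LAN-A) address is not given in the thread; placeholder only.
DH1_LAN_A_IP = "10.1.1.1"


def parse_route_table(text: str) -> List[Route]:
    """Parse route -n style output; header lines (not starting with a digit) are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue
        dest, gateway, genmask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.IPv4Network(f"{dest}/{genmask}", strict=False)
        routes.append(Route(net, gateway, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the route the kernel picks for a packet to dst (all metrics are 0 here)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def missing_return_routes(routes: List[Route], subnets: List[str], via: str, dev: str) -> List[str]:
    """One `ip route add` command per subnet that only the default route would carry."""
    cmds = []
    for s in subnets:
        net = ipaddress.IPv4Network(s)
        covered = any(r.network.prefixlen > 0 and net.subnet_of(r.network) for r in routes)
        if not covered:
            cmds.append(f"ip route add {net} via {via} dev {dev}")
    return cmds


def with_return_routes(routes: List[Route], subnets: List[str], via: str, dev: str) -> List[Route]:
    """The table as it would look once those routes are installed."""
    return routes + [Route(ipaddress.IPv4Network(s), via, dev) for s in subnets]


if __name__ == "__main__":
    table = parse_route_table(DH2_TABLE)
    before = lookup(table, "10.1.2.2")
    print(f"reply to 10.1.2.2 leaves dh2 via {before.iface} gw {before.gateway} (default route, not dh1)")
    for cmd in missing_return_routes(table, VPN_SUBNETS, DH1_LAN_A_IP, "eth1"):
        print(cmd)
    after = lookup(with_return_routes(table, VPN_SUBNETS, DH1_LAN_A_IP, "eth1"), "10.1.2.2")
    print(f"after adding them: via {after.iface} gw {after.gateway}")
```

What the table predicts: pings from LAN B do reach dh2 (dh1 forwards them onto eth1), but dh2's replies match only the default route and leave eth0 toward 211.143.74.193, where the ISP drops the private destination. Because the route is missing on dh2 itself, no iptables rule and no OpenVPN log level on dh1 will show it; on dh2, `ip route get 10.1.2.2` before and after adding the routes is the quick confirmation, and `tcpdump -ni eth0 host 10.1.2.2` while pinging should show the replies going out the wrong interface.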
_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users