Hello everybody,
I want, first, to say thank you to all OpenVPN developers for this very
useful piece of software! Happy new year too.
So, I have a very strange problem that is getting on my nerves because I
can't resolve the issue. I have VMware Server running on a basic server;
there is 1 virtual network (in NAT mode). Here are the routes on the server
(after VMware and OpenVPN are started):
10.1.0.2 dev tun0  proto kernel  scope link  src 10.1.0.1
10.8.0.0/24 dev vmnet8  proto kernel  scope link  src 10.8.0.1
<public-ip> dev eth0  proto kernel  scope link  src <public-ip>
10.1.0.0/24 via 10.1.0.2 dev tun0
default via 91.121.95.254 dev eth0
Nothing special then (the only thing to keep in mind is that VMware uses
source routing). I set up an OpenVPN server on the server (the one with the
public IP), and it is working fine, because I can connect to it and I get an
IP address on Windows clients. Here's the server's configuration file:
local <public-ip>
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.2.0.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
push "route-delay 2 600"
client-to-client
keepalive 10 120
tls-auth keys/ta.key 0
cipher AES-128-CBC   # AES
comp-lzo
max-clients 250
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 6
mute 20
Now the client's:
client
dev tun0
proto tcp
remote 91.121.95.16 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth ta.key 1
cipher AES-128-CBC   # AES
comp-lzo
verb 3
Still nothing special, these are basic configuration files. Next I'll
"draw" a network topology so you'll have a better idea of how VMware
implements its NAT (hope there is no error):
[Windows client](10.1.0.6/30 tap) <-> (10.1.0.5/30 tap gw) <->
(10.1.0.2/24 vpn real gw) <-> (10.1.0.1/24 tun) [server] (10.8.0.1/24
vmnet8) <-> [virtual machine](10.8.0.128/24 gw 10.8.0.1/24)
The virtual machine's route is just a default gw to 10.8.0.1/24. Routes on
the client:
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1  192.168.0.117      25
         10.1.0.0    255.255.255.0         10.1.0.5       10.1.0.6       1
         10.1.0.4  255.255.255.252         10.1.0.6       10.1.0.6      30
         10.1.0.6  255.255.255.255        127.0.0.1      127.0.0.1      30
         10.8.0.0    255.255.255.0         10.1.0.5       10.1.0.6       1
...
Client's output:
Thu Jan 10 00:25:21 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Thu Jan 10 00:25:21 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Jan 10 00:25:21 2008 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Thu Jan 10 00:25:21 2008 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 10 00:25:21 2008 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 10 00:25:21 2008 LZO compression initialized
Thu Jan 10 00:25:21 2008 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Thu Jan 10 00:25:21 2008 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jan 10 00:25:21 2008 Local Options hash (VER=V4): '<hash>'
Thu Jan 10 00:25:21 2008 Expected Remote Options hash (VER=V4): '<hash>'
Thu Jan 10 00:25:21 2008 Attempting to establish TCP connection with 91.121.95.16:1194
Thu Jan 10 00:25:21 2008 TCP connection established with <public-ip>:1194
Thu Jan 10 00:25:21 2008 TCPv4_CLIENT link local: [undef]
Thu Jan 10 00:25:21 2008 TCPv4_CLIENT link remote: <public-ip>:1194
Thu Jan 10 00:25:21 2008 TLS: Initial packet from <public-ip>:1194, sid=<hash>
Thu Jan 10 00:25:22 2008 VERIFY OK: depth=1, <certificate fqn>
Thu Jan 10 00:25:22 2008 VERIFY OK: nsCertType=SERVER
Thu Jan 10 00:25:22 2008 VERIFY OK: depth=0, <certificate fqn>
Thu Jan 10 00:25:25 2008 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan 10 00:25:25 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 10 00:25:25 2008 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan 10 00:25:25 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 10 00:25:25 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan 10 00:25:25 2008 [client] Peer Connection Initiated with <public-ip>:1194
Thu Jan 10 00:25:27 2008 SENT CONTROL [client]: 'PUSH_REQUEST' (status=1)
Thu Jan 10 00:25:27 2008 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,route-delay 2 600,route 10.1.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.0.6 10.1.0.5'
Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: route options modified
Thu Jan 10 00:25:27 2008 TAP-WIN32 device [Local Area Connection 5] opened: \\.\Global\{F71B3A07-5805-4B69-97C9-73926191180F}.tap
Thu Jan 10 00:25:27 2008 TAP-Win32 Driver Version 8.4
Thu Jan 10 00:25:27 2008 TAP-Win32 MTU=1500
Thu Jan 10 00:25:27 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.1.0.6/255.255.255.252 on interface {F71B3A07-5805-4B69-97C9-73926191180F} [DHCP-serv: 10.1.0.5, lease-time: 31536000]
Thu Jan 10 00:25:27 2008 Successful ARP Flush on interface [7] {F71B3A07-5805-4B69-97C9-73926191180F}
Thu Jan 10 00:25:29 2008 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0 u/d=down
Thu Jan 10 00:25:29 2008 Route: Waiting for TUN/TAP interface to come up...
Thu Jan 10 00:25:31 2008 TEST ROUTES: 3/3 succeeded len=3 ret=1 a=0 u/d=up
Thu Jan 10 00:25:31 2008 route ADD 10.8.0.0 MASK 255.255.255.0 10.1.0.5
Thu Jan 10 00:25:31 2008 Route addition via IPAPI succeeded
Thu Jan 10 00:25:31 2008 route ADD 10.1.0.0 MASK 255.255.255.0 10.1.0.5
Thu Jan 10 00:25:31 2008 Route addition via IPAPI succeeded
Thu Jan 10 00:25:31 2008 Initialization Sequence Completed
Now the issue... From the client, I can ping 10.1.0.5 (tap gw), 10.1.0.1
(vpn gw) and 10.8.0.1 (vmnet8, but on the server's side), but nothing inside
vmnet8's network (10.8.0.128 for example).
I've tried everything.... Here are some of the things:
* Set up a virtual interface (on eth0:0) with IP 10.1.0.1,
* Put the OpenVPN network in VMware's network subnet (I think OpenVPN won't
understand; well, it didn't work anyway),
* Pushed a gw for the routes to the client (the client is slow to connect and
tells me that the gw doesn't exist).
I'm lost. Please help.
Regards,
Rida.
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
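Added example, not part of Rida's post: a longest-prefix-match walk over the three routing tables transcribed above (server `ip route`, Windows client table, and the VM's default route), tracing the ping from 10.1.0.6 to 10.8.0.128 and the reply back. The VM's interface name `eth0` and its on-link 10.8.0.0/24 route are assumed from "10.8.0.128/24".

```python
import ipaddress

# Routing tables transcribed from the post (constructed, not live output).
# Each entry: (prefix, gateway or None for on-link, interface).
SERVER_ROUTES = [
    ("10.1.0.2/32", None, "tun0"),
    ("10.8.0.0/24", None, "vmnet8"),
    ("10.1.0.0/24", "10.1.0.2", "tun0"),
    ("0.0.0.0/0", "91.121.95.254", "eth0"),
]
# Windows client after the PUSH_REPLY routes were added (interface = its IP).
CLIENT_ROUTES = [
    ("0.0.0.0/0", "192.168.0.1", "192.168.0.117"),
    ("10.1.0.0/24", "10.1.0.5", "10.1.0.6"),
    ("10.1.0.4/30", None, "10.1.0.6"),
    ("10.8.0.0/24", "10.1.0.5", "10.1.0.6"),
]
# Guest VM: on-link subnet plus default gw 10.8.0.1 (interface name assumed).
VM_ROUTES = [
    ("10.8.0.0/24", None, "eth0"),
    ("0.0.0.0/0", "10.8.0.1", "eth0"),
]


def lookup(routes, dst):
    """Longest-prefix match; returns (gateway, interface) or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


def trace_path(hops, dst):
    """Resolve dst at each (name, routes) hop in order; unroutable hops get None."""
    out = []
    for name, routes in hops:
        hit = lookup(routes, dst)
        out.append((name,) + (hit if hit else (None, None)))
    return out


def forward_and_return():
    """Forward path client -> server for 10.8.0.128, reply path VM -> server for 10.1.0.6."""
    fwd = trace_path([("client", CLIENT_ROUTES), ("server", SERVER_ROUTES)], "10.8.0.128")
    ret = trace_path([("vm", VM_ROUTES), ("server", SERVER_ROUTES)], "10.1.0.6")
    return fwd, ret
```

Both directions resolve to a sensible next hop (server: 10.8.0.128 on-link via vmnet8, 10.1.0.6 via 10.1.0.2 on tun0), so the tables themselves are consistent; what a table walk cannot show is whether the server actually forwards packets between tun0 and vmnet8 (IP forwarding and any firewall FORWARD rules), which is where to look next.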