Re: [Openvpn-users] Weird route issue with VMWare


  • Subject: Re: [Openvpn-users] Weird route issue with VMWare
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Wed, 30 Jan 2008 14:02:36 +0100

Hi Rida,

sorry for the delay but I was away for a while; I've got a vmware server 
here now and have tried your setup; indeed, routing does not work (as 
the docs for vmnet8 NAT'ting state). A work-around is to add an iptables 
NATting rule on the vmnet8 NAT device ;-) :

  iptables -t nat -I POSTROUTING -o vmnet8 -j MASQUERADE

that solved the routing issue on my setup. This is not an OpenVPN issue, 
really, but a vmware NATting+routing issue.

HTH,

JJK
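
An idempotent way to apply the work-around above, as an added example that is not part of the original message: it checks that forwarding is on, then inserts the MASQUERADE rule only if it is missing. The `-s 10.1.0.0/24` match (masquerade VPN-sourced traffic only) is an addition here, and the function names and the `IPTABLES` / `IP_FORWARD_FILE` overrides are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Subnet and interface are the values quoted in the thread; the function
# names and the IPTABLES / IP_FORWARD_FILE overrides are hypothetical.

VPN_NET="${VPN_NET:-10.1.0.0/24}"   # OpenVPN client subnet (from the thread)
NAT_IF="${NAT_IF:-vmnet8}"          # VMware NAT interface (from the thread)
IPTABLES="${IPTABLES:-iptables}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# Rule specification. Compared with the rule in the message, the "-s" match
# is an addition: only packets coming from VPN clients are masqueraded,
# instead of everything that leaves through vmnet8.
rule_spec() {
    printf '%s\n' "POSTROUTING -s $VPN_NET -o $NAT_IF -j MASQUERADE"
}

# Succeeds only when the kernel is forwarding IPv4 packets.
forwarding_enabled() {
    [ "$(cat "$IP_FORWARD_FILE" 2>/dev/null)" = "1" ]
}

# Insert the rule unless an identical one is already in nat/POSTROUTING.
# Prints "present" or "added"; returns 2 if forwarding is off.
ensure_masquerade() {
    if ! forwarding_enabled; then
        echo "IPv4 forwarding is disabled ($IP_FORWARD_FILE)" >&2
        return 2
    fi
    # Word splitting of the rule specification is intended here.
    if "$IPTABLES" -t nat -C $(rule_spec) 2>/dev/null; then
        echo "present"
    else
        "$IPTABLES" -t nat -I $(rule_spec) && echo "added"
    fi
}

# Run as root with --apply to change the live ruleset; verify afterwards
# with: iptables -t nat -S POSTROUTING
if [ "${1:-}" = "--apply" ]; then
    ensure_masquerade
fi
```
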

Rida wrote:
> Request timeout for the first ping (from an openvpn client to a 
> virtual machine) and can't try the second one because I only have 
> Windows clients (there's no equivalent to -I in Windows)
> If I do these pings on the server running vmware, it works for both.
>
> On Jan 19, 2008 3:48 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
>
>     ah OK, so I have the network layout correct... next, on the
>     server, with the openvpn server running, try
>
>      ping 10.8.0.128 (or any other vmware client)
>      ping -I 10.1.0.2 10.8.0.128
>
>     do both work?
>
>     cheers,
>
>     JJK
>
>     Rida wrote:
>     > Hi,
>     >
>     > Sorry for the late answer. Here are the answers to your questions:
>     >
>     >     * The openvpn server is running on the host running vmware,
>     >       bound to the public address only
>     >     * The subnet for the openvpn clients is 10.1.0.0/24, right
>     >     * The subnet for vmnet8 is 10.8.0.0/24, right again
>     >
>     > And here is the output of the "netstat -rn" command:
>     >
>     >
>     >     ~# netstat -rn
>     >     Kernel IP routing table
>     >     Destination      Gateway          Genmask         Flags   MSS Window  irtt Iface
>     >     10.1.0.2         0.0.0.0          255.255.255.255 UH        0 0          0 tun0
>     >     10.8.0.0         0.0.0.0          255.255.255.0   U         0 0          0 vmnet8
>     >     <public address> 0.0.0.0          255.255.255.0   U         0 0          0 eth0
>     >     10.1.0.0         10.1.0.2         255.255.255.0   UG        0 0          0 tun0
>     >     0.0.0.0          <public address> 0.0.0.0         UG        0 0          0 eth0
>     >
>     >
>     > Thank you in advance,
>     > Rida.
>     >
>     > On Jan 18, 2008 3:37 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
>     >
>     >     Hi Rida,
>     >
>     >     I just reread the entire thread and am still confused... can you
>     >     please tell me/us
>     >
>     >     - on which server (incl IP address) the openvpn server is running
>     >     - what the subnet for the openvpn is (10.1.0.0/24, right?)
>     >     - what the subnet for vmnet8 is (10.8.0.0/24, right)
>     >
>     >     and/or could you post the output of
>     >      netstat -rn
>     >     after the openvpn server has started.
>     >
>     >     cheers,
>     >
>     >     JJK
>     >
>     >     Rida wrote:
>     >     > Hi,
>     >     >
>     >     > Yep, routing is enabled on the server (echo 1 >
>     >     > /proc/sys/net/ipv4/ip_forward). I understand what you meant by the
>     >     > route subnet pointing to itself. I removed the routes from the server
>     >     > configuration (those pushed to the client) and... it still doesn't work.
>     >     >
>     >     > Regards,
>     >     > Rida.
>     >     >
>     >     > On Jan 12, 2008 3:09 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
>     >     >
>     >     >     Hi Rida,
>     >     >
>     >     >     I am not surprised that that route statement did not work: it's a
>     >     >     route to a subnet pointing to itself!
>     >     >     If the host running the openvpn software is 10.8.0.1 itself then no
>     >     >     extra route statement should be required.
>     >     >     However, how vmware routes traffic between the different VMs is a
>     >     >     different matter; is routing enabled on the server?
>     >     >
>     >     >     HTH,
>     >     >
>     >     >     JJK
>     >     >
>     >     >     Rida wrote:
>     >     >     > Hi,
>     >     >     >
>     >     >     > Thanks for the quick answer. Actually, I tried to "fix" this (because
>     >     >     > I've seen the tip in the openvpn faq), but impossible to add the route
>     >     >     > on the virtual machines. ie "route add -net 10.1.0.0
>     >     >     > netmask 255.255.255.0 gw 10.1.0.1" tells me "Network
>     >     >     > unreachable" (but I can ping it
>     >     >     > from there). And yes, there is a default gateway (10.8.0.1)
>     >     >     >
>     >     >     > Regards,
>     >     >     > Rida.
>     >     >     >
>     >     >     > On Jan 11, 2008 2:30 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
>     >     >     >
>     >     >     >     Hi Rida,
>     >     >     >
>     >     >     >     this does not sound like a VMware issue but more like a routing
>     >     >     >     issue.
>     >     >     >     How would clients in the vmnet8 domain (10.8.0.128) know where to send
>     >     >     >     stuff back to? Do they know that all packets intended for 10.1.0.6
>     >     >     >     should be fed back to the openvpn server? In most cases the clients on
>     >     >     >     your LAN (vmnet LAN in this case) will not know any route for the 10.1.0
>     >     >     >     net and will return packets thru the default gateway. Again, in most
>     >     >     >     cases that is not what you want ;-)
>     >     >     >
>     >     >     >     HTH,
>     >     >     >
>     >     >     >     JJK
>     >     >     >
>     >     >     >     PS I use an openvpn-on-vmware setup all the time without problems (tun
>     >     >     >     setup).
>     >     >     >
>     >     >     >
>     >     >     >     Rida wrote:
>     >     >     >     >
>     >     >     >     > Hello everybody,
>     >     >     >     >
>     >     >     >     > I want, first, to say thank you to all openvpn developers for this
>     >     >     >     > very useful piece of software! Happy new year too.
>     >     >     >     >
>     >     >     >     > So, I got a very strange problem that is getting on my nerve because I
>     >     >     >     > can't resolve the issue. I got vmware server running on a basic server;
>     >     >     >     > there is 1 virtual network (in NAT mode). Here are the routes on the
>     >     >     >     > server (after vmware and openvpn are started):
>     >     >     >     >
>     >     >     >     > 10.1.0.2 dev tun0  proto kernel  scope link  src 10.1.0.1
>     >     >     >     > 10.8.0.0/24 dev vmnet8  proto kernel  scope link  src 10.8.0.1
>     >     >     >     > <public-ip> dev eth0  proto kernel  scope link  src <public-ip>
>     >     >     >     > 10.1.0.0/24 via 10.1.0.2 dev tun0
>     >     >     >     > default via 91.121.95.254 dev eth0
>     >     >     >     >
>     >     >     >     > Nothing special then (the only thing to keep in mind is that vmware
>     >     >     >     > uses source routing). I set up an openvpn server on the server (the
>     >     >     >     > one with the public IP), and it is working fine, because I can connect
>     >     >     >     > to it and I got an IP address on windows clients. Here's the server's
>     >     >     >     > configuration file:
>     >     >     >     >
>     >     >     >     > local <public-ip>
>     >     >     >     > port 1194
>     >     >     >     > proto tcp
>     >     >     >     > dev tun
>     >     >     >     > ca keys/ca.crt
>     >     >     >     > cert keys/server.crt
>     >     >     >     > key keys/server.key
>     >     >     >     > dh keys/dh1024.pem
>     >     >     >     > server 10.1.0.0 255.255.255.0
>     >     >     >     > ifconfig-pool-persist ipp.txt
>     >     >     >     > push "route 10.2.0.0 255.255.255.0"
>     >     >     >     > push "route 10.8.0.0 255.255.255.0"
>     >     >     >     > push "route-delay 2 600"
>     >     >     >     > client-to-client
>     >     >     >     > keepalive 10 120
>     >     >     >     > tls-auth keys/ta.key 0
>     >     >     >     > cipher AES-128-CBC # AES
>     >     >     >     > comp-lzo
>     >     >     >     > max-clients 250
>     >     >     >     > user nobody
>     >     >     >     > group nobody
>     >     >     >     > persist-key
>     >     >     >     > persist-tun
>     >     >     >     > status /var/log/openvpn-status.log
>     >     >     >     > log-append /var/log/openvpn.log
>     >     >     >     > verb 6
>     >     >     >     > mute 20
>     >     >     >     >
>     >     >     >     > Now the clients one:
>     >     >     >     >
>     >     >     >     > client
>     >     >     >     > dev tun0
>     >     >     >     > proto tcp
>     >     >     >     > remote 91.121.95.16 1194
>     >     >     >     > resolv-retry infinite
>     >     >     >     > nobind
>     >     >     >     > persist-key
>     >     >     >     > persist-tun
>     >     >     >     > ca ca.crt
>     >     >     >     > cert client.crt
>     >     >     >     > key client.key
>     >     >     >     > ns-cert-type server
>     >     >     >     > tls-auth ta.key 1
>     >     >     >     > cipher AES-128-CBC # AES
>     >     >     >     > comp-lzo
>     >     >     >     > verb 3
>     >     >     >     >
>     >     >     >     > Still nothing special, these are basic configuration files. Before
>     >     >     >     > I'll "draw" a network topology so you'll have a better idea of how
>     >     >     >     > vmware implement their NAT (hope there is no error):
>     >     >     >     >
>     >     >     >     > [Windows client](10.1.0.6/30 tap) <-> (10.1.0.5/30 tap gw) <->
>     >     >     >     > (10.1.0.2/24 vpn real gw) <-> (10.1.0.1/24 tun) [server]
>     >     >     >     > (10.8.0.1/24 vmnet8) <-> [virtual machine](10.8.0.128/24 gw 10.8.0.1/24)
>     >     >     >     >
>     >     >     >     > The virtual machine route is just a default gw to 10.8.0.1/24. Routes
>     >     >     >     > on the client:
>     >     >     >     >
>     >     >     >     > Active Routes:
>     >     >     >     > Network Destination        Netmask          Gateway       Interface  Metric
>     >     >     >     >           0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.117       25
>     >     >     >     >          10.1.0.0    255.255.255.0         10.1.0.5        10.1.0.6       1
>     >     >     >     >          10.1.0.4  255.255.255.252         10.1.0.6        10.1.0.6       30
>     >     >     >     >          10.1.0.6  255.255.255.255        127.0.0.1       127.0.0.1       30
>     >     >     >     >          10.8.0.0    255.255.255.0         10.1.0.5        10.1.0.6       1
>     >     >     >     > ...
>     >     >     >     >
>     >     >     >     > Client's output:
>     >     >     >     >
>     >     >     >     > Thu Jan 10 00:25:21 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
>     >     >     >     > Thu Jan 10 00:25:21 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
>     >     >     >     > Thu Jan 10 00:25:21 2008 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
>     >     >     >     > Thu Jan 10 00:25:21 2008 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>     >     >     >     > Thu Jan 10 00:25:21 2008 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
>     >     >     >     > Thu Jan 10 00:25:21 2008 LZO compression initialized
>     >     >     >     > Thu Jan 10 00:25:21 2008 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
>     >     >     >     > Thu Jan 10 00:25:21 2008 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
>     >     >     >     > Thu Jan 10 00:25:21 2008 Local Options hash (VER=V4): '<hash>'
>     >     >     >     > Thu Jan 10 00:25:21 2008 Expected Remote Options hash (VER=V4): '<hash>'
>     >     >     >     > Thu Jan 10 00:25:21 2008 Attempting to establish TCP connection with 91.121.95.16:1194
>     >     >     >     > Thu Jan 10 00:25:21 2008 TCP connection established with <public-ip>:1194
>     >     >     >     > Thu Jan 10 00:25:21 2008 TCPv4_CLIENT link local: [undef]
>     >     >     >     > Thu Jan 10 00:25:21 2008 TCPv4_CLIENT link remote: <public-ip>:1194
>     >     >     >     > Thu Jan 10 00:25:21 2008 TLS: Initial packet from <public-ip>:1194, sid=<hash>
>     >     >     >     > Thu Jan 10 00:25:22 2008 VERIFY OK: depth=1, <certificate fqn>
>     >     >     >     > Thu Jan 10 00:25:22 2008 VERIFY OK: nsCertType=SERVER
>     >     >     >     > Thu Jan 10 00:25:22 2008 VERIFY OK: depth=0, <certificate fqn>
>     >     >     >     > Thu Jan 10 00:25:25 2008 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
>     >     >     >     > Thu Jan 10 00:25:25 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>     >     >     >     > Thu Jan 10 00:25:25 2008 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
>     >     >     >     > Thu Jan 10 00:25:25 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
>     >     >     >     > Thu Jan 10 00:25:25 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
>     >     >     >     > Thu Jan 10 00:25:25 2008 [client] Peer Connection Initiated with <public-ip>:1194
>     >     >     >     > Thu Jan 10 00:25:27 2008 SENT CONTROL [client]: 'PUSH_REQUEST' (status=1)
>     >     >     >     > Thu Jan 10 00:25:27 2008 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,route-delay 2 600,route 10.1.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 10.1.0.6 10.1.0.5'
>     >     >     >     > Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: timers and/or timeouts modified
>     >     >     >     > Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: --ifconfig/up options modified
>     >     >     >     > Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: route options modified
>     >     >     >     > Thu Jan 10 00:25:27 2008 TAP-WIN32 device [Local Area Connection 5] opened: \\.\Global\{F71B3A07-5805-4B69-97C9-73926191180F}.tap
>     >     >     >     > Thu Jan 10 00:25:27 2008 TAP-Win32 Driver Version 8.4
>     >     >     >     > Thu Jan 10 00:25:27 2008 TAP-Win32 MTU=1500
>     >     >     >     > Thu Jan 10 00:25:27 2008 Notified TAP-Win32
>     driver
>     >     to set
>     >     >     a DHCP
>     >     >     >     > IP/netmask of
>     >     >     >     > 10.1.0.6/255.255.255.252
>     <http://10.1.0.6/255.255.255.252>
>     >     <http://10.1.0.6/255.255.255.252> <
>     http://10.1.0.6/255.255.255.252>
>     >     >     < http://10.1.0.6/255.255.255.252>
>     >     >     >     < http://10.1.0.6/255.255.255.252
>     <http://10.1.0.6/255.255.255.252>> on
>     >     >     >     > interface {F71B3A07-5805-4B69-97C9-73926191180F}
>     >     >     >     > [DHCP-serv: 10.1.0.5 <http://10.1.0.5/> <
>     http://10.1.0.5/> <
>     >     http://10.1.0.5/> <http://10.1.0.5/>
>     >     >     < http://10.1.0.5 <http://10.1.0.5/>
>     <http://10.1.0.5/> < http://10.1.0.5/>
>     >     >     >     <http://10.1.0.5/> >, lease-time: 31536000]
>     >     >     >     > Thu Jan 10 00:25:27 2008 Successful ARP Flush on
>     >     interface [7]
>     >     >     >     > {F71B3A07-5805-4B69-97C9-73926191180F}
>     >     >     >     > Thu Jan 10 00:25:29 2008 TEST ROUTES: 0/0
>     succeeded
>     >     len=3
>     >     >     ret=0 a=0
>     >     >     >     > u/d=down
>     >     >     >     > Thu Jan 10 00:25:29 2008 Route: Waiting for
>     TUN/TAP
>     >     >     interface to
>     >     >     >     come
>     >     >     >     > up...
>     >     >     >     > Thu Jan 10 00:25:31 2008 TEST ROUTES: 3/3
>     succeeded
>     >     len=3
>     >     >     ret=1
>     >     >     >     a=0 u/d=up
>     >     >     >     > Thu Jan 10 00:25:31 2008 route ADD 10.8.0.0
>     <http://10.8.0.0/>
>     >     <http://10.8.0.0/>
>     >     >     <http://10.8.0.0/ <http://10.8.0.0/>> < http://10.8.0.0/>
>     >     >     >     <http://10.8.0.0 <http://10.8.0.0/> <
>     http://10.8.0.0/> <http://10.8.0.0/>
>     >     < http://10.8.0.0/>> MASK
>     >     >     >     > 255.255.255.0 <http://255.255.255.0/> <
>     http://255.255.255.0/>
>     >     <http://255.255.255.0/>
>     >     >     < http://255.255.255.0/ > < http://255.255.255.0
>     <http://255.255.255.0/>
>     >     <http://255.255.255.0/> < http://255.255.255.0/>
>     >     >     >     <http://255.255.255.0/>> 10.1.0.5
>     <http://10.1.0.5/> < http://10.1.0.5/> <
>     >     http://10.1.0.5/>
>     >     >     <http://10.1.0.5/ < http://10.1.0.5/>>
>     >     >     >     <http://10.1.0.5 <http://10.1.0.5/>
>     <http://10.1.0.5/> < http://10.1.0.5/>
>     >     < http://10.1.0.5/>>
>     >     >     >     > Thu Jan 10 00:25:31 2008 Route addition via IPAPI
>     >     succeeded
>     >     >     >     > Thu Jan 10 00:25:31 2008 route ADD 10.1.0.0
>     <http://10.1.0.0/>
>     >     <http://10.1.0.0/>
>     >     >     <http://10.1.0.0/ <http://10.1.0.0/>> <
>     http://10.1.0.0/> <
>     >     >     >     http://10.1.0.0 <http://10.1.0.0/> <
>     http://10.1.0.0/> <http://10.1.0.0/>
>     >     <http://10.1.0.0/>> MASK
>     >     >     >     > 255.255.255.0 <http://255.255.255.0/> <
>     http://255.255.255.0/>
>     >     <http://255.255.255.0/>
>     >     >     < http://255.255.255.0/ > <http://255.255.255.0
>     <http://255.255.255.0/>
>     >     <http://255.255.255.0/> < http://255.255.255.0/>
>     >     >     >     < http://255.255.255.0/>> 10.1.0.5
>     <http://10.1.0.5/> < http://10.1.0.5/>
>     >     < http://10.1.0.5/>
>     >     >     <http://10.1.0.5/>
>     >     >     >     < http://10.1.0.5 <http://10.1.0.5/>
>     <http://10.1.0.5/> <
>     >     http://10.1.0.5/> <http://10.1.0.5/>>
>     >     >     >     > Thu Jan 10 00:25:31 2008 Route addition via IPAPI
>     >     succeeded
>     >     >     >     > Thu Jan 10 00:25:31 2008 Initialization Sequence
>     >     Completed
>     >     >     >     >
>     >     >     >     > Now the issue... From the client, I can ping 10.1.0.5 (tap gw),
>     >     >     >     > 10.1.0.1 (vpn gw), 10.8.0.1 (vmnet8, but on server's side) but not
>     >     >     >     > in vmnet8's network (10.8.0.128 for example).
>     >     >     >     >
>     >     >     >     > I've tried everything.... Here are some:
>     >     >     >     > * Set up a virtual interface (on eth0:0) with IP 10.1.0.1,
>     >     >     >     > * Put the openvpn network in vmware's network subnet (I think
>     >     >     >     >   openvpn won't understand, well it didn't work anyway),
>     >     >     >     > * pushed gw for routes to the client (the client is slow to connect
>     >     >     >     >   and tells me that the gw doesn't exist)
>     >     >     >     >
>     >     >     >     > I'm lost. Please help.
>     >     >     >     >
>     >     >     >
>     >     >
>
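
The client log quoted above can be checked mechanically. This added example (not part of the original thread) parses the PUSH_REPLY line and confirms that a pushed route covers the VMware guest address, which is consistent with the failure lying in the server-side vmnet8 NAT rather than in the client's routing table. The log line is a constructed copy of the quoted one with the mail client's auto-link debris removed; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the PUSH_REPLY entry from the quoted client log,
# with the auto-link debris stripped.
LOG_LINE = (
    "Thu Jan 10 00:25:27 2008 PUSH: Received control message: "
    "'PUSH_REPLY,route 10.8.0.0 255.255.255.0,route-delay 2 600,"
    "route 10.1.0.0 255.255.255.0,ping 10,ping-restart 120,"
    "ifconfig 10.1.0.6 10.1.0.5'"
)


def parse_push_reply(line):
    """Return (routes, ifconfig) parsed from an OpenVPN PUSH_REPLY log line."""
    m = re.search(r"'PUSH_REPLY,(.*)'", line)
    if not m:
        raise ValueError("no PUSH_REPLY in line")
    routes, ifconfig = [], None
    for opt in m.group(1).split(","):
        parts = opt.split()
        if not parts:
            continue
        if parts[0] == "route" and len(parts) >= 2:
            # An omitted netmask means a host route (255.255.255.255).
            mask = parts[2] if len(parts) > 2 else "255.255.255.255"
            routes.append(
                ipaddress.ip_network(f"{parts[1]}/{mask}", strict=False))
        elif parts[0] == "ifconfig" and len(parts) == 3:
            # Local tunnel address, then the remote endpoint used as gateway.
            ifconfig = (ipaddress.ip_address(parts[1]),
                        ipaddress.ip_address(parts[2]))
    return routes, ifconfig


def covering_route(routes, target):
    """Most specific pushed route that contains target, or None."""
    addr = ipaddress.ip_address(target)
    hits = [r for r in routes if addr in r]
    return max(hits, key=lambda r: r.prefixlen) if hits else None


if __name__ == "__main__":
    routes, ifconfig = parse_push_reply(LOG_LINE)
    guest = "10.8.0.128"  # the VMware guest the client could not ping
    route = covering_route(routes, guest)
    if route is None:
        print(f"{guest}: no pushed route, fix the server's push directives")
    else:
        print(f"{guest}: covered by {route} via {ifconfig[1]}; "
              "client routing is fine, check forwarding/NAT on the server")
```
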
