Re: [Openvpn-users] Routing Issue?


  • Subject: Re: [Openvpn-users] Routing Issue?
  • From: pieter claassen <pieter@xxxxxxxxxxxxxx>
  • Date: 01 May 2003 09:42:07 +0100

Hi,

I am not sure if this is relevant to your problem, but to make routing
between different network segments work, you have to decide if you want
to route there (IP-level config) or bridge there (Ethernet-level
config).

Keep in mind that every machine knows only about the interfaces on it
and that is it. If you configure your adaptors to be on the same network
address 10.4.0.x, then whenever your machine tries to talk to an IP that
is on the other network segment, it requests the Ethernet address
via ARP. The tunnel only forwards IP and therefore it never gets the IP
address (nobody knows it).

To solve the question, you can set your adaptors up with IP addresses on
different networks or you have to implement proxy ARP (so both networks
can see each other's Ethernet addresses). I don't know much about proxy
ARP and am not sure if it scales well (it is fairly easy to do it for a
small number of machines that need to be visible to a network, but as I
say I don't know much. Maybe somebody else knows about it?). Bridging
might also be a solution.

Or you can set up two different subnets and route between them.

10.4.0.x and 10.4.1.x

All you then have to do is tell your default gateway that the other
network is available or you set up a specific route through the tun
adaptor to the other network.

Work through the logic of the IP session and you will notice where you
might lack a routing link. Things get a little more confusing if you set
up a VPN between multiple networks as you have to consider the fact that
the default gateway might not be the VPN server.

Hope this helps.
Pieter
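
One way to "work through the logic of the IP session" with the tables Sean posted, as an added example that is not part of this thread: it does a longest-prefix lookup over each hop's routing table and checks both directions of a ping, since the echo reply needs a route back just as much as the request needs a route out. The tables for the LAN hosts 192.168.1.254 and 10.90.10.1 were not posted and are assumed here (only their connected network plus a default route to a router that is not the VPN box), as are the gateway addresses 192.168.1.250 and 10.90.10.254.

```python
import ipaddress

# Routing tables as posted in the thread (route -n columns: dest gw mask iface)
# plus two CONSTRUCTED tables for the LAN hosts not shown: each knows only its
# own network and a default route via a router that is not the VPN box.
TABLES = {
    "192.168.1.1": ["10.4.0.2 * 255.255.255.255 tun1",
                    "192.168.1.0 * 255.255.255.0 eth1",
                    "10.90.10.0 10.4.0.2 255.255.255.0 tun1"],
    "10.90.10.3": ["10.4.0.1 * 255.255.255.255 tun0",
                   "192.168.1.0 10.4.0.1 255.255.255.0 tun0",
                   "10.90.10.0 * 255.255.255.0 eth1"],
    "192.168.1.254": ["192.168.1.0 * 255.255.255.0 eth0",        # assumed
                      "0.0.0.0 192.168.1.250 0.0.0.0 eth0"],
    "10.90.10.1": ["10.90.10.0 * 255.255.255.0 eth0",            # assumed
                   "0.0.0.0 10.90.10.254 0.0.0.0 eth0"],
}
NODE_OF = {"10.4.0.1": "192.168.1.1", "10.4.0.2": "10.90.10.3"}  # tun ends

def lookup(table, dst):
    """Longest-prefix match; returns (gateway or None if connected, iface)."""
    best = None
    for line in table:
        dest, gw, mask, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, None if gw == "*" else gw, iface)
    return best and best[1:]

def one_way(src, dst, max_hops=8):
    """Follow one packet hop by hop; returns (path, verdict)."""
    cur, path = src, [src]
    for _ in range(max_hops):
        if NODE_OF.get(cur, cur) == NODE_OF.get(dst, dst):
            return path, "delivered"
        table = TABLES.get(NODE_OF.get(cur, cur))
        if table is None:
            return path, f"lost: {cur} is a router we know nothing about"
        hit = lookup(table, dst)
        if hit is None:
            return path, f"lost: {cur} has no route to {dst}"
        cur = dst if hit[0] is None else hit[0]   # connected net: hand to dst
        path.append(cur)
    return path, "lost: too many hops"

def ping_works(a, b):
    """A ping needs both the echo request and the reply to be routable."""
    (fwd, v1), (back, v2) = one_way(a, b), one_way(b, a)
    return v1 == "delivered" and v2 == "delivered", (fwd, v1), (back, v2)
```

`ping_works("192.168.1.1", "10.90.10.1")` reproduces the traceroute in the thread: the request reaches 10.90.10.1 via 10.4.0.2, but the reply goes to that host's default gateway and is lost. Appending `"192.168.1.0 10.90.10.3 255.255.255.0 eth0"` to the 10.90.10.1 table (the specific route Pieter describes) turns that case into a pass.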


On Thu, 2003-05-01 at 07:19, xvx wrote:
> James,
> 
> 	Yes, I have already done this.  I noted that on one of the machines
> iptables was running and nothing was showing up on logs, and I log
> EVERYTHING.  And yes, I am running Slackware 9 on both machines.  Any other
> suggestions?
> 
> Sean
> 
> On Thu, 1 May 2003, James Yonan wrote:
> 
> > Sean,
> >
> > It looks to me like there is some problem routing packets between the tun
> > device and the local LAN.
> >
> > Are you running Linux?
> >
> > If so, do you have an entry in your firewall that looks like this:
> >
> >   iptables -A FORWARD -i tun+ -j ACCEPT
> >
> > James
> >
> > xvx <xvx@xxxxxxxx> said:
> >
> > > Hello there,
> > >
> > > 	I'm using OpenVPN 1.3.2 from source.  I have a problem where I can
> > > ping back and forth to the tun's IP address, I can also ping the
> > > interfaces I set up for the route on the internal LAN. But then I can't ping
> > > anything on the other side, i.e.
> > >
> > > 	tun interface
> > >
> > > 	10.4.0.1 <=======> 10.4.0.2
> > > 	I can ping back and forth
> > >
> > > 	internal interfaces
> > >
> > > 	192.168.1.1 <=======> 10.90.10.3
> > > 	I can ping back and forth
> > >
> > > 	192.168.1.1 <xxxxxxx> 10.90.10.1
> > > 	I can't ping
> > >
> > > 	192.168.1.254 <xxxxxxx> 10.90.10.3
> > > 	I can't ping
> > >
> > > My routing table is as follows
> > >
> > > 192.168.1.1
> > >
> > > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > > 10.4.0.2        *               255.255.255.255 UH    0      0        0 tun1
> > > 192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
> > > 10.90.10.0      10.4.0.2        255.255.255.0   UG    0      0        0 tun1
> > > loopback        *               255.0.0.0       U     0      0        0 lo
> > >
> > > 10.90.10.0
> > >
> > > Kernel IP routing table
> > > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > > 10.4.0.1        *               255.255.255.255 UH    0      0        0 tun0
> > > 192.168.1.0     10.4.0.1        255.255.255.0   UG    0      0        0 tun0
> > > 10.90.10.0      *               255.255.255.0   U     0      0        0 eth1
> > > loopback        *               255.0.0.0       U     0      0        0 lo
> > >
> > > /proc/sys/net/ipv4/ip_forward is set to one
> > >
> > > One of them is running a firewall, but I see no errors being dropped to
> > > the log, I can also ssh from one to the other over the tunnel.  When I
> > > traceroute from one end to the other it looks like
> > >
> > > traceroute to 10.90.10.1 (10.90.10.1), 30 hops max, 38 byte packets
> > >  1  10.4.0.2 (10.4.0.2)  52.231 ms  45.279 ms  45.166 ms
> > >  2  * * *
> > >  3  * * *
> > >  ...
> > >  30 * * *
> > >
> > > and on the other end
> > >
> > > traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 38 byte packets
> > >  1  10.4.0.1 (10.4.0.1)  27.183 ms  22.182 ms  22.701 ms
> > >  2  * * *
> > >  ...
> > >  30 * * *
> > >
> > > Each machine has its own IP directly on the Internet, no NATs, and the
> > > internal interfaces.
> > >
> > > If you could help me out I would greatly appreciate the help.
> > >
> > > Thank you,
> > >
> > > Sean
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This sf.net email is sponsored by:ThinkGeek
> > > Welcome to geek heaven.
> > > http://thinkgeek.com/sf
> > > _______________________________________________
> > > Openvpn-users mailing list
> > > Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> > > https://lists.sourceforge.net/lists/listinfo/openvpn-users
> > >