
[Openvpn-users] Re: Yet Another Routing Issue

  • Subject: [Openvpn-users] Re: Yet Another Routing Issue
  • From: Nik Trevallyn-Jones <nik@xxxxxxxxxxxxxxx>
  • Date: Thu, 16 Dec 2004 13:43:02 +1100

I'm not really an expert, but hopefully I can help.

I'm not clear whether the problem is that you cannot ping ANY Montreal 
machine, or just any Montreal machine OTHER than the OpenVPN endpoint.

1. Can you ping from the Toronto machine?
If so, then the VPN is working at least.

If not, then we have a problem.

1.1 Are you sure the traffic from the Toronto endpoint for the tunnel itself 
is being routed to the Montreal endpoint's public address 132.216.x.y via 
ppp0/eth1, while the traffic for the *remaining* machines on that LAN is 
being routed via tun0?

I presume you have a route on the Toronto machine specifically for the 
Montreal endpoint's address that will take precedence over the route for the network?

2. If you can ping the Montreal endpoint as, but NOT as 132.216.x.y, 
then that could be caused by issues at either end. The most likely culprit is 
firewalling, at either or both ends, since the Toronto endpoint is already 
configured for routing and forwarding packets, and the Montreal machine 
should need no routing rules to recognise its own 132.216.x.y address.

3. If your problem is that you can ping the Montreal endpoint, but cannot 
access any of the other machines on the Montreal LAN, then that 
could be caused by firewalling on the Montreal endpoint stopping traffic 
between <->, or it may be a problem routing packets 
between VPN <-> LAN.

3.1 If the Montreal endpoint has not previously been used for routing, but is 
now being used to route the VPN traffic to the Montreal LAN, be sure that 
packet forwarding is enabled in the kernel. On newer Linuxes, something like:

"cat /proc/sys/net/ipv4/ip_forward" should return "1".

If not, you can enable it immediately by echoing 1 into the same file.
(presuming you have the /proc filesystem enabled.)

For a permanent change, either use a configuration tool to enable ip 
forwarding, or edit the network config file manually. On my RedHat box, the 
file is in:

/etc/sysconfig/network, and includes the line: FORWARD_IPV4="yes".

Your OS may differ...

3.2 If the NON-endpoint machines on the Montreal LAN do not use the Montreal 
endpoint as a gateway, then they will need a routing path to correctly route 
the traffic via the Montreal endpoint machine.

How this is done depends on how you currently route traffic, but I presume it 
is more easily done by the LAN router rather than on the individual machines 
on the LAN.


You wrote:
> The Toronto LAN is controlled by a Debian Sarge gateway that is doing NAT
> for LAN clients on eth0, and connects to the Internet on eth1 (with a
> dynamic IP); the Montreal LAN is a bit unusual in that all of the IP
> addresses on the LAN are public addresses, and the computer that is
> acting as the VPN endpoint is not a gateway.
> So, currently, I have this:
> Toronto:
> LAN:
> Tun0:
> Internet IP: Dynamic
> Montreal:
> LAN:
> Tun0:
> IP: 132.216.xxx.xxx/16
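The checks from steps 1.1 and 3.1, written up as an added shell example that is not part of the original post: it reads the ip_forward flag and verifies that a routing table (here a constructed sample in `ip route` format) has a host route for the peer's public address via the physical interface and the remote LAN prefix via tun0. The sample addresses, the interface names and the `ip route` parsing are assumptions for illustration.

```shell
#!/bin/sh
# Diagnostic helpers for steps 1.1 and 3.1 of the reply above. Each check is a
# function so it can be pointed at a live system or at saved text. Every IP,
# prefix and interface name below is a constructed placeholder.

# Step 3.1: is IPv4 forwarding on? Reads the kernel flag file (or a saved copy).
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || return 2                # no /proc, or not readable
    [ "$(cat "$f")" = "1" ]
}

# Immediate (non-persistent) fix from the reply: write 1 into the flag file.
# The persistent setting is distribution-specific (the reply's RedHat example
# uses /etc/sysconfig/network; many systems use /etc/sysctl.conf instead).
enable_forwarding() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    echo 1 > "$f"
}

# has_route TABLE DEST IFACE: true if TABLE (lines in `ip route` format,
# "DEST [via GW] dev IFACE ...") contains a route to DEST leaving via IFACE.
has_route() {
    printf '%s\n' "$1" | awk -v d="$2" -v i="$3" '
        $1 == d { for (k = 1; k <= NF; k++) if ($k == "dev" && $(k+1) == i) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Step 1.1: the peer's public address needs its own host route out of the
# physical interface, while the remote LAN prefix goes out of the tunnel.
# Because the host route is more specific, it wins over the /16 via tun0.
#   $1 table  $2 peer public IP  $3 remote LAN prefix  $4 physical if  $5 tun if
routes_look_right() {
    has_route "$1" "$2" "$4" || { echo "no host route for $2 via $4"; return 1; }
    has_route "$1" "$3" "$5" || { echo "no route for $3 via $5"; return 1; }
    echo "routes OK"
}

# Constructed sample of what `ip route` on the Toronto endpoint might show.
# 132.216.1.2 stands in for the Montreal endpoint's real public address.
SAMPLE_TABLE='132.216.1.2 via 10.0.0.1 dev ppp0
132.216.0.0/16 dev tun0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link
default via 10.0.0.1 dev ppp0'

# Usage on a live box: routes_look_right "$(ip route)" PEER LAN/16 ppp0 tun0
routes_look_right "$SAMPLE_TABLE" 132.216.1.2 132.216.0.0/16 ppp0 tun0
```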
