I am running openvpn 2.0pre6 on a router in server mode, and on two separate remote clients. I am using TAP to bridge the clients into the host network.
The main network is 192.168.2.0. I use a client connect script to force each client to persistently pick up the same IP on each connection and I am using certificate based authentication. Everything is working just fine, in that the clients authenticate and connect just fine and I can ping through the tunnels on either end. The problem comes when I am trying to reach the two clients from other boxes on the host network.
I was finding it impossible to ping the second client and I couldn't work out why. Some investigation has turned up some very strange results. From the router (192.168.2.254) I could ping either client as I mentioned but when I traceroute'd it showed some very very strange results.
Tracerouting to 192.168.2.10 would go directly there, but tracerouting to 192.168.2.11 would always route through 192.168.2.10! This was obviously the root of my problem in some way and so I did some further investigation. What I have found is that there is a direct correlation between the contents of the internal routing table shown in my status log (I have status logging enabled on the server) and the routing issues I am seeing. The client list in the status log shows both clients, but the routing table only ever shows one entry - the client I can directly route to.
I have managed to work out that the entries in the internal routing table are created when the server executes a piece of code that generates an entry such as
Fri Jan 21 13:11:11 2005 us=549269 tom/18.104.22.168:50568 MULTI: Learn: 74:61:70:00:00:00 -> tom/22.214.171.124:50568
in the main log files. What is happening is that when I go to ping the first client for the first time it learns about the route to reach it (god knows why it doesn't make an entry upon connection in the first place) and adds it to the internal routing table. Then when I go to ping the second client it uses the initial route it has stored in its internal routing table - obviously the wrong thing to do. If I persistently traceroute to the second client, what actually happens is that it eventually learns about the real route, BUT instead of adding it to the list in its internal routing table it wipes the first and replaces it with the second! The learning process can be proved by rechecking the main log file where a new MULTI: Learn entry will be present. After that has happened, I can traceroute to the second client fine, but the problem has now been reversed and if I try a traceroute to the first client it routes through the second client!
The upshot is that I can only really have one working client connection at the moment and it is very very annoying. I have played for hours and hours with the setup but it just refuses to work - no one in the IRC channel knows anything so my last hope is this list. I really hope someone on here can shed some light on how this internal routing stuff works - I would have imagined that it would add routes one after the other and not replace the existing stuff... what am I doing wrong here?
Many thanks in advance.
PS - I didn't post the config files but if need be I'll attach them to a further post.
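An added illustration, not from the post above or from OpenVPN's own code, of how a learning table keyed by a frame's source MAC address (which is what the "MULTI: Learn: <mac> -> <client>" line records) behaves when two clients present the same MAC versus distinct MACs. The client labels and the second MAC value are constructed; that the table is keyed solely by MAC is an assumption drawn from the log line's format.

```python
from dataclasses import dataclass, field


@dataclass
class LearnTable:
    """Bridge-style MAC learning table: source MAC -> client that sent it."""
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def learn(self, src_mac: str, client: str) -> None:
        # Each frame (re)binds its source MAC to the sending client. If a second
        # client sends the same source MAC, the binding is overwritten rather
        # than added alongside, because the key (the MAC) is identical.
        if self.table.get(src_mac) != client:
            self.table[src_mac] = client
            self.log.append(f"MULTI: Learn: {src_mac} -> {client}")

    def route(self, dst_mac: str):
        """Client a frame for dst_mac would be delivered to (None if unknown)."""
        return self.table.get(dst_mac)


def simulate(frames):
    """frames: (client, src_mac) pairs in the order the server sees them.
    Returns (final table, list of Learn log lines)."""
    t = LearnTable()
    for client, mac in frames:
        t.learn(mac, client)
    return t.table, t.log


# MAC taken from the log line in the post; client labels are constructed.
SHARED_MAC = "74:61:70:00:00:00"
OTHER_MAC = "74:61:70:00:00:01"  # constructed second, distinct MAC


def same_mac_scenario():
    # Both clients present the same MAC: each Learn replaces the previous
    # entry, so only one client is ever reachable at a time.
    return simulate([("client-a", SHARED_MAC), ("client-b", SHARED_MAC),
                     ("client-a", SHARED_MAC)])


def distinct_mac_scenario():
    # Distinct MACs: both entries coexist and each client is reachable.
    return simulate([("client-a", SHARED_MAC), ("client-b", OTHER_MAC)])


if __name__ == "__main__":
    print(same_mac_scenario())
    print(distinct_mac_scenario())
```

Checking the MAC each client's TAP interface actually presents against the Learn lines in the server log is the quickest way to confirm whether this is what the server is seeing.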