Re: [Openvpn-users] Unable to ping


  • Subject: Re: [Openvpn-users] Unable to ping
  • From: "Aaron P. Martinez" <ml@xxxxxxxxxxxxxx>
  • Date: Mon, 31 Jan 2005 20:40:33 -0600

On Mon, 2004-06-07 at 15:48, Aaron M. Hirsch wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I am now able to connect to my vpn server from the client and am automatically 
> issued an ipaddress.  
> 
> The server has two NIC's. The ip for eth0 is 148.80.180.170/255.255.255.0 and 
> the ip for eth1 is 192.168.243.2/255.255.255.0.
> 
> The default gw for eth1 is 192.168.243.1.  
> 
> Server Config:
> 
> port 6969
> dev tun
> tls-server

tls-server is redundant if you use 'server' as shown below

> dh /usr/share/ssl/dh2048.pem
> ca /usr/share/ssl/demoCA/cacert.pem
> cert /usr/share/ssl/office.crt
> key /usr/share/ssl/office.key
> mode server
> ifconfig 192.168.243.2 192.168.243.3

You're assigning your tunnel an ip space that is in use by your eth1
device, this won't work as far as routing goes.

> ifconfig-pool 192.168.243.6 192.168.243.255

I'm not an expert but I suspect this is somewhat suspect. You're
starting a /24 network with a .6 start address.

> route 192.168.243.0 255.255.255.0

This sets the route on the local machine, which will be automatically set
(as you can see from the first line of your routing table), so you don't
need this one.

You should be able to accomplish what you want with the following
statement:

server 192.168.244.0 255.255.255.0

This will:

give endpoint addresses of 244.1 local and 244.2 remote for all of your
tun interfaces.

give all the clients 244.x/24 addresses in /30 blocks, effectively
letting you connect 64 (I think) clients.

add a route to the server for all of your .244.x clients out through
your tun interface.

push a route to the clients to use the 244.1 interface to get back to
your server.

> push "route 148.80.158.0 255.255.255.128"
> push "route 192.168.243.0 255.255.255.255"
> comp-lzo
> tun-mtu 1500
> tun-mtu-extra 32
> mssfix 1420
> fragment 1420
> route 192.168.243.0 255.255.255.0
> ping 10
> ping-restart 120
> push "ping 10"
> push "ping-restart 60"

The above 3 lines can be effected using keepalive:

keepalive 10 120  (yes, it will handle the push as well)

> cipher AES-128-CBC
> verb 4
> 
> Client Config:
> 
> port 6969
> dev tun
> remote 148.80.180.170

remote 148.80.180.170 6969

> tls-client

Replace the above with client to set up automatic pull and tls-client:

client
> ca /home/ahirsch/openvpn/my-ca.crt
> cert /home/ahirsch/openvpn/aaron.crt
> key /home/ahirsch/openvpn/aaron.key
> comp-lzo
> tun-mtu 1500
> tun-mtu-extra 32
> mssfix 1420
> fragment 1420
> pull


> cipher AES-128-CBC
> verb 4
> 
> When I look at tun0 on the server, with openvpn running of course I see:
> tun0      Link encap:Point-to-Point Protocol
>           inet addr:192.168.243.2  P-t-P:192.168.243.3  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
> and netstat -rn shows me:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 192.168.243.3   0.0.0.0         255.255.255.255 UH        0 0          0 tun0
> 148.80.158.0    192.168.243.1   255.255.255.128 UG        0 0          0 eth1
> 192.168.243.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
> 148.80.180.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
> 127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
> 0.0.0.0         148.80.180.1    0.0.0.0         UG        0 0          0 eth0
> 
> On the client side I see:
> tun0      Link encap:Point-to-Point Protocol
>           inet addr:192.168.243.6  P-t-P:192.168.243.5  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
> and netstat -rn shows me:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 192.168.243.5   0.0.0.0         255.255.255.255 UH        0 0          0 tun0
> 148.80.158.0    192.168.243.5   255.255.255.128 UG        0 0          0 tun0
> 148.80.180.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
> 127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
> 0.0.0.0         148.80.180.1    0.0.0.0         UG        0 0          0 eth0
> 

After you do the above your routing tables will be MUCH cleaner, I
suspect.

> I can ping 148.80.158.x from the server via eth1 so I know connectivity is 
> good there.  However I am unable to ping my server, 192.168.243.2 from my 
> client 192.168.243.6.
> 
> I'm sure I've overlooked something, but am drawing blanks on google and the 
> openvpn web page.  Is the problem related to the fact that I have the eth1 on 
> the same subnet as I am assigning ipaddresses from?
> 
> TIA!
> 
> - -- 
> Aaron M. Hirsch


Aaron Martinez
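As an added illustration (not code from either poster), the script below checks the overlap the reply points out, the tunnel block colliding with eth1's subnet, and then expands `server NETWORK NETMASK` the way the OpenVPN 2.x manual documents it for the net30 topology (the default when this thread was written). The interface addresses are taken from the quoted config; the pool end of network+251 and the 62 resulting client slots follow the manual's expansion, not the "64 (I think)" guess in the reply.

```python
from ipaddress import IPv4Network, ip_interface, ip_network

# Constructed from the quoted server config: eth1 lives in 192.168.243.0/24,
# the same block the original ifconfig / ifconfig-pool lines hand to tun0.
SERVER_IFACES = {
    "eth0": ip_interface("148.80.180.170/24"),
    "eth1": ip_interface("192.168.243.2/24"),
}


def overlapping_ifaces(tun_net, ifaces=SERVER_IFACES):
    """Names of local interfaces whose subnet overlaps the proposed tunnel block."""
    net = ip_network(tun_net, strict=False)
    return sorted(name for name, iface in ifaces.items() if net.overlaps(iface.network))


def expand_server_directive(network, netmask):
    """Expand 'server NETWORK NETMASK' as the OpenVPN 2.x manual describes for net30:
    the first /30 is the server's own endpoint pair (.1 local, .2 remote), the pool
    runs from the second /30 up to the last address minus 4, and every client consumes
    one /30, taking its third address with the second as its P-t-P peer.
    Returns (list of equivalent directives, [(client_ip, client_ptp), ...])."""
    net = IPv4Network(f"{network}/{netmask}")
    blocks = list(net.subnets(new_prefix=30))
    local, remote = blocks[0][1], blocks[0][2]   # e.g. .1 local, .2 remote
    pool_start, pool_end = blocks[1][0], net[-5]  # e.g. .4 .. .251
    clients = [(b[2], b[1]) for b in blocks[1:] if b[0] <= pool_end]
    directives = [
        "mode server",
        "tls-server",                                # why a separate tls-server is redundant
        f"ifconfig {local} {remote}",
        f"ifconfig-pool {pool_start} {pool_end}",
        f"route {net.network_address} {net.netmask}",
        f'push "route {local}"',                     # clients reach the server via .1
    ]
    return directives, clients


if __name__ == "__main__":
    print("overlap with 192.168.243.0/24:", overlapping_ifaces("192.168.243.0/24"))
    print("overlap with 192.168.244.0/24:", overlapping_ifaces("192.168.244.0/24"))
    lines, slots = expand_server_directive("192.168.244.0", "255.255.255.0")
    print("\n".join(lines))
    print(f"{len(slots)} client slots; first client {slots[0][0]} P-t-P {slots[0][1]}")
```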


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users