I've been following the discussion here, searching the list archives, reading the HOWTOs, FAQs, etc., and still can't get this working properly.
We currently have remote users connecting to our internal LAN through RAS/PPTP to an NT server. Mostly they use it for connecting to an Exchange Server, and telnet to an AIX machine. We have an IPCOP firewall, and we just port forward the VPN ports to the VPN server. This works fine (most of the time). For various reasons, I'd like to replace this with OpenVPN.
The internal network is 192.168.1.0/24. 192.168.1.4 is the IPCop. It does my DHCP, and it serves as the LAN gateway.
I built a new Fedora Core 3 server, on which I'm installing OpenVPN. I did not build Fedora with any firewall capabilities. I built everything (OpenSSL, lzo and OpenVPN) from the tarballs, because I couldn't find pre-made RPM files. The IP address of this machine is 192.168.1.249. I have the following statement in my startup script:
echo "1" > /proc/sys/net/ipv4/ip_forward
The clients I'm testing from are using Windows XP Pro. I'm using the Openvpn-Gui 1.0rc4 package.
I'm using OpenVPN 2.0rc16 on both ends.
Here are the config files:
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.4"
push "dhcp-option WINS 192.168.1.175"
keepalive 10 120
I have added the following route statement to my IPCop:
route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.1.249
I also have a port forwarding rule for port 1194 to go to 192.168.1.249:1194.
So here's the problem. When I connect, I can ping both directions to/from the client & server. I can ping some machines from the client, but not others. The name resolution via the WINS server seems to be working properly (it correctly finds the IP addresses for machines on the LAN). The WINS server / NT domain controller is 192.168.1.175, and I can ping that one fine. But I can't ping other NT servers, a FreeBSD server and other workstations. A tcpdump on tun0 shows the ICMP requests, but no replies.
A tracert from the client only shows 10.8.0.1, no replies beyond that. I can ping anything on the LAN from the OpenVPN server.
The machines that can't be reached from the client also cannot reach the client from the other direction. For example, from a FreeBSD machine, when I traceroute to 10.8.0.6, it gets no replies beyond 192.168.1.249 (the OpenVPN server).
I just tried one more thing which has me really baffled. I ran tcpdump on tun0, and then pinged 10.8.0.6 from the FreeBSD machine (192.168.1.104). I see the ICMP echo requests, but no responses. From the OpenVPN server, the requests look like they're coming from the IPCop machine.
I've tried this with the built-in firewall on the XP machine off and on, and there's no difference.
I'm at a dead-end. I can't think of anything else to test/try. Anyone have any ideas?
Commercial Petroleum Equipment
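The post describes a setup where the IPCop has a route for 10.8.0.0/24 via 192.168.1.249, but ordinary LAN hosts only know their default gateway (the IPCop). One check worth running before digging into the firewall is: for each LAN host, which next hop does its routing table pick for a reply to a VPN client address? If the answer is the default gateway rather than the OpenVPN server, the forward and return paths differ, and the reply must transit the IPCop. The script below is an added diagnostic written for this thread, not code from the original post or from the OpenVPN project. It parses Linux `route -n` output and reports the next hop per host. The routing tables are constructed from the addresses in the post; the two LAN host tables, the `eth1` external interface on the IPCop and its upstream gateway `203.0.113.1` are assumptions.

```python
"""Which next hop does each host use to reply to a VPN client?

Added diagnostic for the asymmetric-path symptom in the post.
Routing tables are in Linux `route -n` format.  Addresses come from
the post; the LAN host tables and the IPCop external side are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VPN_SERVER = "192.168.1.249"   # OpenVPN server, from the post
VPN_CLIENT = "10.8.0.6"        # XP client tunnel address, from the post

# Constructed `route -n` output for the OpenVPN server (tun0 + eth0).
OPENVPN_SERVER = """
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.4     0.0.0.0         UG    0      0        0 eth0
"""

# Constructed table for the IPCop after the `route add` in the post.
# eth1 and 203.0.113.1 (documentation range) are assumed placeholders.
IPCOP = """
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.0        192.168.1.249   255.255.255.0   UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth1
"""

# Assumed: a LAN host that only knows its default gateway (the IPCop).
LAN_HOST_DEFAULT_ONLY = """
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.4     0.0.0.0         UG    0      0        0 eth0
"""

# Assumed: the same LAN host with a static route for the VPN subnet.
LAN_HOST_STATIC_ROUTE = """
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.8.0.0        192.168.1.249   255.255.255.0   UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.4     0.0.0.0         UG    0      0        0 eth0
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]   # None means directly connected (0.0.0.0 in route -n)
    iface: str


def parse_route_table(text: str) -> List[Route]:
    """Parse `route -n` output; header lines are skipped."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        network = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(network, None if gw == "0.0.0.0" else gw, iface))
    return routes


def next_hop(routes: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match; returns (next hop address, interface) or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    if best is None:
        return None
    # A directly connected route delivers to the destination itself.
    return (best.gateway or dst, best.iface)


def reply_path(routes: List[Route], vpn_client: str, vpn_server: str) -> str:
    """Classify how a host would send a reply to the VPN client."""
    hop = next_hop(routes, vpn_client)
    if hop is None:
        return "unreachable"
    gw, iface = hop
    if gw in (vpn_server, vpn_client):
        return "direct"   # straight to the OpenVPN server, or onto the tunnel itself
    return f"asymmetric via {gw} on {iface}"


def audit() -> Dict[str, str]:
    """Run the check over every constructed table."""
    tables = {
        "openvpn-server": OPENVPN_SERVER,
        "ipcop": IPCOP,
        "lan-host-default-only": LAN_HOST_DEFAULT_ONLY,
        "lan-host-static-route": LAN_HOST_STATIC_ROUTE,
    }
    return {name: reply_path(parse_route_table(t), VPN_CLIENT, VPN_SERVER)
            for name, t in tables.items()}


if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host:24s} {verdict}")
```

An "asymmetric" verdict means the host's reply to 10.8.0.6 goes to the IPCop first, which then has to forward it back out the same LAN interface toward 192.168.1.249; that is the hop to inspect (its forwarding and firewall rules, and whether it sends ICMP redirects) when a host on the LAN can receive the echo request but its reply never shows up on tun0. The same script can be pointed at real `route -n` output from each host by replacing the constructed strings.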