
[Openvpn-users] Routing problems?

  • Subject: [Openvpn-users] Routing problems?
  • From: Brian Leyton <bleyton@xxxxxxxxxxxx>
  • Date: Fri, 11 Mar 2005 09:38:22 -0800

I've been following the discussion here, searching the list archives, reading the HOWTOs, FAQs, etc., and still can't get this working properly.
We currently have remote users connecting to our internal LAN through RAS/PPTP to an NT server.  Mostly they use it for connecting to an Exchange Server, and telnet to an AIX machine.  We have an IPCOP firewall, and we just port forward the VPN ports to the VPN server.  This works fine (most of the time).  For various reasons, I'd like to replace this with OpenVPN.
The internal network is is the IPCop.  It does my DHCP, and it serves as the LAN gateway.
I built a new Fedora Core 3 server, on which I'm installing OpenVPN.  I did not build Fedora with any firewall capabilities.  I built everything (OpenSSL, lzo and OpenVPN) from the tarballs, because I couldn't find pre-made RPM files.  The IP Address of this machine is  I have the following statement in my startup script: 
echo "1" > /proc/sys/net/ipv4/ip_forward
The clients I'm testing from are using Windows XP Pro.  I'm using the Openvpn-Gui 1.0rc4 package. 
I'm using OpenVPN 2.0rc16 on both ends.
Here are the config files:
# --- server ---
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
# arguments of the three push lines are missing from the archived copy
push "route"
push "dhcp-option DNS"
push "dhcp-option WINS"
keepalive 10 120
user nobody
group nobody
status openvpn-status.log
verb 3

# --- client ---
dev tun
proto udp
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
verb 3
I have added the following route statement to my IPCop:
route add -net netmask gw
I also have a port forwarding rule for port 1194 to go to
So here's the problem.  When I connect, I can ping both directions to/from the client & server.  I can ping some machines from the client, but not others.  The name resolution via the WINS server seems to be working properly (it correctly finds the IP addresses for machines on the LAN).  The WINS Server/ NT Domain controller is, and I can ping that one fine.  But I can't ping other NT servers, a FreeBSD server and other workstations.  A tcpdump on tun0 shows the ICMP requests, but no replies.
A tracert from the client only shows, no replies beyond that.  I can ping anything on the LAN from the OpenVPN server.
The machines that can't be reached from the client, also cannot reach the client from the other direction.  For example, from a FreeBSD machine, when I traceroute to, it gets no replies beyond (the OpenVPN server).
I just tried one more thing which has me really baffled.  I ran tcpdump on tun0, and then pinged from the FreeBSD machine (  I see the ICMP echo requests, but no responses.  From the OpenVPN server, the requests look like they're coming from the IPCop machine.
I've tried this with the built-in firewall on the XP machine off and on, and there's no difference.
I'm at a dead-end.  I can't think of anything else to test/try.  Anyone have any ideas?
Brian Leyton
IT Manager
Commercial Petroleum Equipment
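An added example, not part of Brian's post and not OpenVPN code: a small Python model of the routed topology he describes (XP client on the tun subnet, OpenVPN server with ip_forward enabled, IPCop as the LAN default gateway carrying the static route to the tunnel network, and a few LAN hosts) that traces the echo request and the echo reply as two separate lookups. Every address in it is an assumption, because the post's own addresses were lost from the archived copy; the LAN is 192.168.1.0/24 and the tunnel pool 10.8.0.0/24 purely for illustration. The point it makes is the one to check for each host that does not answer: the forward path through the OpenVPN server can be fine while the return path fails, either because the host has no default gateway, because its gateway is not the box holding the route to the tunnel subnet, or because the gateway lost that route. It also shows that even for a reachable host the reply hairpins through the gateway rather than going straight back to the OpenVPN server, so the two directions are asymmetric.

```python
"""Trace forward and return paths through a routed-OpenVPN topology.

Constructed model, not the poster's network: all addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass

IP = ipaddress.ip_address
NET = ipaddress.ip_network


@dataclass
class Node:
    name: str
    addrs: frozenset          # addresses configured on this box
    routes: tuple             # ((network, next_hop), ...); next_hop None = directly connected
    forwards: bool = True     # ip_forward / routing enabled on this box

    def next_hop(self, dst):
        """Longest-prefix match. Returns (next_hop_address, found)."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return None, False
        return (dst if best[1] is None else best[1]), True


def owner(nodes, addr):
    """The node that owns `addr`, or None if nothing in the model has it."""
    return next((n for n in nodes.values() if addr in n.addrs), None)


def trace(nodes, src, dst, max_hops=8):
    """Node names a packet from `src` to `dst` visits, or None if it is dropped:
    no route, a next hop nobody owns, or a transit box that does not forward."""
    path, node = [src], nodes[src]
    for _ in range(max_hops):
        if dst in node.addrs:
            return path
        if len(path) > 1 and not node.forwards:
            return None                 # e.g. ip_forward=0 on the OpenVPN server
        nh, found = node.next_hop(dst)
        if not found:
            return None                 # "no route to host"
        node = owner(nodes, nh)
        if node is None:
            return None                 # next hop leaves the model (wrong gateway, Internet)
        path.append(node.name)
    return None


def ping(nodes, src, dst):
    """Echo request src -> dst, then echo reply from the target back to src."""
    src_addr = next(iter(nodes[src].addrs))
    fwd = trace(nodes, src, dst)
    if fwd is None:
        return None, None
    return fwd, trace(nodes, fwd[-1], src_addr)


def build_topology(gateway_has_vpn_route=True, server_forwards=True):
    """Assumed addresses: LAN 192.168.1.0/24, IPCop 192.168.1.1,
    OpenVPN server 192.168.1.10 with tun address 10.8.0.1, client 10.8.0.6."""
    lan, vpn, default = NET("192.168.1.0/24"), NET("10.8.0.0/24"), NET("0.0.0.0/0")
    gw_routes = [(lan, None), (default, IP("203.0.113.1"))]     # red side, outside the model
    if gateway_has_vpn_route:
        gw_routes.append((vpn, IP("192.168.1.10")))             # the 'route add -net ... gw' on IPCop
    nodes = [
        # client: tun subnet directly, LAN via the pushed route through the server's tun address
        Node("client", frozenset({IP("10.8.0.6")}),
             ((vpn, None), (lan, IP("10.8.0.1"))), forwards=False),
        Node("openvpn", frozenset({IP("192.168.1.10"), IP("10.8.0.1")}),
             ((lan, None), (vpn, None), (default, IP("192.168.1.1"))), forwards=server_forwards),
        Node("ipcop", frozenset({IP("192.168.1.1")}), tuple(gw_routes)),
        Node("host_ok", frozenset({IP("192.168.1.20")}),
             ((lan, None), (default, IP("192.168.1.1"))), forwards=False),
        Node("host_nogw", frozenset({IP("192.168.1.30")}), ((lan, None),), forwards=False),
        Node("host_othergw", frozenset({IP("192.168.1.40")}),
             ((lan, None), (default, IP("192.168.1.254"))), forwards=False),
    ]
    return {n.name: n for n in nodes}


if __name__ == "__main__":
    nodes = build_topology()
    for target in ("192.168.1.20", "192.168.1.30", "192.168.1.40"):
        fwd, back = ping(nodes, "client", IP(target))
        print(target, "request:", fwd, "reply:", back)
    print("gateway without tunnel route:",
          ping(build_topology(gateway_has_vpn_route=False), "client", IP("192.168.1.20")))
    print("server not forwarding:",
          ping(build_topology(server_forwards=False), "client", IP("192.168.1.20")))
```

The model reproduces the pattern in the post (requests visible on tun0, no replies) whenever the reply has no path back to the tunnel, so the real-world check is the return route on each silent host: its routing table (`route print` on NT/XP, `netstat -rn` on FreeBSD and AIX) should point the tunnel subnet, or the default, at the box that actually holds the static route to it. Two things the model cannot see give the same symptom: a host-based firewall that drops traffic from non-local subnets, and a gateway route that was added by hand and did not survive a reboot.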